
Malware

Name of ATT&CK software

Authors
Authors and/or Contributors
MITRE

Hacking Team UEFI Rootkit - S0047

Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hacking Team UEFI Rootkit - S0047.

Known Synonyms
Hacking Team UEFI Rootkit
Internal MISP references

UUID 4b62ab58-c23b-4704-9c15-edd568cd59f8 which can be used as unique global reference for Hacking Team UEFI Rootkit - S0047 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0047
Related clusters

To see the related clusters, click here.

X-Agent for Android - S0314

X-Agent for Android is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) It is tracked separately from CHOPSTICK.

Internal MISP references

UUID 56660521-6db4-4e5a-a927-464f22954b7c which can be used as unique global reference for X-Agent for Android - S0314 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0314
Related clusters

To see the related clusters, click here.

Red Alert 2.0 - S0539

Red Alert 2.0 is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Red Alert 2.0 - S0539.

Known Synonyms
Red Alert 2.0
Internal MISP references

UUID 6e282bbf-5f32-476a-b879-ba77eec463c8 which can be used as unique global reference for Red Alert 2.0 - S0539 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0539
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Exaramel for Linux - S0401

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.(Citation: ESET TeleBots Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exaramel for Linux - S0401.

Known Synonyms
Exaramel for Linux
Internal MISP references

UUID 11194d8b-fdce-45d2-8047-df15bb8f16bd which can be used as unique global reference for Exaramel for Linux - S0401 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0401
mitre_platforms ['Linux']
Related clusters

To see the related clusters, click here.

Winnti for Linux - S0430

Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.(Citation: Chronicle Winnti for Linux May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winnti for Linux - S0430.

Known Synonyms
Winnti for Linux
Internal MISP references

UUID 8787e86d-8475-4f13-acea-d33eb83b6105 which can be used as unique global reference for Winnti for Linux - S0430 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0430
mitre_platforms ['Linux']
Related clusters

To see the related clusters, click here.

XLoader for iOS - S0490

XLoader for iOS is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from XLoader for Android.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XLoader for iOS - S0490.

Known Synonyms
XLoader for iOS
Internal MISP references

UUID 29944858-da52-4d3d-b428-f8a6eb8dde6f which can be used as unique global reference for XLoader for iOS - S0490 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0490
mitre_platforms ['iOS']
Related clusters

To see the related clusters, click here.

Winnti for Windows - S0141

Winnti for Windows is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to by the same name, Winnti Group.(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018) The Linux variant is tracked separately under Winnti for Linux.(Citation: Chronicle Winnti for Linux May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winnti for Windows - S0141.

Known Synonyms
Winnti for Windows
Internal MISP references

UUID d3afa961-a80c-4043-9509-282cdf69ab21 which can be used as unique global reference for Winnti for Windows - S0141 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0141
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Pegasus for Android - S0316

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under Pegasus for iOS.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pegasus for Android - S0316.

Known Synonyms
Chrysaor
Pegasus for Android
Internal MISP references

UUID 93799a9d-3537-43d8-b6f4-17215de1657c which can be used as unique global reference for Pegasus for Android - S0316 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0316
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

XLoader for Android - S0318

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from XLoader for iOS.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XLoader for Android - S0318.

Known Synonyms
XLoader for Android
Internal MISP references

UUID 2740eaf6-2db2-4a40-a63f-f5b166c7059c which can be used as unique global reference for XLoader for Android - S0318 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0318
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Pegasus for iOS - S0289

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under Pegasus for Android.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pegasus for iOS - S0289.

Known Synonyms
Pegasus for iOS
Internal MISP references

UUID 33d9d91d-aad9-49d5-a516-220ce101ac8a which can be used as unique global reference for Pegasus for iOS - S0289 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0289
mitre_platforms ['iOS']
Related clusters

To see the related clusters, click here.

Exaramel for Windows - S0343

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.(Citation: ESET TeleBots Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exaramel for Windows - S0343.

Known Synonyms
Exaramel for Windows
Internal MISP references

UUID 051eaca1-958f-4091-9e5f-a9acd8f820b5 which can be used as unique global reference for Exaramel for Windows - S0343 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0343
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

P.A.S. Webshell - S0598

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular P.A.S. Webshell - S0598.

Known Synonyms
Fobushell
P.A.S. Webshell
Internal MISP references

UUID 4800d0f9-00aa-47cd-a4d2-92198585b8fd which can be used as unique global reference for P.A.S. Webshell - S0598 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0598
mitre_platforms ['Linux', 'Windows']
Related clusters

To see the related clusters, click here.

gh0st RAT - S0032

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular gh0st RAT - S0032.

Known Synonyms
Moudoor
Mydoor
gh0st RAT
Internal MISP references

UUID 88c621a7-aef9-4ae0-94e3-1fc87123eb24 which can be used as unique global reference for gh0st RAT - S0032 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0032
mitre_platforms ['Windows', 'macOS']
Related clusters

To see the related clusters, click here.

China Chopper - S0020

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular China Chopper - S0020.

Known Synonyms
China Chopper
Internal MISP references

UUID 5a3a31fe-5a8f-48e1-bff0-a753e5b1be70 which can be used as unique global reference for China Chopper - S0020 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0020
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Skeleton Key - S0007

Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to Skeleton Key is included as a module in Mimikatz.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Skeleton Key - S0007.

Known Synonyms
Skeleton Key
Internal MISP references

UUID 89f63ae4-f229-4a5c-95ad-6f22ed2b5c49 which can be used as unique global reference for Skeleton Key - S0007 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0007
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

P2P ZeuS - S0016

P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular P2P ZeuS - S0016.

Known Synonyms
Gameover ZeuS
P2P ZeuS
Peer-to-Peer ZeuS
Internal MISP references

UUID b2c5d3ca-b43a-4888-ad8d-e2d43497bf85 which can be used as unique global reference for P2P ZeuS - S0016 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0016
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Unknown Logger - S0130

Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Unknown Logger - S0130.

Known Synonyms
Unknown Logger
Internal MISP references

UUID ab3580c8-8435-4117-aace-3d9fbe46aa56 which can be used as unique global reference for Unknown Logger - S0130 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0130
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Black Basta - S1070

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have included the double extortion technique, where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess that the Black Basta RaaS operators could include current or former members of the Conti group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Black Basta - S1070.

Known Synonyms
Black Basta
Internal MISP references

UUID 8d242fb4-9033-4f13-8a88-4b9b4bcd9a53 which can be used as unique global reference for Black Basta - S1070 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1070
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Cherry Picker - S0107

Cherry Picker is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cherry Picker - S0107.

Known Synonyms
Cherry Picker
Internal MISP references

UUID b2203c59-4089-4ee4-bfe1-28fa25f0dbfe which can be used as unique global reference for Cherry Picker - S0107 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0107
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Zeus Panda - S0330

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus Panda - S0330.

Known Synonyms
Zeus Panda
Internal MISP references

UUID 198db886-47af-4f4c-bff5-11b891f85946 which can be used as unique global reference for Zeus Panda - S0330 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0330
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SpyNote RAT - S0305

SpyNote RAT (Remote Access Trojan) is a family of malicious Android apps. The SpyNote RAT builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpyNote RAT - S0305.

Known Synonyms
SpyNote RAT
Internal MISP references

UUID 20dbaf05-59b8-4dc6-8777-0b17f4553a23 which can be used as unique global reference for SpyNote RAT - S0305 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0305
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

3PARA RAT - S0066

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. (Citation: CrowdStrike Putter Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 3PARA RAT - S0066.

Known Synonyms
3PARA RAT
Internal MISP references

UUID 7bec698a-7e20-4fd3-bb6a-12787770fb1a which can be used as unique global reference for 3PARA RAT - S0066 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0066
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Agent Smith - S0440

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent Smith - S0440.

Known Synonyms
Agent Smith
Internal MISP references

UUID a6228601-03f6-4949-ae22-c1087627a637 which can be used as unique global reference for Agent Smith - S0440 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0440
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

4H RAT - S0065

4H RAT is malware that has been used by Putter Panda since at least 2007. (Citation: CrowdStrike Putter Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 4H RAT - S0065.

Known Synonyms
4H RAT
Internal MISP references

UUID 8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc which can be used as unique global reference for 4H RAT - S0065 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0065
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Desert Scorpion - S0505

Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Desert Scorpion - S0505.

Known Synonyms
Desert Scorpion
Internal MISP references

UUID 3271c107-92c4-442e-9506-e76d62230ee8 which can be used as unique global reference for Desert Scorpion - S0505 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0505
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Net Crawler - S0056

Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. (Citation: Cylance Cleaver)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Net Crawler - S0056.

Known Synonyms
Net Crawler
NetC
Internal MISP references

UUID fde50aaa-f5de-4cb8-989a-babb57d6a704 which can be used as unique global reference for Net Crawler - S0056 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0056
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Bad Rabbit - S0606

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bad Rabbit - S0606.

Known Synonyms
Bad Rabbit
Win32/Diskcoder.D
Internal MISP references

UUID 2eaa5319-5e1e-4dd7-bbc4-566fced3964a which can be used as unique global reference for Bad Rabbit - S0606 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0606
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Green Lambert - S0690

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Green Lambert - S0690.

Known Synonyms
Green Lambert
Internal MISP references

UUID 59c8a28c-200c-4565-9af1-cbdb24870ba0 which can be used as unique global reference for Green Lambert - S0690 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0690
mitre_platforms ['Windows', 'iOS', 'macOS', 'Linux']
Related clusters

To see the related clusters, click here.

Saint Bot - S1018

Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Internal MISP references

UUID 7724581b-06ff-4d2b-b77c-80dc8d53070b which can be used as unique global reference for Saint Bot - S1018 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1018
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Heyoka Backdoor - S1027

Heyoka Backdoor is a custom backdoor, based on the Heyoka open source exfiltration tool, that has been used by Aoqin Dragon since at least 2013.(Citation: SentinelOne Aoqin Dragon June 2022)(Citation: Sourceforge Heyoka 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Heyoka Backdoor - S1027.

Known Synonyms
Heyoka Backdoor
Internal MISP references

UUID dff90475-9f72-41a6-84ed-1fbefd3874c0 which can be used as unique global reference for Heyoka Backdoor - S1027 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1027
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Action RAT - S1028

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.(Citation: MalwareBytes SideCopy Dec 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Action RAT - S1028.

Known Synonyms
Action RAT
Internal MISP references

UUID 36801ffb-5c85-4c50-9121-6122e389366d which can be used as unique global reference for Action RAT - S1028 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1028
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

AutoIt backdoor - S0129

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AutoIt backdoor - S0129.

Known Synonyms
AutoIt backdoor
Internal MISP references

UUID f5352566-1a64-49ac-8f7f-97e1d1a03300 which can be used as unique global reference for AutoIt backdoor - S0129 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0129
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

AuTo Stealer - S1029

AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AuTo Stealer - S1029.

Known Synonyms
AuTo Stealer
Internal MISP references

UUID 3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5 which can be used as unique global reference for AuTo Stealer - S1029 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1029
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Agent Tesla - S0331

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent Tesla - S0331.

Known Synonyms
Agent Tesla
Internal MISP references

UUID e7a5229f-05eb-440e-b982-9a6d2b2b87c8 which can be used as unique global reference for Agent Tesla - S0331 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0331
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Small Sieve - S1035

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.(Citation: Mandiant UNC3313 Feb 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Small Sieve - S1035.

Known Synonyms
GRAMDOOR
Small Sieve
Internal MISP references

UUID ff41b9b6-4c1d-407b-a7e2-835109c8dbc5 which can be used as unique global reference for Small Sieve - S1035 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1035
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Cobalt Strike - S0154

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.(Citation: cobaltstrike manual)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobalt Strike - S0154.

Known Synonyms
Cobalt Strike
Internal MISP references

UUID a7881f21-e978-4fe4-af56-92c9416a2616 which can be used as unique global reference for Cobalt Strike - S0154 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0154
mitre_platforms ['Windows', 'Linux', 'macOS']
Related clusters

To see the related clusters, click here.

Ragnar Locker - S0481

Ragnar Locker is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ragnar Locker - S0481.

Known Synonyms
Ragnar Locker
Internal MISP references

UUID 54895630-efd2-4608-9c24-319de972a9eb which can be used as unique global reference for Ragnar Locker - S0481 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0481
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Woody RAT - S1065

Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Woody RAT - S1065.

Known Synonyms
Woody RAT
Internal MISP references

UUID 3bc7e862-5610-4c02-9c48-15b2e2dc1ddb which can be used as unique global reference for Woody RAT - S1065 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1065
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SYNful Knock - S0519

SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SYNful Knock - S0519.

Known Synonyms
SYNful Knock
Internal MISP references

UUID 84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 which can be used as unique global reference for SYNful Knock - S0519 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0519
mitre_platforms ['Network']
Related clusters

To see the related clusters, click here.

Power Loader - S0177

Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

Internal MISP references

UUID 0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3 which can be used as unique global reference for Power Loader - S0177 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0177
Related clusters

To see the related clusters, click here.

HUI Loader - S1097

HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HUI Loader - S1097.

Known Synonyms
HUI Loader
Internal MISP references

UUID 54089fba-8662-4f37-9a44-6ad25a5f630a which can be used as unique global reference for HUI Loader - S1097 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1097
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Brave Prince - S0252

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Brave Prince - S0252.

Known Synonyms
Brave Prince
Internal MISP references

UUID 28b97733-ef07-4414-aaa5-df50b2d30cc5 which can be used as unique global reference for Brave Prince - S0252 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0252
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Smoke Loader - S0226

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Smoke Loader - S0226.

Known Synonyms
Dofoil
Smoke Loader
Internal MISP references

UUID 0c824410-58ff-49b2-9cf2-1c96b182bdf0 which can be used as unique global reference for Smoke Loader - S0226 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0226
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Linux Rabbit - S0362

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linux Rabbit - S0362.

Known Synonyms
Linux Rabbit
Internal MISP references

UUID 0efefea5-78da-4022-92bc-d726139e8883 which can be used as unique global reference for Linux Rabbit - S0362 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0362
mitre_platforms ['Linux']
Related clusters

To see the related clusters, click here.

Stealth Mango - S0328

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. (Citation: Lookout-StealthMango)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stealth Mango - S0328.

Known Synonyms
Stealth Mango
Internal MISP references

UUID 085eb36d-697d-4d9a-bac3-96eb879fe73c which can be used as unique global reference for Stealth Mango - S0328 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0328
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Corona Updates - S0425

Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Corona Updates - S0425.

Known Synonyms
Concipit1248
Corona Updates
Wabi Music
Internal MISP references

UUID 366c800f-97a8-48d5-b0a6-79d00198252a which can be used as unique global reference for Corona Updates - S0425 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0425
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Gold Dragon - S0249

Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gold Dragon - S0249.

Known Synonyms
Gold Dragon
Internal MISP references

UUID b9799466-9dd7-4098-b2d6-f999ce50b9a8 which can be used as unique global reference for Gold Dragon - S0249 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0249
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Caterpillar WebShell - S0572

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.(Citation: ClearSky Lebanese Cedar Jan 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caterpillar WebShell - S0572.

Known Synonyms
Caterpillar WebShell
Internal MISP references

UUID 751b77e6-af1f-483b-93fe-eddf17f92a64 which can be used as unique global reference for Caterpillar WebShell - S0572 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0572
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Cobian RAT - S0338

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobian RAT - S0338.

Known Synonyms
Cobian RAT
Internal MISP references

UUID aa1462a1-d065-416c-b354-bedd04998c7f which can be used as unique global reference for Cobian RAT - S0338 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0338
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Cardinal RAT - S0348

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cardinal RAT - S0348.

Known Synonyms
Cardinal RAT
Internal MISP references

UUID b879758f-bbc4-4cab-b5ba-177ac9b009b4 which can be used as unique global reference for Cardinal RAT - S0348 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0348
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Golden Cup - S0535

Golden Cup is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Golden Cup - S0535.

Known Synonyms
Golden Cup
Internal MISP references

UUID f3975cc0-72bc-4308-836e-ac701b83860e which can be used as unique global reference for Golden Cup - S0535 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0535
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Olympic Destroyer - S0365

Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Olympic Destroyer - S0365.

Known Synonyms
Olympic Destroyer
Internal MISP references

UUID 3249e92a-870b-426d-8790-ba311c1abfb4 which can be used as unique global reference for Olympic Destroyer - S0365 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0365
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Revenge RAT - S0379

Revenge RAT is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Revenge RAT - S0379.

Known Synonyms
Revenge RAT
Internal MISP references

UUID bdb27a1d-1844-42f1-a0c0-826027ae0326 which can be used as unique global reference for Revenge RAT - S0379 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0379
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Rising Sun - S0448

Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rising Sun - S0448.

Known Synonyms
Rising Sun
Internal MISP references

UUID 56e6b6c2-e573-4969-8bab-783205cebbbf which can be used as unique global reference for Rising Sun - S0448 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0448
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

JSS Loader - S0648

JSS Loader is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JSS Loader - S0648.

Known Synonyms
JSS Loader
Internal MISP references

UUID f559f945-eb8b-48b1-904c-68568deebed3 which can be used as unique global reference for JSS Loader - S0648 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0648
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

DEFENSOR ID - S0479

DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEFENSOR ID - S0479.

Known Synonyms
DEFENSOR ID
Internal MISP references

UUID 5a5dca4c-03c1-4b99-bfcf-c206e20aa663 which can be used as unique global reference for DEFENSOR ID - S0479 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0479
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Tiktok Pro - S0558

Tiktok Pro is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tiktok Pro - S0558.

Known Synonyms
Tiktok Pro
Internal MISP references

UUID c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0 which can be used as unique global reference for Tiktok Pro - S0558 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0558
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Cyclops Blink - S0687

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyclops Blink - S0687.

Known Synonyms
Cyclops Blink
Internal MISP references

UUID b350b47f-88fe-4921-8538-6d9c59bac84e which can be used as unique global reference for Cyclops Blink - S0687 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0687
mitre_platforms ['Network']
Related clusters

To see the related clusters, click here.

Trojan-SMS.AndroidOS.FakeInst.a - S0306

Trojan-SMS.AndroidOS.FakeInst.a is Android malware. (Citation: Kaspersky-MobileMalware)

Internal MISP references

UUID 28e39395-91e7-4f02-b694-5e079c964da9 which can be used as unique global reference for Trojan-SMS.AndroidOS.FakeInst.a - S0306 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0306
Related clusters

To see the related clusters, click here.

Trojan-SMS.AndroidOS.Agent.ao - S0307

Trojan-SMS.AndroidOS.Agent.ao is Android malware. (Citation: Kaspersky-MobileMalware)

Internal MISP references

UUID a1867c56-8c86-455a-96ad-b0d5f7e2bc17 which can be used as unique global reference for Trojan-SMS.AndroidOS.Agent.ao - S0307 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0307
Related clusters

To see the related clusters, click here.

Trojan-SMS.AndroidOS.OpFake.a - S0308

Trojan-SMS.AndroidOS.OpFake.a is Android malware. (Citation: Kaspersky-MobileMalware)

Internal MISP references

UUID d89c132d-7752-4c7f-9372-954a71522985 which can be used as unique global reference for Trojan-SMS.AndroidOS.OpFake.a - S0308 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0308
Related clusters

To see the related clusters, click here.

Mis-Type - S0084

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.(Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mis-Type - S0084.

Known Synonyms
Mis-Type
Internal MISP references

UUID e1161124-f22e-487f-9d5f-ed8efc8dcd61 which can be used as unique global reference for Mis-Type - S0084 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0084
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

S-Type - S0085

S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.(Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular S-Type - S0085.

Known Synonyms
S-Type
Internal MISP references

UUID 66b1dcde-17a0-4c7b-95fa-b08d430c2131 which can be used as unique global reference for S-Type - S0085 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0085
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Hi-Zor - S0087

Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hi-Zor - S0087.

Known Synonyms
Hi-Zor
Internal MISP references

UUID 5967cc93-57c9-404a-8ffd-097edfa7bdfc which can be used as unique global reference for Hi-Zor - S0087 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0087
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Miner-C - S0133

Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)

Internal MISP references

UUID 17dec760-9c8f-4f1b-9b4b-0ac47a453234 which can be used as unique global reference for Miner-C - S0133 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0133
Related clusters

To see the related clusters, click here.

Seth-Locker - S0639

Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021. (Citation: Trend Micro Ransomware February 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Seth-Locker - S0639.

Known Synonyms
Seth-Locker
Internal MISP references

UUID f931a0b9-0361-4b1b-bacf-955062c35746 which can be used as unique global reference for Seth-Locker - S0639 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0639
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Aria-body - S0456

Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.(Citation: CheckPoint Naikon May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aria-body - S0456.

Known Synonyms
Aria-body
Internal MISP references

UUID 3161d76a-e2b2-4b97-9906-24909b735386 which can be used as unique global reference for Aria-body - S0456 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0456
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

S.O.V.A. - S1062

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular S.O.V.A. - S1062.

Known Synonyms
S.O.V.A.
Internal MISP references

UUID 4b53eb01-57d7-47b4-b078-22766b002b36 which can be used as unique global reference for S.O.V.A. - S1062 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1062
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Android/Chuli.A - S0304

Android/Chuli.A is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Android/Chuli.A - S0304.

Known Synonyms
Android/Chuli.A
Internal MISP references

UUID d05f7357-4cbe-47ea-bf83-b8604226d533 which can be used as unique global reference for Android/Chuli.A - S0304 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0304
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

AndroidOS/MalLocker.B - S0524

AndroidOS/MalLocker.B is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroidOS/MalLocker.B - S0524.

Known Synonyms
AndroidOS/MalLocker.B
Internal MISP references

UUID 9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce which can be used as unique global reference for AndroidOS/MalLocker.B - S0524 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0524
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Android/AdDisplay.Ashas - S0525

Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Android/AdDisplay.Ashas - S0525.

Known Synonyms
Android/AdDisplay.Ashas
Internal MISP references

UUID f7e7b736-2cff-4c2a-9232-352cd383463a which can be used as unique global reference for Android/AdDisplay.Ashas - S0525 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0525
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Trojan.Mebromi - S0001

Trojan.Mebromi is BIOS-level malware that takes control of the victim before the MBR. (Citation: Ge 2011)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trojan.Mebromi - S0001.

Known Synonyms
Trojan.Mebromi
Internal MISP references

UUID c5e9cb46-aced-466c-85ea-7db5572ad9ec which can be used as unique global reference for Trojan.Mebromi - S0001 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0001
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ANDROIDOS_ANSERVER.A - S0310

ANDROIDOS_ANSERVER.A is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANDROIDOS_ANSERVER.A - S0310.

Known Synonyms
ANDROIDOS_ANSERVER.A
Internal MISP references

UUID 4bf6ba32-4165-42c1-b911-9c36165891c8 which can be used as unique global reference for ANDROIDOS_ANSERVER.A - S0310 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0310
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Agent.btz - S0092

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent.btz - S0092.

Known Synonyms
Agent.btz
Internal MISP references

UUID 40d3e230-ed32-469f-ba89-be70cc08ab39 which can be used as unique global reference for Agent.btz - S0092 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0092
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Backdoor.Oldrea - S0093

Backdoor.Oldrea is a modular backdoor that was used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Backdoor.Oldrea - S0093.

Known Synonyms
Backdoor.Oldrea
Havex
Internal MISP references

UUID 083bb47b-02c8-4423-81a2-f9ef58572974 which can be used as unique global reference for Backdoor.Oldrea - S0093 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0093
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Trojan.Karagany - S0094

Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trojan.Karagany - S0094.

Known Synonyms
Karagany
Trojan.Karagany
xFrost
Internal MISP references

UUID 82cb34ba-02b5-432b-b2d2-07f55cbf674d which can be used as unique global reference for Trojan.Karagany - S0094 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0094
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

macOS.OSAMiner - S1048

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular macOS.OSAMiner - S1048.

Known Synonyms
macOS.OSAMiner
Internal MISP references

UUID 2a59a237-1530-4d55-91f9-2aebf961cc37 which can be used as unique global reference for macOS.OSAMiner - S1048 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1048
mitre_platforms ['macOS']
Related clusters

To see the related clusters, click here.

OSX_OCEANLOTUS.D - S0352

OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (root or user).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OSX_OCEANLOTUS.D - S0352.

Known Synonyms
Backdoor.MacOS.OCEANLOTUS.F
OSX_OCEANLOTUS.D
Internal MISP references

UUID b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29 which can be used as unique global reference for OSX_OCEANLOTUS.D - S0352 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0352
mitre_platforms ['macOS']
Related clusters

To see the related clusters, click here.

LITTLELAMB.WOOLTEA - S1121

LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.(Citation: Mandiant Cutting Edge Part 3 February 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LITTLELAMB.WOOLTEA - S1121.

Known Synonyms
LITTLELAMB.WOOLTEA
Internal MISP references

UUID 19256855-65e9-48f2-8b74-9f3d0a994428 which can be used as unique global reference for LITTLELAMB.WOOLTEA - S1121 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1121
mitre_platforms ['Network']
Related clusters

To see the related clusters, click here.

OSX/Shlayer - S0402

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OSX/Shlayer - S0402.

Known Synonyms
Crossrider
OSX/Shlayer
Zshlayer
Internal MISP references

UUID f1314e75-ada8-49f4-b281-b1fb8b48f2a7 which can be used as unique global reference for OSX/Shlayer - S0402 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0402
mitre_platforms ['macOS']
Related clusters

To see the related clusters, click here.

T9000 - S0098

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular T9000 - S0098.

Known Synonyms
T9000
Internal MISP references

UUID 876f6a77-fbc5-4e13-ab1a-5611986730a3 which can be used as unique global reference for T9000 - S0098 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0098
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

BS2005 - S0014

BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. (Citation: Mandiant Operation Ke3chang November 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BS2005 - S0014.

Known Synonyms
BS2005
Internal MISP references

UUID 67fc172a-36fa-4a35-88eb-4ba730ed52a6 which can be used as unique global reference for BS2005 - S0014 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0014
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Sys10 - S0060

Sys10 is a backdoor that was used throughout 2013 by Naikon. (Citation: Baumgartner Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sys10 - S0060.

Known Synonyms
Sys10
Internal MISP references

UUID 7f8730af-f683-423f-9ee1-5f6875a80481 which can be used as unique global reference for Sys10 - S0060 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0060
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Lurid - S0010

Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lurid - S0010.

Known Synonyms
Enfal
Lurid
Internal MISP references

UUID 251fbae2-78f6-4de7-84f6-194c727a64ad which can be used as unique global reference for Lurid - S0010 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0010
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Dipsind - S0200

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. (Citation: Microsoft PLATINUM April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dipsind - S0200.

Known Synonyms
Dipsind
Internal MISP references

UUID e170995d-4f61-4f17-b60e-04f9a06ee517 which can be used as unique global reference for Dipsind - S0200 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0200
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

DressCode - S0300

DressCode is an Android malware family. (Citation: TrendMicro-DressCode)

Internal MISP references

UUID ff742eeb-1f90-4f5a-8b92-9d40fffd99ca which can be used as unique global reference for DressCode - S0300 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0300
Related clusters

To see the related clusters, click here.

Carbanak - S0030

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carbanak - S0030.

Known Synonyms
Anunak
Carbanak
Internal MISP references

UUID 72f54d66-675d-4587-9bd3-4ed09f9522e4 which can be used as unique global reference for Carbanak - S0030 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0030
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

RIPTIDE - S0003

RIPTIDE is a proxy-aware backdoor used by APT12. (Citation: Moran 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RIPTIDE - S0003.

Known Synonyms
RIPTIDE
Internal MISP references

UUID ad4f146f-e3ec-444a-ba71-24bffd7f0f8e which can be used as unique global reference for RIPTIDE - S0003 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0003
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

TinyZBot - S0004

TinyZBot is a bot written in C# that was developed by Cleaver. (Citation: Cylance Cleaver)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyZBot - S0004.

Known Synonyms
TinyZBot
Internal MISP references

UUID c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9 which can be used as unique global reference for TinyZBot - S0004 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0004
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

RobbinHood - S0400

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RobbinHood - S0400.

Known Synonyms
RobbinHood
Internal MISP references

UUID 0a607c53-df52-45da-a75d-0e53df4dad5f which can be used as unique global reference for RobbinHood - S0400 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0400
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

CosmicDuke - S0050

CosmicDuke is malware that was used by APT29 from 2010 to 2015. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CosmicDuke - S0050.

Known Synonyms
BotgenStudios
CosmicDuke
NemesisGemina
TinyBaron
Internal MISP references

UUID 2eb9b131-d333-4a48-9eb4-d8dec46c19ee which can be used as unique global reference for CosmicDuke - S0050 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0050
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Doki - S0600

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Doki - S0600.

Known Synonyms
Doki
Internal MISP references

UUID 4f1c389e-a80e-4a3e-9b0e-9be8c91df64f which can be used as unique global reference for Doki - S0600 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0600
mitre_platforms ['Linux', 'Containers']
Related clusters

To see the related clusters, click here.

HTTPBrowser - S0070

HTTPBrowser is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HTTPBrowser - S0070.

Known Synonyms
HTTPBrowser
HttpDump
Token Control
Internal MISP references

UUID e066bf86-9cfb-407a-9d25-26fd5d91e360 which can be used as unique global reference for HTTPBrowser - S0070 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0070
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Mivast - S0080

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mivast - S0080.

Known Synonyms
Mivast
Internal MISP references

UUID fbb470da-1d44-4f29-bbb3-9efbe20f94a3 which can be used as unique global reference for Mivast - S0080 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0080
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Hikit - S0009

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hikit - S0009.

Known Synonyms
Hikit
Internal MISP references

UUID 95047f03-4811-4300-922e-1ba937d53a61 which can be used as unique global reference for Hikit - S0009 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0009
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Ngrok - S9000

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ngrok - S9000.

Known Synonyms
Ngrok
Internal MISP references

UUID 911fe4c3-444d-4e92-83b8-cc761ac5fd3b which can be used as unique global reference for Ngrok - S9000 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S9000
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Rover - S0090

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rover - S0090.

Known Synonyms
Rover
Internal MISP references

UUID 6b616fc1-1505-48e3-8b2c-0d19337bff38 which can be used as unique global reference for Rover - S0090 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0090
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Ninja - S1100

Ninja is malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit used exclusively by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and has been observed in specific infection chains being deployed by Samurai.(Citation: Kaspersky ToddyCat June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ninja - S1100.

Known Synonyms
Ninja
Internal MISP references

UUID 023254de-caaf-4a05-b2c7-e4e2f283f7a5 which can be used as unique global reference for Ninja - S1100 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1100
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Taidoor - S0011

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) Taidoor has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Taidoor - S0011.

Known Synonyms
Taidoor
Internal MISP references

UUID b143dfa4-e944-43ff-8429-bfffc308c517 which can be used as unique global reference for Taidoor - S0011 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0011
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

WEBC2 - S0109

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WEBC2 - S0109.

Known Synonyms
WEBC2
Internal MISP references

UUID 1d808f62-cf63-4063-9727-ff6132514c22 which can be used as unique global reference for WEBC2 - S0109 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0109
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Derusbi - S0021

Derusbi is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Derusbi - S0021.

Known Synonyms
Derusbi
PHOTO
Internal MISP references

UUID 94379dec-5c87-49db-b36e-66abc0b81344 which can be used as unique global reference for Derusbi - S0021 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0021
mitre_platforms ['Windows', 'Linux']
Related clusters

To see the related clusters, click here.

JPIN - S0201

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JPIN - S0201.

Known Synonyms
JPIN
Internal MISP references

UUID de6cb631-52f6-4169-a73b-7965390b0c30 which can be used as unique global reference for JPIN - S0201 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0201
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

PoisonIvy - S0012

PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoisonIvy - S0012.

Known Synonyms
Breut
Darkmoon
Poison Ivy
PoisonIvy
Internal MISP references

UUID b42378e0-f147-496f-992a-26a49705395b which can be used as unique global reference for PoisonIvy - S0012 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0012
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Kevin - S1020

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kevin - S1020.

Known Synonyms
Kevin
Internal MISP references

UUID e7863f5d-cb6a-4f81-8804-0a635eec160a which can be used as unique global reference for Kevin - S1020 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1020
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Nerex - S0210

Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nerex - S0210.

Known Synonyms
Nerex
Internal MISP references

UUID c251e4a5-9a2e-4166-8e42-442af75c3b9a which can be used as unique global reference for Nerex - S0210 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0210
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

BACKSPACE - S0031

BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BACKSPACE - S0031.

Known Synonyms
BACKSPACE
Lecna
Internal MISP references

UUID fb261c56-b80e-43a9-8351-c84081e7213d which can be used as unique global reference for BACKSPACE - S0031 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0031
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Dendroid - S0301

Dendroid is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dendroid - S0301.

Known Synonyms
Dendroid
Internal MISP references

UUID 317a2c10-d489-431e-b6b2-f0251fddc88e which can be used as unique global reference for Dendroid - S0301 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0301
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

PlugX - S0013

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PlugX - S0013.

Known Synonyms
DestroyRAT
Kaba
Korplug
PlugX
Sogu
TVT
Thoper
Internal MISP references

UUID 64fa0de0-6240-41f4-8638-f4ca7ed528fd which can be used as unique global reference for PlugX - S0013 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0013
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Squirrelwaffle - S1030

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Squirrelwaffle - S1030.

Known Synonyms
Squirrelwaffle
Internal MISP references

UUID 3c18ad16-9eaf-4649-984e-68551bff0d47 which can be used as unique global reference for Squirrelwaffle - S1030 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1030
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Fysbis - S0410

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fysbis - S0410.

Known Synonyms
Fysbis
Internal MISP references

UUID 50d6688b-0985-4f3d-8cbe-0c796b30703b which can be used as unique global reference for Fysbis - S0410 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0410
mitre_platforms ['Linux']
Related clusters

To see the related clusters, click here.

Shamoon - S0140

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shamoon - S0140.

Known Synonyms
Disttrack
Shamoon
Internal MISP references

UUID 8901ac23-6b50-410c-b0dd-d8174a86f9b3 which can be used as unique global reference for Shamoon - S0140 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0140
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Wiper - S0041

Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)

Internal MISP references

UUID a19c49aa-36fe-4c05-b817-23e1c7a7d085 which can be used as unique global reference for Wiper - S0041 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0041
Related clusters

To see the related clusters, click here.

MiniDuke - S0051

MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MiniDuke - S0051.

Known Synonyms
MiniDuke
Internal MISP references

UUID 5e7ef1dc-7fb6-4913-ac75-e06113b59e0c which can be used as unique global reference for MiniDuke - S0051 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0051
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

POSHSPY - S0150

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POSHSPY - S0150.

Known Synonyms
POSHSPY
Internal MISP references

UUID 5e595477-2e78-4ce7-ae42-e0b059b17808 which can be used as unique global reference for POSHSPY - S0150 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0150
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Ixeshe - S0015

Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ixeshe - S0015.

Known Synonyms
Ixeshe
Internal MISP references

UUID 8beac7c2-48d2-4cd9-9b15-6c452f38ac06 which can be used as unique global reference for Ixeshe - S0015 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0015
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

PipeMon - S0501

PipeMon is a multi-stage modular backdoor used by Winnti Group.(Citation: ESET PipeMon May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PipeMon - S0501.

Known Synonyms
PipeMon
Internal MISP references

UUID 8393dac0-0583-456a-9372-fd81691bca20 which can be used as unique global reference for PipeMon - S0501 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0501
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

HDoor - S0061

HDoor is malware that has been customized and used by the Naikon group. (Citation: Baumgartner Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HDoor - S0061.

Known Synonyms
Custom HDoor
HDoor
Internal MISP references

UUID 007b44b6-e4c5-480b-b5b9-56f2081b1b7b which can be used as unique global reference for HDoor - S0061 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0061
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Hildegard - S0601

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. (Citation: Unit 42 Hildegard Malware)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hildegard - S0601.

Known Synonyms
Hildegard
Internal MISP references

UUID 40a1b8ec-7295-416c-a6b1-68181d86f120 which can be used as unique global reference for Hildegard - S0601 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0601
mitre_platforms ['Linux', 'Containers', 'IaaS']
Related clusters

To see the related clusters, click here.

Mafalda - S1060

Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mafalda - S1060.

Known Synonyms
Mafalda
Internal MISP references

UUID 3be1fb7a-0f7e-415e-8e3a-74a80d596e68 which can be used as unique global reference for Mafalda - S1060 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1060
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SideTwist - S0610

SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.(Citation: Check Point APT34 April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SideTwist - S0610.

Known Synonyms
SideTwist
Internal MISP references

UUID df4cd566-ff2f-4d08-976d-8c86e95782de which can be used as unique global reference for SideTwist - S0610 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0610
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

BISCUIT - S0017

BISCUIT is a backdoor that has been used by APT1 since as early as 2007. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BISCUIT - S0017.

Known Synonyms
BISCUIT
Internal MISP references

UUID b8eb28e4-48a6-40ae-951a-328714f75eda which can be used as unique global reference for BISCUIT - S0017 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0017
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Helminth - S0170

Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Helminth - S0170.

Known Synonyms
Helminth
Internal MISP references

UUID eff1a885-6f90-42a1-901f-eef6e7a1905e which can be used as unique global reference for Helminth - S0170 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0170
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

hcdLoader - S0071

hcdLoader is a remote access tool (RAT) that has been used by APT18. (Citation: Dell Lateral Movement)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular hcdLoader - S0071.

Known Synonyms
hcdLoader
Internal MISP references

UUID 9e2bba94-950b-4fcf-8070-cb3f816c5f4e which can be used as unique global reference for hcdLoader - S0071 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0071
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Elise - S0081

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elise - S0081.

Known Synonyms
BKDR_ESILE
Elise
Page
Internal MISP references

UUID 7551188b-8f91-4d34-8350-0d0c57b2b913 which can be used as unique global reference for Elise - S0081 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0081
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Fakecalls - S1080

Fakecalls is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fakecalls - S1080.

Known Synonyms
Fakecalls
Internal MISP references

UUID 429e1526-6293-495b-8808-af7f9a66c4be which can be used as unique global reference for Fakecalls - S1080 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1080
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Sykipot - S0018

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sykipot - S0018.

Known Synonyms
Sykipot
Internal MISP references

UUID 6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9 which can be used as unique global reference for Sykipot - S0018 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0018
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Volgmer - S0180

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volgmer - S0180.

Known Synonyms
Volgmer
Internal MISP references

UUID 495b6cdb-7b5a-4fbc-8d33-e7ef68806d08 which can be used as unique global reference for Volgmer - S0180 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0180
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

NightClub - S1090

NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.(Citation: MoustachedBouncer ESET August 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NightClub - S1090.

Known Synonyms
NightClub
Internal MISP references

UUID 91c57ed3-7c32-4c68-b388-7db00cb8dac6 which can be used as unique global reference for NightClub - S1090 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S1090
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Epic - S0091

Epic is a backdoor that has been used by Turla. (Citation: Kaspersky Turla)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Epic - S0091.

Known Synonyms
Epic
TadjMakhal
Tavdig
Wipbot
WorldCupSec
Internal MISP references

UUID 6b62e336-176f-417b-856a-8552dd8c44e1 which can be used as unique global reference for Epic - S0091 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0091
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Regin - S0019

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. (Citation: Kaspersky Regin)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Regin - S0019.

Known Synonyms
Regin
Internal MISP references

UUID 4c59cce8-cb48-4141-b9f1-f646edfaadb0 which can be used as unique global reference for Regin - S0019 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0019
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Chaos - S0220

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chaos - S0220.

Known Synonyms
Chaos
Internal MISP references

UUID 5bcd5511-6756-4824-a692-e8bb109364af which can be used as unique global reference for Chaos - S0220 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0220
mitre_platforms ['Linux']
Related clusters

To see the related clusters, click here.

Uroburos - S0022

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Uroburos - S0022.

Known Synonyms
Snake
Uroburos
Internal MISP references

UUID 80a014ba-3fef-4768-990b-37d8bd10d7f4 which can be used as unique global reference for Uroburos - S0022 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0022
mitre_platforms ['Linux', 'Windows', 'macOS']
Related clusters

To see the related clusters, click here.

adbupd - S0202

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. (Citation: Microsoft PLATINUM April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular adbupd - S0202.

Known Synonyms
adbupd
Internal MISP references

UUID 0f1ad2ef-41d4-4b7a-9304-ddae68ea3005 which can be used as unique global reference for adbupd - S0202 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0202
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

CHOPSTICK - S0023

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the X-Agent for Android.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CHOPSTICK - S0023.

Known Synonyms
Backdoor.SofacyX
CHOPSTICK
SPLM
X-Agent
Xagent
webhp
Internal MISP references

UUID ccd61dfc-b03f-4689-8c18-7c97eab08472 which can be used as unique global reference for CHOPSTICK - S0023 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0023
mitre_platforms ['Windows', 'Linux']
Related clusters

To see the related clusters, click here.

DroidJack - S0320

DroidJack is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DroidJack - S0320.

Known Synonyms
DroidJack
Internal MISP references

UUID 05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1 which can be used as unique global reference for DroidJack - S0320 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0320
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Hydraq - S0203

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hydraq - S0203.

Known Synonyms
9002 RAT
Aurora
HidraQ
HomeUnix
Homux
HydraQ
Hydraq
McRat
MdmBot
Roarur
Internal MISP references

UUID 73a4793a-ce55-4159-b2a6-208ef29b326f which can be used as unique global reference for Hydraq - S0203 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0203
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ZeroT - S0230

ZeroT is a Trojan used by TA459, often in conjunction with PlugX. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZeroT - S0230.

Known Synonyms
ZeroT
Internal MISP references

UUID 4ab44516-ad75-4e43-a280-705dc0420e2f which can be used as unique global reference for ZeroT - S0230 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0230
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Twitoor - S0302

Twitoor is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Twitoor - S0302.

Known Synonyms
Twitoor
Internal MISP references

UUID 41e3fd01-7b83-471f-835d-d2b1dc9a770c which can be used as unique global reference for Twitoor - S0302 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0302
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Get2 - S0460

Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.(Citation: Proofpoint TA505 October 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Get2 - S0460.

Known Synonyms
Get2
Internal MISP references

UUID 099ecff2-41b8-436d-843c-038a9aa9aa69 which can be used as unique global reference for Get2 - S0460 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0460
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

LOWBALL - S0042

LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LOWBALL - S0042.

Known Synonyms
LOWBALL
Internal MISP references

UUID 2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b which can be used as unique global reference for LOWBALL - S0042 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0042
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ROKRAT - S0240

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROKRAT - S0240.

Known Synonyms
ROKRAT
Internal MISP references

UUID 60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f which can be used as unique global reference for ROKRAT - S0240 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0240
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Briba - S0204

Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Briba - S0204.

Known Synonyms
Briba
Internal MISP references

UUID 79499993-a8d6-45eb-b343-bf58dea5bdde which can be used as unique global reference for Briba - S0204 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0204
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Dvmap - S0420

Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dvmap - S0420.

Known Synonyms
Dvmap
Internal MISP references

UUID 22b596a6-d288-4409-8520-5f2846f85514 which can be used as unique global reference for Dvmap - S0420 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0420
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Dyre - S0024

Dyre is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dyre - S0024.

Known Synonyms
Dyre
Dyreza
Dyzap
Internal MISP references

UUID 63c2a130-8a5b-452f-ad96-07cf0af12ffe which can be used as unique global reference for Dyre - S0024 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0024
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

CALENDAR - S0025

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CALENDAR - S0025.

Known Synonyms
CALENDAR
Internal MISP references

UUID 5a84dc36-df0d-4053-9b7c-f0c388a57283 which can be used as unique global reference for CALENDAR - S0025 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0025
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

BLINDINGCAN - S0520

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLINDINGCAN - S0520.

Known Synonyms
BLINDINGCAN
Internal MISP references

UUID 01dbc71d-0ee8-420d-abb4-3dfb6a4bf725 which can be used as unique global reference for BLINDINGCAN - S0520 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0520
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

OnionDuke - S0052

OnionDuke is malware that was used by APT29 from 2013 to 2015. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OnionDuke - S0052.

Known Synonyms
OnionDuke
Internal MISP references

UUID b136d088-a829-432c-ac26-5529c26d4c7e which can be used as unique global reference for OnionDuke - S0052 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0052
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Drovorub - S0502

Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.(Citation: NSA/FBI Drovorub August 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Drovorub - S0502.

Known Synonyms
Drovorub
Internal MISP references

UUID 99164b38-1775-40bc-b77b-a2373b14540a which can be used as unique global reference for Drovorub - S0502 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0502
mitre_platforms ['Linux']
Related clusters

To see the related clusters, click here.

Naid - S0205

Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Naid - S0205.

Known Synonyms
Naid
Internal MISP references

UUID 48523614-309e-43bf-a2b8-705c2b45d7b2 which can be used as unique global reference for Naid - S0205 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0205
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

GLOOXMAIL - S0026

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GLOOXMAIL - S0026.

Known Synonyms
GLOOXMAIL
Trojan.GTALK
Internal MISP references

UUID f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2 which can be used as unique global reference for GLOOXMAIL - S0026 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0026
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Circles - S0602

Circles reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Circles - S0602.

Known Synonyms
Circles
Internal MISP references

UUID c6a07c89-a24c-4c7e-9e3e-6153cc595e24 which can be used as unique global reference for Circles - S0602 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0602
Related clusters

To see the related clusters, click here.

DustySky - S0062

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DustySky - S0062.

Known Synonyms
DustySky
NeD Worm
Internal MISP references

UUID 687c23e4-4e25-4ee7-a870-c5e002511f54 which can be used as unique global reference for DustySky - S0062 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0062
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

InvisiMole - S0260

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular InvisiMole - S0260.

Known Synonyms
InvisiMole
Internal MISP references

UUID 47afe41c-4c08-485e-b062-c3bd209a1cce which can be used as unique global reference for InvisiMole - S0260 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0260
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Wiarp - S0206

Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wiarp - S0206.

Known Synonyms
Wiarp
Internal MISP references

UUID 039814a0-88de-46c5-a4fb-b293db21880a which can be used as unique global reference for Wiarp - S0206 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0206
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

OwaAuth - S0072

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. (Citation: Dell TG-3390)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OwaAuth - S0072.

Known Synonyms
OwaAuth
Internal MISP references

UUID a60657fa-e2e7-4f8f-8128-a882534ae8c5 which can be used as unique global reference for OwaAuth - S0072 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0072
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

RogueRobin - S0270

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RogueRobin - S0270.

Known Synonyms
RogueRobin
Internal MISP references

UUID 8ec6e3b4-b06d-4805-b6aa-af916acc2122 which can be used as unique global reference for RogueRobin - S0270 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0270
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Vasport - S0207

Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vasport - S0207.

Known Synonyms
Vasport
Internal MISP references

UUID f4d8a2d6-c684-453a-8a14-cf4a94f755c5 which can be used as unique global reference for Vasport - S0207 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0207
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Zeroaccess - S0027

Zeroaccess is a kernel-mode rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)

Internal MISP references

UUID 552462b9-ae79-49dd-855c-5973014e157f which can be used as unique global reference for Zeroaccess - S0027 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0027
Related clusters

To see the related clusters, click here.

SHIPSHAPE - S0028

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

Internal MISP references

UUID b1de6916-7a22-4460-8d26-6b5483ffaa2a which can be used as unique global reference for SHIPSHAPE - S0028 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0028
Related clusters

To see the related clusters, click here.

Emissary - S0082

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Emissary - S0082.

Known Synonyms
Emissary
Internal MISP references

UUID 0f862b01-99da-47cc-9bdb-db4a86a95bb1 which can be used as unique global reference for Emissary - S0082 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0082
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

MirageFox - S0280

MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MirageFox - S0280.

Known Synonyms
MirageFox
Internal MISP references

UUID e3cedcfe-6515-4348-af65-7f2c4157bf0d which can be used as unique global reference for MirageFox - S0280 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0280
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Pasam - S0208

Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pasam - S0208.

Known Synonyms
Pasam
Internal MISP references

UUID e811ff6a-4cef-4856-a6ae-a7daf9ed39ae which can be used as unique global reference for Pasam - S0208 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0208
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Darkmoon - S0209

Internal MISP references

UUID 310f437b-29e7-4844-848c-7220868d074a which can be used as unique global reference for Darkmoon - S0209 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0209
Related clusters

To see the related clusters, click here.

Gooligan - S0290

Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gooligan - S0290.

Known Synonyms
Ghost Push
Gooligan
Internal MISP references

UUID 20d56cd6-8dff-4871-9889-d32d254816de which can be used as unique global reference for Gooligan - S0290 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0290
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

MazarBOT - S0303

MazarBOT is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)

Internal MISP references

UUID 5ddf81ea-2c06-497b-8c30-5f1ab89a40f9 which can be used as unique global reference for MazarBOT - S0303 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0303
Related clusters

To see the related clusters, click here.

NetTraveler - S0033

NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NetTraveler - S0033.

Known Synonyms
NetTraveler
Internal MISP references

UUID cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e which can be used as unique global reference for NetTraveler - S0033 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0033
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

BUBBLEWRAP - S0043

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BUBBLEWRAP - S0043.

Known Synonyms
BUBBLEWRAP
Backdoor.APT.FakeWinHTTPHelper
Internal MISP references

UUID 123bd7b3-675c-4b1a-8482-c55782b20e2b which can be used as unique global reference for BUBBLEWRAP - S0043 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0043
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

NETEAGLE - S0034

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NETEAGLE - S0034.

Known Synonyms
NETEAGLE
Internal MISP references

UUID 53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2 which can be used as unique global reference for NETEAGLE - S0034 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0034
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Octopus - S0340

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Octopus - S0340.

Known Synonyms
Octopus
Internal MISP references

UUID e2031fd5-02c2-43d4-85e2-b64f474530c2 which can be used as unique global reference for Octopus - S0340 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0340
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Riltok - S0403

Riltok is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Riltok - S0403.

Known Synonyms
Riltok
Internal MISP references

UUID c0efbaae-9e7d-4716-a92d-68373aac7424 which can be used as unique global reference for Riltok - S0403 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0403
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

SPACESHIP - S0035

SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SPACESHIP - S0035.

Known Synonyms
SPACESHIP
Internal MISP references

UUID 8b880b41-5139-4807-baa9-309690218719 which can be used as unique global reference for SPACESHIP - S0035 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0035
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SeaDuke - S0053

SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SeaDuke - S0053.

Known Synonyms
SeaDaddy
SeaDesk
SeaDuke
Internal MISP references

UUID 67e6d66b-1b82-4699-b47a-e2efb6268d14 which can be used as unique global reference for SeaDuke - S0053 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0053
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

FrameworkPOS - S0503

FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FrameworkPOS - S0503.

Known Synonyms
FrameworkPOS
Trinity
Internal MISP references

UUID 1cdbbcab-903a-414d-8eb0-439a97343737 which can be used as unique global reference for FrameworkPOS - S0503 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0503
Related clusters

To see the related clusters, click here.

Melcoz - S0530

Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.(Citation: Securelist Brazilian Banking Malware July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Melcoz - S0530.

Known Synonyms
Melcoz
Internal MISP references

UUID d3105fb5-c494-4fd1-a7be-414eab9e0c96 which can be used as unique global reference for Melcoz - S0530 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0530
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

zwShell - S0350

zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.(Citation: McAfee Night Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular zwShell - S0350.

Known Synonyms
zwShell
Internal MISP references

UUID 54e8672d-5338-4ad1-954a-a7c986bee530 which can be used as unique global reference for zwShell - S0350 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0350
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

BONDUPDATER - S0360

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BONDUPDATER - S0360.

Known Synonyms
BONDUPDATER
Internal MISP references

UUID d5268dfb-ae2b-4e0e-ac07-02a460613d8a which can be used as unique global reference for BONDUPDATER - S0360 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0360
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

FLASHFLOOD - S0036

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FLASHFLOOD - S0036.

Known Synonyms
FLASHFLOOD
Internal MISP references

UUID 43213480-78f7-4fb3-976f-d48f5f6a4c2a which can be used as unique global reference for FLASHFLOOD - S0036 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0036
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SHOTPUT - S0063

SHOTPUT is a custom backdoor used by APT3. (Citation: FireEye Clandestine Wolf)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHOTPUT - S0063.

Known Synonyms
Backdoor.APT.CookieCutter
Pirpi
SHOTPUT
Internal MISP references

UUID 58adaaa8-f1e8-4606-9a08-422e568461eb which can be used as unique global reference for SHOTPUT - S0063 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0063
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Nebulae - S0630

Nebulae is a backdoor that has been used by Naikon since at least 2020.(Citation: Bitdefender Naikon April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nebulae - S0630.

Known Synonyms
Nebulae
Internal MISP references

UUID 22b17791-45bf-45c0-9322-ff1a0af5cf2b which can be used as unique global reference for Nebulae - S0630 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0630
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Stuxnet - S0603

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) Stuxnet was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stuxnet - S0603.

Known Synonyms
Stuxnet
W32.Stuxnet
Internal MISP references

UUID 088f1d6e-0783-47c6-9923-9c79b2af43d4 which can be used as unique global reference for Stuxnet - S0603 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0603
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

HAMMERTOSS - S0037

HAMMERTOSS is a backdoor that was used by APT29 in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAMMERTOSS - S0037.

Known Synonyms
HAMMERTOSS
HammerDuke
NetDuke
Internal MISP references

UUID 2daa14d6-cbf3-4308-bb8e-213c324a08e4 which can be used as unique global reference for HAMMERTOSS - S0037 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0037
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ASPXSpy - S0073

ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. (Citation: Dell TG-3390)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ASPXSpy - S0073.

Known Synonyms
ASPXSpy
ASPXTool
Internal MISP references

UUID 56f46b17-8cfa-46c0-b501-dd52fef394e2 which can be used as unique global reference for ASPXSpy - S0073 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0073
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SamSam - S0370

SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SamSam - S0370.

Known Synonyms
SamSam
Samas
Internal MISP references

UUID 4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62 which can be used as unique global reference for SamSam - S0370 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0370
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

StoneDrill - S0380

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StoneDrill - S0380.

Known Synonyms
DROPSHOT
StoneDrill
Internal MISP references

UUID 8dbadf80-468c-4a62-b817-4e4d8b606887 which can be used as unique global reference for StoneDrill - S0380 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0380
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Duqu - S0038

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Duqu - S0038.

Known Synonyms
Duqu
Internal MISP references

UUID 68dca94f-c11d-421e-9287-7c501108e18c which can be used as unique global reference for Duqu - S0038 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0038
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Misdat - S0083

Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.(Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Misdat - S0083.

Known Synonyms
Misdat
Internal MISP references

UUID 0db09158-6e48-4e7c-8ce7-2b10b9c0c039 which can be used as unique global reference for Misdat - S0083 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0083
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Adups - S0309

Adups is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)

Internal MISP references

UUID f6ac21b6-2592-400c-8472-10d0e2f1bfaf which can be used as unique global reference for Adups - S0309 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0309
Related clusters

To see the related clusters, click here.

SQLRat - S0390

SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.(Citation: Flashpoint FIN 7 March 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SQLRat - S0390.

Known Synonyms
SQLRat
Internal MISP references

UUID 8fc6c9e7-a162-4ca4-a488-f1819e9a7b06 which can be used as unique global reference for SQLRat - S0390 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0390
Related clusters

To see the related clusters, click here.

JHUHUGIT - S0044

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JHUHUGIT - S0044.

Known Synonyms
GAMEFISH
JHUHUGIT
JKEYSKW
Sednit
Seduploader
SofacyCarberp
Trojan.Sofacy
Internal MISP references

UUID 8ae43c46-57ef-47d5-a77a-eebb35628db2 which can be used as unique global reference for JHUHUGIT - S0044 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0044
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

SHARPSTATS - S0450

SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHARPSTATS - S0450.

Known Synonyms
SHARPSTATS
Internal MISP references

UUID 73c4711b-407a-449d-b269-e3b1531fe7a9 which can be used as unique global reference for SHARPSTATS - S0450 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0450
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ADVSTORESHELL - S0045

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ADVSTORESHELL - S0045.

Known Synonyms
ADVSTORESHELL
AZZY
EVILTOSS
NETUI
Sedreco
Internal MISP references

UUID fb575479-14ef-41e9-bfab-0b7cf10bec73 which can be used as unique global reference for ADVSTORESHELL - S0045 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0045
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Asacub - S0540

Asacub is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Asacub - S0540.

Known Synonyms
Asacub
Trojan-SMS.AndroidOS.Smaps
Internal MISP references

UUID a76b837b-93cc-417d-bf28-c47a6a284fa4 which can be used as unique global reference for Asacub - S0540 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0540
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Anchor - S0504

Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anchor - S0504.

Known Synonyms
Anchor
Anchor_DNS
Internal MISP references

UUID 5f1d4579-4e8f-48e7-860e-2da773ae432e which can be used as unique global reference for Anchor - S0504 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0504
mitre_platforms ['Linux', 'Windows']
Related clusters

To see the related clusters, click here.

CloudDuke - S0054

CloudDuke is malware that was used by APT29 in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CloudDuke - S0054.

Known Synonyms
CloudDuke
CloudLook
MiniDionis
Internal MISP references

UUID cbf646f1-7db5-4dc6-808b-0094313949df which can be used as unique global reference for CloudDuke - S0054 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0054
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Exodus - S0405

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exodus - S0405.

Known Synonyms
Exodus
Exodus One
Exodus Two
Internal MISP references

UUID 3049b2f2-e323-4cdb-91cb-13b37b904cbb which can be used as unique global reference for Exodus - S0405 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0405
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Avaddon - S0640

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Avaddon - S0640.

Known Synonyms
Avaddon
Internal MISP references

UUID 58c5a3a1-928f-4094-9e98-a5a4e56dd5f3 which can be used as unique global reference for Avaddon - S0640 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0640
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

CozyCar - S0046

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CozyCar - S0046.

Known Synonyms
Cozer
CozyBear
CozyCar
CozyDuke
EuroAPT
Internal MISP references

UUID e6ef745b-077f-42e1-a37d-29eecff9c754 which can be used as unique global reference for CozyCar - S0046 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0046
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

ELMER - S0064

ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. (Citation: FireEye EPS Awakens Part 2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ELMER - S0064.

Known Synonyms
ELMER
Internal MISP references

UUID 3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c which can be used as unique global reference for ELMER - S0064 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0064
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Gustuff - S0406

Gustuff is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gustuff - S0406.

Known Synonyms
Gustuff
Internal MISP references

UUID ff8e0c38-be47-410f-a2d3-a3d24a87c617 which can be used as unique global reference for Gustuff - S0406 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0406
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Industroyer - S0604

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) Industroyer was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Industroyer - S0604.

Known Synonyms
CRASHOVERRIDE
Industroyer
Win32/Industroyer
Internal MISP references

UUID e401d4fe-f0c9-44f0-98e6-f93487678808 which can be used as unique global reference for Industroyer - S0604 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0604
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

BBK - S0470

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BBK - S0470.

Known Synonyms
BBK
Internal MISP references

UUID f0fc920e-57a3-4af5-89be-9ea594c8b1ea which can be used as unique global reference for BBK - S0470 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0470
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Monokle - S0407

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.(Citation: Lookout-Monokle)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Monokle - S0407.

Known Synonyms
Monokle
Internal MISP references

UUID 6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65 which can be used as unique global reference for Monokle - S0407 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0407
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

Sakula - S0074

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sakula - S0074.

Known Synonyms
Sakula
Sakurel
VIPER
Internal MISP references

UUID 96b08451-b27a-4ff6-893f-790e26393a8e which can be used as unique global reference for Sakula - S0074 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0074
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Cerberus - S0480

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim it was used in private operations for two years.(Citation: Threat Fabric Cerberus)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cerberus - S0480.

Known Synonyms
Cerberus
Internal MISP references

UUID 037f44f0-0c07-4c7f-b40e-0325b5b228a9 which can be used as unique global reference for Cerberus - S0480 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0480
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

PinchDuke - S0048

PinchDuke is malware that was used by APT29 from 2008 to 2010. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PinchDuke - S0048.

Known Synonyms
PinchDuke
Internal MISP references

UUID ae9d818d-95d0-41da-b045-9cabea1ca164 which can be used as unique global reference for PinchDuke - S0048 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0048
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

GeminiDuke - S0049

GeminiDuke is malware that was used by APT29 from 2009 to 2012. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GeminiDuke - S0049.

Known Synonyms
GeminiDuke
Internal MISP references

UUID 199463de-d9be-46d6-bb41-07234c1dd5a6 which can be used as unique global reference for GeminiDuke - S0049 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0049
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

Machete - S0409

Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Machete - S0409.

Known Synonyms
Machete
Pyark
Internal MISP references

UUID 35cd1d01-1ede-44d2-b073-a264d727bc04 which can be used as unique global reference for Machete - S0409 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0409
mitre_platforms ['Windows']
Related clusters

To see the related clusters, click here.

DoubleAgent - S0550

DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DoubleAgent - S0550.

Known Synonyms
DoubleAgent
Internal MISP references

UUID 3d6c4389-3489-40a3-beda-c56e650b6f68 which can be used as unique global reference for DoubleAgent - S0550 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
external_id S0550
mitre_platforms ['Android']
Related clusters

To see the related clusters, click here.

RARSTONE - S0055

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. (Citation: Aquino RARSTONE)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RARSTONE - S0055.

Known Synonyms
RARSTONE
Internal MISP references

UUID 8c553311-0baa-4146-997a-f79acef3d831 which can be used as unique global reference for RARSTONE - S0055 in MISP communities and other software using the MISP galaxy

External references