Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)

Hannotog is a type of backdoor malware uniquely associated with Lotus Blossom operations since at least 2022.(Citation: Symantec Bilbug 2022)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) | Malware | 1 |
| Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) | Attack Pattern | Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) | Malware | 1 |
| Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) | Malware | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) | Malware | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) | Malware | 1 |
| Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) | Malware | 1 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) | Malware | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2 |