Skip to content

Hide Navigation Hide TOC

Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb)

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.

Cluster A Galaxy A Cluster B Galaxy B Level
Aqua Blizzard (fc77a775-d06f-5efc-a6fa-0b2af01902a7) Microsoft Activity Group actor Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb) Threat Actor 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb) Threat Actor 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool 2
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern 2
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 2
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 2
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 2
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool 3
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 3
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern 3
Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool 3
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 3
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 3
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 3
Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Pteranodon (d5138738-846e-4466-830c-cd2bb6ad09cf) Malpedia 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 3
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 3
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4