Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb)

Unit 42 threat researchers have recently observed a threat group distributing new, custom-developed malware. We have labelled this threat group the Gamaredon Group, and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group has made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group has improved its technical capabilities.

Cluster A Galaxy A Cluster B Galaxy B Level
Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb) Threat Actor Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 1
Gamaredon Group (1a77e156-76bc-43f5-bdd7-bd67f30fbbbb) Threat Actor Aqua Blizzard (fc77a775-d06f-5efc-a6fa-0b2af01902a7) Microsoft Activity Group actor 1
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 2
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 2
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set 2
Gamaredon Group - G0047 (2e290bfe-93b5-48ce-97d6-edcd6d32b7cf) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 3
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 3
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 3
Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 3
PowerPunch - S0685 (d52291b4-bb23-45a8-aef0-3dc7e986ba15) Malware Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Disk Wipe - T1561 (1988cc35-ced8-4dad-b2d1-7628488fa967) Attack Pattern Disk Content Wipe - T1561.001 (fb640c43-aa6b-431e-a961-a279010424ac) Attack Pattern 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
Remcos - S0332 (7cd0bc75-055b-4098-a00e-83dc8beaff14) mitre-tool System Shutdown/Reboot - T1529 (ff73aa03-0090-4464-83ac-f89e233c02bc) Attack Pattern 3
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 3
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware 3
QuietSieve - S0686 (03eb4a05-6a02-43f6-afb7-3c7835501828) Malware Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 3
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Pteranodon (d5138738-846e-4466-830c-cd2bb6ad09cf) Malpedia Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Pteranodon - S0147 (5f9f7648-04ba-4a9f-bb4c-2a13e74572bd) Malware 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 3
Defacement - T1491 (5909f20f-3c39-4795-be06-ef1ea40d350b) Attack Pattern Internal Defacement - T1491.001 (8c41090b-aa47-4331-986b-8c9a51a91103) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995) Attack Pattern 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4