Skip to content

Hide Navigation Hide TOC

Molerats (f7c2e501-73b1-400f-a5d9-2e2e07b7dfde)

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”

Cluster A Galaxy A Cluster B Galaxy B Level
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Molerats (f7c2e501-73b1-400f-a5d9-2e2e07b7dfde) Threat Actor 1
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set 2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Molerats - G0021 (df71bb3b-813c-45eb-a8bc-f2a419837411) Intrusion Set Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware 3
MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern MoleNet - S0553 (8a59f456-79a0-4151-9f56-9b1a67332af2) Malware 3
SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware 3
SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware 3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware 3
SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 3
SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern SharpStage - S0546 (0ba9281c-93fa-4b29-8e9e-7ef918c7b13a) Malware 3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware 3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware 3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware 3
DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern DropBook - S0547 (3ae6097d-d700-46c6-8b21-42fc0bcb48fa) Malware 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Spark - S0543 (03ea629c-517a-41e3-94f8-c7e5368cf8f4) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b) Malware 3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware NeD Worm (eedcf785-d011-4e17-96c4-6ff39138ada0) Tool 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware 3
DustySky - S0062 (687c23e4-4e25-4ee7-a870-c5e002511f54) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
System Language Discovery - T1614.001 (c1b68a96-3c48-49ea-a6c0-9b27359f9c19) Attack Pattern System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 4
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 4
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool 4
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 4
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5) Tool PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 4
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 4
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54) Tool 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67) Attack Pattern 4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 4
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7) Malpedia PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0) RAT 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool 5
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 5
Torn RAT (32a67552-3b31-47bb-8098-078099bbc813) Tool APT14 (c82c904f-b3b4-40a2-bf0d-008912953104) Threat Actor 5
APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f) Tool 6
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3) RAT Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738) Malpedia 6