References

Actors

AdGholas

References:
  • The proof is in the cookie - 2014-11-05 - Malwarebytes - Jérôme Segura AdGholas Angler
  • Massive AdGholas Malvertising Campaigns Use Steganography and File Whitelisting to Hide in Plain Sight - 2016-07-28 - Proofpoint - Kafeine AdGholas Angler
  • Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads - 2016-12-06 - Eset Astrum AdGholas
    • Read More ›

    APT28

    - Sofacy - Pawn Storm - Sednit - Fancy Bear - STRONTIUM

    References:
  • Sednit update: How Fancy Bear Spent the Year - 2017-12-21 - Eset - ESET Research APT28 Sedkit Xagent
    • Read More ›

    bbsindex

    Read More ›

    Bikarys

    Read More ›

    Cobalt Group

    - CobaltG

    References:
  • Cobalt: logical attacks on ATMs - - Group-IB Cobalt Group
    • Read More ›

    Controller

    Read More ›

    Ebates

    - HookAds

    Read More ›

    EITest

    References:
  • Exposing the Flash ‘EITest’ malware campaign - 2014-11-29 - Malwarebytes - Jérôme Segura EITest
  • EITest Nabbing Chrome Users with a “Chrome Font” Social Engineering Scheme - 2017-01-17 - Proofpoint - Kafeine EITest Fleercivet
  • Exposing EITest campaign - 2017-01-30 - Brillanit EITest RIG Cerber Madness
  • EITest: Sinkholing the oldest infection chain - 2018-04-12 - Proofpoint - Kafeine EITest Glazunov Angler Gootkit Cerber CryptXXX Smokebot
    • Read More ›

    FIN6

    - SKELETON SPIDER - ITG08

    Read More ›

    FIN7

    - Navigator - Carbanak - Anunak - CARBON SPIDER

    References:
  • On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation - 2018-08-01 - FireEye - Nick Carr - Kimberly Goody - Steve Miller - Barry Vengerik FIN7 Bateleur
  • Three Members of Notorious International Cybercrime Group “Fin7” In Custody for Role in Attacking Over 100 U.S. companies - 2018-08-01 - Department of Justice - DoJ FIN7
    • Read More ›

    GamiNook

    Read More ›

    GooNky

    - Zirconium

    References:
  • The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK - 2015-12-15 - Proofpoint - Kafeine GooNky Angler CVE-2016-3351
  • Uncovering 2017’s Largest Malvertising Operation - 2018-01-13 - Confiant - Jérôme Dangu GooNky
    • Read More ›

    GRIM SPIDER

    References:
  • Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware - 2019-01-10 - CrowdStrike - Alexander Hanel Ryuk Hermes GRIM SPIDER Trickbot WIZARD SPIDER
    • Read More ›

    INDRIK SPIDER

    References:
  • Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware - 2018-11-14 - CrowdStrike - Sergei Frankoff - Bex Hartley INDRIK SPIDER BitPaymer Dridex
    • Read More ›

    KovCoreG

    - MaxTDS - 3ve2

    References:
  • Large Kovter digitally-signed malvertising campaign and MSRT cleanup release - 2016-05-10 - Microsoft - Microsoft Defender ATP Research Team KovCoreG Kovter
  • Kovter Group malvertising campaign exposes millions to potential malware and fraud - 2017-10-07 - Proofpoint - Kafeine - Proofpoint Staff KovCoreG Kovter
  • Threat Actor Profile: KovCoreG, The Kovter Saga - 2017-11-01 - Proofpoint - Kafeine Kovter KovCoreG Angler Sweet Orange Nuclear Sakura BlackHole Neutrino Fiesta Styx EITest
  • New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign - 2019-10-01 - Trend Micro - Jaromir Horejsi - Joseph C. Chen Novter Nodster KovCoreG Kovter
    • Read More ›

    NeutrAds

    References:
  • Neutrino EK: more Flash trickery - 2016-08-12 - Malwarebytes - Jérôme Segura NeutrAds Neutrino
    • Read More ›

    PINCHY SPIDER

    - GandCrab

    References:
  • PINCHY SPIDER Affiliates Adopt "Big Game Hunting" Tactics to Distribute GandCrab Ransomware - 2019-03-06 - CrowdStrike - Brendon Feeley - Bex Hartley - Sergei Frankoff PINCHY SPIDER GandCrab
    • Read More ›

    SadClowns

    Read More ›

    Sagrid

    Read More ›

    ScriptJS

    - DoublePar - AfraidGate

    Read More ›

    Severa

    - ZOMBIE SPIDER

    References:
  • Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet - 2017-04-13 - CrowdStrike - Falcon Intelligence Team Kelihos Severa
  • Farewell to Kelihos and ZOMBIE SPIDER - 2018-12-05 - CrowdStrike - Brett Stone-Gross - Tillman Werner - Bex Hartley Severa Kelihos
    • Read More ›

    SocGholish

    - FakeUpdates

    References:
  • Fake Flash Player update delivers Net Support RAT - 2017-12-20 - BroadAnalysis - Broad Analysis SocGholish
  • Fake Software Update Abuses NetSupport Remote Access Too - 2018-04-05 - FireEye - Sudhanshu Dubey js-GhoLoader SocGholish
  • "FakeUpdates" campaign leverages multiple website platforms - 2018-04-10 - Malwarebytes - Jérôme Segura SocGholish js-GhoLoader Chthonic
    • Read More ›

    StrongPity

    References:
  • On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users - 2016-08-03 - Securelist - Kurt Baumgartner StrongPity
    • Read More ›

    TA2101

    - Gladkoff

    References:
  • TA2101 plays government imposter to distribute malware to German, Italian, and US organizations - 2019-11-14 - Proofpoint - Bryan Campbell - Bryan Campbell - Proofpoint Staff TA2101 Cobalt Strike Maze IcedID
    • Read More ›

    TA505

    - MONTY SPIDER - UNC902

    References:
  • Threat Actor Profile: TA505, From Dridex to GlobeImposter - 2017-09-27 - Proofpoint - Proofpoint Staff TA505 Dridex Trickbot Shifu
  • An in-depth malware analysis of QuantLoader - 2018-03-28 - Malwarebytes - Vishal Thakur Quant TA505 FlawedAmmyy
  • TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader - 2019-10-16 - Proofpoint - Dennis Schwarz - Kafeine - Matthew Mesa - Axel F - Proofpoint Staff Get2 TA505 SDBbot FlawedGrace FlawedAmmyy Snatch ServHelper
    • Read More ›

    TA530

    - Personalized

    References:
  • Phish Scales: Malicious Actor Combines Personalized Email, Variety of Malware To Target Execs - 2016-04-05 - Proofpoint - Matthew Mesa TA530 Gozi ISFB TinyLoader Nymaim Dridex Smokebot RecoLoad
    • Read More ›

    TA536

    - Modest

    Read More ›

    TA540

    - SWEED - Giant

    References:
  • SWEED: Exposing years of Agent Tesla campaigns - 2019-07-15 - Talos - Edmund Brumaghin - Edmund Brumaghin - Cisco Talos Researchers TA540
    • Read More ›

    TA542

    - MUMMY SPIDER

    Read More ›

    TA544

    - NARWHAL SPIDER - Hastur

    References:
  • Threat Actor Profile: TA544 targets geographies from Italy to Japan with a range of malware - 2019-07-11 - Proofpoint - Proofpoint Staff TA544 Nymaim Gozi ISFB URLZone
    • Read More ›

    TA547

    Read More ›

    TA551

    - Shathak

    Read More ›

    TA554

    References:
  • sLoad and Ramnit pairing in sustained campaigns against UK and Italy - 2018-10-23 - Proofpoint - Proofpoint Staff TA554 sLoad Ramnit PsiXBot Gootkit Snatch
    • Read More ›

    TA555

    Read More ›

    Terazak

    Read More ›

    VirtualDonna

    References:
  • 3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign - 2015-09-30 - Trend Micro - Joseph C. Chen VirtualDonna Angler
  • A DoubleClick https open redirect used in some malvertising chain - 2015-10-15 - MDNC - Kafeine VirtualDonna Angler
    • Read More ›

    WIZARD SPIDER

    Read More ›

    WordsJS

    - ShadowGate

    References:
  • CVE-2018-4878 (Flash Player up to 28.0.0.137) and Exploit Kits - 2018-03-09 - MDNC - Kafeine CVE-2018-4878 WordsJS GreenFlash Sundown Magnitude RIG Fallout Hermes
    • Read More ›