Archive org download MITRES 008 MITRE S6 demo1 300k

It was first discovered in the wild in Corona Updates is Android spyware that took advantage of the Coronavirus pandemic.

The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store. CosmicDuke is malware that was used by APT29 from to CostaBricks is a loader that was used to deploy bit backdoors in the CostaRicto campaign.

CozyCar is malware that was used by APT29 from to It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. CrackMapExec , or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks.

CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks. Crimson is a remote access Trojan that has been used by Transparent Tribe since at least Crutch is a backdoor designed for document theft that has been used by Turla since at least Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.

CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuky. Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December Dacls is a multi-platform remote access tool used by Lazarus Group since at least December Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims.

Researchers have identified versions written in both Visual C and Delphi. Derusbi is malware used by multiple Chinese APT groups. Both Windows and Linux variants have been observed. Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Dok is a Trojan application disguised as a.

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July Doki was used in conjunction with the Ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms.

DoubleAgent is a family of RAT malware dating back to , known to target groups with contentious relationships with the Chinese government. Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between and DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware.

Dridex is a prolific banking Trojan that first appeared in Dridex was created from the source code of the Bugat banking Trojan also known as Cridex. DroidJack is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games.

Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

Dtrack is spyware that was discovered in and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. DustySky is multi-stage malware written in .NET that has been used by Molerats since May Dvmap is rooting malware that injects malicious code into system runtime libraries.

It is credited with being the first malware that performs this type of code injection. Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).

It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware. Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. Emissary is a Trojan that has been used by Lotus Blossom.

It shares code with Elise , with both Trojans being part of a malware group referred to as LStudio. Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June and has been primarily used to target the banking sector.

Empire is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries. EnvyScout is a dropper that has been used by APT29 since at least Epic is a backdoor that has been used by Turla.

EventBot was designed to target over different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications. EvilGrab is a malware family with common reconnaissance capabilities.

It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. The Windows version is tracked separately under Exaramel for Windows. Exaramel for Windows is a backdoor used for targeting Windows systems.

The Linux version is tracked separately under Exaramel for Linux. Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France. Exodus is Android spyware deployed in two distinct stages named Exodus One dropper and Exodus Two payload. Expand is a Windows utility used to expand one or more compressed CAB files. Explosive is a custom-made remote access tool used by the group Volatile Cedar.

It was first identified in the wild in FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website.

FatDuke is a backdoor used by APT29 since at least Felismus is a modular backdoor that has been used by Sowbug. FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations.

It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. Flame is a sophisticated toolkit that has been used to collect information since at least , largely targeting Middle East countries. APT30 may use this capability to exfiltrate data across air-gaps.

FlawedAmmyy is a remote access tool (RAT) that was first seen in early The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software. FlexiSpy is sophisticated surveillanceware for iOS and Android. Publicly available, comprehensive analysis has only been found for the Android version. FlexiSpy markets itself as a parental control and employee monitoring application. Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.).

FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia. Adversaries can use it to transfer other tools onto a system or to exfiltrate data. Fysbis is a Linux-based backdoor used by APT28 that dates back to at least Gazer is a backdoor used by Turla since at least GeminiDuke is malware that was used by APT29 from to The source code is public and it has been used by multiple groups.

Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis. Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July Golden Cup is Android spyware that has been used to target World Cup fans. GoldenEagle is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China.

Samples have been found as early as GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server.

It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldMax is a second-stage C2 backdoor written in Go that was used by APT29 and discovered in early during the investigation into breaches related to the SolarWinds intrusion.

GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic. GolfSpy is Android spyware deployed by the group Bouncing Golf. Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family.

Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another backdoor used by the group, Denis. Goopy is named for its impersonation of the legitimate Google Updater executable. Grandoreiro is a banking trojan written in Delphi that was first observed in and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible".

GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it. GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least ; it is likely used by FIN6 and Wizard Spider.

Gustuff is mobile malware designed to steal users' banking and virtual currency credentials. H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims.

Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. Hancitor is a downloader that has been used by Pony and other information stealing malware.

Havij has been used by penetration testers and adversaries. HDoor is malware that has been customized and used by the Naikon group. Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. HenBox has primarily been used to target Uyghurs, a minority Turkic ethnic group. HiddenWasp is a Linux-based Trojan used to target systems for remote control.

It has been deployed along with Downdelph to execute and hide that malware. Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise. Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations.

The malware was first observed in January HotCroissant shares numerous code similarities with Rifdoor. HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location.

It can be used by adversaries to hide their location when interacting with the victim networks. HTTPBrowser is malware that has been used by several threat groups. It is believed to be of Chinese origin. HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android.

Hydraq is a data-theft trojan first used by Elderwood in the Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT HyperBro is a custom in-memory backdoor used by Threat Group HyperStack has similarities to other backdoors used by Turla including Carbon.

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least IcedID has been downloaded by Emotet in multiple campaigns. Imminent Monitor was a commodity remote access tool (RAT) offered for sale from until , when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation. Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols.

Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.

Industroyer was used in the attacks on the Ukrainian power grid in December This is the first publicly known malware specifically designed to target and impact operations in the electric grid. InnaputRAT has been seen out in the wild since InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least It has been discovered on compromised victims in the Ukraine and Russia.

Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims. It generates a one-liner for executing either from a file or from the web. An example of usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file.

By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implementation of Python with a.

Ixeshe is a malware family that has been used since at least against targets in East Asia. Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since , primarily focusing on customers of financial institutions in Brazil and Mexico.

JCry is ransomware written in Go. It was identified as part of the OpJerusalem campaign. It is based on Carberp source code and serves as reconnaissance malware. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.

Judy is auto-clicking adware that was distributed through multiple apps in the Google Play Store. Kasidet is a backdoor that has been dropped by using malicious VBA macros. Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. Kerrdown is a custom downloader that has been used by APT32 since at least to install spyware from a server on the victim's network.

Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor. KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices.

It also has ransomware functionality. KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in a ransomware component was also incorporated into some KillDisk variants.

Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. Koadic is a Windows post-exploitation framework and penetration testing tool. Koadic is publicly available on GitHub and the tool is executed via the command-line. Koadic has several options for staging payloads and creating implants.

Koadic performs most of its operations using Windows Script Host. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late KONNI is a Windows remote administration tool that has been seen in use since and evolved in its capabilities through at least Kwampirs is a backdoor Trojan used by Orangeworm.

It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system.

LaZagne is publicly available on GitHub. LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations.

The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists. Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October It shares code with another strain of malware known as Rabbot.

The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices. LiteDuke is a third stage backdoor that was used by APT29 , primarily in LiteDuke used the same dropper as PolyglotDuke , and was found on machines also compromised by MiniDuke.

LockerGoga is ransomware that has been tied to various attacks on European companies. It was first reported upon in January Lokibot is a widely distributed information stealer that was first reported in It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials.

Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads. LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. It was used in August in email messages targeting Hong Kong-based media organizations. Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.

Lurid is a malware family that has been used by several groups, including PittyTiger , in targeted attacks as far back as Machete is a cyber espionage toolset used by Machete.
