Malware And Tool Intelligence
This page turns the repository's malware and tooling references into an analyst navigation layer: actor, tool, behavior, hash/IOC status, source, and detection notes.
It is intentionally defensive. The repository stores no malware binaries, no exploit code, and no copied bulk IOC dumps. Hashes are included only where a primary public source explicitly maps a representative hash to a tool or activity; otherwise the page links to the current source-controlled IOC location.
Hash-only matches MUST NOT be used as actor attribution: a hash identifies a file, not an operator, and much of the tooling below (Mimikatz, LaZagne, PsExec, Rclone, ngrok, commodity RMM clients) is shared across actors. Use source-backed behavior, victimology, infrastructure, and telemetry context.
UNC1860 Mandiant-Linked Tooling Notes
- Mandiant reports UNC1860 as a likely MOIS-affiliated actor with specialized passive backdoors, GUI controllers, web shells, and droppers used for persistent access and possible handoff operations.
- TEMPLEDOOR is tracked here as a passive backdoor family controlled by TEMPLEPLAY; Mandiant publishes representative MD5s for TEMPLEPLAY and TEMPLEDOOR activity.
- STAYSHANTE and SASHEYAWAY are tracked as web shell/dropper access-enablement tooling from Mandiant-linked reporting. The source publishes activity-level hashes, but this repository does not assign every activity hash to those individual tools unless the source does so.
- Malpedia confirms the UNC1860-associated families win.cryptoslay and win.templedoor, and references CRYPTOSLAY, PipeSnoop, TEMPLEDOOR, and UNC1860 in the Mandiant-linked library entry.
Primary references: SRC-MANDIANT-UNC1860; SRC-MALPEDIA-UNC1860.
Actor Tool Coverage
Actor Drilldowns
MuddyWater
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| Remote Monitoring and Management tools | Living-off-the-land tooling | Legitimate remote-management software abused for access, persistence, and operator control in MuddyWater-linked intrusion chains. | No malware hash; inventory and signed binary allowlist required. | Compare RMM binaries, installation paths, remote URLs, and parents against approved enterprise inventory. | SRC-MITRE-G0069 |
| Dindoor | Backdoor | Deno runtime-based implant reported in MuddyWater-linked activity. | Hash not committed; use source-linked IOCs only. | Hunt unusual Deno runtime execution, user-path staging, and network egress not tied to development hosts. | SRC-THREAT-HUNTER-V3 |
| Fakeset | Backdoor | Python-based implant reported in MuddyWater-linked post-exploitation. | Hash not committed; use source-linked IOCs only. | Hunt Python execution from temporary paths, persistence changes, and suspicious outbound sessions. | SRC-THREAT-HUNTER-V3 |
| BugSleep | Backdoor | Check Point reports BugSleep as a MuddyWater backdoor under active development; reported behavior includes victim fingerprinting, command execution, file upload/download, persistence-oriented check-ins, and follow-on C2 after phishing-led access. | Hash not committed from source page; use Check Point IOC appendix/current report if sample-level matching is required. | Hunt MuddyWater phishing-to-loader chains, new scheduled tasks or recurring check-ins, suspicious file transfer from user endpoints, and C2 from hosts that recently executed lure-delivered payloads. | SRC-CP-BUGSLEEP |
| BlackBeard | Backdoor | Backdoor named in INCD MuddyWater phishing reporting. | Hash not committed; use INCD source-linked IOCs. | Hunt fake-official phishing chains, unusual archives, and post-click endpoint execution. | SRC-INCD-MUDDYWATER-PHISHING |
| Fooder / MuddyViper | Loader and backdoor | ESET reports Fooder as a MuddyWater loader paired with MuddyViper; reported behavior includes in-memory payload loading, sandbox-delay logic, RMM-assisted access, and post-compromise collection against Israeli and regional critical-infrastructure targets. | Hash not committed; validate ESET IOC availability before IOC-level use. | Hunt lure-to-RMM chains, new SimpleHelp/Atera/Level/PDQ installs outside IT inventory, in-memory loader behavior, sleep/delay loops before payload execution, and unusual cloud-service C2. | SRC-ESET-MUDDYWATER-SNAKES |
| ConnectWise | Remote monitoring and management tool | MITRE ATT&CK lists ConnectWise as software used by this actor; track it as remote administration and screen capture behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ConnectWise execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| CrackMapExec | Post-exploitation / credential validation tool | MITRE ATT&CK lists CrackMapExec as software used by this actor; track it as network credential validation and lateral movement behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for CrackMapExec execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| DCHSpy | MITRE-listed software/tool | MITRE ATT&CK lists DCHSpy as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for DCHSpy execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Empire | Post-exploitation framework | MITRE ATT&CK lists Empire as software used by this actor; track it as PowerShell-based post-exploitation behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Empire execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Koadic | Post-exploitation framework | MITRE ATT&CK lists Koadic as software used by this actor; track it as scripted post-exploitation and remote command behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Koadic execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| LaZagne | Credential access tool | MITRE ATT&CK lists LaZagne as software used by this actor; track it as password-store extraction behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for LaZagne execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| LP-Notes | MITRE-listed software/tool | MITRE ATT&CK lists LP-Notes as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for LP-Notes execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Mimikatz | Credential access tool | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Mori | MITRE-listed software/tool | MITRE ATT&CK lists Mori as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mori execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Out1 | MITRE-listed software/tool | MITRE ATT&CK lists Out1 as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Out1 execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| PowerSploit | PowerShell post-exploitation framework | MITRE ATT&CK lists PowerSploit as software used by this actor; track it as PowerShell offensive module execution. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PowerSploit execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| POWERSTATS | MITRE-listed software/tool | MITRE ATT&CK lists POWERSTATS as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for POWERSTATS execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| PowGoop | MITRE-listed software/tool | MITRE ATT&CK lists PowGoop as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PowGoop execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Rclone | Cloud sync / exfiltration utility | MITRE ATT&CK lists Rclone as software used by this actor; track it as cloud-storage synchronization and exfiltration behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Rclone execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| RemoteUtilities | Remote administration tool | MITRE ATT&CK lists RemoteUtilities as software used by this actor; track it as remote access and operator control behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for RemoteUtilities execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| RustyWater | MITRE-listed software/tool | MITRE ATT&CK lists RustyWater as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for RustyWater execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| SHARPSTATS | MITRE-listed software/tool | MITRE ATT&CK lists SHARPSTATS as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for SHARPSTATS execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Small Sieve | MITRE-listed software/tool | MITRE ATT&CK lists Small Sieve as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Small Sieve execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| STARWHALE | MITRE-listed software/tool | MITRE ATT&CK lists STARWHALE as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for STARWHALE execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
| Tsundere Botnet | MITRE-listed software/tool | MITRE ATT&CK lists Tsundere Botnet as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Tsundere Botnet execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0069 |
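The inventory comparison that the RMM, ConnectWise, and RemoteUtilities rows above call for, written out as an added example; this is not code from the repository or from any cited report. It checks process-start records (image path, parent, validated signature, and the relay host the process connected to) against an assumed approved inventory keyed by product, and returns every dimension on which an execution deviates. The image-name map, the inventory entries, and the sample events are constructed for the example; a production version would key on signer and product metadata rather than file names.

```python
"""Flag remote-management (RMM) binaries that fall outside the approved inventory.

Added example for the MuddyWater RMM rows; not code from the repository or
from any vendor report. The image-name map, the approved inventory and the
sample events are constructed for this example.
"""
from dataclasses import dataclass

# Constructed: lower-cased image file names the SOC treats as RMM clients.
# Illustrative only; real deployments key on Authenticode signer + product name.
RMM_IMAGES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "rutserv.exe": "RemoteUtilities",
    "ateraagent.exe": "Atera",
}

# Constructed: the approved enterprise inventory. Each product names the
# directory it must run from, the relay host it may talk to, and its parent.
APPROVED = {
    "ConnectWise ScreenConnect": {
        "install_dir": r"c:\program files (x86)\screenconnect client",
        "relay_hosts": {"relay.corp-rmm.example"},
        "parents": {"services.exe"},
    },
}

@dataclass
class ProcessEvent:
    host: str
    image: str      # full path of the executed binary
    parent: str     # parent image file name
    dest_host: str  # hostname the process connected to (from network telemetry)
    signed: bool    # Authenticode signature validated by the endpoint agent

def review_rmm(ev: ProcessEvent) -> list[str]:
    """Return the reasons an RMM execution deviates from the approved inventory.

    An empty list means the event matches inventory on every checked dimension.
    A non-RMM image also returns an empty list: this check is scoped to RMM
    products and other detections cover other binaries.
    """
    path = ev.image.lower().replace("/", "\\")
    name = path.rsplit("\\", 1)[-1]
    product = RMM_IMAGES.get(name)
    if product is None:
        return []
    findings = []
    if not ev.signed:
        findings.append(f"{product} binary unsigned or signature invalid")
    policy = APPROVED.get(product)
    if policy is None:
        # The product itself is not in inventory: every execution is a finding.
        findings.append(f"{product} is not an approved RMM product")
        return findings
    if not path.startswith(policy["install_dir"] + "\\"):
        findings.append(f"{product} running outside its install dir: {ev.image}")
    if ev.dest_host.lower() not in policy["relay_hosts"]:
        findings.append(f"{product} connecting to unapproved relay {ev.dest_host}")
    if ev.parent.lower() not in policy["parents"]:
        findings.append(f"{product} spawned by unexpected parent {ev.parent}")
    return findings

def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map host -> findings for every event that deviates from inventory."""
    return {ev.host: f for ev in events if (f := review_rmm(ev))}

# Constructed sample telemetry: one sanctioned install, one ScreenConnect client
# dropped by Word into a temp path, one RemoteUtilities host with no inventory entry.
SAMPLE_EVENTS = [
    ProcessEvent("ws-0412",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 "services.exe", "relay.corp-rmm.example", True),
    ProcessEvent("ws-0417",
                 r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe",
                 "winword.exe", "relay-7b1.attacker-cloud.example", True),
    ProcessEvent("srv-fs01", r"C:\ProgramData\Rutserv.exe", "cmd.exe", "rms.example.net", True),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The point of the per-dimension result is that a sanctioned product in an unsanctioned place is still a finding: the ws-0417 event is the same signed ConnectWise client as ws-0412 but is flagged three times (path, relay, parent). Feed it the same fields from EDR process and network events and keep the inventory in version control next to the detection.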
OilRig
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| OilBooster | Downloader | ESET reports OilBooster as an OilRig downloader deployed against Israeli organizations; it uses attacker-controlled Microsoft cloud service accounts and APIs for C2 and data exchange rather than victim internal mail infrastructure. | Primary source confirms tool behavior; imported SHA1 seed 1B2FEDD5F2A37A0152231AE4099A13C8D4B73C9E returned VT not_found and remains unpromoted pending primary hash verification. | Hunt Microsoft Graph, OneDrive, Outlook, Exchange Online, or EWS API use by non-standard processes, especially on healthcare, local-government, or manufacturing hosts with prior OilRig exposure. | SRC-ESET-OILRIG-ISRAEL |
| Saitama | DNS-tunneling backdoor | OilRig/APT34 DNS tunneling family that encodes command-and-control over DNS queries. | Hash not committed; use Unit 42 IOC references if needed. | Hunt high-entropy subdomains, long query names, and high-frequency single-domain DNS from one host. | SRC-UNIT42-OILRIG-DNS-TUNNELING |
| BONDUPDATER | MITRE-listed software/tool | MITRE ATT&CK lists BONDUPDATER as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for BONDUPDATER execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| certutil | Living-off-the-land binary | MITRE ATT&CK lists certutil as software used by this actor; track it as download, decode, and certificate-store abuse behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for certutil execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| ftp | Living-off-the-land utility | MITRE ATT&CK lists ftp as software used by this actor; track it as file transfer over FTP. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ftp execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Helminth | MITRE-listed software/tool | MITRE ATT&CK lists Helminth as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Helminth execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| ipconfig | System discovery utility | MITRE ATT&CK lists ipconfig as software used by this actor; track it as network configuration discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ipconfig execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| ISMInjector | MITRE-listed software/tool | MITRE ATT&CK lists ISMInjector as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ISMInjector execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| LaZagne | Credential access tool | MITRE ATT&CK lists LaZagne as software used by this actor; track it as password-store extraction behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for LaZagne execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Mango | MITRE-listed software/tool | MITRE ATT&CK lists Mango as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mango execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Mimikatz | Credential access tool | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Net | System administration utility | MITRE ATT&CK lists Net as software used by this actor; track it as account, group, and service discovery or modification. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Net execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| netstat | System discovery utility | MITRE ATT&CK lists netstat as software used by this actor; track it as network connection discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for netstat execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| ngrok | Tunneling / proxy tooling | MITRE ATT&CK lists ngrok as software used by this actor; track it as external tunnel creation behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ngrok execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| ODAgent | Downloader | ESET reports ODAgent in the network of an Israeli manufacturing company; it is part of the OilRig cloud-service-powered downloader set used to maintain access. | Imported SHA1 seed 7E498B3366F54E936CB0AF767BFC3D1F92D80687 returned VT not_found and remains unpromoted pending primary hash verification. | Hunt downloader execution on manufacturing, healthcare, or local-government hosts followed by Microsoft cloud API traffic and file staging. | SRC-ESET-OILRIG-ISRAEL |
| OilCheck | Downloader | OilCheck is an OilRig downloader in ESET reporting; it uses cloud-based email services for C2 communications and shares logic with other OilRig cloud-service-powered downloaders. | Imported SHA1 seed 8D84D32DF5768B0D4D2AB8B1327C43F17F182001 returned VT not_found and remains unpromoted pending primary hash verification. | Hunt cloud-mail API calls by unusual executables, unexpected Outlook/EWS traffic from non-mail clients, and OilRig downloader execution near prior SC5k or ODAgent activity. | SRC-ESET-OILRIG-ISRAEL |
| OopsIE | MITRE-listed software/tool | MITRE ATT&CK lists OopsIE as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for OopsIE execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| PowerExchange | MITRE-listed software/tool | MITRE ATT&CK lists PowerExchange as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PowerExchange execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| POWRUNER | MITRE-listed software/tool | MITRE ATT&CK lists POWRUNER as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for POWRUNER execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| PsExec | Remote execution utility | MITRE ATT&CK lists PsExec as software used by this actor; track it as service-based lateral execution behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PsExec execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| QUADAGENT | MITRE-listed software/tool | MITRE ATT&CK lists QUADAGENT as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for QUADAGENT execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| RDAT | MITRE-listed software/tool | MITRE ATT&CK lists RDAT as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for RDAT execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Reg | Registry utility | MITRE ATT&CK lists Reg as software used by this actor; track it as registry query or modification behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Reg execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| RGDoor | MITRE-listed software/tool | MITRE ATT&CK lists RGDoor as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for RGDoor execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| SampleCheck5000 | MITRE-listed software/tool | MITRE ATT&CK lists SampleCheck5000 as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for SampleCheck5000 execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| SEASHARPEE | MITRE-listed software/tool | MITRE ATT&CK lists SEASHARPEE as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for SEASHARPEE execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| SideTwist | MITRE-listed software/tool | MITRE ATT&CK lists SideTwist as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for SideTwist execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Solar | MITRE-listed software/tool | MITRE ATT&CK lists Solar as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Solar execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Systeminfo | System discovery utility | MITRE ATT&CK lists Systeminfo as software used by this actor; track it as host information discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Systeminfo execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| Tasklist | Process discovery utility | MITRE ATT&CK lists Tasklist as software used by this actor; track it as process discovery behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Tasklist execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
| ZeroCleare | Wiper | MITRE ATT&CK lists ZeroCleare as software used by this actor; track it as raw-disk destructive wipe behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ZeroCleare execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0049 |
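The three hunts the Saitama row lists (high-entropy subdomains, long query names, and high-frequency single-domain DNS from one host) scored over resolver logs, as an added example that is not code from the repository or from Unit 42. The log format (`epoch src_ip qname`), the thresholds, and the sample lines are constructed for the example; the tunnel-like lines are generated from hashed chunks so the block runs offline with no real IOC data. The registrable-zone split is a crude two-label stand-in for a public-suffix-list lookup.

```python
"""Score DNS query logs for tunnelling-style traffic of the kind the Saitama row describes.

Added example for the OilRig/Saitama row; not code from the repository or from
Unit 42. Log lines are constructed and thresholds are illustrative assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions); tune against your own resolver baseline.
MAX_LABEL_LEN = 40           # longest single label ordinary traffic produces
MIN_ENTROPY = 3.5            # bits/char; hex or base32 payload labels sit above this
MIN_QUERIES_PER_WINDOW = 20  # queries from one host to one zone inside the window
WINDOW_SECONDS = 60

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname: str) -> tuple[list[str], str]:
    """Return (payload labels, registrable zone). The zone is the last two labels,
    a crude stand-in for a public-suffix-list lookup."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def parse_line(line: str) -> tuple[int, str, str]:
    """Parse a constructed 'epoch src_ip qname' log line."""
    ts, src, qname = line.split()
    return int(ts), src, qname

def peak_rate(stamps: list[int], window: int) -> int:
    """Largest number of timestamps falling inside any span of `window` seconds."""
    stamps = sorted(stamps)
    peak = lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak

def score_logs(lines: list[str]) -> dict[tuple[str, str], list[str]]:
    """Return {(src_ip, zone): [reasons]} for host/zone pairs that look like tunnels."""
    per_pair: dict[tuple[str, str], list[tuple[int, str]]] = defaultdict(list)
    for line in lines:
        ts, src, qname = parse_line(line)
        labels, zone = split_name(qname)
        per_pair[(src, zone)].append((ts, ".".join(labels)))

    findings = {}
    for key, entries in per_pair.items():
        reasons = []
        labels = [lbl for _, payload in entries if payload for lbl in payload.split(".")]
        if labels:
            longest = max(len(lbl) for lbl in labels)
            if longest > MAX_LABEL_LEN:
                reasons.append(f"long label ({longest} chars)")
            ent = max(shannon_entropy(lbl) for lbl in labels)
            if ent >= MIN_ENTROPY:
                reasons.append(f"high-entropy label ({ent:.2f} bits/char)")
        # Distinct names matter: re-resolving one name is cache churn, not data transfer.
        distinct = len({payload for _, payload in entries})
        peak = peak_rate([ts for ts, _ in entries], WINDOW_SECONDS)
        if peak >= MIN_QUERIES_PER_WINDOW and distinct >= MIN_QUERIES_PER_WINDOW // 2:
            reasons.append(f"{peak} queries in {WINDOW_SECONDS}s, {distinct} distinct names")
        if reasons:
            findings[key] = reasons
    return findings

def sample_logs() -> list[str]:
    """Constructed telemetry: one workstation doing ordinary lookups and one host
    emitting 30 distinct hex-looking labels under a single zone within 30 seconds."""
    benign = [f"{1700000000 + 7 * i} 10.0.0.5 www.example.com" for i in range(8)]
    benign += [f"{1700000003 + 11 * i} 10.0.0.5 cdn.example.net" for i in range(5)]
    tunnel = []
    for i in range(30):
        chunk = hashlib.sha256(f"constructed-chunk-{i}".encode()).hexdigest()[:48]
        tunnel.append(f"{1700000100 + i} 10.0.0.9 {chunk}.a1.tunnel-zone.example")
    return benign + tunnel

if __name__ == "__main__":
    for (src, zone), reasons in score_logs(sample_logs()).items():
        print(f"{src} -> {zone}: " + "; ".join(reasons))
```

Each reason is reported separately because the three signals fail independently in practice: CDN and anti-spam lookups produce long, high-entropy labels at low rates, and a busy mail relay produces high rates of short, readable names. Escalate on two or more reasons for one (host, zone) pair, and run it against resolver logs rather than passive DNS so the source host survives.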
Magic Hound
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| FRP / Plink | Dual-use tunneling / proxy tooling | MITRE reports Magic Hound use of Fast Reverse Proxy and Plink-style tooling for proxying, masqueraded access, and non-standard C2 routing. | No malware hash; dual-use binary monitoring and local allowlisting required. | Hunt FRP/Plink execution from user paths or server paths, masqueraded filenames, non-standard ports, and unauthorized proxy sessions. | SRC-MITRE-G0059 |
| Mimikatz / SQLMap / Havij | Public offensive/security tooling | MITRE reports Magic Hound use of public tools including Mimikatz, sqlmap, Havij, Metasploit, and Plink. | No stable actor-specific hash; use process, command-line, and control-plane telemetry. | Hunt credential dumping, SQL injection tooling on admin hosts, and public tool execution after phishing or edge compromise. | SRC-MITRE-G0059 |
| CharmPower | PowerShell backdoor | MITRE ATT&CK lists CharmPower as software used by this actor; track it as PowerShell-based C2 and collection behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for CharmPower execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| DownPaper | Backdoor | MITRE ATT&CK lists DownPaper as software used by this actor; track it as PowerShell/VBS backdoor and discovery behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for DownPaper execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| Impacket | Python network protocol toolkit | MITRE ATT&CK lists Impacket as software used by this actor; track it as SMB, credential, and lateral movement behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Impacket execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| ipconfig | System discovery utility | MITRE ATT&CK lists ipconfig as software used by this actor; track it as network configuration discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ipconfig execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| Mimikatz | Credential access tool | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| Net | System administration utility | MITRE ATT&CK lists Net as software used by this actor; track it as account, group, and service discovery or modification. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Net execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| netsh | Network configuration utility | MITRE ATT&CK lists netsh as software used by this actor; track it as network configuration or firewall manipulation. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for netsh execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| Ping | Network utility | MITRE ATT&CK lists Ping as software used by this actor; track it as connectivity and remote host discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Ping execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| PowerLess | Backdoor | MITRE ATT&CK lists PowerLess as software used by this actor; track it as Magic Hound-linked backdoor behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PowerLess execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| PsExec | Remote execution utility | MITRE ATT&CK lists PsExec as software used by this actor; track it as service-based lateral execution behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PsExec execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| Pupy | RAT / post-exploitation framework | MITRE ATT&CK lists Pupy as software used by this actor; track it as remote access and post-exploitation behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Pupy execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
| Systeminfo | System discovery utility | MITRE ATT&CK lists Systeminfo as software used by this actor; track it as host information discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Systeminfo execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0059 |
APT42
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| POWERPOST | Script / collection tool | PowerShell-based collection tooling referenced for APT42 activity; useful as a behavior anchor for script execution and collection staging. | Hash not committed; source-linked behavior only. | Hunt PowerShell collection from unusual parent processes, cloud identity follow-on access, and archive staging after phishing. | SRC-MITRE-G1044 |
| NICECURL | Backdoor / C2 tool | APT42-linked backdoor family used for command-and-control and post-compromise operations. | Hash not committed; retrieve current IOCs from linked source or vendor appendix. | Hunt uncommon HTTPS egress from user-path executables after credential phishing or social-engineering lures. | SRC-MITRE-G1044 |
| TAMECAT | Backdoor / C2 tool | APT42-linked backdoor with scripting, encrypted communications, and discovery-oriented behavior in public reporting. | Hash not committed; retrieve current IOCs from linked source or vendor appendix. | Hunt script execution, discovery commands, and encrypted outbound sessions following APT42-themed lure activity. | SRC-MITRE-G1044 |
Agrius
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| Moneybird | Ransomware / destructive malware | Agrius-associated ransomware-like payload reported in targeted Israeli incidents; use as destructive-operation context rather than stable criminal-brand attribution. | Hash not committed; source IOC appendix should be used if needed. | Prioritize VSS deletion, backup tampering, mass file writes, and pseudo-ransomware staging behavior. | SRC-MITRE-G1030 |
| BlackShadow | Ransomware / persona | Agrius-linked destructive/extortion persona and malware reference depending on source context. | Hash not committed; persona claims require corroboration. | Separate public claims from telemetry; hunt destructive preparation and data theft before leak publication. | SRC-MITRE-G1030 |
| Apostle | Wiper / ransomware-like malware | MITRE ATT&CK lists Apostle as software used by this actor; track it as destructive or ransomware-like impact behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Apostle execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
| ASPXSpy | Web shell | MITRE ATT&CK lists ASPXSpy as software used by this actor; track it as server-side web shell persistence. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ASPXSpy execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
| BFG Agonizer | Wiper | MITRE ATT&CK lists BFG Agonizer as software used by this actor; track it as disk wiping and recovery-inhibition behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for BFG Agonizer execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
| DEADWOOD | Wiper | MITRE ATT&CK lists DEADWOOD as software used by this actor; track it as destructive wipe behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for DEADWOOD execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
| IPsec Helper | MITRE-listed software/tool | MITRE ATT&CK lists IPsec Helper as software used by this actor; track it as source-backed software use by the actor. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for IPsec Helper execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
| Mimikatz | Credential access tool | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
| MultiLayer Wiper | Wiper | MITRE ATT&CK lists MultiLayer Wiper as software used by this actor; track it as multi-stage destructive wiping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for MultiLayer Wiper execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
| NBTscan | Network scanner | MITRE ATT&CK lists NBTscan as software used by this actor; track it as NetBIOS/host discovery behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for NBTscan execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1030 |
CyberAv3ngers
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| Unitronics Vision PLC Web/HMI | Targeted technology | Internet-exposed HMI-capable Unitronics PLCs targeted in IRGC-affiliated activity. | Not malware; no hash. Exposure and configuration indicators only. | Inventory internet-exposed PLC/HMI paths, enforce passwords, restrict remote access, and monitor HMI defacement attempts. | SRC-CISA-AA23-335A |
| IOCONTROL | OT/IoT malware | Claroty Team82 reports IOCONTROL as custom OT/IoT malware linked to CyberAv3ngers-aligned IRGC activity; reported behavior includes Linux/ARM ELF deployment, device fingerprinting, MQTT over TLS on 8883, DoH use, router and fuel-management targeting, and command execution against OT/IoT devices. | Claroty-published SHA256 1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498; VT enrichment found an ELF with public detections and label trojan.iocontrol/multiverze. | Hunt OT/IoT devices with unusual MQTT/8883, DoH, unexpected ARM ELF execution, router persistence, and PLC/HMI/fuel-controller manipulation indicators. | SRC-CLAROTY-IOCONTROL-2024 |
Imperial Kitten
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| IMAPLoader | .NET downloader / loader | PwC and related reporting describe IMAPLoader as an Imperial Kitten/Yellow Liderc .NET loader using legitimate or compromised email accounts for IMAP-based C2 after strategic web compromise or lure execution; it identifies target systems and can deploy follow-on payloads. | Hash not committed; use PwC or vendor IOC appendix/current report for current sample hashes and mail-account indicators. | Hunt non-mail-client IMAP/IMAPS egress, high-frequency mailbox polling, encoded attachment retrieval by unusual processes, and Office/XLL to csc.exe chains after maritime/logistics web compromise. | SRC-PWC-YELLOW-LIDERC-2023 |
| StandardKeyboard | Backdoor / C2 tool | Public vendor reporting describes email-based C2 aligned with Imperial Kitten tooling. | Hash not committed; use CrowdStrike source if available. | Use as enrichment term until primary technical behavior is fully captured in repository evidence. | SRC-CS-IMPERIAL-KITTEN-2023 |
Pioneer Kitten
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| NGROK / Ligolo | Tunneling / proxy tooling | Dual-use tunneling tools used after edge compromise in Pioneer Kitten / Fox Kitten reporting. | No malware hash; monitor tool binary, process, account, and network usage against approved admin list. | Hunt unauthorized tunnels from edge servers, VPN appliances, or administrator workstations. | SRC-CISA-AA24-241A |
DarkBit
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| DarkBit ransomware | Pseudo-ransomware / destructive malware | Persona and payload associated with the Technion February 2023 incident and MuddyWater/MERCURY ecosystem reporting. | Hash not committed; incident-specific IOCs should come from INCD/Microsoft source material. | Hunt pseudo-ransom notes, mass file changes, destructive cloud/on-prem actions, and MuddyWater/MERCURY overlap. | SRC-INCD-DARKBIT-MUDDYWATER-2023 |
Lyceum
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| DanBot | Remote Access Trojan | Lyceum / HEXANE-associated backdoor family referenced in MITRE and public reporting. | Hash not committed; use MITRE references and primary reports. | Hunt telecom and energy endpoint persistence, C2, and lateral movement in MENA-relevant environments. | SRC-MITRE-G1001 |
| Kevin | Backdoor | Lyceum-associated backdoor line referenced by public reporting. | Hash not committed; use MITRE references and primary reports. | Use as enrichment term for Lyceum hunting until behavior is source-backed locally. | SRC-MITRE-G1001 |
| Shark | Backdoor | Lyceum-associated backdoor line referenced by public reporting. | Hash not committed; use MITRE references and primary reports. | Use as enrichment term for Lyceum hunting until behavior is source-backed locally. | SRC-MITRE-G1001 |
| BITSAdmin | Living-off-the-land binary | MITRE ATT&CK lists BITSAdmin as software used by this actor; track it as BITS-based file transfer or job execution behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for BITSAdmin execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| DnsSystem | Backdoor | MITRE ATT&CK lists DnsSystem as software used by this actor; track it as Lyceum-linked DNS/C2 backdoor behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for DnsSystem execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| Empire | Post-exploitation framework | MITRE ATT&CK lists Empire as software used by this actor; track it as PowerShell-based post-exploitation behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Empire execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| ipconfig | System discovery utility | MITRE ATT&CK lists ipconfig as software used by this actor; track it as network configuration discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ipconfig execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| Milan | Backdoor | MITRE ATT&CK lists Milan as software used by this actor; track it as Lyceum-linked backdoor behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Milan execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| Mimikatz | Credential access tool | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| netstat | System discovery utility | MITRE ATT&CK lists netstat as software used by this actor; track it as network connection discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for netstat execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| Ping | Network utility | MITRE ATT&CK lists Ping as software used by this actor; track it as connectivity and remote host discovery. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Ping execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
| PoshC2 | Post-exploitation framework | MITRE ATT&CK lists PoshC2 as software used by this actor; track it as PowerShell/C2 framework behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PoshC2 execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1001 |
Cotton Sandstorm
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| WezRat | Modular infostealer / RAT | Check Point reports WezRat as a modular infostealer/RAT distributed through fake INCD-themed phishing; behavior includes modular collection, command execution, screenshot or data theft capabilities depending on module, and Israeli security-update lure abuse. | Hash not committed; use Check Point and government IOC references for current sample hashes, lure senders, domains, and C2 paths. | Hunt fake INCD/security-update lures, sender/domain impersonation, user-path execution after download, modular infostealer staging, and unusual outbound C2 after security-themed attachments. | SRC-CP-WEZRAT |
APT39
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| Remexi | Malware / collection tool | MITRE reports APT39 use of Remexi for system owner/user discovery and related collection behavior. | Hash not committed; use MITRE references and original vendor reports. | Hunt suspicious username/system discovery, collection utilities, and legacy APT39 malware indicators only with source context. | SRC-MITRE-G0087 |
| ANTAK / ASPXSPY | Web shells | MITRE reports APT39 installed ANTAK and ASPXSPY web shells. | Hash not committed; use source-linked IOCs and local webroot baselines. | Hunt webroot integrity changes, web server child processes, and suspicious ASPX/JSP server-side files. | SRC-MITRE-G0087 |
| Cadelspy | Backdoor | MITRE ATT&CK lists Cadelspy as software used by this actor; track it as APT39-linked backdoor behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Cadelspy execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| CrackMapExec | Post-exploitation / credential validation tool | MITRE ATT&CK lists CrackMapExec as software used by this actor; track it as network credential validation and lateral movement behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for CrackMapExec execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| ftp | Living-off-the-land utility | MITRE ATT&CK lists ftp as software used by this actor; track it as file transfer over FTP. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ftp execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| MechaFlounder | Backdoor | MITRE ATT&CK lists MechaFlounder as software used by this actor; track it as APT39-linked command execution and collection behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for MechaFlounder execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| Mimikatz | Credential access tool | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| NBTscan | Network scanner | MITRE ATT&CK lists NBTscan as software used by this actor; track it as NetBIOS/host discovery behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for NBTscan execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| PsExec | Remote execution utility | MITRE ATT&CK lists PsExec as software used by this actor; track it as service-based lateral execution behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for PsExec execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| pwdump | Credential access tool | MITRE ATT&CK lists pwdump as software used by this actor; track it as password hash dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for pwdump execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
| Windows Credential Editor | Credential access tool | MITRE ATT&CK lists Windows Credential Editor as software used by this actor; track it as Windows credential extraction behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Windows Credential Editor execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G0087 |
APT-C-23
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| AridSpy | Mobile RAT | ESET reports AridSpy as a multi-stage Android spyware family distributed through trojanized apps; behavior includes payload download/decryption, Firebase C2, HTTPS exfiltration, camera capture, audio recording, location tracking, SMS/contact/call-log collection, accessibility abuse, and WhatsApp/Facebook Messenger collection. | Representative ESET-published SHA1s include 797073511A15EB85C1E9D8584B26BAA3A0B14C9E, 5F0213BA62B84221C9628F7D0A0CF87F27A45A28, E71F1484B1E3ACB4C8E8525BA1F5F8822AB7238B, and 16C8725362D1EBC8443C97C5AB79A1B6428FF87D; use full ESET IOC table for current coverage. | Hunt sideloaded APKs from dedicated lure sites, unknown-source installs, Google Play Services impersonation, Firebase C2, suspicious accessibility-service grants, data.zip staging, and mobile apps requesting SMS/contact/location/audio/camera permissions together. | SRC-ESET-ARIDSPY |
| RedAlert.apk | Mobile spyware / trojanized app | Secondary Cybernews/Acronis coverage describes malicious RedAlert-themed Android application delivery against Israeli users. | Hash not committed; provisional until primary Acronis reporting is available. | Hunt smishing delivery, sideloaded alert apps, OTP/SMS access permissions, and spoofed app identities. | SRC-CYBERNEWS-REDALERT-2026 |
| Desert Scorpion | Mobile malware | MITRE ATT&CK lists Desert Scorpion as software used by this actor; track it as mobile surveillance behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Desert Scorpion execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1028 |
| FrozenCell | Mobile malware | MITRE ATT&CK lists FrozenCell as software used by this actor; track it as mobile surveillance and collection behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for FrozenCell execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1028 |
| Micropsia | Backdoor | MITRE ATT&CK lists Micropsia as software used by this actor; track it as Windows backdoor and collection behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Micropsia execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1028 |
| Phenakite | Mobile malware | MITRE ATT&CK lists Phenakite as software used by this actor; track it as mobile surveillance behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Phenakite execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1028 |
| SpyC23 | Mobile spyware | MITRE ATT&CK lists SpyC23 as software used by this actor; track it as mobile collection and surveillance behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for SpyC23 execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1028 |
UNC3890
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| SUGARUSH / SUGARDUMP | Information stealer | UNC3890-linked tools reported for Israeli shipping, logistics, and adjacent sector data collection. | Hash not committed; use Mandiant source references. | Hunt credential and browser-data collection from maritime/logistics environments. | SRC-MANDIANT-UNC3890 |
Cyber Toufan
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| Cyber Toufan supplier-access playbook | Credential and admin-interface abuse | OP Innovate reporting frames Cyber Toufan around exposed provider infrastructure, weak credentials, and leak-operation playbook behavior. | Not malware; no hash. Track claims and exposure indicators. | Hunt supplier VPN/firewall/admin-surface access, default credential exposure, SMB admin-share movement, and public-claim timing. | SRC-OPI-CYBER-TOUFAN |
Void Manticore / Handala
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| BiBi / BiBi Wiper lineage | Wiper / destructive malware lineage | Handala/Void Manticore-related reporting discusses destructive wiper activity and BiBi-style lineage context. | Hash not committed; use primary wiper reports for active IOCs. | Hunt extension renaming, destructive writes, VSS deletion, backup tampering, and ransom-note decoy behavior. | SRC-AP-HANDALA |
| Handala-linked destructive installer chains | Installer-led destructive chain | Archive- or installer-centered destructive chains, used here as a defensive first-30-minutes response model. | Hash not committed; chain behavior matters more than static IOCs. | Hunt archive extraction, suspicious installer execution, mass process creation, and rapid destructive staging. | SRC-AP-HANDALA |
| CHIMNEYSWEEP | Wiper | MITRE ATT&CK lists CHIMNEYSWEEP as software used by this actor; track it as destructive wipe behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for CHIMNEYSWEEP execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1055 |
| ftp | Living-off-the-land utility | MITRE ATT&CK lists ftp as software used by this actor; track it as file transfer over FTP. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ftp execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1055 |
| Impacket | Python network protocol toolkit | MITRE ATT&CK lists Impacket as software used by this actor; track it as SMB, credential, and lateral movement behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Impacket execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1055 |
| Mimikatz | Credential access tool | MITRE ATT&CK lists Mimikatz as software used by this actor; track it as credential dumping behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for Mimikatz execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1055 |
| RawDisk | Disk access driver/tool | MITRE ATT&CK lists RawDisk as software used by this actor; track it as raw disk access for destructive operations. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for RawDisk execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1055 |
| ROADSWEEP | Wiper | MITRE ATT&CK lists ROADSWEEP as software used by this actor; track it as destructive wipe behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ROADSWEEP execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1055 |
| ZeroCleare | Wiper | MITRE ATT&CK lists ZeroCleare as software used by this actor; track it as raw-disk destructive wipe behavior. | Hash not committed; use the linked MITRE references and original source reports for current IOCs. | Hunt for ZeroCleare execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain. | SRC-MITRE-G1055 |
Lebanese Cedar
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| Explosive RAT | Remote Access Trojan | Custom RAT associated with Lebanese Cedar / Volatile Cedar reporting. | Hash not committed; use ClearSky report references. | Hunt Java web compromise leading to RAT staging and long-lived outbound access. | SRC-CLEARSKY-LEBANESE-CEDAR |
| Caterpillar WebShell | Web Shell | Modified JSP file browser/webshell used by Lebanese Cedar for persistence on public-facing servers. | Hash not committed; use ClearSky report references. | Hunt modified JSP files, unexpected upload paths, and web server process spawning shells. | SRC-CLEARSKY-LEBANESE-CEDAR |
WIRTE
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
| SameCoin | Wiper | Check Point reports SameCoin as a WIRTE-linked multi-platform wiper used in disruptive Israeli campaigns; behavior includes INCD/ESET security-update impersonation, oref.org.il reachability/XOR guardrail, Active Directory propagation through scheduled tasks, file overwrite with random bytes, Android zero-fill/delete logic, and propaganda wallpaper/video artifacts. | Check Point publishes lure hash b7c5af2d7e1eb7651b1fe3a224121d3461f3473d081990c02ef8ab4ace13f785; component hashes should be pulled from the primary Check Point/HarfangLab references before blocking. | Hunt non-browser requests to oref.org.il from newly dropped binaries, fake INCD/ESET update execution, mass file overwrite, remote scheduled-task propagation, suspicious desktop changes, and Android security-update APK side-loads. | SRC-CP-WIRTE-2024 |
| AshTag | Modular .NET malware suite | Unit 42 reports AshTag as a WIRTE/Ashen Lepus modular .NET malware suite with AshenLoader, AshenStager, AshenOrchestrator, and modules; behavior includes DLL side-loading, HTML tag payload retrieval, AES/XOR-protected staging, modular collection, and Rclone exfiltration. | Representative Unit 42 SHA256s include f554c43707f5d87625a3834116a2d22f551b1d9a5aff1e446d24893975c431bc, 739a5199add1d970ba22d69cc10b4c3a13b72136be6d45212429e8f0969af3dc, 6bd3d05aef89cd03d6b49b20716775fe92f0cf8a3c2747094404ef98f96e9376, 30490ba95c42cefcca1d0328ea740e61c26eaf606a98f68d26c4a519ce918c99, and 66ab29d2d62548faeaeadaad9dd62818163175872703fda328bb1b4894f5e69e; use full Unit 42 IOC table for coverage. | Hunt DLL side-loading of dwampi.dll, wtsapi32.dll, srvcli.dll, or netutils.dll from unexpected paths, HTML-staged payload retrieval, AES/XOR decoding artifacts, modular C2, and Rclone execution after collection. | SRC-UNIT42-ASHTAG-2025 |
TA402
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
IronWind | Initial access downloader / staged malware | Proofpoint reports IronWind as a TA402 infection chain using PPAM, XLL, RAR, cloud-link and actor-controlled C2 delivery; behavior includes staged downloader execution, geofencing/decoy delivery, and DLL side-loading in later related reporting. | Proofpoint-published SHA256 indicators include 9b2a16cbe5af12b486d31b68ef397d6bc48b2736e6b388ad8895b588f1831f47, 5d773e734290b93649a41ccda63772560b4fa25ba715b17df7b9f18883679160, 19f452239dadcd7544f055d26199cb482c1f6ae5486309bde1526174e926146a, a4bf96aee6284effb4c4fe0ccfee7b32d497e45408e253fb8e1199454e5c65a3, and 26cb6055be1ee503f87d040c84c0a7cacb245b4182445e3eee47ed6e073eca47; use full Proofpoint IOC list for operational use. | Hunt PPAM/XLL/RAR lure execution, DLL side-loading from user-writable paths, cloud-link retrieval, geofenced decoy behavior, and actor-controlled C2 pivots. | SRC-PROOFPOINT-TA402-IRONWIND |
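Both the AshTag and IronWind detection notes come down to the same hunt: a DLL with a well-known name loaded from somewhere other than the system directory, typically from the same user-writable folder as the EXE that loaded it. The following is an added example of that logic, not code from this repository, Unit 42 or Proofpoint. Only the four DLL names come from the AshTag note; the event records are constructed to resemble the Image / ImageLoaded / Signed fields of a Sysmon Event ID 7 record, and the hosts, users and paths in them are made up.

```python
"""DLL side-loading hunt over image-load telemetry (added example).

Not code from the repository, Unit 42 or Proofpoint. The four DLL names are
the ones named in the AshTag detection note; the event records are
constructed and mimic the Image / ImageLoaded / Signed fields of a Sysmon
Event ID 7 (Image loaded) record. Hosts, users and paths are made up.
"""
from pathlib import PureWindowsPath
from typing import Optional

# DLL names the AshTag note says were side-loaded. Side-loading abuses a
# legitimate EXE that resolves one of these by bare name, so a copy placed
# beside the EXE wins over the real copy in System32.
WATCHED_DLLS = {"dwampi.dll", "wtsapi32.dll", "srvcli.dll", "netutils.dll"}

# Directories where these DLLs legitimately live. Assumption: stock Windows
# layout; extend with your own image-load baseline.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_trusted_dir(path: str) -> bool:
    """True when the DLL's directory is one of the trusted system folders."""
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DIRS


def classify_load(event: dict) -> Optional[dict]:
    """Return a finding for a watched DLL loaded from outside TRUSTED_DIRS, else None."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in WATCHED_DLLS or is_trusted_dir(str(loaded)):
        return None
    host_exe = PureWindowsPath(event["Image"])
    # The classic side-loading layout: the DLL sits in the same directory as
    # the EXE that loaded it, and the DLL itself is unsigned.
    same_dir = loaded.parent == host_exe.parent
    unsigned = event.get("Signed", "false").lower() != "true"
    severity = "high" if (same_dir and unsigned) else "medium"
    return {
        "severity": severity,
        "dll": loaded.name.lower(),
        "loaded_from": str(loaded),
        "host_exe": str(host_exe),
        "same_dir_as_exe": same_dir,
        "unsigned": unsigned,
    }


def hunt_sideloads(events) -> list:
    """Run classify_load over a batch of events and keep only the findings."""
    return [f for f in (classify_load(e) for e in events) if f]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\wtsapi32.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll", "Signed": "true"},
    {"Image": r"C:\Temp\tool.exe",
     "ImageLoaded": r"C:\ProgramData\cache\netutils.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in hunt_sideloads(SAMPLE_EVENTS):
        print(finding)
```

Against the sample, the explorer.exe load is ignored because the DLL came from System32, the AppData load is rated high (same folder as the host EXE, unsigned), and the netutils.dll load from ProgramData is rated medium. In production, feed the same function from your EDR's image-load events and add any application directories that legitimately ship their own copy of these DLLs to the trusted set rather than loosening the name match.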
UNC1860
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
TEMPLEDOOR | Passive backdoor family | Mandiant describes TEMPLEDOOR as a passive backdoor controlled by TEMPLEPLAY; behavior includes command execution, file transfer, endpoint URI selection, echo/ping checks, and HTTP proxying for middlebox-style RDP reachability. | Representative Mandiant MD5s include c57e59314aee7422e626520e495effe0 and b219672bcd60ce9a81b900217b3b5864. VT enrichment found b219672bcd60ce9a81b900217b3b5864 as Win32 EXE/System.dll with 47 malicious public detections; c57e59314aee7422e626520e495effe0 returned VT not_found. | Hunt passive/listener implants on edge servers, unusual inbound-controlled HTTPS endpoints, magic-URI echo/ping testing, proxy behavior from compromised servers, and RDP routed through DMZ hosts. | SRC-MANDIANT-UNC1860 |
TEMPLEPLAY | GUI malware controller | Mandiant reports TEMPLEPLAY as a .NET controller for TEMPLEDOOR with tabs for command execution, upload, download, HTTP proxying, URL endpoint selection, and backdoor testing. | Mandiant reports MD5 c517519097bff386dc1784d98ad93f9d for TEMPLEPLAY; VT enrichment returned not_found on 2026-05-16. | Hunt operator tooling on admin workstations, rare .NET GUI execution, and outbound requests matching known TEMPLEDOOR endpoint behavior. | SRC-MANDIANT-UNC1860 |
CRYPTOSLAY | Associated family | Malpedia lists win.cryptoslay as an associated UNC1860 family and ties the reference set to Mandiant's UNC1860 reporting. | Family confirmed by Malpedia; no per-sample hash committed in this repo. | Use as taxonomy enrichment; do not create production detections until behavior is tied to a primary source or sample-level report. | SRC-MALPEDIA-UNC1860 |
PipeSnoop | Referenced tool/family term | Malpedia library links PipeSnoop to the Mandiant UNC1860 Temple of Oats reference set. | Reference confirmed by Malpedia; no per-sample hash committed in this repo. | Use as a research pivot term for UNC1860 tooling; require source-backed behavior before detection logic. | SRC-MALPEDIA-UNC1860 |
STAYSHANTE | Web shell / handoff tooling | Mandiant reports STAYSHANTE as a UNC1860 web shell deployed on compromised servers and controlled by VIROGREEN; INCD March 2024 indicators included unique STAYSHANTE web shell activity against Israeli sectors. | Mandiant publishes activity-level MD5 IOCs and a VT collection; this repo does not map every hash to STAYSHANTE. | Hunt webroot changes, server-file-name masquerading, SharePoint/IIS anomalies, and web server process child shells. | SRC-MANDIANT-UNC1860 |
SASHEYAWAY | Dropper / access-enablement tooling | Mandiant reports SASHEYAWAY as a low-detection dropper that can enable execution of full passive backdoors such as TEMPLEDOOR, FACEFACE, and SPARKLOAD. | Mandiant publishes activity-level MD5 IOCs and a VT collection; this repo does not map every hash to SASHEYAWAY. | Hunt dropper-to-passive-backdoor chains, low-prevalence .NET utilities, and follow-on deployment from exploited public-facing servers. | SRC-MANDIANT-UNC1860 |
VIROGREEN | GUI exploitation / post-exploitation framework | Mandiant reports VIROGREEN as a custom framework for scanning and exploiting CVE-2019-0604 SharePoint servers and controlling payloads, backdoors, STAYSHANTE, BASEWALK, command execution, upload, and download. | Hash not committed; use Mandiant source and technical annex where accessible. | Hunt SharePoint exploitation, unexpected files under SharePoint paths, and post-exploitation command/upload/download behavior. | SRC-MANDIANT-UNC1860 |
TEMPLEDROP | Passive backdoor / driver-abuse implant | Mandiant reports that TEMPLEDROP repurposed a legitimate Iranian AV file-system filter driver to protect its deployed files, and its own file, from modification. | Mandiant reports related Sheed AV MD5 0c93cac9854831da5f761ee98bb40c37 and WINTAPIX/TOFUDRV MD5s 286bd9c2670215d3cb4790aac4552f22 and b4b1e285b9f666ae7304a456da01545e in the same report; VT enrichment found the Sheed AV reference as signed and not malicious by public verdicts. | Hunt unexpected filter drivers, driver load events, protected file behavior, WINTAPIX/TOFUDRV artifacts, and kernel-mode tampering on edge or telecom servers. | SRC-MANDIANT-UNC1860 |
TEMPLELOCK | Defense-evasion utility | Mandiant reports TEMPLELOCK as a .NET utility observed in foothold utilities and passive implants, capable of terminating threads associated with the Windows Event Log service and restarting service operation on demand. | Hash not committed; use Mandiant activity-level IOC list. | Hunt Event Log service stop/start anomalies, log service tampering, and unusual .NET utility execution from compromised servers. | SRC-MANDIANT-UNC1860 |
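The TEMPLELOCK note asks for Event Log service stop/start anomalies, which is easy to state and fiddly to implement because a reboot produces the same stop-then-start sequence. Here is an added example of that hunt, not code from this repository or from Mandiant. The event IDs are the real Windows ones (System 7036 for a Service Control Manager state change, Security 1100 for the event logging service shutting down, System 1074 for a planned shutdown or restart), but every log line, host name and timestamp is constructed, and the one-line log format is an assumed normalised form rather than any product's native output.

```python
"""Windows Event Log service stop/start hunt (added example).

Not code from the repository or Mandiant. Event IDs are real Windows IDs
(System 7036, Security 1100, System 1074); every log line, host and
timestamp below is constructed, and the '<ts> <host> <channel> <id> <msg>'
layout is an assumed normalised form.
"""
import re
from datetime import datetime, timedelta

EVENTLOG_SERVICE = "Windows Event Log service"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")


def parse_line(line: str) -> dict:
    """Split '<iso-ts> <host> <channel> <event_id> <message>' into fields."""
    ts, host, channel, event_id, message = LINE_RE.match(line).groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "channel": channel, "event_id": int(event_id), "message": message}


def detect_eventlog_tampering(lines, max_gap=timedelta(minutes=10),
                              reboot_grace=timedelta(minutes=2)) -> list:
    """Flag hosts where the Event Log service stopped and restarted within
    max_gap (the TEMPLELOCK-style pattern) and hosts where it stopped and
    never came back. A 1074 shortly before the stop marks a planned reboot
    and suppresses the finding."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    last_shutdown = {}  # host -> timestamp of most recent 1074
    pending = {}        # host -> open stop window {"ts", "signals"}
    findings = []
    for e in events:
        host, msg, eid = e["host"], e["message"], e["event_id"]
        if eid == 1074:
            last_shutdown[host] = e["ts"]
            continue
        # Either signal opens a stop window: 7036 may not be written once the
        # log service is down, so Security 1100 is the more reliable marker.
        is_stop = eid == 1100 or (
            eid == 7036 and EVENTLOG_SERVICE in msg and "stopped state" in msg)
        is_start = eid == 7036 and EVENTLOG_SERVICE in msg and "running state" in msg
        if is_stop:
            window = pending.setdefault(host, {"ts": e["ts"], "signals": []})
            window["signals"].append(eid)
        elif is_start and host in pending:
            stop = pending.pop(host)
            planned = (host in last_shutdown and
                       timedelta(0) <= stop["ts"] - last_shutdown[host] <= reboot_grace)
            gap = e["ts"] - stop["ts"]
            if gap <= max_gap and not planned:
                findings.append({"kind": "stop_start_cycle", "host": host,
                                 "stopped_at": stop["ts"].isoformat(),
                                 "restarted_at": e["ts"].isoformat(),
                                 "gap_seconds": int(gap.total_seconds()),
                                 "stop_signals": stop["signals"]})
    # A stop that never restarts is at least as interesting as a short cycle.
    for host, stop in pending.items():
        findings.append({"kind": "stopped_no_restart", "host": host,
                         "stopped_at": stop["ts"].isoformat(),
                         "stop_signals": stop["signals"]})
    return findings


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    "2024-03-12T02:14:05Z host-a System 7036 The Windows Event Log service entered the stopped state.",
    "2024-03-12T02:14:06Z host-a Security 1100 The event logging service has shut down.",
    "2024-03-12T02:14:49Z host-a System 7036 The Windows Event Log service entered the running state.",
    "2024-03-12T03:00:00Z host-b System 7036 The Print Spooler service entered the stopped state.",
    "2024-03-12T03:00:10Z host-b System 7036 The Print Spooler service entered the running state.",
    "2024-03-12T05:00:00Z host-d System 1074 The process winlogon.exe has initiated the restart of computer host-d for the following reason: Other (Planned)",
    "2024-03-12T05:00:20Z host-d Security 1100 The event logging service has shut down.",
    "2024-03-12T05:01:30Z host-d System 7036 The Windows Event Log service entered the running state.",
    "2024-03-12T23:00:00Z host-c Security 1100 The event logging service has shut down.",
]

if __name__ == "__main__":
    for finding in detect_eventlog_tampering(SAMPLE_LOG):
        print(finding)
```

On the sample, host-a is reported as a 44-second stop/start cycle corroborated by both 7036 and 1100, host-b is ignored because a different service cycled, host-d is suppressed as a planned restart, and host-c is reported as a stop with no restart. System 6006/6005 (event log service stopped/started) are equivalent stop and start markers and can be added to the same two conditions; whichever IDs you use, pair the finding with process-creation telemetry from the same window, since the page's note also asks for unusual .NET utility execution on the affected server.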
Scarred Manticore
| Tool | Type | Behavior | Hash / IOC Status | Detection Notes | Source |
|---|---|---|---|---|---|
Liontail | Passive backdoor framework | Check Point reports Liontail as Scarred Manticore passive server-side tooling using IIS/native-module or HTTP.sys-adjacent access patterns for stealthy inbound-controlled access rather than standard webshell request/response behavior. | Hash not committed; use Check Point source report references and local IIS module baselines. | Hunt IIS/native-module integrity changes, appcmd module registration, unexpected DLLs in IIS paths, HTTP.sys listener anomalies, worker-process child processes, and suspicious server DLL/service changes. | SRC-CP-SCARRED-MANTICORE-2023 |
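The Liontail note relies on IIS native-module integrity rather than request/response signatures, so the practical control is a baseline of the registered global modules and a diff against it. The block below is an added example of that check, not code from this repository or from Check Point. It parses the `<globalModules>` section of an IIS applicationHost.config and flags modules that are new, whose image path changed, or whose DLL lives outside the inetsrv directory. Both config fragments are constructed: the module names and inetsrv paths follow the stock IIS layout, while the altered StaticFileModule path and the CacheHelperModule entry are invented to trigger the findings, and the check assumes Windows is installed at C:\Windows when expanding %windir%.

```python
"""IIS global native-module baseline diff (added example).

Not code from the repository or Check Point. Parses <globalModules> from an
applicationHost.config and compares it with a known-good baseline. Both
fragments below are constructed; the StaticFileModule path change and the
CacheHelperModule entry are invented. Assumes %windir% is C:\\Windows.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Native IIS modules are expected to live here on a stock install.
INETSRV_DIR = r"c:\windows\system32\inetsrv"


def load_global_modules(config_xml: str) -> dict:
    """Map module name -> image path for every <globalModules><add> entry."""
    root = ET.fromstring(config_xml)
    modules = {}
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules[add.get("name")] = add.get("image")
    return modules


def normalize_image(image: str) -> str:
    """Lower-case and expand %windir% so paths compare reliably (assumes C:\\Windows)."""
    return image.lower().replace("%windir%", r"c:\windows")


def audit_iis_modules(baseline_xml: str, current_xml: str) -> list:
    """Return one finding per module that is new, relocated, or outside inetsrv."""
    baseline = {n: normalize_image(i) for n, i in load_global_modules(baseline_xml).items()}
    findings = []
    for name, image in load_global_modules(current_xml).items():
        norm = normalize_image(image)
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        elif baseline[name] != norm:
            reasons.append("image path changed")
        if str(PureWindowsPath(norm).parent) != INETSRV_DIR:
            reasons.append("image outside inetsrv")
        if reasons:
            findings.append({"module": name, "image": image, "reasons": reasons})
    return findings


# Constructed known-good baseline (stock module names and paths).
BASELINE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed current config: one relocated module, one added module.
CURRENT_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="C:\Windows\Temp\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CacheHelperModule" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_iis_modules(BASELINE_CONFIG, CURRENT_CONFIG):
        print(finding)
```

On a live server the current fragment is the `<globalModules>` section of `%windir%\System32\inetsrv\config\applicationHost.config`, and the same comparison applies to appcmd's module listing, which the note already mentions. Treat a clean diff as necessary rather than sufficient: the note also calls for hashing the DLLs under the inetsrv path and watching worker-process child processes, since a module can be swapped in place without any change to its registered path.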