Actor Navigation Workbench
Use this page as the click-through hub from an actor to its structured TTPs, IOC reference locations, malware/tool references, mapped hunts, mapped detections, and evidence records.
The page is generated from repository CSV/register data. It is an analyst navigation aid, not an attribution shortcut.
Actor Coverage Matrix
| Actor | Priority | TTPs | IOC refs | Tools | Hunts | Detections | Evidence | Research intakes | Intel leads |
|---|---|---|---|---|---|---|---|---|---|
| MuddyWater | High | 4 | 4 | 26 | 2 | 2 | 1 | 1 | 1 |
| OilRig | High | 2 | 1 | 31 | 0 | 0 | 2 | 2 | 1 |
| Magic Hound | High | 2 | 0 | 14 | 1 | 1 | 1 | 2 | 1 |
| APT42 | High | 3 | 2 | 3 | 1 | 1 | 2 | 0 | 1 |
| Agrius | High | 2 | 1 | 10 | 1 | 1 | 1 | 0 | 1 |
| CyberAv3ngers | High | 3 | 1 | 2 | 1 | 1 | 3 | 0 | 0 |
| Imperial Kitten | High | 3 | 0 | 2 | 0 | 0 | 1 | 0 | 1 |
| Pioneer Kitten | High | 3 | 0 | 1 | 2 | 2 | 1 | 1 | 1 |
| DarkBit | High | 2 | 0 | 1 | 0 | 0 | 1 | 0 | 0 |
| Lyceum | High | 2 | 0 | 12 | 0 | 0 | 1 | 0 | 1 |
| Cotton Sandstorm | High | 3 | 1 | 1 | 1 | 1 | 1 | 0 | 0 |
| APT39 | Medium | 2 | 0 | 11 | 0 | 0 | 1 | 1 | 1 |
| APT-C-23 | High | 2 | 3 | 7 | 0 | 0 | 1 | 1 | 1 |
| UNC3890 | Medium-High | 1 | 1 | 1 | 0 | 0 | 1 | 1 | 0 |
| Cyber Toufan | Medium-High | 3 | 0 | 1 | 1 | 1 | 1 | 1 | 0 |
| Void Manticore / Handala | High | 7 | 2 | 9 | 2 | 2 | 2 | 0 | 1 |
| Lebanese Cedar | Medium | 2 | 1 | 2 | 1 | 1 | 1 | 0 | 1 |
| WIRTE | High | 5 | 2 | 2 | 2 | 2 | 1 | 0 | 1 |
| TA402 | Medium-High | 2 | 2 | 1 | 0 | 0 | 1 | 0 | 2 |
| UNC1860 | High | 5 | 2 | 9 | 1 | 1 | 2 | 0 | 0 |
| Scarred Manticore | High | 5 | 0 | 1 | 1 | 1 | 1 | 0 | 0 |
Actor Drilldowns
MuddyWater
- Actor workbench: MuddyWater
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution; Email, Cloud-Service, IMAP, And DNS C2
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1566 Phishing (M2); T1059.001 PowerShell (M2); T1219 Remote Access Software (M3); T1567.002 Exfiltration to Cloud Storage (M2)
- Mapped detections: DET-002 Suspicious RMM Installer Download From User Context (Pilot, DRL-6); DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
- Mapped hunts: HUNT-002 If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled paths; HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
- IOC reference sources:
  - SRC-MITRE-G0069: Technique references
  - SRC-AP-MUDDYWATER: Malware/tool references; ATT&CK mappings; campaign IOCs
  - SRC-THREAT-HUNTER-V3: Domains; IPs; Rclone destinations; Dindoor/Fakeset references
  - SRC-INCD-MUDDYWATER-2024: Domains; hashes; tools; infrastructure; TTPs
- Tool detail pages: Remote Monitoring and Management tools; Dindoor; Fakeset; BugSleep; BlackBeard; Fooder / MuddyViper; ConnectWise; CrackMapExec; DCHSpy; Empire; Koadic; LaZagne; LP-Notes; Mimikatz; Mori; Out1; PowerSploit; POWERSTATS; PowGoop; Rclone; RemoteUtilities; RustyWater; SHARPSTATS; Small Sieve; STARWHALE; Tsundere Botnet
- Tool matrix: all actor-linked tools (26 mapped tool row(s))
- Evidence records: EVD-004/CLM-MUDDYWATER-001
- Imported research intakes: MuddyWater Deep Research Intake (High, Needs source validation)
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-AP-MUDDYWATER, SRC-CP-BUGSLEEP, SRC-ESET-MUDDYWATER-SNAKES, SRC-INCD-MUDDYWATER-2024, SRC-INCD-MUDDYWATER-PHISHING, SRC-MITRE-G0069, SRC-THREAT-HUNTER-V3
OilRig
- Actor workbench: OilRig
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution; Internet-Facing Servers, Webshells, And Passive Access; Email, Cloud-Service, IMAP, And DNS C2
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1505.003 Web Shell (M3); T1049 System Network Connections Discovery (M1)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources:
  - SRC-MITRE-G0049: Technique references
- Tool detail pages: OilBooster; Saitama; BONDUPDATER; certutil; ftp; Helminth; ipconfig; ISMInjector; LaZagne; Mango; Mimikatz; Net; netstat; ngrok; ODAgent; OilCheck; OopsIE; PowerExchange; POWRUNER; PsExec; QUADAGENT; RDAT; Reg; RGDoor; SampleCheck5000; SEASHARPEE; SideTwist; Solar; Systeminfo; Tasklist; ZeroCleare
- Tool matrix: all actor-linked tools (31 mapped tool row(s))
- Evidence records: EVD-013/CLM-OILRIG-001; EVD-014/CLM-OILRIG-002
- Imported research intakes: OilRig And Magic Hound Deep Research Intake (High, Needs source validation); APT35 And OilRig Israel Deep Research Intake (High, Needs source validation)
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-ESET-OILRIG-ISRAEL, SRC-MITRE-G0049, SRC-UNIT42-OILRIG-DNS-TUNNELING
Magic Hound
- Actor workbench: Magic Hound
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Identity, MDM, And Cloud Administration
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1566.002 Spearphishing Link (M2); T1583.001 Acquire Domains (M1)
- Mapped detections: DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
- Mapped hunts: HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
- IOC reference sources: None currently mapped.
- Tool detail pages: FRP / Plink; Mimikatz / SQLMap / Havij; CharmPower; DownPaper; Impacket; ipconfig; Mimikatz; Net; netsh; Ping; PowerLess; PsExec; Pupy; Systeminfo
- Tool matrix: all actor-linked tools (14 mapped tool row(s))
- Evidence records: EVD-015/CLM-APT35-001
- Imported research intakes: OilRig And Magic Hound Deep Research Intake (High, Needs source validation); APT35 And OilRig Israel Deep Research Intake (High, Needs source validation)
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-MITRE-G0059
APT42
- Actor workbench: APT42
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Identity, MDM, And Cloud Administration; Endpoint RMM, Scripting, And User-Path Execution; Email, Cloud-Service, IMAP, And DNS C2
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1530 Data from Cloud Storage (M1); T1102 Web Service (M1); T1566.002 Spearphishing Link (M3)
- Mapped detections: DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
- Mapped hunts: HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
- IOC reference sources:
  - SRC-MANDIANT-APT42: Domains; malware hashes; infrastructure
  - SRC-PROOFPOINT-IRAN-CONFLICT-2026: Phishing infrastructure; lure domains; campaign indicators
- Tool detail pages: POWERPOST; NICECURL; TAMECAT
- Tool matrix: all actor-linked tools (3 mapped tool row(s))
- Evidence records: EVD-003/CLM-APT42-001; EVD-016/CLM-APT42-002
- Imported research intakes: None currently mapped.
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-GOOGLE-APT42-PHISHING, SRC-MANDIANT-APT42, SRC-MITRE-G1044, SRC-PROOFPOINT-IRAN-CONFLICT-2026
Agrius
- Actor workbench: Agrius
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Destructive Operations, Backup Deletion, And Wipers
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1485 Data Destruction (M2); T1486 Data Encrypted for Impact (M2)
- Mapped detections: DET-001 Intune Bulk Device Wipe Anomaly (Hunt, DRL-5)
- Mapped hunts: HUNT-001 If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs
- IOC reference sources:
  - SRC-MITRE-G1030: Technique references
- Tool detail pages: Moneybird; BlackShadow; Apostle; ASPXSpy; BFG Agonizer; DEADWOOD; IPsec Helper; Mimikatz; MultiLayer Wiper; NBTscan
- Tool matrix: all actor-linked tools (10 mapped tool row(s))
- Evidence records: EVD-017/CLM-AGRIUS-001
- Imported research intakes: None currently mapped.
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-MITRE-G1030
CyberAv3ngers
- Actor workbench: CyberAv3ngers
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: OT, PLC, HMI, And Exposed Engineering Interfaces
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T0883 Internet Accessible Device (M2); T0836 Modify Parameter (M2); T0832 Manipulation of View (M2)
- Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
- Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
- IOC reference sources:
  - SRC-CISA-AA23-335A: IP; device exposure; affected product context
- Tool detail pages: Unitronics Vision PLC Web/HMI; IOControl
- Tool matrix: all actor-linked tools (2 mapped tool row(s))
- Evidence records: EVD-002/CLM-CYBERAV3NGERS-001; EVD-009/CLM-CYBERAV3NGERS-002; EVD-026/CLM-CYBERAV3NGERS-003
- Imported research intakes: None currently mapped.
- Intel update candidates: None in current feed pull.
- Source IDs in structured data: SRC-CISA-AA23-335A, SRC-CISA-AA26-097A, SRC-CLAROTY-IOCONTROL-2024
Imperial Kitten
- Actor workbench: Imperial Kitten
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution; Email, Cloud-Service, IMAP, And DNS C2
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1189 Drive-by Compromise (M2); T1071.003 Mail Protocols (M3); T1059.005 Visual Basic (M2)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources: None currently mapped.
- Tool detail pages: IMAPLoader; StandardKeyboard
- Tool matrix: all actor-linked tools (2 mapped tool row(s))
- Evidence records: EVD-018/CLM-IMPERIALKITTEN-001
- Imported research intakes: None currently mapped.
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-CS-IMPERIAL-KITTEN-2023, SRC-PWC-YELLOW-LIDERC-2023
Pioneer Kitten
- Actor workbench: Pioneer Kitten
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Identity, MDM, And Cloud Administration; Internet-Facing Servers, Webshells, And Passive Access
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1190 Exploit Public-Facing Application (M2); T1219 Remote Access Software (M2); T1572 Protocol Tunneling (M2)
- Mapped detections: DET-002 Suspicious RMM Installer Download From User Context (Pilot, DRL-6); DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
- Mapped hunts: HUNT-002 If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled paths; HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
- IOC reference sources: None currently mapped.
- Tool detail pages: NGROK / Ligolo
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-019/CLM-PIONEERKITTEN-001
- Imported research intakes: Pioneer Kitten Deep Research Intake (High, Needs source validation)
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-CISA-AA24-241A
DarkBit
- Actor workbench: DarkBit
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Destructive Operations, Backup Deletion, And Wipers
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1486 Data Encrypted for Impact (M2); T1490 Inhibit System Recovery (M2)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources: None currently mapped.
- Tool detail pages: DarkBit ransomware
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-020/CLM-DARKBIT-001
- Imported research intakes: None currently mapped.
- Intel update candidates: None in current feed pull.
- Source IDs in structured data: SRC-INCD-DARKBIT-MUDDYWATER-2023, SRC-MS-MERCURY-DEV1084-2023
Lyceum
- Actor workbench: Lyceum
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: OT, PLC, HMI, And Exposed Engineering Interfaces
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1071.004 DNS (M2); T1003.001 LSASS Memory (M2)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources: None currently mapped.
- Tool detail pages: DanBot; Kevin; Shark; BITSAdmin; DnsSystem; Empire; ipconfig; Milan; Mimikatz; netstat; Ping; PoshC2
- Tool matrix: all actor-linked tools (12 mapped tool row(s))
- Evidence records: EVD-021/CLM-LYCEUM-001
- Imported research intakes: None currently mapped.
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-MITRE-G1001
Cotton Sandstorm
- Actor workbench: Cotton Sandstorm
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: None currently mapped.
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1585 Establish Accounts (M1); T1204.002 User Execution: Malicious File (M3); T1566 Phishing (M3)
- Mapped detections: DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
- Mapped hunts: HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
- IOC reference sources:
  - SRC-CP-WEZRAT: Email sender; domains; hashes; C2 paths; malware behavior
- Tool detail pages: WezRat
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-022/CLM-COTTONSANDSTORM-001
- Imported research intakes: None currently mapped.
- Intel update candidates: None in current feed pull.
- Source IDs in structured data: SRC-CP-WEZRAT, SRC-FBI-EMENNET-2024, SRC-MS-IRAN-IO
APT39
- Actor workbench: APT39
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: None currently mapped.
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1566.001 Spearphishing Attachment (M2); T1003.001 LSASS Memory (M2)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources: None currently mapped.
- Tool detail pages: Remexi; ANTAK / ASPXSPY; Cadelspy; CrackMapExec; ftp; MechaFlounder; Mimikatz; NBTscan; PsExec; pwdump; Windows Credential Editor
- Tool matrix: all actor-linked tools (11 mapped tool row(s))
- Evidence records: EVD-027/CLM-APT39-001
- Imported research intakes: APT39 Arid Viper UNC3890 Cyber Toufan Deep Research Intake (Medium, Needs source validation)
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-MITRE-G0087
APT-C-23
- Actor workbench: APT-C-23
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: None currently mapped.
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1660 Phishing (M2); T1204.002 User Execution: Malicious File (M3)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources:
  - SRC-META-ARIDVIPER: Domains; apps; mobile indicators
  - SRC-CYBERNEWS-REDALERT-2026: App names; package references; domains from secondary coverage
  - SRC-S1-ISRAEL-HAMAS-CYBER-2023: Actor context; mobile and social-engineering references
- Tool detail pages: AridSpy; RedAlert.apk; Desert Scorpion; FrozenCell; Micropsia; Phenakite; SpyC23
- Tool matrix: all actor-linked tools (7 mapped tool row(s))
- Evidence records: EVD-011/CLM-ARIDVIPER-001
- Imported research intakes: APT39 Arid Viper UNC3890 Cyber Toufan Deep Research Intake (High, Needs source validation)
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-CYBERNEWS-REDALERT-2026, SRC-ESET-ARIDSPY, SRC-META-ARIDVIPER, SRC-MITRE-G1028, SRC-S1-ISRAEL-HAMAS-CYBER-2023
UNC3890
- Actor workbench: UNC3890
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: None currently mapped.
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1189 Drive-by Compromise (M2)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources:
  - SRC-MANDIANT-UNC3890: Punycode domains; malware references; infrastructure
- Tool detail pages: SUGARUSH / SUGARDUMP
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-025/CLM-UNC3890-001
- Imported research intakes: APT39 Arid Viper UNC3890 Cyber Toufan Deep Research Intake (Medium, Needs source validation)
- Intel update candidates: None in current feed pull.
- Source IDs in structured data: SRC-MANDIANT-UNC3890, SRC-SECWEEK-UNC3890
Cyber Toufan
- Actor workbench: Cyber Toufan
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: OT, PLC, HMI, And Exposed Engineering Interfaces; Destructive Operations, Backup Deletion, And Wipers
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1491 Defacement (M2); T1595 Active Scanning (M1); T1021.002 SMB/Windows Admin Shares (M3)
- Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
- Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
- IOC reference sources: None currently mapped.
- Tool detail pages: Cyber Toufan supplier-access playbook
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-023/CLM-CYBERTOUFAN-001
- Imported research intakes: APT39 Arid Viper UNC3890 Cyber Toufan Deep Research Intake (High, Needs source validation)
- Intel update candidates: None in current feed pull.
- Source IDs in structured data: SRC-MS-IRAN-HAMAS, SRC-OPI-CYBER-TOUFAN
Void Manticore / Handala
- Actor workbench: Void Manticore / Handala
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Identity, MDM, And Cloud Administration; Destructive Operations, Backup Deletion, And Wipers
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1566 Phishing (M2); T1204 User Execution (M2); T1485 Data Destruction (M2); T1490 Inhibit System Recovery (M2); T1567 Exfiltration Over Web Service (M2); T1078.004 Valid Accounts: Cloud Accounts (M3)
- Mapped detections: DET-001 Intune Bulk Device Wipe Anomaly (Hunt, DRL-5); DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
- Mapped hunts: HUNT-001 If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs; HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
- IOC reference sources:
  - SRC-AP-HANDALA: IP/CIDR; hashes; URLs; actor channels; soft IOCs
  - SRC-THREAT-HUNTER-V3: Domains; IPs; file names; driver names; behavioral IOCs
- Tool detail pages: BiBi / BiBi Wiper lineage; Handala-linked destructive installer chains; CHIMNEYSWEEP; ftp; Impacket; Mimikatz; RawDisk; ROADSWEEP; ZeroCleare
- Tool matrix: all actor-linked tools (9 mapped tool row(s))
- Evidence records: EVD-005/CLM-HANDALA-001; EVD-006/CLM-HANDALA-002
- Imported research intakes: None currently mapped.
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-AP-HANDALA, SRC-MITRE-G1055, SRC-PUSH-STRYKER-HANDALA, SRC-THREAT-HUNTER-V3
Lebanese Cedar
- Actor workbench: Lebanese Cedar
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Internet-Facing Servers, Webshells, And Passive Access
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1190 Exploit Public-Facing Application (M2); T1505.003 Web Shell (M2)
- Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
- Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
- IOC reference sources:
  - SRC-CLEARSKY-LEBANESE-CEDAR: Webshell paths; malware references; vulnerable products
- Tool detail pages: Explosive RAT; Caterpillar WebShell
- Tool matrix: all actor-linked tools (2 mapped tool row(s))
- Evidence records: EVD-012/CLM-LEBANESECEDAR-001
- Imported research intakes: None currently mapped.
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-CLEARSKY-LEBANESE-CEDAR
WIRTE
- Actor workbench: WIRTE
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1566 Phishing (M2); T1574.001 DLL Search Order Hijacking (M3); T1485 Data Destruction (M2); T1105 Ingress Tool Transfer (M3); T1567.002 Exfiltration to Cloud Storage (M3)
- Mapped detections: DET-001 Intune Bulk Device Wipe Anomaly (Hunt, DRL-5); DET-004 Mail Click To Execution Correlation (Hunt, DRL-4)
- Mapped hunts: HUNT-001 If identity-plane destructive tradecraft is attempted then privileged role activation or bulk device actions will appear in audit logs; HUNT-004 If VIP phishing is active then mail click events will correlate to risky sign-in or execution
- IOC reference sources:
  - SRC-CP-WIRTE-2024: Wiper references; trusted sender abuse; fake update artifacts
  - SRC-UNIT42-ASHTAG-2025: Malware hashes; domains; C2 paths; tool behavior
- Tool detail pages: SameCoin; AshTag
- Tool matrix: all actor-linked tools (2 mapped tool row(s))
- Evidence records: EVD-010/CLM-WIRTE-001
- Imported research intakes: None currently mapped.
- Intel update candidates: 1 current candidate(s)
- Source IDs in structured data: SRC-CP-WIRTE-2024, SRC-UNIT42-ASHTAG-2025
TA402
- Actor workbench: TA402
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Endpoint RMM, Scripting, And User-Path Execution
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1566.001 Spearphishing Attachment (M3); T1574.001 DLL Search Order Hijacking (M3)
- Mapped detections: None currently mapped.
- Mapped hunts: None currently mapped.
- IOC reference sources:
  - SRC-PROOFPOINT-TA402-IRONWIND: Domains; payload hashes; attachment chain details
  - SRC-S1-ISRAEL-HAMAS-CYBER-2023: Actor context; lure and malware family references
- Tool detail pages: IronWind
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-024/CLM-TA402-001
- Imported research intakes: None currently mapped.
- Intel update candidates: 2 current candidate(s)
- Source IDs in structured data: SRC-PROOFPOINT-TA402-IRONWIND, SRC-S1-ISRAEL-HAMAS-CYBER-2023
UNC1860
- Actor workbench: UNC1860
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: OT, PLC, HMI, And Exposed Engineering Interfaces; Internet-Facing Servers, Webshells, And Passive Access
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1190 Exploit Public-Facing Application (M2); T1505.003 Web Shell (M2); T1105 Ingress Tool Transfer (M2); T1021.001 Remote Services: RDP (M2); T1078 Valid Accounts (M2)
- Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
- Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
- IOC reference sources:
  - SRC-MALPEDIA-UNC1860: Associated malware families; references; taxonomy
  - SRC-MANDIANT-UNC1860: Tooling; passive backdoors; webshells; access-enablement references
- Tool detail pages: TEMPLEDOOR; TEMPLEPLAY; CRYPTOSLAY; PipeSnoop; STAYSHANTE; SASHEYAWAY; VIROGREEN; TEMPLEDROP; TEMPLELOCK
- Tool matrix: all actor-linked tools (9 mapped tool row(s))
- Evidence records: EVD-001/CLM-UNC1860-001; EVD-008/CLM-UNC1860-002
- Imported research intakes: None currently mapped.
- Intel update candidates: None in current feed pull.
- Source IDs in structured data: SRC-MALPEDIA-UNC1860, SRC-MANDIANT-UNC1860
Scarred Manticore
- Actor workbench: Scarred Manticore
- TTP-to-detection matrix: all mapped techniques
- Surface and capability routes: Internet-Facing Servers, Webshells, And Passive Access
- Detection status: dashboard
- Hunt workflow: hunt workflow
- ATT&CK mappings: T1190 Exploit Public-Facing Application (M2); T1505.004 IIS Components (M2); T1505.003 Web Shell (M2); T1071.001 Web Protocols (M2); T1199 Trusted Relationship (M2)
- Mapped detections: DET-003 Unitronics PLC HMI Web Interface Access (Hunt, DRL-4)
- Mapped hunts: HUNT-003 If exposed PLC/HMI surfaces are targeted then OT management paths or ports will show external access
- IOC reference sources: None currently mapped.
- Tool detail pages: Liontail
- Tool matrix: all actor-linked tools (1 mapped tool row(s))
- Evidence records: EVD-007/CLM-SCARRED-001
- Imported research intakes: None currently mapped.
- Intel update candidates: None in current feed pull.
- Source IDs in structured data: SRC-CP-SCARRED-MANTICORE-2023, SRC-CP-VOID-2024