1. Home
  2. Techniques
  3. Enterprise
  4. 系统时间发现

系统时间发现

ID Name
T1124.001 合法进程时间戳读取
T1124.002 分布式时间戳采集

系统时间发现是攻击者通过本地或远程方式获取目标系统时间、时区或运行时间的侦察技术,通常用于构建攻击时间线、触发定时任务或辅助地理定位。攻击者可能使用net time、w32tm等命令行工具或系统API(如GetTickCount)实施探测,防御方可通过对异常命令行操作监控、网络设备AAA日志审计等方式进行检测,但由于合法进程频繁调用时间接口,传统检测方法存在高误报率缺陷。

为规避传统检测机制,攻击者发展出多维度匿迹技术,将显式时间查询转化为隐式信息收集。通过劫持合法进程、分布式节点协同等手法,将时间发现行为深度嵌入系统正常活动中,形成"无特征、低信噪比"的新型时间侦察模式。

现有匿迹技术的共性在于突破传统时间查询的显式特征约束,构建多层隐匿体系:在行为层,通过进程注入或API劫持将恶意操作融入可信进程上下文,消除独立攻击痕迹;在数据层,采用分片编码与协议寄生策略,使时间数据传输符合正常业务流量特征,形成覆盖攻击链全环节的匿迹能力。

匿迹技术的演进迫使防御体系从单一事件检测转向多维度行为分析,需构建进程行为基线模型、网络流量语义解析及分布式日志关联能力,结合可信执行环境(TEE)技术监控敏感API调用链,并通过威胁情报共享机制识别隐蔽信道特征,提升对新型时间发现攻击的感知精度。

ID: T1124
Sub-techniques:  T1124.001, T1124.002
Tactic: 环境测绘
Platforms: Linux, Network, Windows, macOS
Contributors: Austin Clark, @c2defense; FIRST.ORG's Cyber Threat Intelligence SIG
Version: 1.4
Created: 31 May 2017
Last Modified: 16 April 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

行为透明

攻击者通过劫持合法进程的时间接口,使时间查询行为具有与正常系统操作相同的进程特征、API调用链及数据访问模式。例如将GetSystemTime调用嵌入杀毒软件更新进程中,或通过文件元数据分析替代直接时间查询,实现恶意行为与合法操作的深度混淆,系统时间发现技术本身具有一定的行为透明匿迹效应。

时空释痕

分布式时间戳采集技术将高频次时间查询任务分解为跨地域、长周期的低频操作。每个代理节点按预设时间窗口(如每6小时)执行单次查询,利用全球节点的时间差自动拼合完整时间轴,使得单节点行为特征低于检测阈值,整体攻击特征稀释在跨国网络流量中。

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla can collect the timestamp from the victim’s machine.[1]
S0622 AppleSeed

AppleSeed can pull a timestamp from the victim's machine.[2]
S0373 Astaroth

Astaroth collects the timestamp from the infected machine. [3]
S1053 AvosLocker

AvosLocker has checked the system time before and after encryption.[4]
S0344 Azorult

Azorult can collect the time zone information from the system.[5][6]
S1081 BADHATCH

BADHATCH can obtain the DATETIME and UPTIME from a compromised machine.[7]

S0534 Bazar

Bazar can collect the time on the compromised host.[8][9]
S0574 BendyBear

BendyBear has the ability to determine local time on a compromised host.[10]

S0017 BISCUIT

BISCUIT has a command to collect the system UPTIME.[11]
S0268 Bisonal

Bisonal can check the system time set on the infected host.[12]
S0657 BLUELIGHT

BLUELIGHT can collect the local time on a compromised host.[13]
G0060 BRONZE BUTLER

BRONZE BUTLER has used net time to check the local time on a target system.[14]
S0471 build_downer

build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.[15]
C0015 C0015

During C0015, the threat actors used the command net view /all time to gather the local time of a compromised network.[16]
S0351 Cannon

Cannon can collect the current time zone information from the victim’s machine.[17]
S0335 Carbon

Carbon uses the command net time \127.0.0.1 to get information the system’s time.[18]
S1043 ccf32

ccf32 can determine the local time on targeted machines.[19]
G0114 Chimera

Chimera has used time /t and net time \ip/hostname for system time discovery.[20]
S0660 Clambling

Clambling can determine the current time.[21]
S0126 ComRAT

ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).[22]

S0608 Conficker

Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[23][24]
S0115 Crimson

Crimson has the ability to determine the date and time on a compromised host.[25]
G1012 CURIUM

CURIUM deployed mechanisms to check system time information following strategic website compromise attacks.[26]
S1111 DarkGate

DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename.[27] DarkGate queries victim system epoch time during execution.[27] DarkGate captures system time information as part of automated profiling on initial installation.[28]
G0012 Darkhotel

Darkhotel malware can obtain system time from a compromised host.[29]
S0673 DarkWatchman

DarkWatchman can collect time zone information and system UPTIME.[30]
S1033 DCSrv

DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.[31]
S1134 DEADWOOD

DEADWOOD will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past, the wiper will execute immediately.[32]
S0694 DRATzarus

DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to inspect system time.[33]
S1159 DUSTTRAP

DUSTTRAP reads the infected system's current time and writes it to a log file during execution.[34]
S0554 Egregor

Egregor contains functionality to query the local/system time.[35]
S0091 Epic

Epic uses the net time command to get the system time from the machine and collect the current date and time zone information.[36]
S0396 EvilBunny

EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.[37]
S0267 FELIXROOT

FELIXROOT gathers the time zone information from the victim’s machine.[38]
S1044 FunnyDream

FunnyDream can check system time to help determine when changes were made to specified files.[19]
S0588 GoldMax

GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.[39][40]

S0531 Grandoreiro

Grandoreiro can determine the time on the victim machine via IPinfo.[41]
S0237 GravityRAT

GravityRAT can obtain the date and time of a system.[42]
S0690 Green Lambert

Green Lambert can collect the date and time from a compromised host.[43][44]
S0417 GRIFFON

GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.[45]

G0126 Higaisa

Higaisa used a function to gather the current time.[46]
S0376 HOPLIGHT

HOPLIGHT has been observed collecting system time from victim machines.[47]
S0260 InvisiMole

InvisiMole gathers the local system time from the victim’s machine.[48][49]
S1051 KEYPLUG

KEYPLUG can obtain the current tick count of an infected computer.[50]
G0032 Lazarus Group

A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[51]
S0455 Metamorfo

Metamorfo uses JavaScript to get the system time.[52]

S0149 MoonWind

MoonWind obtains the victim's current time.[53]
S0039 Net

The net time command can be used in Net to determine the local or remote system time.[54]
S1147 Nightdoor

Nightdoor can identify the system local time information.[55]
S0353 NOKKI

NOKKI can collect the current timestamp of the victim's machine.[56]
S0439 Okrum

Okrum can obtain the date and time of the compromised system.[57]
S0264 OopsIE

OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.[58]
C0012 Operation CuckooBees

During Operation CuckooBees, the threat actors used the net time command as part of their advanced reconnaissance.[59]
C0014 Operation Wocao

During Operation Wocao, threat actors used the time command to retrieve the current time of a compromised system.[60]
S0501 PipeMon

PipeMon can send time zone information from a compromised host to C2.[61]
S0139 PowerDuke

PowerDuke has commands to get the time the machine was built, the time, and the time zone.[62]
S0238 Proxysvc

As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[51]
S0650 QakBot

QakBot can identify the system time on a targeted host.[63]
S1148 Raccoon Stealer

Raccoon Stealer gathers victim machine timezone information.[64][65]
S0148 RTM

RTM can obtain the victim time zone.[66]
S0596 ShadowPad

ShadowPad has collected the current date and time of the victim system.[67]
S0140 Shamoon

Shamoon obtains the system time and will only activate if it is greater than a preset date.[68][69]
S0450 SHARPSTATS

SHARPSTATS has the ability to identify the current date and time on the compromised host.[70]
G0121 Sidewinder

Sidewinder has used tools to obtain the current system time.[71]
S0692 SILENTTRINITY

SILENTTRINITY can collect start time information from a compromised host.[72]
S0615 SombRAT

SombRAT can execute getinfo to discover the current time on a compromised host.[73][74]
S0380 StoneDrill

StoneDrill can obtain the current date and time of the victim machine.[75]

S1034 StrifeWater

StrifeWater can collect the time zone from the victim's machine.[76]
S0603 Stuxnet

Stuxnet collects the time and date of a system when it is infected.[77]
S0559 SUNBURST

SUNBURST collected device UPTIME.[78][79]
S1064 SVCReady

SVCReady can collect time zone information.[80]
S0098 T9000

T9000 gathers and beacons the system time during installation.[81]
S0011 Taidoor

Taidoor can use GetLocalTime and GetSystemTime to collect system time.[82]
S0586 TAINTEDSCRIBE

TAINTEDSCRIBE can execute GetLocalTime for time discovery.[83]
S0467 TajMahal

TajMahal has the ability to determine local time on a compromised host.[84]
G0089 The White Company

The White Company has checked the current date on the victim system.[85]
S0678 Torisma

Torisma can collect the current time on a victim machine.[86]
G0010 Turla

Turla surveys a system upon check-in to discover the system time by using the net time command.[36]
S0275 UPPERCUT

UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.[87]
G1017 Volt Typhoon

Volt Typhoon has obtained the victim's system timezone.[88]
S0466 WindTail

WindTail has the ability to generate the current date and time.[89]
S0251 Zebrocy

Zebrocy gathers the current time zone and date information from the system.[90][91]
S0330 Zeus Panda

Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.[92]
G0128 ZIRCONIUM

ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.[93]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that may gather the system time and/or time zone from a local or remote system.
DS0009 Process OS API Execution

Monitor for API calls that may gather the system time and/or time zone from a local or remote system. Remote access tools with built-in features may interact directly with the Windows API to gather information.
Process Creation

Monitor for newly executed processes that may gather the system time and/or time zone from a local or remote system.

References

  1. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  2. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  3. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
  4. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  5. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  6. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  7. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  8. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  9. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  10. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  11. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  12. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  13. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  14. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  15. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  16. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  17. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  18. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
  19. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  20. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  21. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  22. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  23. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  24. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  25. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  26. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  27. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  28. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  29. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
  30. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  31. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  32. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  33. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  34. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  35. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.
  36. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  37. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  38. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  39. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  40. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  41. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  42. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  43. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  44. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  45. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  46. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  47. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  1. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  2. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  3. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  4. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  5. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  6. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  7. Microsoft. (n.d.). Net time. Retrieved November 25, 2016.
  8. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  9. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  10. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  11. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  12. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  13. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  14. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  15. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  16. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  17. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  18. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  19. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  20. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  21. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  22. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  23. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  24. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  25. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  26. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  27. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  28. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  29. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  30. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  31. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  32. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  33. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  34. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  35. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  36. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  37. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  38. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  39. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  40. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  41. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  42. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  43. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  44. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  45. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  46. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.