[RDFSNIFFER] is a module loaded by [BOOSTWRITE] which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs. (Citation: FireEye FIN7 Oct 2019)


[Proxysvc] is a malicious DLL used by [Lazarus Group] in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc] is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can


[Orz] is a custom JavaScript backdoor used by [Leviathan]. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)


[NOKKI] is a modular remote access tool. The earliest observed attack using [NOKKI] was in January 2018. [NOKKI] has significant code overlap with the [KONNI] malware family. There is some evidence potentially linking [NOKKI] to [APT37]. (Citation: Unit 42 NOKKI Sept 2018) (Citation: Unit 42 Nokki Oct 2018)


[yty] is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)


[Backdoor.Oldrea] is a backdoor used by [Dragonfly]. It appears to be custom malware authored by the group or specifically for it. (Citation: Symantec Dragonfly)


[DOGCALL] is a backdoor used by [APT37] that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)


[Downdelph] is a first-stage downloader written in Delphi that has been used by [APT28] in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)


[SEASHARPEE] is a Web shell that has been used by [OilRig]. (Citation: FireEye APT34 Webinar Dec 2017)


[Get2] is a downloader written in C++ that has been used by [TA505] to deliver [FlawedGrace], [FlawedAmmyy], Snatch and [SDBbot]. (Citation: Proofpoint TA505 October 2019)