[POWRUNER] is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)

Power Loader

[Power Loader] is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

TDTESS

[TDTESS] is a 64-bit .NET binary backdoor used by [CopyKittens]. (Citation: ClearSky Wilted Tulip July 2017)

SharpStage

[SharpStage] is a .NET malware with backdoor capabilities. (Citation: Cybereason Molerats Dec 2020) (Citation: BleepingComputer Molerats Dec 2020)

Smoke Loader

[Smoke Loader] is a malicious bot application that can be used to load other malware. [Smoke Loader] has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

HALFBAKED

[HALFBAKED] is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)

WindTail

[WindTail] is a macOS surveillance implant used by [Windshift]. [WindTail] shares code similarities with Hack Back, aka KitM OSX. (Citation: SANS Windshift August 2018) (Citation: objective-see windtail1 dec 2018) (Citation: objective-see windtail2 jan 2019)

Misdat

[Misdat] is a backdoor that was used by [Dust Storm] from 2010 to 2011. (Citation: Cylance Dust Storm)

FLIPSIDE

[FLIPSIDE] is a simple tool, similar to Plink, that is used by [FIN5] to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Linux Rabbit

[Linux Rabbit] is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices. (Citation: Anomali Linux Rabbit 2018)