[POWERSOURCE] is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script w


[Felismus] is a modular backdoor that has been used by [Sowbug]. (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)

Zeus Panda

[Zeus Panda] is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda]'s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citatio


[GeminiDuke] is malware that was used by [APT29] from 2009 to 2012. (Citation: F-Secure The Dukes)


[CARROTBAT] is a customized dropper that has been in use since at least 2017. [CARROTBAT] has been used to install [SYSCON] and has infrastructure overlap with [KONNI].(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)


[Matryoshka] is a malware framework used by [CopyKittens] that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)


[FrameworkPOS] is a point of sale (POS) malware used by [FIN6] to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)


[GravityRAT] is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in In


[WEBC2] is a family of backdoor malware used by [APT1] as early as July 2006. [WEBC2] backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)


[Bankshot] is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group] used the [Bankshot] implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)