NETWIRE

TA2541 uses themes related to aviation, transportation, and travel. When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload.

Throughout the last decade, ModifiedElephant operators sought to infect their targets via spearphishing emails with malicious file attachments, with their techniques evolving over time. Their primary delivery mechanism is malicious Microsoft Office document files weaponized to deliver the malware of choice at the time.

In 2019 phishing campaigns, ModifiedElephant operators also took the approach of providing links to files hosted externally for manual download and execution by the target.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

Observed lure documents repeatedly made use of CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641 exploits to drop and execute their malware of choice.

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry. | The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

Bundlore can persist via a LaunchAgent. Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence. CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

Agent Tesla has created hidden folders. AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings. APT28 has saved files with hidden file attributes. FIN13 has created hidden files and folders within a compromised Linux system /tmp directory and also used attrib.exe to hide gathered local host information.

Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry. | The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

Evilnum can collect email credentials from victims... Malteiro has obtained credentials from mail clients via NirSoft MailPassView... MgBot includes modules for stealing stored credentials from Outlook and Foxmail email client software... PLEAD has the ability to steal saved passwords from Microsoft Outlook.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

A group of remote access trojans, among them WarZoneRAT, njrat, nanocore, and netwire, overlap on process injection, keylogging-related calls, and command-and-control traffic.

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

Agrius used a custom tool, sql.net4.exe, to query SQL databases and then identify and extract personally identifiable information... AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration... Ember Bear engages in mass collection from compromised systems during intrusions.

APT28 used a publicly available tool to gather and compress multiple documents... LoFiSe can collect all the files from the working directory every three hours and place them into a password-protected archive... NETWIRE can automatically archive collected data.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

First, we see a call to a location in the stack ... that will execute the function InternetOpenUrlA, we also see the C2 it will use... the second shellcode downloads further malware.

The primary malware families deployed were NetWire and DarkComet remote access trojans (RATs). Both of these RATs are publicly available, and have a long history of abuse by threat actors across the spectrum of skill and capability.

It turns out that a compromise of defendant systems led to the planting of files that were later used as evidence of terrorism and justification for the defendants’ imprisonment.

Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.