Software

Zox is a remote access tool that has been used by Axiom since at least 2008.[1]

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[1][2]

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[1]

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. [1]

at is used to schedule tasks on a system to run at a specified date or time.[1][2]

attrib is a Windows utility used to display, set or remove attributes assigned to files or directories.[1]

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]

cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was orginally released in 2000. cd00r source code is primarily based on a packet-capturing program as it utilizes a sniffer to listen for specific sequences of network traffic or "secret knock" before executing the attacker's code.[1][2]

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (New Technology File System) partitions by using the Encrypting File System (EFS).[1]

cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. [1]

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., dir [2]), deleting files (e.g., del [3]), and copying files (e.g., copy [4]).

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.[1]

esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.[1]

evilginx2 is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. evilginx2 can be used as a reverse proxy between victims and legitimate web services to intercept and capture credentials, authentication tokens, and session cookies.[1][2][3]

ftp is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[1][2]

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.[1][2][3]

gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. [1]

hcdLoader is a remote access tool (RAT) that has been used by APT18. [1]

httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. [1]

iKitten is a macOS exfiltration agent [1].

ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. [1]

ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. [1]