Software

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.[1] [2]

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.[1][2]

meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory.[1][2]

nbtstat is a utility used to troubleshoot NetBIOS name resolution. [1]

netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. [1]

ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. ngrok has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.[1][2][3][4]

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility. [1]

pwdump is a credential dumper. [1]

reGeorg is an open-source web shell written in Python that can be used as a proxy to bypass firewall rules and tunnel data in and out of targeted networks.[1][2]

route can be used to find or change information within the local system IP routing table. [1]

schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. [1]

spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. [1]

sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. [1]

xCaon is an HTTP variant of the BoxCaon malware family that has used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.[1][2]

xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. [1]

yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. [1]

zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[1]