Whitefly
Whitefly is a threat actor referenced in the provided content as using credential theft and remote access tooling, payload encryption, masquerading, and malicious file execution. Reported behaviors include obtaining and using Mimikatz; using a simple remote shell tool that calls back to command-and-control infrastructure and waits for commands; encrypting payloads used for C2; naming malicious DLLs the same as DLLs belonging to legitimate software from security vendors; and using malicious .exe or .dll files disguised as documents or images. The content also associates Whitefly with ATT&CK techniques including T1068 (Exploitation for Privilege Escalation), T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell), T1059 (Command and Scripting Interpreter), T1129 (Shared Modules), T1218.007 (Msiexec), and T1204.002 (Malicious File Execution). Whitefly is also listed in association with detections related to UDL-file-based spearphishing attachment activity. No additional aliases or sub-groups are directly supported by the provided content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
2 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Listed in the detection annotations as a threat actor associated with exploitation for privilege escalation.
Listed as a threat actor associated with the malicious file execution technique detected by this analytic.
Referenced as a threat actor associated with exploitation for privilege escalation, specifically the use of Windows Potato-family privilege escalation tools.
Listed in the detection annotations as a threat actor associated with EFI volume mounting / installation-related behavior.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.