Zeus Panda

APT19 downloaded and launched code within a SCT file; APT32 used COM scriptlets to download Cobalt Strike beacons; APT37 used Ruby scripts to execute payloads; ArcaneDoor included the adversary executing command line interface (CLI) commands.

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

Examples throughout the content include deleting tools, logs, malware-related files, staged archives, screenshots, temporary files, and exfiltrated data 'to cover their tracks,' 'reduce their footprint,' 'remove traces of activity,' or as part of 'post-intrusion cleanup.'

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”

Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").

Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

Representative examples include "APT33 has utilized PowerShell to download files from the C2 server and run various scripts," "QakBot can use PowerShell to download and execute payloads," and "TrickBot has been known to use PowerShell to download new payloads."

BlackByte performed Registry modifications to escalate privileges and disable security tools. Embargo has modified and deleted Registry keys to add services, and to disable Security Solutions such as Windows Defender. TA505 has used malware to disable Windows Defender through modification of the Registry. During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications.

Examples include BlackByte performing Registry modifications to escalate privileges and disable security tools; LockBit 3.0 changing Registry values to disable SmartScreen and Windows Defender; TA505 using malware to disable Windows Defender through Registry modification.