Orz
AIRBREAK, also referred to as Orz, is a first-stage backdoor associated with the China-linked espionage actor APT40, also tracked as Leviathan, MUDCARP, and temp.Periscope. The reporting summarized here describes it as a custom-built JavaScript backdoor used before additional payloads are downloaded. APT40 has used AIRBREAK/Orz alongside other tooling such as Cobalt Strike, China Chopper, Derusbi, GreenCrash, HOMEFRY, and MURKYTOP.
Observed capabilities include command execution via shell commands and JavaScript, Registry operations, overwriting Registry settings to reduce visibility on the victim, gathering the victim's Internet Explorer version, collecting victim proxy information, and obtaining a process list. AIRBREAK/Orz has used Technet and Pastebin web pages for command and control. Some versions contain an embedded DLL named MockDll that uses process hollowing and regsvr32 to execute another payload.
The reporting also describes a Windows executable that spoofed a decryption tool and dropped the Orz JavaScript backdoor, which was then executed with Wscript. Related tradecraft in the same activity included persistence via the Windows Run key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and abuse of zipfldr.dll through its RouteTheCall export to launch a malicious process or command. High-confidence indicators reported for this activity include the domains chemscalere[.]com, candlelightparty[.]org, www.candlelightparty[.]org, and newapp.freshasianews[.]com, as well as the hashes cd195ee448a3657b5c2c2d13e9c7a2e2, b43ad826fe6928245d3c02b648296b43, 889a9b52566448231f112a5ce9b5dfaf, b8ec65dab97cdef3cd256cc4753f0c54, and 04d83cd3813698de28cfbba326d7647c. APT40 targeting described in the reporting includes government, academic, maritime, defense, engineering, transportation, and Belt and Road-related sectors.
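The execution and persistence chain above (a JavaScript backdoor run by Wscript, a Run key value that launches rundll32 with zipfldr.dll,RouteTheCall, and shell commands spawned from the script host) is concrete enough to hunt for in endpoint telemetry. The following is an added example, not code from the Mallory page or from any APT40 report: it runs simple detection logic over a handful of constructed process-creation events (a flattened Sysmon Event ID 1 shape is assumed) and over constructed HKCU Run key values. The rule names, field names and sample paths are assumptions made for the example.

```python
"""Added example: flag AIRBREAK/Orz-style tradecraft in process-creation events
and autostart (Run key) values. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample of flattened process-creation events (Sysmon Event ID 1 style;
# the field names image/cmdline/parent are an assumption for this example).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\decrypt_tool.js"',
     "parent": r"C:\Users\alice\Downloads\decryptor.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami",
     "parent": r"C:\Windows\System32\wscript.exe"},
]

# Constructed sample of HKCU\...\CurrentVersion\Run values as (name, data) pairs.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("help", r"c:\windows\system32\rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe"),
]

# zipfldr.dll,RouteTheCall is the export abused in the reported persistence entry.
ZIPFLDR_ROUTETHECALL = re.compile(r"zipfldr\.dll\s*,\s*RouteTheCall", re.IGNORECASE)
# Windows script hosts that can execute a .js/.jse backdoor.
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
JS_ARG = re.compile(r"\.(js|jse)\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str    # hypothetical rule name, chosen for this example
    detail: str  # the command line or Run value that triggered it


def check_process_event(ev):
    """Return the findings for one process-creation event."""
    findings = []
    cmd = ev["cmdline"]
    if ZIPFLDR_ROUTETHECALL.search(cmd):
        findings.append(Finding("rundll32_zipfldr_routethecall", cmd))
    if SCRIPT_HOST.search(ev["image"]) and JS_ARG.search(cmd):
        findings.append(Finding("script_host_runs_js", cmd))
    # A JavaScript backdoor that runs shell commands shows up as children of the script host.
    if SCRIPT_HOST.search(ev["parent"]):
        findings.append(Finding("script_host_child_process", f"{ev['parent']} -> {cmd}"))
    return findings


def check_run_values(values):
    """Flag autostart values that reproduce the reported rundll32/zipfldr persistence."""
    return [Finding("run_key_zipfldr_routethecall", f"{name}={data}")
            for name, data in values if ZIPFLDR_ROUTETHECALL.search(data)]


def scan(events, run_values):
    """Run every check and return the findings in telemetry order, Run values last."""
    findings = []
    for ev in events:
        findings.extend(check_process_event(ev))
    findings.extend(check_run_values(run_values))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, SAMPLE_RUN_VALUES):
        print(f"[{f.rule}] {f.detail}")
```

The rundll32 rule matches on the DLL and export pair rather than on the payload path, so it still fires when the dropped executable is renamed; the benign `shell32.dll,Control_RunDLL` event is left alone. The script-host rules are noisier in estates that run logon scripts through wscript, so they are best scored together with the parent process rather than alerted on individually.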
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories.
First-stage backdoors such as AIRBREAK, FRESHAIR, and BEACON are used before downloading other payloads.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Tools: Nanhaishu, Orz, SeDll, Cobalt Strike, GreenCrash, AIRBREAK, BlackCoffee, China Chopper, FUSIONBLAZE, HOMEFRY, MURKYTOP, Metasploit / Meterpreter, ScanBox, Derusbi Trojan, Derusbi, Metasploit
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
"APT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation..."
"The operation’s spear-phishing emails typically leverage malicious attachments..."
Execution
3 techniques
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. Orz can execute commands with JavaScript. Patchwork used JavaScript code and .SCT files on victim machines. Water Curupira Pikabot Distribution installation via JavaScript will launch follow-on commands via cmd.exe.
Persistence
2 techniques
Neoichor can clear the browser history on a compromised host by changing the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key.
After a successful reboot, the malware is made persistent by manipulating [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'help'='c:\windows\system32\rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe'.
Privilege Escalation
2 techniques
"Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code." / "Astaroth can create a new process in a suspended state... unmap its memory and replace it with malicious code." / "Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code."
After a successful reboot, the malware is made persistent by manipulating [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'help'='c:\windows\system32\rundll32.exe c:\windows\system32\zipfldr.dll,RouteTheCall c:\programdata\winapp.exe'.
Stealth
6 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
"Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code." / "Astaroth can create a new process in a suspended state... unmap its memory and replace it with malicious code." / "Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code."
APT42 has cleared Chrome browser history. ... APT5 has used the THINBLOOD utility to clear SSL VPN log files ... Bankshot deletes all artifacts ... DarkWatchman ... clear the browser history ... CSPY Downloader ... remove values it writes to the Registry ... Mustang Panda has deleted registry keys ...
AppleSeed can call regsvr32.exe for execution. APT19 used Regsvr32 to bypass application control techniques. APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. ... Raspberry Robin uses regsvr32.exe execution without any command line parameters for command and control requests to IP addresses associated with Tor nodes.
HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.
Defense Impairment
2 techniques
Neoichor can clear the browser history on a compromised host by changing the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key.
BlackEnergy has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.
Credential Access
1 technique
"...credential harvesting tools to escalate privileges and dump password hashes... ProcDump... Windows Credential Editor (WCE)..."
Discovery
6 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
"Bundlore has the ability to enumerate what browser is being used as well as version information"; "Orz can gather the victim's Internet Explorer version"; "SUGARDUMP can identify ... browsers, including version number"; "SideCopy has collected browser information"
"Bazar can query the Registry for installed applications." / "BRONZE BUTLER has used tools to enumerate software installed on an infected host." / "LightSpy ... enumerate the Applications folder to collect the bundle name, bundle identifier, and version information..." / "Volt Typhoon has queried the Registry on compromised systems for information on installed software."
Command and Control
3 techniques
"Common TCP ports 80 and 443 are used to blend in with routine network traffic."
The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.
"APT39 has communicated with C2 through files uploaded to and downloaded from DropBox."; "RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive then upload the results ... back to Google Drive."; "CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data"
Recent activity
19 sources tracked across advisories, community write-ups, and news.
Malware with an embedded DLL, MockDll, that uses Process Hollowing and regsvr32 to execute another payload.
A custom-built JavaScript backdoor associated with MUDCARP that is dropped by a Windows executable and executed using Wscript, with persistence established via rundll32 and zipfldr.dll RouteTheCall after reboot.
Backdoor that uses public web pages (TechNet, Pastebin) for command-and-control.
Malware that uses TechNet and Pastebin web pages for command and control.