LOWBALL

“The spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158)”

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.

"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"

Multiple actors/tools are described running built-in utilities and APIs to enumerate host/network settings, e.g., "used the ipconfig /all command to gather network configuration information"; "runs the ifconfig command to obtain the IP address"; "uses ipconfig /all and route PRINT to identify network adapter and interface information"; "can use getmac and Get-NetIPAddress to enumerate network settings."

“netstat -ano >> %temp%\download”

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”

“actors used the following commands… to enumerate user accounts: net user >> %temp%\download; net user /domain >> %temp%\download … APT1 used the commands net localgroup, net user, and net group to find accounts… APT32 enumerated administrative users using the commands net localgroup administrators … OilRig has run net user, net user /domain, net group "domain admins" /domain …”

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.

"APT39 has communicated with C2 through files uploaded to and downloaded from DropBox."; "RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive then upload the results ... back to Google Drive."; "CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data"

“the attackers will create a file called “[COMPUTER_NAME]_upload.bat” which contains commands to be executed… We observed the threat group upload a second stage malware… BUBBLEWRAP … to their Dropbox account”