GREENCAT is a malware family/backdoor referenced in Mandiant’s APT1 reporting and used as an example family for PE import-hash (imphash) based clustering. The provided content associates GREENCAT with the APT1 malware corpus and indicates that Mandiant tracks such backdoors over time to follow threat-group activity. In the cited dataset from the February 2013 Mandiant APT1 report, GREENCAT appeared in multiple imphash clusters, including 2c26ec4a570a502ed3e8484295581989 (74 imports, 23 matched samples), b722c33458882a1ab65a13e99efe357e (74 imports, 18 matched samples), 2d24325daea16e770eb82fa6774d70f1 (113 imports, 13 matched samples), and 0d72b49ed68430225595cc1efb43ced9 (100 imports, 13 matched samples). The content does not provide specific infection vectors, victim industries, operating-system details beyond being PE malware, or detailed runtime behavior/IOCs other than these imphash values and sample counts. High-confidence attribution in the content is limited to its inclusion in the APT1 malware set and its use by Mandiant as a tracked backdoor family for correlation and discovery of related variants.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.
No news coverage yet. Advisories and community discussion only.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.