Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)

Darkhotel（APT-C-06）是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月，卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织，并声明该组织至少从2010年就已经开始活跃，目标基本锁定在韩国、中国、俄罗斯和日本。卡巴斯基将该组织命名为Darkhotel（暗黑客栈），是因为他们的一次攻击行动被曝光，主要是利用酒店的无线网络有针对性的瞄准生产制造、国防、投资资本、私人股权投资、汽车等行业的精英管理者。

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548)	Microsoft Activity Group actor	1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	1
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	1
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe)	360.net Threat Actors	DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)	Microsoft Activity Group actor	1
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548)	Microsoft Activity Group actor	DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	2
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c)	Attack Pattern	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)	Threat Actor	DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a)	Microsoft Activity Group actor	2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3