Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	1
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	1
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	1
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	LOTUS PANDA (32fafa69-fe3c-49db-afd4-aac2664bcf0d)	Threat Actor	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	1
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7)	Intrusion Set	1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc)	mitre-tool	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	2
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8)	mitre-tool	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47)	mitre-tool	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718)	Malware	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	2
Raspberry Typhoon (37f012df-54d8-4b3d-a288-af47240430ea)	Threat Actor	LOTUS PANDA (32fafa69-fe3c-49db-afd4-aac2664bcf0d)	Threat Actor	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1)	Malware	2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	2
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	2
Elise (3477a25d-e04b-475e-8330-39f66c10cc01)	Malpedia	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	2
Elise Backdoor (d70fd29d-590e-4ed5-b72f-6ce0142019c6)	Tool	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913)	Malware	2
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	3
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Elise Backdoor (d70fd29d-590e-4ed5-b72f-6ce0142019c6)	Tool	Elise (3477a25d-e04b-475e-8330-39f66c10cc01)	Malpedia	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3