Trusted Design

Privileges and Credentials: Phished at the Request of Counsel

Overview

In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE-2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the macro-enabled XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.

Created: 2026-02-23

Indicators

Similar Pulses

Threat actors related to this Pulse (fact-based)

LAPSUS$

Score: 20.43
Matched TTPs:
  • T1216.001 - PubPrn
  • T1019 - System Firmware
  • T1193 - Spearphishing Attachment
  • T1199 - Trusted Relationship
  • T1592.003 - Firmware
  • T1065 - Uncommonly Used Port

Contagious Interview

Score: 14.05
Matched TTPs:
  • T1044 - File System Permissions Weakness
  • T1606.002 - SAML Tokens
  • T1098.007 - Additional Local or Domain Groups
  • T1552.003 - Shell History
  • T1199 - Trusted Relationship
  • T1547.008 - LSASS Driver

Ember Bear

Score: 9.76
Matched TTPs:
  • T1564.008 - Email Hiding Rules
  • T1218.010 - Regsvr32
  • T1003.003 - NTDS

Sandworm Team

Score: 23.94
Matched TTPs:
  • T1564.008 - Email Hiding Rules
  • T1606.002 - SAML Tokens
  • T1686.003 - Windows Host Firewall
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1193 - Spearphishing Attachment
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1546.016 - Installer Packages

Volt Typhoon

Score: 25.02
Matched TTPs:
  • T1685.001 - Disable or Modify Windows Event Log
  • T1686.003 - Windows Host Firewall
  • T1057 - Process Discovery
  • T1199 - Trusted Relationship
  • T1584.002 - DNS Server
  • T1065 - Uncommonly Used Port
  • T1546.016 - Installer Packages
  • T1665 - Hide Infrastructure

APT28

Score: 28.26
Matched TTPs:
  • T1685.001 - Disable or Modify Windows Event Log
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1057 - Process Discovery
  • T1199 - Trusted Relationship
  • T1592.003 - Firmware
  • T1218.010 - Regsvr32
  • T1197 - BITS Jobs
  • T1200 - Hardware Additions
  • T1566.003 - Spearphishing via Service

ZIRCONIUM

Score: 11.04
Matched TTPs:
  • T1685.001 - Disable or Modify Windows Event Log
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1197 - BITS Jobs

Leviathan

Score: 17.40
Matched TTPs:
  • T1685.001 - Disable or Modify Windows Event Log
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1055.014 - VDSO Hijacking
  • T1592.003 - Firmware
  • T1218.010 - Regsvr32
  • T1546.016 - Installer Packages

Kimsuky

Score: 36.87
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1552.003 - Shell History
  • T1057 - Process Discovery
  • T1055.014 - VDSO Hijacking
  • T1199 - Trusted Relationship
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1197 - BITS Jobs
  • T1665 - Hide Infrastructure
  • T1003.003 - NTDS
  • T1053.002 - At
  • T1490 - Inhibit System Recovery

FIN13

Score: 5.47
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1552.003 - Shell History
  • T1199 - Trusted Relationship

Moonstone Sleet

Score: 16.19
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1057 - Process Discovery
  • T1197 - BITS Jobs
  • T1547.008 - LSASS Driver

Indrik Spider

Score: 4.93
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1546.016 - Installer Packages

Lazarus Group

Score: 18.30
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1057 - Process Discovery
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1546.016 - Installer Packages
  • T1665 - Hide Infrastructure
  • T1547.008 - LSASS Driver

OilRig

Score: 12.97
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1556.009 - Conditional Access Policies
  • T1547.008 - LSASS Driver

UNC3886

Score: 3.59
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1218.010 - Regsvr32

APT29

Score: 14.35
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1598.003 - Spearphishing Link
  • T1592.004 - Client Configurations
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver
  • T1490 - Inhibit System Recovery

Play

Score: 8.13
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1552.003 - Shell History
  • T1199 - Trusted Relationship
  • T1490 - Inhibit System Recovery

Aoqin Dragon

Score: 4.44
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

Turla

Score: 12.07
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1199 - Trusted Relationship
  • T1556.009 - Conditional Access Policies
  • T1546.016 - Installer Packages
  • T1490 - Inhibit System Recovery

Mustang Panda

Score: 13.83
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1569.001 - Launchctl
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

TeamTNT

Score: 6.45
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1098.007 - Additional Local or Domain Groups
  • T1665 - Hide Infrastructure

FIN7

Score: 14.91
Matched TTPs:
  • T1606.002 - SAML Tokens
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1057 - Process Discovery
  • T1199 - Trusted Relationship
  • T1065 - Uncommonly Used Port
  • T1490 - Inhibit System Recovery

Storm-0501

Score: 6.37
Matched TTPs:
  • T1686.003 - Windows Host Firewall
  • T1552.003 - Shell History

Sidewinder

Score: 8.45
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1657 - Financial Theft
  • T1218.010 - Regsvr32

Scattered Spider

Score: 19.46
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1019 - System Firmware
  • T1552.003 - Shell History
  • T1199 - Trusted Relationship
  • T1027.005 - Indicator Removal from Tools
  • T1197 - BITS Jobs

Silent Librarian

Score: 4.83
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship

APT32

Score: 13.70
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1592.004 - Client Configurations
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1490 - Inhibit System Recovery

Magic Hound

Score: 14.07
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1592.003 - Firmware
  • T1547.008 - LSASS Driver
  • T1053.002 - At

Star Blizzard

Score: 9.32
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1657 - Financial Theft
  • T1199 - Trusted Relationship

CURIUM

Score: 7.37
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1547.008 - LSASS Driver

Dragonfly

Score: 20.64
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1193 - Spearphishing Attachment
  • T1657 - Financial Theft
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1200 - Hardware Additions
  • T1546.016 - Installer Packages

Patchwork

Score: 8.51
Matched TTPs:
  • T1566.002 - Spearphishing Link
  • T1598.003 - Spearphishing Link
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1665 - Hide Infrastructure

Cobalt Group

Score: 3.22
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

Tropic Trooper

Score: 11.02
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1218.010 - Regsvr32
  • T1200 - Hardware Additions
  • T1665 - Hide Infrastructure
  • T1490 - Inhibit System Recovery

FIN6

Score: 4.25
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1199 - Trusted Relationship
  • T1547.008 - LSASS Driver

Windshift

Score: 3.40
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1547.008 - LSASS Driver

BRONZE BUTLER

Score: 7.06
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1592.004 - Client Configurations
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

MuddyWater

Score: 11.38
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1558.001 - Golden Ticket
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1059.013 - Container CLI/API

menuPass

Score: 3.24
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship

Threat Group-3390

Score: 4.73
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

Gamaredon Group

Score: 13.64
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1055.014 - VDSO Hijacking
  • T1199 - Trusted Relationship
  • T1059.013 - Container CLI/API
  • T1200 - Hardware Additions

BITTER

Score: 4.73
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

Inception

Score: 6.37
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32
  • T1200 - Hardware Additions

EXOTIC LILY

Score: 6.41
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1218.010 - Regsvr32
  • T1547.008 - LSASS Driver

Ajax Security Team

Score: 3.40
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1547.008 - LSASS Driver

APT33

Score: 7.35
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1567.001 - Exfiltration to Code Repository
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

APT41

Score: 3.22
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

Higaisa

Score: 5.20
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1218.010 - Regsvr32
  • T1665 - Hide Infrastructure

Confucius

Score: 8.35
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1218.010 - Regsvr32
  • T1200 - Hardware Additions
  • T1665 - Hide Infrastructure

BlackTech

Score: 3.22
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1199 - Trusted Relationship
  • T1218.010 - Regsvr32

Ferocious Kitten

Score: 3.24
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship

Malteiro

Score: 3.40
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1552.003 - Shell History

SideCopy

Score: 11.91
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1657 - Financial Theft
  • T1584.002 - DNS Server
  • T1053.002 - At

Transparent Tribe

Score: 7.17
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1218.010 - Regsvr32
  • T1053.002 - At

Wizard Spider

Score: 9.48
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1567.001 - Exfiltration to Code Repository
  • T1199 - Trusted Relationship
  • T1556.009 - Conditional Access Policies

TA2541

Score: 3.24
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship

TA505

Score: 3.24
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship

IndigoZebra

Score: 3.24
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship

APT1

Score: 6.53
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1053.002 - At

APT38

Score: 3.24
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship

DarkHydrus

Score: 4.88
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1199 - Trusted Relationship
  • T1200 - Hardware Additions

Storm-1811

Score: 4.89
Matched TTPs:
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1547.008 - LSASS Driver

HEXANE

Score: 9.61
Matched TTPs:
  • T1098.007 - Additional Local or Domain Groups
  • T1055.014 - VDSO Hijacking
  • T1199 - Trusted Relationship
  • T1065 - Uncommonly Used Port

Earth Lusca

Score: 5.20
Matched TTPs:
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1546.016 - Installer Packages

Sea Turtle

Score: 13.43
Matched TTPs:
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1218.010 - Regsvr32
  • T1059.013 - Container CLI/API
  • T1490 - Inhibit System Recovery

INC Ransom

Score: 6.66
Matched TTPs:
  • T1552.003 - Shell History
  • T1199 - Trusted Relationship
  • T1562.013 - Disable or Modify Network Device Firewall

Cinnamon Tempest

Score: 3.37
Matched TTPs:
  • T1552.003 - Shell History
  • T1199 - Trusted Relationship

AppleJeus

Score: 5.81
Matched TTPs:
  • T1552.003 - Shell History
  • T1562.013 - Disable or Modify Network Device Firewall

Medusa Group

Score: 3.37
Matched TTPs:
  • T1552.003 - Shell History
  • T1199 - Trusted Relationship

FIN10

Score: 3.52
Matched TTPs:
  • T1199 - Trusted Relationship
  • T1490 - Inhibit System Recovery

Chimera

Score: 7.12
Matched TTPs:
  • T1199 - Trusted Relationship
  • T1592.003 - Firmware
  • T1665 - Hide Infrastructure

Axiom

Score: 9.32
Matched TTPs:
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1218.010 - Regsvr32
  • T1160 - Launch Daemon

GOLD SOUTHFIELD

Score: 3.29
Matched TTPs:
  • T1562.013 - Disable or Modify Network Device Firewall

Rocke

Score: 3.62
Matched TTPs:
  • T1059.013 - Container CLI/API

Stealth Falcon

Score: 3.62
Matched TTPs:
  • T1556.009 - Conditional Access Policies

ToddyCat

Score: 5.36
Matched TTPs:
  • T1665 - Hide Infrastructure
  • T1547.008 - LSASS Driver

Mustard Tempest

Score: 3.29
Matched TTPs:
  • T1053.002 - At

Velvet Ant

Score: 6.80
Matched TTPs:
  • T1490 - Inhibit System Recovery
  • T1566.003 - Spearphishing via Service

Threat actors related to this Pulse (inference-based)

Kimsuky

Score: 0.79
Matched TTPs:
  • T1197 - BITS Jobs
  • T1606.002 - SAML Tokens
  • T1552.003 - Shell History
  • T1598.003 - Spearphishing Link
  • T1055.014 - VDSO Hijacking
  • T1490 - Inhibit System Recovery
  • T1053.002 - At
  • T1566.002 - Spearphishing Link
  • T1057 - Process Discovery
  • T1003.003 - NTDS
  • T1562.013 - Disable or Modify Network Device Firewall
  • T1098.007 - Additional Local or Domain Groups
  • T1199 - Trusted Relationship
  • T1665 - Hide Infrastructure

APT28

Score: 0.69
Matched TTPs:
  • T1566.003 - Spearphishing via Service
  • T1592.003 - Firmware
  • T1197 - BITS Jobs
  • T1598.003 - Spearphishing Link
  • T1200 - Hardware Additions
  • T1566.002 - Spearphishing Link
  • T1057 - Process Discovery
  • T1218.010 - Regsvr32
  • T1098.007 - Additional Local or Domain Groups
  • T1685.001 - Disable or Modify Windows Event Log
  • T1199 - Trusted Relationship

Volt Typhoon

Score: 0.60
Matched TTPs:
  • T1686.003 - Windows Host Firewall
  • T1546.016 - Installer Packages
  • T1065 - Uncommonly Used Port
  • T1584.002 - DNS Server
  • T1057 - Process Discovery
  • T1685.001 - Disable or Modify Windows Event Log
  • T1199 - Trusted Relationship
  • T1665 - Hide Infrastructure

Sandworm Team

Score: 0.58
Matched TTPs:
  • T1686.003 - Windows Host Firewall
  • T1546.016 - Installer Packages
  • T1606.002 - SAML Tokens
  • T1598.003 - Spearphishing Link
  • T1566.002 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1218.010 - Regsvr32
  • T1098.007 - Additional Local or Domain Groups
  • T1564.008 - Email Hiding Rules
  • T1199 - Trusted Relationship

Related CVEs

No CVEs were found in this Pulse.

Pulse – Threat Actor Graph
