Severity: HIGH | CVSS: 7.5 | Priority: 0.850
Executive Summary
North Korean state-affiliated threat actors, primarily Lazarus Group and APT38, have been attributed with a significant portion of cryptocurrency theft in 2026, including an estimated 76% per secondary reporting dated May 1, 2026 (underlying methodology unconfirmed). This concentration reflects a shift from opportunistic targeting to systematized, near-industrial financial operations, with methods spanning social engineering, credential theft, smart contract exploitation, and laundering through mixing services and cross-chain bridges. Organizations holding, trading, or custodying digital assets face elevated exposure; the scale and sophistication of these operations suggest adversaries with dedicated resourcing, operational continuity, and sanctions-evasion infrastructure. Confidence is medium; the 76% figure originates from a secondary news source and lacks corroboration from T1 threat intelligence sources.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH (Lazarus Group, APT38)
TTP Sophistication: HIGH (12 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: INFO (cryptocurrency exchanges and platforms; specific vendors not identified in source reporting)
Are You Exposed?
⚠ Your industry is targeted by Lazarus Group, APT38 → Heightened risk
⚠ You use products/services from cryptocurrency exchanges and platforms (specific vendors not identified in source reporting) → Assess exposure
⚠ 12 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
If your organization holds, trades, or provides custody for cryptocurrency assets, DPRK-affiliated actors represent the most active and scaled financial theft threat in the current environment. A successful compromise can result in direct, irreversible loss of digital assets — blockchain transactions are final and recovery is unlikely without prior multisig controls or insurance coverage. Regulatory exposure is significant: organizations subject to FinCEN, OFAC, or equivalent financial compliance frameworks may face sanctions-related liability if stolen funds are traced through their infrastructure, and incident disclosure obligations apply in most regulated jurisdictions.
You Are Affected If
You operate a cryptocurrency exchange, DeFi platform, or digital asset custody service
Your organization holds significant cryptocurrency reserves or manages wallet infrastructure on behalf of clients
Employees with access to signing keys, withdrawal functions, or exchange APIs received unsolicited job offers, technical collaboration requests, or software packages from unknown contacts
Your software supply chain includes third-party cryptocurrency libraries, SDKs, or developer tools that have not been verified against published checksums
Your smart contract or cross-chain bridge infrastructure has not undergone a recent third-party security audit
Board Talking Points
North Korean state actors now account for an estimated 76% of all cryptocurrency stolen in 2026, targeting exchanges and DeFi platforms through social engineering, supply chain compromise, and credential theft — this is a nation-state financial operation, not opportunistic cybercrime.
Organizations in the digital asset space should immediately audit privileged access to custody and trading systems, verify software supply chain integrity, and confirm that multi-signature controls are enforced for high-value transactions — within the next 5 business days.
Failure to act exposes the organization to direct, irreversible asset loss and potential regulatory liability under OFAC sanctions frameworks if stolen funds transit through company infrastructure.
Technical Analysis
DPRK-affiliated groups are conducting sustained, multi-vector campaigns against cryptocurrency exchanges and DeFi platforms.
Documented TTPs map to MITRE ATT&CK techniques including spearphishing (T1566), web session cookie theft (T1539), account access removal (T1531), data archival (T1560), dynamic resolution (T1568), obfuscated files (T1027), financial theft (T1657), supply chain compromise (T1195), command and scripting interpreter abuse (T1059), malicious user execution (T1204), exfiltration over C2 (T1041), and valid account abuse (T1078).
Relevant CWEs from source metadata, CWE-20 (Improper Input Validation), CWE-506 (Embedded Malicious Code), and CWE-494 (Download of Code Without Integrity Check), are consistent with previously documented DPRK supply chain and trojanized software delivery operations, though direct linkage to this specific report is unconfirmed.
Specific tooling details remain unconfirmed. No CVE is associated. No patch exists for campaign-level social engineering and financial theft operations; defensive posture depends on detection, access control hardening, and supply chain integrity controls. Source quality score: 0.4; treat specific statistics as directionally informative, not as precision figures.
Action Checklist (IR Enriched)
Triage Priority: IMMEDIATE
Escalate immediately to executive leadership, legal counsel, and relevant financial regulators if any unauthorized transfer of customer funds is confirmed, if on-chain evidence shows funds routed to OFAC-sanctioned mixer or bridge addresses (triggering potential sanctions compliance obligations), or if the scope of credential compromise extends to systems holding customer PII or private keys beyond the initially identified accounts.
Step 1: Containment — Audit all accounts with withdrawal, transfer, or API signing authority against your account inventory. Revoke or rotate credentials for any unreviewed account immediately. Suspend third-party integrations lacking documented authorization. (Cite: NIST AC-2 Account Management / CIS 5.1 Establish and Maintain an Inventory of Accounts / CIS 6.2 Establish an Access Revoking Process / D3-CRO Credential Rotation / D3-UAP User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST AC-6 (Least Privilege)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 6.2 (Establish an Access Revoking Process)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
Export active API keys and service account lists from your exchange or custody platform via CLI or admin portal. For AWS-hosted infrastructure, run `aws iam list-access-keys --user-name <user>` and `aws iam list-attached-user-policies --user-name <user>` for each privileged user. For on-premise HSM or wallet nodes, enumerate active sessions manually and cross-reference against your last-known-good access roster. Disable any key not tied to a named, verified human owner. Use a shared spreadsheet with two-person sign-off to track revocations — this is your containment log under NIST 800-61r3 §3.3.
Preserve Evidence
Before revoking credentials, capture full API key audit logs including creation timestamps, last-used timestamps, associated IP addresses, and linked permissions from the exchange or custody platform's admin console. Export cloud provider IAM credential reports (e.g., AWS IAM credential report via `aws iam generate-credential-report`). Snapshot active OAuth token grants for any third-party integrations. Preserve wallet node access logs showing signing key usage events — Lazarus Group and TraderTraitor are known to stage access quietly before executing large transfers, so last-used timestamps on dormant keys are critical pre-revocation artifacts.
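The containment triage above (keys without a verified owner, dormant withdrawal-capable keys, and the enumeration-key-then-withdrawal-key precursor noted under Key Forensic Artifacts) as a runnable check, written as an added example rather than code from the report. It assumes an export with the listed field names; the records and review date are constructed.

```python
"""Triage an exported API key audit log from an exchange or custody platform.
Added example, not part of the report; the field names are assumptions about
what such an export contains, and the records are constructed."""
from datetime import datetime, timedelta, timezone

WITHDRAW_PERMS = {"withdraw", "transfer", "sign"}
ENUM_PERMS = {"read:balances", "read:limits", "read:accounts"}
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # review date, constructed

# Constructed export: owner, creation/last-used timestamps, scopes and source IPs,
# the same fields the containment step says to preserve before revoking keys.
SAMPLE_KEYS = [
    {"key_id": "k-001", "owner": "alice@example.test", "owner_verified": True,
     "created": "2026-03-02T09:00:00Z", "last_used": "2026-04-28T10:00:00Z",
     "permissions": ["read:balances", "withdraw"], "source_ips": ["198.51.100.7"]},
    {"key_id": "k-002", "owner": "", "owner_verified": False,
     "created": "2026-04-10T02:00:00Z", "last_used": "2026-04-10T02:05:00Z",
     "permissions": ["read:balances", "read:limits"], "source_ips": ["203.0.113.9"]},
    {"key_id": "k-003", "owner": "", "owner_verified": False,
     "created": "2026-04-12T01:30:00Z", "last_used": None,
     "permissions": ["withdraw"], "source_ips": ["203.0.113.9"]},
    {"key_id": "k-004", "owner": "bob@example.test", "owner_verified": True,
     "created": "2025-11-01T12:00:00Z", "last_used": "2025-12-15T08:00:00Z",
     "permissions": ["withdraw"], "source_ips": ["198.51.100.8"]},
]


def parse_ts(value):
    """ISO-8601 with a trailing Z -> aware datetime; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def triage_api_keys(keys, now, dormant_days=30, escalation_days=7):
    """Return {key_id: [reasons]} for keys that need action:
    - no_verified_owner: not tied to a named, verified human (revoke)
    - dormant_withdraw_key: withdrawal-capable but unused for dormant_days
    - enum_then_withdraw_after:<id>: an enumeration-only key was followed within
      escalation_days by a withdrawal-capable key from the same source IP
      (the low-noise reconnaissance precursor described in the report)"""
    findings = {}

    def add(key_id, reason):
        findings.setdefault(key_id, []).append(reason)

    for k in keys:
        perms = set(k["permissions"])
        if not k["owner"] or not k["owner_verified"]:
            add(k["key_id"], "no_verified_owner")
        if perms & WITHDRAW_PERMS:
            idle_since = parse_ts(k["last_used"]) or parse_ts(k["created"])
            if now - idle_since > timedelta(days=dormant_days):
                add(k["key_id"], "dormant_withdraw_key")

    enum_only = [k for k in keys if set(k["permissions"]) <= ENUM_PERMS]
    for w in keys:
        if not set(w["permissions"]) & WITHDRAW_PERMS:
            continue
        for e in enum_only:
            shared_ip = set(e["source_ips"]) & set(w["source_ips"])
            gap = parse_ts(w["created"]) - parse_ts(e["created"])
            if shared_ip and timedelta(0) <= gap <= timedelta(days=escalation_days):
                add(w["key_id"], f"enum_then_withdraw_after:{e['key_id']}")
    return findings


def triage_sample():
    return triage_api_keys(SAMPLE_KEYS, NOW)


if __name__ == "__main__":
    for key_id, reasons in triage_sample().items():
        print(key_id, ", ".join(reasons))
```

Run it against the real export only after the audit log itself has been preserved, as the step above requires.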
Step 2: Detection — Review authentication logs for T1078 indicators: logins from unexpected geolocations, off-hours access, and new device enrollments on exchange admin, API key management, and wallet systems. Hunt for T1566 spearphishing delivery to HR, finance, and developer staff via email gateway logs. Enable and verify log collection is active across all custody and trading stack assets. (Cite: NIST AU-2 Event Logging / NIST AU-3 Content Of Audit Records / NIST AU-6 Audit Record Review, Analysis, And Reporting / CIS 8.2 Collect Audit Logs / D3-LAM Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-2 (Event Logging)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, run targeted log queries directly on your identity provider and exchange platform. For Okta or similar SSO: export authentication logs via API and grep for login events from ASNs associated with DPRK infrastructure (reference CISA advisories for known North Korean IP ranges). For Windows-based admin workstations: query Windows Security Event Log for Event ID 4624 (Successful Logon) and Event ID 4648 (Logon Using Explicit Credentials) filtering on admin accounts, correlated with off-hours timestamps. Deploy the free Sigma rule `proc_creation_win_susp_spearphish_attachment.yml` on endpoints with access to financial systems to detect T1566 document-based delivery. For email, export mail server logs and search for TraderTraitor-associated lure themes: fake job offers, crypto investment proposals, and DeFi protocol documents sent to finance and engineering staff.
Preserve Evidence
Capture raw authentication logs from the exchange admin portal, API key management interface, and any SSO/IdP before log rotation. Collect email gateway logs and quarantine records for messages received by employees with custody or trading system access in the prior 90 days — TraderTraitor specifically targets these roles with tailored LinkedIn-sourced lures. Preserve browser history and download artifacts from workstations used by targeted employees (Lazarus Group frequently delivers malicious documents or fake DeFi apps via spearphish). Export new device enrollment records from your MFA provider, as adversaries using T1078 frequently enroll attacker-controlled authenticators after initial credential theft.
Step 3: Eradication — Audit software dependencies and CI/CD build pipelines against your software inventory for unsigned, unexpected, or unrecognized packages (T1195). Verify integrity of recently installed tooling against vendor checksums. Remove unrecognized browser extensions or software on systems with exchange credential access. Enforce least privilege on all accounts touching signing keys or APIs. (Cite: NIST AC-6 Least Privilege / NIST AC-20 Use Of External Systems / CIS 2.1 Establish and Maintain a Software Inventory / CIS 2.3 Address Unauthorized Software / D3-SFA System File Analysis / D3-FMBV File Magic Byte Verification)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-3 (Configuration Change Control)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.3 (Address Unauthorized Software)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
For dependency auditing: run `npm audit` or `pip-audit` against all package manifests in your exchange or wallet codebase and compare installed package hashes against registry-published checksums. Lazarus Group and TraderTraitor have injected malicious npm packages (e.g., targeting blockchain developer toolchains) as a supply chain vector — flag any package with a recent unexpected version bump or an unfamiliar maintainer account. For build pipeline integrity: diff your CI/CD configuration files against last known-good git commits to detect injected build steps. For browser extensions: on Windows admin workstations, enumerate installed Chrome extensions via `Get-ChildItem 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions'` and cross-reference each extension ID against the Chrome Web Store. Use ClamAV with YARA rules published by CISA (AA22-108A) targeting Lazarus Group implants to scan all systems with exchange access.
Preserve Evidence
Before removing any software, capture full filesystem snapshots or at minimum directory listings with timestamps (`ls -laR` on Linux, `dir /s /tc` on Windows) for paths associated with recently installed tooling, npm/pip caches, and browser extension directories. Collect package-lock.json or requirements.txt files alongside installed state to diff against repository versions. Preserve any suspicious binaries for offline analysis with YARA — do not detonate on production systems. For CI/CD pipeline compromise (T1195), capture git commit history and pipeline run logs showing what executed during the suspected exposure window, as TraderTraitor has been documented altering build scripts to exfiltrate signing keys during automated builds.
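The lockfile diff described above (installed state versus the repository's committed copy, flagging version bumps, hash mismatches and unrecognized packages) as an added example; it is not code from the report. It assumes npm lockfile v2/v3 layout, and both lockfiles here are constructed.

```python
"""Diff a build server's package-lock.json against the repository's committed
copy. Added example, not from the report. Handles npm lockfile v2/v3, whose
"packages" map is keyed by node_modules path. Both lockfiles are constructed."""
import json
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}  # assumption: only the public registry

# Constructed: the committed lockfile (known good).
COMMITTED_LOCK = json.dumps({
    "name": "wallet-service", "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-service", "version": "1.0.0"},
        "node_modules/bn.js": {"version": "5.2.1",
            "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.1.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/ethers": {"version": "6.13.0",
            "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.0.tgz",
            "integrity": "sha512-BBBB"},
    },
})

# Constructed: the lockfile found on the build server during the exposure window.
BUILD_SERVER_LOCK = json.dumps({
    "name": "wallet-service", "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-service", "version": "1.0.0"},
        "node_modules/bn.js": {"version": "5.2.1",
            "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-5.2.1.tgz",
            "integrity": "sha512-ZZZZ"},                    # same version, different hash
        "node_modules/ethers": {"version": "6.13.1",
            "resolved": "https://registry.npmjs.org/ethers/-/ethers-6.13.1.tgz",
            "integrity": "sha512-CCCC"},                    # unexpected version bump
        "node_modules/eth-sign-helper": {"version": "0.0.3",
            "resolved": "https://mirror.example.invalid/eth-sign-helper-0.0.3.tgz",
            "integrity": "sha512-DDDD"},                    # new package, untrusted host
    },
})


def load_packages(lock_text):
    """Return {package_name: entry} from a v2/v3 lockfile, skipping the root entry."""
    data = json.loads(lock_text)
    if data.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfile v1 uses 'dependencies', not handled here")
    out = {}
    for path, entry in data["packages"].items():
        if path == "":
            continue
        out[path.rsplit("node_modules/", 1)[-1]] = entry  # also covers nested paths
    return out


def diff_lockfiles(committed_text, observed_text):
    """Compare the observed (build server) lock against the committed one."""
    committed = load_packages(committed_text)
    observed = load_packages(observed_text)
    findings = []
    for name, entry in observed.items():
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in TRUSTED_REGISTRY_HOSTS:
            findings.append((name, "untrusted_resolved_host", host))
        base = committed.get(name)
        if base is None:
            findings.append((name, "not_in_committed_lock", entry.get("version")))
        elif base["version"] != entry["version"]:
            findings.append((name, "version_changed", f"{base['version']}->{entry['version']}"))
        elif base.get("integrity") != entry.get("integrity"):
            findings.append((name, "integrity_mismatch_same_version", entry.get("integrity")))
    for name in committed.keys() - observed.keys():
        findings.append((name, "missing_on_build_server", committed[name]["version"]))
    return sorted(findings)


def diff_sample():
    return diff_lockfiles(COMMITTED_LOCK, BUILD_SERVER_LOCK)


if __name__ == "__main__":
    for name, kind, detail in diff_sample():
        print(f"{kind:32} {name} {detail}")
```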
Step 4: Recovery — Re-verify multi-signature approval workflows for all high-value transactions executed during the exposure window. Confirm no unauthorized API keys remain active per account inventory. Review transaction logs for unexplained transfers or staging activity consistent with T1560 data archival. Ensure audit record retention covers the full suspected exposure window. (Cite: NIST AC-2 Account Management / NIST AU-11 Audit Record Retention / NIST AU-10 Non-Repudiation / CIS 5.1 Establish and Maintain an Inventory of Accounts / D3-CRO Credential Rotation)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST AU-11 (Audit Record Retention)
NIST AU-3 (Content of Audit Records)
NIST SI-7 (Software, Firmware, and Information Integrity)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
Pull on-chain transaction history for all hot wallet addresses using a free blockchain explorer (Etherscan, BscScan, or equivalent chain-specific tool) and reconcile every outbound transfer during the exposure window against approved transaction records. Flag any transfer to an address not in your approved counterparty whitelist — Lazarus Group consistently stages funds through intermediary wallets before routing to Tornado Cash-equivalent mixers or cross-chain bridges (Railgun, THORChain have been observed in recent DPRK laundering chains per OFAC and FBI advisories). For API key verification: re-run `aws iam list-access-keys` or equivalent platform command and confirm zero unrecognized keys exist. For T1560 staging detection, check for unexpected compressed archives (`.zip`, `.tar.gz`, `.7z`) created on systems with exchange database or wallet access using: `find / -name '*.zip' -newer /var/log/auth.log -ls` on Linux.
Preserve Evidence
Before restoring normal transaction flow, preserve immutable blockchain records (on-chain receipts are permanent, but capture your internal reconciliation logs showing the delta between approved and actual transactions). Export the full API key activity log showing all API calls made during the exposure window, including endpoints called, volumes queried, and source IPs — APT38 specifically uses API access to enumerate balances and map withdrawal limits before executing large transfers. Preserve any database query logs from your exchange backend that show bulk data reads against user account balances or withdrawal address tables, consistent with T1560 pre-exfiltration archival behavior.
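The on-chain reconciliation in the recovery step above (every outbound hot-wallet transfer matched against approval records and the counterparty whitelist, then followed forward to reveal intermediary staging hops) as an added example that is not code from the report. Input mirrors a block explorer CSV export; all addresses, hashes and amounts are constructed.

```python
"""Reconcile hot-wallet outbound transfers against internal approvals and the
counterparty whitelist, and follow flagged funds through intermediary hops.
Added example, not from the report. All values below are constructed."""

HOT_WALLETS = {"0xhot1", "0xhot2"}
WHITELIST = {"0xexchange-cold", "0xmarketmaker-a"}

# Constructed: internal approval records from the multi-sig / ops ledger.
APPROVALS = [
    {"tx_hash": "0xaaa1", "to": "0xexchange-cold", "value": 500.0},
    {"tx_hash": "0xaaa2", "to": "0xmarketmaker-a", "value": 120.0},
]

# Constructed: explorer export of transfers during the exposure window.
TRANSFERS = [
    {"tx_hash": "0xaaa1", "time": "2026-04-20T10:00:00", "from": "0xhot1", "to": "0xexchange-cold", "value": 500.0},
    {"tx_hash": "0xaaa2", "time": "2026-04-21T09:30:00", "from": "0xhot1", "to": "0xmarketmaker-a", "value": 120.0},
    {"tx_hash": "0xbbb1", "time": "2026-04-22T03:12:00", "from": "0xhot2", "to": "0xinter1", "value": 310.0},
    {"tx_hash": "0xbbb2", "time": "2026-04-22T03:40:00", "from": "0xinter1", "to": "0xinter2", "value": 309.9},
    {"tx_hash": "0xbbb3", "time": "2026-04-22T05:05:00", "from": "0xinter2", "to": "0xunknown-dest", "value": 309.8},
]


def reconcile(transfers, approvals, hot_wallets, whitelist):
    """Return (flagged outbound transfers, unexplained total, staging chains).

    A transfer is flagged when no approval record matches (hash, to, value) or
    when the destination is not on the counterparty whitelist. Each flagged
    destination is then followed forward while it keeps forwarding funds, which
    surfaces the hot wallet -> intermediary -> intermediary staging pattern."""
    approved = {(a["tx_hash"], a["to"], a["value"]) for a in approvals}
    by_sender = {}
    for t in transfers:
        by_sender.setdefault(t["from"], []).append(t)

    flagged, total = [], 0.0
    for t in transfers:
        if t["from"] not in hot_wallets:
            continue
        reasons = []
        if (t["tx_hash"], t["to"], t["value"]) not in approved:
            reasons.append("no_matching_approval")
        if t["to"] not in whitelist:
            reasons.append("destination_not_whitelisted")
        if reasons:
            flagged.append((t["tx_hash"], reasons))
            total += t["value"]

    chains = []
    for tx_hash, _ in flagged:
        first = next(t for t in transfers if t["tx_hash"] == tx_hash)
        hop, chain, seen = first["to"], [first["to"]], {first["from"]}
        while hop in by_sender and hop not in seen:
            seen.add(hop)
            nxt = max(by_sender[hop], key=lambda x: x["value"])  # follow the main flow
            hop = nxt["to"]
            chain.append(hop)
        if len(chain) > 1:
            chains.append((tx_hash, chain))
    return flagged, round(total, 6), chains


def reconcile_sample():
    return reconcile(TRANSFERS, APPROVALS, HOT_WALLETS, WHITELIST)


if __name__ == "__main__":
    flagged, total, chains = reconcile_sample()
    print("flagged:", flagged)
    print("unexplained outflow:", total)
    print("staging chains:", chains)
```

The final address in each chain is what you compare against the OFAC SDN and FBI-published address sets referenced in the step.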
Step 5: Post-Incident — Enforce MFA on all externally exposed exchange applications, remote access paths, and administrative accounts. Conduct operational dependency mapping to identify third parties with privileged custody or trading access. Calibrate social engineering and insider threat controls against nation-state persistence TTPs. Review vendor risk posture and document access authorizations for all third-party integrations. (Cite: NIST AC-17 Remote Access / NIST AC-20 Use Of External Systems / CIS 6.3 Require MFA for Externally-Exposed Applications / CIS 6.4 Require MFA for Remote Network Access / CIS 6.5 Require MFA for Administrative Access / D3-MFA Multi-factor Authentication / D3-ODM Operational Dependency Mapping / D3-CH Credential Hardening)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-8 (Incident Response Plan)
NIST IR-2 (Incident Response Training)
NIST RA-3 (Risk Assessment)
NIST SA-9 (External System Services)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
Compensating Control
Conduct a tabletop exercise specifically simulating a TraderTraitor-style recruitment lure targeting your engineering or finance staff — use the publicly available CISA/FBI advisory AA24-038A (TraderTraitor) as your scenario source material. For smart contract coverage gaps: use free static analysis tools (Slither, Mythril) to audit any contracts interacting with cross-chain bridges or external liquidity pools, focusing on reentrancy and access control weaknesses that DPRK actors have exploited in prior DeFi heists (e.g., Ronin Bridge, Harmony Horizon). For vendor risk: document every third party with a privileged integration and require each to attest MFA enforcement and credential rotation on their access — nation-state actors persistently pivot through trusted vendor relationships to re-enter environments post-incident.
Preserve Evidence
For the lessons-learned record, compile: (1) timeline of initial access vector (spearphish, supply chain, or credential theft) with supporting log evidence; (2) dwell time between first anomalous authentication event and detection; (3) list of all accounts and API keys that had withdrawal or signing authority during the exposure window; (4) inventory of all third-party integrations active during the incident. These artifacts directly inform the insider threat calibration and vendor risk assessments called for in this step, and satisfy NIST IR-8 (Incident Response Plan) documentation requirements for updating the plan based on lessons learned.
Recovery Guidance
After credential rotation and API key revocation, maintain enhanced monitoring on all wallet addresses associated with the exposure window for a minimum of 90 days — Lazarus Group and APT38 are documented to maintain persistent footholds and re-engage weeks after apparent eviction. Re-verify multi-sig quorum integrity by having each signer confirm their key material has not been exported or shared, and consider re-keying the multi-sig scheme entirely if any signer's workstation was potentially compromised. Resume normal transaction flow only after completing a full dependency audit of the build pipeline and confirming no unauthorized packages or build-step modifications remain, given TraderTraitor's documented use of supply chain persistence to re-compromise environments post-incident.
Key Forensic Artifacts
Exchange and custody platform API key audit logs: creation timestamps, last-used timestamps, source IPs, and permission scopes for all keys active during the 90-day exposure window — APT38 characteristically creates API keys with enumeration-only permissions as a low-noise reconnaissance precursor before requesting withdrawal-capable keys.
Blockchain explorer transaction records for all hot wallet addresses: outbound transfers during the exposure window reconciled against internal approval records, with particular attention to transactions routed to known DPRK-associated intermediary addresses published in OFAC SDN list updates and FBI flash alerts (e.g., FBI PIN 20230320-001 on TraderTraitor).
Email gateway and phishing delivery logs for finance and engineering staff: MIME headers, sender infrastructure, and attachment hashes for all messages received in the 90 days prior to detection, cross-referenced against TraderTraitor lure themes (fake Zoom meeting invites, crypto job offers, DeFi whitepaper documents) documented in CISA AA24-038A.
npm, pip, or language-specific package manager lock files and install logs on build servers and developer workstations: diff of installed package hashes against registry-published checksums to identify Lazarus Group-style malicious package injections targeting blockchain developer toolchains (consistent with T1195.001 — Compromise Software Dependencies and Development Tools).
Browser extension installation records and associated network traffic from workstations with exchange admin or wallet access: Chrome extension manifests at `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\` and corresponding network connections, as DPRK-affiliated actors have deployed malicious browser extensions that silently intercept exchange session tokens and private key material.
Detection Guidance
Detection for this campaign must focus on behavioral indicators mapped to documented DPRK TTPs.
Static IOCs rotate frequently and should be supplemented with current CISA advisories rather than relied upon as primary signals.
T1078 — Valid Account Abuse: Enable AU-2 Event Logging and AU-3 Content Of Audit Records across all exchange admin, API key management, and wallet systems. AU-6 Audit Record Review, Analysis, And Reporting should be applied at defined frequency to surface logins from new ASNs, unexpected countries, or unrecognized devices for accounts with financial authority. CIS 8.2 Collect Audit Logs requires logging to be enabled enterprise-wide — verify this is active on custody and trading stack assets before hunting. Apply D3-LAM Local Account Monitoring to detect unauthorized activity on accounts with withdrawal or signing authority.
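The T1078 hunt described here and in Step 2 of the Action Checklist (first-seen ASN, country or device, and off-hours logins, limited to accounts with withdrawal or signing authority) as an added example, not code from the report. It assumes an IdP export in JSON-lines form with the field names shown; the log lines, account names and business-hours window are constructed.

```python
"""Hunt T1078 indicators in exported IdP / exchange-admin authentication logs:
a per-account baseline of ASNs, countries and devices from successful logins
before a cutoff, then first-seen values and off-hours access in the review
window for accounts with financial authority. Added example, not from the
report; field names are assumptions and the log lines are constructed."""
import json
from datetime import datetime

FINANCIAL_AUTHORITY = {"ops-signer1", "treasury-admin"}  # accounts with withdraw/sign rights
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 org local time, an assumption

# Constructed: two weeks of logins; the last lines fall in the review window.
AUTH_LOG = """\
{"ts":"2026-04-14T09:02:00","user":"ops-signer1","asn":64500,"country":"US","device":"lt-0451","result":"success"}
{"ts":"2026-04-15T10:30:00","user":"ops-signer1","asn":64500,"country":"US","device":"lt-0451","result":"success"}
{"ts":"2026-04-15T11:10:00","user":"treasury-admin","asn":64500,"country":"US","device":"lt-0302","result":"success"}
{"ts":"2026-04-16T08:45:00","user":"dev-intern","asn":64501,"country":"US","device":"lt-0999","result":"success"}
{"ts":"2026-04-27T02:17:00","user":"ops-signer1","asn":64512,"country":"XX","device":"unknown-7f3a","result":"success"}
{"ts":"2026-04-27T03:05:00","user":"ops-signer1","asn":64512,"country":"XX","device":"unknown-7f3a","result":"failure"}
{"ts":"2026-04-28T09:00:00","user":"dev-intern","asn":64599,"country":"DE","device":"lt-0999","result":"success"}
"""

ATTRS = ("asn", "country", "device")


def parse_log(text):
    """JSON lines -> list of events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, cutoff):
    """Per-user sets of ASNs, countries and devices seen in successful logins before cutoff."""
    base = {}
    for e in events:
        if e["ts"] >= cutoff or e["result"] != "success":
            continue
        b = base.setdefault(e["user"], {k: set() for k in ATTRS})
        for k in ATTRS:
            b[k].add(e[k])
    return base


def hunt_t1078(text, cutoff, watched=FINANCIAL_AUTHORITY):
    """Return (timestamp, user, reasons) for each successful login at or after
    cutoff by a watched account that shows a first-seen attribute or off-hours time.
    Failed logins are left out here; they belong to a separate brute-force check."""
    events = parse_log(text)
    base = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["user"] not in watched or e["result"] != "success":
            continue
        known = base.get(e["user"], {k: set() for k in ATTRS})
        reasons = [f"new_{k}" for k in ATTRS if e[k] not in known[k]]
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], reasons))
    return findings


def hunt_sample():
    return hunt_t1078(AUTH_LOG, datetime(2026, 4, 25))


if __name__ == "__main__":
    for ts, user, reasons in hunt_sample():
        print(ts, user, ", ".join(reasons))
```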
T1566 — Spearphishing: Use AU-6 to review email gateway logs for malicious attachment or link delivery targeting HR, finance, and developer staff. AU-3 requires records to capture what occurred, when, where, and who — confirm email logs meet this standard.
T1195 — Supply Chain Compromise: Monitor CI/CD pipeline logs and package manager audit logs for unexpected dependency changes. Cross-reference against your CIS 2.1 software inventory. D3-SFA System File Analysis covers monitoring of configuration files and system executables for modification — apply this to build tooling and dependency manifests. D3-FMBV File Magic Byte Verification should be used to validate file integrity against expected package types.
T1059 / T1027 — Obfuscated Script Execution: Monitor endpoints with access to signing keys or exchange APIs for obfuscated script execution. AU-12 Audit Record Generation should capture command execution events. D3-SFA applies to executable and configuration file monitoring on these high-value endpoints. D3-SICA System Init Config Analysis can detect persistence via startup configuration modification.
T1041 / T1568 — Exfiltration and Dynamic Resolution: Hunt for unexpected outbound connections to newly registered domains or dynamic DNS providers from systems in the custody or trading stack. CIS 4.4 Implement and Manage a Firewall on Servers and CIS 4.5 Implement and Manage a Firewall on End-User Devices establish baseline egress controls — review firewall logs against these baselines. AU-13 Monitoring For Information Disclosure supports monitoring for unauthorized data exposure via open-source and external channels.
Audit log integrity and capacity: AU-4 Audit Storage Capacity and AU-9 Protection Of Audit Information must be verified. Logs covering custody and trading systems must be protected from modification and sized to retain the full exposure window. AU-5 Response To Audit Logging Process Failures should be configured to alert on any logging gaps.
Consult current CISA advisories on Lazarus Group and APT38 for the most recent confirmed IOC sets. This guidance addresses behavioral detection patterns only — no confirmed IOCs specific to 2026 campaign activity were available in the source reporting.
Platform Playbooks
Microsoft Sentinel / Defender (coverage depends on license tier):
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Indicator legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required).
MITRE ATT&CK Hunting Queries (5)
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
// KQL has no endswith_any operator; match the extension list with a regex instead
| where FileName matches regex @"(?i)\.(exe|scr|bat|ps1|vbs|js|hta|msi)$"
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1566, T1539, T1531, T1560, T1568, T1027 (+6 more; full list under MITRE ATT&CK Mapping)
NIST SP 800-53: AT-2, CA-7, SC-7, SI-3, SI-4, SI-8 (+11 more)
CIS Controls v8: 2.5, 2.6, 16.10, 6.3, 14.2, 15.1
MITRE ATT&CK Mapping
T1566 Phishing (initial-access)
T1539 Steal Web Session Cookie (credential-access)
T1531 Account Access Removal (impact)
T1560 Archive Collected Data (collection)
T1568 Dynamic Resolution (command-and-control)
T1027 Obfuscated Files or Information (defense-evasion)
T1657 Financial Theft (impact)
T1195 Supply Chain Compromise (initial-access)
T1059 Command and Scripting Interpreter (execution)
T1204 User Execution (execution)
T1041 Exfiltration Over C2 Channel (exfiltration)
T1078 Valid Accounts (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.