UPPERCUT

"PLAYFULGHOST Delivered via Phishing and SEO Poisoning"; "Victims get infected via phishing emails"; "phishing campaign" (multiple entries)

"the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor" / "Microsoft Word documents ... being attached to spear phishing emails"

MirrorFace has leveraged WMIC on targeted systems post compromise. During Operation AkaiRyū, MirrorFace used WMI to proxy execution of UPPERCUT.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

"Microsoft Word documents containing a malicious VBA macro"

"The DLL is then loaded into memory and the randomly named exported function is called"

"Once the password (delivered in the body of the email) is entered, the users are presented with a document that will request users to enable the malicious macro"

"The executable sideloads the malicious DLL (libcurl.dll)"

During Operation AkaiRyū, MirrorFace loaded malicious Word templates containing VBA code leading to installation of UPPERCUT.

"The initial Word documents were password protected, likely in an effort to bypass detection" / "drops three PEM files, padre1.txt, padre2.txt, and padre3.txt"

"The macro deletes the initially dropped .txt files"

"The macro decodes the dropped files using Windows certutil.exe" / "The executable sideloads the malicious DLL ... which decrypts and runs shellcode"

"The macro decodes the dropped files using Windows certutil.exe" / "creates a copy of the files with their proper extensions using ... esentutil.exe"

"An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload." / "menuPass has used certutil in a macro to decode base64-encoded content..." / "OilRig ... used certutil to decode base64-encoded files on victims."

"The executable sideloads the malicious DLL (libcurl.dll)"

"the shellcode uses an anti-debug technique based on ntdll_NtSetInformationThread which causes the thread to be detached from the debugger"

MirrorFace has abused a known Microsoft digital signature verification issues to append encrypted data to digital signatures that still appear to be validly signed. During Operation AkaiRyū, MirrorFace abused a signed McAfee executable to load UPPERCUT.

The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."

Multiple malware and threat groups are described as collecting/deriving local system time, date, timestamp, tick count, or time zone (e.g., "used time /t and net time \ip/hostname for system time discovery"; "collects the timestamp from the victim’s machine"; "can collect the time zone information from the system").

"the shellcode uses an anti-debug technique based on ntdll_NtSetInformationThread which causes the thread to be detached from the debugger"

"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"

Examples include 'AppleJeus's COLDCAT C2 leverages cookie headers to contain data over HTTPS,' 'ChChes ... embeds data within the Cookie HTTP header,' 'GoldMax ... used custom HTTP cookies for C2,' and 'UPPERCUT ... sending error codes in Cookie headers.'

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

"Earlier versions ... used ... Blowfish encryption ... in the latest version, the keys are hard-coded uniquely for each C2 address and use the C2’s calculated MD5 hash"

"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.