QUADAGENT

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry. | The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

"The two encoding methods used by these tools... base16 and base64"; "...custom base64 encoder to strip out non-alphanumeric characters"; "...encoding mechanism... splits each hexadecimal byte into two nibbles..."

Examples include: “ComRAT has encrypted and stored its orchestrator code in the Registry…”, “ShadowPad maintains a configuration block and virtual file system in the Registry.”, and “QakBot can store its configuration information…under HKCU\Software\Microsoft.”

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

Akira has used legitimate names and locations for files to evade defenses.

Many examples describe post-intrusion cleanup, anti-forensics, and removal of artifacts such as logs, scripts, malware components, scheduled tasks, registry keys, and temporary files.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

QUADAGENT has a command to delete its Registry key and scheduled task. Silence has deleted artifacts, including scheduled tasks.

Cherry Picker delete files and registry keys created by the malware. GoldenSpy's uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed. QUADAGENT has a command to delete its Registry key.

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry. | The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

"ALMA... gathering the user name and windows product key"; "...dot variant also gathers the computer name and the serial number of '\\.\PhysicalDrive'"; "...send system specific data... <domain>\<username>:pass"

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

"...malware can use DNS queries and answers to act as a command and control channel... tools that rely on DNS tunneling used by an adversary known as OilRig." | "Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling" and "...use DNS queries to resolve specially crafted subdomains... and the answers... to receive data from the C2."

"...downloaded data to save to the batch script"; "...download files provided by the C2 server"; "...download a new PowerShell and/or VBScript script from the C2"; "...download a PowerShell script that it will replace itself with"

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.