Tools

Tools observed in various incidents or known to be utilized against cloud environments

Name	Tags	Incidents	Techniques
4l4md4r loader and stager		Mimo Targets Magento, Docker, and Cloud Environments
9hits	CommercialDual-use	9hits Docker campaign	Proxyjacking
AADInternals		Storm-0501 Deploys Cloud-Based Ransomware
ADRecon	EnumerationActive Directory	Scattered Spider SaaS targeting (2024)
AgentTesla	RAT	8820 Gang targeting WebLogic
Akira ransomware	Ransomware	Veeam Vulnerability Exploited by Akira and Fog Ransomware Akira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN
alamdar.so rootkit		Mimo Targets Magento, Docker, and Cloud Environments
Albabat ransomware		Albabat Ransomware Targets Windows, Linux, and macOS Using GitHub Infrastructure
AlienFox	Attacker-sideToolkit	AlienFox campaign
AndroxGh0st	Toolkit	AndroxGh0st usage (2024)Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments
AntSword	Toolkit	RedJuliett Exploiting VPN and Firewall Vulnerabilities
AnvilEcho powershell trojan	TrojanMalware
AnyDesk	CommercialDual-use	Peach Sandstorm targeting Azure Magnet Goblin campaign (2024)TargetCompany Abusing MSSQL Servers for Ransomware Storm-0501 Targeting Hybrid Environments with Ransomware
ASN	OffSecDual-use	CRYSTALRAY: threat actors exploiting OSS tools
ASPXSpy	Webshell	DragonRank Targeting IIS Web Servers	Webshell deployment
Atomic Red Team	OffSecK8sAttacker-sideDual-use
Auto-Color malware		Auto-Color Malware Exploits SAP Vulnerability for Linux Backdoor
AWS tools for PowerShell		EC2 Grouper campaign
aws-ethereum-miner	CryptominerCloud
AWSealion	OffSecToolkitAttacker-sideDual-use
AzCopy		Storm-0501 Deploys Cloud-Based Ransomware
AzureChecker		Password spray attack leads to containers being used for cryptomining
AzureHound	OffSecToolkitAttacker-sideCloudDual-use	Peach Sandstorm targeting Azure Storm-0501 Deploys Cloud-Based Ransomware
Babuk	Ransomware	ESXiArgs ransomware campaign
BadIIS	MalwareBackdoor	DragonRank Targeting IIS Web Servers
Behinder	Webshell	RevivalStone Campaign by Winnti	Webshell deployment Reverse shell
BlackBasta ransomware	Ransomware	Ransomware operators exploit ESXi vulnerability Black Basta Exploiting Vulnerabilities in Multiple Products
BlackSmith toolkit	Toolkit
BlueShell	OffSecDual-use
Boto3		JavaGhost SES abuse
BPFDoor	Malware	BPFDoor’s Hidden Controller Targets AMEA Sectors
BRIGHTCREST	Malware
BRUSHFIRE		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
Brute Ratel		SAP NetWeaver Visual Composer exploitation campaign
Buildkite Agent	Dual-use
BUSHWALK	Malware	Ivanti Connect Secure targeting campaign
BypassBoss		Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities
C3Bash	Cryptominer	RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto
C3Pool	Cryptominer	C3Pool mining via Confluence vulnerability Exposed Jupyter Notebooks Targeted for Cryptomining
C3RB3R Ransomware	RansomwareMalware	Confluence targeting by C3RB3R	Vulnerability exploitation
CDK	OffSecK8sDual-use		Abusing exposed Docker socket Exploiting host mount to escape to host
Cdorked	BackdoorLinux	Cdorked campaign
Cetus	WormCryptominer	Cetus campaign
CHAINLINE	Backdoor	Ivanti Connect Secure targeting campaign
Chaos RAT	RAT
Cheerscrypt	Ransomware
China Chopper	Webshell	Storm-0558 phishing campaigns RedJuliett Exploiting VPN and Firewall Vulnerabilities RevivalStone Campaign by Winnti Weaver Ant data exfiltration campaign Attacks on Korean IIS & Linux Servers
Chisel	Proxy	From web app exploitation to Chisel tunneling Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
Cigril	Trojan	Storm-0558 phishing campaigns	DLL search order hijacking
Cl0p ransomware	Ransomware	Cleo Vulnerabilities Targeted by Cl0p Ransomware
CloudBrute	OffSecCloudDual-use
CloudedHope		Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise
CloudFox	OffSecAttacker-sideCloudDual-use
CloudSnooper	Rootkit	Cyberoam breach (2018)	In-band signaling
CloudSplaining	OffSecDual-use
CLR shell	Reverse shellMalware	Mimic used by Trigona operators
Cobalt Strike	OffSecDual-use	Apache server Cryptojacking with Cobalt Strike Widespread TeamCity exploitation (March ‘24)Agenda Ransomware Targets ESXi and vCenter Servers Ransomware operators exploit ESXi vulnerability Storm-0501 Targeting Hybrid Environments with Ransomware Earth Kasha’s Campaign Exploiting Fortinet Vulnerability Cleo Vulnerabilities Targeted by Cl0p Ransomware PHP-CGI Vulnerability Exploited in Attacks Targeting Japan Operation LongFang Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities UTG-Q-015 Exploits 0-Days for Espionage in Asia UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
CoinStomp	Cryptominer	CoinStomp campaign
CrackMapExec	OffSecDual-use	Ivanti Connect Secure targeting campaign
CrazyHunter		CrazyHunter Ransomware Group Targets Critical Sectors in Taiwan
CredMaster	Dual-use
CUNNINGPIGEON	BackdoorMalware	RevivalStone Campaign by Winnti
Dagon Locker	Ransomware		Phishing
Dama	Webshell	Dama webshell deployment via ThinkPHP exploitation
DarkMe	MalwareRAT	Microsoft Smartscreen Vulnerability Exploited by Water Hydra
DCSync	Malware	Campaign targeting exposed FortiGate firewall management interfaces
Ddostf	DDoS
DEATHLOTUS	Backdoor	RevivalStone Campaign by Winnti
DEEPDATA	MalwareWindows	BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials	Credential theft
DEEPPOST	Malware	BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
Denonia	Cryptominer	Denonia campaign	Serverless execution
DeRF	ToolkitOffSecCloudDual-use
DERO miner	Cryptominer	Dero cryptojacking targeting K8s
devilzshell	Webshell	RedJuliett Exploiting VPN and Firewall Vulnerabilities
Diamorphine rootkit	Rootkit	Qubitstrike Crypto Mining and Rootkit Campaign
DinodasRAT	RAT
DragonForce ransomware		DragonForce Exploits SimpleHelp Vulnerabilities in Ransomware Campaign
DripDropper		DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems
DSLog	Backdoor	Ivanti Connect Secure targeting campaign	Vulnerability exploitation
EagleRelay	Proxy	Peach Sandstorm targeting Azure
Ebury	Botnet	Operation Windigo
emp3ror	ToolkitWindowsLinuxMalware	CRYSTALRAY: threat actors exploiting OSS tools
enum4Linux	OffSecDual-use	Ivanti Connect Secure targeting campaign
enumerate-iam	ToolkitOffSecCloudDual-use
Everything	Windows	SharePoint Vulnerability Exploited in-the-Wild
Evil-WinRM		Storm-0501 Deploys Cloud-Based Ransomware
FAKEUPDATES	Dropper	UNC2165 Targets Hybrid Environments with Ransomware
FBot	ToolkitMalwareAttacker-side	FBot toolkit targets cloud environments
ffmpeg	Commercial	Sports Piracy Exploiting Misconfigured Jupyter Servers
FireProx	ProxyCloud
FireWood	BackdoorLinuxRootkit	Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood
FleetDeck	Commercial	Scattered Spider Abuses Cloud Management Agent
Flodrix botnet		Langflow Vulnerability Exploited to Deliver Flodrix Botnet
Fog ransomware	Ransomware	Veeam Vulnerability Exploited by Akira and Fog Ransomware
FRAMESTING	Webshell	Ivanti Connect Secure targeting campaign
frp	Proxy	z0Miner targeting WebLogic servers Mauri Ransomware Exploiting Apache ActiveMQ
fscan	OffSecDual-use	From WSO2 RCE to SSH lateral movement Attacks on Korean IIS & Linux Servers
Fudmodule rootkit	Rootkit		Bring Your Own Vulnerable Driver Direct Kernel object manipulation
Fuso		Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
Gafgyt botnet		Gafgyt Malware Targeting Cloud Environments Gafgyt Malware Targeting Misconfigured Docker Servers
Gato	ToolkitCI/CDDual-use		CI/CD system enumeration
Gelsevirine
Gh0st RAT	MalwareRAT	Apache server Cryptojacking with Cobalt Strike Cyberoam breach (2018)Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks
Gh0stCringe	Malware
Ghost		UTG-Q-015 Exploits 0-Days for Espionage in Asia
ghostfile93.aspx webshell		SharePoint Vulnerability Exploited in-the-Wild
git-dumper		EMERALDWHALE Attacks Targeting Exposed Git Config Files
Glutton backdoor		PHP Targeted with Glutton backdoor
GMiner	Cryptominer
GoBruteforcer	Botnet	GoBruteforcer campaign	Password bruteforcing
GoBuster		Volkswagen data leak through Spring Boot Actuator misconfiguration
GodPotato		DragonRank Targeting IIS Web Servers Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities
Godzilla	Webshell	From WSO2 RCE to SSH lateral movement From ActiveMQ to Godzilla webshell RedJuliett Exploiting VPN and Firewall Vulnerabilities Earth Baku campaign Godzilla Backdoor Exploiting Confluence Vulnerability DragonRank Targeting IIS Web Servers Code Injection Attacks Exploiting Publicly Disclosed ASP.NET Keys Attacks on Korean IIS & Linux Servers
GOHEAVY		UNC5174 ScreenConnect and F5 BIG-IP exploitation
GooseEgg		APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment
GOREVERSE		UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign
GoTitan	Botnet	GoTitan ActiveMQ campaign
Graboid	WormCryptominer	Graboid campaign
GreenBot	ToolkitAttacker-side
Gsocket	OffSecDual-use	SilentBob cryptomining campaign Labrat GitLab campaign Campaign targeting Selenium Grid for cryptomining REF6138 campaign
HeadCrab		HeadCrab campaign
Heaven’s Gate		SAP NetWeaver Visual Composer exploitation campaign
HiddenShovel	Cryptominer		Bring Your Own Vulnerable Driver
HijackDriverManager		Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks
Hildegard	Cryptominer	TeamTNT campaigns
HinataBot	DDoSBotnet
Hive	Ransomware
Horoung Antivirus		SharePoint Vulnerability Exploited in-the-Wild
HubSpot Free Form Builder		Phishing campaign leading to Azure account takeover
IceFire	Ransomware	IceFire Aspera Faspex campaign
Impacket	OffSecDual-use	Ivanti Connect Secure targeting campaign Scattered Spider SaaS targeting (2024)SharePoint Vulnerability Exploited in-the-Wild Storm-0501 Deploys Cloud-Based Ransomware
Infection Monkey	OffSecToolkitDual-use
INMemory webshell		Weaver Ant data exfiltration campaign
iodine	OffSecDual-use	Ivanti Connect Secure targeting campaign
IPRoyal	CommercialDual-useProxy	Labrat GitLab campaign Campaign targeting Selenium Grid for cryptomining Mimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign	Proxyjacking
Jasmin		Widespread TeamCity exploitation (March ‘24)
JSFuck		JSFireTruck: Malicious JavaScript Campaign Using Obfuscation
JuicyPotato		Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
KAIJI	DDoS	REF6138 campaign
kerbrute		SharePoint Vulnerability Exploited in-the-Wild
KeyChecker	Cloud
KEYPLUG		Horde Panda targeting South Asian telecommunications provider
Kinsing		Kinsing campaigns (2020)
Krasue	RAT	Krasue Thailand campaign
kube-hunter	OffSecK8sDual-use
kubescape	K8sOffSecDual-use
Kubesploit	OffSecK8sDual-use
Kubestroyer	OffSecK8sDual-use
Kunpeng	OffSecDual-use	Abcbot Huawei Cloud targeting campaign
LaZagne	OffSecMalware
Legion	ToolkitAttacker-side
Leonidas	OffSecToolkitCloudDual-use
LIGHTSPY		BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
LIGHTWIRE		Ivanti Connect Secure targeting campaign
Ligolo		Magnet Goblin campaign (2024)
Line Dancer	MalwareRATReverse shell	ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day	Disable logging Exfiltration via AWS Transfer
Line Runner	MalwareBackdoor	ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day
linPEAS	OffSecDual-use	Use of linPEAS for cloud enumeration
Linux Exploit Suggester	OffSecDual-use
Linuxsys coinminer		Linuxsys Cryptominer Campaign
LocalOlive shell		Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
LockBit	Ransomware
LODEINFO		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Loggerminer	Cryptominer	Loggerminer campaign
LokiLocker		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
LuaPlug		Horde Panda targeting South Asian telecommunications provider
Lucifer	Botnet	Lucifer Botnet targeting Hadoop	Vulnerability exploitation Misconfigured Apache Hadoop abuse
Mallox ransomware		TargetCompany Abusing MSSQL Servers for Ransomware Hadooken Malware Targeting Weblogic Servers
Masscan	OffSecDual-use	SilentBob cryptomining campaign Docker Swarm and K8s cryptojacking campaign
Mauri ransomware	Ransomware	Mauri Ransomware Exploiting Apache ActiveMQ
Mélofée	Malware
Meson CDN		Meson Network cryptojacking campaign
Metasploit	OffSecDual-use	Andariel exploiting Apache ActiveMQ From code commit to production takeover
Meterpreter
MicroBurst	OffSecDual-use
Mimic ransomware	Ransomware	RE#TURGENCE MSSQL Server RansomOp Mimic used by Trigona operators	Password bruteforcing Vulnerability exploitation
Mimikatz	Dual-use	RE#TURGENCE MSSQL Server RansomOp Scattered Spider SaaS targeting (2024)DragonRank Targeting IIS Web Servers SharePoint Vulnerability Exploited in-the-Wild State-Sponsored APT Abuse Visual Studio Code in Attacks Storm-0501 attacking hybrid environments with ransomware PHP-CGI Vulnerability Exploited in Attacks Targeting Japan Operation LongFang UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools Warlock Ransomware Exploiting Sharepoint Vulnerabilities
Mimipenguin	OffSecMalwareDual-use
Mimipy	OffSecDual-use
Mimo	Cryptominer	Mimo cryptomining campaign Mimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign
Mimus	Ransomware	Mimo cryptomining campaign
Mineping		Panamorfi campaign
MiniNerbian		Magnet Goblin campaign (2024)
Mirai		Mirai campaign targeting Ivanti products Mirai Botnet Exploiting Apache OFBiz Vulnerability
MirrorStealer		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Mispadu stealer	MalwareTrojanRATBackdoor	Windows SmartScreen vulnerability exploited by Mispadu trojan	Phishing Malvertising Misconfigured Wordpress abuse
MIZARU		EMERALDWHALE Attacks Targeting Exposed Git Config Files
Monero miner		Lucifer Botnet targeting Hadoop
Msupedge backdoor		Msupedge Backdoor Targeting Taiwanese University
Muhstik		Muhstik campaign
Neo-reGeorg		UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise
NerbianRAT		Magnet Goblin campaign (2024)
netcat	Dual-use	z0Miner targeting WebLogic servers K8s targeted via OpenMetadata exploitation
nevada	Ransomware
ngrok	OffSecDual-use	SilentBob cryptomining campaign ngrok cryptojacking campaign Earth Simnavaz (APT34) Targeting UAE and Gulf Regions
NHAS reverse_ssh	Reverse shell	Mimo cryptomining campaign
NoaBot	BotnetCryptominer		SSH propagation
NOOPDOOR		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
nuclei		CRYSTALRAY: threat actors exploiting OSS tools
NukeSped	RAT	Andariel exploiting Apache ActiveMQ
Onderon		Cyberoam breach (2018)
OracleIV	DDoSBotnet	OracleIV campaign
Outlaw malware	Cryptominer		SSH bruteforcing UPX packing
Pacu	OffSecDual-use	SilentBob cryptomining campaign SugarCRM as initial access to AWS envs
Peer2Profit	ProxyDual-use	Mimo cryptomining campaign EMERALDWHALE Attacks Targeting Exposed Git Config Files
Peirates	OffSecK8sDual-use	SilentBob cryptomining campaign TeamTNT campaigns
perfctl		perfctl campaign targeting Docker API perfctl Malware Targeting Linux
Phobos		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Plague backdoor		Plague PAM-Based Backdoor for Linux
Platypus		CRYSTALRAY: threat actors exploiting OSS tools
PlugX		DragonRank Targeting IIS Web Servers
PMapper	ToolkitCloudDual-use
PowerZure	OffSecDual-use
Prince ransomware		CrazyHunter Ransomware Group Targets Critical Sectors in Taiwan
PrintNotifyPotato		DragonRank Targeting IIS Web Servers
PRIVATELOG		RevivalStone Campaign by Winnti
Prometei	Botnet	Prometei campaign
proot	OffSecDual-use
ProtonVPN		LLM Hijacking Targeting AWS
ProxyLite	CommercialDual-useProxy	Labrat GitLab campaign	Proxyjacking
PsExec	Dual-use	Agenda Ransomware Targets ESXi and vCenter Servers
PureCrypter		8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking
pwnRig	Cryptominer
Pypikatz		Ransomware operators exploit ESXi vulnerability
PySoxy	OffSecProxyDual-use	Ivanti Connect Secure targeting campaign
Qakbot		Ransomware operators exploit ESXi vulnerability
Raccoon stealer		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Rakshasa		Earth Baku campaign
RansomEXX	Ransomware
RANSOMHUB		UNC2165 Targets Hybrid Environments with Ransomware
rapeflake		Snowflake compromised creds abuse campaign
Rclone		Storm-0501 Targeting Hybrid Environments with Ransomware
RCRU64		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Red-kube	OffSecK8sDual-use
Redigo		Redigo campaign
RedTail		RedTail Cryptomining campaign
Rekoobe	Malware	APT31 Rekoobe campaign
Remcos RAT		TargetCompany Abusing MSSQL Servers for Ransomware
Reptile	Rootkit	UNC3886 campaigns
RingQ loader		Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
ROADtoken	Cloud
ROADtools	OffSecDual-use	Peach Sandstorm targeting Azure
RomCom backdoor		RomCom exploiting Word vulnerability in campaign targeting government entities
rsockstun		Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
RUDEDEVIL	Cryptominer	REF6138 campaign
S3 Browser		ShinyHunters Ransomware Targeting Cloud Environments
s3-account-search	OffSecDual-use
SASHEYAWAY		UNC1860 Attacks Targeting the Middle East
ScanBox Framework
ScoutSuite	OffSecDual-use	SugarCRM as initial access to AWS envs
ScreenConnect	Dual-use	Magnet Goblin campaign (2024)
SecureShell	Dual-use	Agenda Ransomware Targets ESXi and vCenter Servers
sedexp	Linux		Persistence via udev
SHADOWGAZE		RevivalStone Campaign by Winnti
SharpWMI		UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
ShellBot / PerlBot	Botnet	RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto	Misconfigured SSH abuse
Shikitega	MalwareCryptominer
ShroudedSnooper
Siloscape	Malware	Siloscape campaign
Silver		CRYSTALRAY: threat actors exploiting OSS tools
SkidMap	CryptominerMalware	SkidMap targeting Redis
SkyArk	OffSecDual-use
Sliver	OffSecDual-use	From PHP exploitation to AWS lateral movement From PHP vuln to Sliver execution via cron Cloudflare incident following Okta breach Sliver deployment via Confluence vulnerability TeamTNT’s Docker Gatling Gun Campaign UNC5174 Linux Espionage Campaign Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems
Snapekit	LinuxRootkit
SneakCross		Earth Baku campaign
SNOWLIGHT		UNC5174 ScreenConnect and F5 BIG-IP exploitation UNC5174 Linux Espionage Campaign
SNS Sender	ToolkitAttacker-side		SNS abuse for spam or phishing Smishing (SMS phishing)
SoftEther proxy	ProxyDual-use	Microsoft signing key compromise UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
SoundBill		UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
SparkRAT		Widespread TeamCity exploitation (March ‘24)
SPAWNSLOTH		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
SPAWNSNARE		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
SPAWNWAVE		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
spinstall0 webshell		0day Vulnerability in Microsoft Sharepoint Exploited in-the-Wild
sqlmap		State-Sponsored APT Abuse Visual Studio Code in Attacks
SRBMiner	Cryptominer
SSH-Snake	OffSecWormDual-use	SSH-Snake Confluence targeting campaign CRYSTALRAY: threat actors exploiting OSS tools
STAYSHANTE		UNC1860 Attacks Targeting the Middle East
StealthReacher		Earth Baku campaign
StealthVector		Earth Baku campaign
Stormspotter	OffSecToolkitCloudDual-use
Stratus Red Team	OffSecK8sCloudDual-use
Subfinder		Volkswagen data leak through Spring Boot Actuator misconfiguration
SUNBURST	Backdoor	Solarigate: Solarwinds supply chain attack
SUPERSHELL	BackdoorOffSec	UNC5174 ScreenConnect and F5 BIG-IP exploitation Attacks on Korean IIS & Linux Servers Auto-Color Malware Exploits SAP Vulnerability for Linux Backdoor
SWEETCOLA
Sysrv	CryptominerBotnet	Sysrv Apache Druid cryptojacking
SystemBC		Ransomware operators exploit ESXi vulnerability
SysUpdate	Malware
Tailscale		Earth Baku campaign
TeamFiltration		TeamFiltration Account Takeover Campaign
TEARDROP	Dropper	Solarigate: Solarwinds supply chain attack
TellYouThePass ransomware	Ransomware	RCE Vulnerability in PHP CGI Exploited by TellYouThePass	Vulnerability exploitation
TEMPLEPLAY		UNC1860 Attacks Targeting the Middle East
THINSPOOL		Ivanti Connect Secure targeting campaign
TinyProxy		Linux SSH Servers Compromised to Deploy Proxies
TinyShell		Commando Cat campaign
tmate	OffSecDual-use	SilentBob cryptomining campaign
TMChecker	ToolkitAttacker-side		Password bruteforcing
TONESHELL		Earth Preta’s Campaign Abusing MAVInject to Bypass Detection