Tools

Tools observed in various incidents or known to be utilized against cloud environments

Name	Tags	Incidents	Techniques
4l4md4r loader and stager		Mimo Targets Magento, Docker, and Cloud Environments
9hits	CommercialDual-use	9hits Docker campaign	Proxyjacking
AADInternals		Storm-0501 Deploys Cloud-Based Ransomware
ADRecon	EnumerationActive Directory	Scattered Spider SaaS targeting (2024)
AgentTesla	RAT	8820 Gang targeting WebLogic
Akira ransomware	Ransomware	Veeam Vulnerability Exploited by Akira and Fog RansomwareAkira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN
alamdar.so rootkit		Mimo Targets Magento, Docker, and Cloud Environments
Albabat ransomware		Albabat Ransomware Targets Windows, Linux, and macOS Using GitHub Infrastructure
AlienFox	Attacker-sideToolkit	AlienFox campaign
AndroxGh0st	Toolkit	AndroxGh0st usage (2024)Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments
AntSword	Toolkit	RedJuliett Exploiting VPN and Firewall Vulnerabilities
AnvilEcho powershell trojan	TrojanMalware
AnyDesk	CommercialDual-use	Peach Sandstorm targeting AzureMagnet Goblin campaign (2024)TargetCompany Abusing MSSQL Servers for RansomwareStorm-0501 Targeting Hybrid Environments with RansomwareUnauthenticated Remote Access via Triofox Vulnerability Exploited by UNC6485
ASN	OffSecDual-use	CRYSTALRAY: threat actors exploiting OSS tools
ASPXSpy	Webshell	DragonRank Targeting IIS Web Servers	Webshell deployment
Atomic Red Team	OffSecK8sAttacker-sideDual-use
Auto-Color malware		Auto-Color Malware Exploits SAP Vulnerability for Linux Backdoor
AWS tools for PowerShell		EC2 Grouper campaign
aws-ethereum-miner	CryptominerCloud
AWSealion	OffSecToolkitAttacker-sideDual-use
AzCopy		Storm-0501 Deploys Cloud-Based Ransomware
AzureChecker		Password spray attack leads to containers being used for cryptomining
AzureHound	OffSecToolkitAttacker-sideCloudDual-use	Peach Sandstorm targeting AzureStorm-0501 Deploys Cloud-Based Ransomware
Babuk	Ransomware	ESXiArgs ransomware campaign
BadIIS	MalwareBackdoor	DragonRank Targeting IIS Web Servers
Behinder	Webshell	RevivalStone Campaign by Winnti	Webshell deploymentReverse shell
BlackBasta ransomware	Ransomware	Ransomware operators exploit ESXi vulnerabilityBlack Basta Exploiting Vulnerabilities in Multiple Products
BlackSmith toolkit	Toolkit
BlueShell	OffSecDual-use
Boto3		JavaGhost SES abuse
BPFDoor	Malware	BPFDoor’s Hidden Controller Targets AMEA Sectors
BRICKSTEAL		BRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal Sectors
BRICKSTORM backdoor		BRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal Sectors
BRIGHTCREST	Malware
BRUSHFIRE		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
Brute Ratel		SAP NetWeaver Visual Composer exploitation campaign
Buildkite Agent	Dual-use
BUSHWALK	Malware	Ivanti Connect Secure targeting campaign
BypassBoss		Earth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities
C3Bash	Cryptominer	RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto
C3Pool	Cryptominer	C3Pool mining via Confluence vulnerabilityExposed Jupyter Notebooks Targeted for Cryptomining
C3RB3R Ransomware	RansomwareMalware	Confluence targeting by C3RB3R	Vulnerability exploitation
CDK	OffSecK8sDual-use		Abusing exposed Docker socketExploiting host mount to escape to host
Cdorked	BackdoorLinux	Cdorked campaign
Cetus	WormCryptominer	Cetus campaign
CHAINLINE	Backdoor	Ivanti Connect Secure targeting campaign
Chaos RAT	RAT
Cheerscrypt	Ransomware
China Chopper	Webshell	Storm-0558 phishing campaignsRedJuliett Exploiting VPN and Firewall VulnerabilitiesRevivalStone Campaign by WinntiWeaver Ant data exfiltration campaignAttacks on Korean IIS & Linux Servers
Chisel	Proxy	From web app exploitation to Chisel tunnelingSeashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
Cigril	Trojan	Storm-0558 phishing campaigns	DLL search order hijacking
Cl0p ransomware	Ransomware	Cleo Vulnerabilities Targeted by Cl0p RansomwareCl0p Extortion Campaign Claims Theft via Oracle E-Business Suite
CloudBrute	OffSecCloudDual-use
CloudedHope		Silk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise
CloudFox	OffSecAttacker-sideCloudDual-use
CloudSnooper	Rootkit	Cyberoam breach (2018)	In-band signaling
CloudSplaining	OffSecDual-use
CLR shell	Reverse shellMalware	Mimic used by Trigona operators
Cobalt Strike	OffSecDual-use	Apache server Cryptojacking with Cobalt StrikeWidespread TeamCity exploitation (March ‘24)Agenda Ransomware Targets ESXi and vCenter ServersRansomware operators exploit ESXi vulnerabilityStorm-0501 Targeting Hybrid Environments with RansomwareEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityCleo Vulnerabilities Targeted by Cl0p RansomwarePHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFangEarth Lamia Custom Toolkit Targets Multiple Sectors via Web VulnerabilitiesUTG-Q-015 Exploits 0-Days for Espionage in AsiaUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
CoinStomp	Cryptominer	CoinStomp campaign
CrackMapExec	OffSecDual-use	Ivanti Connect Secure targeting campaign
CrazyHunter		CrazyHunter Ransomware Group Targets Critical Sectors in Taiwan
CredMaster	Dual-use
CUNNINGPIGEON	BackdoorMalware	RevivalStone Campaign by Winnti
Dagon Locker	Ransomware		Phishing
Dama	Webshell	Dama webshell deployment via ThinkPHP exploitation
DarkMe	MalwareRAT	Microsoft Smartscreen Vulnerability Exploited by Water Hydra
DCSync	Malware	Campaign targeting exposed FortiGate firewall management interfaces
Ddostf	DDoS
DEATHLOTUS	Backdoor	RevivalStone Campaign by Winnti
DEEPDATA	MalwareWindows	BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials	Credential theft
DEEPPOST	Malware	BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
Denonia	Cryptominer	Denonia campaign	Serverless execution
DeRF	ToolkitOffSecCloudDual-use
DERO miner	Cryptominer	Dero cryptojacking targeting K8s
devilzshell	Webshell	RedJuliett Exploiting VPN and Firewall Vulnerabilities
Diamorphine rootkit	Rootkit	Qubitstrike Crypto Mining and Rootkit Campaign
DinodasRAT	RAT
DragonForce ransomware		DragonForce Exploits SimpleHelp Vulnerabilities in Ransomware Campaign
DripDropper		DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems
DSLog	Backdoor	Ivanti Connect Secure targeting campaign	Vulnerability exploitation
EagleRelay	Proxy	Peach Sandstorm targeting Azure
Ebury	Botnet	Operation Windigo
emp3ror	ToolkitWindowsLinuxMalware	CRYSTALRAY: threat actors exploiting OSS tools
enum4Linux	OffSecDual-use	Ivanti Connect Secure targeting campaign
enumerate-iam	ToolkitOffSecCloudDual-use
Everything	Windows	SharePoint Vulnerability Exploited in-the-Wild
Evil-WinRM		Storm-0501 Deploys Cloud-Based Ransomware
FAKEUPDATES	Dropper	UNC2165 Targets Hybrid Environments with Ransomware
FBot	ToolkitMalwareAttacker-side	FBot toolkit targets cloud environments
ffmpeg	Commercial	Sports Piracy Exploiting Misconfigured Jupyter Servers
FireProx	ProxyCloud
FireWood	BackdoorLinuxRootkit	Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood
FleetDeck	Commercial	Scattered Spider Abuses Cloud Management Agent
Flodrix botnet		Langflow Vulnerability Exploited to Deliver Flodrix Botnet
Fog ransomware	Ransomware	Veeam Vulnerability Exploited by Akira and Fog Ransomware
FRAMESTING	Webshell	Ivanti Connect Secure targeting campaign
frp	Proxy	z0Miner targeting WebLogic serversMauri Ransomware Exploiting Apache ActiveMQ
fscan	OffSecDual-use	From WSO2 RCE to SSH lateral movementAttacks on Korean IIS & Linux Servers
Fudmodule rootkit	Rootkit		Bring Your Own Vulnerable DriverDirect Kernel object manipulation
Fuso		Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
Gafgyt botnet		Gafgyt Malware Targeting Cloud EnvironmentsGafgyt Malware Targeting Misconfigured Docker Servers
Gato	ToolkitCI/CDDual-use		CI/CD system enumeration
Gelsevirine
Gh0st RAT	MalwareRAT	Apache server Cryptojacking with Cobalt StrikeCyberoam breach (2018)Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks
Gh0stCringe	Malware
Ghost		UTG-Q-015 Exploits 0-Days for Espionage in Asia
ghostfile93.aspx webshell		SharePoint Vulnerability Exploited in-the-Wild
git-dumper		EMERALDWHALE Attacks Targeting Exposed Git Config Files
Glutton backdoor		PHP Targeted with Glutton backdoor
GMiner	Cryptominer
GoBruteforcer	Botnet	GoBruteforcer campaign	Password bruteforcing
GoBuster		Volkswagen data leak through Spring Boot Actuator misconfiguration
GodPotato		DragonRank Targeting IIS Web ServersEarth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities
Godzilla	Webshell	From WSO2 RCE to SSH lateral movementFrom ActiveMQ to Godzilla webshellRedJuliett Exploiting VPN and Firewall VulnerabilitiesEarth Baku campaignGodzilla Backdoor Exploiting Confluence VulnerabilityDragonRank Targeting IIS Web ServersCode Injection Attacks Exploiting Publicly Disclosed ASP.NET KeysAttacks on Korean IIS & Linux ServersIIS Backdoor Exploiting Exposed ASP.NET Machine Keys
GOHEAVY		UNC5174 ScreenConnect and F5 BIG-IP exploitation
GooseEgg		APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment
GOREVERSE		UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign
GoTitan	Botnet	GoTitan ActiveMQ campaign
Graboid	WormCryptominer	Graboid campaign
GreenBot	ToolkitAttacker-side
Gsocket	OffSecDual-use	SilentBob cryptomining campaignLabrat GitLab campaignCampaign targeting Selenium Grid for cryptominingREF6138 campaign
HeadCrab		HeadCrab campaign
Heaven’s Gate		SAP NetWeaver Visual Composer exploitation campaign
HiddenShovel	Cryptominer		Bring Your Own Vulnerable Driver
HijackDriverManager		Larva-25003: IIS Native Module Malware Used in Targeted Web Server Attacks
Hildegard	Cryptominer	TeamTNT campaigns
HinataBot	DDoSBotnet
Hive	Ransomware
Horoung Antivirus		SharePoint Vulnerability Exploited in-the-Wild
HubSpot Free Form Builder		Phishing campaign leading to Azure account takeover
IceFire	Ransomware	IceFire Aspera Faspex campaign
Impacket	OffSecDual-use	Ivanti Connect Secure targeting campaignScattered Spider SaaS targeting (2024)SharePoint Vulnerability Exploited in-the-WildStorm-0501 Deploys Cloud-Based Ransomware
Infection Monkey	OffSecToolkitDual-use
INMemory webshell		Weaver Ant data exfiltration campaign
iodine	OffSecDual-use	Ivanti Connect Secure targeting campaign
IPRoyal	CommercialDual-useProxy	Labrat GitLab campaignCampaign targeting Selenium Grid for cryptominingMimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign	Proxyjacking
Jasmin		Widespread TeamCity exploitation (March ‘24)
JSFuck		JSFireTruck: Malicious JavaScript Campaign Using Obfuscation
JuicyPotato		Earth Lamia Custom Toolkit Targets Multiple Sectors via Web VulnerabilitiesUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
KAIJI	DDoS	REF6138 campaign
kerbrute		SharePoint Vulnerability Exploited in-the-Wild
KeyChecker	Cloud
KEYPLUG		Horde Panda targeting South Asian telecommunications provider
Kinsing		Kinsing campaigns (2020)
Krasue	RAT	Krasue Thailand campaign
kube-hunter	OffSecK8sDual-use
kubescape	K8sOffSecDual-use
Kubesploit	OffSecK8sDual-use
Kubestroyer	OffSecK8sDual-use
Kunpeng	OffSecDual-use	Abcbot Huawei Cloud targeting campaign
LaZagne	OffSecMalware
Legion	ToolkitAttacker-side
Leonidas	OffSecToolkitCloudDual-use
LIGHTSPY		BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials
LIGHTWIRE		Ivanti Connect Secure targeting campaign
Ligolo		Magnet Goblin campaign (2024)
Line Dancer	MalwareRATReverse shell	ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day	Disable loggingExfiltration via AWS Transfer
Line Runner	MalwareBackdoor	ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day
LINE VIPER		Renewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASA
LinkPro		eBPF Rootkit Targeting AWS and Linux Environments
linPEAS	OffSecDual-use	Use of linPEAS for cloud enumeration
Linux Exploit Suggester	OffSecDual-use
Linuxsys coinminer		Linuxsys Cryptominer Campaign
LocalOlive shell		Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
LockBit	Ransomware
LODEINFO		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Loggerminer	Cryptominer	Loggerminer campaign
LokiLocker		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
LuaPlug		Horde Panda targeting South Asian telecommunications provider
Lucifer	Botnet	Lucifer Botnet targeting Hadoop	Vulnerability exploitationMisconfigured Apache Hadoop abuse
Mallox ransomware		TargetCompany Abusing MSSQL Servers for RansomwareHadooken Malware Targeting Weblogic Servers
Masscan	OffSecDual-use	SilentBob cryptomining campaignDocker Swarm and K8s cryptojacking campaign
Mauri ransomware	Ransomware	Mauri Ransomware Exploiting Apache ActiveMQ
Mélofée	Malware
Meson CDN		Meson Network cryptojacking campaign
Metasploit	OffSecDual-use	Andariel exploiting Apache ActiveMQFrom code commit to production takeover
Meterpreter
MicroBurst	OffSecDual-use
Mimic ransomware	Ransomware	RE#TURGENCE MSSQL Server RansomOpMimic used by Trigona operators	Password bruteforcingVulnerability exploitation
Mimikatz	Dual-use	RE#TURGENCE MSSQL Server RansomOpScattered Spider SaaS targeting (2024)DragonRank Targeting IIS Web ServersSharePoint Vulnerability Exploited in-the-WildState-Sponsored APT Abuse Visual Studio Code in AttacksStorm-0501 attacking hybrid environments with ransomwarePHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFangUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source ToolsWarlock Ransomware Exploiting Sharepoint Vulnerabilities IIS Backdoor Exploiting Exposed ASP.NET Machine Keys
Mimipenguin	OffSecMalwareDual-use
Mimipy	OffSecDual-use
Mimo	Cryptominer	Mimo cryptomining campaignMimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated Campaign
Mimus	Ransomware	Mimo cryptomining campaign
Mineping		Panamorfi campaign
MiniNerbian		Magnet Goblin campaign (2024)
Mirai		Mirai campaign targeting Ivanti productsMirai Botnet Exploiting Apache OFBiz Vulnerability
MirrorStealer		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
Mispadu stealer	MalwareTrojanRATBackdoor	Windows SmartScreen vulnerability exploited by Mispadu trojan	PhishingMalvertisingMisconfigured Wordpress abuse
MIZARU		EMERALDWHALE Attacks Targeting Exposed Git Config Files
Monero miner		Lucifer Botnet targeting Hadoop
Msupedge backdoor		Msupedge Backdoor Targeting Taiwanese University
Muhstik		Muhstik campaign
Neo-reGeorg		UNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignSilk Typhoon Exploiting Trusted Relationships for Cloud Environments Compromise
NerbianRAT		Magnet Goblin campaign (2024)
netcat	Dual-use	z0Miner targeting WebLogic serversK8s targeted via OpenMetadata exploitation
NeuralExecutor		PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments
Neursite		PassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments
nevada	Ransomware
ngrok	OffSecDual-use	SilentBob cryptomining campaignngrok cryptojacking campaignEarth Simnavaz (APT34) Targeting UAE and Gulf Regions
NHAS reverse_ssh	Reverse shell	Mimo cryptomining campaign
NoaBot	BotnetCryptominer		SSH propagation
NOOPDOOR		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability
nuclei		CRYSTALRAY: threat actors exploiting OSS tools
NukeSped	RAT	Andariel exploiting Apache ActiveMQ
Onderon		Cyberoam breach (2018)
OracleIV	DDoSBotnet	OracleIV campaign
Outlaw malware	Cryptominer		SSH bruteforcingUPX packing
Pacu	OffSecDual-use	SilentBob cryptomining campaignSugarCRM as initial access to AWS envs
Peer2Profit	ProxyDual-use	Mimo cryptomining campaignEMERALDWHALE Attacks Targeting Exposed Git Config Files
Peirates	OffSecK8sDual-use	SilentBob cryptomining campaignTeamTNT campaigns
perfctl		perfctl campaign targeting Docker APIperfctl Malware Targeting Linux
Phobos		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Plague backdoor		Plague PAM-Based Backdoor for Linux
Platypus		CRYSTALRAY: threat actors exploiting OSS tools
PlugX		DragonRank Targeting IIS Web Servers
PMapper	ToolkitCloudDual-use
PowerZure	OffSecDual-use
Prince ransomware		CrazyHunter Ransomware Group Targets Critical Sectors in Taiwan
PrintNotifyPotato		DragonRank Targeting IIS Web Servers
PRIVATELOG		RevivalStone Campaign by Winnti
Prometei	Botnet	Prometei campaign
proot	OffSecDual-use
ProtonVPN		LLM Hijacking Targeting AWS
ProxyLite	CommercialDual-useProxy	Labrat GitLab campaign	Proxyjacking
PsExec	Dual-use	Agenda Ransomware Targets ESXi and vCenter Servers
PureCrypter		8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking
pwnRig	Cryptominer
Pypikatz		Ransomware operators exploit ESXi vulnerability
PySoxy	OffSecProxyDual-use	Ivanti Connect Secure targeting campaign
Qakbot		Ransomware operators exploit ESXi vulnerability
Raccoon stealer		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Rakshasa		Earth Baku campaign
RansomEXX	Ransomware
RANSOMHUB		UNC2165 Targets Hybrid Environments with Ransomware
rapeflake		Snowflake compromised creds abuse campaign
RayInitiator		Renewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASA
Rclone		Storm-0501 Targeting Hybrid Environments with Ransomware
RCRU64		TRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen Credentials
Red-kube	OffSecK8sDual-use
Redigo		Redigo campaign
RedTail		RedTail Cryptomining campaign
Rekoobe	Malware	APT31 Rekoobe campaign
Remcos RAT		TargetCompany Abusing MSSQL Servers for Ransomware
Reptile	Rootkit	UNC3886 campaigns
Rigel		Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure
RingQ loader		Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data
ROADtoken	Cloud
ROADtools	OffSecDual-use	Peach Sandstorm targeting Azure
RomCom backdoor		RomCom exploiting Word vulnerability in campaign targeting government entities
rsockstun		Seashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data Exfiltration
RUDEDEVIL	Cryptominer	REF6138 campaign
S3 Browser		ShinyHunters Ransomware Targeting Cloud Environments
s3-account-search	OffSecDual-use
SASHEYAWAY		UNC1860 Attacks Targeting the Middle East
ScanBox Framework
ScoutSuite	OffSecDual-use	SugarCRM as initial access to AWS envs
ScreenConnect	Dual-use	Magnet Goblin campaign (2024)
SecureShell	Dual-use	Agenda Ransomware Targets ESXi and vCenter Servers
sedexp	Linux		Persistence via udev
SHADOWGAZE		RevivalStone Campaign by Winnti
SharpWMI		UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
ShellBot / PerlBot	Botnet	RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto	Misconfigured SSH abuse
Shikitega	MalwareCryptominer
ShroudedSnooper
Siloscape	Malware	Siloscape campaign
Silver		CRYSTALRAY: threat actors exploiting OSS tools
SkidMap	CryptominerMalware	SkidMap targeting Redis
SkyArk	OffSecDual-use
Sliver	OffSecDual-use	From PHP exploitation to AWS lateral movementFrom PHP vuln to Sliver execution via cronCloudflare incident following Okta breachSliver deployment via Confluence vulnerabilityTeamTNT’s Docker Gatling Gun CampaignUNC5174 Linux Espionage CampaignIvanti EPMM RCE Vulnerability Chain Exploited in the WildDripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems
Snapekit	LinuxRootkit
SneakCross		Earth Baku campaign
SNOWLIGHT		UNC5174 ScreenConnect and F5 BIG-IP exploitationUNC5174 Linux Espionage Campaign
SNS Sender	ToolkitAttacker-side		SNS abuse for spam or phishingSmishing (SMS phishing)
sockstress		Cryptomining Campaign Exploiting Exposed Ray AI Infrastructure
SoftEther proxy	ProxyDual-use	Microsoft signing key compromiseUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
SoundBill		UAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools
SparkRAT		Widespread TeamCity exploitation (March ‘24)
SPAWNSLOTH		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
SPAWNSNARE		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
SPAWNWAVE		Critical Ivanti Connect Secure Vulnerability Exploited by China-linked Actor
spinstall0 webshell		0day Vulnerability in Microsoft Sharepoint Exploited in-the-Wild
sqlmap		State-Sponsored APT Abuse Visual Studio Code in Attacks
SRBMiner	Cryptominer
SSH-Snake	OffSecWormDual-use	SSH-Snake Confluence targeting campaignCRYSTALRAY: threat actors exploiting OSS tools
STAYSHANTE		UNC1860 Attacks Targeting the Middle East
StealthReacher		Earth Baku campaign
StealthVector		Earth Baku campaign
Stormspotter	OffSecToolkitCloudDual-use
Stratus Red Team	OffSecK8sCloudDual-use
Subfinder		Volkswagen data leak through Spring Boot Actuator misconfiguration
SUNBURST	Backdoor	Solarigate: Solarwinds supply chain attack
SUPERSHELL	BackdoorOffSec	UNC5174 ScreenConnect and F5 BIG-IP exploitationAttacks on Korean IIS & Linux ServersAuto-Color Malware Exploits SAP Vulnerability for Linux Backdoor
SWEETCOLA
Sysrv	CryptominerBotnet	Sysrv Apache Druid cryptojacking
SystemBC		Ransomware operators exploit ESXi vulnerability
SysUpdate	Malware
Tailscale		Earth Baku campaign
TeamFiltration		TeamFiltration Account Takeover Campaign