User Execution: Malicious Link, Sub-technique T1204.001 - Enterprise
AppleJeus's spearphishing links required user interaction to navigate to the malicious website.[1]
APT-C-36 has used malicious links in emails, often impersonating official notifications and documents, to direct users to execute malicious payloads.[2]
APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[3][4]
APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link.[5][6]
APT3 has lured victims into clicking malicious links delivered through spearphishing.[7]
APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.[8][9][10]
APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[11][12]
APT38 has used links to execute a malicious Visual Basic script.[13]
APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.[14][15]
BackConfig has compromised victims via links to URLs hosting malicious content.[16]
Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.[17][18][19]
BlackTech has used e-mails with malicious links to lure victims into installing malware.[20]
Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.[21][22]
During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email.[23]
During C0021, the threat actors lured users into clicking a malicious link which led to the download of a ZIP archive containing a malicious .LNK file.[24]
Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.[25][26][27]
Confucius has lured victims into clicking on a malicious link sent through spearphishing.[28]
Contagious Interview has lured victims to click on a malicious link that led to download of a malicious payload.[29] Contagious Interview has also leveraged links to malicious payloads on social media and code repositories.[29]
Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.[30]
Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.[31]
Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.[32][33]
Emotet has relied upon users clicking on a malicious link delivered through spearphishing.[34][35]
Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which download a .LNK file.[36]
EXOTIC LILY has used malicious links to lure users into executing malicious payloads.[37]
FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).[38][39]
FIN7 has used malicious links to lure victims into downloading malware.[40]
FIN8 has used emails with malicious links to lure victims into installing malware.[41][42][43]
Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content.[44][45]
Gootloader has been executed through malicious links presented to users as internet search results.[46][47]
Grandoreiro has used malicious links to gain execution on victim machines.[48][49]
GuLoader has relied upon users clicking on links to malicious documents.[50]
Hancitor has relied upon users clicking on a malicious link delivered through phishing.[51]
Javali has achieved execution through victims clicking links to malicious websites.[52]
Kerrdown has gained execution through victims opening malicious links.[10]
Kimsuky has lured victims into clicking malicious links.[53]
KOCTOPUS has relied on victims clicking on a malicious link delivered via email.[54]
Latrodectus has been executed through malicious links distributed in email campaigns.[55][56]
LazyScripter has relied upon users clicking on links to malicious files.[54]
Leviathan has sent spearphishing emails containing links in an attempt to get a user to click.[57][58]
LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.[59]
Machete has relied on users opening malicious links delivered through spearphishing to execute malware.[60][61][62]
Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[63][64]
Melcoz has gained execution through victims opening malicious links.[52]
Mofang's spearphishing emails required a user to click the link to connect to a compromised website.[65]
Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable.[66][67]
MuddyWater has distributed URLs in phishing e-mails that link to lure documents.[68][69][70]
Mustang Panda has sent malicious links, including links directing victims to a Google Drive folder.[71][72][73][74][75][76] Mustang Panda has also utilized webpages with JavaScript code that downloads malicious payloads to the victim device.[77]
Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails.[78][79]
NETWIRE has been executed through convincing victims into clicking malicious links.[80][50]
During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.[81]
ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.[82][83]
OilRig has delivered malicious links to achieve execution on the target system.[84][85][86][87]
During Operation AkaiRyū, MirrorFace lured users into executing malicious payloads with links to resources hosted on OneDrive.[88][89]
During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.[90][91]
During Operation Dust Storm, the threat actors relied on a victim clicking on a malicious link sent via email.[92]
During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails.[93]
OutSteel has relied on a user to click a malicious link within a spearphishing email.[94]
Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.[95][96][97][16]
PLEAD has been executed via malicious links in e-mails.[20]
Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.[98]
QakBot has gained execution through users opening malicious links.[99][100][101][102][103][104][105]
Qilin has been executed by luring victims into clicking links in spearphishing emails.[106][107]
RedCurl has used malicious links to infect the victim machines.[108][109]
During RedDelta Modified PlugX Infection Chain Operations, Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely hosted MSI file.[110]
ROAMINGHOUSE has been executed through luring victims into clicking links to download malicious ZIP files.[111]
Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution.[94][112]
Saint Bot has relied on users to click on a malicious link delivered via spearphishing.[94]
Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[113]
Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[114][115][116][117]
SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.[118]
Snip3 has been executed through luring victims into clicking malicious links.[119]
SocGholish has lured victims into interacting with malicious links on compromised websites for execution.[79]
SpicyOmelette has been executed through malicious links within spearphishing emails.[27]
Squirrelwaffle has relied on victims to click on a malicious link sent via phishing campaigns.[120]
TA2541 has used malicious links to cloud and web services to gain execution on victim machines.[121][80]
TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes its malware look like legitimate Microsoft Word documents, .pdf, and/or .lnk files.[122][123][124][125][126][127][128][129]
TA577 has lured users into executing malicious JavaScript files by sending malicious links via email.[55]
TA578 has placed malicious links in contact forms on victim sites, often spoofing a copyright complaint, to redirect users to malicious file downloads.[55]
Transparent Tribe has directed users to open URLs hosting malicious content.[82][83]
TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.[130]
Turla has used spearphishing via a link to get users to download and run their malware.[131]
During Water Curupira Pikabot Distribution, the threat actors distributed a PDF attachment containing a malicious link to a Pikabot installer.[132]
Windshift has used links embedded in e-mails to lure victims into executing malicious code.[133]
Winter Vivern has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution.[134][135]
WIRTE has used links embedded in emails to lure users into downloading malicious files.[136]
Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[137]
ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.[138][139]