# Backdoors
> Stealthy implants that establish persistent, unauthorized access to compromised systems, typically used in long-running espionage operations. They differ from RATs by prioritizing stealth over interactivity, often remaining dormant for long periods.
> [!warning] Primary APT Espionage Tool
> Backdoors are the category favored by state-sponsored APT groups. GoldMax, FoggyWeb, Kazuar, GraphSteel and dozens of other families were developed exclusively for sophisticated espionage operations against governments, defense contractors and critical infrastructure.
## How They Work
Backdoors prioritize persistence and detection evasion over interactive capabilities. They frequently use legitimate protocols to mask C2 communication, together with advanced anti-analysis techniques.
```mermaid
graph TB
A["🎯 Implantacao Furtiva<br/>Supply chain / Zero-day / Spear-phishing"] --> B["🛡️ Evasao<br/>Rootkit / Anti-VM / Code signing"]
B --> C["🔐 Persistencia<br/>Firmware / Kernel / Scheduled task"]
C --> D["💤 Dormente<br/>Aguarda sinal de ativacao"]
D --> E["📡 Beacon Passivo<br/>Pull-based C2 / Intervalos longos"]
E --> F["🔍 Reconhecimento<br/>Coleta credenciais / estrutura AD"]
F --> G["📤 Exfiltracao Lenta<br/>Dados criptografados em pequenos chunks"]
style A fill:#8e44ad,color:#fff
style B fill:#2c3e50,color:#fff
style C fill:#1a5276,color:#fff
style D fill:#117a65,color:#fff
style E fill:#1e8bc3,color:#fff
style F fill:#d35400,color:#fff
style G fill:#c0392b,color:#fff
```
**Characteristics that distinguish backdoors:**
- **Stealth first** - Designed to go undetected for months or years
- **Minimal footprint** - Little or no writing to disk; in-memory operation
- **Pull-based C2** - Contacts the server periodically instead of holding an active connection
- **Legitimate protocol** - Uses DNS, HTTPS, e-mail or cloud services for C2
## Cataloged Families
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", used-by AS "Usado Por"
FROM "cti/software/malware/backdoors"
WHERE type = "malware"
SORT title ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", used-by AS "Usado Por" FROM "cti/software/malware/backdoors" WHERE type = "malware" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nome", status AS "Status", used-by AS "Usado Por" FROM "cti/software/malware/backdoors" WHERE type = "malware" SORT title ASC -->
| Name | Status | Used By |
| -------------------------------------------------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [[s0202-adbupd\|adbupd]] | active | <ul><li>[[g0068-platinum\|PLATINUM]]</li></ul> |
| [[s0045-advstoreshell\|ADVSTORESHELL]] | active | <ul><li>[[cti/groups/g0007-apt28.md\|APT28]]</li></ul> |
| [[s0504-anchor\|Anchor]] | active | <ul><li>[[g0102-conti-group\|Wizard Spider]]</li></ul> |
| [[s0456-aria-body\|Aria-body]] | active | <ul><li>[[g0019-naikon\|Naikon]]</li></ul> |
| [[s0093-backdooroldrea\|Backdoor.Oldrea]] | active | <ul><li>[[g0035-dragonfly\|Dragonfly]]</li></ul> |
| [[s0031-backspace\|BACKSPACE]] | active | <ul><li>[[g0013-apt30\|APT30]]</li></ul> |
| [[bad-rabbit\|Bad Rabbit]] | inactive | <ul><li>[[g0034-sandworm]]</li></ul> |
| [[s0128-badnews\|BADNEWS]] | active | <ul><li>[[g0040-patchwork\|Patchwork]]</li></ul> |
| [[s1184-boldmove\|BOLDMOVE]] | active | <ul><li>\-</li></ul> |
| [[s0651-boxcaon\|BoxCaon]] | active | <ul><li>[[g0136-indigozebra\|IndigoZebra]]</li></ul> |
| [[bpfdoor\|BPFDoor]] | active | <ul><li>[[cti/groups/red-menshen.md\|red-menshen]]</li></ul> |
| [[s0204-briba\|Briba]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li></ul> |
| [[brickstorm\|BRICKSTORM]] | active | <ul><li>[[unc5221]]</li><li>[[unc6201]]</li></ul> |
| [[s0335-carbon\|Carbon]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[s0020-china-chopper\|China Chopper]] | active | <ul><li>[[g0093-gallium]]</li><li>[[cti/groups/g0096-apt41.md\|g0096-apt41]]</li><li>[[g0027-threat-group-3390]]</li><li>[[g0125-silk-typhoon]]</li><li>[[g0065-leviathan]]</li><li>[[g0129-mustang-panda]]</li><li>[[g1022-toddycat]]</li><li>[[backdoor-diplomacy]]</li></ul> |
| [[s1041-chinoxy\|Chinoxy]] | active | <ul><li>\-</li></ul> |
| [[chrysalis\|Chrysalis]] | active | <ul><li>[[g0030-raspberry-typhoon]]</li></ul> |
| [[s0660-clambling\|Clambling]] | active | <ul><li>[[g0027-threat-group-3390\|Threat Group-3390]]</li></ul> |
| [[s0338-cobian-rat\|Cobian RAT]] | active | <ul><li>\-</li></ul> |
| [[s0244-comnie\|Comnie]] | active | <ul><li>\-</li></ul> |
| [[s0046-cozycar\|CozyCar]] | active | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[s0023-cozyduke\|CozyDuke]] | inactive | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[s0527-creep\|CREEP]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[crosswalk\|Crosswalk]] | active | <ul><li>[[cti/groups/g0096-apt41.md\|APT41]]</li></ul> |
| [[s0492-customdoor\|CustomDoor]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[s0497-dacls\|Dacls]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[s1111-dango\|DANGO]] | active | <ul><li>[[g0129-mustang-panda\|Mustang Panda]]</li></ul> |
| [[s0235-darkhydrus\|DarkHydrus]] | inactive | <ul><li>[[g0079-darkhydrus\|DarkHydrus]]</li></ul> |
| [[s0673-darkpulsar\|DarkPulsar]] | active | <ul><li>\-</li></ul> |
| [[s1052-deadeye\|DEADEYE]] | active | <ul><li>[[cti/groups/g0096-apt41.md\|g0096-apt41]]</li></ul> |
| [[deathstalker\|DeathStalker]] | active | <ul><li>[[deathstalker\|DeathStalker]]</li></ul> |
| [[dindoor\|DinDoor]] | active | <ul><li>[[donot-team]]</li></ul> |
| [[s0352-dnspionage\|DNSpionage]] | inactive | <ul><li>[[g0049-oilrig\|OilRig]]</li></ul> |
| [[s1021-dnssystem\|DnsSystem]] | active | <ul><li>[[g1001-hexane\|HEXANE]]</li></ul> |
| [[s0186-downpaper\|DownPaper]] | active | <ul><li>[[g0059-magic-hound\|Magic Hound]]</li></ul> |
| [[s0081-elise\|Elise]] | active | <ul><li>[[g0030-raspberry-typhoon\|Lotus Blossom]]</li></ul> |
| [[s0064-elmer\|ELMER]] | active | <ul><li>[[g0023-apt16\|APT16]]</li></ul> |
| [[s0401-exaramel-for-linux\|Exaramel for Linux]] | active | <ul><li>[[g0034-sandworm\|Sandworm Team]]</li></ul> |
| [[s0343-exaramel-for-windows\|Exaramel for Windows]] | active | <ul><li>[[g0034-sandworm\|Sandworm Team]]</li></ul> |
| [[s0512-fatduke\|FatDuke]] | active | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[s0267-felixroot\|FELIXROOT]] | active | <ul><li>\-</li></ul> |
| [[s0381-flyagent\|FlyAgent]] | inactive | <ul><li>[[g0067-apt37\|APT37]]</li></ul> |
| [[s0661-foggyweb\|FoggyWeb]] | active | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[freshcamel\|FreshCamel]] | active | <ul><li>[[unc3524\|UNC3524]]</li></ul> |
| [[s1110-fullhousedoored\|FULLHOUSE.DOORED]] | active | <ul><li>[[cti/groups/g0096-apt41.md\|APT41]]</li></ul> |
| [[s1044-funnydream\|FunnyDream]] | active | <ul><li>\-</li></ul> |
| [[funshion\|Funshion]] | active | <ul><li>[[cti/groups/g0096-apt41.md\|APT41]]</li></ul> |
| [[s0410-fysbis\|Fysbis]] | active | <ul><li>[[cti/groups/g0007-apt28.md\|APT28]]</li></ul> |
| [[s0168-gazer\|Gazer]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[ghostblade\|GHOSTBLADE]] | active | <ul><li>[[unc6353]]</li><li>[[unc6748]]</li></ul> |
| [[s0342-ghostsecret\|GhostSecret]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[cti/software/malware/backdoors/ghostspider.md\|GHOSTSPIDER]] | active | <ul><li>[[earth-estries\|Earth Estries]]</li><li>[[g1045-salt-typhoon\|Salt Typhoon]]</li></ul> |
| [[glamtariel\|GLAMTARIEL]] | active | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[gobot2\|Gobot2]] | active | <ul><li>[[cti/groups/g0096-apt41.md\|APT41]]</li></ul> |
| [[goldbackdoor\|GoldBackdoor]] | active | <ul><li>[[g0067-apt37\|APT37]]</li></ul> |
| [[s0245-golddragon\|GOLDDRAGON]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[s0493-goldenspy\|GoldenSpy]] | active | <ul><li>\-</li></ul> |
| [[s0588-goldmax\|GoldMax]] | inactive | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[s1198-gomir\|Gomir]] | active | <ul><li>[[g0094-kimsuky\|Kimsuky]]</li></ul> |
| [[gopuram\|Gopuram]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[graphite\|Graphite]] | active | <ul><li>[[cti/groups/g0007-apt28.md\|APT28]]</li></ul> |
| [[gravityadmin\|GravityAdmin]] | active | <ul><li>[[unc2165\|UNC2165]]</li></ul> |
| [[s0690-green-lambert\|Green Lambert]] | active | <ul><li>\-</li></ul> |
| [[greenlambert\|GreenLambert]] | inactive | <ul><li>[[longhorn\|Longhorn]]</li></ul> |
| [[greyenergy\|GreyEnergy]] | active | <ul><li>[[g0034-sandworm\|Sandworm]]</li></ul> |
| [[s0417-griffon\|GRIFFON]] | active | <ul><li>[[g0046-fin7\|FIN7]]</li></ul> |
| [[s0632-grimagent\|GrimAgent]] | active | <ul><li>[[g0037-fin6\|FIN6]]</li><li>[[g0102-conti-group\|Wizard Spider]]</li></ul> |
| [[s1211-hannotog\|Hannotog]] | active | <ul><li>[[g0030-raspberry-typhoon\|Lotus Blossom]]</li></ul> |
| [[s1145-happydoor\|HappyDoor]] | active | <ul><li>[[g0094-kimsuky\|Kimsuky]]</li></ul> |
| [[cti/software/malware/backdoors/headlace.md\|HeadLace]] | active | <ul><li>[[cti/groups/g0007-apt28.md\|APT28]]</li></ul> |
| [[s0170-helminth\|Helminth]] | active | <ul><li>[[g0049-oilrig\|OilRig]]</li></ul> |
| [[s1027-heyoka-backdoor\|Heyoka Backdoor]] | active | <ul><li>[[g1007-aoqin-dragon\|Aoqin Dragon]]</li></ul> |
| [[s0376-hoplight\|HOPLIGHT]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li><li>[[g0082-apt38\|APT38]]</li></ul> |
| [[s0015-icefog\|Icefog]] | active | <ul><li>\-</li></ul> |
| [[ida\|IDA]] | active | <ul><li>\-</li></ul> |
| [[s1072-infected-mushroom\|Infected Mushroom]] | active | <ul><li>\-</li></ul> |
| [[s0260-invisimole\|InvisiMole]] | active | <ul><li>\-</li></ul> |
| [[s1017-jerboa\|Jerboa]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[s1040-jumplump\|JUMPLUMP]] | active | <ul><li>[[g0125-silk-typhoon\|HAFNIUM]]</li></ul> |
| [[s0201-juniper-backdoor\|Juniper Backdoor]] | inactive | <ul><li>\-</li></ul> |
| [[s0265-kazuarv2\|KazuarV2]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[s0271-keymarble\|KEYMARBLE]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[s0278-kitsune\|Kitsune]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[s0356-klackring\|Klackring]] | inactive | <ul><li>[[g0022-apt3\|APT3]]</li></ul> |
| [[s0162-komplex\|Komplex]] | active | <ul><li>[[cti/groups/g0007-apt28.md\|APT28]]</li></ul> |
| [[s0276-kramgon\|KRAMGON]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[cti/software/malware/backdoors/ktlvdoor.md\|KTLVdoor]] | active | <ul><li>[[g1006-earth-lusca\|Earth Lusca]]</li></ul> |
| [[s0236-kwampirs\|Kwampirs]] | active | <ul><li>[[g0071-orangeworm\|Orangeworm]]</li></ul> |
| [[lightbasin\|LightBasin]] | active | <ul><li>[[unc1945]]</li></ul> |
| [[s1081-lightbasin-backdoor\|LightBasin Backdoor]] | active | <ul><li>[[lightbasin\|LightBasin]]</li></ul> |
| [[s1188-line-runner\|Line Runner]] | active | <ul><li>\-</li></ul> |
| [[s0211-linfo\|Linfo]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li></ul> |
| [[s1121-littlelambwooltea\|LITTLELAMB.WOOLTEA]] | active | <ul><li>\-</li></ul> |
| [[s1142-lunarmail\|LunarMail]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[s1141-lunarweb\|LunarWeb]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[s0084-mis-type\|Mis-Type]] | active | <ul><li>\-</li></ul> |
| [[s0083-misdat\|Misdat]] | active | <ul><li>\-</li></ul> |
| [[s0080-mivast\|Mivast]] | active | <ul><li>[[g0009-deep-panda\|Deep Panda]]</li></ul> |
| [[s1026-mongall\|Mongall]] | active | <ul><li>[[g1007-aoqin-dragon\|Aoqin Dragon]]</li></ul> |
| [[cti/software/malware/backdoors/moonwalk.md\|MoonWalk]] | active | <ul><li>[[cti/groups/g0096-apt41.md\|APT41]]</li></ul> |
| [[s0205-naid\|Naid]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li></ul> |
| [[s0228-nanhaishu\|NanHaiShu]] | active | <ul><li>[[g0065-leviathan\|Leviathan]]</li></ul> |
| [[s0630-nebulae\|Nebulae]] | active | <ul><li>[[g0019-naikon\|Naikon]]</li></ul> |
| [[s0210-nerex\|Nerex]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li></ul> |
| [[s0034-neteagle\|NETEAGLE]] | active | <ul><li>[[g0013-apt30\|APT30]]</li></ul> |
| [[s0439-okrum\|Okrum]] | active | <ul><li>[[g0004-apt15\|Ke3chang]]</li></ul> |
| [[osxoceanlotusd\|OSX_OCEANLOTUS.D]] | active | <ul><li>[[g0050-apt32\|APT32]]</li></ul> |
| [[s0664-pandora\|Pandora]] | active | <ul><li>[[g1021-cinnamon-tempest\|Cinnamon Tempest]]</li><li>[[g0027-threat-group-3390\|Threat Group-3390]]</li></ul> |
| [[s0208-pasam\|Pasam]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li></ul> |
| [[s0587-penquin\|Penquin]] | active | <ul><li>[[g0010-turla\|Turla]]</li></ul> |
| [[s0501-pipemon\|PipeMon]] | active | <ul><li>[[g0044-winnti-group\|Winnti Group]]</li></ul> |
| [[s0012-poisonivy\|PoisonIvy]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li><li>[[g1023-apt5\|APT5]]</li><li>[[g0093-gallium\|GALLIUM]]</li><li>[[g0006-apt1\|APT1]]</li><li>[[g0018-admin338\|admin@338]]</li><li>[[g0081-tropic-trooper\|Tropic Trooper]]</li><li>[[g0017-dragonok\|DragonOK]]</li><li>[[g0011-pittytiger\|PittyTiger]]</li><li>[[g0136-indigozebra\|IndigoZebra]]</li><li>[[g0001-axiom\|Axiom]]</li></ul> |
| [[s0441-powershower\|PowerShower]] | active | <ul><li>[[g0100-inception-framework\|Inception]]</li></ul> |
| [[s0145-powersource\|POWERSOURCE]] | active | <ul><li>[[g0046-fin7\|FIN7]]</li></ul> |
| [[s0371-powerton\|POWERTON]] | active | <ul><li>[[g0064-apt33\|APT33]]</li></ul> |
| [[s0147-pteranodon\|Pteranodon]] | active | <ul><li>[[g0047-gamaredon\|Gamaredon Group]]</li></ul> |
| [[s0269-quadagent\|QUADAGENT]] | active | <ul><li>[[g0049-oilrig\|OilRig]]</li></ul> |
| [[s1076-quietcanary\|QUIETCANARY]] | active | <ul><li>\-</li></ul> |
| [[s1084-quietexit\|QUIETEXIT]] | active | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[s0629-rainyday\|RainyDay]] | active | <ul><li>[[g0019-naikon\|Naikon]]</li></ul> |
| [[s0662-rcsession\|RCSession]] | active | <ul><li>[[g0027-threat-group-3390\|Threat Group-3390]]</li><li>[[g0129-mustang-panda\|Mustang Panda]]</li></ul> |
| [[s0495-rdat\|RDAT]] | active | <ul><li>[[g0049-oilrig\|OilRig]]</li></ul> |
| [[s0153-redleaves\|RedLeaves]] | active | <ul><li>[[g0045-apt10\|menuPass]]</li></ul> |
| [[s0019-regin\|Regin]] | active | <ul><li>[[g0020-equation-group]]</li></ul> |
| [[s1219-reptile\|REPTILE]] | active | <ul><li>[[g1048-unc3886\|UNC3886]]</li></ul> |
| [[s1222-riflespine\|RIFLESPINE]] | active | <ul><li>[[g1048-unc3886\|UNC3886]]</li></ul> |
| [[s1078-rotajkiro\|RotaJákiro]] | active | <ul><li>[[g0050-apt32\|APT32]]</li></ul> |
| [[s0085-s-type\|S-Type]] | active | <ul><li>\-</li></ul> |
| [[s1099-samurai\|Samurai]] | active | <ul><li>[[g1022-toddycat\|ToddyCat]]</li></ul> |
| [[s0053-seaduke\|SeaDuke]] | active | <ul><li>[[g0016-apt29\|APT29]]</li></ul> |
| [[s0345-seasalt\|Seasalt]] | active | <ul><li>[[g0006-apt1\|APT1]]</li></ul> |
| [[s0382-servhelper\|ServHelper]] | active | <ul><li>[[ta505\|TA505]]</li></ul> |
| [[s0596-shadowpad\|ShadowPad]] | active | <ul><li>[[cti/groups/g0096-apt41.md\|g0096-apt41]]</li><li>[[bronze-atlas]]</li><li>[[g0129-mustang-panda]]</li><li>[[g0060-bronze-butler]]</li><li>[[g0004-apt15]]</li></ul> |
| [[s0546-sharpstage\|SharpStage]] | active | <ul><li>[[g0021-molerats\|Molerats]]</li></ul> |
| [[s1035-small-sieve\|Small Sieve]] | active | <ul><li>[[g0069-mango-sandstorm\|MuddyWater]]</li></ul> |
| [[s0649-smokedham\|SMOKEDHAM]] | active | <ul><li>\-</li></ul> |
| [[s0159-snugride\|SNUGRIDE]] | active | <ul><li>[[g0045-apt10\|menuPass]]</li></ul> |
| [[solarmarker\|SolarMarker]] | active | <ul><li></li></ul> |
| [[cti/software/malware/backdoors/spypress-zimbra.md\|SpyPress.ZIMBRA]] | active | <ul><li>[[cti/groups/g0007-apt28.md\|APT28]]</li></ul> |
| [[s0058-sslmm\|SslMM]] | active | <ul><li>[[g0019-naikon\|Naikon]]</li></ul> |
| [[s1037-starwhale\|STARWHALE]] | active | <ul><li>[[g0069-mango-sandstorm\|MuddyWater]]</li></ul> |
| [[s1049-sugarush\|SUGARUSH]] | active | <ul><li>\-</li></ul> |
| [[s0533-systembc\|SystemBC]] | active | <ul><li>[[g0114-fin12\|FIN12]]</li><li>[[rhysida-ransomware]]</li><li>[[cti/groups/blackbasta.md\|blackbasta]]</li><li>[[cti/software/malware/s0154-cobalt-strike.md\|GOLD CABIN]]</li></ul> |
| [[s0164-tdtess\|TDTESS]] | active | <ul><li>[[g0052-copykittens\|CopyKittens]]</li></ul> |
| [[s0665-threatneedle\|ThreatNeedle]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[s0668-tinyturla\|TinyTurla]] | active | <ul><li>[[g0010-turla]]</li></ul> |
| [[s0131-tinytyphon\|TINYTYPHON]] | active | <ul><li>[[g0040-patchwork\|Patchwork]]</li></ul> |
| [[s0647-turian\|Turian]] | active | <ul><li>[[g0135-backdoordiplomacy\|BackdoorDiplomacy]]</li></ul> |
| [[s0199-turnedup\|TURNEDUP]] | active | <ul><li>[[g0064-apt33\|APT33]]</li></ul> |
| [[s0275-uppercut\|UPPERCUT]] | active | <ul><li>[[g0045-apt10\|menuPass]]</li></ul> |
| [[s0207-vasport\|Vasport]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li></ul> |
| [[s0180-volgmer\|Volgmer]] | active | <ul><li>[[g0032-lazarus-group\|Lazarus Group]]</li></ul> |
| [[s0206-wiarp\|Wiarp]] | active | <ul><li>[[g0066-elderwood\|Elderwood]]</li></ul> |
| [[s0176-wingbird\|Wingbird]] | active | <ul><li>[[g0055-neodymium\|NEODYMIUM]]</li></ul> |
| [[s0059-winmm\|WinMM]] | active | <ul><li>[[g0019-naikon\|Naikon]]</li></ul> |
| [[xagent\|X-Agent]] | active | <ul><li>[[cti/groups/g0007-apt28.md\|g0007-apt28]]</li></ul> |
| [[s0653-xcaon\|xCaon]] | active | <ul><li>[[g0136-indigozebra\|IndigoZebra]]</li></ul> |
| [[s0086-zlib\|ZLib]] | active | <ul><li>\-</li></ul> |
<!-- SerializedQuery END -->
> [!info] Statistics
> **38 families** cataloged - **36 active** - The category with the greatest diversity of APT developers - Operations measured in years, not days
## Defenses and Mitigations
- [[m1042-disable-or-remove-feature-or-program|M1042 - Disable or Remove Feature]] - Reduce the attack surface
- [[m1031-network-intrusion-prevention|M1031 - Network Intrusion Prevention]] - Detection of beacons inside legitimate protocols
- [[m1026-privileged-account-management|M1026 - Privileged Account Management]] - Zero trust for privileged access
- DNS monitoring to detect DNS tunneling
- Analysis of outbound traffic to identify periodic beacons
## Related
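The two detections named in the last two items, periodic beacons in outbound traffic and data-carrying DNS query names, as an added example that is not part of the original note: it runs over constructed flow and DNS log lines, and the hosts, names and thresholds are assumptions chosen for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound flow records ("timestamp src dst port"), not real data:
# 10.0.0.5 checks in once an hour with a few seconds of drift; 10.0.0.7 is
# ordinary, irregular browsing to the same kind of HTTPS destination.
FLOW_LOG = """\
2024-05-01T00:00:00 10.0.0.5 203.0.113.10 443
2024-05-01T01:00:03 10.0.0.5 203.0.113.10 443
2024-05-01T01:59:58 10.0.0.5 203.0.113.10 443
2024-05-01T03:00:00 10.0.0.5 203.0.113.10 443
2024-05-01T00:12:31 10.0.0.7 198.51.100.20 443
2024-05-01T00:13:04 10.0.0.7 198.51.100.20 443
2024-05-01T02:47:19 10.0.0.7 198.51.100.20 443
2024-05-01T03:05:40 10.0.0.7 198.51.100.20 443
"""

# Constructed DNS query records ("src queried-name"); the two long hex labels
# under t.example.net stand in for data carried inside a query name.
DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.9 4f3a9c1e7b2d8a60f1c5.t.example.net
10.0.0.9 9e2b7d4c0a6f13e8b5d7.t.example.net
"""

def find_beacons(log, min_events=4, max_cv=0.05, min_interval=600):
    """Return {(src, dst): mean_gap_seconds} for pairs whose contact intervals
    are long and regular. A pull-based backdoor polls on a schedule, so
    stdev/mean of its inter-arrival times stays near zero even at one hour."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _port = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg)
    return hits

def shannon_entropy(s):
    """Bits per character of the string s."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_tunnel_labels(log, min_len=16, min_entropy=3.5):
    """Return {src: [names]} where the leftmost DNS label is long and
    high-entropy, the usual shape of data smuggled inside query names."""
    suspects = defaultdict(list)
    for line in log.splitlines():
        src, name = line.split()
        label = name.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            suspects[src].append(name)
    return dict(suspects)
```

On real telemetry the thresholds need tuning per environment, and both checks are meant to surface candidates for analyst review rather than to block traffic on their own.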
[[_malware]] - [[_groups]] - [[t1543-003-windows-service|T1543.003 - Windows Service]] - [[t1071-004-dns|T1071.004 - DNS]] - [[t1027-defense-evasion|T1027 - Obfuscated Files or Information]]