# KGH_SPY > Tipo: **malware** · S0526 · [MITRE ATT&CK](https://attack.mitre.org/software/S0526) ## Descrição [[s0526-kghspy|KGH_SPY]] é um conjunto modular de ferramentas utilizado pelo [[g0094-kimsuky|Kimsuky]] para reconhecimento, roubo de informações e funcionalidades de backdoor. O [[s0526-kghspy|KGH_SPY]] derivou seu nome de caminhos PDB e nomes internos encontrados em amostras contendo "KGH". **Plataformas:** Windows ## Técnicas Utilizadas - [[t1036-005-match-legitimate-resource-name-or-location|T1036.005 - Match Legitimaté Resource Name or Location]] - [[t1555-003-credentials-from-web-browsers|T1555.003 - Credentials from Web Browsers]] - [[t1059-003-windows-command-shell|T1059.003 - Windows Command Shell]] - [[t1204-002-malicious-file|T1204.002 - Malicious File]] - [[t1037-001-logon-script-windows|T1037.001 - Logon Script (Windows)]] - [[t1105-ingress-tool-transfer|T1105 - Ingress Tool Transfer]] - [[t1071-001-web-protocols|T1071.001 - Web Protocols]] - [[t1114-001-local-email-collection|T1114.001 - Local Email Collection]] - [[t1083-file-and-directory-discovery|T1083 - File and Directory Discovery]] - [[t1041-exfiltration-over-c2-channel|T1041 - Exfiltration Over C2 Channel]] - [[t1027-013-encryptedencoded-file|T1027.013 - Encrypted/Encoded File]] - [[t1059-001-powershell|T1059.001 - PowerShell]] - [[t1555-004-windows-credential-manager|T1555.004 - Windows Credential Manager]] - [[t1074-001-local-data-staging|T1074.001 - Local Data Staging]] - [[t1518-software-discovery|T1518 - Software Discovery]] ## Grupos que Usam - [[g0094-kimsuky|Kimsuky]] ## Referências - [MITRE ATT&CK - S0526](https://attack.mitre.org/software/S0526)