This report includes key findings, background on the Operation SMN effort and its intended goals, some preliminary data on its impact, analysis of campaign targets, operational practices of Axiom, as well as some strategic analysis of potential motivations and groups behind the tasking of Axiom actors.
This report outlines in detail the full known lineage and capabilities of the HiKit malware family as it is known to Novetta and the Operation SMN coalition.
This report outlines in detail the functioning of the ZoxPNG member of the Zox family, and includes some preliminary analysis of ZoxRPC, a relative of the ZoxPNG malware.
This triage report outlines one of the specific malware families the threat actor group uses and preliminary analysis of the findings of the coalition.
These are YARA signatures, created by Novetta, that will detect and identify malware families that Axiom has used.
These are hashes of malware binaries that are members of malware families that Axiom has used.
These are YARA signatures, created by ThreatConnect, that will detect and identify malware families that Axiom has used.
This reverse engineering report outlines the capabilities of newer versions of Winnti that were observed during Operation SMN, including details on the malware’s start-up sequence, basic capabilities, and C2 communication protocol.
This list contains hashes of Winnti samples that can be found in VirusTotal.
This report provides an analysis of the attacks observed targeting Novetta’s ElasticSearch honeypots, including the malware installed by attackers, the attackers’ tactics, techniques and protocols (TTPs), as well as remediation suggestions for vulnerable ElasticSearch instances.