New Adversary Playbooks on Unit 42

Community Team Member

Learn about new Adversary Playbooks from Palo Alto Networks Unit 42 and view two featured Learning Happy Hour episodes with a malware analyst and a threat hunter. Got questions? Get answers here on LIVEcommunity.


Unit 42 recently released 11 new Adversary Playbooks as part of its mission to provide actionable threat intelligence. Playbooks organize the tools, techniques, and procedures (TTPs) that an adversary uses into a structured format that can easily be shared and built upon. All of the Playbooks Unit 42 has released can be accessed through the Playbook Viewer.


A few brief descriptions of the new Unit 42 Adversary Playbooks:

  • MuddyWater: In Spring 2019, the group altered its TTPs to evade particular security controls in the BlackWater attack campaign. An espionage campaign previously conflated with FIN7 activity, MuddyWater was first reported by Unit 42 in November 2017.
  • Scarlet Mimic: Unveiled by Unit 42 in early 2016 and active since at least 2014, this espionage campaign largely targeted Tibetan and Uyghur activists using a suite of custom Windows and Android malware.
  • Inception: Active since at least 2014, this adversary used custom malware for a variety of platforms to target a range of industries, primarily in Russia, but also around the world. In October 2018 Inception used a new PowerShell backdoor and CVE-2017-11882 in attacks against European targets.
  • Windshift: In February 2019, Unit 42 shared additional targeting and technical data tied to this espionage group, first reported in October 2018. The group’s targets are primarily located in the Middle East. It is unique in that it only targets OSX systems with custom malware.
  • Sofacy: Active since at least 2007, this Russian-attributed espionage group persistently attacked government and private organizations around the world from mid-October 2018 through mid-November 2018. The majority of targets were NATO-aligned nation states, although several former USSR nation states were also targeted.
  • Chafer: In November 2018, the espionage group Chafer, active since at least 2015, targeted a Turkish government entity. While investigating, Unit 42 discovered a new secondary Python-based payload we named MechaFlounder, marking the first time Unit 42 observed this group use a Python-based payload.
  • Gorgon Group: Unit 42 researchers unveiled the Gorgon Group in August 2018. The group performed a litany of attacks and operations around the globe, involving both criminal and targeted attacks. It was discovered while monitoring Subaat, an apparent member of Gorgon Group, whom Unit 42 started tracking in 2017.
  • Cobalt Gang: While investigating ongoing commodity attacks by the Cobalt Gang in October 2018, Unit 42 identified the use of a common macro builder and specific document metadata that allowed us to track and cluster new activity and infrastructure.
  • Th3bug: In the summer of 2014, this cyber espionage group compromised multiple websites for use in watering hole attacks. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to infect website visitors. These often target popular websites frequented by people who work in specific industries or hold political sympathies of interest to the actors.
  • Rocke: In January 2019, Unit 42 revealed that this China-based cybercrime group had added new code to its Linux coin mining malware to uninstall five different cloud security protection and monitoring products from compromised servers. The products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China that are expanding their business globally. This is the first malware family Unit 42 has seen with the unique capability to target and remove cloud security products.
  • CozyDuke: Active since at least 2008, this Russian-attributed espionage group launched a spear phishing campaign beginning in early July 2015 that leveraged new malware we named MiniDionis. The new malware, which is related to the group’s Seaduke malware, appeared to target government organizations and think-tanks located in democratic countries, and utilized compromised, legitimate websites for spear phishing and C2 activity.

All Adversary Playbooks can be viewed courtesy of Unit 42.





Want to learn more about threats, exploits, attacks and the like? Be sure to check out these Learning Happy Hour episodes:

Q&A With A Malware Analyst (Bonus Episode 18) Learning Happy Hour

Have you ever wondered how malware is caught and identified? Have you ever been curious who the people are behind the scenes working to stop the spread of cyber threats? Learn about all of this and more as Tacoma Bob interviews a Palo Alto Networks Unit 42 Malware Analyst (Brad Duncan).

Interview with a Threat Hunter (Bonus Episode 4) Learning Happy Hour

In this bonus episode of Learning Happy Hour, Jason and Mitch interview Brian Lee, Principal Researcher in Unit 42. Follow along as they cover a list of topics and Brian takes them through the cybersecurity zoo.


Check out more from Unit 42 with the Learning Happy Hour here in the LIVEcommunity and on our YouTube channel.


Be sure to give Mitch and Jason a thumbs up if you're enjoying the lively exchange between Learning Happy Hour and Unit 42 experts!

