{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T16:33:50Z","timestamp":1771950830872,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":113,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"\u00d6sterreichische Forschungsf\u00f6rderungsgesellschaft","award":["SBA-K1"],"award-info":[{"award-number":["SBA-K1"]}]},{"name":"European Union - Recovery, Transformation and Resilience Plan (Next Generation)","award":["C127\/23"],"award-info":[{"award-number":["C127\/23"]}]},{"DOI":"10.13039\/501100001821","name":"Vienna Science and Technology Fund","doi-asserted-by":"publisher","award":["ICT19-056"],"award-info":[{"award-number":["ICT19-056"]}],"id":[{"id":"10.13039\/501100001821","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Google ASPIRE Award","award":["NA"],"award-info":[{"award-number":["NA"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,9,30]]},"DOI":"10.1145\/3678890.3678909","type":"proceedings-article","created":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T22:23:36Z","timestamp":1727648616000},"page":"114-129","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["ADAPT it! Automating APT Campaign and Group Attribution by Leveraging and Linking Heterogeneous Files"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-7161-9964","authenticated-orcid":false,"given":"Aakanksha","family":"Saha","sequence":"first","affiliation":[{"name":"TU Wien, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4392-9023","authenticated-orcid":false,"given":"Jorge","family":"Blasco","sequence":"additional","affiliation":[{"name":"Universidad Polit\u00e9cnica de Madrid, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3878-2680","authenticated-orcid":false,"given":"Lorenzo","family":"Cavallaro","sequence":"additional","affiliation":[{"name":"University College London, United Kingdom"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7001-4481","authenticated-orcid":false,"given":"Martina","family":"Lindorfer","sequence":"additional","affiliation":[{"name":"TU Wien, Austria"}]}],"member":"320","published-online":{"date-parts":[[2024,9,30]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proc. of the 27th Network and Distributed System Security Symposium (NDSS).","author":"Aghakhani Hojjat","year":"2020","unstructured":"[1] Hojjat Aghakhani, Fabio Gritti, Francesco Mecca, Martina Lindorfer, Stefano Ortolani, Davide Balzarotti, Giovanni Vigna, and Christopher Kruegel. 2020. When Malware is Packing Heat; Limits of Machine Learning Classifiers based on Static Analysis Features. In Proc. of the 27th Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2857705.2857713"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3230833.3233280"},{"key":"e_1_3_2_1_4_1","unstructured":"[4] AlienVault. 2022. Open Threat Exchange. https:\/\/otx.alienvault.com\/."},{"key":"e_1_3_2_1_5_1","volume-title":"Proc. of the 9th International Symposium on Foundations and Practice of Security (FPS).","author":"Alrabaee Saed","year":"2016","unstructured":"[5] Saed Alrabaee, Paria Shirani, Mourad Debbabi, and LingyuWang. 2016. On the Feasibility of Malware Authorship Attribution. In Proc. of the 9th International Symposium on Foundations and Practice of Security (FPS)."},{"key":"e_1_3_2_1_6_1","volume-title":"Anderson and Phil Roth","author":"Hyrum","year":"2018","unstructured":"[6] Hyrum S. Anderson and Phil Roth. 2018. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models. (2018). arXiv: 180 4.04637 [cs.CR]."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3477314.3507097"},{"key":"e_1_3_2_1_8_1","volume-title":"Proc. of the 31st USENIX Security Symposium (USENIX Security).","author":"Arp Daniel","year":"2022","unstructured":"[8] Daniel Arp, Erwin Quiring, Feargus Pendlebury, Alexander Warnecke, Fabio Pierazzi, Christian Wressnegger, Lorenzo Cavallaro, and Konrad Rieck. 2022. Dos and Don\u2019t of Machine Learning in Computer Security. In Proc. of the 31st USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_9_1","volume-title":"Jeff Johnson, Taylor Long, Michelle Cantos, and Adrian Hernandez.","author":"Barnhart Michael","year":"2023","unstructured":"[9] Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, and Adrian Hernandez. 2023. Assessed Cyber Structure and Alignments of North Korea in 2023. (Oct. 10, 2023). https:\/\/www.mandiant.com\/resources\/bl og\/north-korea-cyber-structure-alignment-2023."},{"key":"e_1_3_2_1_10_1","volume-title":"Virus Bulletin Conference.","author":"Bartholomew Brian","year":"2016","unstructured":"[10] Brian Bartholomew and Juan Andres Guerrero-Saade. 2016. Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks. In Virus Bulletin Conference."},{"key":"e_1_3_2_1_11_1","volume-title":"Proc. of the 16th Network and Distributed System Security Symposium (NDSS).","author":"Bayer Ulrich","year":"2009","unstructured":"[11] Ulrich Bayer, Paolo Milani Comparetti, Clemens Hlauschek, Christopher Kruegel, and Engin Kirda. 2009. Scalable, Behavior-based Malware Clustering. In Proc. of the 16th Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_12_1","unstructured":"[12] Blockchain.com. 2016. Bitcoin Address. https:\/\/www.blockchain.com\/explore r\/addresses\/btc\/1QLDYEyeo8c6CFHdcEB5yBjQw6pcRiTdN5."},{"key":"e_1_3_2_1_13_1","first-page":"2","article-title":"One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware","volume":"24","author":"Botacin Marcus","year":"2021","unstructured":"[13] Marcus Botacin, Hojjat Aghakhani, Stefano Ortolani, Christopher Kruegel, Giovanni Vigna, Daniela Oliveira, Paulo L\u00edcio De Geus, and Andr\u00e9 Gr\u00e9gio. 2021. One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware. ACM Transactions on Privacy and Security (TOPS), 24, 2.","journal-title":"ACM Transactions on Privacy and Security (TOPS)"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/NTMS.2016.7792480"},{"key":"e_1_3_2_1_15_1","volume-title":"Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. (Mar. 8","author":"Brown Rufus","year":"2022","unstructured":"[15] Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, and JohnWolfram. 2022. Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. (Mar. 8, 2022). https:\/\/www.mandiant.com\/resources\/blog\/apt4 1-us-state-governments."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831160"},{"key":"e_1_3_2_1_17_1","volume-title":"Tracking the Cross-Domain Solorigate Attack from Endpoint to the Cloud. (Dec. 28","author":"Microsoft Security Response Center","year":"2020","unstructured":"[17] Microsoft Security Response Center. 2020. Tracking the Cross-Domain Solorigate Attack from Endpoint to the Cloud. (Dec. 28, 2020). https:\/\/www.micros oft.com\/en-us\/security\/blog\/2020\/12\/28\/using-microsoft-365-defender-tocoordinate- protection-against-solorigate\/."},{"key":"e_1_3_2_1_18_1","volume-title":"Cyber Warfare in the Shadow of the India-Pakistan War - A Summary of Recent Indo-Pakistani APT Attack Activities. (Sept. 9","author":"Tencent Security Threat Intelligence Center","year":"2019","unstructured":"[18] Tencent Security Threat Intelligence Center. 2019. Cyber Warfare in the Shadow of the India-Pakistan War - A Summary of Recent Indo-Pakistani APT Attack Activities. (Sept. 9, 2019). https:\/\/mp.weixin.qq.com\/s\/pJ-rnzB7 VMZ0feM2X0ZrHA."},{"key":"e_1_3_2_1_19_1","volume-title":"AppleJeus: JMT Trading. (Apr. 15","author":"CISA.","year":"2021","unstructured":"[19] CISA. 2021. AppleJeus: JMT Trading. (Apr. 15, 2021). https:\/\/www.cisa.gov\/ne ws-events\/cybersecurity-advisories\/aa21-048a."},{"key":"e_1_3_2_1_20_1","volume-title":"Advanced Persistent Threat: Understanding the Danger and How to Protect your Organization","author":"Cole Eric","unstructured":"[20] Eric Cole. 2012. Advanced Persistent Threat: Understanding the Danger and How to Protect your Organization. Syngress Publishing."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00054"},{"key":"e_1_3_2_1_22_1","volume-title":"APT Malware Dataset. (July 16","year":"2019","unstructured":"[22] cyber-research. 2019. APT Malware Dataset. (July 16, 2019). https:\/\/github.co m\/cyber-research\/APTMalware."},{"key":"e_1_3_2_1_23_1","volume-title":"Sidewinder APT Targets with Futuristic Tactics and Techniques. (Sept. 26","year":"2020","unstructured":"[23] Cyble. 2020. Sidewinder APT Targets with Futuristic Tactics and Techniques. (Sept. 26, 2020). https:\/\/blog.cyble.com\/2020\/09\/26\/sidewinder-apt-targets-wi th-futuristic-tactics-and-techniques\/."},{"key":"e_1_3_2_1_24_1","volume-title":"DoNot Team APT Updates its Malware Arsenal. (Aug. 12","year":"2020","unstructured":"[24] Cyware. 2020. DoNot Team APT Updates its Malware Arsenal. (Aug. 12, 2020). https:\/\/cyware.com\/news\/donot-team-apt-updates-its-malware-arsenal-a5 a76e92."},{"key":"e_1_3_2_1_25_1","volume-title":"DPRK Hacking Indictment. (Feb. 17","author":"DOJ.","year":"2021","unstructured":"[25] DOJ. 2021. DPRK Hacking Indictment. (Feb. 17, 2021). https:\/\/www.justice.go v\/d9\/press-releases\/attachments\/2021\/02\/17\/dprk_hacking_-_indictment_1 _0.pdf."},{"key":"e_1_3_2_1_26_1","volume-title":"Proc. of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS).","author":"Durumeric Zakir","unstructured":"[26] Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman. 2015. A Search Engine Backed by Internet-Wide Scanning. In Proc. of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS)."},{"key":"e_1_3_2_1_27_1","unstructured":"[27] Hugging Face. 2022. all-MiniLM-L12-v2. https:\/\/huggingface.co\/sentence-tra nsformers\/all-MiniLM-L12-v2."},{"key":"e_1_3_2_1_28_1","unstructured":"[28] Hugging Face. 2022. Multi-qa-mpnet-base-dot-v1. https:\/\/huggingface.co\/sen tence-transformers\/multi-qa-mpnet-base-dot-v1."},{"key":"e_1_3_2_1_29_1","unstructured":"[29] FBI. 2018. APT 10 Group. (Dec. 17 2018). https:\/\/www.fbi.gov\/wanted\/cyber \/apt-10-group."},{"key":"e_1_3_2_1_30_1","unstructured":"[30] FBI. 2020. APT 41 Group. (Aug. 11 2020). https:\/\/www.fbi.gov\/wanted\/cyber \/apt-41-group."},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"crossref","unstructured":"[31] Ibrahim Ghafir Mohammad Hammoudeh Vaclav Prenosil Liangxiu Han Robert Hegarty Khaled Rabie and Francisco J Aparicio-Navarro. 2018. Detection of Advanced Persistent Threat using Machine-Learning Correlation Analysis. Future Generation Computer Systems 89.","DOI":"10.1016\/j.future.2018.06.055"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3653973"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"crossref","unstructured":"[33] Weijie Han Jingfeng Xue YongWang Fuquan Zhang and Xianwei Gao. 2021. APTMalInsight: Identify and Cognize APT Malware Based on System Call Information and Ontology Knowledge Framework. Information Sciences 546.","DOI":"10.1016\/j.ins.2020.08.095"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"crossref","unstructured":"[35] Irfan Ul Haq Sergio Chica Juan Caballero and Somesh Jha. 2018. Malware Lineage in the Wild. Computers & Security 78.","DOI":"10.1016\/j.cose.2018.07.012"},{"key":"e_1_3_2_1_36_1","volume-title":"The Evolution of Sidewinder APT and their Modus Operandi. (Dec. 9","year":"2022","unstructured":"[36] Hawkeye. 2022. The Evolution of Sidewinder APT and their Modus Operandi. (Dec. 9, 2022). https:\/\/www.hawk-eye.io\/2022\/12\/the-evolution-of-sidewinde r-apt-and-their-modus-operandi\/."},{"key":"e_1_3_2_1_37_1","volume-title":"Proc. of the 41st IEEE Symposium on Security & Privacy (S&P).","author":"Hossain Md Nahid","unstructured":"[37] Md Nahid Hossain, Sanaz Sheikhi, and R. Sekar. 2020. Combating Dependence Explosion in Forensic Analysis using Alternative Tag Propagation Semantics. In Proc. of the 41st IEEE Symposium on Security & Privacy (S&P)."},{"key":"e_1_3_2_1_38_1","volume-title":"Fact Sheet: Imposing Costs for Harmful Foreign Activities by the Russian Government. (Apr. 15","author":"House The White","year":"2021","unstructured":"[38] The White House. 2021. Fact Sheet: Imposing Costs for Harmful Foreign Activities by the Russian Government. (Apr. 15, 2021). https:\/\/www.whitehou se.gov\/briefing-room\/statements-releases\/2021\/04\/15\/fact-sheet-imposingcosts- for-harmful-foreign-activities-by-the-russian-government\/."},{"key":"e_1_3_2_1_39_1","volume-title":"Handling Vanishing Gradient Problem using Artificial Derivative","author":"Hu Zheng","unstructured":"[39] Zheng Hu, Jiaojiao Zhang, and Yun Ge. 2021. Handling Vanishing Gradient Problem using Artificial Derivative. IEEE Access, 9."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/331499.331504"},{"key":"e_1_3_2_1_41_1","volume-title":"Proc. of the 22nd USENIX Security Symposium (USENIX Security).","author":"Jang Jiyong","year":"2013","unstructured":"[41] Jiyong Jang, Maverick Woo, and David Brumley. 2013. Towards Automatic Software Lineage Inference. In Proc. of the 22nd USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_42_1","volume-title":"Proc. of the 32nd USENIX Security Symposium (USENIX Security).","author":"Jia Zian","year":"2023","unstructured":"[42] Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, and Mi Wen. 2023. MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning. In Proc. of the 32nd USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3230833.3230849"},{"key":"e_1_3_2_1_44_1","volume-title":"The Gamaredon Group Toolset Evolution. (Feb. 27","author":"Kasza Anthony","year":"2017","unstructured":"[44] Anthony Kasza and Dominik Reiche. 2017. The Gamaredon Group Toolset Evolution. (Feb. 27, 2017). https:\/\/unit42.paloaltonetworks.com\/unit-42-titlegamaredon- group-toolset-evolution\/."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00057"},{"key":"e_1_3_2_1_46_1","volume-title":"A Global Perspective of the SideWinder APT. (Jan. 13","author":"Labs Alien","year":"2021","unstructured":"[46] Alien Labs. 2021. A Global Perspective of the SideWinder APT. (Jan. 13, 2021). https:\/\/cdn-cybersecurity.att.com\/docs\/global-perspective-of-the-sidewind er-apt.pdf."},{"key":"e_1_3_2_1_47_1","volume-title":"Oletools - Python Tools to Analyze OLE and MS Office Files (version 0.60.1). (May 9","author":"Lagadec Philippe","year":"2022","unstructured":"[47] Philippe Lagadec. 2022. Oletools - Python Tools to Analyze OLE and MS Office Files (version 0.60.1). (May 9, 2022). https:\/\/github.com\/decalage2\/oletools."},{"key":"e_1_3_2_1_48_1","volume-title":"Proc. of the International Workshop on Security for Financial Critical Infrastructures and Services (FINSEC).","author":"Laurenza Giuseppe","year":"2019","unstructured":"[48] Giuseppe Laurenza and Riccardo Lazzeretti. 2019. dAPTaset: A Comprehensive Mapping of APT-Related Data. In Proc. of the International Workshop on Security for Financial Critical Infrastructures and Services (FINSEC)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/CTC.2014.14"},{"key":"e_1_3_2_1_50_1","volume-title":"Active North Korean Campaign Targeting Security Researchers. (Sept. 7","author":"Lecigne Clement","year":"2023","unstructured":"[50] Clement Lecigne and Maddie Stone. 2023. Active North Korean Campaign Targeting Security Researchers. (Sept. 7, 2023). https:\/\/blog.google\/threat-anal ysis-group\/active-north-korean-campaign-targeting-security-researchers\/."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.23204"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2421001"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_18"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICICS.2013.6782846"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"crossref","unstructured":"[55] Moustafa Mahmoud Mohammad Mannan and Amr Youssef. 2022. APTHunter: Detecting Advanced Persistent Threats in Early Stages. Digital Threats: Research and Practice 4.","DOI":"10.1145\/3559768"},{"key":"e_1_3_2_1_56_1","unstructured":"[56] Malcat. 2024. Binary Analysis Software (version 0.8.3). https:\/\/malcat.fr\/."},{"key":"e_1_3_2_1_57_1","unstructured":"[57] Malpedia. 2024. Lazarus Group. (Mar. 2024). https:\/\/malpedia.caad.fkie.fraun hofer.de\/actor\/lazarus_group."},{"key":"e_1_3_2_1_58_1","volume-title":"APT1: Exposing One of China\u2019s Cyber Espionage Units. (Dec. 30","year":"2021","unstructured":"[58] Mandiant. 2021. APT1: Exposing One of China\u2019s Cyber Espionage Units. (Dec. 30, 2021). https:\/\/www.mandiant.com\/resources\/apt1-exposing-one-ofchinas- cyber-espionage-units."},{"key":"e_1_3_2_1_59_1","unstructured":"[59] Mandiant. 2022. Advanced Persistent Threats (APTs). https:\/\/www.mandiant.com\/resources\/insights\/apt-groups. (2022)."},{"key":"e_1_3_2_1_60_1","volume-title":"Cons and Compromises. (Aug. 12","year":"2022","unstructured":"[60] Mandiant. 2022. APT42: Crooked Charms, Cons and Compromises. (Aug. 12, 2022). https:\/\/www.mandiant.com\/media\/17826."},{"key":"e_1_3_2_1_61_1","volume-title":"Supply Chain Analysis: From Quartermaster to Sunshop. (Jan. 20","year":"2022","unstructured":"[61] Mandiant. 2022. Supply Chain Analysis: From Quartermaster to Sunshop. (Jan. 20, 2022). https:\/\/www.mandiant.com\/resources\/supply-chain-analysisfrom- quartermaster-to-sunshop."},{"key":"e_1_3_2_1_62_1","volume-title":"FLOSS - FLARE Obfuscated String Solver (v2.2.0). (Dec. 12","year":"2023","unstructured":"[62] Mandiant. 2023. FLOSS - FLARE Obfuscated String Solver (v2.2.0). (Dec. 12, 2023). https:\/\/github.com\/mandiant\/flare-floss."},{"key":"e_1_3_2_1_63_1","unstructured":"[63] Mandiant. 2024. Uncategorized (UNC) Threat Groups. (Mar. 2024). https:\/\/ww w.mandiant.com\/resources\/insights\/uncategorized-unc-threat-groups."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24297"},{"key":"e_1_3_2_1_65_1","unstructured":"[65] Morgan Marquis-Boire Marion Marschalek and Claudio Guarnieri. 2015. Big Game Hunting: The Peculiarities in Nation-State Malware Research. In BlackHat USA."},{"key":"e_1_3_2_1_66_1","volume-title":"Proc. of the 19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA).","author":"Meloni Francesco","year":"2022","unstructured":"[66] Francesco Meloni, Alessandro Sanna, Davide Maiorca, and Giorgio Giacinto. 2022. Effective Call Graph Fingerprinting for the Analysis and Classification of Windows Malware. In Proc. of the 19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)."},{"key":"e_1_3_2_1_67_1","volume-title":"Manage Exclusions for Microsoft Defender. (July 8","year":"2023","unstructured":"[67] Microsoft. 2023. Manage Exclusions for Microsoft Defender. (July 8, 2023). https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoi nt\/defender-endpoint-antivirus-exclusions."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-26834-3_10"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-80825-9_7"},{"key":"e_1_3_2_1_70_1","unstructured":"[70] MITRE. 2020. Sidewinder. https:\/\/attack.mitre.org\/groups\/G0121\/."},{"key":"e_1_3_2_1_71_1","unstructured":"[71] MITRE. 2021. Transparent Tribe. https:\/\/attack.mitre.org\/groups\/G0134\/."},{"key":"e_1_3_2_1_72_1","unstructured":"[72] MITRE. 2022. MITRE Campaigns. https:\/\/attack.mitre.org\/campaigns\/."},{"key":"e_1_3_2_1_73_1","unstructured":"[73] MITRE. 2023. MITRE Groups. https:\/\/attack.mitre.org\/groups\/."},{"key":"e_1_3_2_1_74_1","volume-title":"Advisory: APT29 Targets COVID-19 Vaccine Development. (July 16","author":"NCSC.","year":"2020","unstructured":"[74] NCSC. 2020. Advisory: APT29 Targets COVID-19 Vaccine Development. (July 16, 2020). https:\/\/media.defense.gov\/2020\/Jul\/16\/2002457639\/- 1\/- 1\/0\/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF."},{"key":"e_1_3_2_1_75_1","unstructured":"[75] NIST. 2017. CVE-2017-11882. (Nov. 14 2017). https:\/\/nvd.nist.gov\/vuln\/detail \/CVE-2017-11882."},{"key":"e_1_3_2_1_76_1","unstructured":"[76] NIST. 2024. Advanced Persistent Threats. https:\/\/csrc.nist.gov\/topics\/security -and-privacy\/risk-management\/threats\/advanced-persistent-threats."},{"key":"e_1_3_2_1_77_1","unstructured":"[77] NIST. 2024. Threat Actor. https:\/\/csrc.nist.gov\/glossary\/term\/threat_actor."},{"key":"e_1_3_2_1_78_1","unstructured":"[78] NIST. 2024. Threat Scenario. https:\/\/csrc.nist.gov\/glossary\/term\/threat_scena rio."},{"key":"e_1_3_2_1_79_1","article-title":"Scikit-learn: Machine Learning in Python","author":"Pedregosa Fabian","year":"2011","unstructured":"[79] Fabian Pedregosa, Ga\u00ebl Varoquaux, Alexandre Gramfort, Vincent Michel, Bertrand Thirion, Olivier Grisel, Mathieu Blondel, Peter Prettenhofer, Ron Weiss, Vincent Dubourg, Jake Vanderplas, Alexandre Passos, David Cournapeau, Matthieu Brucher, Matthieu Perrot, and\u00c9douard Duchesnay. 2011. Scikit-learn: Machine Learning in Python. Journal of Machine Learning Research, 12.","journal-title":"Journal of Machine Learning Research, 12."},{"key":"e_1_3_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855711.1855737"},{"key":"e_1_3_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2012.6461006"},{"key":"e_1_3_2_1_82_1","unstructured":"[82] PyPi. 2022. Python Magic. (June 7 2022). https:\/\/pypi.org\/project\/python-ma gic\/."},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D19-1410"},{"key":"e_1_3_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2022.3175719"},{"key":"e_1_3_2_1_85_1","volume-title":"SolarWinds Hack was Largest and Most Sophisticated Attack Ever: Microsoft President. (Feb. 15","year":"2021","unstructured":"[85] Reuters. 2021. SolarWinds Hack was Largest and Most Sophisticated Attack Ever: Microsoft President. (Feb. 15, 2021). https:\/\/www.reuters.com\/article\/us -cyber-solarwinds-microsoft-idUSKBN2AF03R."},{"key":"e_1_3_2_1_86_1","volume-title":"Rewterz Threat Alert\u2013 SideWinder APT Group aka Rattlesnake \u2013 Active IOCs. (Mar. 8","year":"2024","unstructured":"[86] Rewterz. 2024. Rewterz Threat Alert\u2013 SideWinder APT Group aka Rattlesnake \u2013 Active IOCs. (Mar. 8, 2024). https:\/\/www.rewterz.com\/rewterz-news\/rewter z-threat-alert-sidewinder-apt-group-aka-rattlesnake-active-iocs-2\/."},{"key":"e_1_3_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_6"},{"key":"e_1_3_2_1_88_1","volume-title":"Proc. of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID).","author":"Faruk Rokon Md Omar","year":"2020","unstructured":"[88] Md Omar Faruk Rokon, Risul Islam, Ahmad Darki, Evangelos E Papalexakis, and Michalis Faloutsos. 2020. SourceFinder: Finding Malware Source-Code from Publicly Available Repositories in GitHub. In Proc. of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID)."},{"key":"e_1_3_2_1_89_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-68612-7_11"},{"key":"e_1_3_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23822-2_10"},{"key":"e_1_3_2_1_91_1","unstructured":"[91] Florian Roth. 2018-03-25. The Newcomer\u2019s Guide to Cyber Threat Actor Naming. https:\/\/cyb3rops.medium.com\/the-newcomers-guide-to-cyber-thr eat-actor-naming-7428e18ee263."},{"key":"e_1_3_2_1_92_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSC61021.2023.10354155"},{"key":"e_1_3_2_1_93_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW61312.2024.00065"},{"key":"e_1_3_2_1_94_1","unstructured":"[94] scikit-learn. 2024. Hierarchical Clustering. https:\/\/scikit-learn.org\/stable\/mod ules\/clustering.html#hierarchical-clustering."},{"key":"e_1_3_2_1_95_1","unstructured":"[95] scikit-learn. 2024. Silhouette Score. https:\/\/scikit-learn.org\/stable\/modules\/ge nerated\/sklearn.metrics.silhouette_score.html."},{"key":"e_1_3_2_1_96_1","unstructured":"[96] Elastic Security. 2024. Elastic Security Detection Content for Endpoint. https: \/\/github.com\/elastic\/protections-artifacts."},{"key":"e_1_3_2_1_97_1","volume-title":"Microsoft Shifts to a New Threat Actor Naming Taxonomy. (Apr","author":"Security Microsoft","year":"2023","unstructured":"[97] Microsoft Security. 2023. Microsoft Shifts to a New Threat Actor Naming Taxonomy. (Apr. 2023). https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023 \/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/."},{"key":"e_1_3_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1109\/CPEE.2017.8093043"},{"key":"e_1_3_2_1_99_1","volume-title":"Hidost: A Static Machine-Learning- Based Detector of Malicious Files. EURASIP Journal on Information Security.","author":"Pavel Laskov Nedim\u0160rndi\u0107","year":"2016","unstructured":"[99] Nedim\u0160rndi\u0107 and Pavel Laskov. 2016. Hidost: A Static Machine-Learning- Based Detector of Malicious Files. EURASIP Journal on Information Security."},{"key":"e_1_3_2_1_100_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICTAI.2004.7"},{"key":"e_1_3_2_1_101_1","volume-title":"What\u2019s with the shared VBA code between Transparent Tribe and other threat actors? (Feb. 9","author":"Svajcer Vanja","year":"2022","unstructured":"[101] Vanja Svajcer and Vitor Ventura. 2022. What\u2019s with the shared VBA code between Transparent Tribe and other threat actors? (Feb. 9, 2022). https:\/\/blo g.talosintelligence.com\/2022\/02\/whats-with-shared-vba-code.html."},{"key":"e_1_3_2_1_102_1","volume-title":"LIEF - Library to Instrument Executable Formats (version 0.13.1). (Feb. 11","author":"Thomas Romain","year":"2024","unstructured":"[102] Romain Thomas. 2024. LIEF - Library to Instrument Executable Formats (version 0.13.1). (Feb. 11, 2024). https:\/\/lief.quarkslab.com\/."},{"key":"e_1_3_2_1_103_1","volume-title":"Afghanistan in Wide- Ranging Spy Campaign. (Dec. 9","year":"2020","unstructured":"[103] Threatpost. 2020. SideWinder APT Targets Nepal, Afghanistan in Wide- Ranging Spy Campaign. (Dec. 9, 2020). https:\/\/threatpost.com\/sidewind er-apt-nepal-afghanistan-spy-campaign\/162086\/."},{"key":"e_1_3_2_1_104_1","volume-title":"Targeting Linux and Windows. (July 6","author":"Tomonaga Shusei","year":"2018","unstructured":"[104] Shusei Tomonaga. 2018. Malware\u201cWellMess\u201d Targeting Linux and Windows. (July 6, 2018). https:\/\/blogs.jpcert.or.jp\/en\/2018\/07\/malware-wellmes-9b78.ht ml."},{"key":"e_1_3_2_1_105_1","volume-title":"Trellix Insights: FireEye Red Team Tools Stolen in Cyber Attack. (Aug. 29","year":"2022","unstructured":"[105] Trellix. 2022. Trellix Insights: FireEye Red Team Tools Stolen in Cyber Attack. (Aug. 29, 2022). https:\/\/kcm.trellix.com\/corporate\/index?page=content&id =KB93880."},{"key":"e_1_3_2_1_106_1","volume-title":"Mobile Attacks. (Dec. 9","year":"2020","unstructured":"[106] TrendMicro. 2020. SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks. (Dec. 9, 2020). https:\/\/www.trendmicro.com\/de_de\/research\/2 0\/l\/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html."},{"key":"e_1_3_2_1_107_1","volume-title":"Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. (Feb. 3","year":"2022","unstructured":"[107] Unit42. 2022. Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. (Feb. 3, 2022). https:\/\/unit42.paloaltonetworks.com\/gamar edon-primitive-bear-ukraine-update-2021\/."},{"key":"e_1_3_2_1_108_1","volume-title":"DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors. (Dec. 17","author":"Vanderlee Kelli","year":"2020","unstructured":"[108] Kelli Vanderlee. 2020. DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors. (Dec. 17, 2020). https:\/\/www.mandiant.com\/resource s\/blog\/how-mandiant-tracks-uncategorized-threat-actors."},{"key":"e_1_3_2_1_109_1","unstructured":"[109] VirusTotal. 2023. VirusTotal. https:\/\/www.virustotal.com\/."},{"key":"e_1_3_2_1_110_1","doi-asserted-by":"publisher","DOI":"10.1109\/QRS54544.2021.00018"},{"key":"e_1_3_2_1_111_1","volume-title":"New Campaign Targeting Security Researchers. (Jan. 25","author":"Weidemann Adam","year":"2021","unstructured":"[111] Adam Weidemann. 2021. New Campaign Targeting Security Researchers. (Jan. 25, 2021). https:\/\/blog.google\/threat-analysis-group\/new-campaign-targ eting-security-researchers\/."},{"key":"e_1_3_2_1_112_1","unstructured":"[112] Yara Rules Project. 2022. Repository of Yara Rules. https:\/\/github.com\/Yara- Rules\/rules."},{"key":"e_1_3_2_1_113_1","volume-title":"Proc. of the 28th ACM SIGSAC Conference on Computer and Communications Security (CCS).","author":"YongWong Miuyin","year":"2021","unstructured":"[113] Miuyin YongWong, MatthewLanden, Manos Antonakakis, Douglas M. Blough, Elissa M. Redmiles, and Mustaque Ahamad. 2021. An Inside Look into the Practice of Malware Analysis. In Proc. of the 28th ACM SIGSAC Conference on Computer and Communications Security (CCS)."}],"event":{"name":"RAID '24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Padua Italy","acronym":"RAID '24"},"container-title":["The 27th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678909","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3678890.3678909","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:00Z","timestamp":1750295880000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678909"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":113,"alternative-id":["10.1145\/3678890.3678909","10.1145\/3678890"],"URL":"https:\/\/doi.org\/10.1145\/3678890.3678909","relation":{},"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-09-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}