Velvet Ant
Overview
Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1211
TTPs — 22 techniques across 8 tactics
Execution
- T1047 Windows Management Instrumentation
- T1059.004 Unix Shell
- T1569.002 Service Execution
Persistence
- T1037.004 RC Scripts
- T1133 External Remote Services
Stealth
- T1036.005 Match Legitimate Resource Name or Location
- T1055 Process Injection
- T1078.003 Local Accounts
- T1211 Exploitation for Stealth
- T1574.001 DLL
Defense Impairment
Credential Access
- T1040 Network Sniffing
Discovery
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
- T1570 Lateral Tool Transfer
Command and Control
- T1071 Application Layer Protocol
- T1090.001 Internal Proxy
- T1132 Data Encoding
- T1571 Non-Standard Port
- T1573.002 Asymmetric Cryptography
Tools & malware (2)
PlugX · Impacket