BeagleBoyz Threat Group Robbing Banks

BeagleBoyz is a newly identified group that is responsible for attempting to steal nearly $2 billion from various financial institutions in coordinated cash-out attacks in over 30 countries worldwide. These cyber-enabled ATM cash-out campaigns are publicly known as FASTCash.


You can test the effectiveness of your security controls against the FASTCash campaigns with "265977 BeagleBoyz Threat Group FASTCash 2.0 Campaign Attack Scenario" in the Picus Threat Library. You can also validate your defenses against the PowerRatankba Trojan Downloader used in this attack campaign with threats 255145, 461582, and 66239 in the Picus Threat Library.


Transparent Tribe

  • Picus Threat ID: 670692, 752639, 310594
  • Target Regions: Asia, Middle East
  • Target Industries: Government, Military
  • Malware: Crimson RAT


  • Picus Threat ID: 886802, 425472, 686303, 381573
  • Target Regions: Europe, US, UK, China, Middle East, Asia
  • Target Industries: Finance, Law, Consultancy, Government
  • Malware: Powersing


  • Picus Threat ID: 214029, 519330, 406961
  • Target Regions: North America, Europe, Asia
  • Target Industries: All
  • Malware: RedCurl Trojan Downloader

Our world-class red team analyzed 500,000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework


BeagleBoyz Threat Group FASTCash 2.0 Campaign

Picus Threat ID: 265977


1. Display the Groups using "whoami /groups"

Technique: T1033 System Owner/User Discovery

Tactic: Discovery


2. Execute a Keylogger that uses GetAsyncKeyState()

Technique: T1056 Input Capture

Tactic: Credential Access, Collection


3. Connect to RDP using mstsc.exe

Technique: T1076 Remote Desktop Protocol

Tactic: Lateral Movement


18. C2 Communication Over HTTPS Port 443

Technique: T1043 Commonly Used Port

Tactic: Command and Control

Conni RAT Scenario

Picus Threat ID: 506809



1. Copy Certutil.exe to TEMP by using Word Macro

Technique: T1204 User Execution

Tactic: Execution


2. Download First Stage Payload using Certutil.exe

Technique: T1105 Remote File Copy

Tactic: Command and Control, Lateral Movement

3. Create New Service for Persistence

Technique: T1050 New Service

Tactic: Privilege Escalation


7. Exfiltrate CAB File Over TCP Port 21

Technique: T1043 Commonly Used Port

Tactic: Command and Control


Atomic Attacks

AMSI Bypass via Obfuscated PowerShell Reflection Method with WMF5 Autologging Bypass

  • Picus Threat ID: 531001
  • Technique: T1562 Impair Defenses
  • Tactic: Defense Evasion

For more information on MITRE ATT&CK T1562 Impair Defenses, read our blog post:

  MITRE ATT&CK T1562 Impair Defenses

Security Support Provider Technique by using the ImplantSSP Tool

  • Picus Threat ID: 434255
  • Technique: T1101 Security Support Provider
  • Tactic: Persistence

Credential Dumping by using the SharpKatz Tool

  • Picus Threat ID: 675942
  • Technique: T1003 Credential Dumping
  • Tactic: Credential Access

For more information on MITRE ATT&CK T1003 Credential Dumping, read our blog post:

  MITRE ATT&CK T1003 Credential Dumping



Bisonal Backdoor Malware

  • Picus Threat ID: 668690, 201911, 409211, 721511, 704112
  • Signature Technique: T1574 Hijack Execution Flow
  • Target Regions: Asia and Eastern Europe
  • Target Industries: Military, Government, Critical Infrastructure
  • Threat Group: CactusPete (Aliases: Karma Panda, Tonto Team)

M00nd3v Logger Infostealer Malware

  • Picus Threat ID: 767981
  • Signature Technique: T1056 Input Capture
  • Target Regions: All
  • Target Industries: All
  • Threat Group: M00nD3v

MATA: Multi-platform targeted malware framework

  • Picus Threat ID: 259609
  • Signature Technique: T1055 Process Injection 
  • Target Regions: All
  • Target Industries: All

Watch our webinar, in which we dig into T1055 Process Injection, the no. 1 technique in the Picus 10 Critical MITRE ATT&CK Techniques list.




Microsoft SharePoint DataSet/DataTable Remote Code Execution (RCE)

  • Picus Threat ID: 751022
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 7.8 High
  • CVE: CVE-2020-1147
  • Affected Product: Microsoft SharePoint

Apache Kylin Remote Code Execution (RCE)

  • Picus Threat ID:
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 8.8 High
  • CVE: CVE-2020-1956
  • Affected Product: Apache Kylin

Nagios Log Server 'username' Persistent Cross-Site Scripting (XSS)

  • Picus Threat ID: 608769
  • OWASP Top 10: A7 - Cross-Site Scripting (XSS)
  • CVSS 3 Base Score: 5.4 Medium
  • CVE: CVE-2020-16157
  • Affected Product: Nagios Log Server


Windows Setup Elevation of Privilege

  • Picus Threat ID: 306665
  • CVE: CVE-2020-1571
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Setup

Sudo PwFeedback Buffer Overflow Vulnerability

  • Picus Threat ID: 482402
  • CVE: CVE-2019-18634
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Sudo

Windows Update Orchestrator Service Privilege Escalation

  • Picus Threat ID: 850862
  • CVE: CVE-2020-1313
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Update Orchestrator Service


System Information Discovery from Registry via PowerShell

  • Picus Sigma ID: 4834
  • Technique: T1082 System Information Discovery
  • Tactic: Discovery

In this webinar, Dr. Erdal Ozkaya from Standard Chartered Bank joined Picus and we talked about T1082 System Information Discovery.

  Dr. Erdal Ozkaya Picus Webinar

Suspicious Process Execution via WMI

  • Picus Sigma ID: 4256
  • Technique: T1047 Windows Management Instrumentation
  • Tactic: Execution

Sandbox Evasion by Querying Debuggers

  • Picus Sigma ID: 5608
  • Detected Technique: T1497 Virtualization/Sandbox Evasion
  • Tactic: Defense Evasion, Discovery