Initial Access

• Initial Access The Art of Getting In The complete red team guide to Initial Access: Payload Development (DLL Sideloading, Shellcode Loaders, Syscalls), HTML Smuggling, Phishing (QR Code Quishing, Teams Phishing), AitM/MFA Bypass (Evilginx, Device Code Phishing), Password Spraying, Exploiting Public-Facing Applications, Vishing, Physical Access (Rubber Ducky, Bash Bunny), Supply Chain attacks with real-world APT case studies.

Case Studies

The MITRE ATT&CK website contains a number of real cases where each technique has been used. The examples listed here are just a bunch of further examples, particularly interesting because they illustrate all the intrusion steps that followed Initial Access.

• Exploit Public-Facing Application:

  • Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
  • Dutch Department of Justice offline after Citrix vulnerability The Department of Justice shut down all internet connections on Friday morning after a serious security threat. Analysis showed that hackers had probably exploited a vulnerability in Citrix NetScaler, also known as Citrix Bleed 2.
  • Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws (September 2025).

• Valid Accounts:

  • Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization
  • The silent heist: cybercriminals use information stealer malware to compromise corporate networks Infostealer malware. Nice publication by the Australian Cybersecurity Centre.

• Phishing:

  • Malware attack and counterattack "I have 45 years experience in programming, I use debuggers all the time, I know all sorts of langages including assembly langage, I know how all this works at the lowest level." Yet he fell prey of a phishing attack. Really worth reading. It includes a detailed and easy to read analysis of the malware (which used the MacOS Command and Scripting Interpreter for Execution).
  • Connecting a successful phishing attempt to Scattered Spider through Validin pivoting Even security-conscious individuals can fall victim to well-crafted social engineering attacks, especially when tired or distracted. On March 25, 2025, a sophisticated phishing attack targeted Troy Hunt, a highly regarded security researcher and the creator of Have I Been Pwned?, a free data breach search and notification service, resulting in the compromise of his Mailchimp account.
  • Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites You think you have downloaded an AI-generated video while you have downloaded an exe ("The resulting file name, Lumalabs_1926326251082123689-626.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe, aims to make the binary less suspicious by pushing the .exe extension out of the user view."). This is a Phishing: Spearphishing via Service.
  • A "pretty well executed phishing": it disguises a curl and bash execution as an "I am not a bot" verification (click and fix).
  • The Curious Case of an Egg-Cellent Resume Spearphishing via Service (job application). Zipped attachment contains a file.lnk that when clicked executes a shell script. An excellent and easy to read report detailing all the steps of an attack (like all reports by DIFR).
  • Phishing emails and Docusign electronic signature Phishers have adopted another trick: they send emails pretending to be from Docusign with a fake link to a document that the recipient must sign.
  • March 2025 Internal Sophos Phishing Attempt A senior Sophos employee (Sophos is one of the leading companies in Cybersecurity defense) received a phishing email containing a fraudulent DocuSign link. The employee clicked the link in the email, and was taken to a fake Office 365 login page, where they entered their credentials. They then received a multi-factor authentication (MFA) challenge – triggered by our legitimate MFA process – and approved it.

Phishing

Just two resources (I am not even trying to provide a link to relevant incidents; I would not know where to start):

• Internet Crime Complaint Center (IC3) - FBI Have a look at the annual reports: which is the most prevalent crime type by victim count?
• "phishing" search on Computers and Security This is a prestigious scientific journal. The list of papers published in the last year suffices to realize that there is still a lot of ongoing research on this seemingly irrelevant topic. Full text available only from internal UniTS network.

Phishing tools and services

• Evilginx is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection (evil proxy).
• Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework
• Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service
• DNS Uncovers Infrastructure Used in SSO Attacks Phishing campaign based on Evilginx targeted at university students.
• Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown (March 2026).

Secure email (SPF, DKIM, DMARC)

These are very interesting topics but not part of this course.

• Tackling Email Spoofing and Phishing High-level description, by Cloudflare.
• Trustworthy Email Technical guide by NIST. In-depth explanation.

Trusted Relationship

Case Studies

Also look at the "Procedure examples" in the MITRE ATT&CK technique.

• Microsoft lost its keys, and the government got hacked
• Microsoft reveals how hackers stole its email signing key… kind of
• ConnectWise says nation-state attack targeted multiple ScreenConnect customers
• DragonForce ransomware abuses SimpleHelp in MSP supply chain attack (the title mentions supply chain but this is actually a trusted relationship).

Supply Chain Compromise

Case Studies

Also look at the References in the MITRE ATT&CK technique (and their sub-techniques).

SolarWinds

A major incident with national security implications.

• CISA Emergency Directive: Mitigate SolarWinds Orion Code Compromise
• Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations Attack description mapped on MITRE ATT&CK.
• Look at the "Solar Winds" section in the Defense - Resources page of this website.

Linux xz compression library

Over a period of over two years, an attacker worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership. Using that access, they installed a very subtle, carefully hidden backdoor into liblzma, a part of xz that also happens to be a dependency of OpenSSH sshd on Debian, Ubuntu, Fedora, and other systemd-based Linux systems. That backdoor gives the attacker the ability to run an arbitrary command on the target system without logging in: unauthenticated, targeted remote code execution.

This attack was publicly disclosed on March 29, 2024 and it marks a watershed moment in open source supply chain security.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone...BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

• Backdoor found in widely used Linux utility targets encrypted SSH connections
• Timeline of the xz open source attack This post is a detailed timeline of the social engineering aspect of the attack, which appears to date back to late 2021.
• Techies vs spies: the xz backdoor debate An interesting non-technical analysis and perspective.

Interesting examples

• Accounting Ukraine cyber-attack: Software firm MeDoc's servers seized "some of the initial infections were indeed spread via a malicious update to MeDoc. It is Ukraine's most popular accounting software. The cyber-attack - a variant of an earlier virus called Petya - hit businesses around the world including the shipping firm Maersk"
• System utility CCleaner Attack Timeline—Here's How Hackers Infected 2.3 Million PCs Hackers compromised the company's servers for more than a month and replaced the original version of the software with the malicious one. The malware attack infected over 2.3 million users who downloaded or updated their CCleaner app between August and September last year from the official website.
• Digital signature, government certification authority Operation SignSight: Supply-chain attack against a certification authority in Southeast Asia The attackers modified two of the software installers available for download on the website of the Vietnam Government Certification Authority and added a backdoor.
• Browsers infected by government websites, infected by a website plugin Government websites hit by cryptocurrency mining malware Thousands of sites, including NHS services and the ICO, have been infected by malware that forces visitors’ computers to mine cryptocurrency while using the site. The cryptojacking script was inserted into website codes through BrowseAloud, a popular plugin that helps blind and partially-sighted people access the web.

Browser extensions

• 500 Chrome Extensions Caught Stealing Private Data of 1.7 Million Users
• 108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users

Software development

You develop software and you could unwillingly distribute malicious software to your customers:

• Supply chain attack hits 26 open source projects on GitHub
• Malicious npm packages caught installing remote access trojans JavaScript and Node.js developers who installed the jdb.js and db-json.js packages were infected with the njRAT malware.
• Hacker group inserted malware in NoxPlayer Android emulator A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly-targeted supply chain attack.
• The Story Behind Deloitte 2025 Breach Not really a supply chain attack, but it might have been. On May 30, 2025, a threat actor using the alias “303” claimed responsibility for a significant cyberattack on Deloitte, one of the world’s leading consulting firms. The attacker alleged that they had accessed and exfiltrated sensitive internal data, including GitHub credentials and proprietary source code from Deloitte’s U.S. consulting division.
• Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack Attackers injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack (September 2025).
• The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows Supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint (September 2025).
• Supply Chain Security Alert: Popular Nx Build System Package Compromised with Data-Stealing Malware (August 2025).

...or you could suffer stealing of YOUR information

• Ethereum Developer Falls Victim to Malicious AI Extension One of Ethereum’s key developers, Zak Cole, has fallen prey to a cryptocurrency drainer. The perpetrators stole the private key to his hot wallet.

Firmware and routers

• Check Point Research reveals a malicious firmware implant for TP-Link routers, linked to Chinese APT group (2023)
• Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s server and used it to push the malware to machines.
• How the NSA tampers with US-made internet routers The NSA has been covertly implanting interception tools in US servers heading overseas – even though the US government has warned against using Chinese technology for the same reason.

National Security

• Don’t use Huawei phones, say heads of FBI, CIA, and NSA
• Kaspersky bans and allegations of Russian government ties (Wikipedia).
• Commission strengthens cybersecurity and suspends the use of TikTok on its corporate devices

Antivirus (!)

• Critical eScan Supply Chain Compromise Active supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product. Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally. This document provides IoCs.

Security scanner (!)

• Trivy vulnerability scanner breach pushed infostealer via GitHub Actions Threat actors compromised Trivy's GitHub build process, swapping the entrypoint.sh in GitHub Actions with a malicious version and publishing trojanized binaries in the Trivy v0.69.4 release, both of which acted as infostealers.

Defense best practices

• Supply chain security guidance (NCSC, UK) Proposing a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.
• Information and Communications Technology Supply Chain Risk Management (CISA)

Analyses

• Israel’s Pager Attacks and Supply Chain Vulnerabilities Bruce Schneier.
• Who are the maintainers of public software? Who are we trusting? Russia-based Yandex employee oversees open-source software approved for DOD use and