Blog · Scenario

WebDav-O

By Detecteam · 2023-11-22

TLP

TLP CLEAR

Author

David Deflache, Sebastien Tricaud

Summary

In 2022, a targeted cyberattack using the WebDav-O malware was identified against a Russian government agency. The activity, attributed to the CoughingDown group, dates back to 2018 and also targeted government entities in Belarus. During the campaign, multiple WebDav-O variants were discovered, and the commands executed on compromised hosts were observed. The primary objective of the operation is persistent infiltration of and espionage within the targeted infrastructure. The CoughingDown group shows a high level of motivation in its clandestine efforts against government agencies in both Russia and Belarus.

TIMELINE

DATA

We publish data for attacks weekly, hoping to raise awareness of threats through the data they leave behind.

windows_sysmon.xml (download)

CATEGORY

APT

REFERENCES

  • https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/11/09055246/Modern-Asian-APT-groups-TTPs_report_eng.pdf

TAGS

Post Tags:

  • #T1003.001 - OS Credential Dumping: LSASS Memory
  • #T1003.002 - OS Credential Dumping: Security Account Manager
  • #T1003.004 - OS Credential Dumping: LSA Secrets
  • #T1003.005 - OS Credential Dumping: Cached Domain Credentials
  • #T1005 - Data from Local System
  • #T1012 - Query Registry
  • #T1016 - System Network Configuration Discovery
  • #T1018 - Remote System Discovery
  • #T1036.004 - Masquerading: Masquerade Task or Service
  • #T1041 - Exfiltration Over C2 Channel
  • #T1057 - Process Discovery
  • #T1069 - Permission Groups Discovery
  • #T1070.001 - Indicator Removal: Clear Windows Event Logs
  • #T1083 - File and Directory Discovery
  • #T1102.002 - Web Service: Bidirectional Communication
  • #T1124 - System Time Discovery
  • #T1135 - Network Share Discovery
  • #T1190 - Exploit Public-Facing Application
  • #T1482 - Domain Trust Discovery
  • #T1518 - Software Discovery
  • #T1543.003 - Create or Modify System Process: Windows Service

Detecteam

Detecteam is transforming cybersecurity detection from static rule-writing to autonomous, continuous validation. Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months. We help enterprises maximize ROI on existing tools, close high-risk detection gaps faster, and scale security outcomes without scaling headcount. This is the future of detection-as-code, and we’re leading it.

© 2025 Detecteam Inc. All Rights Reserved.