Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. Though there are a variety of tools available to attackers, they tend to prefer specific ones.
While they can routinely create new malware executables with automated builders and embed them in documents designed to exploit vulnerabilities in popular office software, the traffic generated by the malware when communicating with a C&C server tends to remain consistent.
This is significant because targeted attacks are rarely a “singular set of events,” but are in fact part of ongoing campaigns. They are consistent espionage campaigns—a series of failed and successful attempts to compromise a target over time—that aim to establish a persistent and covert presence in a target network so that information can be extracted when needed.