APT Notes
This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports.
Contributing
For the moment, it would be nice to have a PDF of the article that we add to the list, just to be sure we always have a copy.
To contribute, you can either:
- Fork, add the report, and send in a pull request; or
- Open an issue with the data you want to be added.
Adding data:
- Add a link to the public document to README.md page.
- Add the PDF file to the appropriate year. If the document is only available in HTML, print a "clean" version (e.g. with Readability, Clearly, or similar) to PDF and add that.
Thanks to the contributors for helping with the project! If you have any questions, please reach out to @krmaxwell or me.
Papers
The papers section contains historical documents.
2015
- Aug 04 - Terracotta VPN: Enabler of Advanced Threat Anonymity
- Jul 31 - Operation Potao Express - IOC
- Jul 28 - Black Vine: Formidable cyberespionage group targeted aerospace, healthcare since 2012
- Jul 27 - HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group
- Jul 22 - Duke APT group's latest tools: cloud services and Linux support
- Jul 20 - China Hacks the Peace Palace: All Your EEZ’s Are Belong to Us
- Jul 20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor
- Jul 14 - Tracking MiniDionis: CozyCar’s New Ride Is Related to Seaduke
- Jul 13 - "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory
- Jul 09 - Butterfly: Corporate spies out for financial gain
- Jul 08 - Wild Neutron – Economic espionage threat actor returns with new tricks
- Jun 30 - Dino – the latest spying malware from an allegedly French espionage group analyzed
- Jun 28 - APT on Taiwan - insight into advances of adversary TTPs
- Jun 26 - Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
- Jun 24 - UnFIN4ished Business (FIN4)
- Jun 22 - Winnti targeting pharmaceutical companies
- Jun 16 - Operation Lotus Bloom
- Jun 15 - Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114
- Jun 10 - The_Mystery_of_Duqu_2_0 IOC Yara
- Jun 10 - Crysys Lab - Duqu 2.0
- Jun 04 - Blue Thermite targeting Japan (CloudyOmega)
- Jun 03 - Thamar Reservoir
- May 29 - OceanLotusReport
- May 28 - Grabit and the RATs
- May 27 - Analysis On Apt-To-Be Attack That Focusing On China's Government Agency'
- May 26 - Dissecting-Linux/Moose
- May 21 - The Naikon APT and the MsnMM Campaigns
- May 19 - Operation 'Oil Tanker'
- May 18 - Cmstar Downloader: Lurid and Enfal’s New Cousin
- May 14 - Operation Tropic Trooper
- May 14 - The Naikon APT
- May 13 - SPEAR: A Threat Actor Resurfaces
- May 12 - root9B Uncovers Planned Sofacy Cyber Attack Targeting Several International and Domestic Financial Institutions
- May 07 - Dissecting the Kraken
- Apr 27 - Attacks against Israeli & Palestinian interests
- Apr 22 - CozyDuke
- Apr 21 - The CozyDuke APT
- Apr 20 - Sofacy II – Same Sofacy, Different Day
- Apr 18 - Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack
- Apr 16 - Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House
- Apr 15 - The Chronicles of the Hellsing APT: the Empire Strikes Back
- Apr 12 - APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation
- Mar 31 - Volatile Cedar – Analysis of a Global Cyber Espionage Campaign
- Mar 19 - Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign
- Mar 11 - Inside the EquationDrug Espionage Platform
- Mar 10 - Tibetan Uprising Day Malware Attacks
- Mar 06 - Is Babar a Bunny?
- Mar 06 - Animals in the APT Farm
- Mar 05 - Casper Malware: After Babar and Bunny, Another Espionage Cartoon
- Feb 24 - A deeper look into Scanbox
- Feb 27 - The Anthem Hack: All Roads Lead to China
- Feb 25 - Southeast Asia: An Evolving Cyber Threat Landscape
- Feb 25 - PlugX goes to the registry (and India)
- Feb 18 - Babar: espionage software finally found and put under the microscope
- Feb 18 - Shooting Elephants
- Feb 17 - Desert Falcons APT
- Feb 17 - A Fanny Equation: "I am your father, Stuxnet"
- Feb 16 - Operation Arid Viper
- Feb 16 - The Carbanak APT
- Feb 16 - Equation: The Death Star of Malware Galaxy
- Feb 10 - CrowdStrike Global Threat Intel Report for 2014
- Feb 04 - Pawn Storm Update: iOS Espionage App Found
- Feb 02 - Behind the Syrian Conflict’s Digital Frontlines
- Jan 29 - Analysis of PlugX Variant - P2P PlugX
- Jan 29 - Backdoor.Winnti attackers and Trojan.Skelky
- Jan 27 - Comparing the Regin module 50251 and the "Qwerty" keylogger
- Jan 22 - Regin's Hopscotch and Legspin
- Jan 22 - Scarab attackers Russian targets | IOCs
- Jan 22 - The Waterbug attack group
- Jan 20 - Reversing the Inception APT malware
- Jan 20 - Analysis of Project Cobra
- Jan 15 - Evolution of Agent.BTZ to ComRAT
- Jan 12 - Skeleton Key Malware Analysis
- Jan 11 - Hong Kong SWC attack
2014
- Dec 22 - Anunak: APT against financial institutions
- Dec 21 - Operation Poisoned Helmand
- Dec 19 - TA14-353A: Targeted Destructive Malware (wiper)
- Dec 18 - Malware Attack Targeting Syrian ISIS Critics
- Dec 17 - Wiper Malware – A Detection Deep Dive
- Dec 12 - Bots, Machines, and the Matrix
- Dec 12 - Vinself now with steganography
- Dec 10 - South Korea MBR Wiper
- Dec 10 - W64/Regin, Stage #1
- Dec 10 - W32/Regin, Stage #1
- Dec 10 - Cloud Atlas: RedOctober APT
- Dec 09 - The Inception Framework
- Dec 08 - The 'Penquin' Turla
- Dec 03 - Operation Cleaver: The Notepad Files
- Dec 02 - Operation Cleaver | IOCs
- Nov 30 - FIN4: Stealing Insider Information for an Advantage in Stock Trading?
- Nov 24 - Deep Panda Uses Sakula Malware
- Nov 24 - [TheIntercept's report on The Regin Platform] (https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/)
- Nov 24 - Kaspersky's report on The Regin Platform
- Nov 23 - Symantec's report on Regin
- Nov 21 - Operation Double Tap | IOCs
- Nov 20 - EvilBunny: Suspect #4
- Nov 14 - Roaming Tiger (Slides)
- Nov 14 - OnionDuke: APT Attacks Via the Tor Network
- Nov 13 - Operation CloudyOmega: Ichitaro 0-day targeting Japan
- Nov 12 - Korplug military targeted attacks: Afghanistan & Tajikistan
- Nov 11 - The Uroburos case- Agent.BTZ’s successor, ComRAT
- Nov 10 - The Darkhotel APT - A Story of Unusual Hospitality
- Nov 03 - Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement
- Nov 03 - New observations on BlackEnergy2 APT activity
- Oct 31 - Operation TooHash
- Oct 30 - The Rotten Tomato Campaign
- Oct 28 - Group 72, Opening the ZxShell
- Oct 28 - APT28 - A Window Into Russia's Cyber Espionage Operations
- Oct 27 - Micro-Targeted Malvertising via Real-time Ad Bidding
- Oct 27 - ScanBox framework – who’s affected, and who’s using it?
- Oct 27 - Full Disclosure of Havex Trojans - ICS Havex backdoors
- Oct 24 - LeoUncia and OrcaRat
- Oct 23 - Modified Tor Binaries
- Oct 22 - Sofacy Phishing by PWC
- Oct 22 - Operation Pawn Storm: The Red in SEDNIT
- Oct 20 - OrcaRAT - A whale of a tale
- Oct 14 - Sandworm - CVE-2104-4114
- Oct 14 - Group 72 (Axiom)
- Oct 14 - Derusbi Preliminary Analysis
- Oct 14 - Hikit Preliminary Analysis
- Oct 14 - ZoxPNG Preliminary Analysis
- Oct 09 - Democracy in Hong Kong Under Attack
- Oct 03 - New indicators for APT group Nitro
- Sep 26 - BlackEnergy & Quedagh
- Sep 26 - Aided Frame, Aided Direction (Sunshop Digital Quartermaster)
- Sep 23 - Ukraine and Poland Targeted by BlackEnergy (video)
- Sep 19 - Watering Hole Attacks using Poison Ivy by "th3bug" group
- Sep 18 - COSMICDUKE: Cosmu with a twist of MiniDuke
- Sep 17 - Chinese intrusions into key defense contractors
- Sep 10 - Operation Quantum Entanglement
- Sep 08 - When Governments Hack Opponents: A Look at Actors and Technology video
- Sep 08 - Targeted Threat Index: Characterizingand Quantifying Politically-MotivatedTargeted Malware video
- Sep 04 - Gholee – a “Protective Edge” themed spear phishing campaign
- Sep 04 - Forced to Adapt: XSLCmd Backdoor Now on OS X
- Sep 03 - Darwin’s Favorite APT Group (APT12)
- Aug 29 - Syrian Malware Team Uses BlackWorm for Attacks
- Aug 28 - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
- Aug 27 - North Korea’s cyber threat landscape
- Aug 27 - NetTraveler APT Gets a Makeover for 10th Birthday
- Aug 25 - Vietnam APT Campaign
- Aug 20 - El Machete
- Aug 18 - The Syrian Malware House of Cards
- Aug 13 - A Look at Targeted Attacks Through the Lense of an NGO
- Aug 12 - New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)
- Aug 07 - The Epic Turla Operation Appendix
- Aug 06 - Operation Poisoned Hurricane
- Aug 05 - Operation Arachnophobia
- Aug 04 - Sidewinder Targeted Attack Against Android
- Jul 31 - Energetic Bear/Crouching Yeti Appendix
- Jul 31 - Energetic Bear/Crouching Yeti
- Jul 20 - Sayad (Flying Kitten) Analysis & IOCs
- Jul 11 - Pitty Tiger
- Jul 10 - TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
- Jul 07 - Deep Pandas
- Jun 10 - Anatomy of the Attack: Zombie Zero
- Jun 30 - Dragonfly: Cyberespionage Attacks Against Energy Suppliers
- Jun 20 - Embassy of Greece Beijing
- Jun 09 - Putter Panda
- Jun 06 - Illuminating The Etumbot APT Backdoor (APT12)
- May 21 - RAT in jar: A phishing campaign using Unrecom
- May 20 - Miniduke Twitter C&C
- May 13 - CrowdStrike's report on Flying Kitten
- May 13 - Operation Saffron Rose (aka Flying Kitten)
- Apr 26 - CVE-2014-1776: Operation Clandestine Fox
- Mar 08 - Russian spyware Turla
- Mar 07 - Snake Campaign & Cyber Espionage Toolkit
- Mar 06 - The Siesta Campaign
- Feb 28 - Uroburos: Highly complex espionage software with Russian roots
- Feb 23 - Gathering in the Middle East, Operation STTEAM
- Feb 20 - Mo' Shells Mo' Problems - Deep Panda Web Shells
- Feb 20 - Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
- Feb 19 - XtremeRAT: Nuisance or Threat?
- Feb 19 - The Monju Incident
- Feb 13 - Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
- Feb 11 - Unveiling "Careto" - The Masked APT
- Jan 31 - Intruder File Report- Sneakernet Trojan
- Jan 21 - Shell_Crew (Deep Panda)
- Jan 15 - “New'CDTO:'A'Sneakernet'Trojan'Solution
- Jan 14 - The Icefog APT Hits US Targets With Java Backdoor
- Jan 13 - Targeted attacks against the Energy Sector
- Jan 06 - PlugX: some uncovered points
2013
- ??? ?? - Detecting and Defeating the China Chopper Web Shell
- ??? ?? - Deep Panda (OFFLINE)
- Dec 20 - ETSO APT Attacks Analysis
- Dec 11 - Operation "Ke3chang"
- Dev 02 - njRAT, The Saga Continues
- Nov 11 - Supply Chain Analysis
- Nov 10 - Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
- Oct 24 - Terminator RAT or FakeM RAT
- Sep 30 - World War C: State of affairs in the APT world
- Sep 25 - The 'ICEFROG' APT: A Tale of cloak and three daggers
- Sep 17 - Hidden Lynx - Professional Hackers for Hire
- Sep 13 - Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
- Sep 11 - The "Kimsuky" Operation
- Sep ?? - Feature: EvilGrab Campaign Targets Diplomatic Agencies
- Aug 23 - Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
- Aug 21 - POISON IVY: Assessing Damage and Extracting Intelligence
- Aug 19 - ByeBye Shell and the targeting of Pakistan
- Aug 02 - Surtr: Malware Family Targeting the Tibetan Community
- Aug 02 - Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
- Aug ?? - APT Attacks on Indian Cyber Space
- Aug ?? - Operation Hangover - Unveiling an Indian Cyberattack Infrastructure
- Jul 31 - Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio,Elirks), video
- Jul 31 - Secrets of the Comfoo Masters
- Jul 15 - PlugX revisited: "Smoaler"
- Jul 09 - Dark Seoul Cyber Attack: Could it be worse?
- Jun 30 - Targeted Campaign Steals Credentials in Gulf States and Caribbean
- Jun 28 - njRAT Uncovered
- Jun 21 - A Call to Harm: New Malware Attacks Target the Syrian Opposition
- Jun 18 - Trojan.APT.Seinup Hitting ASEAN
- Jun 07 - KeyBoy, Targeted Attacks against Vietnam and India
- Jun 04 - The NetTraveller (aka 'Travnet')
- Jun 01 - Crude Faux: An analysis of cyber conflict within the oil & gas industries
- Jun ?? - The Chinese Malware Complexes: The Maudi Surveillance Operation
- May 30 - TR-14 - Analysis of a stage 3 Miniduke malware sample
- May ?? - Operation Hangover
- Apr 24 - Operation Hangover
- Apr 21 - MiniDuke - The Final Cut
- Apr 13 - "Winnti" More than just a game
- Apr 01 - Trojan.APT.BaneChant
- Mar 28 - TR-12 - Analysis of a PlugX malware variant used for targeted attacks
- Mar 27 - APT1: technical backstage (Terminator/Fakem RAT)
- Mar 21 - Darkseoul/Jokra Analysis And Recovery
- Mar 20 - The TeamSpy Crew Attacks
- Mar 20 - Dissecting Operation Troy
- Mar 17 - Safe: A Targeted Threat
- Mar 13 - You Only Click Twice: FinFisher’s Global Proliferation
- Feb 27 - Miniduke: Indicators v1
- Feb 27 - The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
- Feb 26 - Stuxnet 0.5: The Missing Link
- Feb 22 - Comment Crew: Indicators of Compromise
- Feb 18 - Mandiant APT1 Report
- Feb 12 - Targeted cyber attacks: examples and challenges ahead
- Jan 18 - Operation Red October
- Jan 14 - Red October Diplomatic Cyber Attacks Investigation
- Jan 14 - The Red October Campaign
2012
- Nov 03 - Systematic cyber attacks against Israeli and Palestinian targets going on for a year
- Nov 01 - RECOVERING FROM SHAMOON
- Oct 27 - Trojan.Taidoor: Targeting Think Tanks
- Oct 08 - Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT
- Sep 18 - The Mirage Campaign
- Sep 12 - The VOHO Campaign: An in depth analysis
- Sep 07 - IEXPLORE RAT
- Sep 06 - The Elderwood Project
- Aug 09 - Gauss: Abnormal Distribution
- Jul 27 - The Madi Campaign
- Jul 25 - From Bahrain With Love: FinFisher’s Spy Kit Exposed?
- Jul 11 - Wired article on DarkComet creator
- Jul 10 - Advanced Social Engineering for the Distribution of LURK Malware
- May 31 - sKyWIper (Flame/Flamer)
- May 22 - IXESHE An APT Campaign
- May 18 - Analysis of Flamer C&C Server
- Apr 16 - OSX.SabPub & Confirmed Mac APT attacks
- Apr 10 - Anatomy of a Gh0st RAT
- Mar 26 - Luckycat Redux
- Mar 13 - Reversing DarkComet RAT's crypto
- Mar 12 - Crouching Tiger, Hidden Dragon, Stolen Data
- Feb 29 - The Sin Digoo Affair
- Feb 03 - Command and Control in the Fifth Domain
- Jan 03 - The HeartBeat APT
2011
- Dec 08 - Palebot trojan harvests Palestinian online credentials
- Oct 31 - The Nitro Attacks: Stealing Secrets from the Chemical Industry
- Oct 26 - Duqu Trojan Questions and Answers
- Oct 12 - Alleged APT Intrusion Set: "1.php" Group
- Sep 22 - The "LURID" Downloader
- Sep 11 - SK Hack by an Advanced Persistent Threat
- Sep 09 - The RSA Hack
- Aug 03 - HTran and the Advanced Persistent Threat
- Aug 02 - Operation Shady rat : Vanity
- Aug 04 - Operation Shady RAT
- Apr 20 - Stuxnet Under the Microscope
- Feb 18 - Night Dragon Specific Protection Measures for Consideration
- Feb 10 - Global Energy Cyberattacks: Night Dragon
2010
- Dec 09 - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability
- Sep 30 - W32.Stuxnet Dossier
- Sep 03 - The "MSUpdater" Trojan And Ongoing Targeted Attacks
- Apr 06 - Shadows in the cloud: Investigating Cyber Espionage 2.0
- Mar 14 - In-depth Analysis of Hydraq (OFFLINE)
- Feb 24 - How Can I Tell if I Was Infected By Aurora? (IOCs) (OFFLINE)
- Feb 10 - HB Gary Threat Report: Operation Aurora
- Jan ?? - Case Study: Operation Aurora - Triumfant (OFFLINE)
- Jan 27 - Operation Aurora Detect, Diagnose, Respond (OFFLINE)
- Jan 20 - McAfee Labs: Combating Aurora
- Jan 13 - The Command Structure of the Aurora Botnet - Damballa
- Jan 12 - Operation Aurora
2009
- Mar 29 - Tracking GhostNet
- Jan 18 - Impact of Alleged Russian Cyber Attacks
2008
- Nov 19 - Agent.BTZ
- Nov 04 - China's Electronic Long-Range Reconnaissance
- Oct 02 - How China will use cyber warfare to leapfrog in military competitiveness
- Aug 10 - Russian Invasion of Georgia Russian Cyberwar on Georgia (OFFLINE)