This is a repository for various publicly available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports.
For now, please include a PDF of each article added to the list, so that we always have a copy.
To contribute, you can either:
- Fork, add and send me a pull request
- Open a ticket with the data you want to be added
Adding data:
- Add a link to the public document to the Documents.md page
- Add the PDF file to the appropriate year
Thanks to the contributors for helping with the project!
The papers section contains historical documents.
- Aug 10 - Russian Invasion of Georgia: Russian Cyberwar on Georgia
- Oct ?? - How China will use cyber warfare to leapfrog in military competitiveness
- Nov 19 - Agent.BTZ
- ??? ?? - China's Electronic Long-Range Reconnaissance
- Jan 18 - Impact of Alleged Russian Cyber Attacks
- Mar 29 - Tracking GhostNet
- Jan 12 - Operation Aurora
- Jan 13 - The Command Structure of the Aurora Botnet - Damballa
- Jan 27 - Operation Aurora: Detect, Diagnose, Respond
- Jan ?? - Case Study: Operation Aurora - Triumfant
- Jan ?? - McAfee Labs: Combating Aurora
- Feb 24 - How Can I Tell if I Was Infected By Aurora? (IOCs)
- Mar 14 - In-depth Analysis of Hydraq
- Apr 06 - Shadows in the cloud: Investigating Cyber Espionage 2.0
- Sep 03 - The "MSUpdater" Trojan And Ongoing Targeted Attacks
- Dec 09 - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability
- Feb ?? - W32.Stuxnet Dossier
- Feb 10 - Global Energy Cyberattacks: Night Dragon
- Feb 18 - Night Dragon Specific Protection Measures for Consideration
- Apr 20 - Stuxnet Under the Microscope
- Aug ?? - Shady RAT
- Aug 04 - Operation Shady RAT
- Aug ?? - Operation Shady RAT: Vanity
- Aug 03 - HTran and the Advanced Persistent Threat
- Sep 11 - SK Hack by an Advanced Persistent Threat
- Sep 22 - The "LURID" Downloader
- Oct 12 - Alleged APT Intrusion Set: "1.php" Group
- Oct 26 - Duqu Trojan Questions and Answers
- Oct 31 - The Nitro Attacks: Stealing Secrets from the Chemical Industry
- Jan 03 - The HeartBeat APT
- Feb ?? - Command and Control in the Fifth Domain
- Feb 29 - The Sin Digoo Affair
- Mar 12 - Crouching Tiger, Hidden Dragon, Stolen Data
- Mar 13 - Reversing DarkComet RAT's crypto
- Mar 26 - Luckycat Redux
- Apr 10 - Anatomy of a Gh0st RAT
- May 18 - Analysis of Flamer C&C Server
- May 22 - IXESHE: An APT Campaign
- May 31 - sKyWIper (Flame/Flamer)
- Jul 10 - Advanced Social Engineering for the Distribution of LURK Malware
- Jul 11 - Wired article on DarkComet creator
- Jul 27 - The Madi Campaign
- Aug 09 - Gauss: Abnormal Distribution
- Sep 06 - The Elderwood Project
- Sep 07 - IEXPLORE RAT
- Sep 12 - The VOHO Campaign: An in-depth analysis
- Sep 18 - The Mirage Campaign
- Oct 08 - Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT
- Oct 27 - Trojan.Taidoor: Targeting Think Tanks
- Nov 03 - Systematic cyber attacks against Israeli and Palestinian targets going on for a year
- Jan 18 - Operation Red October
- Feb 12 - Targeted cyber attacks: examples and challenges ahead
- Feb 18 - Mandiant APT1 Report
- Feb 22 - Comment Crew: Indicators of Compromise
- Feb 26 - Stuxnet 0.5: The Missing Link
- Feb 27 - The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
- Feb 27 - Miniduke: Indicators v1
- Mar 13 - You Only Click Twice: FinFisher’s Global Proliferation
- Mar 17 - Safe: A Targeted Threat
- Mar 20 - Dissecting Operation Troy
- Mar 27 - APT1: technical backstage (Terminator/Fakem RAT)
- Apr 01 - Trojan.APT.BaneChant
- Apr 13 - "Winnti": More than just a game
- Apr 24 - Operation Hangover
- May ?? - Operation Hangover
- May 13 - Operation Saffron Rose
- Jun ?? - The Chinese Malware Complexes: The Maudi Surveillance Operation
- Jun 01 - Crude Faux: An analysis of cyber conflict within the oil & gas industries
- Jun 04 - The NetTraveler (aka 'Travnet')
- Jun 18 - Trojan.APT.Seinup Hitting ASEAN
- Jun 21 - A Call to Harm: New Malware Attacks Target the Syrian Opposition
- Jun 28 - njRAT Uncovered
- Jul ?? - Dark Seoul Cyber Attack: Could it be worse?
- Jul 15 - PlugX revisited: "Smoaler"
- Jul 31 - Secrets of the Comfoo Masters
- Jul 31 - Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio, Elirks) (video)
- Aug ?? - Operation Hangover - Unveiling an Indian Cyberattack Infrastructure
- Aug ?? - APT Attacks on Indian Cyber Space
- Aug 02 - Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
- Aug 02 - Surtr: Malware Family Targeting the Tibetan Community
- Aug 19 - ByeBye Shell and the targeting of Pakistan
- Aug 21 - POISON IVY: Assessing Damage and Extracting Intelligence
- Aug 23 - Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
- Sep ?? - Feature: EvilGrab Campaign Targets Diplomatic Agencies
- Sep 11 - The "Kimsuky" Operation
- Sep 13 - Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
- Sep 17 - Hidden Lynx - Professional Hackers for Hire
- Sep 25 - The 'Icefog' APT: A Tale of Cloak and Three Daggers
- Sep 30 - World War C: State of affairs in the APT world
- Oct 24 - Terminator RAT or FakeM RAT
- Nov 10 - Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
- Nov 11 - Supply Chain Analysis
- Dec 02 - njRAT, The Saga Continues
- Dec 11 - Operation "Ke3chang"
- Dec 20 - ETSO APT Attacks Analysis
- ??? ?? - Deep Panda
- ??? ?? - Detecting and Defeating the China Chopper Web Shell
- Jan 06 - PlugX: some uncovered points
- Jan 13 - Targeted attacks against the Energy Sector
- Jan 14 - The Icefog APT Hits US Targets With Java Backdoor
- Jan 21 - Shell_Crew (Deep Panda)
- Feb 11 - Unveiling "Careto" - The Masked APT
- Feb 13 - Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
- Feb 19 - The Monju Incident
- Feb 19 - XtremeRAT: Nuisance or Threat?
- Feb 20 - Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
- Feb 20 - Mo' Shells Mo' Problems - Deep Panda Web Shells
- Feb 28 - Uroburos: Highly complex espionage software with Russian roots
- Mar 06 - The Siesta Campaign
- Mar 07 - Snake Campaign & Cyber Espionage Toolkit
- Mar 08 - Russian spyware Turla
- Apr 26 - CVE-2014-1776: Operation Clandestine Fox
- May 21 - RAT in jar: A phishing campaign using Unrecom
- Jun 06 - Illuminating The Etumbot APT Backdoor (APT12)
- Jun 09 - Putter Panda
- Jun 30 - Dragonfly: Cyberespionage Attacks Against Energy Suppliers
- Jun 10 - Anatomy of the Attack: Zombie Zero
- Jul 11 - Pitty Tiger
- Jul 31 - Energetic Bear/Crouching Yeti
- Jul 31 - Energetic Bear/Crouching Yeti Appendix
- Aug 04 - Sidewinder Targeted Attack Against Android
- Aug 05 - Operation Arachnophobia
- Aug 06 - Operation Poisoned Hurricane
- Aug 07 - The Epic Turla Operation Appendix
- Aug 12 - New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)
- Aug 13 - A Look at Targeted Attacks Through the Lense of an NGO
- Aug 18 - The Syrian Malware House of Cards
- Aug 20 - El Machete
- Aug 25 - Vietnam APT Campaign
- Aug 27 - NetTraveler APT Gets a Makeover for 10th Birthday
- Aug 27 - North Korea’s cyber threat landscape
- Aug 28 - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
- Aug 29 - Syrian Malware Team Uses BlackWorm for Attacks
- Sep 03 - Darwin’s Favorite APT Group (APT12)
- Sep 04 - Forced to Adapt: XSLCmd Backdoor Now on OS X
- Sep 08 - Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware (video)
- Sep 08 - When Governments Hack Opponents: A Look at Actors and Technology (video)
- Sep 10 - Operation Quantum Entanglement
- Sep 17 - Chinese intrusions into key defense contractors
- Sep 18 - COSMICDUKE: Cosmu with a twist of MiniDuke
- Sep 19 - Watering Hole Attacks using Poison Ivy by "th3bug" group
- Sep 23 - Ukraine and Poland Targeted by BlackEnergy (video)
- Sep 26 - Aided Frame, Aided Direction (Sunshop Digital Quartermaster)
- Sep 26 - BlackEnergy & Quedagh
- Oct 03 - New indicators for APT group Nitro
- Oct 09 - Democracy in Hong Kong Under Attack
- Oct 14 - ZoxPNG Preliminary Analysis
- Oct 14 - Hikit Preliminary Analysis
- Oct 14 - Derusbi Preliminary Analysis
- Oct 14 - Group 72 (Axiom)
- Oct 14 - Sandworm - CVE-2014-4114
- Oct 20 - OrcaRAT - A whale of a tale
- Oct 22 - Operation Pawn Storm: The Red in SEDNIT
- Oct 22 - Sofacy Phishing by PWC
- Oct 23 - Modified Tor Binaries
- Oct 24 - LeoUncia and OrcaRat
- Oct 27 - Full Disclosure of Havex Trojans - ICS Havex backdoors
- Oct 27 - ScanBox framework – who’s affected, and who’s using it?
- Oct 28 - APT28 - A Window Into Russia's Cyber Espionage Operations
- Oct 28 - Group 72, Opening the ZxShell
- Oct 30 - The Rotten Tomato Campaign
- Oct 31 - Operation TooHash
- Nov 03 - New observations on BlackEnergy2 APT activity
- Nov 03 - Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement
- Nov 10 - The Darkhotel APT - A Story of Unusual Hospitality
- Nov 11 - The Uroburos case: Agent.BTZ's successor, ComRAT
- Nov 13 - Operation CloudyOmega: Ichitaro 0-day targeting Japan
- Nov 14 - OnionDuke: APT Attacks Via the Tor Network