APT Notes

This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports.

• Data repo makes it easier for automation
• To add new reports, please create a new issue
• For more information, see the new README

2023

• Dec 19 - Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
• Dec 14 - OilRig's persistent attacks using cloud service-powered downloaders
• Dec 14 - Gaza Cybergang Unified Front Targeting Hamas Opposition
• Dec 13 - Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
• Dec 08 - ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware
• Dec 08 - Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
• Dec 01 - New Tool Set Found Used Against Organizations in the Middle East, Africa and the US
• Nov 30 - AeroBlade on the Hunt Targeting the U.S. Aerospace Industry
• Nov 22 - HrServ - Previously unknown web shell used in APT attack
• Nov 09 - Modern Asia APT groups TTPs
• Nov 01 - MuddyWater eN-Able spear-phishing with new TTPs
• Oct 31 - From Albania To The Middle East: The Scarred Manticore Is Listening
• Oct 31 - Analysis of activities of suspected APT-C-36 (Blind Eagle) organization launching Amadey botnet Trojan
• Oct 27 - A cascade of compromise: unveiling Lazarus' new campaign
• Mar 16 - Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
• Mar 14 - The slow Ticking time bomb: Tick APT group compromise of a DLP software developer in East Asia
• Mar 13 - Analysis of APT-C-56 (Transparent Tribe) camouflage resume attack campaign
• Mar 09 - Stealing the LIGHTSHOW (Part Two) - LIGHTSHIFT and LIGHTSHOW
• Mar 09 - Stealing the LIGHTSHOW (Part One) - North Korea's UNC2970
• Mar 07 - Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities
• Mar 07 - Don't Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests
• Mar 02 - MQsTTang: Mustang Panda's latest backdoor treads new ground with Qt and MQTT
• Mar 01 - Iron Tiger's SysUpdate Reappears, Adds Linux Targeting
• Feb 28 - Blackfly: Espionage Group Targets Materials Technology
• Feb 27 - Lazarus group using public certificate vulnerability
• Feb 27 - Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia
• Feb 23 - WinorDLL64: A backdoor from the vast Lazarus arsenal?
• Feb 22 - Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia
• Feb 21 - HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)
• Feb 16 - Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia
• Feb 13 - Dalbit (m00nlight): Chinese Hacker Group's APT Attack Campaign
• Feb 08 - Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine
• Feb 02 - New APT34 Malware Targets The Middle East
• Feb 02 - Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
• Jan 11 - Dark Pink: New APT hitting Asia-Pacific, Europe that goes deeper and darker
• Jan 05 - BlindEagle Targeting Ecuador With Sharpened Tools

2022

• Dec 20 - Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
• Dec 09 - Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine
• Sep 15 - Gamaredon APT targets Ukrainian government agencies in new campaign
• May 02 - UNC3524: Eye Spy on Your Email
• Apr 28 - Update: Destructive Malware Targeting Organizations in Ukraine
• Apr 28 - LAPSUS$: Recent techniques, tactics and procedures
• Apr 27 - Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
• Apr 26 - A "Naver" ending game of Lazarus APT
• Apr 21 - The ink-stained trail of GOLDBACKDOOR
• Apr 20 - Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
• Apr 18 - TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
• Apr 18 - Lazarus attack group that exploits the INITECH process
• Apr 18 - Cyberattack on state organizations of Ukraine using the topic "Azovstal"
• Apr 18 - Nobelium - Israeli Embassy Maldoc
• Apr 14 - Cyberattack on state organizations of Ukraine using the malicious program IcedID
• Apr 14 - Lazarus Targets Chemical Sector
• Apr 12 - Cyberattack by Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER
• Apr 12 - Cyberattack by Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER
• Apr 12 - Tarrask malware uses scheduled tasks for defense evasion
• Apr 11 - Snow abuse and gluttony: Analysis of suspected Lazarus attack activities against Korean companies
• Apr 06 - Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group
• Mar 31 - AcidRain: A Modem Wiper Rains Down on Europe
• Mar 31 - Lazarus Trojanized DeFi app for delivering malware
• Mar 30 - New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
• Mar 30 - VajraEleph from South Asia - Cyber espionage against Pakistani military personnel revealed
• Mar 29 - Transparent Tribe campaign uses new bespoke malware to target Indian government officials
• Mar 29 - APT attack disguised as North Korean defector resume format
• Mar 29 - New spear phishing campaign targets Russian dissidents
• Mar 28 - UAC-0056 cyberattack on Ukrainian authorities using GraphSteel and GrimPlant malware
• Mar 24 - Study of an APT attack on a telecommunications company in Kazakhstan
• Mar 23 - New Sandworm Malware Cyclops Blink Replaces VPNFilter
• Mar 22 - [Operation Dragon Castling: APT group targeting betting co