This is a collection of APT and cybercriminal campaign reports. Please file an issue if any APT/malware events or campaigns are missing.
The password for the malware samples may be ‘virus’ or ‘infected’.
2022
- Feb 23 – [Pangu Lab] Bvp47:Top-tier Backdoor of US NSA Equation Group
- Feb 23 – [Mandiant] (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware
- Feb 15 – [Dell] ShadowPad Malware Analysis
- Feb 03 – [Symantec] Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
- Feb 01 – [Cybereason] PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage
- Jan 31 – [CISCO] Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
- Jan 31 – [Symantec] Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
- Jan 27 – [MalwareBytes] North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign
- Jan 27 – [CrowdStrike] Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign
- Jan 25 – [Trellix] Prime Minister’s Office Compromised: Details of Recent Espionage Campaign
- Jan 20 – [Kaspersky] MoonBounce: the dark side of UEFI firmware
- Jan 17 – [Trend Micro] Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
- Jan 07 – [MalwareBytes] Patchwork APT caught in its own web
- Jan 05 – [Sygnia] ELEPHANT BEETLE: UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION
- Jan 03 – [Cluster25] North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants
2021
- Dec 16 – [Zscaler] New DarkHotel APT attack chain identified
- Dec 11 – [ESET] Jumping the air gap: 15 years of nation-state effort
- Dec 07 – [Mandiant] FIN13: A Cybercriminal Threat Actor Focused on Mexico
- Dec 03 – [PwC] Conti cyber attack on the HSE
- Nov 29 – [Trend Micro] Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
- Nov 16 – [ESET] Strategic web compromises in the Middle East with a pinch of Candiru
- Nov 11 – [Google] Analyzing a watering hole campaign using macOS exploits
- Nov 10 – [Trend Micro] Void Balaur: Tracking a Cybermercenary’s Activities
- Nov 08 – [NCCGroup] TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
- Nov 04 – [SSU] Gamaredon Armageddon Group
- Oct 19 – [CrowdStrike] LightBasin: A Roaming Threat to Telecommunications Companies
- Oct 26 – [JPCERT] Malware WinDealer used by LuoYu Attack Group
- Oct 19 – [Proofpoint] Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
- Oct 19 – [Trend Micro] PurpleFox Adds New Backdoor That Uses WebSockets
- Oct 18 – [Symantec] Harvester: Nation-state-backed group uses new toolset to target victims in South Asia
- Oct 14 – [Trend Micro] Analyzing Email Services Abused for Business Email Compromise
- Oct 12 – [Kaspersky] MysterySnail attacks with Windows zero-day
- Oct 06 – [Cybereason] Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms
- Oct 05 – [ESET] UEFI threats moving to the ESP: Introducing ESPecter bootkit
- Oct 04 – [JPCERT] Malware Gh0stTimes Used by BlackTech
- Sep 30 – [Kaspersky] GhostEmperor: From ProxyLogon to kernel mode
- Sep 27 – [Microsoft] FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
- Sep 23 – [ESET] FamousSparrow: A suspicious hotel guest
- Sep 14 – [McAfee] Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
- Sep 13 – [Trend Micro] APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
- Sep 09 – [Recorded Future] Dark Covenant: Connections Between the Russian State and Criminal Actors
- Sep 08 – [Fireeye] Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.
- Aug 25 – [Bitdefender] FIN8 Threat Actor Spotted Once Again with New “Sardonic” Backdoor
- Aug 24 – [Trend Micro] Earth Baku Returns
- Aug 19 – [Sentinel] ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage
- Aug 17 – [Trend Micro] Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military
- Aug 17 – [ClearSky] New Iranian Espionage Campaign by “SiameseKitten” – Lyceum
- Aug 17 – [Volexity] North Korean APT InkySquid Infects Victims Using Browser Exploits
- Aug 14 – [Checkpoint] Indra — Hackers Behind Recent Attacks on Iran
- Aug 12 – [imp0rtp3] Uncovering Tetris – a Full Surveillance Kit Running in your Browser
- Aug 10 – [Fireeye] UNC215: Spotlight on a Chinese Espionage Campaign in Israel
- Aug 09 – [Trend Micro] Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising
- Aug 03 – [CyberGeeks] A STEP-BY-STEP ANALYSIS OF THE NEW MALWARE USED BY APT28/SOFACY CALLED SKINNYBOY
- Aug 03 – [GROUP-IB] The Art of Cyberwarfare Chinese APTs attack Russia
- Aug 03 – [Cybereason] DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
- Aug 03 – [Positive] APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere
- Aug 02 – [Sygnia] TG1021: “Praying Mantis” DISSECTING AN ADVANCED MEMORY-RESIDENT ATTACK
- Jul 28 – [Proofpoint] I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
- Jul 27 – [Palo Alto Networks] THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
- Jul 20 – [Trend Micro] Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group
- Jul 19 – [US-CERT] Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
- Jul 14 – [Google] How we protect users from 0-day attacks
- Jul 12 – [Trend Micro] #NoFilter: Exposing the Tactics of Instagram Account Hackers
- Jul 09 – [Trend Micro] BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
- Jul 06 – [AT&T] Lazarus campaign TTPs and evolution
- Jul 05 – [Trend Micro] Tracking Cobalt Strike: A Trend Micro Vision One Investigation
- Jul 01 – [CheckPoint] IndigoZebra APT continues to attack Central Asia with evolving tools
- Jun 24 – [Securifera] Operation Eagle Eye
- Jun 16 – [Recorded Future] Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
- Jun 16 – [Kaspersky] Ferocious Kitten: 6 years of covert surveillance in Iran
- Jun 10 – [Group-IB] Big airline heist
- Jun 08 – [Kaspersky] PuzzleMaker attacks with Chrome zero-day exploit chain
- Jun 03 – [CheckPoint] SharpPanda: Chinese APT Group Targets Southeast Asian Government With Previously Unknown Backdoor
- May 28 – [Microsoft] Breaking down NOBELIUM’s latest early-stage toolset
- May 27 – [Microsoft] New sophisticated email-based attack from NOBELIUM
- May 25 – [SentinelOne] FROM WIPER TO RANSOMWARE: THE EVOLUTION OF AGRIUS
- May 13 – [CISCO] Transparent Tribe APT expands its Windows malware arsenal
- May 07 – [NCSC] Further TTPs associated with SVR cyber actors
- May 07 – [Marco Ramilli] MuddyWater: Binder Project (Part 2)
- May 06 – [Kaspersky] Operation TunnelSnake
- May 01 – [ClearSky] Attributing Attacks Against Crypto Exchanges to LAZARUS – North Korea
- May 01 – [Marco Ramilli] MuddyWater: Binder Project (Part 1)
- Apr 28 – [Trend Micro] Water Pamola Attacked Online Shops Via Malicious Orders
- Apr 28 – [Fireeye] Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
- Apr 27 – [Positive] Lazarus Group Recruitment: Threat Hunters vs Head Hunters
- Apr 23 – [Bitdefender] NAIKON – Traces from a Military Cyber-Espionage Operation
- Apr 23 – [Darktrace] APT35 ‘Charming Kitten’ discovered in a pre-infected environment
- Apr 20 – [FireEye] Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
- Apr 19 – [SentinelOne] A Deep Dive into Zebrocy’s Dropper Docs
- Apr 19 – [MalwareBytes] Lazarus APT conceals malicious code within BMP image to drop its RAT
- Apr 13 – [eSentire] Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire
- Apr 13 – [Kaspersky] Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
- Apr 09 – [TrendMicro] Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
- Apr 08 – [CheckPoint] Iran’s APT34 Returns with an Updated Arsenal
- Apr 08 – [ESET] (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
- Apr 07 – [CISCO] Sowing Discord: Reaping the benefits of collaboration app abuse
- Apr 06 – [Cado Security] Threat Group Uses Voice Changing Software in Espionage Attempt
- Mar XX – [CSET] Academics, AI, and APTs
- Mar 30 – [Kaspersky] APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign
- Mar 30 – [proofpoint] BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
- Mar 23 – [Trend Micro] Websites Hosting Cracks Spread Malware, Adware
- Mar 18 – [Prodaft] SilverFish Group Threat Actor Report
- Mar 10 – [Bitdefender] FIN8 Returns with Improved BADHATCH Toolkit
- Mar 10 – [Intezer] New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
- Mar 02 – [Volexity] Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- Mar 02 – [Microsoft] HAFNIUM targeting Exchange Servers with 0-day exploits
- Feb 28 – [Recorded Future] China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
- Feb 25 – [Proofpoint] TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations
- Feb 25 – [Kaspersky] Lazarus targets defense industry with ThreatNeedle
- Feb 25 – [TeamT5] APT10: Tracking down the stealth activity of the A41APT campaign
- Feb 24 – [MalwareBytes] LazyScripter: From Empire to double RAT
- Feb 24 – [Amnesty] Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks
- Feb 22 – [CheckPoint] The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
- Feb 17 – [Cybleinc] Confucius APT Android Spyware Targets Pakistani and Other South Asian Regions
- Feb 10 – [Lookout] Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict
- Feb 09 – [Palo Alto Networks] BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech
- Feb 08 – [CheckPoint] Domestic Kitten – An Inside Look at the Iranian Surveillance Operations
- Feb 03 – [Palo Alto Networks] Hildegard: New TeamTNT Malware Targeting Kubernetes
- Feb 02 – [ESET] Kobalos – A complex Linux threat to high performance computing infrastructure
- Feb 01 – [VinCSS] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT
- Feb 01 – [ESET] Operation NightScout: Supply‑chain attack targets online gaming in Asia
- Jan 31 – [JPCERT] A41APT case ~ Analysis of the Stealth APT Campaign Threatening Japan
- Jan 28 – [ClearSky] “Lebanese Cedar” APT: Global Lebanese Espionage Campaign Leveraging Web Servers
- Jan 20 – [JPCERT] Commonly Known Tools Used by Lazarus
- Jan 20 – [Cyble] A Deep Dive Into Patchwork APT Group
- Jan 14 – [Positive] Higaisa or Winnti? APT41 backdoors, old and new
- Jan 12 – [ESET] Operation Spalax: Targeted malware attacks in Colombia
- Jan 12 – [Yoroi] Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife
- Jan 12 – [NCCgroup] Abusing cloud services to fly under the radar
- Jan 11 – [Palo Alto Networks] xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement
- Jan 11 – [CrowdStrike] SUNSPOT: An Implant in the Build Process
- Jan 11 – [Kaspersky] Sunburst backdoor – code overlaps with Kazuar
- Jan 08 – [Certfa] Charming Kitten’s Christmas Gift
- Jan 07 – [Prodaft] Brunhilda DaaS Malware Analysis Report
- Jan 06 – [CISCO] A Deep Dive into Lokibot Infection Chain
- Jan 06 – [Malwarebytes] Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
- Jan 05 – [QuoIntelligence] ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware
- Jan 05 – [Trend Micro] Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
- Jan 04 – [CheckPoint] Stopping Serial Killer: Catching the Next Strike: Dridex
- Jan 04 – [Medium] APT27 Turns to Ransomware
- Jan 04 – [Nao-Sec] Royal Road! Re:Dive
2020
- Dec 30 – [Recorded Future] SolarWinds Attribution: Are We Getting Ahead of Ourselves?
- Dec 29 – [Uptycs] Revenge RAT targeting users in South America
- Dec 23 – [Kaspersky] Lazarus covets COVID-19-related intelligence
- Dec 22 – [Truesec] Collaboration between FIN7 and the RYUK group, a Truesec Investigation
- Dec 19 – [VinCSS] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority
- Dec 17 – [ClearSky] Pay2Kitten
- Dec 17 – [ESET] Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia
- Dec 16 – [Team Cymru] Mapping out AridViper Infrastructure Using Augury’s Malware Module
- Dec 15 – [WeiXin] APT-C-47 ClickOnce Operation
- Dec 15 – [hvs consulting] Greetings from Lazarus Anatomy of a cyber espionage campaign
- Dec 13 – [Fireeye] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- Dec 09 – [Intezer] A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
- Dec 09 – [Trend Micro] SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks
- Dec 07 – [Group-IB] The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
- Dec 02 – [ESET] Turla Crutch: Keeping the “back door” open
- Dec 03 – [Telsy] Adversary Tracking Report
- Dec 01 – [CISA] Advanced Persistent Threat Actors Targeting U.S. Think Tanks
- Dec 01 – [Prevasio] OPERATION RED KANGAROO: INDUSTRY’S FIRST DYNAMIC ANALYSIS OF 4M PUBLIC DOCKER CONTAINER IMAGES
- Nov 30 – [Yoroi] Shadows From the Past Threaten Italian Enterprises
- Nov 30 – [Microsoft] Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them
- Nov 27 – [PTSecurity] Investigation with a twist: an accidental APT attack and averted data destruction
- Nov 26 – [CheckPoint] Bandook: Signed & Delivered
- Nov 23 – [S2W Lab] Analysis of Clop Ransomware suspiciously related to the Recent Incident
- Nov 19 – [Cybereason] Cybereason vs. MedusaLocker Ransomware
- Nov 18 – [KR-CERT] Analysis of the Bookcodes RAT C2 framework starting with spear phishing
- Nov 17 – [Cybereason] CHAES: Novel Malware Targeting Latin American E-Commerce
- Nov 17 – [Symantec] Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign
- Nov 16 – [FoxIT] TA505: A Brief History Of Their Time
- Nov 16 – [Bitdefender] A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions
- Nov 12 – [CISCO] CRAT wants to plunder your endpoints
- Nov 12 – [BlackBerry] The CostaRicto Campaign: Cyber-Espionage Outsourced
- Nov 12 – [ESET] Hungry for data, ModPipe backdoor hits POS software used in hospitality sector
- Nov 12 – [Morphisec] JUPYTER INFOSTEALER
- Nov 10 – [Recorded Future] New APT32 Malware Campaign Targets Cambodian Government
- Nov 06 – [Volexity] OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
- Nov 04 – [Sophos] A new APT uses DLL side-loads to “KilllSomeOne”
- Nov 02 – [FireEye] Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945
- Nov 01 – [Cyberstanc] A look into APT36’s (Transparent Tribe) tradecraft
- Oct 27 – [US-CERT] North Korean Advanced Persistent Threat Focus: Kimsuky
- Oct 26 – [DrWeb] Study of the ShadowPad APT backdoor and its relation to PlugX
- Oct 23 – [360] APT-C-44 NAFox
- Oct 22 – [WeiXin] Bitter CHM
- Oct 19 – [Trend Micro] Operation Earth Kitsune: Tracking SLUB’s Current Operations
- Oct 15 – [ClearSky] Operation Quicksand – MuddyWater’s Offensive Attack Against Israeli Organizations
- Oct 14 – [Malwarebytes] Silent Librarian APT right on schedule for 20/21 academic year
- Oct 13 – [WeiXin] Operation Rubia cordifolia
- Oct 07 – [BlackBerry] BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals
- Oct 06 – [Malwarebytes] Release the Kraken: Fileless APT attack abuses Windows Error Reporting service
- Oct 05 – [Kaspersky] MosaicRegressor: Lurking in the Shadows of UEFI
- Sep 30 – [ESET] APT‑C‑23 group evolves its Android spyware
- Sep 29 – [Symantec] Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
- Sep 29 – [PTSecurity] ShadowPad: new activity from the Winnti group
- Sep 25 – [Amnesty] German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed
- Sep 25 – [360] APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign
- Sep 24 – [Microsoft] detecting empires in the cloud
- Sep 23 – [Seqrite] Operation SideCopy
- Sep 22 – [Quointelligence] APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
- Sep 21 – [CISCO] The art and science of detecting Cobalt Strike
- Sep 17 – [Qianxin] Operation Tibbar
- Sep 16 – [Intel471] Partners in crime: North Koreans and elite Russian-speaking cybercriminals
- Sep 08 – [Microsoft] TeamTNT activity targets Weave Scope deployments
- Sep 03 – [Cybereason] NO REST FOR THE WICKED: EVILNUM UNLEASHES PYVIL RAT
- Sep 01 – [proofpoint] Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe
- Aug 27 – [ClearSky] The Kittens Are Back in Town 3
- Aug 28 – [Kaspersky] Transparent Tribe: Evolution analysis, part 2
- Aug 24 – [Kaspersky] Lifting the veil on DeathStalker, a mercenary triumvirate
- Aug 20 – [CertFR] DEVELOPMENT OF THE ACTIVITY OF THE TA505 CYBERCRIMINAL GROUP
- Aug 20 – [Bitdefender] More Evidence of APT Hackers-for-Hire Used for Industrial Espionage
- Aug 18 – [F-Secure] LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL
- Aug 13 – [Kaspersky] CactusPete APT group’s updated Bisonal backdoor
- Aug 13 – [ClearSky] Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
- Aug 13 – [CISA] Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
- Aug 12 – [Kaspersky] Internet Explorer and Windows zero-day exploits used in Operation PowerFall
- Aug 10 – [Seqrite] Gorgon APT targeting MSME sector in India
- Aug 03 – [CISA] MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR
- Jul 29 – [McAfee] Operation North Star: A Job Offer That’s Too Good to be True?
- Jul 28 – [Group-IB] JOLLY ROGER’S PATRONS
- Jul 22 – [Palo Alto Networks] OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
- Jul 22 – [Kaspersky] MATA: Multi-platform targeted malware framework
- Jul 20 – [Dr.Web] Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
- Jul 17 – [CERT-FR] THE MALWARE DRIDEX: ORIGINS AND USES
- Jul 16 – [NCSC] Advisory: APT29 targets COVID-19 vaccine development
- Jul 15 – [F-Secure] THE FAKE CISCO: Hunting for backdoors in Counterfeit Cisco devices
- Jul 14 – [Telsy] TURLA / VENOMOUS BEAR UPDATES ITS ARSENAL: “NEWPASS” APPEARS ON THE APT THREAT SCENE
- Jul 14 – [ESET] Welcome Chat as a secure messaging app? Nothing could be further from the truth
- Jul 12 – [WeiXin] SideWinder 2020 H1
- Jul 09 – [AGARI] Cosmic Lynx: The Rise of Russian BEC
- Jul 09 – [ESET] More evil: A deep look at Evilnum and its toolset
- Jul 08 – [Sedbraven] Copy cat of APT Sidewinder?
- Jul 08 – [proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
- Jul 08 – [Seqrite] Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India
- Jul 06 – [Sansec] North Korean hackers are skimming US and European shoppers
- Jul 01 – [Lookout] Mobile APT Surveillance Campaigns Targeting Uyghurs
- Jun 30 – [Bitdefender] StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure
- Jun 29 – [CISCO] PROMETHIUM extends global reach with StrongPity3 APT
- Jun 26 – [Symantec] WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
- Jun 25 – [Elastic] A close look at the advanced techniques used in a Malaysian-focused APT campaign
- Jun 24 – [Dell] BRONZE VINEWOOD Targets Supply Chains
- Jun 23 – [NCCGroup] WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
- Jun 19 – [Zscaler] Targeted Attack Leverages India-China Border Dispute to Lure Victims
- Jun 18 – [ESET] Digging up InvisiMole’s hidden arsenal
- Jun 17 – [ESET] Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies
- Jun 17 – [Palo Alto] AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
- Jun 17 – [Malwarebytes] Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
- Jun 16 – [PTSecurity] Cobalt: tactics and tools update
- Jun 15 – [Amnesty] India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
- Jun 11 – [Trend Micro] New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
- Jul 11 – [ESET] Gamaredon group grows its game
- Jun 08 – [proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
- Jun 08 – [CheckPoint] GuLoader? No, CloudEyE
- Jun 03 – [Malwarebytes] New LNK attack tied to Higaisa APT discovered
- Jun 03 – [Kaspersky] Cycldek: Bridging the (air) gap
- Jun 01 – [Lifars] Cryptocurrency Miners – XMRig Based CoinMiner by Blue Mockingbird Group
- May 29 – [IronNet] Russian Cyber Attack Campaigns and Actors
- May 28 – [Kaspersky] The zero-day exploits of Operation WizardOpium
- May 26 – [ESET] From Agent.BTZ to ComRAT v4: A ten‑year journey
- May 21 – [Intezer] The Evolution of APT15’s Codebase 2020
- May 21 – [Bitdefender] Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
- May 21 – [ESET] No “Game over” for the Winnti Group
- May 19 – [Symantec] Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
- May 18 – [360] APT-C-23 middle East
- May 14 – [Telekom] LOLSnif – Tracking Another Ursnif-Based Targeted Campaign
- May 14 – [Sophos] RATicate: an attacker’s waves of information-stealing malware
- May 14 – [360] Vendetta-new threat actor from Europe
- May 14 – [ESET] Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
- May 14 – [Avast] APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
- May 14 – [Kaspersky] COMpfun authors spoof visa application with HTTP status-based Trojan
- May 13 – [ESET] Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
- May 12 – [Trend Micro] Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments
- May 11 – [Zscaler] Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT
- May 11 – [Palo Alto] Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
- May 07 – [RedCanary] Introducing Blue Mockingbird
- May 07 – [CheckPoint] Naikon APT: Cyber Espionage Reloaded
- May 06 – [Prevailion] Phantom in the Command Shell
- May 06 – [CyberStruggle] Leery Turtle Threat Report
- May 05 – [CheckPoint] Nazar: Spirits of the Past
- Apr 29 – [Recorded Future] Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests
- Apr 28 – [Yoroi] Outlaw is Back, a New Crypto-Botnet Targets European Organizations
- Apr 28 – [ESET] Grandoreiro: How engorged can an EXE get?
- Apr 24 – [LAC JP] PoshC2
- Apr 21 – [Volexity] Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant
- Apr 20 – [QuoIntelligence] WINNTI GROUP: Insights From the Past
- Apr 17 – [Trend Micro] Gamaredon APT Group Use Covid-19 Lure in Campaigns
- Apr 16 – [Trend Micro] Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems
- Apr 16 – [White Ops] Giving Fraudsters the Cold Shoulder: Inside the Largest Connected TV Bot Attack
- Apr 15 – [Lookout] Nation-state Mobile Malware Targets Syrians with COVID-19 Lures
- Apr 15 – [Cycraft] Craft for Resilience: APT Group Chimera
- Apr 07 – [MalwareBytes] APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
- Apr 07 – [Zscaler] New Ursnif Campaign: A Shift from PowerShell to Mshta
- Apr 07 – [BlackBerry] Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android
- Mar 30 – [Alyac] The ‘Spy Cloud’ Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection
- Mar 26 – [Kaspersky] iOS exploit chain deploys LightSpy feature-rich malware
- Mar 25 – [FireEye] This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
- Mar 24 – [Kaspersky] WildPressure targets industrial-related entities in the Middle East
- Mar 24 – [Trend Micro] Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links
- Mar 19 – [Trend Micro] Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More
- Mar 15 – [MalwareBytes] APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT
- Mar 12 – [Checkpoint] Vicious Panda: The COVID Campaign
- Mar 12 – [SecPulse] Two-tailed scorpion APT-C-23
- Mar 12 – [ESET] Tracking Turla: New backdoor delivered via Armenian watering holes
- Mar 11 – [Trend Micro] Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
- Mar 10 – [Cybereason] WHO’S HACKING THE HACKERS: NO HONOR AMONG THIEVES
- Mar 05 – [Trend Micro] Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
- Mar 05 – [ESET] Guildma: The Devil drives electric
- Mar 03 – [F5] New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution
- Mar 03 – [Yoroi] The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs
- Mar 02 – [Telsy] APT34 (AKA OILRIG, AKA HELIX KITTEN) ATTACKS LEBANON GOVERNMENT ENTITIES WITH MAILDROPPER IMPLANTS
- Feb 28 – [Qianxin] Nortrom_Lion_APT
- Feb 25 – [Sophos] ‘Cloud Snooper’ Attack Bypasses Firewall Security Measures
- Feb 22 – [Objective-See] Weaponizing a Lazarus Group Implant
- Feb 21 – [AhnLab] MyKings Botnet
- Feb 19 – [lexfo] The Lazarus Constellation
- Feb 18 – [Trend Micro] Operation DRBControl
- Feb 17 – [Yoroi] Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign
- Feb 17 – [Talent-Jump] CLAMBLING – A New Backdoor Base On Dropbox (EN)
- Feb 17 – [ClearSky] Fox Kitten Campaign
- Feb 13 – [Cybereason] NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS – PART 2: THE DISCOVERY OF THE NEW, MYSTERIOUS PIEROGI BACKDOOR
- Feb 10 – [Trend Micro] Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems
- Feb 03 – [PaloAlto Networks] Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations
- Jan 31 – [ESET] Winnti Group targeting universities in Hong Kong
- Jan 16 – [CISCO] JhoneRAT: Cloud based python RAT targeting Middle Eastern countries
- Jan 13 – [ShellsSystems] Reviving MuddyC3 Used by MuddyWater (IRAN) APT
- Jan 13 – [Lab52] APT27 ZxShell RootKit module updates
- Jan 09 – [Dragos] The State of Threats to Electric Entities in North America
- Jan 08 – [Kaspersky] Operation AppleJeus Sequel
- Jan 07 – [Recorded Future] Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access
- Jan 07 – [NCA] Destructive Attack: DUSTMAN
- Jan 06 – [Trend Micro] First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
- Jan 01 – [WeiXin] Pakistan Sidewinder APT Attack
2019
- Dec 29 – [Dell] BRONZE PRESIDENT Targets NGOs
- Dec 26 – [Pedro Tavares] Targeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax
- Dec 19 – [FoxIT] Operation Wocao
- Dec 17 – [PaloAlto] Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
- Dec 17 – [360] Dacls, the Dual platform RAT
- Dec 16 – [Sophos] MyKings: The Slow But Steady Growth of a Relentless Botnet
- Dec 12 – [Trend Micro] Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry
- Dec 12 – [Microsoft] GALLIUM: Targeting global telecom
- Dec 12 – [Recorded Future] Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs
- Dec 11 – [Trend Micro] Waterbear is Back, Uses API Hooking to Evade Security Product Detection
- Dec 11 – [Cybereason] DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE
- Dec 10 – [Sentinel] Anchor Project: The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT
- Dec 06 – [SCILabs] Cosmic Banker campaign is still active revealing link with Banload malware
- Dec 04 – [IBM] New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
- Dec 04 – [Trend Micro] Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
- Dec 03 – [NSHC] Threat Actor Targeting Hong Kong Pro-Democracy Figures
- Nov 29 – [Trend Micro] Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK
- Nov 28 – [Kaspersky] RevengeHotels: cybercrime targeting hotel front desks worldwide
- Nov 26 – [Microsoft] Insights from one year of tracking a polymorphic threat: Dexphot
- Nov 25 – [Positive] Studying Donot Team
- Nov 21 – [ESET] Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon
- Nov 20 – [360] Golden Eagle (APT-C-34)
- Nov 20 – [Trend Micro] Mac Backdoor Linked to Lazarus Targets Korean Users
- Nov 13 – [Trend Micro] More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
- Nov 12 – [Marco Ramilli] TA-505 Cybercrime on System Integrator Companies
- Nov 08 – [Group-IB] Massive malicious campaign by FakeSecurity JS-sniffer
- Nov 08 – [Kaspersky] Titanium: the Platinum group strikes again
- Nov 05 – [Telsy] THE LAZARUS’ GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE?
- Nov 04 – [Tencent] Higaisa APT
- Nov 04 – [Marco Ramilli] Is Lazarus/APT38 Targeting Critical Infrastructures
- Nov 01 – [Kaspersky] Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium
- Oct 31 – [PTsecurity] Calypso APT: new group attacking state institutions
- Oct 31 – [Fireeye] MESSAGETAP: Who’s Reading Your Text Messages?
- Oct 28 – [Marco Ramilli] SWEED Targeting Precision Engineering Companies in Italy
- Oct 21 – [ESET] Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
- Oct 21 – [VB] Geost botnet. The story of the discovery of a new Android banking trojan from an OpSec error
- Oct 17 – [ESET] Operation Ghost: The Dukes aren’t back – they never left
- Oct 15 – [Fireeye] LOWKEY: Hunting for the Missing Volume Serial ID
- Oct 14 – [Marco Ramilli] Is Emotet gang targeting companies with external SOC?
- Oct 14 – [Exatrack] From tweet to rootkit
- Oct 14 – [Crowdstrike] HUGE FAN OF YOUR WORK: TURBINE PANDA
- Oct 10 – [Fireeye] Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques
- Oct 10 – [ESET] CONNECTING THE DOTS Exposing the arsenal and methods of the Winnti Group
- Oct 10 – [ESET] Attor, a spy platform with curious GSM fingerprinting
- Oct 09 – [Trend Micro] FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops
- Oct 07 – [CERT-FR] Supply chain attacks: threats targeting service providers and design offices
- Oct 07 – [Clearsky] The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods
- Oct 07 – [Anomali] China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations
- Oct 04 – [Avast] GEOST BOTNET. THE STORY OF THE DISCOVERY OF A NEW ANDROID BANKING TROJAN FROM AN OPSEC ERROR
- Oct 03 – [Palo Alto Networks] PKPLUG: Chinese Cyber Espionage Group Attacking Asia
- Oct 01 – [Netskope] New Adwind Campaign targets US Petroleum Industry
- Oct 01 – [Trend Micro] New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
- Sep 30 – [Lastline] HELO Winnti: Attack or Scan?
- Sep 26 – [GBHackers] Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor
- Sep 24 – [Telsy] DeadlyKiss APT
- Sep 24 – [CISCO] How Tortoiseshell created a fake veteran hiring website to host malware
- Sep 24 – [CheckPoint] Mapping the connections inside Russia’s APT Ecosystem
- Sep 18 – [Symantec] Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
- Sep 18 – [Trend Micro] Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites
- Sep 15 – [Clearsky] The Kittens Are Back in Town Charming Kitten Campaign Against Academic Researchers
- Sep 11 – [MeltX0R Security] RANCOR APT: Suspected targeted attacks against South East Asia
- Sep 09 – [Symantec] Thrip: Ambitious Attacks Against High Level Targets Continue
- Sep 06 – [MeltX0R Security] BITTER APT: Not So Sweet
- Sep 05 – [CheckPoint] UPSynergy: Chinese-American Spy vs. Spy Story
- Sep 04 – [Trend Micro] Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
- Aug 31 – [StrangerealIntel] Malware analysis on Bitter APT campaign
- Aug 29 – [AhnLab] Tick Tock – Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years
- Aug 29 – [Trend Micro] ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
- Aug 29 – [IBM] More_eggs, Anyone? Threat Actor ITG08 Strikes Again
- Aug 29 – [NSHC] SectorJ04 Group’s Increased Activity in 2019
- Aug 27 – [StrangerealIntel] Malware analysis about sample of APT Patchwork
- Aug 27 – [Dell] LYCEUM Takes Center Stage in Middle East Campaign
- Aug 27 – [CISCO] China Chopper still active 9 years later
- Aug 27 – [Trend Micro] TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
- Aug 26 – [QianXin] APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan
- Aug 22 – [PTsecurity] Operation TaskMasters: Cyberespionage in the digital economy age
- Aug 21 – [Fortinet] The Gamaredon Group: A TTP Profile Analysis
- Aug 21 – [Group-IB] Silence 2.0
- Aug 20 – [StrangerealIntel] Malware analysis about unknown Chinese APT campaign
- Aug 14 – [ESET] In the Balkans, businesses are under fire from a double‑barreled weapon
- Aug 12 – [Kaspersky] Recent Cloud Atlas activity
- Aug 08 – [Anomali] Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations
- Aug 07 – [FireEye] APT41: A Dual Espionage and Cyber Crime Operation
- Aug 05 – [Trend Micro] Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
- Aug 05 – [ESET] Sharpening the Machete
- Aug 01 – [Antiy] Analysis of the Attack of Mobile Devices by OceanLotus
- Jul 24 – [Dell] Resurgent Iron Liberty Targeting Energy Sector
- Jul 24 – [] Attacking the Heart of the German Industry
- Jul 24 – [Proofpoint] Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
- Jul 18 – [FireEye] Hard Pass: Declining APT34’s Invite to Join Their Professional Network
- Jul 18 – [Trend Micro] Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C
- Jul 18 – [ESET] OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY
- Jul 17 – [AT&T] Newly identified StrongPity operations
- Jul 17 – [Intezer] EvilGnome: Rare Malware Spying on Linux Desktop Users
- Jul 16 – [Trend Micro] SLUB Gets Rid of GitHub, Intensifies Slack Use
- Jul 15 – [CISCO] SWEED: Exposing years of Agent Tesla campaigns
- Jul 11 – [ESET] Buhtrap group uses zero‑day in latest espionage campaigns
- Jul 09 – [CISCO] Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
- Jul 04 – [Kaspersky] Twas the night before
- Jul 04 – [Trend Micro] Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
- Jul 03 – [Anomali] Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018
- Jul 01 – [Check Point] Operation Tripoli
- Jul 01 – [Cylance] Threat Spotlight: Ratsnif – New Network Vermin from OceanLotus
- Jun 27 – [Trend Micro] ShadowGate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit
- Jun 26 – [Recorded Future] Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations
- Jun 25 – [QianXin] Analysis of MuddyC3, a New Weapon Used by MuddyWater
- Jun 25 – [Cybereason] OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
- Jun 21 – [Symantec] Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
- Jun 20 – [QianXin] New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam
- Jun 12 – [ThaiCERT] Threat Group Cards: A Threat Actor Encyclopedia
- Jun 11 – [Recorded Future] The Discovery of Fishwrap: A New Social Media Information Operation Methodology
- Jun 10 – [BlackBerry] Threat Spotlight: MenuPass/QuasarRAT Backdoor
- Jun 10 – [Trend Micro] MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
- Jun 05 – [Agari] Scattered Canary The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise
- Jun 04 – [Bitdefender] An APT Blueprint: Gaining New Visibility into Financial Threats
- Jun 03 – [Kaspersky] Zebrocy’s Multilanguage Malware Salad
- May 30 – [CISCO] 10 years of virtual dynamite: A high-level retrospective of ATM malware
- May 29 – [ESET] A dive into Turla PowerShell usage
- May 29 – [Yoroi] TA505 is Expanding its Operations
- May 28 – [Palo Alto Networks] Emissary Panda Attacks Middle East Government Sharepoint Servers
- May 27 – [360] APT-C-38
- May 24 – [ENSILO] UNCOVERING NEW ACTIVITY BY APT10
- May 22 – [ESET] A journey to Zebrocy land
- May 19 – [Intezer] HiddenWasp Malware Stings Targeted Linux System
- May 18 – [ADLab] Operation BlackLion
- May 15 – [Chronicle] Winnti: More than just Windows and Gates
- May 13 – [Kaspersky] ScarCruft continues to evolve, introduces Bluetooth harvester
- May 11 – [Sebdraven] Chinese Actor APT target Ministry of Justice Vietnamese
- May 09 – [Clearsky] Iranian Nation-State APT Groups – “Black Box” Leak
- May 08 – [Kaspersky] FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
- May 08 – [QianXin] OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure
- May 07 – [Yoroi] ATMitch: New Evidence Spotted In The Wild
- May 07 – [ESET] Turla LightNeuron: An email too far
- May 07 – [Symantec] Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
- May 03 – [Kaspersky] Who’s who in the Zoo Cyberespionage operation targets Android users in the Middle East
- Apr 30 – [ThreatRecon] SectorB06 using Mongolian language in lure document
- Apr 24 – [CyberInt] legit remote admin tools turn into threat actors’ tools
- Apr 23 – [Kaspersky] Operation ShadowHammer: a high-profile supply chain attack
- Apr 22 – [CheckPoint] FINTEAM: Trojanized TeamViewer Against Government Targets
- Apr 19 – [MalwareBytes] “Funky malware format” found in Ocean Lotus sample
- Apr 17 – [Palo Alto Networks] Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign
- Apr 17 – [CISCO] DNS Hijacking Abuses Trust In Core Internet Service
- Apr 10 – [CheckPoint] The Muddy Waters of APT Attacks
- Apr 10 – [Kaspersky] Project TajMahal – a sophisticated new APT framework
- Apr 10 – [Kaspersky] Gaza Cybergang Group1, operation SneakyPastes
- Apr 02 – [Cylance] OceanLotus Steganography
- Mar 28 – [Trend Micro] Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole
- Mar 28 – [C4ADS] Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria
- Mar 28 – [ThreatRecon] Threat Actor Group using UAC Bypass Module to run BAT File
- Mar 27 – [Symantec] Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
- Mar 25 – [Kaspersky] Operation ShadowHammer
- Mar 22 – [Netscout] LUCKY ELEPHANT CAMPAIGN MASQUERADING
- Mar 13 – [CISCO] GlitchPOS: New PoS malware for sale
- Mar 13 – [FlashPoint] ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses
- Mar 13 – [CheckPoint] Operation Sheep: Pilfer-Analytics SDK in Action
- Mar 12 – [Palo Alto Networks] Operation Comando: How to Run a Cheap and Effective Credit Card Business
- Mar 11 – [ESET] Gaming industry still in the scope of attackers in Asia
- Mar 08 – [Resecurity] Supply Chain – The Major Target of Cyberespionage Groups
- Mar 07 – [Trend Micro] New SLUB Backdoor Uses GitHub, Communicates via Slack
- Mar 06 – [Cybaze-Yoroi Z-LAB] Operation Pistacchietto
- Mar 06 – [NTT] Targeted attack using Taidoor Analysis report
- Mar 06 – [Symantec] Whitefly: Espionage Group has Singapore in Its Sights
- Mar 04 – [FireEye] APT40: Examining a China-Nexus Espionage Actor
- Feb 28 – [Marco Ramilli] Ransomware, Trojan and Miner together against “PIK-Group”
- Feb 27 – [Dell] A Peek into BRONZE UNION’s Toolbox
- Feb 26 – [Cybaze-Yoroi Z-LAB] The Arsenal Behind the Australian Parliament Hack
- Feb 25 – [CarbonBlack] Defeating Compiler Level Obfuscations Used in APT10 Malware
- Feb 20 – [SecureSoft] Attacks by the Lazarus Cybercriminal Group Targeting Organizations in Russia Identified
- Feb 18 – [360] APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations
- Feb 14 – [360] Suspected Molerats’ New Attack in the Middle East
- Feb 06 – [Recorded Future] APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
- Feb 05 – [Anomali] Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain?
- Feb 01 – [Palo Alto Networks] Tracking OceanLotus’ new Downloader, KerrDown
- Jan 30 – [Kaspersky] Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
- Jan 30 – [NSHC] The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)
- Jan 30 – [Morphisec] NEW CAMPAIGN DELIVERS ORCUS RAT
- Jan 25 – [LAB52] WIRTE Group attacking the Middle East
- Jan 24 – [Carbon Black] GandCrab and Ursnif Campaign
- Jan 18 – [Palo Alto Networks] DarkHydrus delivers new Trojan that can use Google Drive for C2 communications
- Jan 17 – [Palo Alto Networks] Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products
- Jan 16 – [360] Latest Targeted Attack of DarkHydrus Group Against Middle East
2018
- Dec 28 – [Medium] Goblin Panda changes the dropper and reuses the old infrastructure
- Dec 27 – [Cybaze-Yoroi Z-LAB] The Enigmatic “Roma225” Campaign
- Dec 20 – [Objective-See] Middle East Cyber-Espionage: analyzing WindShift’s implant: OSX.WindTail
- Dec 18 – [Trend Micro] URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
- Dec 13 – [Certfa] The Return of The Charming Kitten
- Dec 13 – [Trend Micro] Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak
- Dec 13 – [Palo Alto Networks] Shamoon 3 Targets Oil and Gas Organization
- Dec 12 – [McAfee] ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
- Dec 12 – [360] Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China
- Dec 11 – [Cylance] Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure
- Nov ?? – [Google] The Hunt for 3ve
- Nov 30 – [Trend Micro] New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools
- Nov 29 – [360] Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups
- Nov 28 – [Microsoft] Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks
- Nov 28 – [Clearsky] MuddyWater Operations in Lebanon and Oman
- Nov 27 – [CISCO] DNSpionage Campaign Targets Middle East
- Nov 20 – [Trend Micro] Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America
- Nov 19 – [FireEye] Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
- Nov 13 – [Recorded Future] Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
- Nov 08 – [Symantec] FASTCash: How the Lazarus Group is Emptying Millions from ATMs
- Nov 05 – [Palo Alto Networks] Inception Attackers Target Europe with Year-old Office Vulnerability
- Nov 01 – [Trend Micro] Outlaw group: Perl-Based Shellbot Looks to Target Organizations via C&C
- Oct 19 – [Kaspersky] DarkPulsar
- Oct 18 – [Medium] APT Sidewinder changes their TTPs to install their backdoor
- Oct 18 – [CISCO] Tracking Tick Through Recent Campaigns Targeting East Asia
- Oct 18 – [McAfee] Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group
- Oct 17 – [Marco Ramilli] MartyMcFly Malware: Targeting Naval Industry
- Oct 17 – [Cylance] The SpyRATs of OceanLotus: Malware Analysis White Paper
- Oct 17 – [ESET] GreyEnergy: Updated arsenal of one of the most dangerous threat actors
- Oct 17 – [Yoroi] Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)
- Oct 15 – [Kaspersky] Octopus-infested seas of Central Asia
- Oct 11 – [Symantec] Gallmaker: New Attack Group Eschews Malware to Live off the Land
- Oct 10 – [Kaspersky] MuddyWater expands operations
- Oct 03 – [FireEye] APT38: Details on New North Korean Regime-Backed Threat Group
- Sep 27 – [ESET] LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
- Sep 20 – [360] (Non-English) (CN) PoisonVine
- Sep 19 – [Antiy] (Non-English) (CN) Green Spot APT
- Sep 13 – [FireEye] APT10 Targeting Japanese Corporations Using Updated TTPs
- Sep 10 – [Kaspersky] LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
- Sep 07 – [Volon] Targeted Attack on Indian Ministry of External Affairs using Crimson RAT
- Sep 07 – [CheckPoint] Domestic Kitten: An Iranian Surveillance Operation
- Sep 07 – [Medium] Goblin Panda targets Cambodia, sharing capabilities with another Chinese hacker group, Temp Periscope
- Sep 04 – [Palo Alto Networks] OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
- Sep 04 – [Group-IB] Silence: Moving into the darkside
- Aug 30 – [MalwareBytes] Reversing malware in a custom format: Hidden Bee elements
- Aug 30 – [CrowdStrike] Two Birds, One STONE PANDA
- Aug 30 – [Arbor] Double the Infection, Double the Fun
- Aug 30 – [Dark Matter] COMMSEC: The Trails of WINDSHIFT APT
- Aug 29 – [Trend Micro] The Urpage Connection to Bahamut, Confucius and Patchwork
- Aug 28 – [CheckPoint] CeidPageLock: A Chinese RootKit
- Aug 23 – [Kaspersky] Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
- Aug 21 – [ESET] TURLA OUTLOOK BACKDOOR
- Aug 21 – [Trend Micro] Supply Chain Attack Operation Red Signature Targets South Korean Organizations
- Aug 16 – [Recorded Future] Chinese Cyberespionage Originating From Tsinghua University Infrastructure
- Aug 09 – [McAfee] Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families
- Aug 02 – [Accenture] Goldfin Security Alert
- Aug 02 – [Palo Alto Networks] The Gorgon Group: Slithering Between Nation State and Cybercrime
- Aug 02 – [Medium] Goblin Panda against the Bears
- Aug 01 – [Medium] Malicious document targets Vietnamese officials
- Jul 31 – [Palo Alto Networks] Bisonal Malware Used in Attacks Against Russia and South Korea
- Jul 31 – [Medium] Malicious document targets Vietnamese officials
- Jul 27 – [Palo Alto Networks] New Threat Actor Group DarkHydrus Targets Middle East Government
- Jul 23 – [CSE] APT27: A long-term espionage campaign in Syria
- Jul 16 – [Trend Micro] New Andariel Reconnaissance Tactics Hint At Next Targets
- Jul 13 – [CSE] Operation Roman Holiday – Hunting the Russian APT28 group
- Jul 12 – [CISCO] Advanced Mobile Malware Campaign in India uses Malicious MDM
- Jul 09 – [ESET] Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign
- Jul 08 – [CheckPoint] APT Attack In the Middle East: The Big Bang
- Jul 08 – [Fortinet] Hussarini – Targeted Cyber Attack in the Philippines
- Jun XX – [Ahnlab] Operation Red Gambler
- Jun 26 – [Palo Alto Networks] RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families
- Jun 23 – [Ahnlab] Full Disclosure of Andariel, A Subgroup of Lazarus Threat Group
- Jun 22 – [Palo Alto Networks] Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
- Jun 20 – [Symantec] Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies
- Jun 19 – [Kaspersky] Olympic Destroyer is still alive
- Jun 14 – [Trend Micro] Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor
- Jun 14 – [Intezer] MirageFox: APT15 Resurfaces With New Tools Based On Old Ones
- Jun 13 – [Kaspersky] LuckyMouse hits national data center to organize country-level waterholing campaign
- Jun 07 – [Volexity] Patchwork APT Group Targets US Think Tanks
- Jun 07 – [ICEBRG] ADOBE FLASH ZERO-DAY LEVERAGED FOR TARGETED ATTACK IN MIDDLE EAST
- Jun 07 – [FireEye] A Totally Tubular Treatise on TRITON and TriStation
- Jun 06 – [CISCO] VPNFilter Update – VPNFilter exploits endpoints, targets new devices
- Jun 06 – [GuardiCore] OPERATION PROWLI: MONETIZING 40,000 VICTIM MACHINES
- Jun 06 – [Palo Alto Networks] Sofacy Group’s Parallel Attacks
- May 31 – [CISCO] NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea
- May 29 – [Intezer] Iron Cybercrime Group Under The Scope
- May 23 – [CISCO] New VPNFilter malware targets at least 500K networking devices worldwide
- May 23 – [Ahnlab] Andariel Group Trend Report
- May 23 – [Trend Micro] Confucius Update: New Tools and Techniques, Further Connections with Patchwork
- May 22 – [Intrusiontruth] The destruction of APT3
- May 22 – [ESET] Turla Mosquito: A shift towards more generic tools
- May 09 – [Recorded Future] Iran’s Hacker Hierarchy Exposed
- May 09 – [360] Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
- May 03 – [ProtectWise] Burning Umbrella
- May 03 – [Kaspersky] Who’s who in the Zoo: Cyberespionage operation targets Android users in the Middle East
- May 03 – [Ahnlab] Detailed Analysis of Red Eyes Hacking Group
- Apr 27 – [Tencent] OceanLotus new malware analysis
- Apr 26 – [CISCO] GravityRAT – The Two-Year Evolution Of An APT Targeting India
- Apr 24 – [FireEye] Metamorfo Campaigns Targeting Brazilian Users
- Apr 24 – [McAfee] Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
- Apr 24 – [ESET] Sednit update: Analysis of Zebrocy
- Apr 23 – [Accenture] HOGFISH REDLEAVES CAMPAIGN
- Apr 23 – [Symantec] New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia
- Apr 23 – [Kaspersky] Energetic Bear/Crouching Yeti: attacks on servers
- Apr 17 – [NCCGroup] Decoding network data from a Gh0st RAT variant
- Apr 12 – [Kaspersky] Operation Parliament, who is doing what?
- Apr 04 – [Trend Micro] New MacOS Backdoor Linked to OceanLotus Found
- Mar 29 – [Trend Micro] ChessMaster Adds Updated Tools to Its Arsenal
- Mar 27 – [Arbor] Panda Banker Zeros in on Japanese Targets
- Mar 23 – [Ahnlab] Targeted Attacks on South Korean Organizations
- Mar 15 – [US-CERT] Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
- Mar 14 – [Symantec] Inception Framework: Alive and Well, and Hiding Behind Proxies
- Mar 14 – [Trend Micro] Tropic Trooper’s New Strategy
- Mar 13 – [FireEye] Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
- Mar 13 – [Kaspersky] Time of death? A therapeutic postmortem of connected medicine
- Mar 13 – [Proofpoint] Drive-by as a service: BlackTDS
- Mar 13 – [ESET] OceanLotus: Old techniques, new backdoor
- Mar 12 – [Trend Micro] Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia
- Mar 09 – [CitizenLab] BAD TRAFFIC Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
- Mar 09 – [Kaspersky] Masha and these Bears 2018 Sofacy Activity
- Mar 09 – [NCC] APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS
- Mar 09 – [ESET] New traces of Hacking Team in the wild
- Mar 08 – [McAfee] Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant
- Mar 08 – [Kaspersky] OlympicDestroyer is here to trick the industry
- Mar 08 – [Arbor] Donot Team Leverages New Modular Malware Framework in South Asia
- Mar 08 – [Crysys] Territorial Dispute – NSA’s perspective on APT landscape
- Mar 07 – [Palo Alto Networks] Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent
- Mar 06 – [Kaspersky] The Slingshot APT
- Mar 05 – [Palo Alto Networks] Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency
- Mar 02 – [McAfee] McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups
- Mar 01 – [Security 0wnage] A Quick Dip into MuddyWater’s Recent Activity
- Feb 28 – [Palo Alto Networks] Sofacy Attacks Multiple Government Entities
- Feb 28 – [Symantec] Chafer: Latest Attacks Reveal Heightened Ambitions
- Feb 21 – [Avast] Avast tracks down Tempting Cedar Spyware
- Feb 20 – [Arbor] Musical Chairs Playing Tetris
- Feb 20 – [Kaspersky] A Slice of 2017 Sofacy Activity
- Feb 20 – [FireEye] APT37 (Reaper): The Overlooked North Korean Actor
- Feb 13 – [Trend Micro] Deciphering Confucius’ Cyberespionage Operations
- Feb 13 – [RSA] Lotus Blossom Continues ASEAN Targeting
- Feb 07 – [CISCO] Targeted Attacks In The Middle East
- Feb 02 – [McAfee] Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems
- Jan 30 – [Palo Alto Networks] Comnie Continues to Target Organizations in East Asia
- Jan 30 – [RSA] APT32 Continues ASEAN Targeting
- Jan 29 – [Trend Micro] Hacking Group Spies on Android Users in India Using PoriewSpy
- Jan 29 – [Palo Alto Networks] VERMIN: Quasar RAT and Custom Malware Used In Ukraine
- Jan 27 – [Accenture] DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES
- Jan 26 – [Palo Alto Networks] The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services
- Jan 25 – [Palo Alto Networks] OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
- Jan 24 – [Trend Micro] Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More
- Jan 18 – [NCSC] Turla group update Neuron malware
- Jan 17 – [Lookout] Dark Caracal
- Jan 16 – [Kaspersky] Skygofree: Following in the footsteps of HackingTeam
- Jan 16 – [Recorded Future] North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign
- Jan 16 – [CISCO] Korea In The Crosshairs
- Jan 15 – [Trend Micro] New KillDisk Variant Hits Financial Organizations in Latin America
- Jan 12 – [Trend Micro] Update on Pawn Storm: New Targets and Politically Motivated Campaigns
- Jan 11 – [McAfee] North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk
- Jan 09 – [ESET] Diplomats in Eastern Europe bitten by a Turla mosquito
- Jan 06 – [McAfee] Malicious Document Targets Pyeongchang Olympics
- Jan 04 – [Carnegie] Iran’s Cyber Threat: Espionage, Sabotage, and Revenge
2017
- Dec 19 – [Proofpoint] North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
- Dec 17 – [McAfee] Operation Dragonfly Analysis Suggests Links to Earlier Attacks
- Dec 14 – [FireEye] Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
- Dec 11 – [Group-IB] MoneyTaker, revealed after 1.5 years of silent operations
- Dec 11 – [Trend Micro] Untangling the Patchwork Cyberespionage Group
- Dec 07 – [FireEye] New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
- Dec 05 – [ClearSky] Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets – And the HBO Hacker Connection
- Dec 04 – [RSA] The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion
- Nov 22 – [REAQTA] A dive into MuddyWater APT targeting Middle-East
- Nov 14 – [Palo Alto Networks] Muddying the Water: Targeted Attacks in the Middle East
- Nov 10 – [Palo Alto Networks] New Malware with Ties to SunOrcal Discovered
- Nov 07 – [McAfee] Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack
- Nov 07 – [Symantec] Sowbug: Cyber espionage group targets South American and Southeast Asian governments
- Nov 06 – [Trend Micro] ChessMaster’s New Strategy: Evolving Tools and Tactics
- Nov 06 – [Volexity] OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society
- Nov 02 – [Palo Alto Networks] Recent InPage Exploits Lead to Multiple Malware Families
- Nov 02 – [PwC] The KeyBoys are back in town
- Nov 02 – [Clearsky] LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America
- Nov 02 – [RISKIQ] New Insights into Energetic Bear’s Watering Hole Attacks on Turkish Critical Infrastructure
- Oct 31 – [Cybereason] Night of the Devil: Ransomware or wiper? A look into targeted attacks in Japan using MBR-ONI
- Oct 30 – [Kaspersky] Gaza Cybergang – updated activity in 2017
- Oct 27 – [Bellingcat] Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia
- Oct 24 – [ClearSky] Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
- Oct 19 – [Bitdefender] Operation PZCHAO
- Oct 16 – [BAE Systems] Taiwan Heist: Lazarus Tools And Ransomware
- Oct 16 – [Kaspersky] BlackOasis APT and new targeted attacks leveraging zero-day exploit
- Oct 16 – [Proofpoint] Leviathan: Espionage actor spearphishes maritime and defense targets
- Oct 12 – [Dell] BRONZE BUTLER Targets Japanese Enterprises
- Oct 10 – [Trustwave] Post Soviet Bank Heists
- Oct 02 – [Intezer] Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers
- Sep XX – [MITRE] APT3 Adversary Emulation Plan
- Sep 28 – [Palo Alto Networks] Threat Actors Target Government of Belarus Using CMSTAR Trojan
- Sep 20 – [Intezer] Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner
- Sep 20 – [FireEye] Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
- Sep 20 – [CISCO] CCleaner Command and Control Causes Concern
- Sep 18 – [CISCO] CCleanup: A Vast Number of Machines at Risk
- Sep 18 – [Kaspersky] An (un)documented Word feature abused by attackers
- Sep 12 – [FireEye] FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
- Sep 06 – [Symantec] Dragonfly: Western energy sector targeted by sophisticated attack group
- Sep 06 – [Treadstone 71] Intelligence Games in the Power Grid
- Aug 30 – [ESET] Gazing at Gazer: Turla’s new second stage backdoor
- Aug 30 – [Kaspersky] Introducing WhiteBear
- Aug 25 – [Proofpoint] Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures
- Aug 18 – [RSA] Russian Bank Offices Hit with Broad Phishing Wave
- Aug 17 – [Proofpoint] Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack
- Aug 15 – [Palo Alto Networks] The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure
- Aug 11 – [FireEye] APT28 Targets Hospitality Sector, Presents Threat to Travelers
- Aug 08 – [Kaspersky] APT Trends report Q2 2017
- Aug 01 – [Positive Research] Cobalt strikes back: an evolving multinational threat to finance
- Jul 27 – [Trend Micro] ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal
- Jul 27 – [Palo Alto Networks] OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
- Jul 27 – [Clearsky, Trend Micro] Operation Wilted Tulip
- Jul 24 – [Palo Alto Networks] “Tick” Group Continues Attacks
- Jul 18 – [Clearsky] Recent Winnti Infrastructure and Samples
- Jul 18 – [Bitdefender] Inexsmar: An unusual DarkHotel campaign
- Jul 11 – [ProtectWise] Winnti Evolution – Going Open Source
- Jul 10 – [Trend Micro] OSX Malware Linked to Operation Emmental Hijacks User Network Traffic
- Jul 06 – [Malware Party] Operation Desert Eagle
- Jul 05 – [Citizen Lab] Insider Information: An intrusion campaign targeting Chinese language news sites
- Jun 30 – [ESET] TeleBots are back: supply-chain attacks against Ukraine
- Jun 30 – [Kaspersky] From BlackEnergy to ExPetr
- Jun 26 – [Dell] Threat Group-4127 Targets Google Accounts
- Jun 22 – [Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus
- Jun 22 – [Trend Micro] Following the Trail of BlackTech’s Cyber Espionage Campaigns
- Jun 19 – [root9B] SHELLTEA + POSLURP MALWARE: memory resident point-of-sale malware attacks industry
- Jun 18 – [Palo Alto Networks] APT3 Uncovered: The code evolution of Pirpi
- Jun 15 – [Recorded Future] North Korea Is Not Crazy
- Jun 14 – [ThreatConnect] KASPERAGENT Malware Campaign resurfaces in the run up to May Palestinian Authority Elections
- Jun 13 – [US-CERT] HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
- Jun 12 – [Dragos] CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations
- Jun 12 – [ESET] WIN32/INDUSTROYER A new threat for industrial control systems
- May 30 – [Group-IB] Lazarus Arisen: Architecture, Techniques and Attribution
- May 24 – [Cybereason] OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP
- May 14 – [FireEye] Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
- May 03 – [Palo Alto Networks] Kazuar: Multiplatform Espionage Backdoor with API Access
- May 03 – [CISCO] KONNI: A Malware Under The Radar For Years
- Apr 27 – [Morphisec] Iranian Fileless Attack Infiltrates Israeli Organizations
- Apr 13 – [F-SECURE] Callisto Group
- Apr 11 – [Kaspersky] Unraveling the Lamberts Toolkit
- Apr 10 – [Symantec] Longhorn: Tools used by cyberespionage group linked to Vault 7
- Apr 06 – [PwC] Operation Cloud Hopper
- Apr 05 – [Palo Alto Networks, Clearsky] Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA
- Mar 15 – [JPCERT] FHAPPI Campaign
- Mar 14 – [Clearsky] Operation Electric Powder – Who is targeting Israel Electric Company?
- Mar 08 – [Netskope] Targeted Attack Campaigns with Multi-Variate Malware Observed in the Cloud
- Mar 06 – [Kaspersky] From Shamoon to StoneDrill
- Feb 28 – [IBM] Dridex’s Cold War: Enter AtomBombing
- Feb 27 – [Palo Alto Networks] The Gamaredon Group Toolset Evolution
- Feb 23 – [Bitdefender] Dissecting the APT28 Mac OS X Payload
- Feb 22 – [FireEye] Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government
- Feb 21 – [Arbor] Additional Insights on Shamoon2
- Feb 20 – [BAE Systems] Lazarus’ False Flag Malware
- Feb 17 – [JPCERT] ChChes – Malware that Communicates with C&C Servers Using Cookie Headers
- Feb 16 – [BadCyber] Technical analysis of recent attacks against Polish banks
- Feb 15 – [Morphick] Deep Dive On The DragonOK Rambo Backdoor
- Feb 15 – [IBM] The Full Shamoon: How the Devastating Malware Was Inserted Into Networks
- Feb 15 – [Dell] Iranian PupyRAT Bites Middle Eastern Organizations
- Feb 15 – [Palo Alto Networks] Magic Hound Campaign Attacks Saudi Targets
- Feb 14 – [Medium] Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal
- Feb 12 – [BAE Systems] Lazarus & Watering-Hole Attacks
- Feb 10 – [Cysinfo] Cyber Attack Targeting Indian Navy’s Submarine And Warship Manufacturer
- Feb 10 – [DHS] Enhanced Analysis of GRIZZLY STEPPE Activity
- Feb 03 – [RSA] KingSlayer A Supply chain attack
- Feb 03 – [BadCyber] Several Polish banks hacked, information stolen by unknown attackers
- Feb 02 – [Proofpoint] Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX
- Jan 30 – [Palo Alto Networks] Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments
- Jan 25 – [Microsoft] Detecting Threat actors in recent German industrial attacks with Windows Defender ATP
- Jan 19 – [Cysinfo] URI Terror Attack & Kashmir Protest Themed Spear Phishing Emails Targeting Indian Embassies And Indian Ministry Of External Affairs
- Jan 18 – [Trustwave] Operation Grand Mars: Defending Against Carbanak Cyber Attacks
- Jan 15 – [tr1adx] Bear Spotting Vol. 1: Russian Nation State Targeting of Government and Military Interests
- Jan 12 – [Kaspersky] The “EyePyramid” attacks
- Jan 11 – [FireEye] APT28: AT THE CENTER OF THE STORM
- Jan 09 – [Palo Alto Networks] Second Wave of Shamoon 2 Attacks Identified
- Jan 05 – [Clearsky] Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
2016
- Dec 15 – [Microsoft] PROMETHIUM and NEODYMIUM APT groups on Turkish citizens living in Turkey and various other European countries.
- Dec 13 – [ESET] The rise of TeleBots: Analyzing disruptive KillDisk attacks
- Nov 30 – [Cysinfo] MALWARE ACTORS USING NIC CYBER SECURITY THEMED SPEAR PHISHING TO TARGET INDIAN GOVERNMENT ORGANIZATIONS
- Nov 22 – [Palo Alto Networks] Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
- Nov 09 – [Fidelis] Down the H-W0rm Hole with Houdini’s RAT
- Nov 03 – [Booz Allen] When The Lights Went Out: Ukraine Cybersecurity Threat Briefing
- Oct 31 – [Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
- Oct 27 – [ESET] En Route with Sednit Part 3: A Mysterious Downloader
- Oct 27 – [Trend Micro] BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List
- Oct 26 – [Vectra Networks] Moonlight – Targeted attacks in the Middle East
- Oct 25 – [Palo Alto Networks] Houdini’s Magic Reappearance
- Oct 25 – [ESET] En Route with Sednit Part 2: Lifting the lid on Sednit: A closer look at the software it uses
- Oct 20 – [ESET] En Route with Sednit Part 1: Approaching the Target
- Oct 17 – [ThreatConnect] ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence?
- Oct 05 – [Kaspersky] Wave your false flags
- Oct 03 – [Kaspersky] On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users
- Sep 29 – [NATO CCD COE] China and Cyber: Attitudes, Strategies, Organisation
- Sep 28 – [Palo Alto Networks] Confucius Says…Malware Families Get Further By Abusing Legitimate Websites
- Sep 28 – [ThreatConnect] Belling the BEAR: Russia Hacks Bellingcat MH17 Investigation
- Sep 26 – [Palo Alto Networks] Sofacy’s ‘Komplex’ OS X Trojan
- Sep 18 – [Cyberkov] Hunting Libyan Scorpions
- Sep 14 – [Palo Alto Networks] MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies
- Sep 06 – [Symantec] Buckeye cyberespionage group shifts gaze from US to Hong Kong
- Sep 01 – [IRAN THREATS] MALWARE POSING AS HUMAN RIGHTS ORGANIZATIONS AND COMMERCIAL SOFTWARE TARGETING IRANIANS, FOREIGN POLICY INSTITUTIONS AND MIDDLE EASTERN COUNTRIES
- Aug 25 – [Lookout] Technical Analysis of Pegasus Spyware
- Aug 24 – [Citizen Lab] The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender
- Aug 19 – [ThreatConnect] Russian Cyber Operations on Steroids
- Aug 17 – [Kaspersky] Operation Ghoul: targeted attacks on industrial and engineering organizations
- Aug 16 – [Palo Alto Networks] Aveo Malware Family Targets Japanese Speaking Users
- Aug 11 – [IRAN THREATS] Iran and the Soft War for Internet Dominance
- Aug 08 – [Forcepoint] MONSOON
- Aug 08 – [Kaspersky] ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms
- Aug 07 – [Symantec] Strider: Cyberespionage group turns eye of Sauron on targets
- Aug 06 – [360] APT-C-09
- Aug 04 – [Recorded Future] Running for Office: Russian APT Toolkits Revealed
- Aug 03 – [EFF] Operation Manul: I Got a Letter From the Government the Other Day…Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan
- Aug 02 – [Citizen Lab] Group5: Syria and the Iranian Connection
- Jul 28 – [ICIT] China’s Espionage Dynasty
- Jul 26 – [Palo Alto Networks] Attack Delivers ‘9002’ Trojan Through Google Drive
- Jul 21 – [360] Sphinx (APT-C-15) Targeted cyber-attack in the Middle East
- Jul 21 – [RSA] Hide and Seek: How Threat Actors Respond in the Face of Public Exposure
- Jul 13 – [SentinelOne] State-Sponsored SCADA Malware targeting European Energy Companies
- Jul 12 – [F-SECURE] NanHaiShu: RATing the South China Sea
- Jul 08 – [Kaspersky] The Dropping Elephant – aggressive cyber-espionage in the Asian region
- Jul 07 – [Proofpoint] NetTraveler APT Targets Russian, European Interests
- Jul 07 – [Cymmetria] UNVEILING PATCHWORK: THE COPY-PASTE APT
- Jul 03 – [Check Point] From HummingBad to Worse
- Jul 01 – [Bitdefender] Pacifier APT
- Jul 01 – [ESET] Espionage toolkit targeting Central and Eastern Europe uncovered
- Jun 30 – [JPCERT] Asruex: Malware Infecting through Shortcut Files
- Jun 28 – [Palo Alto Networks] Prince of Persia – Game Over
- Jun 28 – [JPCERT] (Japan) Attack Tool Investigation
- Jun 26 – [Trend Micro] The State of the ESILE/Lotus Blossom Campaign
- Jun 26 – [Cylance] Nigerian Cybercriminals Target High-Impact Industries in India via Pony
- Jun 23 – [Palo Alto Networks] Tracking Elirks Variants in Japan: Similarities to Previous Attacks
- Jun 21 – [Fortinet] The Curious Case of an Unknown Trojan Targeting German-Speaking Users
- Jun 21 – [FireEye] Redline Drawn: China Recalculates Its Use of Cyber Espionage
- Jun 21 – [ESET] Visiting The Bear Den
- Jun 17 – [Kaspersky] Operation Daybreak
- Jun 16 – [Dell] Threat Group-4127 Targets Hillary Clinton Presidential Campaign
- Jun 15 – [CrowdStrike] Bears in the Midst: Intrusion into the Democratic National Committee
- Jun 09 – [Clearsky] Operation DustySky Part 2
- Jun 02 – [Trend Micro] FastPOS: Quick and Easy Credit Card Theft
- May 27 – [Trend Micro] IXESHE Derivative IHEATE Targets Users in America
- May 26 – [Palo Alto Networks] The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
- May 25 – [Kaspersky] CVE-2015-2545: overview of current threats
- May 24 – [Palo Alto Networks] New Wekby Attacks Use DNS Requests As Command and Control Mechanism
- May 23 – [MELANI:GovCERT] APT Case RUAG Technical Report
- May 22 – [FireEye] TARGETED ATTACKS AGAINST BANKS IN THE MIDDLE EAST
- May 22 – [Palo Alto Networks] Operation Ke3chang Resurfaces With New TidePool Malware
- May 18 – [ESET] Operation Groundbait: Analysis of a surveillance toolkit
- May 17 – [FOX-IT] Mofang: A politically motivated information stealing adversary
- May 17 – [Symantec] Indian organizations targeted in Suckfly attacks
- May 10 – [Trend Micro] Backdoor as a Software Suite: How TinyLoader Distributes and Upgrades PoS Threats | paper
- May 09 – [CMU SEI] Using Honeynets and the Diamond Model for ICS Threat Analysis
- May 06 – [PwC] Exploring CVE-2015-2545 and its users
- May 05 – [Forcepoint] Jaku: an on-going botnet campaign
- May 02 – [Team Cymru] GOZNYM MALWARE target US, AT, DE
- May 02 – [Palo Alto Networks] Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
- Apr 27 – [Kaspersky] Repackaging Open Source BeEF for Tracking and More
- Apr 26 – [Financial Times] Cyber warfare: Iran opens a new front
- Apr 26 – [Arbor] New Poison Ivy Activity Targeting Myanmar, Asian Countries
- Apr 22 – [Cylance] The Ghost Dragon
- Apr 21 – [SentinelOne] Teaching an old RAT new tricks
- Apr 21 – [Palo Alto Networks] New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists
- Apr 18 – [Citizen Lab] Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns
- Apr 15 – [SANS] Detecting and Responding Pandas and Bears
- Apr 12 – [Microsoft] PLATINUM: Targeted attacks in South and Southeast Asia
- Mar 25 – [Palo Alto Networks] ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
- Mar 23 – [Trend Micro] Operation C-Major: Information Theft Campaign Targets Military Personnel in India
- Mar 18 – [SANS] Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case
- Mar 17 – [PwC] Taiwan Presidential Election: A Case Study on Thematic Targeting
- Mar 15 – [Symantec] Suckfly: Revealing the secret life of your code signing certificates
- Mar 14 – [Proofpoint] Bank robbery in progress: New attacks from Carbanak group target banks in Middle East and US
- Mar 10 – [Citizen Lab] Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans
- Mar 09 – [FireEye] LESSONS FROM OPERATION RUSSIANDOLL
- Mar 08 – [360] Operation OnionDog: A 3 Year Old APT Focused On the Energy and Transportation Industries in Korean-language Countries
- Mar 03 – [Recorded Future] Shedding Light on BlackEnergy With Open Source Intelligence
- Mar 01 – [Proofpoint] Operation Transparent Tribe – APT Targeting Indian Diplomatic and Military Interests
- Feb 29 – [Fidelis] The Turbo Campaign, Featuring Derusbi for 64-bit Linux
- Feb 24 – [NOVETTA] Operation Blockbuster
- Feb 23 – [Cylance] OPERATION DUST STORM
- Feb 12 – [Palo Alto Networks] A Look Into Fysbis: Sofacy’s Linux Backdoor
- Feb 11 – [Recorded Future] Hacktivism: India vs. Pakistan
- Feb 09 – [Kaspersky] Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage
- Feb 08 – [ICIT] Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups
- Feb 04 – [Palo Alto Networks] T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques
- Feb 03 – [Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?
- Feb 01 – [Sucuri] Massive Admedia/Adverting iFrame Infection
- Feb 01 – [IBM] Organized Cybercrime Big in Japan: URLZone Now on the Scene
- Jan 29 – [F5] Tinbapore: Millions of Dollars at Risk
- Jan 29 – [Zscaler] Malicious Office files dropping Kasidet and Dridex
- Jan 28 – [Kaspersky] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents
- Jan 27 – [Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign
- Jan 26 – [SentinelOne] Analyzing a New Variant of BlackEnergy 3
- Jan 24 – [Palo Alto Networks] Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
- Jan 21 – [Palo Alto Networks] NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan
- Jan 19 – [360] 2015 APT Annual Report
- Jan 14 – [CISCO] RESEARCH SPOTLIGHT: NEEDLES IN A HAYSTACK
- Jan 14 – [Symantec] The Waterbug attack group
- Jan 07 – [Clearsky] Operation DustySky
- Jan 07 – [CISCO] RIGGING COMPROMISE – RIG EXPLOIT KIT
- Jan 03 – [ESET] BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry
2015
- Dec 23 – [PwC] ELISE: Security Through Obesity
- Dec 22 – [Palo Alto Networks] BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger
- Dec 20 – [FireEye] The EPS Awakens – Part 2
- Dec 18 – [Palo Alto Networks] Attack on French Diplomat Linked to Operation Lotus Blossom
- Dec 16 – [Bitdefender] APT28 Under the Scope – A Journey into Exfiltrating Intelligence and Government Information
- Dec 16 – [Trend Micro] Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them
- Dec 16 – [Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign
- Dec 15 – [AirBus] Newcomers in the Derusbi family
- Dec 08 – [Citizen Lab] Packrat: Seven Years of a South American Threat Actor
- Dec 07 – [FireEye] Financial Threat Group Targets Volume Boot Record
- Dec 07 – [Symantec] Iran-based attackers use back door threats to spy on Middle Eastern targets
- Dec 04 – [Kaspersky] Sofacy APT hits high profile targets with updated toolset
- Dec 01 – [FireEye] China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets
- Nov 30 – [FOX-IT] Ponmocup A giant hiding in the shadows
- Nov 24 – [Palo Alto Networks] Attack Campaign on the Government of Thailand Delivers Bookworm Trojan
- Nov 23 – [Minerva Labs, ClearSky] CopyKittens Attack Group
- Nov 23 – [RSA] PEERING INTO GLASSRAT
- Nov 23 – [Trend Micro] Prototype Nation: The Chinese Cybercriminal Underground in 2015
- Nov 19 – [Kaspersky] Russian financial cybercrime: how it works
- Nov 19 – [JPCERT] Decrypting Strings in Emdivi
- Nov 18 – [Palo Alto Networks] TDrop2 Attacks Suggest Dark Seoul Attackers Return
- Nov 18 – [CrowdStrike] Sakula Reloaded
- Nov 18 – [Damballa] Damballa discovers new toolset linked to Destover Attacker’s arsenal helps them to broaden attack surface
- Nov 16 – [FireEye] WitchCoven: Exploiting Web Analytics to Ensnare Victims
- Nov 10 – [Palo Alto Networks] Bookworm Trojan: A Model of Modular Architecture
- Nov 09 – [Check Point] Rocket Kitten: A Campaign With 9 Lives
- Nov 04 – [RSA] Evolving Threats: dissection of a CyberEspionage attack
- Oct 16 – [Citizen Lab] Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites(https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36/)
- Oct 15 – [Citizen Lab] Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation
- Oct 05 – [Recorded Future] Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy
- Oct 03 – [Cybereason] Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)
- Sep 23 – [ThreatConnect] PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA’S UNIT 78020 | PDF
- Sep 17 – [F-SECURE] The Dukes: 7 Years of Russian Cyber Espionage | PDF
- Sep 16 – [Proofpoint] The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK
- Sep 16 – [Trend Micro] Operation Iron Tiger: How China-Based Actors Shifted Attacks from APAC to US Targets | IOC
- Sep 15 – [Proofpoint] In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia
- Sep 09 – [Trend Micro] Shadow Force Uses DLL Hijacking, Targets South Korean Company
- Sep 09 – [Kaspersky] Satellite Turla: APT Command and Control in the Sky
- Sep 08 – [Palo Alto Networks] Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware
- Sep 01 – [Trend Micro, Clearsky] The Spy Kittens Are Back: Rocket Kitten 2 | PDF
- Aug 20 – [Arbor] PlugX Threat Activity in Myanmar
- Aug 20 – [Kaspersky] New activity of the Blue Termite APT
- Aug 19 – [Symantec] New Internet Explorer zero-day exploited in Hong Kong attacks
- Aug 10 – [ShadowServer] The Italian Connection: An analysis of exploit supply chains and digital quartermasters
- Aug 08 – [Cyint] Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign
- Aug 05 – [Dell] Threat Group-3390 Targets Organizations for Cyberespionage
- Aug 04 – [RSA] Terracotta VPN: Enabler of Advanced Threat Anonymity
- Jul 30 – [ESET] Operation Potao Express | IOC
- Jul 28 – [Symantec] Black Vine: Formidable cyberespionage group targeted aerospace, healthcare since 2012
- Jul 27 – [FireEye] HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group
- Jul 22 – [F-SECURE] Duke APT group’s latest tools: cloud services and Linux support
- Jul 20 – [ThreatConnect] China Hacks the Peace Palace: All Your EEZ’s Are Belong to Us
- Jul 20 – [Palo Alto Networks] Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor
- Jul 14 – [Palo Alto Networks] Tracking MiniDionis: CozyCar’s New Ride Is Related to Seaduke
- Jul 14 – [Trend Micro] An In-Depth Look at How Pawn Storm’s Java Zero-Day Was Used
- Jul 13 – [Symantec] “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory
- Jul 13 – [FireEye] Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability CVE-2015-5119 Following Hacking Team Leak
- Jul 10 – [Palo Alto Networks] APT Group UPS Targets US Government with Hacking Team Flash Exploit
- Jul 09 – [Symantec] Butterfly: Corporate spies out for financial gain
- Jul 08 – [Kaspersky] Wild Neutron – Economic espionage threat actor returns with new tricks
- Jul 08 – [Volexity] APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)
- Jun 30 – [ESET] Dino – the latest spying malware from an allegedly French espionage group analyzed
- Jun 28 – [Dragon Threat Labs] APT on Taiwan – insight into advances of adversary TTPs
- Jun 26 – [FireEye] Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign
- Jun 24 – [PwC] UnFIN4ished Business (FIN4)
- Jun 22 – [Kaspersky] Winnti targeting pharmaceutical companies
- Jun 16 – [Palo Alto Networks] Operation Lotus Bloom
- Jun 15 – [Citizen Lab] Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114
- Jun 12 – [Volexity] Afghan Government Compromise: Browser Beware
- Jun 10 – [Kaspersky] The Mystery of Duqu 2.0 | IOC | Yara
- Jun 10 – [Crysys] Duqu 2.0
- Jun 09 – [Microsoft] Duqu 2.0 Win32k Exploit Analysis
- Jun 04 – [JP Internet Watch] Blue Thermite targeting Japan (CloudyOmega)
- Jun 03 – [ClearSky] Thamar Reservoir
- May 29 – [360] OceanLotusReport
- May 28 – [Kaspersky] Grabit and the RATs
- May 27 – [Antiy Labs] Analysis On Apt-To-Be Attack That Focusing On China’s Government Agency
- May 27 – [CyberX] BlackEnergy 3 – Exfiltration of Data in ICS Networks
- May 26 – [ESET] Dissecting Linux/Moose
- May 21 – [Kaspersky] The Naikon APT and the MsnMM Campaigns
- May 19 – [Panda] Operation ‘Oil Tanker’
- May 18 – [Palo Alto Networks] Cmstar Downloader: Lurid and Enfal’s New Cousin
- May 14 – [Trend Micro] Operation Tropic Trooper
- May 14 – [Kaspersky] The Naikon APT
- May 13 – [Cylance] SPEAR: A Threat Actor Resurfaces
- May 12 – [PR Newswire] root9B Uncovers Planned Sofacy Cyber Attack Targeting Several International and Domestic Financial Institutions
- May 07 – [G DATA] Dissecting the Kraken
- May 05 – [Ahnlab] Targeted attack on France’s TV5Monde
- Apr 27 – [PWC] Attacks against Israeli & Palestinian interests
- Apr 22 – [F-SECURE] CozyDuke
- Apr 21 – [Kaspersky] The CozyDuke APT
- Apr 20 – [PWC] Sofacy II – Same Sofacy, Different Day
- Apr 18 – [FireEye] Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack
- Apr 16 – [Trend Micro] Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House
- Apr 15 – [Kaspersky] The Chronicles of the Hellsing APT: the Empire Strikes Back
- Apr 12 – [FireEye] APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation
- Mar 31 – [CheckPoint] Volatile Cedar – Analysis of a Global Cyber Espionage Campaign
- Mar 30 – [CrowdStrike] Chopping packets: Decoding China Chopper Web shell traffic over SSL
- Mar 19 – [Trend Micro] Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign
- Mar 11 – [Kaspersky] Inside the EquationDrug Espionage Platform
- Mar 10 – [Citizen Lab] Tibetan Uprising Day Malware Attacks
- Mar 06 – [F-SECURE] Is Babar a Bunny?
- Mar 06 – [Kaspersky] Animals in the APT Farm
- Mar 05 – [ESET] Casper Malware: After Babar and Bunny, Another Espionage Cartoon
- Feb 27 – [ThreatConnect] The Anthem Hack: All Roads Lead to China
- Feb 24 – [PWC] A deeper look into Scanbox
- Feb 25 – [FireEye] Southeast Asia: An Evolving Cyber Threat Landscape
- Feb 25 – [Sophos] PlugX goes to the registry (and India)
- Feb 18 – [G DATA] Babar: espionage software finally found and put under the microscope
- Feb 18 – [CIRCL Luxembourg] Shooting Elephants
- Feb 17 – [Kaspersky] Desert Falcons APT
- Feb 17 – [Kaspersky] A Fanny Equation: “I am your father, Stuxnet”
- Feb 16 – [Trend Micro] Operation Arid Viper
- Feb 16 – [Kaspersky] The Carbanak APT
- Feb 16 – [Kaspersky] Equation: The Death Star of Malware Galaxy
- Feb 10 – [CrowdStrike] CrowdStrike Global Threat Intel Report for 2014
- Feb 04 – [Trend Micro] Pawn Storm Update: iOS Espionage App Found
- Feb 02 – [FireEye] Behind the Syrian Conflict’s Digital Frontlines
- Jan 29 – [JPCERT] Analysis of PlugX Variant – P2P PlugX
- Jan 29 – [Symantec] Backdoor.Winnti attackers and Trojan.Skelky
- Jan 27 – [Kaspersky] Comparing the Regin module 50251 and the “Qwerty” keylogger
- Jan 22 – [Kaspersky] Regin’s Hopscotch and Legspin
- Jan 22 – [Symantec] Scarab attackers Russian targets | IOCs
- Jan 22 – [Symantec] The Waterbug attack group
- Jan 20 – [BlueCoat] Reversing the Inception APT malware
- Jan 20 – [G DATA] Analysis of Project Cobra
- Jan 15 – [G DATA] Evolution of Agent.BTZ to ComRAT
- Jan 12 – [Dell] Skeleton Key Malware Analysis
- Jan 11 – [Dragon Threat Labs] Hong Kong SWC attack
2014
- Dec 22 – [Group-IB] Anunak: APT against financial institutions
- Dec 21 – [ThreatConnect] Operation Poisoned Helmand
- Dec 19 – [US-CERT] TA14-353A: Targeted Destructive Malware (wiper)
- Dec 18 – [Citizen Lab] Malware Attack Targeting Syrian ISIS Critics
- Dec 17 – [CISCO] Wiper Malware – A Detection Deep Dive
- Dec 12 – [Fidelis] Bots, Machines, and the Matrix
- Dec 12 – [AirBus] Vinself now with steganography
- Dec 10 – [Ahnlab] South Korea MBR Wiper
- Dec 10 – [F-Secure] W64/Regin, Stage #1
- Dec 10 – [F-Secure] W32/Regin, Stage #1
- Dec 10 – [Kaspersky] Cloud Atlas: RedOctober APT
- Dec 09 – [BlueCoat] The Inception Framework
- Dec 08 – [Kaspersky] The ‘Penquin’ Turla
- Dec 05 – [Cylance] Operation Cleaver: The Notepad Files
- Dec 02 – [Cylance] Operation Cleaver | IOCs
- Nov 30 – [FireEye] FIN4: Stealing Insider Information for an Advantage in Stock Trading?
- Nov 24 – [CrowdStrike] Deep Panda Uses Sakula Malware
- Nov 24 – [TheIntercept] Regin: SECRET MALWARE IN EUROPEAN UNION ATTACK LINKED TO U.S. AND BRITISH INTELLIGENCE
- Nov 24 – [Kaspersky] Kaspersky’s report on The Regin Platform
- Nov 24 – [Symantec] Regin: Top-tier espionage tool enables stealthy surveillance
- Nov 21 – [FireEye] Operation Double Tap | IOCs
- Nov 20 – [0x1338] EvilBunny: Suspect #4
- Nov 14 – [ESET] Roaming Tiger (Slides)
- Nov 14 – [F-Secure] OnionDuke: APT Attacks Via the Tor Network
- Nov 13 – [Symantec] Operation CloudyOmega: Ichitaro 0-day targeting Japan
- Nov 12 – [ESET] Korplug military targeted attacks: Afghanistan & Tajikistan
- Nov 11 – [GDATA] The Uroburos case – Agent.BTZ’s successor, ComRAT
- Nov 10 – [Kaspersky] The Darkhotel APT – A Story of Unusual Hospitality
- Nov 03 – [FireEye] Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement
- Nov 03 – [Kaspersky] New observations on BlackEnergy2 APT activity
- Oct 31 – [GData] Operation TooHash
- Oct 30 – [Sophos] The Rotten Tomato Campaign
- Oct 28 – [CISCO] Group 72, Opening the ZxShell
- Oct 28 – [FireEye] APT28 – A Window Into Russia’s Cyber Espionage Operations
- Oct 27 – [Invincea] Micro-Targeted Malvertising via Real-time Ad Bidding
- Oct 27 – [PWC] ScanBox framework – who’s affected, and who’s using it?
- Oct 27 – [Netresec] Full Disclosure of Havex Trojans – ICS Havex backdoors
- Oct 24 – [AirBus] LeoUncia and OrcaRat
- Oct 23 – [LEVIATHAN] THE CASE OF THE MODIFIED BINARIES
- Oct 22 – [PWC] Sofacy Phishing by PWC
- Oct 22 – [Trend Micro] Operation Pawn Storm: The Red in SEDNIT
- Oct 20 – [PWC] OrcaRAT – A whale of a tale
- Oct 14 – [iSightPartners] Sandworm – CVE-2014-4114
- Oct 14 – [CISCO] Group 72
- Oct 14 – [Novetta] Derusbi Preliminary Analysis
- Oct 14 – [Novetta] Hikit Preliminary Analysis
- Oct 14 – [Novetta] ZoxPNG Preliminary Analysis
- Oct 09 – [Volexity] Democracy in Hong Kong Under Attack
- Oct 03 – [Palo Alto Networks] New indicators for APT group Nitro
- Sep 26 – [F-Secure] BlackEnergy & Quedagh
- Sep 26 – [FireEye] Aided Frame, Aided Direction (Sunshop Digital Quartermaster)
- Sep 23 – [Kaspersky] Ukraine and Poland Targeted by BlackEnergy (video)
- Sep 19 – [Palo Alto Networks] Watering Hole Attacks using Poison Ivy by “th3bug” group
- Sep 18 – [F-Secure] COSMICDUKE: Cosmu with a twist of MiniDuke
- Sep 17 – [U.S. Senate Committee] Chinese intrusions into key defense contractors
- Sep 10 – [FireEye] Operation Quantum Entanglement
- Sep 08 – [Usenix] When Governments Hack Opponents: A Look at Actors and Technology (video)
- Sep 08 – [Usenix] Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware (video)
- Sep 04 – [ClearSky] Gholee – a “Protective Edge” themed spear phishing campaign
- Sep 04 – [FireEye] Forced to Adapt: XSLCmd Backdoor Now on OS X
- Sep 04 – [Netresec] Analysis of Chinese MITM on Google
- Sep 03 – [FireEye] Darwin’s Favorite APT Group (APT12)
- Aug 29 – [FireEye] Syrian Malware Team Uses BlackWorm for Attacks
- Aug 28 – [AlienVault] Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
- Aug 27 – [Kaspersky] NetTraveler APT Gets a Makeover for 10th Birthday
- Aug 25 – [Malware Must Die] Vietnam APT Campaign
- Aug 20 – [Kaspersky] El Machete
- Aug 18 – [Kaspersky] The Syrian Malware House of Cards
- Aug 16 – [HP] Profiling an enigma: The mystery of North Korea’s cyber threat landscape
- Aug 13 – [USENIX] A Look at Targeted Attacks Through the Lense of an NGO
- Aug 12 – [FireEye] New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)
- Aug 07 – [Kaspersky] The Epic Turla Operation Appendix
- Aug 06 – [FireEye] Operation Poisoned Hurricane
- Aug 05 – [ThreatConnect] Operation Arachnophobia
- Aug 04 – [FireEye] SIDEWINDER TARGETED ATTACK AGAINST ANDROID IN THE GOLDEN AGE OF AD LIBRARIES
- Jul 31 – [Kaspersky] Energetic Bear/Crouching Yeti
- Jul 29 – [Dell] Threat Group-3279 Targets the Video Game Industry
- Jul 20 – [Vinsula] Sayad (Flying Kitten) Analysis & IOCs
- Jul 11 – [AirBus] Pitty Tiger
- Jul 10 – [CIRCL] TR-25 Analysis – Turla / Pfinet / Snake / Uroburos
- Jul 10 – [TrapX] Anatomy of the Attack: Zombie Zero
- Jul 07 – [CrowdStrike] Deep Pandas, Deep in Thought: Chinese Targeting of National Security Think Tanks
- Jun 30 – [Symantec] Dragonfly: Cyberespionage Attacks Against Energy Suppliers
- Jun 20 – [Blitzanalysis] Embassy of Greece Beijing
- Jun 09 – [CrowdStrike] Putter Panda
- Jun 06 – [Arbor] Illuminating The Etumbot APT Backdoor (APT12)
- May 28 – [iSightPartners] NewsCaster: An Iranian Threat Within Social Networks
- May 21 – [Fidelis] RAT in jar: A phishing campaign using Unrecom
- May 20 – [ESET] Miniduke Twitter C&C
- May 13 – [CrowdStrike] Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN
- May 13 – [FireEye] Operation Saffron Rose (aka Flying Kitten)
- Apr 26 – [FireEye] CVE-2014-1776: Operation Clandestine Fox
- Mar 12 – [FireEye] A Detailed Examination of the Siesta Campaign
- Mar 08 – [Reuters] Russian spyware Turla
- Mar 07 – [BAE] Snake Campaign & Cyber Espionage Toolkit
- Mar 06 – [Trend Micro] The Siesta Campaign
- Feb 28 – [GData] Uroburos: Highly complex espionage software with Russian roots
- Feb 25 – [CrowdStrike] The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity
- Feb 23 – [Fidelis] Gathering in the Middle East, Operation STTEAM
- Feb 20 – [CrowdStrike] Mo’ Shells Mo’ Problems – Deep Panda Web Shells
- Feb 20 – [FireEye] Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
- Feb 19 – [FireEye] XtremeRAT: Nuisance or Threat?
- Feb 19 – [Context Information Security] The Monju Incident
- Feb 13 – [FireEye] Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
- Feb 11 – [Kaspersky] Unveiling “Careto” – The Masked APT
- Jan 31 – [Fidelis] Intruder File Report – Sneakernet Trojan
- Jan 21 – [RSA] Shell_Crew (Deep Panda)
- Jan 15 – [Fidelis] New CDTO: A Sneakernet Trojan Solution
- Jan 14 – [Kaspersky] The Icefog APT Hits US Targets With Java Backdoor
- Jan 13 – [Symantec] Targeted attacks against the Energy Sector
- Jan 06 – [AirBus] PlugX: some uncovered points
2013
- XXX XX – [CERT-ISAC] Inside Report – APT Attacks on Indian Cyber Space
- XXX XX – [KPMG] Energy at Risk: A Study of IT Security in the Energy and Natural Resources Industry
- XXX XX – [FireEye] THE LITTLE MALWARE THAT COULD: Detecting and Defeating the China Chopper Web Shell
- XXX XX – [CrowdStrike] Deep Panda
- XXX XX – [CISAK] Dark Seoul Cyber Attack: Could it be worse?
- XXX XX – [Fireeye] OPERATION SAFFRON ROSE
- Dec 20 – [Ahnlab] ETSO APT Attacks Analysis
- Dec 12 – [FireEye] Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs
- Dec 02 – [Fidelis] njRAT, The Saga Continues
- Nov 10 – [FireEye] Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
- Oct 25 – [FireEye] Evasive Tactics: Terminator RAT
- Oct 24 – [Trend Micro] FakeM RAT
- Sep 25 – [Kaspersky] The ‘ICEFROG’ APT: A Tale of cloak and three daggers
- Sep 21 – [FireEye] Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
- Sep 19 – [Trend Micro] 2Q 2013 Report on Targeted Attack Campaigns: A Look Into EvilGrab
- Sep 17 – [Symantec] Hidden Lynx – Professional Hackers for Hire
- Sep 11 – [Kaspersky] The “Kimsuky” Operation
- Sep 06 – [FireEye] Evasive Tactics: Taidoor
- Aug 23 – [FireEye] Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
- Aug 21 – [FireEye] POISON IVY: Assessing Damage and Extracting Intelligence
- Aug 02 – [CitizenLab] Surtr: Malware Family Targeting the Tibetan Community
- Aug 02 – [ThreatConnect] Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
- Jul 31 – [BlackHat] Hunting the Shadows: In Depth Analysis of Escalated APT Attacks
- Jul 31 – [Dell] Secrets of the Comfoo Masters
- Jul 15 – [Sophos] The PlugX malware revisited: introducing “Smoaler”
- Jul 01 – [McAfee] Targeted Campaign Steals Credentials in Gulf States and Caribbean
- Jun 28 – [ThreatGeek] njRAT Uncovered
- Jun 21 – [Citizen Lab] A Call to Harm: New Malware Attacks Target the Syrian Opposition
- Jun 18 – [FireEye] Trojan.APT.Seinup Hitting ASEAN
- Jun 07 – [Rapid7] KeyBoy, Targeted Attacks against Vietnam and India
- Jun 04 – [Kaspersky] The NetTraveller (aka ‘Travnet’)
- Jun 01 – [Purdue] Crude Faux: An analysis of cyber conflict within the oil & gas industries
- Jun XX – [BlueCoat] The Chinese Malware Complexes: The Maudi Surveillance Operation
- May 30 – [CIRCL] TR-14 – Analysis of a stage 3 Miniduke malware sample
- May 20 – [Norman] OPERATION HANGOVER: Unveiling an Indian Cyberattack Infrastructure
- May 16 – [ESET] Targeted information stealing attacks in South Asia use email, signed binaries
- Apr 21 – [Bitdefender] MiniDuke – The Final Cut
- Apr 13 – [Kaspersky] “Winnti” More than just a game
- Apr 07 – [FireEye] WORLD WAR C
- Apr 01 – [FireEye] Trojan.APT.BaneChant
- Mar 28 – [Circl] TR-12 – Analysis of a PlugX malware variant used for targeted attacks
- Mar 27 – [malware.lu] APT1: technical backstage (Terminator/Fakem RAT)
- Mar 21 – [Fidelis] Darkseoul/Jokra Analysis And Recovery
- Mar 20 – [Kaspersky] The TeamSpy Crew Attacks
- Mar 20 – [McAfee] Dissecting Operation Troy
- Mar 17 – [Trend Micro] Safe: A Targeted Threat
- Mar 13 – [Citizen lab] You Only Click Twice: FinFisher’s Global Proliferation
- Feb 27 – [Crysys] Miniduke: Indicators v1
- Feb 27 – [Kaspersky] The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
- Feb 26 – [Symantec] Stuxnet 0.5: The Missing Link
- Feb 22 – [Symantec] Comment Crew: Indicators of Compromise
- Feb 18 – [FireEye] Mandiant APT1 Report
- Feb 12 – [AIT] Targeted cyber attacks: examples and challenges ahead
- Jan 18 – [McAfee] Operation Red October
- Jan 14 – [Kaspersky] The Red October Campaign
- Jan 02 – [FireEye] SUPPLY CHAIN ANALYSIS: From Quartermaster to Sunshop
2012
- Nov 13 – [FireEye] Poison Ivy Malware Analysis
- Nov 03 – [CyberPeace] Systematic cyber attacks against Israeli and Palestinian targets going on for a year
- Nov 01 – [Fidelis] RECOVERING FROM SHAMOON
- Oct 31 – [DEA] CYBER ESPIONAGE Against Georgian Government (Georbot Botnet)
- Oct 27 – [Symantec] Trojan.Taidoor: Targeting Think Tanks
- Oct 08 – [Matasano] pest control: taming the rats
- Sep 18 – [Dell] The Mirage Campaign
- Sep 12 – [RSA] The VOHO Campaign: An in depth analysis
- Sep 07 – [Citizen Lab] IEXPLORE RAT
- Sep 06 – [Symantec] The Elderwood Project
- Aug 19 – [Rapid7] ByeBye Shell and the targeting of Pakistan
- Aug 18 – [Trend Micro] The Taidoor Campaign AN IN-DEPTH ANALYSIS
- Aug 09 – [Kaspersky] Gauss: Abnormal Distribution
- Jul 27 – [Kaspersky] The Madi Campaign
- Jul 25 – [Citizen Lab] From Bahrain With Love: FinFisher’s Spy Kit Exposed?
- Jul 11 – [Wired] Wired article on DarkComet creator
- Jul 10 – [Citizen Lab] Advanced Social Engineering for the Distribution of LURK Malware
- May 31 – [Crysys] sKyWIper (Flame/Flamer)
- May 22 – [Trend Micro] IXESHE An APT Campaign
- May 18 – [Symantec] Analysis of Flamer C&C Server
- Apr 16 – [Kaspersky] OSX.SabPub & Confirmed Mac APT attacks
- Apr 10 – [McAfee] Anatomy of a Gh0st RAT
- Mar 26 – [Trend Micro] Luckycat Redux
- Mar 13 – [Arbor] Reversing DarkComet RAT’s crypto
- Mar 12 – [contextis] Crouching Tiger, Hidden Dragon, Stolen Data
- Feb 29 – [Dell] The Sin Digoo Affair
- Feb 03 – [CommandFive] Command and Control in the Fifth Domain
- Jan 03 – [Trend Micro] The HeartBeat APT
2011
- Dec 08 – [Norman] Palebot trojan harvests Palestinian online credentials
- Nov 15 – [Norman] The many faces of Gh0st Rat
- Oct 31 – [Symantec] The Nitro Attacks: Stealing Secrets from the Chemical Industry
- Oct 26 – [Dell] Duqu Trojan Questions and Answers
- Oct 12 – [Zscaler] Alleged APT Intrusion Set: “1.php” Group
- Sep 22 – [Trend Micro] The “LURID” Downloader
- Sep 11 – [CommandFive] SK Hack by an Advanced Persistent Threat
- Sep 09 – [Fidelis] The RSA Hack
- Aug 04 – [McAfee] Operation Shady RAT
- Aug 03 – [Dell] HTran and the Advanced Persistent Threat
- Aug 02 – [Vanity Fair] Operation Shady RAT
- Jun ?? – [CommandFive] Advanced Persistent Threats:A Decade in Review
- Apr 20 – [ESET] Stuxnet Under the Microscope
- Feb 18 – [NERC] Night Dragon Specific Protection Measures for Consideration
- Feb 10 – [McAfee] Global Energy Cyberattacks: Night Dragon
2010
- Dec 09 – [CRS] The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability
- Sep 30 – [Symantec] W32.Stuxnet Dossier
- Sep 03 – [Seculert] The “MSUpdater” Trojan And Ongoing Targeted Attacks
- Apr 06 – [ShadowServer] Shadows in the cloud: Investigating Cyber Espionage 2.0
- Mar 14 – [CA] In-depth Analysis of Hydraq
- Feb 10 – [HB Gary] Threat Report: Operation Aurora
- Jan ?? – [Triumfant] Case Study: Operation Aurora
- Jan 27 – [Alberts] Operation Aurora Detect, Diagnose, Respond
- Jan 26 – [McAfee] How Can I Tell if I Was Infected By Aurora? (IOCs)
- Jan 20 – [McAfee] Combating Aurora
- Jan 13 – [Damballa] The Command Structure of the Aurora Botnet
- Jan 12 – [Google] Operation Aurora
2009
- Oct 19 – [Northrop Grumman] Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation
- Mar 29 – [TheSecDevGroup] Tracking GhostNet
- Jan 18 – [Baltic] Impact of Alleged Russian Cyber Attacks
2008
- Nov XX – [Military Review] CHINA_CHINA_CYBER_WARFARE
- Nov 19 – [Wired] Agent.BTZ
- Nov 04 – [DTIC] China’s Electronic Long-Range Reconnaissance
- Oct 02 – [Culture Mandala] How China will use cyber warfare to leapfrog in military competitiveness
- Aug 10 – [Georgia] Russian Invasion of Georgia: Russian Cyberwar on Georgia
2006
Report
Red Canary
🔸 2021 – [Red Canary] 2021 Threat Detection Report
NSA
🔸 Jan 08 2021 – [NSA] 2020 Cybersecurity Year in Review report
Objective-See
🔸 Jan 04 2021 – [Objective-See] The Mac Malware of 2020
ESET
🔸 Jun 03 2021 – [ESET] ESET Threat Report T1 2021
🔸 Oct 18 2020 – [ESET] 2020 Q3 Threat Report
🔸 Jul 29 2020 – [ESET] 2020 Q2 Threat Report
🔸 Apr 2020 – [ESET] 2020 Q1 Threat Report
Kaspersky
🔸 Jul 29 2021 – [Kaspersky] APT trends report Q2 2021
🔸 Apr 27 2021 – [Kaspersky] APT trends report Q1 2021
🔸 Nov 04 2020 – [Kaspersky] APT trends report Q3 2020
🔸 Jul 29 2020 – [Kaspersky] APT trends report Q2 2020
🔸 Aug 01 2019 – [Kaspersky] APT trends report Q2 2019
🔸 Apr 30 2019 – [Kaspersky] APT trends report Q1 2019
FireEye
🔸 Apr 15 2021 – [FireEye] M-Trends 2021
🔸 Feb 20 2020 – [FireEye] M-Trends 2020
🔸 Mar 04 2019 – [FireEye] M-Trends 2019
AhnLab
🔸 Q2 2021 – [AhnLab] ASEC Report Q2 2021
🔸 Q1 2021 – [AhnLab] ASEC Report Q1 2021
🔸 Q4 2020 – [AhnLab] ASEC Report Q4 2020
🔸 Q3 2020 – [AhnLab] ASEC Report Q3 2020
🔸 Q2 2020 – [AhnLab] ASEC Report Q2 2020
🔸 Q1 2020 – [AhnLab] ASEC Report Q1 2020
🔸 Q4 2019 – [AhnLab] ASEC Report Q4 2019
🔸 Q3 2019 – [AhnLab] ASEC Report Q3 2019
🔸 Q2 2019 – [AhnLab] ASEC Report Q2 2019
🔸 Q1 2019 – [AhnLab] ASEC Report Q1 2019
Group-IB
🔸 Nov 24 2020 – [Group-IB] Hi-Tech Crime Trends 2020-2021
🔸 Nov 29 2019 – [Group-IB] Hi-Tech Crime Trends 2019-2020
PTSecurity
🔸 Q1 2021 – [PTSecurity] Cybersecurity threatscape Q1 2021
🔸 Q4 2020 – [PTSecurity] Cybersecurity threatscape Q4 2020
🔸 Q3 2020 – [PTSecurity] Cybersecurity threatscape Q3 2020
🔸 Q2 2020 – [PTSecurity] Cybersecurity threatscape Q2 2020
🔸 Q1 2020 – [PTSecurity] Cybersecurity threatscape Q1 2020
🔸 Q4 2019 – [PTSecurity] Cybersecurity threatscape Q4 2019
🔸 Q3 2019 – [PTSecurity] Cybersecurity threatscape Q3 2019
🔸 Q2 2019 – [PTSecurity] Cybersecurity threatscape Q2 2019
🔸 Q1 2019 – [PTSecurity] Cybersecurity threatscape Q1 2019
ENISA
🔸 Oct 20 2020 – [ENISA] ENISA Threat Landscape 2020 – Main Incidents
🔸 Jan 28 2019 – [ENISA] ENISA Threat Landscape Report 2018
CrowdStrike
🔸 Sep 14 2021 – [CrowdStrike] Nowhere to Hide: 2021 Threat Hunting Report
🔸 Feb 24 2021 – [CrowdStrike] 2021 GLOBAL THREAT REPORT
🔸 Mar 03 2020 – [CrowdStrike] 2020 GLOBAL THREAT REPORT
🔸 Feb 19 2019 – [CrowdStrike] 2019 GLOBAL THREAT REPORT
QianXin
🔸 Jun 29 2020 – [QianXin] APT threat report 2020 1H CN version
🔸 Feb 02 2019 – [QianXin] APT threat report 2019 CN version
Tencent
🔸 Mar 05 2020 – [Tencent] [CN] 2019 APT Summary Report
🔸 Jan 03 2019 – [Tencent] [CN] 2018 APT Summary Report
Verizon
🔸 Nov 16 2020 – [Verizon] Cyber-Espionage Report 2020-2021
Sophos
🔸 Nov 18 2020 – [Sophos] SOPHOS 2021 THREAT REPORT
🔸 Dec 02 2019 – [Sophos] SOPHOS 2020 THREAT REPORT
360
🔸 Oct xx 2021 – [360] Global APT Research Report for the first half of 2021
Microsoft
🔸 Oct xx 2021 – [Microsoft] Microsoft Digital Defense Report October 2021
Other
🔸 Nov 18 2020 – [KELA] Zooming into Darknet Threats Targeting Japanese Organizations
🔸 Nov 04 2020 – [WEF] Partnership against Cybercrime
🔸 May 01 2020 – [Macnia Networks, TeamT5] 2019 H2 APT Report
🔸 Feb 02 2019 – [threatinte] Threat Intel Reads – January 2019
🔸 Feb 2019 – [SWISSCOM] Targeted Attacks: Cyber Security Report 2019
🔸 Jan 30 2019 – [Dragos] Webinar Summary: Uncovering ICS Threat Activity Groups
🔸 Jan 15 2019 – [Hackmageddon] 2018: A Year of Cyber Attacks
🔸 Jan 09 2019 – [360] [CN] 2018 APT Summary Report
🔸 Jan 07 2019 – [Medium] APT Chronicles: December 2018 Edition
🔸 Sep 07 2020 – [SWIFT & BAE] Follow the Money
This collection is maintained as a GitHub repository by CyberMonitor.