APT Groups and Operations

1

China

2

Common Name

CrowdStrike

IRL

Kaspersky

Secureworks

Mandiant

FireEye

Symantec

iSight

Cisco (Sourcefire/VRT > Talos)

Palo Alto Unit 42

Other Names

MITRE ATT&CK

Operation 1

Operation 2

Operation 3

Operation 4

Toolset / Malware

Targets

Modus Operandi

Overlaps to

Comment

Link 1

Link 2

Link 3

Link 4

Link 5

Link 6

Link 7

Link 8

Link 9

Link 10

Link 11

Link 12

Link 13

Link 14

Link 15

Link 16

Link 17

Link 18

Link 19

Link 20

Link 21

Link 22

Link 23

Link 24

Link 25

3

Comment Crew

Comment Panda

PLA Unit 61398

TG-8223

APT1

BrownFox

Group 3

GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor

G0006

Shady RAT

GhostNet

WEBC2, BISCUIT and many others

U.S. cybersecurity firm Mandiant, later purchased by FireEye, released a report in February 2013 that exposed one of China's cyber espionage units, Unit 61398. The group, which FireEye called APT1, is a unit within China's People's Liberation Army (PLA) that has been linked to a wide range of cyber operations targeting U.S. private sector entities for espionage purposes. The comprehensive report detailed evidence connecting APT1 and the PLA, offered insight into APT1's operational malware and methodologies, and provided timelines of the espionage it conducted.

http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?emc=na&_r=2&

https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network

http://www.nartv.org/mirror/ghostnet.pdf

4

APT2

Putter Panda

PLA Unit 61486

TG-6952

APT2

Group 36

SearchFire

G0024

Their activities are commonly known to be exploiting CVE-2012-0158 (MSOffice vulnerability in MSCOMCTL.OCX) in SpearPhising operations. Related malware: Moose, Warp, MSUpdater

This threat actor targets firms in the technology (communications, space, aerospace), research, defense, and government sectors in the United States for espionage purposes. The tools and infrastructure it uses overlap with PLA Unit 61398.

http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

http://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/

5

UPS

Gothic Panda

TG-0110

APT3

Buckeye

UPS Team

Group 6

Boyusec – the Guangzhou Boyu Information Technology Company, Ltd

G0022

Clandestine Fox

Double Tap

Clandestine Wolf

Shotput, Pirpi, PlugX/Sogu, Kaba, Cookie Cutter, many 0days: IE, Firefox, and Flash, SportLoader, Shadow Brokers exploits, DoublePulsar, Bemstour, Filensfer

This threat actor targets and compromises entities in the defense, construction, technology, and transportation sectors. Up until 2015, it was primarily focused on U.S. and UK entities, but it shifted to Hong Kongâ€“based targets afterward. Aerospace and Defence; Construction and Engineering; Energy; High Tech; Nonprofit; Telecommunications; Transportation

https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html

http://www.secureworks.com/resources/blog/research/threat-group-0110-targets-manufacturing-and-financial-organizations-via-phishing/

http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/

https://www.fireeye.com/current-threats/apt-groups.html

https://www.recordedfuture.com/chinese-mss-behind-apt3/

http://freebeacon.com/national-security/u-s-indicts-three-chinese-hackers-linked-security-firm/amp/

https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html?noredirect=on&utm_term=.209df584e031

https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/

https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit

6

IXESHE

Numbered Panda

TG-2754 (tentative)

APT12

BeeBus

Calc Team

Group 22

DynCalc, Crimson Iron, DNSCalc

G0005

NYT Oct 2012

Etumbot, Riptide, Hightide, ThreeByte, Waterspout, Mswab, Gh0st, ShowNews, 3001

This threat actor targets organizations in Japan, Taiwan, and elsewhere in East Asiaâ€”including electronics manufacturers and telecommunications companiesâ€”for espionage purposes.

http://www.crowdstrike.com/blog/whois-numbered-panda/

http://www.computerworld.com/s/article/9241577/The_Chinese_hacker_group_that_hit_the_N.Y._Times_is_back_with_updated_tools?taxonomyId=17

http://blog.crowdstrike.com/whois-numbered-panda/

http://www.secureworks.com/cyber-threat-intelligence/threats/analysis-of-dhs-nccic-indicators/

http://blog.trendmicro.com/taking-a-bite-out-of-ixeshe/

http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/

https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/

http://blog.macnica.net/blog/2017/08/post-fb81.html

7

APT16

G0023

ELMER backdoor, Gh0st, HTRAN, UNICAT,Poison Ivy, Pandora

This threat actor targets and compromises Japanese and Taiwanese entities in the finance, tech, media, and government sectors.

Spear phishing email delivering a malicious Microsoft Word document exploiting EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader (IRONHALO), or a backdoor (ELMER). Also known to be using compromised VPN credentials to maintain network persistency.

https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html

https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/

https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/

8

Hidden Lynx

Aurora Panda

APT17

Deputy Dog

Hidden Lynx

Tailgater Team

Group 8

Burning Umbrella

G0025

Ephemeral Hydra

BLACKCOFFEE, WEBCnC, Joy RAT, PlugX, Trojan.Naid, Backdoor.Moudoor, Backdoor.Vasport, Backdoor.Boda, Trojan.Hydraq, ZxShell, Sakula, China Chopper, DestroyRAT

Government, defense & aerospace, industrial engineering, NGOs

http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html

http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf

http://www.darkreading.com/attacks-and-breaches/chinese--hidden-lynx--hackers-launch-widespread-apt-attacks/d/d-id/1111589?page_number=2

https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf

http://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/

https://401trg.com/burning-umbrella/

https://www.infosecurity-magazine.com/news/chinese-espionage-group-widescale/

https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/

https://www.bloomberg.com/features/2021-supermicro/

9

Wekby

Dynamite Panda

TG-0416

APT18

TA428

G0026

Maudi

HTTPBrowser, TokenControl, HcdLoader, PisLoader, TManger

Aerospace and Defence; Construction and Engineering; Education; Health and Biotechnology; High Tech; Telecommunications; Transportation

https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

https://www.volexity.com/blog/2015/07/08/158-2/

http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf

https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology

https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger

https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf

https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/

https://www.recordedfuture.com/china-linked-ta428-threat-group/

https://blog.group-ib.com/task

https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/

https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf

10

Axiom

APT17

Tailgater Team

Group 72

Dogfish (iDefense), Deputy Dog (iDefense), Winnti Umbrella

G0001

SMN

Winnti, Gh0st RAT, PoisonIvy, HydraQ, Hikit, ZxShell, Deputy Dog, Derusbi, PlugX, HTRAN, HDRoot, Fscan, Timestomper

Shell Crew, Hidden Lynx, Axiom

Use "Skeleton Key" on DCs

http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/

http://www.novetta.com/files/5614/1329/6232/novetta_cybersecurity_exec_summary-3.pdf

http://www.novetta.com/2015/04/operation-smn-winnti-update/

https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/

https://401trg.com/burning-umbrella/

https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/

11

Winnti Group

Wicked Panda

BRONZE ATLAS

APT41

Winnti Umbrella, BARIUM, LEAD, RedEcho, Vanadinite, TAG-22

G0044

Winnti, AceHash, PlugX, Webshells, ZxShell, ShadowPad, LightSpy

ThyssenKrupp, Gameforge, Valve, Teamviewer,Siemens, Sumitomo, BASF, Covestro, Shin-Etsu, Bayer, Roche

Deep Panda, Wicked Spider

http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/

https://www.protectwise.com/blog/winnti-evolution-going-open-source.html

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/january/windows-firewall-hook-enumeration/

https://www.nccgroup.trust/globalassets/our-research/uk/technical-advisories/2015/derusbi-server-technical-note-1-1-tlp-white.pdf

https://lab52.io/blog/winnti-group-geostrategic-analysis-and-ttp/

https://401trg.com/burning-umbrella/

https://web.br.de/interaktiv/winnti/index.html

https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf

https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-vanadinite/

https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/

https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/

https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf

https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials

https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html

12

Shell Crew

Deep Panda

WebMasters

APT19

KungFu Kittens

Group 13

Sh3llCr3w, PinkPanther, Winnti Group

G0009

Anthem

OPM

Anthem Hack

Sakula/Sakurel, Derusbi, Scanbox Framework, many Webshells including China Chopper, WCE

Axiom, Winnti

http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf

https://www.isightpartners.com/2015/07/threatscape-media-highlights-update-week-of-july-29th/

https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html

13

Naikon

Lotus Panda

PLA Unit 78020

Naikon

APT30

Thrip, Billbug, Firefly

G0019

MsnMM

Naikon

Camera Shy

RARSTONE, BACKSPACe, NETEAGLE, XSControl

satellite communications operator, Telecoms, and Defense Companies, Hong Kong

https://securelist.com/analysis/publications/69953/the-naikon-apt/

http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/

https://www.threatconnect.com/camerashy/

http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/

https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia

https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/

https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority

https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

https://symantec-enterprise-blogs.security.com/threat-intelligence/telecoms-espionage-asia

14

Lotus Blossom

Spring Dragon

Lotus Blossom

ST Group, Esile,BitterBug

G0030

Operation Lotus Blossom

Elise Backdoor, Lstudio, CVE-2017-11882

https://securelist.com/blog/research/70726/the-spring-dragon-apt/

http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/

https://securelist.com/blog/research/70726/the-spring-dragon-apt/

http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments

http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/

https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting

https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf

https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/

https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf

15

APT6

1.php Group

Poison Ivy,

US Government Organizations

Overlaps with Operation Night Dragon

https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years

https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf

https://www.zscaler.com/blogs/research/1php-group-intrusion-set-paper

https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/tb_advanced_persistent_threats.pdf

16

APT26

Turbine Panda

APT26

Hippo Team

JerseyMikes

Cobalt, QuickPulse, credential stealers
such as WCE, GSECDUMP, COATHOOK, HTRAN, SOGU, TWOCHAINS, QUICKBALL

Affected Industry: Aerospace and Defense, business and Professional Services/Legal/Accounting, High Tech Software and hardware services

Supply-chain attacks such as strategic web compromise (SWC) where the actor compromise 3rd-party service provider hosting the victim websites

https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf?mkt_tok=3RkMMJWWfF9wsRojuKrPZKXonjHpfsX/7e8tWrHr08Yy0EZ5VunJEUWy2ocITtQ/cOedCQkZHblFnV4AS626XrENqKML

https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf

https://digit.fyi/lengthy-cyber-espionage-operation-helped-china-develop-c919-airliner/

17

Mirage

Vixen Panda

Ke3Chang

Playful Dragon

GREF

APT15

Social Network Team

Mirage Team, Lurid, Social Network Team, Royal APT, Metushy, Winnti Umbrella, NICKEL, Playful Taurus, BackdoorDiplomacy

G0004

Umbrella Revolution

Mirage, (Nvidia program side-loading) PlugX, XSLCmd, TidePool, BS2005, RoyalCli, iWebRat, Russian-language decoy document, ENFAL, ENDCMD, QUICKHEAL, SOGU, CYFREE, MIRAGE, NOISEMAKER, QUICKHEAL, SWALLOWFLY, Turian Backdoor

PH, VN, TW, US, UK, IT, PL, UN, SG, NATO - Gov, Political party

Winnti

Some vendors track this group in up to 3 separate groups

http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/

https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf

http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

https://github.com/nccgroup/Royal_APT

https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

https://401trg.com/burning-umbrella/

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/

https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi#page=51

https://www.lookout.com/documents/threat-reports/us/lookout-moonshine-badbazaar.pdf

https://unit42.paloaltonetworks.com/playful-taurus/

https://www-zurnal24-si.translate.goog/slovenija/znano-kdo-stoji-za-napadom-na-ministrstvo-za-zunanje-zadeve-404450?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

18

APT21

Hammer Panda

Lanzhou PLA Unit

NetTraveler

APT21

Zhenbao, Temp.Zhenbao,TravNet

NetTraveler

This threat actor targets computer networks associated with Tibetan and Uyghur activists for espionage purposes.

https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/

https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/

https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/

http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242

https://www.isightpartners.com/2014/11/threatscape-media-highlights-update-week-november-10/

http://www.securityweek.com/plugx-rat-used-gather-intel-afghan-russian-military-report

19

Ice Fog

Dagger Panda

IceFog

ICEFOG

Fucobha, Temp.Trident

Dagger Three (C2 software), Fucobha Backdoor, IceFog, RoyalRoad RTF Weaponizer

This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in US, Taiwan, Japan and South Korea.

Links to Onion Dog

https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/

https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/

http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf

http://www.darkreading.com/attacks-and-breaches/java-icefog-malware-variant-infects-us-businesses/d/d-id/1113451

https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain

https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt

https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80

20

Beijing Group

Sneaky Panda

Hydraq, SIG22, Elderwood, Elderwood Gang

G0066

Aurora

Hydraq, Elderwood Project

This threat actor targets private sector companies in the defense, shipping, aeronautics, arms, and energy sectors, as well as nonprofits and financial firms.

Possibly assisted in Operation Aurora, the RSA incident, and the Joint Strike Fighter Program compromise

https://en.wikipedia.org/wiki/Operation_Aurora#Attackers_involved

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China

https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/

21

APT22

Wet Panda

BRONZE OLIVE

Barista

China Chopper, PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, LOGJAM

Possible overlap with Beijing Group

http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild

22

Suckfly

G0039

Nidiran, Korplug, PlugX

Indian organisations and Republic of Korea

http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

23

APT4

Samurai Panda

PLA Navy

APT4

Sykipot

Wisp Team

“PdPD” (50 64 50 44) marker for encrypted binaries

http://www.crowdstrike.com/blog/whois-samurai-panda/

24

Pitty Tiger

Pitty Panda

Pitty Tiger

G0011

PittyTiger, Paladin RAT

"Pitty Tiger" was originally the name of a malware payload by the malware tracker blog. Airbus and FireEye identified the actor as Chinese. CrowdStrike uses "tiger" when naming adversaries alligned with India. Crowdstrike associates the actor with the name "Pitty Panda" conforming to their naming convention for Chinese actors.

http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2

https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

http://blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html

25

Scarlet Mimic

G0029

FakeM, Psylo, MobileOrder

Uyghur and Tibetan activists as well as those who are interested in their causes

http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

26

C0d0so

Codoso

APT19

Sunshop Group

G0073

Bassos Campaign

Bergard Trojan, Derusbi, TXER

Forbes, Defense, Finance, Energy, Government, Political Dissidents, Global Think Tanks

Watering Hole

https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf

http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/

https://www.proofpoint.com/us/threat-insight/post/exploring-bergard-old-malware-new-tricks

https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/

27

SVCMONDR

CVE-2015-2545

Taiwan, Thailand

Tamper Panda

“PdPD” (50 64 50 44) marker for encrypted binaries

https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/

28

Wisp Team

APT4

Wisp Team

Defense Industrial Base, US Government

iSight has mentioned tracking a China-nexus group they dub "Wisp Team" - have not resolved this w/ other naming conventions

https://www.isightpartners.com/2014/04/weeks-threatscape-media-highlights-update-2/

https://www.isightpartners.com/2014/09/weeks-threatscape-media-highlights-update-22/

https://www.isightpartners.com/2015/01/threatscape-media-highlights-update-week-january-12/

29

Mana Team

Australia

iSight has mentioned tracking a China-nexus activity they dub "Mana Team", targeting Australian interests - have not resolved this w/ other naming conventions

https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/

30

SPIVY

Hong Kong dissidents

http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/

31

Mofang

BRONZE WALKER

Whitefly

G0103
(Kasperksy)
G0107
(Symantec)

SingHealth

ShimRAT, ShimRATReporter

Government, military, Critical Infrastructure,Automotive Industry*,Weapon Industry*, This threat actor compromises government and critical infrastructure entities, primarily in Myanmar, for espionage purposes. Myanmar, Canada, United States, Germany, India, South Korea, Singapore

Superman

https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/

https://www.threatconnect.com/china-superman-apt/

https://securelist.com/big-threats-using-code-similarity-part-1/97239/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore

32

DragonOK

Dragon Castling

G0017

CVE-2015-1641, Sysget, IsSpace, Rambo Backdoor

Japan, SE Asia casino & gaming

KHRAT links to Rancor

http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/

http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/

https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor

http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf

https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/

https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

33

Group 27

Trochilus RAT, PlugX, EvilGrab, 3102 variant of 9002 RAT

Seven Pointed Dagger, Trochilus RAT

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf

https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

34

Tonto Team

CactusPete

Tonto Team

G0131

Seven Pointed Dagger

RoyalRoad RTF Weaponizer

https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==

https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf

https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector

https://cert.gov.ua/article/375404

https://www.group-ib.com/blog/tonto-team/

https://asec.ahnlab.com/en/51746/

35

TA459

G0062

PlugX, NetTraveler, ZeroT, PCrat, Gh0st, RoyalRoad RTF Weaponizer

Central Asian countries, Russia, Belarus, Mongolia, and others

?NetTraveler?

https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter

https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

36

Tick

BRONZE BUTLER

Tick

REDBALDKNIGHT

G0060

whoami, procdump, VBS, WCE, Mimikatz, gsecdump, PsExec, Daserf, Gofarer, Datper, ABK Downloader, avirra Downloader, Datper, RoyalRoad RTF Weaponizer

https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan

https://www.secureworks.jp/resources/rp-bronze-butler

https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/

http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html

https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/

https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html

https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf

https://therecord.media/japanese-police-say-tick-apt-is-linked-to-chinese-military/

37

Lucky Cat

Shadow Network, SabPub, TA413 (Proofpoint)

ENDTRADE

A threat actor targets computer networks associated with Tibetan activists, as well as military research and development, aerospace, engineering, and shipping industries in India and Japan.

http://blog.trendmicro.com/trendlabs-security-intelligence/luckycat-redux-inside-an-apt-campaign/

http://www.nartv.org/mirror/shadows-in-the-cloud.pdf

https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/

http://www.securityweek.com/mac-malware-linked-luckycat-attack-campaign

http://www.infoworld.com/article/2617225/malware/sabpub-malware-proves-macs-are-an-apt-target.html

https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf

https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic

38

APT40

Leviathan

APT40

Temp.Periscope

Temp.Jumper, GADOLINIUM, MUDCARP, Hainan Xiandun Technology Company, TA423, Red Ladon, ScanBox

G0065

AIRBREAK, BADFLICK, PHOTO, HOMEFRY, LUNCHMONEY, MURKYTOP, China Chopper, Beacon, BLACKCOFFEE, CVE-2017-11882, Derusbi, RoyalRoad RTF Weaponizer

maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities

https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets

https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html

https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html

https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain

https://lab52.io/blog/leviathan-geostrategy-and-ttp-technical-tactics-and-procedures/

https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/

https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/

https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/

https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network/

https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding/

https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40/

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf

https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea

39

PassCV

TG-3279

Winnti Umbrella, China Cracking Group,

Sabre, Kitkiot, Conpee, Etso, Runxx, dnsenum, s (custom port scanner), rdp_crk, icmp_shell, Jynxkit, Gh0st RAT, NetCommander, Carberp RAT

Gaming Companies

Winnti

Personas: Laurentiu Moon, Sincoder

https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies

https://401trg.com/burning-umbrella/

https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry#up2

40

BARIUM

TG-2633

Winnti Umbrella, BRONZE ATLAS

Winnti Rootkit malware

Electronic gaming, multimedia, Internet content industries, technology companies

Winnti

https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc

https://401trg.pw/burning-umbrella/

41

LEAD

Winnti Umbrella

Winnti Rootkit malware

Multinational, multi-industry companies, textiles, chemicals, electronics, pharmaceutical companies, manufacturing

Winnti

https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc

https://401trg.pw/burning-umbrella/

https://www.france24.com/en/20190404-bayer-victim-cyber-attack-german-media

42

Iron Group

Rocke

Bayer Cyber Attack

XBash

Cybercrime, Cryptomining, Cryptojacking

https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html

https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/

https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html

https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang#When:18:10:00Z

43

Anchor Panda

APT14, APT-14,QAZTeam,ALUMINUM

Adobe Gh0st, Poison Ivy, Torn RAT

This threat actor targets government and private sector entities interested in maritime issues in the South China Sea for espionage purposes. Maritime satellite systems, aerospace companies, and defense contractors.

“PdPD” (50 64 50 44) marker for encrypted binaries

http://www.crowdstrike.com/blog/whois-anchor-panda/

44

Aquatic Panda

G0143

https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/

45

Big Panda

Financial services firms

Mentioned by Alperovitch in 2013 article as targeting financial services industry

http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?

46

Electric Panda

Listed on slide 8

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

47

Eloquent Panda

Mentioned slide 15

http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf

48

Emissary Panda

LuckyMouse

BRONZE UNION, TG-3390

APT27

TEMP.Hippo

Group 35

ZipToken, Iron Tiger

G0027

A Tale of Two Targets

PlugX, China Chopper Webshell, HttpBrowser, Hunter, ASPXTool, wce, gsecdump, nbtscan, htran

US Gov and contractors, Western think tanks, Gaming, iGaming, Gambling

DEV-0322, Earth Berberoka

Suspected South Korean group? https://attack.mitre.org/groups/G0012/

http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/

http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states

https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/

https://www.secureworks.com/research/bronze-union

https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/

https://securelist.com/luckymouse-hits-national-data-center/86083/

https://securelist.com/luckymouse-ndisproxy-driver/87914/

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox

https://lab52.io/blog/apt27-rootkit-updates/

https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/

https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia

https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/

https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html

https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/

https://blog.group-ib.com/task

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/

https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html

https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state

https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt

49

Foxy Panda

Iron Tiger

Technology & Communications

Listed slide 4

http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf

50

Gibberish Panda

Listed slide 8

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

51

Goblin Panda

Hellsing

Cycldek

Cycldek, Conimes Team, China1937CN Team, Temp.Conimes, Earth Zhulong

ZeGhost, PlugX, tempfun, NewCore RAT, Sisfader, RoyalRoad RTF Weaponizer, BlueCore, RedCore

Southeast Asia, Government of Vietnam

Weaponizer leaked, new activity wrongly attributed to this long inactive group, possible links to Icefog/Dagger Panda and Temp.Periscope/APT40

http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/

https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain

https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html

https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf

https://securelist.com/cycldek-bridging-the-air-gap/97157/

https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/

52

Hurricane Panda

BRONZE VINEWOOD

APT31

Black Vine

TEMP.Avengers

Zirconium, TA412

Op. Poisoned Hurricane

China Chopper Webshell, PlugX, Mimikatz, Sakula

Aerospace, Healthcare, Energy (gas & electric turbine manufacturing), Military and defense, Finance, Agriculture, Technology, Japan, United States, United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, Norway

used free DNS servers provided by Hurricane Electric

http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/

http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/

http://blog.airbuscybersecurity.com/post/2015/09/APT-BlackVine-Malware-Sakula

https://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012

http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29

https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85

https://uk.reuters.com/article/uk-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUKKCN1PV14R

https://raw.githubusercontent.com/GuardaCyber/APT-Groups-and-Operations/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf

https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains

https://research.checkpoint.com/2021/the-story-of-jian/

https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/

https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/

https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/

https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/

53

Impersonating Panda

Financial sector

54

Judgement Panda

Umbrella Revolution

Spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting

Upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

55

Karma Panda

CactusPete

Tonto Team

Bisonal (malware), Lone Ranger

Dissident groups

Listed slide 4

http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf

https://securelist.com/apt-trends-report-q1-2019/90643/

56

Keyhole Panda

Bronze Fleetwood

temp.bottle

Electronics & Communications

Listed slide 4

http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf

57

Kryptonite Panda

8.t exploit document builder

Cambodia

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

58

Mustang Panda

HoneyMyte

BRONZE PRESIDENT

Temp.Hex

TA416, RedDelta, Earth Preta (TrendMicro), Stately Taurus, Fireant

G0129

Cobalt Strike, PlugX, ORat, RCSession, Nbtscan, Nmap, Wmiexec, China Chopper web shell, MQsTTang

Mining sector in Mongolia, private individuals |=| gathering geo-political and economic intelligence, NGOs, political & law enforcement org in South and East Asia

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z

https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/

https://securelist.com/apt-trends-report-q3-2019/94530/

https://www.secureworks.com/research/bronze-president-targets-ngos

https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/

https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf

https://kc.mcafee.com/corporate/index?page=content&id=KB92635&locale=en_US

https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader

https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-dianxun-cyberespionage-campaign-targeting-telecommunication-companies/

https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf

https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european

https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/

https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx

https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html

https://www.secureworks.com/blog/bronze-president-targets-government-officials

https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims

https://www.lac.co.jp/lacwatch/report/20221117_003189.html

https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html

https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets

https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware

https://thehackernews.com/2023/03/chinese-hackers-targeting-european.html

https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/

https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/

https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/

https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/

https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/

59

Night Dragon

G0014

A threat actor compromised U.S. oil companies through spear phishing and remote administration tools. Oil, Energy and Petrochemical (OpNightDragon)

https://kc.mcafee.com/corporate/index?page=content&id=KB71150

http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

60

Nightshade Panda

APT9

FlowerLady

Poison Ivy, PlugX, BIGJOLT,FUNRUN,GH0ST,HOMEUNIX,JIM A,PHOTO,POISON IVY,SKINNYGENE,SOGU,VICEROY,VIPSH ELL,WETHEAD,XDOOR,ZXSHELL

HK, US, SG, MY, JP, IN, KR, TH, TW - Aerospace, Agriculture, Construction, Energy, Healthcare, ,High Tech, Media, Transportation

https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/

https://www.aha.org/system/files/media/file/2020/11/hc3-threat-briefing-tlp-white-chinese-state-sponsored-cyber-activity-november-19-2020.pdf

https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Nightshade%20Panda%2C%20APT%209%2C%20Group%2027&n=1#:~:text=Names%2C%20Nightshade%20Panda%20(CrowdStrike)%20APT%209%20(Mandiant),(ASERT)%20FlowerLady%20(Context)%20FlowerShow%20(Context).%20Country%2C%20China.

61

Nomad Panda

Neeedleminer group

Night Dragon

8.t exploit document builder

Central Asian nations

RedFoxtrot, Moshen Dragon

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

62

Pale Panda

Agriculture in EU

PlugX

Mentioned in 2014 Crowdstrike Global Threat Intel Report pg 22

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

63

Pirate Panda

KeyBoys

G0081

Southeast Asia

Tropic Trooper & KeyBoy

http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/

http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html

https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/

https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks

https://citizenlab.ca/2016/11/parliament-keyboy/

64

Poisonous Panda

Energy technology, G20, NGOs, Dissident Groups

Listed slide 4

http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf

65

Predator Panda

PlugX

Southeast Asia

Mentioned pg 22 & 42

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

66

Radio Panda

67

Sabre Panda

Umbrella Revolution

Listed in 2014 Global Threat Report (pg 9) - observed in Umbrella Revolution related activity (pg 28)

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

68

Spicy Panda

Listed in 2014 Global Threat Report - no more details pg 9

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

69

Stone Panda

BRONZE RIVERSIDE

APT10

MenuPass Team

menuPass

Red Apollo, CVNX, POTASSIUM, Cloud Hopper, Hogfish, TA429, Cicada, TALONITE, DEV-0401

G0045

Dust Storm

Cloud Hopper

ChessMaster

Poison Ivy, EvilGrab, IEChecker, ChChes, PlugX, RedLeaves, Quasar, CobaltStrike, Trochilus, UPPERCUT (aka ANEL), StoneNetLoader

Healthcare; Pharma, Defense, Aerospace, Government, MSP,

Data exfil over common TCP services (RDP, HTTPS)

Compromise & Persistence: BUGJUICE, SOGU, SNUGRIDE, Group 27

Profile slide 13 & 14

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf

https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf

https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-february-24th/

https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/

https://www.us-cert.gov/ncas/alerts/TA17-117A

https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf

https://www.lac.co.jp/lacwatch/people/20180521_001638.html

https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/

https://blog.ensilo.com/uncovering-new-activity-by-apt10

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks

https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/

https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group

70

Temper Panda

Admin338

Team338

admin@338

338 Team

admin@338

Poison Ivy, jRat, LOWBALL, BUBBLEWRAP

Target Gov + Military, DIB, Finiancial/Think Tanks, Telco, Academia, Religious organisations

“PdPD” (50 64 50 44) marker for encrypted binaries

https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

71

Test Panda

menuPass

Listed slide 8

http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem

72

Toxic Panda

Umbrella Revolution

Dissident Groups

Listed slide 4

http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf

73

Twisted Panda

Stone Panda, Mustang Panda

https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/

74

Union Panda

Industrial companies

Listed slide 4

http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf

75

Vicious Panda

https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/

https://securelist.com/apt-trends-report-q2-2020/97937/

76

Violin Panda

APT8

APT20

Covert Grove

Nitro Attacks

th3bug

Wocao

Poison Ivy, CAKELOG, CANDYCLOG, COOKIECLOG, CETTRA

Energy, Chemical Industry, Healthcare and Pharma

Listed slide 12

http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf

https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/

77

Wet Panda

PlugX

Energy

Mentioned in 2014 Global Threat Report using PlugX (pg 22)

http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf

http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777

78

?

Four Element Sword

UP007, SLServer, Grabber, T9000, Kivars, PlugX, Gh0StRAT, Agent.XST

Tibetans, Hong Kong, Taiwanese interests and human rights workers, Uyghur Interests

Active

IXESHE (see PWC report)

https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/

https://citizenlab.org/2016/04/between-hong-kong-and-burma/

http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html

79

?

INOCNATION

IXESHE (malware), Etumbot, Numbered Panda

https://web.archive.org/web/20151217200415/https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf

80

?

Poisoned Helmand

Afghan Government

Watering Hole

Operation Poisoned Hurricane

https://www.threatconnect.com/operation-poisoned-helmand/

81

?

APT1?

Titan Rain

USA

web archive link to 12/12/2005 article about Titan Rain, ZDNet link dated 11/23/2005 is similar article

http://web.archive.org/web/20081011233241/http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html

https://www.zdnet.com/article/security-experts-lift-lid-on-chinese-hack-attacks/

82

?

Maverick Panda

PLA Navy

Sykipot

APT4?

Sykipot, Getkys, Wyksol

DIB (Defence Industrial Base) and other government organizations

https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments

http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/

83

Calypso

Links to Skyipot, Pitty Tiger, Comment Crew, Mirage

Byebe, CMStar, Calypso RAT, PlugX

https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/

https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf

84

Tropic Trooper

KeyBoy

Earth Centaur

G0081

Poison Ivy, PCShare, Yahoyah

Taiwan, High-Tech in Asia, Taiwanese Government, Fossil Fuel Provider, Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries

Pirate Panda & KeyBoy

Group based in Xiamen, in same area as PLA Navy. Likely a navy SIGINT TRB

http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/

https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/

https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/

https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html

85

APT41

G0096

CRACKSHOT, GEARSHIFT, HIGHNOON, JUMPALL, POISONPLUG, HOTCHAI, LATELUNCH, LIFEBOAT, LOWKEY, NJRAT, PACMAN, PHOTO, POTROAST, ROCKBOOT, SAGEHIRE, SWEETCANDLE, SOGU, TERA, TIDYELF, WIDETONE, WINTERLOVE, XDoor, Xmrig, ZxShell

Overlap with BARIUM and Winnti

https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html

https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html

https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html

https://www.bankinfosecurity.com/feds-chinese-hacking-group-undeterred-by-indictment-a-20153

https://therecord.media/taiwan-government-backed-research-institution-apt41-hack

86

Poison Carp

Earth Empusa

Evil Eye

ActionSpy, ScanBox, BeEF, Evil Eye

This threat actor targets smartphones associated with Tibetan and Uyghur activists for espionage purposes.

Strategic web compromise (watering hole)

https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/

https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/

https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/

87

AVIVORE

Airbus Attack

PlugX, Mimikatz, WmiExec

aerospace and defence industries in the UK and Europe

https://www.contextis.com/en/blog/avivore

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-005.pdf

88

APT-C-01

PoisonVine

Poison Ivy, ZxShell, Kanbox RAT, CVE-2012-0158, CVE-2014-6352, CVE-2017-8759

government agencies, military individuals, research institutes, maritime agencies

https://ti.qianxin.com/blog/articles/analysis-of-apt-c-01/

https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf

http://blogs.360.cn/post/APT_C_01_en.html

https://www.netscout.com/sites/default/files/2019-02/SECR_001_EN-1901%20-%20NETSCOUT%20Threat%20Intelligence%20Report%202H%202018.pdf

https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/

https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf

89

DarkUniverse

ItaDuke

Tibet and Uyghur activists, Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates

Spearphishing w/CVE-2013-0640 weaponized PDF

https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/

https://www.alienvault.com/blogs/labs-research/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists

https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/

90

Taskmasters

RemShell, 404-Input-shell, Eternal Blue, Scheduled Tasks

Military, government, telecommunication, small businesses

https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/

https://www.youtube.com/watch?v=XYuclHsoQO4&feature=youtu.be

https://blog.group-ib.com/task

91

GALLIUM

Soft Cell, UNSC 2814, Alloy Taurus, Granite Typhoon

Soft Cell

BlackMould, China Chopper, PoisonIvy, QuarkBandit, Htran, NBTScan, PsExec, Winrar, Netcat

Telecom

https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers

https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

https://unit42.paloaltonetworks.com/pingpull-gallium/

https://unit42.paloaltonetworks.com/alloy-taurus/

92

RANCOR

G0075

KHRAT Trojan, Derusbi, Dudell, DDKONG Plugin

South-East Asia

DragonOK

https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

https://meltx0r.github.io/tech/2019/09/11/rancor-apt.html

https://research.checkpoint.com/rancor-the-year-of-the-phish/

https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/

93

ChinaZ

Linux.BackDoor.Xnote.1, Linux/BillGates.Lite, Linux/UDPfker

https://news.drweb.com/show/?i=9272&lng=en&c=5

https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html

https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html

https://www.intezer.com/blog-chinaz-relations/

https://www.intezer.com/blog-chinese-apts-rising-ia-community-may-2019/

https://www.intezer.com/blog-chinaz-introduces-new-undetected-malware/

https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf

94

APT-C-37

Slap Bear

Papa Bear

Pat/Patted Bear

http://blogs.360.cn/post/analysis-of-apt-c-37.html

https://zhuanlan.kanxue.com/article-8168.htm

https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ

https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37

95

APT-C-27

Goldmouse/Gold Mouse/Gold Rat

Middle East

Link to OilRig?

https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/

https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/

https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf

96

Storm Cloud

Holy Water

Godlike12, SweetAlerts

Strategic web compromise (watering hole)

97

TA410

Witchetty

FlowingFrog,Flowing Frog,LookingFrog,Looking Frog,JollyFrog,Jolly Frog

LookBack, FlowCloud

utility providers across the U.S

APT10

https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new

https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

https://threatpost.com/apt-id-3-separate-actors/179435/

https://www.securityweek.com/chinese-cyberespionage-group-witchetty-updates-toolset-recent-attacks/

98

SixLittleMonkeys

Microcin

Microcin, BYEBY, Mikroceen

Central Asia, Russian military, Belarussia, Mongolia,

Link to Vicious Panda

https://securelist.com/steganography-in-contemporary-cyberattacks/79276/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf

https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/

https://securelist.com/microcin-is-here/97353/

https://securelist.com/apt-trends-report-q2-2019/91897/

99

HAFNIUM

UNC2639, UNC2640, UNC2643

Ant

Operation Exchange Marauder

Covenant, Procdump, 7-Zip, Nishang, PowerCat

Microsoft Exchange Server

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection

https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/

https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/

100

Luminous Moth

South East Asia

Mustang Panda

https://securelist.com/apt-luminousmoth/103332/

101

Spiral

SolarWinds Orion API (CVE-2020-10148), SUPERNOVA

https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group

102

Sparkling Goblin

CROSSWALK, SideWalk

Academic sectors in Macao, Hong Kong and Taiwan, A religious organization in Taiwan, A computer and electronics manufacturer in Taiwan, Government organizations in Southeast Asia, An e-commerce platform in South Korea, The education sector in Canada, Media companies in India, Bahrain, and the USA, A computer retail company based in the USA, Local government in the country of Georgia, Unidentified organizations in South Korea and Singapore,

Winnti, APT41

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf

103

APT5

BRONZE FLEETWOOD

MANGANESE

BRIGHTCREST, SWEETCOLA, SPIRITBOX, PALEJAB, WIDERIM, WINVAULT, HAPPYSAD, BIRDWORLD, FARCRY, CYFREE, FULLSILO, HELLOTHEWORLD, HAZELNUT, GIF89A, SCREENBIND, SHINYFUR, TRUCKBED, LEOUNCIA, FREESWIM, PULLTAB, HIREDHELP, NEDDYHORSE, PITCHFORK, BRIGHTCOMB, ENCORE, TABCTENG, SHORTLEASH, CLEANACT, BRIGHTCYAN, DANCEPARTY, HALFBACK, PUSHBACK, COOLWHIP, LOWBID, TIGHTROPE, DIRTYWORD, AURIGA, KEYFANG, Poison Ivy, Comfoo, Skeleton Key

Regional telecommunication providers, Asia-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology.

UNC2630

https://www.fireeye.com/current-threats/apt-groups.html

https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html

https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers

https://www.secureworks.com/research/threat-profiles/bronze-fleetwood

https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF

https://duo.com/decipher/apt5-exploiting-new-flaw-in-citrix-adc-and-gateway#:~:text=APT5%2C%20a%20Chinese%20threat%20group%2C%20has%20used,to%20target%20a%20small%20number%20of%20organizations

104

RedFoxtrot

PlugX-Talisman, ShadowPad, GUNTERS

South Asia Telecom & Defense

?Moshen Dragon, Nomad Panda, Goblin Panda, LuckyMouse, Cycldek, Emissary Panda, TG-3390

https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/

https://go.recordedfuture.com/redfoxtrot-insikt-report

https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/

https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html

105

IronHusky

MysterySnail, CVE-2021-40449

Vicious Panda

https://securelist.com/apt-trends-report-q1-2018/85280/https://securelist.com/apt-trends-report-q1-2018/85280/

https://securelist.com/apt-trends-report-q2-2020/97937/

https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/

106

Antlion

Xpack, JpgRun, EHAGBPSL, NetSessionEnum

Financial Services in ROC (Taiwan)

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks

107

DEV-0322

Circle Typhoon

TiltedTemple

US Defense Industrial Base, higher education, consulting services, and information technology sectors

Serv-u Secure FTP, Exploit ZOHO ManageEngine ADSelfService Plus

TG-3390, Emissary Panda, APT27

https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/

https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/

https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/

https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/

108

Curious Gorge

UNC3742

government & military organizations in Ukraine, Russia, Kazakhstan, and Mongolia

Subordinate to Strategic Support Force

https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/

109

Scarab

Scieron, Trojan.Scieron, Trojan.Scieron.B,

Russia, Ukraine

UAC-0026

https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

https://otx.alienvault.com/pulse/54c7e1e811d4085eb82e0598/

https://cert.gov.ua/article/38097

https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/

https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/

110

BackdoorDiplomacy

CloudComputating

BackDip,Quarian

G0135

Quarian, Turian, Follina

Kaspersky = CloudComputating = Chinese in 2Q2017 APT summary, CloudComputating = BackdoorDiplomacy in 3Q2021 APT summary, ESET CloudComputating = BackdoorDiplomacy using Turian & Quarian

https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

https://securelist.com/?s=CloudComputating

https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day

111

Earth Berberoka

GamblingPuppet, Gambling Puppet

Chinese gambling websites, one education-related government institution, two IT services companies, and one electronics manufacturing company

Emissary Panda, Iron Tiger

https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf

https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf

112

RedAlpha

DeepCliff

DeepCliff, Red Dev 3

https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/

https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf

https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf

113

Bluebottle

OPERA1ER,DESKTOP-GROUP,NXSMS,Common Raven

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa

114

DragonSpark

https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/

115

Yanluowang

https://darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics

116

LuoYu

https://thestack.technology/kaspersky-luoyu-windealer-man-on-the-side/

117

Aoqin Dragon

https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/

118

WIP19

SQLMaggie,ScreenCap,WinEggDrop

A new threat cluster, called WIP19, has been targeting telecommunications and IT service providers in the Middle East and Asia. The group is believed to be Chinese-speaking and involved in espionage-related activities. WIP19 uses a stolen, legitimate digital certificate issued by a Korean company called DEEPSoft to sign several malicious components. The threat actor has been using several backdoors authored by a Chinese-speaking malware author named WinEggDrop, who has been active since 2014. The activity has some overlap with Operation Shadow Force, but WIP19 represents a more mature actor that uses new malware and techniques. The group utilizes several pieces of malware, including SQLMaggie, a credential dumper, and a keylogger/screen recording component called ScreenCap. The group is said to use a less-common DLL search order hijacking of explorer.exe to load the keylogging and screen recording component.

https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/

119

Taidoor

Earth Aughisky, EarthAughisky

G0015

Roudan,LuckDLL,GrubbyRAT, Taikite,SVCMONDR,SiyBot

Earth Aughisky (also known as Taidoor) is an active advanced persistent threat (APT) group that has been consistently targeting specific targets in Taiwan and Japan over the past decade. In a recent research paper titled "The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started," the researchers provide an overview of the malware families and tools attributed to the group, including Roudan (also known as Taidoor), LuckDLL, GrubbyRAT, Taikite (also known as SVCMONDR), and SiyBot. These malware families and tools have been observed to have components that have yet to be identified or reported, indicating ongoing evolution and adaptation by the APT group. The researchers also highlight connections and overlaps between Earth Aughisky's malware and tools, including shared infrastructure, similar hashing mechanisms, and common logging mechanisms. The insights gained from this research can be used by security analysts and teams to evaluate and enhance their defense measures against Earth Aughisky's activities.

https://www.trendmicro.com/en_nl/research/22/j/tracking-earth-aughiskys-malware-and-changes.html

120

Red Menshen

Red Dev 18

https://malpedia.caad.fkie.fraunhofer.de/actor/red_menshen

121

VAPOR PANDA

VAPOR PANDA leveraged the ProxyLogon exploit chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)

122

ETHEREAL PANDA

GodZilla webshell

123

Nitro

Covert Grove

https://malpedia.caad.fkie.fraunhofer.de/actor/nitro

124

Returned Libra

Mining Group

8220,8220 Gang

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.

125

Yanbian Gang

Yanbian

FunkyBot,Moqhao

https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484

126

Dark PInk

Saaiwc Group

ASEAN, Vietnamese, Malaysian, Indonesian, Cambodian, Philippines, Bosnia and Herzegovina

https://mp.weixin.qq.com/s/G3gUjg9WC96NW4cRPww6gw

https://blog.group-ib.com/dark-pink-apt

https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries

https://www.group-ib.com/blog/dark-pink-episode-2/

127

UNC3886

https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence

https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem

https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening

128

FamousSparrow

Famous Sparrow

GhostEmperor

UNC4841

Salt Typhoon

US Government wiretap system, via Verizon and AT&T.

https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation

https://www.cisa.gov/news-events/alerts/2023/08/29/cisa-releases-iocs-associated-malicious-barracuda-activity

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

https://www.barracuda.com/company/legal/esg-vulnerability

https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-famoussparrow-apt-group-spying-on-hotels-governments-and-private-companies/

https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html

129

Volt Typhoon

VANGUARD PANDA

BRONZE SILHOUETTE

Redfly

Mimikatz,ProcDump,Nbtscan,SparrowDoor

Government, Military industrial complexes, critical infrastructure,Israel,USA,Saudi Arabia,South Africa,Brazil,France,UK,Thailand

preinstalled binaries (living off the land concept)

https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations

https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks

130

Sharp Dragon (CHKPT)

Sharp Panda

VictoryDLL, Soul framework, Cobalt Strike Beacon

Shifting to Africa and Caribbean regions

https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/


1	General Information		How to Search in this Spreadsheet?
2	Topic	Comment
3	Motive	Cyber security companies and Antivirus vendors use different names for the same threat actors and often refer to the reports and group names of each other. However, it is a difficult task to keep track of the different names and naming schemes. I wanted to create a reference that answers questions like "I read a report about the 'Tsar Team', is there another name for that group?" or "Attackers used 'China Chopper' webshell, which of the APT groups did use that shell too?" or "Did he just say 'NetTraveler'? So, does he talk about Chinese or Russian attackers?"	1. Step Use Ctrl+F / Command+F to bring up the search field, then click on the dotted vectical line next to the "X"
4	Hints	- Each active country / region has its own tab - The "Other" tab contains actors from certain regions not covered by the main tabs - The "Unknown" tab is used for groups and operations with no attribution - Cells with overlaps are highlighted in gray - overlaps are no error per se but necessary to visualize that groups tracked by one vendor are divided into two different groups by another vendor	2. Step Type the keyword you search for in the "Find" field and click on the "Find" button or press Enter. This will search the keyword in all tabs of the spreadsheet.	2. Step Type the keyword you search for in the "Find" field and click on the "Find" button or press Enter. This will search the keyword in all tabs of the spreadsheet.
5	Disclaimer	Attribution is a very complex issue. This list is an intent to map together the findings of different vendors and is not a reliable source. Most of the mappings rely on the findings in a single incident analysis. Groups often change their toolsets or exchange them with other groups. This makes attribution of certain operations extremely difficult. However, we decided that even an uncertain mapping is better than no mapping at all. Be aware that information published here may be wrong, quickly outdated, or may change based on evolving information. People tend to comment on the sheet. Sometimes they add threat intel that isn't TLP:WHITE but taken from some fee-based platform. Please let me know if confidential information has been disclosed.
6	Known Issues	- Groups named after the malware (families) they've used - Groups named after a certain operation - Lists / tables are not normalized to allow a better overview by avoiding too many spreadsheets - Some groups have now been discovered to be "umbrella" terms for sub-groups. (e.g. Lazarus has subgroups; Winnti's "Burning Umbrella" report )
7	Search	Press CTRL+F or Command+F and then use the Symbol with the three dots to bring up the search dialogue that looks in the full workbook for your keywords
8	Overlaps	Names that appear multiple times are shaded in a light grey
9	First Release	12/26/2015
10	License	CC Creative Commons - Attribution 4.0 International (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
11	Access Rights	Everyone: READ / COMMENT Invited Editors: READ / COMMENT / WRITE
12	Support	Please contact me (@cyb3rops) if you would like to modify or add content to these lists. I will gladly give you write access to this list if: - I know you personally or from my Twitter stream - you are a threat intel researcher / malware analyst with some reference - you are a vendor representative - you are an author of the listed sources (see '_Sources' work sheet) Please provide you email address if you are interested in helping me (preferably Gmail - this allows native access via the connected Google account)
13	Search Engine	https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc
14	Short URL	https://apt.threattracking.com
15
16	Contributors
17	Name / Nickname	Twitter Handle
18	Pasquale Stirparo	@pstirparo
19	David Bizeul	@davidbizeul
20	Brian Bell	No Twitter Account
21	Ziv Chang	@Gasgas4Ggyy
22	Joel Esler	@joelesler
23	Kristopher Bleich	@kc0iqx_bleich
24	Maite Moreno	@mmorenog
25	Monnappa K A	@monnappa22
26	J. Capmany	@theweeZ
27	Paul Hutchinson	@AllAboutAPT
28	Boris Ivanov	@BlackCaesar1973
29	Andre Gironda	@andregironda
30	Devon Ackerman	@aboutdfir
31	Carlos Fragoso	@cfragoso
32	Eyal Sela	@eyalsela
33	Florian Egloff	@egflo
34	Ohad Zaidenberg	@ohad_mz
35	Gary Warner	@GarWarner
36	Efi Pecani	@Excited_Efi
37	And many helpful people that just commented on cells - thank you!


1	Russia
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	Other Name 8	Other Name 9	Other Name 10	Other Name 11	Other Name 12	MITRE ATT&CK	Secureworks	Operation 1	Operation 2	Operation 3	Operation 4	Operation 5	Operation 6	Operation 7	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31

3	Sofacy	APT28	Sednit	Pawn Storm	Group 74	Tsar Team	Fancy Bear	Strontium	Swallowtail	SIG40	Grizzly Steppe	TG-4127	SNAKEMACKEREL,Armada Collective, Dark Power, G0007, ATK5,Fighting Ursa, ITG05,Blue Athena	G0007	IRON TWILIGHT	Russian Doll	Bundestag	TV5 Monde "Cyber Caliphate"	EFF Attack	DNC Hack	OpOlympics	Burisma	CHOPSTICK, CORESHELL, Winexe, SOURFACE, OLDBAIT, Sofacy, XAgent, XTunnel, WinIDS, Foozer, DownRange, Sedreco Dropper, Komplex, DealersChoice, Downdelph, Sednit, USBStealer, Sedkit, HideDrv (Rootkit), LoJax, Sofacy, SeduUploader	United States government, Romania, Poland, Jordan, Ukraine, Turkey		Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016. Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy	https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf	https://app.box.com/s/g55oxdd3q63hyngbjm4fbipfct94wrye	https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/	http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf	https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	http://fancybear.net/	http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/	http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/	https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/	https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf	https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf	http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html	https://apnews.com/3bca5267d4544508bb523fa0db462cb2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP	https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/	https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/	https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/	https://securelist.com/a-slice-of-2017-sofacy-activity/83930/	https://securelist.com/masha-and-these-bears/84311/	https://cdn.area1security.com/reports/Area-1-Security-PhishingBarismaHoldings.pdf	https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/	https://cybergeeks.tech/skinnyboy-apt28/	https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html	https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine?sref=ExbtjcSG	https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/	https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/	https://www.deepinstinct.com/blog/cve-2023-23397-exploitations-in-the-wild-what-you-need-to-know	https://www.bleepingcomputer.com/news/security/hackers-breach-us-firm-over-wi-fi-from-russia-in-nearest-neighbor-attack/
4	APT29	Dukes	Group 100	Cozy Duke	EuroAPT	Cozy Bear	CozyCar	Cozer	Office Monkeys / TEMP.Monkeys	Minidionis	SeaDuke	Hammer Toss	Fritillary, Yttrium, StellarParticle, UNC3524, Cranefly	G0016	IRON HEMLOCK	Operation Ghost							Hammertoss, OnionDuke, CosmicDuke, MiniDuke, CozyDuke, SeaDuke, SeaDaddy implant developed in Python and compiled with py2exe, AdobeARM, ATI-Agent, MiniDionis, Grizzly Steppe, Vernaldrop, Tadpole, Spikerush, POSHSPY, PolyglotDuke, RegDuke, FatDuke	This threat actor targets government ministries and agencies in Europe, the US, Central Asia, East Africa, and the Middle East, associated with DNC attacks	phishing emails	Active campaign post 2016 US presidential election	https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf	https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf	http://www.volexity.com/blog/	https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf	https://www2.fireeye.com/rs/848-DID-242/images/RPT-M-Trends-2017.pdf	https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html	https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html	https://securelist.com/the-cozyduke-apt/69731/	https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/	https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a	https://www.istrosec.com/blog/apt-sk-cobalt/	https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/	https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/	https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft	https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/	https://www.mandiant.com/resources/blog/unc3524-eye-spy-email	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan	https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs	https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf	https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
5	Turla Group	Snake	Venomous Bear	Group 88	Waterbug	Turla Team	Krypton	Uroburos	SIG23	MAKERSMARK	ITG12	SUMMIT,Турла	UNC4210,Blue Python,ATK13,Pfinet,TAG_0530,Pacifier APT,Popeye	G0010	IRON HUNTER	Satellite Turla	Epic Turla	The 'Penquin' Turla	Witchcoven	RUAG hack	Mosquito	Moonlight Maze	systeminfo, net, tasklist, gpresult, wce, pwdump, Uroburos, Turla, Agent.BTZ, Tavdig, Wipbot, Agent.dne, AdobeARM, ATI-Agent, MiniDionis, WhiteBear, Gazer, Neuron, Nautilus	Targeting several governments and sensitive businesses such as the defense industry		Turla also uses OilRig's (APT34) implants	https://securelist.com/analysis/publications/65545/the-epic-turla-operation/	https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/	https://securelist.com/blog/research/67962/the-penquin-turla-2/	https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf	https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf	https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/	https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/	https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/	https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack	https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/	https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case	http://www.sueddeutsche.de/digital/it-sicherheit-einbrechen-ausbreiten-abgreifen-1.3887843	https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/	https://www.ncsc.gov.uk/alerts/turla-group-malware	https://motherboard.vice.com/en_us/article/vvk83b/moonlight-maze-turla-link	https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf	https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/	https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments	https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/	https://securelist.com/shedding-skin-turlas-fresh-faces/88069/	https://twitter.com/lehtior2/status/893085897226412036	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims	https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0	https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/	https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/	https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims
6	Energetic Bear	Dragonfly	Crouching Yeti	Group 24	Koala Team	Berserk Bear	Anger Bear	Dymalloy	Havex	PEACEPIPE	Fertger	TEMP.Isotope	Blue Kraken,ITG15,BROMINE,Ghost Blizzard,ATK6	G0035	IRON LIBERTY								Havex RAT, Oldrea, LightsOut ExploitKit, Inveigh, PsExec, Persistence through .LNK file manipulations, Nmap, Dirsearch, Sqlmap, Sublist3r, Wpscan, Impacket, SMBTrap, Commix, Subbrute, PHPMailer, Web Shells (PHP), MCMD	This threat actor targets companies in the education, energy, construction, information technology, and pharmaceutical sectors for the purposes of espionage. It uses malware tailored to target industrial control systems. Energy, Middle East oil and natural gas as the goal, dedicated to gather relevant information, technology company in Western Europe that produces civil, military and critical infrastructure communications equipment	Active	Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf	http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans	https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/	https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group	https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/	https://www.us-cert.gov/ncas/alerts/TA17-293A	https://threatmatrix.cylance.com/en_us/home/energetic-dragonfly-dymalloy-bear-2-0.html	https://securelist.com/energetic-bear-crouching-yeti/85345/	https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf	https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html	https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector	https://www.secureworks.com/research/mcmd-malware-analysis	https://www.secureworks.com/blog/own-the-router-own-the-traffic	https://us-cert.cisa.gov/ncas/alerts/aa20-296a	https://theintercept.com/2020/12/17/russia-hack-austin-texas/	https://vblocalhost.com/uploads/VB2021-Slowik.pdf	https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/
7	ALLANITE	Palmetto Fusion												G1000
8	APT44	Sandworm Team	TEMP.Noble	Electrum	TeleBots	Quedagh Group	BE2 APT	Black Energy	Iridium	Hades	Voodoo Bear	Quedagh	Iron Viking ,Grey Energy	G0034	IRON VIKING	Black Energy	Ukrenergo	NPetya, NotPetya	Ukraine Power Grid 2016-12-17				CVE-2014-4114, Industroyer, CrashOverride, OlympicDestroyer, GreyEngergy Mini as their 1st-stage implant, GCat, Delphocy, Zebrocy, Zekapab	This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Ukrainian energy sector, Eastern Europe.		Linked to Kiev Dec2016 ICS cyberattack	http://www.isightpartners.com/2014/10/cve-2014-4114/	http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/	https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf	https://www.us-cert.gov/ncas/alerts/TA17-163A	https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid	https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/	https://securelist.com/from-blackenergy-to-expetr/78937/	https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/	https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/	https://securelist.com/greyenergys-overlap-with-zebrocy/89506/	https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/	https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector	https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/	https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/	https://securelist.com/olympic-destroyer-is-still-alive/86169/	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf	https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm	https://cert.gov.ua/article/39518	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/	https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-military-intelligence-officers-conducting-malicious-activity-against-u-s-critical-infrastructure/	https://cert.gov.ua/article/6123309	https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology
9	FIN7	Carbanak	Anunak	Coried,Coreid	ELBRUS	Carbon Spider,CarbonSpider	GOLD NIAGARA	Sangria Tempest	Calcium	ITG14				G0046,G0008									PowerSource	Bank of Valetta, Malta		Overlaps with Carbanak (but not the same group)	https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns	https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor	https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/	https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html	https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf	https://www.rsa.com/content/dam/premium/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf	https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/	https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/	https://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html	https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html	https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/	https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html	https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/	https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader	https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc	https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/	https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf
10	FIN8																						PowerSniff, PUNCHBUGGY, PUNCHTRACK, ShellTea, BADHATCH, PoSlurp	Hotel-Entertainment Industry, POS malware attack			https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/	https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html	https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_YARA.pdf	https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html	http://blog.morphisec.com/security-alert-fin8-is-back	https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/	https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf	https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation
11	Inception Framework	Blue Odin												G0100		Red October	Cloud Atlas							This threat actor targets governments and diplomatic organizations for espionage purposes. Suspected Operator in Ukraine working for Russia or its allies.			https://securelist.com/blog/incidents/57647/the-red-october-campaign/	http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/	https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies	https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware	https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/	https://securelist.com/recent-cloud-atlas-activity/92016/	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/	https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/	https://therecord.media/cloud-atlas-targets-russian-orgs-war-phishing
12	TeamSpy Crew	SIG39														TeamSpy							Malicious TeamViewer versions, JAVA RATs	This threat actor primarily compromises government entities and human rights activists in Eastern Europe and Central Asia for espionage purposes. It has also compromised private and public sector entities in the Middle East and in Western countries.			http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/theteamspystory_final_t2.pdf	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
13	BuhTrap	Ratopak																					AmmyAdmin, LURK, NSIS, Mimikatz, CVE-2012-0158, PuntoSwitcher (like Keylogger)				https://www.welivesecurity.com/2015/04/09/operation-buhtrap/	http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/	http://www.group-ib.com/brochures/gib-buhtrap-report.pdf	https://www.netscout.com/blog/asert/diving-buhtrap-banking-trojan-activity	https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/
14	Carberb																							USA			http://itlaw.wikia.com/wiki/Moonlight_Maze
15	???															RUAG Espionage							Turla Family, Uroburos, Snake (Carbon) Rootkit, Tavdig/Wipbot/Epic, Mimikatz, dsquery, dsget	Swiss defence department			https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
16	FSB 16th & 18th Centers	Gamaredon Group	BlueAlpha	Shuckworm	ACTINIUM	Primitive Bear	Trident Ursa	Iron Tilden	Hive0051 (IBM)					G0047		OP Armageddon	Op Gamework						Pterodo, QuietSieve, DessertDown, DinoTrain			Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto	https://lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_FINAL.pdf	http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/	https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/	https://www.recordedfuture.com/bluealpha-iranian-apts/	https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/	https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes	https://mp.weixin.qq.com/s/OfDTcrTVAgjACeh0Z5wi7w	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine	https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/	https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/#indicators-of-compromise	https://cert.gov.ua/article/39386	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine	https://blogs.cisco.com/security/network-footprints-of-gamaredon-group	https://cert.gov.ua/article/1229152	https://cert.gov.ua/article/1229152	https://unit42.paloaltonetworks.com/trident-ursa/	https://www.secureworks.com/research/threat-profiles/iron-tilden	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
17	Cyber Berkut																							Bellingcat		During Ukrainian Revolution	https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter
18	WhiteBear	Skipper Turla																					Kopiluwak	embassies and diplomatic/foreign affair organizations, defense-related organizations		Associated with Turla	https://securelist.com/introducing-whitebear/81638/
19	???															BugDrop								This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.			https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/
20	GRU GTsST (Main Center for Special Technology)																						NotPetya				https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?utm_term=.23e3c7810049
21	TEMP.Veles	Xenotime	Triton																				Triton	Oil refinery, other infrastructure			https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html	https://dragos.com/resource/xenotime/	https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/	https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html	https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html	https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html	https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf	https://www.dragos.com/blog/industry-news/manufacturing-sector-cyber-threats/
22	Zebrocy	Zebrocy																						Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, Britain, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, UAE, Qatar, Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria, Bangladesh			https://securelist.com/a-zebrocy-go-downloader/89419/	https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/	https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/	https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/	https://securelist.com/zebrocys-multilanguage-malware-salad/90680/
23	TA505	CHIMBORAZO	SectorJ04	Dudear	Spandex Tempest	ATK103	Hive0065							G0092									Dridex, The Trick, Locky, Jaff, FlawedAmmyy, GraceWire malicious software signed with valid digital signatures			TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017	https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/	https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678	https://www.databreachtoday.com/two-russians-indicted-over-100m-dridex-malware-thefts-a-13473	https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/campaigns-details.operation-sectorj04-2019.html
24	FullofDeep																						QNAPCrypt ransomware			Operates from Union State & Ukraine	https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/
25	RedCurl																						Powershell scripts	Russia, ukraine, Canada, Germany, the united Kingdom, norway, mainly targeting sectors: construction companies, financial and consulting companies, retailers, banks, insurance companies, law firms, travel agencies		Corporate espionage and theft of documents	https://www.group-ib.com/media/red-curl/
26	TA551	Shathak,Shatak	ATK236	Monster Libra										G0127	Gold Cabin								IcedID, Valak, Sliver				https://unit42.paloaltonetworks.com/valak-evolution/	https://isc.sans.edu/diary/rss/26438	https://isc.sans.edu/forums/diary/More+TA551+Shathak+Word+docs+push+IcedID+Bokbot/26674	https://unit42.paloaltonetworks.com/ta551-shathak-icedid/	https://threatresearch.ext.hp.com/detecting-ta551-domains/	https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity
27	UNC2452	Dark Halo	NOBELIUM	Silver Fish	StellarParticle	Midnight Blizzard										FireEye Compromise	Solarwinds Supply Chain Attack						SUNBURST, TEARDROP, SUPERNOVA Webshell (likely by other unknown group), COSMICGALE PowerShell Tool, CobaltStrike	IT sector		High sophistication, overlap to APT29, SVR, YTTRIUM, Midnight Blizzard	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html	https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html	https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/	https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth	https://github.com/eanmeyer/SolarwindsVulnerablityInfo	https://us-cert.cisa.gov/ncas/alerts/aa20-352a	https://github.com/center-for-threat-informed-defense/public-resources/tree/master/solorigate	https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/	https://malpedia.caad.fkie.fraunhofer.de/actor/unc2452	https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf	https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/	https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/	https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/	https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/	https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/	https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nobeliums-most-novel-attacks-cyberattack-series/	https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/	https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
28	Ember Bear	UAC-0056	Lorec53	Lorec Bear	Bleeding Bear	Saint Bear,SaintBear	UNC2589	TA471	DEV-0586	Nascent Ursa	EmberBear	Frozen Vista,FROZENVISTA	Ruinous Ursa,Nodaria	G1003									WhisperGate wiper, Elephant Framework,Graphiron	Ukraine, limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan. Third-party reporting has also linked the group to attacks on Georgia.			https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/	https://cert.gov.ua/article/37704	https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/	https://socprime.com/blog/cobalt-strike-beacon-grimplant-and-graphsteel-malware-massively-spread-by-uac-0056-threat-actors-in-targeted-phishing-emails-cert-ua-alert/	https://www.crowdstrike.com/blog/who-is-ember-bear/	https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/	https://cert.gov.ua/article/703548	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer	https://www.mandiant.com/resources/blog/russia-invasion-ukraine-retaliation	https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader	https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/	https://www.malwarebytes.com/blog/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign	https://www.malwarebytes.com/blog/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room	https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
29	COLDRIVER	Callisto	TA446	SEABORGIUM	Calisto	TAG-53																				Overlap w/Gamaredon	https://www.f-secure.com/documents/996508/1030745/callisto-group	https://natoassociation.ca/phishing-on-the-dnieper-russian-offensive-cyber-operations-in-ukraine/	https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/	https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/	https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/	blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/	https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html	https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations	https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/Nisos-Research-Coldriver-Group.pdf	https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/
30	Vice Society	VICE SPIDER	DEV-0832	Vanilla Tempest	Vicesociety																		PrintNightmare, HelloKitty and Zeppelin ransomware	Education and research institutes			https://socradar.io/dark-web-profile-vice-society/	https://www.cybersecuritydive.com/news/microsoft-leaks-vice-society-playbook/634964/	https://www.wired.com/story/vice-society-ransomware-gang/	https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/	https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
31	Karakurt	Karakurt Lair	Karakurt Team																								https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
32	Killnet	Legion Spetsnaz RF	CYBER SPETSNAZ	Cyber Special Forces RF	Killmilk	Blackside	Phoenix, Rayd, Vera, FasoninnGung, Mirai, Jacky	Sakurajima,Kratos,Phoenix squad,AKUR,XakNet	Legion	DDOSGUNG,Impulse													killnet,aura,aura ddos,Mirai,Bobik	USA,Ukraine,Nato,Latvia,Norway,Romania,Italy Pro-Russian Hacktivism			https://cyware.com/news/cyber-spetsnazs-operation-panopticon-launches-espionage-attacks-3d49eade	https://decoded.avast.io/martinchlumecky/bobik/	https://www.google.com/url?q=https://www.bleepingcomputer.com/news/security/russian-hacktivists-take-down-norway-govt-sites-in-ddos-attacks/&sa=D&source=editors&ust=1689053536672341&usg=AOvVaw1CVKTzlK09YdPEyRlvYRhP	https://threatmon.io/killnet-in-depth-analysis-on-the-roles-of-threat-actors-and-attacks-in-the-ukraine-russia-war/	https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/	https://www.reliaquest.com/blog/killnet-the-hactivist-group-that-started-a-global-cyber-war/
33	Royal	DEV-0569	Conti	Quantum	Black Byte	Diavol	Black Basta,blackbasta	Ryuk (as FIN12)	Wizard Spider (DEV-0193)							BazarCall Campaign							BATLOADER, Royal Ransomware, Ursnif, Gozi, Vidar Stealer & Cobals Strike as well as legitimate synchro remote monitoring and management (RMM) tools.	Healthcare, manifacturing, professional, scientific, technical services, wholesale, education		Former Conti and other groups around Wizard Spider	https://blog.bushidotoken.net/2022/11/the-continuity-of-conti.html	https://socradar.io/dark-web-profile-royal-ransomware/	https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/	https://unit42.paloaltonetworks.com/bazarloader-malware/	https://www.trendmicro.com/de_de/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html	https://github.com/pan-unit42/tweets/blob/master/2023-02-07-IOCs-for-probable-Matanbuchus-activity.txt	https://twitter.com/Unit42_Intel/status/1623349272061136900
34	Revil	Water Mare	GrandCrab													Medibank November 2022							Sodinokibi, IcedID, Qakbot, PsExec, FileZilla	Transportation, Financial, Oil and Gas, Technology, Healthcare, in United States, Mexico, Germany, Japan, Israel		They are again active since November 2022 attacking Medibank in Australia	https://www.cyjax.com/2021/07/09/revilevolution/	https://www.nomios.com/resources/what-is-revil-ransomware/	https://img.nomios.com/images/Resources/2021/revil-ransomware-execution-flaw.png?auto=compress%2Cformat&fit=max&fm=jpg&q=70&w=2800&s=48724d52aa9478208925e681d6a332d6	https://analyst1.com/file-assets/History-of-REvil.pdf	https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/	https://de.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware	https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil	https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/	https://www.hhs.gov/sites/default/files/revil-update-tlpwhite.pdf
35	Bl00dy	Bloody Gang																					Babuk,Conti,LockBit 3.0				https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/	https://radetskiy.wordpress.com/2022/09/26/bl00dy-ransomware-en/
36	NoName057(16)	Nnm05716	NoName057	NoName05716	05716nnm	NoName																	mySingleMessenger			NorthKorea vs Samsung	http://securityfactory.tistory.com/332	https://www.tagesanzeiger.ch/wir-haben-ddos-raketen-gegen-die-website-des-schweizer-parlaments-geschickt-250307088918	https://www.admin.ch/gov/en/start/documentation/media-releases.msg-id-95641.html	https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
37	DoppelPaymer																						PowerShell Empire, Cobalt Strike, PsExec,Mimikatz,BitPaymer ransomware			Overlap EvilCorp	https://www.trendmicro.com/en_dk/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html	https://www.malwarebytes.com/blog/news/2023/03/doppelpaymer-ransomware-group-disrupted-by-fbi-and-european-police-agencies
38	Anonymous Sudan	storm-1359																									https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html	https://www.darkreading.com/endpoint/romcom-spies-nato-summit-zelensky-arrival
39	RomCom	Storm-0978	DEV-0978	Void Rabisu																				The RomCom APT group is a threat actor that has been active since at least 2022. It was initially associated with the Cuba ransomware and was primarily focused on targeting individuals and organizations tied to the Ukrainian government. However, its activities have since expanded to have global political ambitions. The group has been known to distribute the RomCom backdoor malware through impersonating websites of well-known or fictional software, tricking users into downloading and launching malicious installers. They have also been observed using payload encryption and obfuscation, as well as introducing new and powerful commands to enhance their capabilities. RomCom has been linked to various campaigns against Ukrainian and pro-Ukraine targets in Eastern Europe and other parts of the world. The exact goals and motivations of the RomCom operators remain unclear, but they are considered a versatile and sophisticated threat. It is recommended to defend against RomCom and other APTs with security solutions that have behavior-monitoring capabilities, can detect malicious files and messages, and block malicious URLs. Additionally, inspecting emails for malicious attachments and URLs can help organizations and individuals avoid compromise.		Overlap Cuba ransomware TA	https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries	https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass	https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine	https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit	https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection	https://cert.gov.ua/article/2394117	https://www.trendmicro.com/en_se/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html	https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/	https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html
40	DOPPEL SPIDER	Gold Heron	DoppelPaymer,doppel paymer	DoppelPaymer group	DoppelPaymer ransomware	DoppelPaymer gang																	PowerShell Empire, Cobalt Strike, PsExec,Mimikatz,BitPaymer ransomware,DoppelDridex,DoppelPaymer	healthcare, emergency services, education			https://www.trendmicro.com/en_dk/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html	https://www.malwarebytes.com/blog/news/2023/03/doppelpaymer-ransomware-group-disrupted-by-fbi-and-european-police-agencies
41	Salty Spider	KuKu	SalLoad	Kookoo	Sality	Kukacka	SaliCode																	Salty Spider is a sophisticated advanced persistent threat (APT) group that is believed to be based in Russia. The group has been active since at least 2018 and is known for targeting organizations in various industries, including technology, healthcare, and government.			https://www.crowdstrike.com/blog/who-is-salty-spider/
42	Brain Spider	RedTeam	5BIRD	exp3rt	brain	BOSS	reverse5net	bigrichy	Signature	bigboss	RAID
43	Skeleton Spider	FIN6	ITG08	Magecart Group 6	Gold Franklin	ATK88	Trinity	Camouflage Tempest, TAAL						G0037											Criminal		https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf	https://www.fireeye.com/blog/threat-research/2016/04/follow_the_money.html	https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf	https://webcache.googleusercontent.com/search?q=cache:wMkxJorBEKIJ:https://securityintelligence.com/x-force-iris-identifies-fin6-activity-on-pos-networks/+&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-b	https://exchange.xforce.ibmcloud.com/collection/FIN6-Financial-Crime-Actor-f55930eb9f4438efe9101a618d6a8703	https://www.proofpoint.com/us/search/site?search_text=TA530&language=en	https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html	https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/	https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/
44	Winter Vivern	TA473	UAC-0114																							Alligned with security interests of Belarus and Russia’s governments	https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/	https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/	https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/


1	North Korea
2	Common Name	CrowdStrike	Talos Group	Dell Secure Works	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	Other Name 8	Rep. of Korea FSI	MITRE AT&CK	Operation 1	Operation 2	Operation 3	Operation 4	Operation 5	Operation 6	Operation 7	Operation 8	Operation 9	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31	Link 32	Link 33	Link 34	Link 35	Link 36	Link 37	Link 38	Link 39	Link 40	Link 41	Link 42	Link 43	Link 44	Link 45

3	Lazarus Group	Labyrinth Chollima	Group 77	Hastati Group	Bureau 121,BeagleBoyzBureau121,BeagleBoyz	Unit 121,Unit121	Whois Hacking Team,WHOis Team	NewRomanic Cyber Army Team	ZINC,APT-C-26,UNC2970,UNC577,UNC4736	Appleworm,NICKEL GLADSTONE,COVELLITE,ATK3	Hidden Cobra,Diamond Sleet,Black Artemis,	Nickel Academy, LolZarus		G0032	Troy	Blockbuster	Dark Seoul	Applejeus	Inception	NorthStar	Dream Job	KuCoin Hack	ThreatNeedle	Tdrop, Tdrop2, Troy, Destover, FallChill RAT, Volgmer, Hawup, Manuscrypt, WolfRAT, SheepRAT, HtDnDownLoader, ThreatNeedle	Believed to be responsible for Dark Seoul, Ten Days of Rain, the Sony Pictures Entertainment attack, the SWIFT-related bank heists, and WannaCry. Known to the U.S. government as Hidden Cobra. Targeting also BitCoin Exchanges, financial sector, technology/engineering sector	Delivery: usually via spear phishing email. Infrastructure: C2 often based on compromised servers,moving to own servers paid by bitcoin to preserve anonymity Persistency: tipically launching ransomware after operation to destroy evidences	Threat Recon.nshc.net alias=SectorA01	http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf	http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/	https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf	https://www.alienvault.com/open-threat-exchange/blog/operation-blockbuster-unveils-the-actors-behind-the-sony-attacks	https://www.us-cert.gov/ncas/alerts/TA17-164A	http://www.fsec.or.kr/common/proc/fsec/bbs/21/fileDownLoad/1235.do	https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/	https://www.crowdstrike.com/blog/unprecedented-announcement-fbi-implicates-north-korea-destructive-attacks/	https://www.us-cert.gov/ncas/alerts/TA17-318A	https://www.us-cert.gov/ncas/alerts/TA17-318B	https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf	https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/	https://www.darkreading.com/vulnerabilities---threats/lazarus-group-fancy-bear-most-active-threat-groups-in-2017/d/d-id/1330954?print=yes	https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity	https://securelist.com/operation-applejeus/87553/	https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/	https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing	https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/	https://objective-see.com/blog/blog_0x49.html	https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/	https://blog.alyac.co.kr/2827	https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/	https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/	https://www.clearskysec.com/operation-dream-job/	https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html	https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74	https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/	https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/	https://www.hvs-consulting.de/lazarus-report/	https://blog.chainalysis.com/reports/lazarus-group-kucoin-exchange-hack	https://securelist.com/lazarus-threatneedle/100803/	https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf	https://blog.alyac.co.kr/3814	https://www.cisa.gov/uscert/ncas/alerts/aa22-108a	https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/	https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/	https://securelist.com/dtrack-targeting-europe-latin-america/107798/	https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/	https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/	https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf	https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/	https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/	https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
4	APT37	Ricochet Chollima	Group 123	ScarCruft	APT37	Red Eyes	Reaper	Venus 121 (금성121)	THALLIUM					G0067	Reaper	Erebus	Golden Time	Evil New Year	Are you Happy?	FreeMilk	North Korean Human Rights	Evil New Year 2018	Operation Earth Kitsune	KARAE, SOUNDWAVE, ZUMKONG, RICECURRY, CORALDECK, POORAIM, SLOWDRIFT, MILKDROP, GELCAPSULE, DOGCALL, HAPPYWORK, RUHAPPY, SHUTTERSPEED, Flash Exploit CVE-2016-4117, ROKRAT, KEVDROID, BabyShark, KimJongRAT, GOLDBACKDOOR	Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare; Scarcruft Tracking: Russia, Nepal, South Korea, China, India, Kuwait and Romania		FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123	https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html	http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html	https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/	https://exchange.xforce.ibmcloud.com/collection/Fear-The-Reaper-North-Korean-Group-APT37-dc96e8bdff7573efb87d43d7584c1fbc	https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/	https://unit42.paloaltonetworks.com/unit42-reaper-groups-updated-mobile-arsenal/	https://blog.alyac.co.kr/1985	https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/	https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/	https://www.zdnet.com/article/microsoft-takes-down-50-domains-operated-by-north-korean-hackers/?mid=1#cid=8960026	https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/	https://blog.alyac.co.kr/3489	https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/?utm_source=rss&utm_medium=rss&utm_campaign=north-korean-apt-inkysquid-infects-victims-using-browser-exploits	https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/	https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/	https://0xthreatintel.medium.com/static-analysis-of-bluelight-malware-7bb0a399a54e	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf	https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/	https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/	https://blog.alyac.co.kr/5009	https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf	https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html	https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html	https://interlab.or.kr/archives/2567	https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/wirtschafts-wissenschaftsschutz/2023-03-20-sicherheitshinweis-cyberaktivitaeten.pdf?__blob=publicationFile&v=2	https://asec.ahnlab.com/en/51751/	https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/	https://asec.ahnlab.com/en/54349/
5	Andariel	Silent Chollima			DEV-0530,DEV0530, APT45, Jumpy Pisces	DarkSeoul,Dark Seoul	PLUTONIUM	Guardian of Peace	GOP	Onyx Sleet	Storm-0530	H0lyGh0st	Andariel	G0138	Dark Hotel	DesertWolf	Vanxatm	Mayday	INITROY	XEDA	Sony			RifDoor,Phandoor,H0lyGh0st	Information gathering and profit		Lazarus subgroup	https://www.scmagazineuk.com/war-plans-including-assassination-plan-stolen-by-north-korean-hackers/article/699089/	https://gsec.hitb.org/materials/sg2017/D1%20-%20Ashley%20Shen%20and%20Moonbeom%20Park%20-%20A%20Deep%20Dive%20into%20the%20Digital%20Weapons%20of%20the%20North%20Korean%20Cyber%20Army.pdf	http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do	http://online.wsj.com/public/resources/documents/print/WSJ_-A006-20170728.pdf	https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/	https://asec.ahnlab.com/en/48198/
6	Kimsuky	Velvet Chollima			Kimsuki	Thallium,TA408,TA427, TAG-115	CloudDragon,Cloud Dragon	TA406,TA-406	SharpTongue	Crooked Pisces,Osmium	Cerium,Emerald Sleet	Black Banshee,APT43,Archipelago,Ruby Sleet		G0094	Campaign Rifle									KPortScan, PsExec, Procdump, Mimikatz, Eternal suite of exploits, NirSoft MailPassView/Network Password Recovery/Remote Desktop PassView/SniffPass/WebBrowserPassView, Mechanical, Grease, KGH_SPY	This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.			http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/	http://www.reuters.com/article/us-nuclear-southkorea-northkorea-idUSKBN0MD0GR20150317	https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/	https://apt.securelist.com/#!/threat/972	https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z	https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr	https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf	https://blog.alyac.co.kr/2243	https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf	https://blog.prevailion.com/2019/09/autumn-aperture-report.html	https://www.dailynk.com/english/north-korean-hackers-mount-phishing-attack-nkhr-groups/	https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/	https://asec.ahnlab.com/1313?category=342979	https://blog.alyac.co.kr/2906	https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite	https://blog.alyac.co.kr/3368	http://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf	https://blog.alyac.co.kr/3799	https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/	https://cybleinc.com/2021/06/03/kimsuky-apt-group-distributes-fake-security-app-disguised-as-kisa-security-program/	https://teamt5.org/en/posts/clouddragon-campaign-vpn-zero-day-vulnerability-new-backdoor/	https://blog.alyac.co.kr/4130	https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf	https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/	https://ti.qianxin.com/blog/articles/spikes-from-the-kimsuky-organization-targeted-killing-of-south-korea-with-multiple-assault-weapons/	https://asec.ahnlab.com/en/54678/
7	OnionDog																								This threat actor targets the South Korean government, transportation, and energy sectors.		False Positive. APT Training by SK Government	http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml	http://zhuiri.360.cn/upload/APT-C-03-en.pdf	http://www.chinadaily.com.cn/china/2016-03/09/content_23794129.htm	http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml
8	TEMP.Hermit				APT38									G0082										VOLGMER, PEACHPIT	Korean Peninsula, US Aerospace, SWIFT-fraud operations in East Asia	Media, government, but mainly financial institutions in order to raise money for the North Korean regime: Russia, Turkey, US, Poland, Mexico, Brazil, Ururguay, Taiwan, Malaysia, Chile, Vietnam, Philippines		https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/	http://www.scmagazine.com/sony-hackers-are-still-hacking-researchers-say/article/474166/	https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html
9	?																							MaoCheng Dropper	Humanitarian Aid Groups			https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
10	Stardust Chollima	Stardust Chollima			APT38	ElectricFish	BlueNoroff	TA444 (Proofpoint)	COPERNICIUM (Microsoft)	TAG-71				G0082		Far Eastern International Bank								Dimens, MBR Killer, ElectricFish	Latin America, Mexico, Costa Rica, Chile, Argentina, financial institutions in Asia and Africa in 2018			https://app.cdn.lookbookhq.com/lbhq-production/10339/content/original/9dd0e31a-c9c0-4e1c-aea1-f35d3e930f3d/CrowdStrike_GTR_2019_.pdf	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/	https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/	https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html	https://techcrunch.com/2019/08/15/cyber-command-north-korea-malware/	https://www.thedailybeast.com/north-korean-hackers-caught-snooping-on-chinas-cyber-squad	https://www.cisa.gov/uscert/ncas/alerts/aa22-108a	https://securelist.com/bluenoroff-methods-bypass-motw/108383/	https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
11	APT43	Archipelago													Honeybee													https://www.mandiant.com/resources/reports/apt43-north-korea-cybercrime-espionage	https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/	https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html
12	WASSONITE														FASTCash									DTrack	WASSONITE targeting focuses on Asian entities, largely in India, as well as possibly Japan and South Korea. At this time, WASSONITE does not appear to have an ICS-specific disruptive or destructive capability. All the activity represents Stage 1 ICS kill-chain: access operations within IT networks. WASSONITE operations rely on deploying DTrack malware for remote access to victim machines, capturing credentials via Mimikatz and publicly available tools, and utilizing system tools to transfer files and move laterally within the enterprise system. Researchers first disclosed DTrack in late September 2019, and identified the tool targeting Indian financial institutions and research centers. DTrack is loosely connected to an earlier observed malware family, ATMDTrack, used for robbing ATM machines. Third-party security firms associate DTrack and its related malware to the Lazarus Group. Dragos also associates the activity group COVELLITE to Lazarus Group. However, while COVELLITE is also linked to broader Lazarus activity, this group leveraged substantially different capabilities and infrastructure to pursue a target set that does not overlap with observed WASSONITE activity.		Overlaps Lazarus Group	https://www.dragos.com/threat/wassonite/


1	Iran
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	FireEye Name	Crowdstrike	Cisco Name	MITRE ATT&CK	Operation 1	Operation 2	Operation 3	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31

3	Cutting Kitten	TG-2889	Ghambar		CuttingKitten	alibaba	Cleaver	Tarh andishan	ITSecTeam	Cutting Kitten		G0003	Cleaver			TinyZBot, PupyRAT	This threat actor targets governments and private sector entities for espionage and sabotage purposes. It is believed to be responsible for compromising U.S. Navy computers at the Navy Marine Corps Intranet in San Diego, the U.S. energy company Calpine Corporation, Saudi Aramco, Pemex, Qatar Airways, and Korean Air		COBALT GYPSY overlap with OilRig	http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/	https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf	https://www.secureworks.com/research/the-curious-case-of-mia-ash
4	Shamoon									Volatile Kitten		S0140				Shamoon / Disttrack	This threat actor targets energy sector, oil and gas industry as well as transportation and telecommunication services.	wiper		https://en.wikipedia.org/wiki/Shamoon	http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html
5	Clever Kitten									Clever Kitten	Group 41					Acunetix Web Vulnerability Scanner, PHP Webshell RC SHELL				http://www.crowdstrike.com/blog/whois-clever-kitten/
6	Madi																This threat actor compromises engineering firms, government entities, and financial and academic institutions in the United States, Israel, Iran, and Pakistan	Social engineering		https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/	https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/
7	Cyber fighters of Izz Ad-Din Al Qassam		Fraternal Jackal										Ababil / ApAbabil				The websites of Bank of America, JPMorgan Chase, Wells Fargo, and other U.S. financial institutions suffered simultaneous outages due to a coordinated denial of service cyberattack in September 2012. Attackers flooded bank servers with junk traffic, preventing users from online banking. An Iranian group called Izz ad-Din al-Qassam Cyber Fighters initially claimed responsibility for the incident. At the time, the media reported that U.S. intelligence believed the denial of service was in response to U.S. imposed economic sanctions to counter Iran's nuclear program. Seven Iranian individuals linked to the Islamic Revolutionary Guard Corps were eventually indicted by the U.S. Department of Justice in 2016 for their involvement in the incident. Israel, French and U.Kingdom	DoS		http://pastebin.com/u/QassamCyberFighters	http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html	http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html	https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
8	Chafer	Cadelle	ITG07	Rana					APT39	Remix Kitten		G0087				Remexi, PsExec, Mimikatz, Web Shells (aspx spy, b374k), nbtscan, plink, RemCom, VNC Bypass scanner, CoreSecurity tools, Impacket / Python exploits, NSSM, Remcom, HTTPTunnel, Cadelspy, PLink, SSH Tunnels to Windows Servers	Airlines, Airports, Transportation, Logistics - worldwide		Uses the same C2 infrastructure as OilRig	http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets	https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions	http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets	https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html	https://securelist.com/chafer-used-remexi-malware/89538/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/	https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/	https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/	https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf	https://threatconnect.com/blog/research-roundup-apt39-adversaries/	https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies
9	Prince of Persia	APT-C-50														Infy	This threat actor targets governments and businesses of multiple countries, including the United States, Israel, and Denmark.			https://iranthreats.github.io/	http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/	https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/	https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/	https://blogs.360.cn/post/APT-C-50.html	https://blogs.360.cn/post/APT-C-50.html	https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf	https://research.checkpoint.com/2021/after-lightning-comes-thunder/
10	Sima																focus on dissidents, woman rights activists, human rights organizations			https://iranthreats.github.io/
11	Oilrig	COBALT GYPSY	Twisted Kitten	Crambus	ITG13	Chrysene	Evasive Serpens	IRN2,ATK40,Hazel Sandstorm,Helminth,EUROPIUM,Clayslide	APT34,APT 34	Helix Kitten,HelixKitten		G0049				Helminth, ISMDoor, Clayslide, QUADAGENT, OopsIE, ALMA Communicator, customized Mimikatz, Invoke-Obfuscation,POWBAT, POWRUNER (PS Backdoor), BONDUPDATER, malicious RTF files CVE-2017-0199 and CVE-2017-11882, ELVENDOOR, PLink, PsExec, SSH Tunnels to Windows Servers, Webshells (TwoFace, DarkSeaGreenShell, LittleFace), PowDesk,Menorah,SideTwist			Uses the same C2 infrastructure as Chafer - which caused a major mixup of OilRig campaigns falsely attributed to Chafer. Also note that Turla used OilRigs implants	https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html	http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/	http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/	http://www.clearskysec.com/oilrig/	https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf	http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/	http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20	https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a	https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/	https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/	https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/	https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html	https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/	https://www.dragos.com/blog/20180517Chrysene.html	https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf	https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims	https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/	https://www.clearskysec.com/powdesk-apt34/	https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/	https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html	https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html	https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/	https://blog-cert.opmd.fr/dnspionage-retour-factuel-sur-les-attaques-annoncees-dans-differents-medias/	https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html	https://www.trendmicro.com/en_no/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html	https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/
12	CopyKittens	Slayer Kitten	DarkHydrus	LazyMeerkat								G0052	Wilted Tulip			TDTESS backdoor, Vminst, NetSrv, Cobalt Strike, ZPP, Matryoshka v1 and Matryoshka v2	Israel’s Ministry of Foreign Affairs and some well-known Israeli academic researchers specializing in Middle East Studies. Israel, Saudi Arabia, United States, Jordan, Germany		DarkHydrus C2 Infra Overlap	https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf	https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/	http://www.clearskysec.com/copykitten-jpost/	http://www.clearskysec.com/tulip/	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
13	Charming Kitten	Parastoo	iKittens	NEWSCASTER	NewsBeef	Phosphorus / Mint Sandstorm	TA453	COBALT MIRAGE, Ballistic Bobcat	APT35	Charming Kitten	Group 83	G0059	Sponsoring Access			ALFA TEaM Shell, DROPSHOT, TURNEDUP, SHAPESHIFT, malicious HTA files, MacDownloader	This threat actor uses watering hole attacks and fake profiles to lure targets from the U.S. government for espionage purposes.	Fake Social Media Account	IBM=ITG18, Overlap w/Yellow Garuda, UNC788	https://iranthreats.github.io/resources/macdownloader-macos-malware/	https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/	https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks	https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf	https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/	https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf	https://cryptome.org/2012/11/parastoo-hacks-iaea.htm	https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/	http://www.clearskysec.com/charmingkitten/	https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf	https://noticeofpleadings.com/phosphorus/files/Sealing.pdf?fbclid=IwAR1HMnynb0AaGyCI-8ejHjH-pNORfuHYOzQdsTrSpin2eRww6rRh-6VK2SI	https://securelist.com/twas-the-night-before/91599/	https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf	https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/	https://www.clearskysec.com/the-kittens-are-back-in-town-2/	https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/	https://www.clearskysec.com/the-kittens-are-back-in-town-3/	https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage	https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us	https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html	https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/	https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo	https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/	https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians	https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver	https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/	https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/	https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/	https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/	https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-iran-aligned-ballistic-bobcat-targets-businesses-in-israel-with-a-new-backdoor/	https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/	https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/
14	Greenbug															ISMdoor	Saudi Arabia		Sub group of APT34 according to Mandiant	https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon	https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/	https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/	https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/	http://www.clearskysec.com/ismagent/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
15	Magic Hound	Timberworm	MAGNALLIUM	Elfin	Refined Kitten	Holmium			APT33			G0059	Stonedrill/ Shamoon2.0			Shamoon, POWERTON, Ruler, PUPYRAT, POSHC2 (.NET backdoor), TURNEDUP, AutoIt backdoor, Gpppassword, LaZagne, Quasar RAT, Remcos, SniffPass, DarkComet, AutoIt FTP tool, .NET FTP tool, PowerShell downloader (registry.ps1), POSHC2 backdoor, different keyloggers	A threat actor used malware known as Shamoon 2.0 to exfiltrate and delete data from computers in the Saudi transportation sector. Commercial entities, Middle East, US, South Korea, DND focussed entities, Airlines, Airline suppliers.		possibly associated with Rocket Kitten and Cobalt Gypsy, Sandcat, use Recruitment themes	http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/	https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/	https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets	https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html	https://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/	https://webcache.googleusercontent.com/search?q=cache:Dicnr9-eKKYJ:https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf+&cd=6&hl=en&ct=clnk&gl=ie	https://gallery.logrhythm.com/threat-intelligence-reports/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf	https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/	https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html	https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage	https://www.securityweek.com/iranian-hackers-caused-losses-hundreds-millions-report	https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf	https://www.wired.com/story/iran-apt33-industrial-control-systems/	https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/	https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html	https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/	https://x.com/MsftSecIntel/status/1737895710169628824?s=20
16	Rocket Kitten	Flying Kitten	TEMP.Beanie	Saffron Rose	Ajax Security Team					Rocket Kitten	Group 26	G0059	Woolen Goldfish	Thamar Reservoir		GHOLE / Core Impact, CWoolger, FireMalv, .NETWoolger, MPK, Open source tools, Puppy RAT, MagicHound.Leash (IRC Bot), PowGoop (Downloader.Covic)	Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences. It seeks out material related to diplomacy, defense, security, journalism, and human rights for espionage purposes.			https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing	https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf	http://www.clearskysec.com/thamar-reservoir/	https://citizenlab.org/2015/08/iran_two_factor_phishing/	https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf	http://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/july/a-new-flying-kitten/	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf
17	?												Mermaid				This threat actor is based in the Middle East (possibly Iran) and targets English- and Persian-language organizations. It is alleged to be the same group behind a compromise of the Danish Ministry of Foreign Affairs.			https://ti.360.com/upload/report/file/mryxdgkb20160707en.pdf
18	ITSecTeam											G0059					One of the threat actors responsible for the denial of service attacks against U.S in 2012/2013. Three individuals associated with the group believed to be have been working on behalf of Iran's Islamic Revolutionary Guard Corps were indicted by the Justice Department in 2016.			http://pastebin.com/mCHia4W5	http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html	https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
19	MuddyWater	TEMP.Zagros	Seedworm	Cobalt Ulster	SectorD02	MERCURY	Muddy Water,DarkBit	Mango Sandstorm,Boggy Serpens,ATK51		Static Kitten,Yellow nix,POWERSTATS,NTSTATS		G0069	BlackWater	Operation Quicksand		POWERSTATS, PoweMuddy, LaZagne, Crackmapexec, ScreenConnect, MoriAgent, Pudpoul, Thanos Ransomware, PowGoop, Covicli,DarkBit,MuddyRot	Israel,Academic Sector,individuals in Asia and the Middle East, government and defense entities in Central and Southwest Asia		Struggle with Kaspersky, relates to UNC3313	https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/	https://sec0wn.blogspot.co.il/2018/03/a-quick-dip-into-muddywaters-recent.html	https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/	https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html	https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group	https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf	https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/	https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html	https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/	https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf	https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf	https://securelist.com/muddywaters-arsenal/90659/	https://www.prevailion.com/summer-mirage-2/	https://www.secureworks.com/blog/business-as-usual-for-iranian-operations-despite-increased-tensions	https://www.bleepingcomputer.com/news/security/microsoft-iranian-hackers-actively-exploiting-windows-zerologon-flaw/	https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf	https://www.telsy.com/operation-space-race-reaching-the-stars-through-professional-social-networks/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east	https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies	https://www.clearskysec.com/operation-quicksand/	https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/	https://www.picussecurity.com/resource/blog/ttp-ioc-used-by-muddywater-apt-group-attacks	https://www.cisa.gov/uscert/ncas/alerts/aa22-055a	https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/	https://www.group-ib.com/blog/muddywater-infrastructure/	https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/	https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps	https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign	https://therecord.media/iran-muddywater-hackers-target-israel-new-malware
20	Silent Librarian	Mabna Institute	TA407	Cobalt Dickens	Yellow Nabu	SCHOLAR KITTEN						G0122					144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations			https://www.fbi.gov/wanted/cyber/iranian-mabna-hackers	https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment	https://twitter.com/ClearskySec/status/977899578346430464	https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities	https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff	https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again	https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/	https://www.secureworks.com/research/threat-profiles/cobalt-dickens	https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/	https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/
21	DarkHydrus											G0079				RogueRobin				https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/	https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
22	Domestic Kitten									Domestic Kitten										https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/	https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
23	Flash Kitten	Raspite	Leafminer							Flash Kitten		G0077				Sorgu, guester / Trojan.Imecab	MENA Region		long-running SWC campaigns from December 2016 until public disclosure in July 2018	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east	https://www.dragos.com/blog/20180802Raspite.html
24	Gold lowell	Boss Spider														SamSam			Criminal	https://www.secureworks.com/research/samsam-ransomware-campaigns	https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/	https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public	https://garwarner.blogspot.com/2018/11/two-iranian-hackers-charged-with-6.html
25	Iridium												Australian Parliament Hack	Citrix Hack		China Chopper / Ckife Webshells, LazyCat, reGeorge			NOTHING CONFIRMED YET, Resecurity page, original source, is 404	https://resecurity.com/blog/parliament_races/	https://www.scmagazine.com/home/security-news/apts-cyberespionage/iridium-cyberespionage-gang-behind-aussie-parliament-attacks/	https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/	https://www.forbes.com/sites/kateoflahertyuk/2019/03/15/who-is-resecurity-the-firm-that-named-the-iranian-group-allegedly-behind-the-citrix-hack/	https://www.wsj.com/articles/iran-blamed-for-cyberattack-on-australias-parliament-11550736796
26	DNSpionage	Oilrig	COBALT EDGEWATER
27	Tortoiseshell	FunRun RAT, Liderc	CURIUM,Tortoise Shell	DEV-0228 UNC1549	Crimson Sandstorm Smoke Sandstorm	Cuboid Sandstorm	Yellow Liderc	TA456	APT35	ImperialKitten, Imperial Kitten		G1012				Backdoor.Syskit, Poison Frog, Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, get-logon-history.ps1, FunRun RAT, Liderc,MINIBUS, MINIBIKE	IT providers in Saudi Arabia, Aerospace & Defense (Israel, UAE)		Inconclusive link to OilRig/APT34	https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain	https://www.cyberscoop.com/saudi-arabia-hackers-it-providers-symantec/	https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html	https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/	https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east
28	?												Bapco Attack			Zerocleare, DUSTMAN	Oil companies in the middle east			https://www.ibm.com/downloads/cas/OAJ4VZNJ?_ga=2.162718588.1703640646.1575470035-355468858.1568634484&cm_mc_uid=62832336079115590460108&cm_mc_sid_50200000=12616311575470030712	https://www.wired.com/story/iran-soleimani-cyberattack-hackers/
29	Fox Kitten	Parisite	Pioneer Kitten	Pay2key	UNC757								Pay2Key			SSHNET, Juicy Potato, Port, STSRCHECK, LPManager, Invoke-SMBClient, Invoke-SMBEnum, Invoke-SMBExec, Invoke-TheHash, Invoke-WMIExec, SOCKET-Based Backdoor, Ngrok, Pay2Key ransomware, FRPC, Ngrok	IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world.		Overlaps with APT33, APT34 and Chafer	https://www.clearskysec.com/fox-kitten/ https://www.clearskysec.com/pay2kitten/	https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/	https://www.crowdstrike.com/blog/who-is-pioneer-kitten/	https://us-cert.cisa.gov/ncas/alerts/aa20-259a
30	Tracer KItten																			https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf
31	Agrius	BlackShadow	Deadwood	SharpBoys	AMERICIUM	Pink Sandstorm	DEV-0227	Agoniznig Serpens								Deadwood, Detbosit, IPSecHelper, Apstole	Finance, Hosting, Telecomminication, Israeli people, Academic Sector	Influence Operations, Ransomware		https://assets.sentinelone.com/sentinellabs/evol-agrius	https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/	https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/	https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/	https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/
32	MalKamak												Operation GhostShell			ShellClient				https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
33	Nemesis Kitten	Charming Kitten	DireFate							Nemesis Kitten						FRP, Plink, Bitlocker, Shredder (wiper)	Oil and Gas, Manufacturing, Media, Telecommunications, Government			https://www.cisa.gov/uscert/ncas/alerts/aa21-321a	https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/
34	UNC3313															GRAMDOOR, STARWHALE			Relates to MuddyWater	https://www.mandiant.com/resources/telegram-malware-iranian-espionage
35	DEV-0343																US & Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies			https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/
36	APT42																Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, and the Iranian diaspora abroad	Credential harvesting and Android malware	Subordinate to IRGC-IO, links/overlap to TA453, Yellow Garuda, ITG18, Phosphorus, Charming Kitten	https://www.mandiant.com/sites/default/files/2022-09/apt42-report-mandiant.pdf
37	HomeLand Justice																			https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
38	Magic KITTEN	Black Magic,Emennet Pasargad	Holy Souls,ViceLeaker	NEPTUNIUM,Cotton Sandstorm	Vice Leaker,kalin3t	Eeleyanet Gostar,EeleyanetGostar,Net Peygard Samavat	Hackers of Savior,Deus	Group 42, VOYEUR		HAYWIRE KITTEN							In January 2015, the German news outlet Der Spiegel released previously unpublished documents on cyber espionage conducted by American intelligence agencies.50 One of them revealed an NSA tactic labeled “fourth party collection,” which is the practice of breaking into the command and control infrastructure of foreign-state-sponsored hackers to look over their shoulders. The presentation describes a real-life example of acquiring intelligence and stealing victims from a group code-named VOYEUR by the NSA, otherwise known as Magic Kitten. Magic Kitten appears to be among the oldest and most elaborate threat actors originating in Iran. It is also distinct from other groups because of its apparent relationship with the Iranian Ministry of Intelligence rather than the IRGC. However, Magic Kitten’s activities mirror those of other groups, with the primary targets being Iranians inside Iran and Tehran’s regional rivals. The earliest observed samples of Magic Kitten’s custom malware agent dates to 2007, well before other known malware apparently originated, and the threat actor continues to be active.			https://www.cisa.gov/uscert/ncas/current-activity/2022/01/27/fbi-releases-pin-iranian-cyber-group-emennet-pasargad	https://securelist.com/fanning-the-flames-viceleaker-operation/90877/	https://irancybernews.org/magic-kitten-the-oldest-kitten/	https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/	https://blogs.microsoft.com/on-the-issues/2024/10/23/as-the-u-s-election-nears-russia-iran-and-china-step-up-influence-efforts/
39	Predatory Sparrow	Gonjeshke Darande	گنجشک درنده	GonjeshkDarand	Gonjeshk Darand	Indra														https://malpedia.caad.fkie.fraunhofer.de/actor/predatory_sparrow
40	Bohrium	DEV-0056	Smoke Sandstorm																	https://securityaffairs.com/132002/apt/microsoft-seized-bohrium-apt-domains.html
41	Vengeful Kitten	Moses Staff	Mosesstaff	Abraham's Ax	abrahams-ax	تبر ابراهیم	DEV-0500	Marigold Sandstorm				G1009								https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations


1	Israel
2	Common Name	Other Name 1	Other Name 2	Other Name 3	NSA	Operation 1	Operation 2	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5

3	Unit 8200					Olympic Games / Stuxnet		Stuxnet	Directed at Iranian nuclear facilities	Stuxnet is typically introduced to the target environment via an infected USB flash drive.		http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf	https://archive.org/details/Stuxnet
4	Unit 8200	Duqu Group			SIG35	Duqu 2.0		Duqu	A threat actor, using a tool dubbed Duqu 2.0, targeted individuals and companies linked to the P5+1 (the five permanent member states of the UN Security Council, plus Germany), which was conducting negotiations on Iran's nuclear program.			https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/	https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf	http://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
5	SunFlower	MoonFlower	Cheshire Cat	Flowershop	SIG17 / SIG18						Might be related to Duqu, Stuxnet and might attributed to Israel.	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/	https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/	https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
6	Team Jorge											https://forbiddenstories.org/story-killers/team-jorge-disinformation/
7	WeRedEvils	RedEvils										https://malpedia.caad.fkie.fraunhofer.de/actor/weredevils	https://www.jpost.com/israel-news/article-770599


1	NATO
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Symantec	Kaspersky	Operation 1	Operation 2	Operation 3	Operation 4	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13
3	GOSSIPGIRL								Olympic Games / Stuxnet				Flame, Stuxnet, Miniflame, Duqu, Gauss			Collaborative umbrella of varioius threat actors	https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
4	Equation Group	Tilded Team	EQGRP	Housefly	Remsec				Socialist	Olympic Games / Stuxnet	Project Sauron / Strider	Triangulation	Regin, EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny, Grayfish, RemSec, Gauss, Apple iOS 0days			NSA, GCHQ, CSIS, ASIS, GCSB, FiveEyes, FVEY	http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/	https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/	http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets	https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/	https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/	https://web.archive.org/web/20160304022846/http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts	https://twitter.com/RedDrip7/status/1178511323954434048	https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/	https://securelist.com/operation-triangulation/109842/
5	Lamberts	APT-C-39	Rattlesnake				Longhorn	Lamberts						PRC		CIA	http://blogs.360.cn/post/APT-C-39_CIA_EN.html	https://securityaffairs.co/wordpress/57916/apt/longhorn-group-cia.html	https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments	http://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/
6	Snowglobe							Animal Farm					Babar, Bunny, Dino, Casper, Tafacalou, NBot, Chocopop			Probably French origins	https://securelist.com/blog/research/69114/animals-in-the-apt-farm/	https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france	http://www.cyphort.com/evilbunny-malware-instrumented-lua/	http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/	https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html
7	Slingshot								Mikrotik Router Compromise				Slingshot, Cahnadr, GollumApp, SsCB, ffproxy, NeedleWatch, Sfc2, Minisling, Spork downloader	Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates		US Joint Special Operations Command	https://securelist.com/apt-slingshot/84312/	https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/
8	?								Project Tajmahal				full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama	single victim – a diplomatic entity from a country in Central Asia			https://securelist.com/project-tajmahal/90240/
9	Sea Turtle								Sea Turtle				DNS hijacking, CVE-2009-1151, CVE-2014-6271, CVE-2017-3881, CVE-2017-6736, CVE-2017-12617, CVE-2018-0296, CVE-2018-7600, Drupalgeddon	industries: Ministries of foreign affairs, Military organizations, Intelligence agencies, Prominent energy organizations in US, Libya, Egypt, Lebanon, UAE, Albania, Cyprus, Turkey, Iraq, Jordan, Syria, Armenia, Sweden		Turkish threat group	https://blog.talosintelligence.com/2019/04/seaturtle.html	https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html	https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X


1	Download Links
2	Download as XLSX	https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pub?output=xlsx
3	Download as ODS	https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pub?output=ods


1	Naming Taxonomies
2	Country / Selector	FireEye / Mandiant / Trellix	CrowdStrike	Kaspersky	DELL SecureWorks	DELL SecureWorks (old)	Palo Alto Unit 42 (2022-*)	Check Point	Trend Micro Labs	Cisco Talos	Verisign iDefense	Microsoft Windows Defender Research	Microsoft (2023-*)	Symantec	360	Dragos	Thalos Group	ProofPoint	Sophos	RecordedFuture	IBM X-Force	Elastic
3	Name Space		Animals		Metals	Threat Group (TG)	Star Constellations + modifier word		Elements		Fish Names	Elements, Trees, Volcano, DEV	Environmental Hazards	Bug Names		Minerals				Color + NATO Phonetic Alphabet word

4	Generic	APT[X]				TG-[X]				Group [X]					APT-C-[X]		ATK-[#]	TA[#]
5	China		[X] Panda	[X] Dragon*	BRONZE [X]		[X] Taurus						Typhoon
6	Russia		[X] Bear	[X] Duke*	IRON [X]		[X] Ursa						Blizzard
7	North Korea		[X] Chollima		NICKEL [X]		[X] Pisces						Sleet
8	South Korea		[X] Crane		TUNGSTEN [X]								Hail
9	Iran		[X] Kitten		COBALT [X]		[X] Serpens						Sandstorm
10	India		[X] Tiger		ZINC [X]		[X] Gemini
11	Vietnam		[X] Buffalo		TIN [X]								Cyclone
12	Lebanon							[X] Cedar					Rain
13	Syria		[X] Hawk
14	Arab Countries			[X] Falcon					[X] Viper **
15	Pakistan		[X] Leopard		COPPER [X]		[X] Draco
16	Georgia		[X] Lynx
17	Turkey		[X] Wolf										Dust
18	Colombia		[X] Ocelot
19	Egypt		[X] Sphinx
20	Kasakhstan		[X] Saiga
21	Criminal / Financial	FIN[X]	[X] Spider		GOLD [X]		[X] Libra		Water [X]			Volcanos, e.g. CHIMBORAZO, TAAL	Tempest
22	Activists		[X] Jackal				[X] Virgo		Wind [X]
23	Espionage		[X] Bat **						Earth [X]
24	Damage / Destruction								Fire [X]
25	BEC						[X] Orion
26	Private Sector Offensive Actors											Plants, e.g. KNOTWEED, SORGHUM	Tsunami
27	Influence Operations												Flood
28	Ransom						[X] Scorpius
29	Temporary	TEMP.[X]**					CLU[X]					DEV-[#]	Storm
30	Uncategorized Intrusion Clusters	UNC[X]				TG[X]			Void [X]							TAT[X]		UNK[X]	STAC[X]	TAG-[X]	HIVE[X]	REF[X]
31
32	URL (with explanations)	https://www.mandiant.com/resources/blog/how-mandiant-tracks-uncategorized-threat-actors	https://www.crowdstrike.com/blog/naming-adversaries-and-why-it-matters-to-security-teams/		https://www.secureworks.com/research/threat-profiles		https://unit42.paloaltonetworks.com/unit-42-threat-group-naming-update/						https://www.microsoft.com/en-us/security/blog/2023/04/18/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy/				https://cyberthreathitmap.thalesgroup.com/attackers
33
34	* not consistently used / malware focused
35	** not used anymore


1	Malware / Tools
2	(Families / Overlaps)
3	Name 1	Name 2	Name 3	Name 4	Name 5	Name 6	Name 6	Name 7		Family	Comment	Link 1	Link 2	Link 3	Link 4

4	Gh0st RAT	Moudoor	Piano Gh0st	Zegost								https://cysinfo.com/hunting-and-decrypting-communications-of-gh0st-rat-in-memory/	http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/	https://sentinelone.com/blogs/the-curious-case-of-gh0st-malware/	http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
5	Poison Ivy	Darkmoon	PIVY									http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf
6	HydraQ	9002 RAT	McRAT	Naid	BKDR_MDMBOT	Troj/Agent-XAL						http://cybercampaigns.net/wp-content/uploads/2013/05/Hydraq.pdf	https://cysinfo.com/hunting-apt-rat-9002-in-memory-using-volatility-plugin/
7	Hikit	Matrix RAT	Gaolmay
8	Zxshell	Sensode										http://pastebin.com/jCaLHvkM	https://blogs.cisco.com/security/talos/opening-zxshell
9	DeputyDog	Fexel
10	PlugX	Destory RAT	Thoper	Sogu	Korplug	TVT	Kaba			PlugX	Often uses DLL side-loading	http://blogs.cisco.com/security/talos/threat-spotlight-group-72	https://www.circl.lu/pub/tr-24/	http://labs.lastline.com/an-analysis-of-plugx
11	BACKSPACe	Lecna	BARYS
12	Regin	Prax	WarriorPride	QUERTY							FEYES malware
13	HttpBrowser	TokenControl
14	NetTraveler	TravNet	RedStar	Netfile
15	IceFog	Fucobha										https://web.archive.org/web/20160825001253/http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_exposes_Icefog_a_new_cyber-espionage_campaign_focusing_on_supply_chain_attacks	https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/
16	HTran	CTran	ONHAT (similar)	Xdoor							Chinese Tunneling Tool	http://www.secureworks.com/cyber-threat-intelligence/threats/htran/
17	Agent.BTZ	SillyFDC										http://cybercampaigns.net/wp-content/uploads/2013/05/Agent-BTZ.pdf
18	Comfoo										RSA incident, Red October	http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
19	DNSChanger	RSPlug								ZLob		http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
20	IEXPLORE RAT	Sharky RAT	Briba	Comfoo								https://citizenlab.org/2012/09/citizen-lab-technical-brief-iexpl0re-rat/	https://www.secureworks.com/research/secrets-of-the-comfoo-masters	https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99&tabid=2
21	LSB											https://github.com/RobinDavid/LSB-Steganography	http://ijact.org/volume3issue4/IJ0340004.pdf
22	LStudio	Emissary	Elise									http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/
23	MNKit	WingD	Tran Duy Linh									http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
24	Derusbi	Photo	Shyape	Sakula (variant)	Mivast	PHOTO				Derusbi	Chinese Backdoor, Winnti	https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf	https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf
25	Wipbot	Epic	Tavdig
26	Carbon Rootkit	Snake Rootkit	Cobra
27	Turla	Uroburos
28	Winnti (Network Driver Component)	Derusbi	HIGHNOON	Rbdoor							P2P Backdoor, Driver loaded into memory	https://securelist.com/?s=winnti	http://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html#more-73
29	WCE	AceHash									Password Dumper, PTH	http://www.ampliasecurity.com/research/windows-credentials-editor/
30	Mimikatz	Powerkatz									Password Dumper, PTH, DCSync, SkeletonKey, Golden/Silver Tickets	https://github.com/gentilkiwi/mimikatz
31	HDRoot	HDD Rootkit									Winnti / Axiom Group	http://williamshowalter.com/a-universal-windows-bootkit/
32	OrcaRAT	LeoUnica									Found with Comfoo malware	http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html	https://github.com/kbandla/APTnotes/blob/master/2014/LeoUncia_OrcaRat.pdf
33	Etumbot										Assocaited with Numbered Panda/APT12	https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/	https://www.arbornetworks.com/blog/asert/illuminating-the-etumbot-apt-backdoor/
34	xcmd										Similar to psexec. Used in OPM and Anthem breaches
35	NjRAT
36	X-Agent	Fysbis	CHOPSTICK	Backdoor.SofacyX	SPLM	webhp					Used by Sofacy group, Linux backdoor	http://www.welivesecurity.com/2016/10/25/lifting-lid-sednit-closer-look-software-uses/
37	Adwind RAT	Frutas	jFrutas	AlienSpy	Unrecom	Sockrat	jSocket	jRAT	jBifrost RAT	Adwind		https://t.co/x0jmdEp45w
38	Jiripbot	Flacher									Wild Neutron
39	Quasar RAT											https://github.com/quasar/QuasarRAT/tree/v1.2.0.0
40	Mtool	MultiTool									Cn Group Tool for Recon
41	FallChill	Manuscrypt									Backdoor. Used by Lazarus Group, Bluenoroff.	https://securelist.com/apt-trends-report-q2-2017/79332/
42	Infy	Infy M										https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/
43	DustySky	NeD Worm										http://www.clearskysec.com/dustysky/
44	Exforel										SIG30 in NSA report, Chinese origin	https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=VirTool:WinNT/Exforel.A	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
45	LoJax
46	ROKRAT											https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html	http://v3lo.tistory.com/24
47	Ryuk	Hermes									Ryuk based on Hermes GRIM SPIDER (cybercrime)	https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/	https://blog.kryptoslogic.com/malware/2019/01/10/dprk-emotet.html	https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/	https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/	https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
48	Xtunnel	X-Tunnel	Shunnael	XAP							Used by APT28 / Sofacy, A family of modular backdoors with Windows, Linux, and iOS variants. The malware, which includes espionage functionalities like keystroke logging and file exfiltration, is typically dropped after a reconnaissance phase as second-stage malware.
49	Flame	Flamer	sKyWIper								Used by GOSSIPGIRL (umbrella group)	https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
50	Zebrocy	Zekapab									A multilanguage family of modular downloaders, droppers, and backdoors deriving from Delphocy
51	SeduUploader	JHUHUGIT	JKEYSKW	SofacyCarberp	Sednit	GAMEFISH					A first-stage downloader based on the Carberp banking Trojan. It serves as reconnaissance malware and can download a secondary backdoor such as XAgent
52	Sofacy	SOURFACE									A first-stage downloader that retrieves a second stage backdoor from a command-and-control server
53	BlackEnergy	BE
54	BlackEnergy2	BE2
55	GreyEnergy Mini	FELIXROOT
56	Industroyer	CrashOverride									A modular malware designed to disrupt ICS processes in electrical substations. Industroyer consists of an initial backdoor, loader module, and several supporting and payload modules. The malware also includes a data wiper and a denial of service (DoS) tool targeted at Siemens SIPROTEC protection relays.
57	NotPetya	GoldenEye	ExPetr	Nyetya	Diskcoder.C	PetrWrap
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001


1	Sources
2	Source	Link
3	APTNotes - Github Repo	https://github.com/kbandla/APTnotes
4	APTNotes - Website	https://aptnotes.malwareconfig.com/
5	Targeted Cyber Attacks Logbook (Kaspersky)	https://apt.securelist.com/
6	Cyber Campaigns	http://cybercampaigns.net/
7	(Slides) Cyber Espionage Nation-State APT Attacks on the Rise	http://www.slideshare.net/Cyphort/cyber-espionage-nation-stateaptattacksontherise
8	(Slides) CrowdCasts Monthly: You Have an Adversary Problem	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
9	CrowdStrike Blog	http://www.crowdstrike.com/blog/
10	Securelist.com Blog (Kaspersky)	https://securelist.com/
11	Cyber Operations by CFR	https://www.cfr.org/interactive/cyber-operations
12	Symantec Health Care Attacks	https://www.symantec.com/content/dam/symantec/docs/reports/istr-healthcare-2017-en.pdf
13	FireEye Threat Actors	https://www.fireeye.com/current-threats/apt-groups.html
14	MITRE ATT&CK Groups	https://attack.mitre.org/wiki/Groups
15	APT_CyberCriminal_Campagin_Collections	https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
16	Dragos' Adversary Groups (ICS Specialists)	https://dragos.com/adversaries.html
17	ClearSky Raw Threat Intel	https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub
18	MISP Galaxy	https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json
19	Electronic Transactions Development Agency (formerly ThaiCERT; Thailand)	https://apt.etda.or.th/cgi-bin/listgroups.cgi
20	Malpedia	https://malpedia.caad.fkie.fraunhofer.de/actors
21	Threat Group Cards	https://apt.etda.or.th/cgi-bin/listgroups.cgi


1
2
3	Previous name	New name	Origin/Threat	Other names	Previous name	New name	Origin/Threat	Other names
4	ACTINIUM	Aqua Blizzard	Russia	UNC530, Primitive Bear, Gamaredon	DEV-0146	Pumpkin Sandstorm	Iran	ZeroCleare
5	AMERICIUM	Pink Sandstorm	Iran	Agrius, Deadwood, BlackShadow, SharpBoys	DEV-0193	Periwinkle Tempest	Financially motivated	Wizard Spider, UNC2053.
6	BARIUM	Brass Typhoon	China	APT41	DEV-0196	Carmine Tsunami	Private sector offensive actor	QuaDream
7	BISMUTH	Canvas Cyclone	Vietnam	APT32, OceanLotus	DEV-0198 (NEPTUNIUM)	Cotton Sandstorm	Iran	Vice Leaker
8	BOHRIUM	Smoke Sandstorm	Iran		DEV-0206	Mustard Tempest	Financially motivated	Purple Vallhund
9	BROMINE	Ghost Blizzard	Russia	Energetic Bear, Crouching Yeti	DEV-0215 (LAWRENCIUM)	Pearl Sleet	North Korea
10	CERIUM	Ruby Sleet	North Korea		DEV-0227 (AMERICIUM)	Pink Sandstorm	Iran	Agrius, Deadwood, BlackShadow, SharpBoys
11	CHIMBORAZO	Spandex Tempest	Financially motivated	TA505	DEV-0228	Cuboid Sandstorm	Iran
12	CHROMIUM	Charcoal Typhoon	China	ControlX	DEV-0234	Lilac Typhoon	China
13	COPERNICIUM	Sapphire Sleet	North Korea	Genie Spider, BlueNoroff	DEV-0237	Pistachio Tempest	Financially motivated	FIN12
14	CURIUM	Crimson Sandstorm	Iran	TA456, Tortoise Shell	DEV-0243	Manatee Tempest	Financially motivated	EvilCorp, UNC2165, Indrik Spider
15	DUBNIUM	Zigzag Hail	South Korea	Dark Hotel, Tapaoux	DEV-0257	Storm-0257	Group in development	UNC1151
16	ELBRUS	Sangria Tempest	Financially motivated	Carbon Spider, FIN7	DEV-0322	Circle Typhoon	China
17	EUROPIUM	Hazel Sandstorm	Iran	Cobalt Gypsy, APT34, OilRig	DEV-0336	Night Tsunami	Private sector offensive actor	NSO Group
18	GADOLINIUM	Gingham Typhoon	China	APT40, Leviathan, TEMP.Periscope, Kryptonite Panda	DEV-0343	Gray Sandstorm	Iran
19	GALLIUM	Granite Typhoon	China		DEV-0401	Cinnamon Tempest	Financially motivated	Emperor Dragonfly, Bronze Starlight
20	HAFNIUM	Silk Typhoon	China		DEV-0500	Marigold Sandstorm	Iran	Moses Staff
21	HOLMIUM	Peach Sandstorm	Iran	APT33, Refined Kitten	DEV-0504	Velvet Tempest	Financially motivated
22	IRIDIUM	Seashell Blizzard	Russia	Sandworm	DEV-0530	Storm-0530	North Korea	H0lyGh0st
23	KNOTWEED	Denim Tsunami	Private sector offensive actor	DSIRF	DEV-0537	Strawberry Tempest	Financially motivated	LAPSUS$
24	KRYPTON	Secret Blizzard	Russia	Venomous Bear, Turla, Snake	DEV-0586	Cadet Blizzard	Russia
25	LAWRENCIUM	Pearl Sleet	North Korea		DEV-0605	Wisteria Tsunami	Private sector offensive actor	CyberRoot
26	MANGANESE	Mulberry Typhoon	China	APT5, Keyhole Panda, TABCTENG	DEV-0665	Sunglow Blizzard	Russia
27	MERCURY	Mango Sandstorm	Iran	MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros	DEV-0796	Phlox Tempest	Financially motivated	ClickPirate, Chrome Loader, Choziosi loader
28	NEPTUNIUM	Cotton Sandstorm	Iran	Vice Leaker	DEV-0832	Vanilla Tempest	Financially motivated
29	NICKEL	Nylon Typhoon	China	ke3chang, APT15, Vixen Panda	DEV-0950	Lace Tempest	Financially motivated	FIN11, TA505
30	NOBELIUM	Midnight Blizzard	Russia	APT29, Cozy Bear
31	OSMIUM	Opal Sleet	North Korea	Konni
32	PARINACOTA	Wine Tempest	Financially motivated	Wadhrama
33	PHOSPHORUS	Mint Sandstorm	Iran	APT35, Charming Kitten
34	POLONIUM	Plaid Rain	Lebanon
35	RADIUM	Raspberry Typhoon	China	APT30, LotusBlossom
36	RUBIDIUM	Lemon Sandstorm	Iran	Fox Kitten, UNC757, PioneerKitten.
37	SEABORGIUM	Star Blizzard	Russia	Callisto, Reuse Team
38	SILICON	Marbled Dust	Turkey	Sea Turtle
39	SOURGUM	Caramel Tsunami	Private sector offensive actor	Candiru
40	SPURR	Tomato Tempest	Financially motivated	Vatet
41	STRONTIUM	Forest Blizzard	Russia	APT28, Fancy Bear
42	TAAL	Camouflage Tempest	Financially motivated	FIN6, Skeleton Spider
43	THALLIUM	Emerald Sleet	North Korea	Kimsuky, Velvet Chollima
44	ZINC	Diamond Sleet	North Korea	Labyrinth Chollima, Lazarus
45	ZIRCONIUM	Violet Typhoon	China	APT31