China
Common Name | | CrowdStrike | IRL | Kaspersky | Secureworks | Mandiant | FireEye | Symantec | iSight | Cisco (Sourcefire/VRT > Talos) | Palo Alto Unit 42 | Other Names | MITRE ATT&CK | Operation 2 | Operation 3 | Operation 4 | Toolset / Malware | Targets | Modus Operandi | Overlaps to | Comment | Link 1 | Link 2 | Link 3 | Link 4 | Link 5 | Link 6 | Link 7 | Link 8 | Link 9 | Link 10 | Link 11 | Link 12 | Link 13 | Link 14 | Link 15 | Link 16 | Link 17 | Link 18 | Link 19 | Link 20 | Link 21 | Link 22 | Link 23 |
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
Comment Crew | | Comment Panda | PLA Unit 61398 | | TG-8223 | APT1 | | | BrownFox | Group 3 | | GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor | G0006 | GhostNet | | | WEBC2, BISCUIT and many others | U.S. cybersecurity firm Mandiant, later purchased by FireEye, released a report in February 2013 that exposed one of China's cyber espionage units, Unit 61398. The group, which FireEye called APT1, is a unit within China's People's Liberation Army (PLA) that has been linked to a wide range of cyber operations targeting U.S. private sector entities for espionage purposes. The comprehensive report detailed evidence connecting APT1 and the PLA, offered insight into APT1's operational malware and methodologies, and provided timelines of the espionage it conducted. | | | | http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf | http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?emc=na&_r=2& | https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators | https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network | http://www.nartv.org/mirror/ghostnet.pdf | | | | | | | | | | | | | | | | | | |
APT2 | | Putter Panda | PLA Unit 61486 | | TG-6952 | APT2 | | | | Group 36 | | SearchFire | G0024 | | | | Known for exploiting CVE-2012-0158 (the MSCOMCTL.OCX vulnerability in Microsoft Office) in spear-phishing operations. Related malware: Moose, Warp, MSUpdater | This threat actor targets firms in the technology (communications, space, aerospace), research, defense, and government sectors in the United States for espionage purposes. The tools and infrastructure it uses overlap with PLA Unit 61398. | | | | http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf | http://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/ | | | | | | | | | | | | | | | | | | | | | |
UPS | | Gothic Panda | | | TG-0110 | APT3 | | Buckeye | UPS Team | Group 6 | | Boyusec – the Guangzhou Boyu Information Technology Company, Ltd | G0022 | Double Tap | Clandestine Wolf | | Shotput, Pirpi, PlugX/Sogu, Kaba, Cookie Cutter, many 0days: IE, Firefox, and Flash, SportLoader, Shadow Brokers exploits, DoublePulsar, Bemstour, Filensfer | This threat actor targets and compromises entities in the defense, construction, technology, and transportation sectors. Up until 2015, it was primarily focused on U.S. and UK entities, but it shifted to Hong Kong–based targets afterward. Aerospace and Defence; Construction and Engineering; Energy; High Tech; Nonprofit; Telecommunications; Transportation | | | | https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html | http://www.secureworks.com/resources/blog/research/threat-group-0110-targets-manufacturing-and-financial-organizations-via-phishing/ | http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong | https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/ | https://www.fireeye.com/current-threats/apt-groups.html | https://www.recordedfuture.com/chinese-mss-behind-apt3/ | http://freebeacon.com/national-security/u-s-indicts-three-chinese-hackers-linked-security-firm/amp/ | https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html?noredirect=on&utm_term=.209df584e031 | https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/ | https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit | | | | | | | | | | | | | |
IXESHE | | Numbered Panda | | | TG-2754 (tentative) | APT12 | BeeBus | | Calc Team | Group 22 | | DynCalc, Crimson Iron, DNSCalc | G0005 | | | | Etumbot, Riptide, Hightide, ThreeByte, Waterspout, Mswab, Gh0st, ShowNews, 3001 | This threat actor targets organizations in Japan, Taiwan, and elsewhere in East Asia—including electronics manufacturers and telecommunications companies—for espionage purposes. | | | | http://www.crowdstrike.com/blog/whois-numbered-panda/ | http://www.computerworld.com/s/article/9241577/The_Chinese_hacker_group_that_hit_the_N.Y._Times_is_back_with_updated_tools?taxonomyId=17 | http://blog.crowdstrike.com/whois-numbered-panda/ | http://www.secureworks.com/cyber-threat-intelligence/threats/analysis-of-dhs-nccic-indicators/ | http://blog.trendmicro.com/taking-a-bite-out-of-ixeshe/ | http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/ | https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/ | http://blog.macnica.net/blog/2017/08/post-fb81.html | | | | | | | | | | | | | | | |
APT16 | | | | | | APT16 | | | | | | | G0023 | | | | ELMER backdoor, Gh0st, HTRAN, UNICAT, Poison Ivy, Pandora | This threat actor targets and compromises Japanese and Taiwanese entities in the finance, tech, media, and government sectors. | Spear-phishing email delivering a malicious Microsoft Word document that exploits the EPS "dict copy" use-after-free vulnerability (CVE-2015-2545) and the local Windows privilege escalation vulnerability CVE-2015-1701. Successful exploitation of both led to delivery of either a downloader (IRONHALO) or a backdoor (ELMER). Also known to use compromised VPN credentials to maintain persistence in victim networks. | | | https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html | https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html | https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/ | https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/ | | | | | | | | | | | | | | | | | | | |
Hidden Lynx | | Aurora Panda | | | | APT17 | Deputy Dog | Hidden Lynx | Tailgater Team | Group 8 | | Burning Umbrella | G0025 | | | | BLACKCOFFEE, WEBCnC, Joy RAT, PlugX, Trojan.Naid, Backdoor.Moudoor, Backdoor.Vasport, Backdoor.Boda, Trojan.Hydraq, ZxShell, Sakula, China Chopper, DestroyRAT | Government, defense & aerospace, industrial engineering, NGOs | | | | http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html | http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf | http://www.darkreading.com/attacks-and-breaches/chinese--hidden-lynx--hackers-launch-widespread-apt-attacks/d/d-id/1111589?page_number=2 | https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf | http://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/ | https://401trg.com/burning-umbrella/ | https://www.infosecurity-magazine.com/news/chinese-espionage-group-widescale/ | https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/ | https://www.bloomberg.com/features/2021-supermicro/ | | | | | | | | | | | | | |
Wekby | | Dynamite Panda | | | TG-0416 | APT18 | | | | | | TA428 | G0026 | | | | HTTPBrowser, TokenControl, HcdLoader, PisLoader, TManger | Aerospace and Defence; Construction and Engineering; Education; Health and Biotechnology; High Tech; Telecommunications; Transportation | | | | https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828 | http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem | https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop | https://www.volexity.com/blog/2015/07/08/158-2/ | http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/ | https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf | https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology | https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger | https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf | https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/ | https://www.recordedfuture.com/china-linked-ta428-threat-group/ | https://blog.group-ib.com/task | https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80 | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ | https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf | | | | | | | | |
Axiom | | | | | | APT17 | | | Tailgater Team | Group 72 | | Dogfish (iDefense), Deputy Dog (iDefense), Winnti Umbrella | G0001 | | | | Winnti, Gh0st RAT, PoisonIvy, HydraQ, Hikit, ZxShell, Deputy Dog, Derusbi, PlugX, HTRAN, HDRoot, Fscan, Timestomper | | | Shell Crew, Hidden Lynx, Axiom | Use "Skeleton Key" on DCs | http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/ | http://www.novetta.com/files/5614/1329/6232/novetta_cybersecurity_exec_summary-3.pdf | http://www.novetta.com/2015/04/operation-smn-winnti-update/ | https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/ | https://401trg.com/burning-umbrella/ | https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/ | | | | | | | | | | | | | | | | | |
Winnti Group | | Wicked Panda | | | BRONZE ATLAS | APT41 | | | | | | Winnti Umbrella, BARIUM, LEAD, RedEcho, Vanadinite, TAG-22 | G0044 | | | | Winnti, AceHash, PlugX, Webshells, ZxShell, ShadowPad | ThyssenKrupp, Gameforge, Valve, Teamviewer, Siemens, Sumitomo, BASF, Covestro, Shin-Etsu, Bayer, Roche | | Deep Panda, Wicked Spider | | http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/ | https://www.protectwise.com/blog/winnti-evolution-going-open-source.html | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/january/windows-firewall-hook-enumeration/ | https://www.nccgroup.trust/globalassets/our-research/uk/technical-advisories/2015/derusbi-server-technical-note-1-1-tlp-white.pdf | https://lab52.io/blog/winnti-group-geostrategic-analysis-and-ttp/ | https://401trg.com/burning-umbrella/ | https://web.br.de/interaktiv/winnti/index.html | https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf | https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-vanadinite/ | https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/ | https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware | https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/ | https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/ | https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf | https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials | | | | | | |
Shell Crew | | Deep Panda | | WebMasters | | APT19 | KungFu Kittens | | | Group 13 | | Sh3llCr3w, PinkPanther, Winnti Group | G0009 | OPM | Anthem Hack | | Sakula/Sakurel, Derusbi, Scanbox Framework, many Webshells including China Chopper, WCE | | | Axiom, Winnti | | http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf | https://www.isightpartners.com/2015/07/threatscape-media-highlights-update-week-of-july-29th/ | https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html | | | | | | | | | | | | | | | | | | | | |
Naikon | | Lotus Panda | PLA Unit 78020 | Naikon | | APT30 | | Thrip, Billbug | | | | | G0019 | Naikon | Camera Shy | | RARSTONE, BACKSPACE, NETEAGLE, XSControl | Satellite communications operators, telecoms, and defense companies; Hong Kong | | | | https://securelist.com/analysis/publications/69953/the-naikon-apt/ | http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/ | https://www.threatconnect.com/camerashy/ | http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/ | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia | https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/ | https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/ | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | | | | | | | | | | | | |
Lotus Blossom | | | | Spring Dragon | | | | | | | Lotus Blossom | ST Group, Esile | G0030 | | | | Elise Backdoor, Lstudio, CVE-2017-11882 | | | | | https://securelist.com/blog/research/70726/the-spring-dragon-apt/ | http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/ | http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments | http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/ | https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting | https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf | https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ | https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf | | | | | | | | | | | | | | | |
APT6 | | | | | | APT6 | | | | | | 1.php Group | | | | | Poison Ivy | US Government Organizations | | | Overlaps with Operation Night Dragon | https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years | https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf | https://www.zscaler.com/blogs/research/1php-group-intrusion-set-paper | https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/tb_advanced_persistent_threats.pdf | | | | | | | | | | | | | | | | | | | |
APT26 | | Turbine Panda | | | | APT26 | | | Hippo Team | | | JerseyMikes | | | | | Cobalt, QuickPulse, credential stealers such as WCE, GSECDUMP, COATHOOK, HTRAN, SOGU, TWOCHAINS, QUICKBALL | Affected industries: Aerospace and Defense; Business and Professional Services (Legal, Accounting); High Tech (software and hardware services) | Supply-chain attacks such as strategic web compromise (SWC), in which the actor compromises a third-party service provider hosting the victims' websites | | | https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf?mkt_tok=3RkMMJWWfF9wsRojuKrPZKXonjHpfsX/7e8tWrHr08Yy0EZ5VunJEUWy2ocITtQ/cOedCQkZHblFnV4AS626XrENqKML | https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf | https://digit.fyi/lengthy-cyber-espionage-operation-helped-china-develop-c919-airliner/ | | | | | | | | | | | | | | | | | | | | |
Mirage | | Vixen Panda | Ke3Chang | Playful Dragon | GREF | APT15 | | | Social Network Team | | | Mirage Team, Lurid, Social Network Team, Royal APT, Metushy, Winnti Umbrella, NICKEL, Playful Taurus, BackdoorDiplomacy | G0004 | | | | Mirage, PlugX (side-loaded via an Nvidia program), XSLCmd, TidePool, BS2005, RoyalCli, iWebRat, Russian-language decoy document, ENFAL, ENDCMD, QUICKHEAL, SOGU, CYFREE, MIRAGE, NOISEMAKER, SWALLOWFLY, Turian Backdoor | PH, VN, TW, US, UK, IT, PL, UN, SG, NATO - Gov, Political party | | Winnti | Some vendors track this group as up to three separate groups | http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/ | https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf | http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/ | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ | https://github.com/nccgroup/Royal_APT | https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ | https://401trg.com/burning-umbrella/ | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/ | https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf | https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi#page=51 | https://www.lookout.com/documents/threat-reports/us/lookout-moonshine-badbazaar.pdf | https://unit42.paloaltonetworks.com/playful-taurus/ | https://www-zurnal24-si.translate.goog/slovenija/znano-kdo-stoji-za-napadom-na-ministrstvo-za-zunanje-zadeve-404450?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp | | | | | | | | |
NetTraveler | | | Lanzhou PLA Unit | NetTraveler | | APT21 | | | | | | | | | | | NetTraveler | This threat actor targets computer networks associated with Tibetan and Uyghur activists for espionage purposes. | | | | https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/ | https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/ | https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/ | | | | | | | | | | | | | | | | | | | | |
Ice Fog | | Dagger Panda | | IceFog | | | ICEFOG | | | | | Fucobha, Temp.Trident | | | | | Dagger Three (C2 software), Fucobha Backdoor, IceFog, RoyalRoad RTF Weaponizer | This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in the US, Taiwan, Japan, and South Korea. | | Links to Onion Dog | | https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/ | https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/ | http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf | http://www.darkreading.com/attacks-and-breaches/java-icefog-malware-variant-infects-us-businesses/d/d-id/1113451 | https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain | https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt | https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80 | | | | | | | | | | | | | | | | |
Beijing Group | | Sneaky Panda | | | | | | | | | | Hydraq, SIG22, Elderwood, Elderwood Gang | G0066 | | | | Hydraq, Elderwood Project | This threat actor targets private sector companies in the defense, shipping, aeronautics, arms, and energy sectors, as well as nonprofits and financial firms. | | | Possibly assisted in Operation Aurora, the RSA incident, and the Joint Strike Fighter Program compromise | https://en.wikipedia.org/wiki/Operation_Aurora#Attackers_involved | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China | https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/ | | | | | | | | | | | | | | | | | | | |
APT22 | | Wet Panda | | | BRONZE OLIVE | | | | | | | Barista | | | | | China Chopper, PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, LOGJAM | | | | Possible overlap with Beijing Group | http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild | | | | | | | | | | | | | | | | | | | | | | |
Suckfly | | | | | | | | | | | | | G0039 | | | | Nidiran, Korplug, PlugX | Indian organisations and Republic of Korea | | | | http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates | | | | | | | | | | | | | | | | | | | | | | |
APT4 | | Samurai Panda | PLA Navy | | | APT4 | APT4 | Sykipot | Wisp Team | | | | | | | | | | | | “PdPD” (50 64 50 44) marker for encrypted binaries | http://www.crowdstrike.com/blog/whois-samurai-panda/ | | | | | | | | | | | | | | | | | | | | | | |
Pitty Tiger | | Pitty Panda | | | | | Pitty Tiger | | | | | | G0011 | | | | PittyTiger, Paladin RAT | | | | "Pitty Tiger" was originally the name of a malware payload, coined by the Malware Tracker blog. Airbus and FireEye identified the actor as Chinese. CrowdStrike uses "Tiger" for adversaries aligned with India, so it tracks this actor as "Pitty Panda", conforming to its naming convention for Chinese actors. | http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2 | https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html | http://blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html | | | | | | | | | | | | | | | | | | | | |
Scarlet Mimic | | | | | | | | | | | Scarlet Mimic | | G0029 | | | | FakeM, Psylo, MobileOrder | Uyghur and Tibetan activists as well as those who are interested in their causes | | | | http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/ | | | | | | | | | | | | | | | | | | | | | | |
C0d0so | | Codoso | | | | APT19 | Sunshop Group | | | | | | G0073 | | | | Bergard Trojan, Derusbi, TXER | Forbes, Defense, Finance, Energy, Government, Political Dissidents, Global Think Tanks | Watering Hole | | | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf | http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/ | https://www.proofpoint.com/us/threat-insight/post/exploring-bergard-old-malware-new-tricks | https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/ | | | | | | | | | | | | | | | | | | |
SVCMONDR | | | | | | | | | | | | | | | | | CVE-2015-2545 | Taiwan, Thailand | | Tamper Panda | “PdPD” (50 64 50 44) marker for encrypted binaries | https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/ | | | | | | | | | | | | | | | | | | | | | | |
Wisp Team | | | | | | APT4 | | | Wisp Team | | | | | | | | | Defense Industrial Base, US Government | | | iSight has mentioned tracking a China-nexus group they dub "Wisp Team"; this has not been resolved against other vendors' naming conventions | https://www.isightpartners.com/2014/04/weeks-threatscape-media-highlights-update-2/ | https://www.isightpartners.com/2014/09/weeks-threatscape-media-highlights-update-22/ | https://www.isightpartners.com/2015/01/threatscape-media-highlights-update-week-january-12/ | | | | | | | | | | | | | | | | | | | | |
Mana Team | | | | | | | | | Mana Team | | | | | | | | | Australia | | | iSight has mentioned tracking China-nexus activity they dub "Mana Team", targeting Australian interests; this has not been resolved against other vendors' naming conventions | https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/ | | | | | | | | | | | | | | | | | | | | | | |
TEMP.Zhenbao | | | | | | | | | TEMP.Zhenbao | | | | | | | | | | | | | https://www.isightpartners.com/2014/11/threatscape-media-highlights-update-week-november-10/ | http://www.securityweek.com/plugx-rat-used-gather-intel-afghan-russian-military-report | | | | | | | | | | | | | | | | | | | | | |
SPIVY | | | | | | | | | | | | | | | | | | Hong Kong dissidents | | | | http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/ | | | | | | | | | | | | | | | | | | | | | | |
Mofang | | | | | BRONZE WALKER | | | | | | | Whitefly | G0103 (Kaspersky) G0107 (Symantec) | SingHealth | | | ShimRAT, ShimRATReporter | Government, military, critical infrastructure, automotive industry*, weapon industry*. This threat actor compromises government and critical infrastructure entities, primarily in Myanmar, for espionage purposes. Victims: Myanmar, Canada, United States, Germany, India, South Korea, Singapore | | Superman | | https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/ | https://www.threatconnect.com/china-superman-apt/ | https://securelist.com/big-threats-using-code-similarity-part-1/97239/ | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore | | | | | | | | | | | | | | | | | | | |
DragonOK | | | | | | | DragonOK | | | | DragonOK | Dragon Castling | G0017 | | | | CVE-2015-1641, Sysget, IsSpace, Rambo Backdoor | Japan, SE Asia casino & gaming | | KHRAT links to Rancor | | http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ | http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/ | https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor | http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf | https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/ | https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/ | | | | | | | | | | | | | | | | |
Group 27 | | | | | | | | | | Group 27 | | | | | | | Trochilus RAT, PlugX, EvilGrab, 3102 variant of 9002 RAT | | | Seven Pointed Dagger, Trochilus RAT | | https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf | https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/ | | | | | | | | | | | | | | | | | | | | | |
Tonto Team | | | | CactusPete | | | Tonto Team | | | | | | G0131 | | | | RoyalRoad RTF Weaponizer | | | | | https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ== | https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf | https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/ | https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector | https://cert.gov.ua/article/375404 | https://www.group-ib.com/blog/tonto-team/ | https://asec.ahnlab.com/en/51746/ | | | | | | | | | | | | | | | | |
TA459 | | | | | | | | | | | | | G0062 | | | | PlugX, NetTraveler, ZeroT, PCrat, Gh0st, RoyalRoad RTF Weaponizer | Central Asian countries, Russia, Belarus, Mongolia, and others | | ?NetTraveler? | | https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter | https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists | | | | | | | | | | | | | | | | | | | | | |
Tick | | | | | BRONZE BUTLER | | | Tick | | | | REDBALDKNIGHT | G0060 | | | | whoami, procdump, VBS, WCE, Mimikatz, gsecdump, PsExec, Daserf, Gofarer, Datper, ABK Downloader, avirra Downloader, RoyalRoad RTF Weaponizer | | | | | https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan | https://www.secureworks.jp/resources/rp-bronze-butler | https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/ | http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/ | https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html | https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/ | https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf | https://therecord.media/japanese-police-say-tick-apt-is-linked-to-chinese-military/ | | | | | | | | | | | | | |
Lucky Cat | | | | | | | | | | | | Shadow Network, SabPub, TA413 (Proofpoint) | | | | | | This threat actor targets computer networks associated with Tibetan activists, as well as military research and development, aerospace, engineering, and shipping industries in India and Japan. | | | | http://blog.trendmicro.com/trendlabs-security-intelligence/luckycat-redux-inside-an-apt-campaign/ | http://www.nartv.org/mirror/shadows-in-the-cloud.pdf | https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/ | http://www.securityweek.com/mac-malware-linked-luckycat-attack-campaign | http://www.infoworld.com/article/2617225/malware/sabpub-malware-proves-macs-are-an-apt-target.html | https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html | https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf | https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic | | | | | | | | | | | | | | | |
APT40 | | Leviathan | | | | APT40 | Temp.Periscope | | | | | Temp.Jumper, GADOLINIUM, MUDCARP, Hainan Xiandun Technology Company, TA423, Red Ladon, ScanBox | G0065 | | | | AIRBREAK, BADFLICK, PHOTO, HOMEFRY, LUNCHMONEY, MURKYTOP, China Chopper, Beacon, BLACKCOFFEE, CVE-2017-11882, Derusbi, RoyalRoad RTF Weaponizer | maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities | | | | https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets | https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html | https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html | https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html | https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain | https://lab52.io/blog/leviathan-geostrategy-and-ttp-technical-tactics-and-procedures/ | https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/ | https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/ | https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/ | https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network/ | https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding/ | https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40/ | https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf | https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ | https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea | | | | | | | | |
PassCV | | | | | TG-3279 | | | | | | | Winnti Umbrella, China Cracking Group | | | | | Sabre, Kitkiot, Conpee, Etso, Runxx, dnsenum, s (custom port scanner), rdp_crk, icmp_shell, Jynxkit, Gh0st RAT, NetCommander, Carberp RAT | Gaming Companies | | Winnti | Personas: Laurentiu Moon, Sincoder | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | https://401trg.com/burning-umbrella/ | https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry#up2 | | | | | | | | | | | | | | | | | | | | |
BARIUM | | | | | TG-2633 | | | | | | | Winnti Umbrella, BRONZE ATLAS | | | | | Winnti Rootkit malware | Electronic gaming, multimedia, Internet content industries, technology companies | | Winnti | | https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc | https://401trg.pw/burning-umbrella/ | | | | | | | | | | | | | | | | | | | | | |
LEAD | | | | | | | | | | | | Winnti Umbrella | | | | | Winnti Rootkit malware | Multinational, multi-industry companies, textiles, chemicals, electronics, pharmaceutical companies, manufacturing | | Winnti | | https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc | https://401trg.pw/burning-umbrella/ | https://www.france24.com/en/20190404-bayer-victim-cyber-attack-german-media | | | | | | | | | | | | | | | | | | | | |
Iron Group | | | | | | | | | | | | Rocke | | | | | XBash | Cybercrime, Cryptomining, Cryptojacking | | | | https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/ | https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html | https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/ | https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html | https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang#When:18:10:00Z | | | | | | | | | | | | | | | | | | |
Anchor Panda | | Anchor Panda | | | | | | | | | | | | | | | Adobe Gh0st, Poison Ivy, Torn RAT | This threat actor targets government and private sector entities interested in maritime issues in the South China Sea for espionage purposes. Maritime satellite systems, aerospace companies, and defense contractors. | | | “PdPD” (50 64 50 44) marker for encrypted binaries | http://www.crowdstrike.com/blog/whois-anchor-panda/ | | | | | | | | | | | | | | | | | | | | | | |
Aquatic Panda | | | | | | | | | | | | | G0143 | | | | | | | | | https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ | | | | | | | | | | | | | | | | | | | | | | |
Big Panda | | | | | | | | | | | | | | | | | | Financial services firms | | | Mentioned by Alperovitch in 2013 article as targeting financial services industry | http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402? | | | | | | | | | | | | | | | | | | | | | | |
Electric Panda | | | | | | | | | | | | | | | | | | | | | Listed on slide 8 | http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem | | | | | | | | | | | | | | | | | | | | | | |
Eloquent Panda | | | | | | | | | | | | | | | | | | | | | Mentioned slide 15 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf | | | | | | | | | | | | | | | | | | | | | | |
Emissary Panda | | Emissary Panda | | LuckyMouse | BRONZE UNION, TG-3390 | APT27 | | | TEMP.Hippo | Group 35 | | ZipToken, Iron Tiger | G0027 | A Tale of Two Targets | | | PlugX, China Chopper Webshell, HttpBrowser, Hunter, ASPXTool, wce, gsecdump, nbtscan, htran | US Gov and contractors, Western think tanks, Gaming, iGaming, Gambling | | DEV-0322, Earth Berberoka | Suspected South Korean group? https://attack.mitre.org/groups/G0012/ | http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/ | http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states | https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/ | https://www.secureworks.com/research/bronze-union | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/ | https://securelist.com/luckymouse-hits-national-data-center/86083/ | https://securelist.com/luckymouse-ndisproxy-driver/87914/ | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox | https://lab52.io/blog/apt27-rootkit-updates/ | https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/ | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/ | https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia | https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ | https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html | https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/ | https://blog.group-ib.com/task | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/ | https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html | https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/ | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state | https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html | |
Foxy Panda | | Foxy Panda | | | | | | | | | | | | | | | | Technology & Communications | | | Listed slide 4 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf | | | | | | | | | | | | | | | | | | | | | | |
Gibberish Panda | | Gibberish Panda | | | | | | | | | | | | | | | | | | | Listed slide 8 | http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem | | | | | | | | | | | | | | | | | | | | | | |
Goblin Panda | | Goblin Panda | Hellsing | Cycldek | | | | | | | | Cycldek, Conimes Team, China1937CN Team, Temp.Conimes, Earth Zhulong | | | | | ZeGhost, PlugX, tempfun, NewCore RAT, Sisfader, RoyalRoad RTF Weaponizer, BlueCore, RedCore | Southeast Asia, Government of Vietnam | | | Weaponizer leaked, new activity wrongly attributed to this long inactive group, possible links to Icefog/Dagger Panda and Temp.Periscope/APT40 | http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/ | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/ | https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain | https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html | https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf | https://securelist.com/cycldek-bridging-the-air-gap/97157/ | https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/ | | | | | | | | | | | | | | | | |
Hammer Panda | | | | | | | | | | | | | | | | | | Russia | | | | http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242 | | | | | | | | | | | | | | | | | | | | | | |
Hurricane Panda | | Hurricane Panda | | | BRONZE VINEWOOD | APT31 | | Black Vine | TEMP.Avengers | | | Zirconium, TA412 | | Op. Poisoned Hurricane | | China Chopper Webshell, PlugX, Mimikatz, Sakula | Aerospace, Healthcare, Energy (gas & electric turbine manufacturing), Military and defense, Finance, Agriculture, Technology, Japan, United States, United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, Norway | | | used free DNS servers provided by Hurricane Electric | http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/ | http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ | http://blog.airbuscybersecurity.com/post/2015/09/APT-BlackVine-Malware-Sakula | https://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012 | http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29 | https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85 | https://uk.reuters.com/article/uk-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUKKCN1PV14R | https://raw.githubusercontent.com/GuardaCyber/APT-Groups-and-Operations/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf | https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains | https://research.checkpoint.com/2021/the-story-of-jian/ | https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/ | https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/ | https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/ | https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists | https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/ | | | | | | | | |
Impersonating Panda | | Impersonating Panda | | | | | | | | | | | | | | | | Financial sector | | | | | | | | | | | | | | | | | | | | | | | | | | |
Judgement Panda | | | | | | | | | | | | | | | | | Spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting | Upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets | | | | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | | | | | | | | | | | | | | | | | | | | | | |
Karma Panda | | Karma Panda | CactusPete | CactusPete | | | | | Tonto Team | | | Bisonal (malware), Lone Ranger | | | | | | Dissident groups | | | Listed slide 4 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf | https://securelist.com/apt-trends-report-q1-2019/90643/ | | | | | | | | | | | | | | | | | | | | | |
Keyhole Panda | | Keyhole Panda | | | Bronze Fleetwood | | | | temp.bottle | | | | | | | | | Electronics & Communications | | | Listed slide 4 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf | | | | | | | | | | | | | | | | | | | | | | |
Kryptonite Panda | | | | | | | | | | | | | | | | | 8.t exploit document builder | Cambodia | | | | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | | | | | | | | | | | | | | | | | | | | | | |
Mustang Panda | | | | HoneyMyte | BRONZE PRESIDENT | | | | Temp.Hex | | | TA416, RedDelta, Earth Preta (TrendMicro) | G0129 | | | | Cobalt Strike, PlugX, ORat, RCSession, Nbtscan, Nmap, Wmiexec, China Chopper web shell | Mining sector in Mongolia, private individuals | | gathering geo-political and economic intelligence, NGOs, political & law enforcement org in South and East Asia | | | | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z | https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ | https://securelist.com/apt-trends-report-q3-2019/94530/ | https://www.secureworks.com/research/bronze-president-targets-ngos | https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/ | https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf | https://kc.mcafee.com/corporate/index?page=content&id=KB92635&locale=en_US | https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader | https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/ | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-dianxun-cyberespionage-campaign-targeting-telecommunication-companies/ | https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf | https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european | https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/ | https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx | https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html | https://www.secureworks.com/blog/bronze-president-targets-government-officials | https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims | https://www.lac.co.jp/lacwatch/report/20221117_003189.html | https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html | https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets | https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware | |
Night Dragon | | Night Dragon | | | | | | | | | | | G0014 | | | | | A threat actor compromised U.S. oil companies through spear phishing and remote administration tools. Oil, Energy and Petrochemical (OpNightDragon) | | | | https://kc.mcafee.com/corporate/index?page=content&id=KB71150 | http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf | | | | | | | | | | | | | | | | | | | | | |
Nightshade Panda | | Nightshade Panda | | | | APT9 | | | | | | FlowerLady | | | | | Poison Ivy, PlugX, BIGJOLT, FUNRUN, GH0ST, HOMEUNIX, JIM A, PHOTO, POISON IVY, SKINNYGENE, SOGU, VICEROY, VIPSHELL, WETHEAD, XDOOR, ZXSHELL | HK, US, SG, MY, JP, IN, KR, TH, TW - Aerospace, Agriculture, Construction, Energy, Healthcare, High Tech, Media, Transportation | | | | https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/ | | | | | | | | | | | | | | | | | | | | | | |
Nomad Panda | | | | | | | | | | | | | | | | | 8.t exploit document builder | Central Asian nations | | RedFoxtrot, Moshen Dragon | | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | | | | | | | | | | | | | | | | | | | | | | |
Pale Panda | | | | | | | | | | | | | | | | | PlugX | | | | Mentioned in 2014 Crowdstrike Global Threat Intel Report pg 22 | http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf | | | | | | | | | | | | | | | | | | | | | | |
Pirate Panda | | Pirate Panda | | | | | | | | | | KeyBoys | G0081 | | | | | | Southeast Asia | Tropic Trooper & KeyBoy | | http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/ | http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html | https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ | https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks | https://citizenlab.ca/2016/11/parliament-keyboy/ | | | | | | | | | | | | | | | | | | |
Poisonous Panda | | Poisonous Panda | | | | | | | | | | | | | | | | Energy technology, G20, NGOs, Dissident Groups | | | Listed slide 4 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf | | | | | | | | | | | | | | | | | | | | | | |
Predator Panda | | Predator Panda | | | | | | | | | | | | | | | PlugX | Southeast Asia | | | Mentioned pg 22 & 42 | http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf | | | | | | | | | | | | | | | | | | | | | | |
Radio Panda | | Radio Panda | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
Sabre Panda | | | | | | | | | | | | | | | | | | Umbrella Revolution | | | Listed in 2014 Global Threat Report (pg 9) - observed in Umbrella Revolution related activity (pg 28) | http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf | | | | | | | | | | | | | | | | | | | | | | |
Spicy Panda | | | | | | | | | | | | | | | | | | | | | Listed in 2014 Global Threat Report - no more details pg 9 | http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf | | | | | | | | | | | | | | | | | | | | | | |
Stone Panda | | Stone Panda | | | BRONZE RIVERSIDE | APT10 | | | MenuPass Team | | menuPass | Red Apollo, CVNX, POTASSIUM, Cloud Hopper, Hogfish, TA429, Cicada, TALONITE, DEV-0401 | G0045 | Dust Storm | Cloud Hopper | ChessMaster | Poison Ivy, EvilGrab, IEChecker, ChChes, PlugX, RedLeaves, Quasar, CobaltStrike, Trochilus, UPPERCUT (aka ANEL), StoneNetLoader | Healthcare, Pharma, Defense, Aerospace, Government, MSP | Data exfil over common TCP services (RDP, HTTPS) | Compromise & Persistence: BUGJUICE, SOGU, SNUGRIDE, Group 27 | Profile slide 13 & 14 | http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem | http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf | https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf | https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-february-24th/ | https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/ | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/ | https://www.us-cert.gov/ncas/alerts/TA17-117A | https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf | https://www.lac.co.jp/lacwatch/people/20180521_001638.html | https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html | https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ | https://blog.ensilo.com/uncovering-new-activity-by-apt10 | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks | https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/ | https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group | | | | | |
Temper Panda | | Temper Panda | Admin338 | Team338 | | | admin@338 | | 338 Team | | | | | admin@338 | | | Poison Ivy, jRat, LOWBALL, BUBBLEWRAP | Target Gov + Military, DIB, Financial/Think Tanks, Telco, Academia, Religious organisations | | | “PdPD” (50 64 50 44) marker for encrypted binaries | https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html | https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html | | | | | | | | | | | | | | | | | | | | | |
Test Panda | | Test Panda | | | | | | | | | | | | | | | | | | | Listed slide 8 | http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem | | | | | | | | | | | | | | | | | | | | | | |
Toxic Panda | | Toxic Panda | | | | | | | | | | | | | | | | Dissident Groups | | | Listed slide 4 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf | | | | | | | | | | | | | | | | | | | | | | |
Twisted Panda | | | | | | | | | | | | | | | | | | | | Stone Panda, Mustang Panda | | https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/ | | | | | | | | | | | | | | | | | | | | | | |
Union Panda | | Union Panda | | | | | | | | | | | | | | | | Industrial companies | | | Listed slide 4 | http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf | | | | | | | | | | | | | | | | | | | | | | |
Vicious Panda | | | | | | | | | | | | | | | | | | | | | | https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/ | https://securelist.com/apt-trends-report-q2-2020/97937/ | | | | | | | | | | | | | | | | | | | | | |
Violin Panda | | Violin Panda | | | | APT8 | APT20 | | | | | Covert Grove | | th3bug | Wocao | | Poison Ivy, CAKELOG, CANDYCLOG, COOKIECLOG, CETTRA | Energy, Chemical Industry, Healthcare and Pharma | | | Listed slide 12 | http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777 | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf | https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ | | | | | | | | | | | | | | | | | | | | |
Wet Panda | | Wet Panda | | | | | | | | | | | | | | | PlugX | Energy | | | Mentioned in 2014 Global Threat Report using PlugX (pg 22) | http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf | http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777 | | | | | | | | | | | | | | | | | | | | | |
? | | | | | | | | | | | | | | | | | UP007, SLServer, Grabber, T9000, Kivars, PlugX, Gh0StRAT, Agent.XST | Tibetans, Hong Kong, Taiwanese interests and human rights workers, Uyghur Interests | Active | IXESHE (see PWC report) | | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | https://citizenlab.org/2016/04/between-hong-kong-and-burma/ | http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html | | | | | | | | | | | | | | | | | | | | |
? | | | | | | | | | | | | | | | | | | | | IXESHE (malware), Etumbot, Numbered Panda | | https://web.archive.org/web/20151217200415/https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf | | | | | | | | | | | | | | | | | | | | | | |
? | | | | | | | | | | | | | | | | | | Afghan Government | Watering Hole | Operation Poisoned Hurricane | https://www.threatconnect.com/operation-poisoned-helmand/ | | | | | | | | | | | | | | | | | | | | | | |
? | | | | | | APT1? | | | | | | | | Titan Rain | | | | USA | | | web archive link to 12/12/2005 article about Titan Rain, ZDNet link dated 11/23/2005 is similar article | http://web.archive.org/web/20081011233241/http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html | https://www.zdnet.com/article/security-experts-lift-lid-on-chinese-hack-attacks/ | | | | | | | | | | | | | | | | | | | | | |
? | | Maverick Panda | PLA Navy | Sykipot | | APT4? | | | | | | | | | | | | DIB (Defence Industrial Base) and other government organizations | | | https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments | http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/ | | | | | | | | | | | | | | | | | | | | | |
Calypso | | | | | | | | | | | | Links to Sykipot, Pitty Tiger, Comment Crew, Mirage | | | | | Byebe, CMStar, Calypso RAT, PlugX | | | | | https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/ | https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf | | | | | | | | | | | | | | | | | | | | | |
Tropic Trooper | | KeyBoy | | | | | | | | | | | G0081 | | | | Poison Ivy, PCShare, Yahoyah | Taiwan, High-Tech in Asia, Taiwanese Government, Fossil Fuel Provider, Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries | | Pirate Panda & KeyBoy | Group based in Xiamen, in same area as PLA Navy. Likely a navy SIGINT TRB | http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ | https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ | https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/ | https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/ | | | | | | | | | | | | | | | | | | | |
APT41 | | | | | | APT41 | | | | | | | G0096 | | | | CRACKSHOT, GEARSHIFT, HIGHNOON, JUMPALL, POISONPLUG, HOTCHAI, LATELUNCH, LIFEBOAT, LOWKEY, NJRAT, PACMAN, PHOTO, POTROAST, ROCKBOOT, SAGEHIRE, SWEETCANDLE, SOGU, TERA, TIDYELF, WIDETONE, WINTERLOVE, XDoor, Xmrig, ZxShell | | | | Overlap with BARIUM and Winnti | https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html | https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html | https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html | https://www.bankinfosecurity.com/feds-chinese-hacking-group-undeterred-by-indictment-a-20153 | | | | | | | | | | | | | | | | | | | |
Poison Carp | | | | | | | | | | | | Earth Empusa | | | | | ActionSpy, ScanBox, BeEF, Evil Eye | This threat actor targets smartphones associated with Tibetan and Uyghur activists for espionage purposes. | Strategic web compromise (watering hole) | | | https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/ | https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html | https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ | https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/ | https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/ | | | | | | | | | | | | | | | | | | |
AVIVORE | | | | | | | | | | | | | | | | | PlugX, Mimikatz, WmiExec | aerospace and defence industries in the UK and Europe | | | | https://www.contextis.com/en/blog/avivore | https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-005.pdf | | | | | | | | | | | | | | | | | | | | | |
APT-C-01 | | | | | | | | | | | | PoisonVine | | | | | Poison Ivy, ZxShell, Kanbox RAT, CVE-2012-0158, CVE-2014-6352, CVE-2017-8759 | government agencies, military individuals, research institutes, maritime agencies | | | | https://ti.qianxin.com/blog/articles/analysis-of-apt-c-01/ | https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf | http://blogs.360.cn/post/APT_C_01_en.html | https://www.netscout.com/sites/default/files/2019-02/SECR_001_EN-1901%20-%20NETSCOUT%20Threat%20Intelligence%20Report%202H%202018.pdf | https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/ | https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf | | | | | | | | | | | | | | | | | |
DarkUniverse | | | | | | | | | | | | | | | | | ItaDuke | Tibet and Uyghur activists, Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates | Spearphishing w/CVE-2013-0640 weaponized PDF | | | https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/ | https://www.alienvault.com/blogs/labs-research/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists | https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/ | | | | | | | | | | | | | | | | | | | | |
Taskmasters | | | | | | | | | | | | | | | | | RemShell, 404-Input-shell, Eternal Blue, Scheduled Tasks | Military, government, telecommunication, small businesses | | | | https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/ | https://www.youtube.com/watch?v=XYuclHsoQO4&feature=youtu.be | https://blog.group-ib.com/task | | | | | | | | | | | | | | | | | | | | |
GALLIUM | | | | | | | | | | | | Soft Cell, UNSC 2814, Alloy Taurus, Granite Typhoon | | | | | BlackMould, China Chopper, PoisonIvy, QuarkBandit, Htran, NBTScan, PsExec, Winrar, Netcat | Telecom | | | | https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ | https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers | https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos | https://unit42.paloaltonetworks.com/pingpull-gallium/ | https://unit42.paloaltonetworks.com/alloy-taurus/ | | | | | | | | | | | | | | | | | | |
RANCOR | | | | | | | | | | | | | G0075 | | | | KHRAT Trojan, Derusbi, Dudell, DDKONG Plugin | South-East Asia | | DragonOK | | https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ | https://meltx0r.github.io/tech/2019/09/11/rancor-apt.html | https://research.checkpoint.com/rancor-the-year-of-the-phish/ | https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/ | | | | | | | | | | | | | | | | | | | |
ChinaZ | | | | | | | | | | | | | | | | | Linux.BackDoor.Xnote.1, Linux/BillGates.Lite, Linux/UDPfker | | | | | https://news.drweb.com/show/?i=9272&lng=en&c=5 | https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html | https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html | https://www.intezer.com/blog-chinaz-relations/ | https://www.intezer.com/blog-chinese-apts-rising-ia-community-may-2019/ | https://www.intezer.com/blog-chinaz-introduces-new-undetected-malware/ | https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf | | | | | | | | | | | | | | | | |
APT-C-37 | | Slap Bear | Papa Bear | Pat/Patted Bear | | | | | | | | | | | | | | | | | | http://blogs.360.cn/post/analysis-of-apt-c-37.html | https://zhuanlan.kanxue.com/article-8168.htm | https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ | https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37 | | | | | | | | | | | | | | | | | | | |
APT-C-27 | | Goldmouse/Gold Mouse/Gold Rat | | | | | | | | | | | | | | | | Middle East | | Link to OilRig? | | https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/ | https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/ | https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf | | | | | | | | | | | | | | | | | | | | |
Storm Cloud | | | | | | | | | | | | | | Holy Water | | | Godlike12, SweetAlerts | | Strategic web compromise (watering hole) | | | | | | | | | | | | | | | | | | | | | | | | | |
TA410 | | | | | | | | | | | | | | | | | LookBack, FlowCloud | utility providers across the U.S. | | APT10 | | https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new | https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/ | | | | | | | | | | | | | | | | | | | | | |
SixLittleMonkeys | | Microcin | | | | | | | | | | | | | | | Microcin, BYEBY, Mikroceen | Central Asia, Russian military, Belarus, Mongolia | | Link to Vicious Panda | | https://securelist.com/steganography-in-contemporary-cyberattacks/79276/ | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf | https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/ | https://securelist.com/microcin-is-here/97353/ | https://securelist.com/apt-trends-report-q2-2019/91897/ | | | | | | | | | | | | | | | | | | |
HAFNIUM | | | | | | | UNC2639, UNC2640, UNC2643 | Ant | | | | | | Operation Exchange Marauder | | | Covenant, Procdump, 7-Zip, Nishang, PowerCat | Microsoft Exchange Server | | | | https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ | https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection | https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/ | https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/ | | | | | | | | | | | | | | | | | | |
Luminous Moth | | | | Luminous Moth | | | | | | | | | | | | | | South East Asia | | Mustang Panda | | https://securelist.com/apt-luminousmoth/103332/ | | | | | | | | | | | | | | | | | | | | | | |
Spiral | | | | | | | | | | | | | | | | | SolarWinds Orion API (CVE-2020-10148), SUPERNOVA | | | | | https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group | | | | | | | | | | | | | | | | | | | | | | |
Sparkling Goblin | | | | | | | | | | | | | | | | | CROSSWALK, SideWalk | academic sectors in Macao, Hong Kong and Taiwan; a religious organization in Taiwan; a computer and electronics manufacturer in Taiwan; government organizations in Southeast Asia; an e-commerce platform in South Korea; the education sector in Canada; media companies in India, Bahrain, and the USA; a computer retail company based in the USA; local government in the country of Georgia; unidentified organizations in South Korea and Singapore | | Winnti, APT41 | | https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/ | https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf | | | | | | | | | | | | | | | | | | | | | |
APT5 | | | | | BRONZE FLEETWOOD | | | | | | | MANGANESE | | | | | BRIGHTCREST, SWEETCOLA, SPIRITBOX, PALEJAB, WIDERIM, WINVAULT, HAPPYSAD, BIRDWORLD, FARCRY, CYFREE, FULLSILO, HELLOTHEWORLD, HAZELNUT, GIF89A, SCREENBIND, SHINYFUR, TRUCKBED, LEOUNCIA, FREESWIM, PULLTAB, HIREDHELP, NEDDYHORSE, PITCHFORK, BRIGHTCOMB, ENCORE, TABCTENG, SHORTLEASH, CLEANACT, BRIGHTCYAN, DANCEPARTY, HALFBACK, PUSHBACK, COOLWHIP, LOWBID, TIGHTROPE, DIRTYWORD, AURIGA, KEYFANG, Poison Ivy, Comfoo, Skeleton Key | Regional telecommunication providers, Asia-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology. | | UNC2630 | | https://www.fireeye.com/current-threats/apt-groups.html | https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html | https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers | https://www.secureworks.com/research/threat-profiles/bronze-fleetwood | https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF | | | | | | | | | | | | | | | | | | |
RedFoxtrot | | | | | | | | | | | | | | | | | PlugX-Talisman, ShadowPad, GUNTERS | South Asia Telecom & Defense | | ?Moshen Dragon, Nomad Panda, Goblin Panda, LuckyMouse, Cycldek, Emissary Panda, TG-3390 | | https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/ | https://go.recordedfuture.com/redfoxtrot-insikt-report | https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/ | https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/ | https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html | | | | | | | | | | | | | | | | | | |
IronHusky | | | | | | | | | | | | | | | | | MysterySnail, CVE-2021-40449 | | | Vicious Panda | | https://securelist.com/apt-trends-report-q1-2018/85280/ | https://securelist.com/apt-trends-report-q2-2020/97937/ | https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/ | | | | | | | | | | | | | | | | | | | | |
Antlion | | | | | | | | Antlion | | | | | | | | | Xpack, JpgRun, EHAGBPSL, NetSessionEnum | Financial Services in ROC (Taiwan) | | | | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks | | | | | | | | | | | | | | | | | | | | | | |
DEV-0322 | | | | | | | | | | | | | | TiltedTemple | | | | US Defense Industrial Base, higher education, consulting services, and information technology sectors | Serv-U Secure FTP; exploitation of ZOHO ManageEngine ADSelfService Plus | TG-3390, Emissary Panda, APT27 | | https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ | https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/ | https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ | https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/ | | | | | | | | | | | | | | | | | | | |
Curious Gorge | | | | | | | | | | | | | | | | | | government & military organizations in Ukraine, Russia, Kazakhstan, and Mongolia | | | Subordinate to Strategic Support Force | https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/ | https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/ | | | | | | | | | | | | | | | | | | | | | |
Scarab | | | | | | | | | | | | | | | | | Scieron, Trojan.Scieron, Trojan.Scieron.B | Russia, Ukraine | | UAC-0026 | | https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments | https://otx.alienvault.com/pulse/54c7e1e811d4085eb82e0598/ | https://cert.gov.ua/article/38097 | https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/ | https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/ | | | | | | | | | | | | | | | | | | |
BackdoorDiplomacy | | | | CloudComputating | | | | | | | | | G0135 | | | | Quarian, Turian, Follina | | | | Kaspersky = CloudComputating = Chinese in 2Q2017 APT summary, CloudComputating = BackdoorDiplomacy in 3Q2021 APT summary, ESET CloudComputating = BackdoorDiplomacy using Turian & Quarian | https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ | https://securelist.com/?s=CloudComputating | https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day | | | | | | | | | | | | | | | | | | | | |
Earth Berberoka | | | | | | | | | | | | GamblingPuppet, Gambling Puppet | | | | | | Chinese gambling websites, one education-related government institution, two IT services companies, and one electronics manufacturing company | | Emissary Panda, Iron Tiger | | https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf | https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf | | | | | | | | | | | | | | | | | | | | | |
RedAlpha | | | | | | | | | | | | | | | | | | | | DeepCliff, Red Dev 3 | | https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/ | https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf | https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf | | | | | | | | | | | | | | | | | | | | |
Bluebottle | | | | | | | | | | | | | | | | | | | | | | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa | | | | | | | | | | | | | | | | | | | | | | |
DragonSpark | | | | | | | | | | | | | | | | | | | | | | https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/ | | | | | | | | | | | | | | | | | | | | | | |
Yanluowang | | | | | | | | | | | | | | | | | | | | | | https://darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics | | | | | | | | | | | | | | | | | | | | | | |
LuoYu | | | | | | | | | | | | | | | | | | | | | | https://thestack.technology/kaspersky-luoyu-windealer-man-on-the-side/ | | | | | | | | | | | | | | | | | | | | | | |
Aoqin Dragon | | | | | | | | | | | | | | | | | | | | | | https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/ | | | | | | | | | | | | | | | | | | | | | | |
Earth Yako | | | | | | | | | | | | | | RestyLink | | | | Japan & Taiwan | | | | https://security.macnica.co.jp/blog/2022/05/iso.html | https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink | https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_5_hara-higashi-shoji_en.pdf | https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html | | | | | | | | | | | | | | | | | | | |
Dark Pink | | | | | | | | | | | | Saaiwc Group | | | | | | ASEAN (Vietnam, Malaysia, Indonesia, Cambodia, Philippines), Bosnia and Herzegovina | | | | https://mp.weixin.qq.com/s/G3gUjg9WC96NW4cRPww6gw | https://blog.group-ib.com/dark-pink-apt | https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries | | | | | | | | | | | | | | | | | | | | |