APT Groups and Operations


1	General Information		How to Search in this Spreadsheet?
2	Topic	Comment
3	Motive	Cyber security companies and Antivirus vendors use different names for the same threat actors and often refer to the reports and group names of each other. However, it is a difficult task to keep track of the different names and naming schemes. I wanted to create a reference that answers questions like "I read a report about the 'Tsar Team', is there another name for that group?" or "Attackers used 'China Chopper' webshell, which of the APT groups did use that shell too?" or "Did he just say 'NetTraveler'? So, does he talk about Chinese or Russian attackers?"	1. Step Use Ctrl+F / Command+F to bring up the search field, then click on the dotted vectical line next to the "X"
4	Hints	- Each active country / region has its own tab - The "Other" tab contains actors from certain regions not covered by the main tabs - The "Unknown" tab is used for groups and operations with no attribution - Cells with overlaps are highlighted in gray - overlaps are no error per se but necessary to visualize that groups tracked by one vendor are divided into two different groups by another vendor	2. Step Type the keyword you search for in the "Find" field and click on the "Find" button or press Enter. This will search the keyword in all tabs of the spreadsheet.
5	Disclaimer	Attribution is a very complex issue. This list is an intent to map together the findings of different vendors and is not a reliable source. Most of the mappings rely on the findings in a single incident analysis. Groups often change their toolsets or exchange them with other groups. This makes attribution of certain operations extremely difficult. However, we decided that even an uncertain mapping is better than no mapping at all. Be aware that information published here may be wrong, quickly outdated, or may change based on evolving information. People tend to comment on the sheet. Sometimes they add threat intel that isn't TLP:WHITE but taken from some fee-based platform. Please let me know if confidential information has been disclosed.
6	Known Issues	- Groups named after the malware (families) they've used - Groups named after a certain operation - Lists / tables are not normalized to allow a better overview by avoiding too many spreadsheets - Some groups have now been discovered to be "umbrella" terms for sub-groups. (e.g. Lazarus has subgroups; Winnti's "Burning Umbrella" report )
7	Search	Press CTRL+F or Command+F and then use the Symbol with the three dots to bring up the search dialogue that looks in the full workbook for your keywords
8	Overlaps	Names that appear multiple times are shaded in a light grey
9	First Release	12/26/2015
10	License	CC Creative Commons - Attribution 4.0 International (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
11	Access Rights	Everyone: READ / COMMENT Invited Editors: READ / COMMENT / WRITE
12	Support	Please contact me (@cyb3rops) if you would like to modify or add content to these lists. I will gladly give you write access to this list if: - I know you personally or from my Twitter stream - you are a threat intel researcher / malware analyst with some reference - you are a vendor representative - you are an author of the listed sources (see '_Sources' work sheet) Please provide you email address if you are interested in helping me (preferably Gmail - this allows native access via the connected Google account)
13	Search Engine	https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc
14	Short URL	https://apt.threattracking.com
15
16	Contributors
17	Name / Nickname	Twitter Handle
18	Pasquale Stirparo	@pstirparo
19	David Bizeul	@davidbizeul
20	Brian Bell	No Twitter Account
21	Ziv Chang	@Gasgas4Ggyy
22	Joel Esler	@joelesler
23	Kristopher Bleich	@kc0iqx_bleich
24	Maite Moreno	@mmorenog
25	Monnappa K A	@monnappa22
26	J. Capmany	@theweeZ
27	Paul Hutchinson	@AllAboutAPT
28	Boris Ivanov	@BlackCaesar1973
29	Andre Gironda	@andregironda
30	Devon Ackerman	@aboutdfir
31	Carlos Fragoso	@cfragoso
32	Eyal Sela	@eyalsela
33	Florian Egloff	@egflo
34	Ohad Zaidenberg	@ohad_mz
35	Gary Warner	@GarWarner
36	Efi Pecani	@Excited_Efi
37	And many helpful people that just commented on cells - thank you!


1	China
2	Common Name	CrowdStrike	IRL	Kaspersky	Secureworks	Mandiant	FireEye	Symantec	iSight	Cisco (Sourcefire/VRT > Talos)	Palo Alto Unit 42	Other Names	MITRE ATT&CK	Operation 1	Operation 2	Operation 3	Operation 4	Toolset / Malware	Targets	Modus Operandi	Overlaps to	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25

3	Comment Crew	Comment Panda	PLA Unit 61398		TG-8223	APT1			BrownFox	Group 3		GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor	G0006	Shady RAT	GhostNet			WEBC2, BISCUIT and many others	U.S. cybersecurity firm Mandiant, later purchased by FireEye, released a report in February 2013 that exposed one of China's cyber espionage units, Unit 61398. The group, which FireEye called APT1, is a unit within China's People's Liberation Army (PLA) that has been linked to a wide range of cyber operations targeting U.S. private sector entities for espionage purposes. The comprehensive report detailed evidence connecting APT1 and the PLA, offered insight into APT1's operational malware and methodologies, and provided timelines of the espionage it conducted.				http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf	http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?emc=na&_r=2&	https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators	https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network	http://www.nartv.org/mirror/ghostnet.pdf
4	APT2	Putter Panda	PLA Unit 61486		TG-6952	APT2				Group 36		SearchFire	G0024					Their activities are commonly known to be exploiting CVE-2012-0158 (MSOffice vulnerability in MSCOMCTL.OCX) in SpearPhising operations. Related malware: Moose, Warp, MSUpdater	This threat actor targets firms in the technology (communications, space, aerospace), research, defense, and government sectors in the United States for espionage purposes. The tools and infrastructure it uses overlap with PLA Unit 61398.				http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf	http://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/
5	UPS	Gothic Panda			TG-0110	APT3		Buckeye	UPS Team	Group 6		Boyusec – the Guangzhou Boyu Information Technology Company, Ltd	G0022	Clandestine Fox	Double Tap	Clandestine Wolf		Shotput, Pirpi, PlugX/Sogu, Kaba, Cookie Cutter, many 0days: IE, Firefox, and Flash, SportLoader, Shadow Brokers exploits, DoublePulsar, Bemstour, Filensfer	This threat actor targets and compromises entities in the defense, construction, technology, and transportation sectors. Up until 2015, it was primarily focused on U.S. and UK entities, but it shifted to Hong Kongâ€“based targets afterward. Aerospace and Defence; Construction and Engineering; Energy; High Tech; Nonprofit; Telecommunications; Transportation				https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html	http://www.secureworks.com/resources/blog/research/threat-group-0110-targets-manufacturing-and-financial-organizations-via-phishing/	http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong	https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/	https://www.fireeye.com/current-threats/apt-groups.html	https://www.recordedfuture.com/chinese-mss-behind-apt3/	http://freebeacon.com/national-security/u-s-indicts-three-chinese-hackers-linked-security-firm/amp/	https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html?noredirect=on&utm_term=.209df584e031	https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/	https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit
6	IXESHE	Numbered Panda			TG-2754 (tentative)	APT12	BeeBus		Calc Team	Group 22		DynCalc, Crimson Iron, DNSCalc	G0005	NYT Oct 2012				Etumbot, Riptide, Hightide, ThreeByte, Waterspout, Mswab, Gh0st, ShowNews, 3001	This threat actor targets organizations in Japan, Taiwan, and elsewhere in East Asiaâ€”including electronics manufacturers and telecommunications companiesâ€”for espionage purposes.				http://www.crowdstrike.com/blog/whois-numbered-panda/	http://www.computerworld.com/s/article/9241577/The_Chinese_hacker_group_that_hit_the_N.Y._Times_is_back_with_updated_tools?taxonomyId=17	http://blog.crowdstrike.com/whois-numbered-panda/	http://www.secureworks.com/cyber-threat-intelligence/threats/analysis-of-dhs-nccic-indicators/	http://blog.trendmicro.com/taking-a-bite-out-of-ixeshe/	http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/	https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/	http://blog.macnica.net/blog/2017/08/post-fb81.html
7	APT16					APT16							G0023					ELMER backdoor, Gh0st, HTRAN, UNICAT,Poison Ivy, Pandora	This threat actor targets and compromises Japanese and Taiwanese entities in the finance, tech, media, and government sectors.	Spear phishing email delivering a malicious Microsoft Word document exploiting EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader (IRONHALO), or a backdoor (ELMER). Also known to be using compromised VPN credentials to maintain network persistency.			https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html	https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html	https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/	https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/
8	Hidden Lynx	Aurora Panda				APT17	Deputy Dog	Hidden Lynx	Tailgater Team	Group 8		Burning Umbrella	G0025	Ephemeral Hydra				BLACKCOFFEE, WEBCnC, Joy RAT, PlugX, Trojan.Naid, Backdoor.Moudoor, Backdoor.Vasport, Backdoor.Boda, Trojan.Hydraq, ZxShell, Sakula, China Chopper, DestroyRAT	Government, defense & aerospace, industrial engineering, NGOs				http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html	http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf	http://www.darkreading.com/attacks-and-breaches/chinese--hidden-lynx--hackers-launch-widespread-apt-attacks/d/d-id/1111589?page_number=2	https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf	http://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/	https://401trg.com/burning-umbrella/	https://www.infosecurity-magazine.com/news/chinese-espionage-group-widescale/	https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/	https://www.bloomberg.com/features/2021-supermicro/
9	Wekby	Dynamite Panda			TG-0416	APT18						TA428	G0026	Maudi				HTTPBrowser, TokenControl, HcdLoader, PisLoader, TManger	Aerospace and Defence; Construction and Engineering; Education; Health and Biotechnology; High Tech; Telecommunications; Transportation				https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem	https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop	https://www.volexity.com/blog/2015/07/08/158-2/	http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/	https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf	https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology	https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger	https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf	https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/	https://www.recordedfuture.com/china-linked-ta428-threat-group/	https://blog.group-ib.com/task	https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/	https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf
10	Axiom					APT17			Tailgater Team	Group 72		Dogfish (iDefense), Deputy Dog (iDefense), Winnti Umbrella	G0001	SMN				Winnti, Gh0st RAT, PoisonIvy, HydraQ, Hikit, ZxShell, Deputy Dog, Derusbi, PlugX, HTRAN, HDRoot, Fscan, Timestomper			Shell Crew, Hidden Lynx, Axiom	Use "Skeleton Key" on DCs	http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/	http://www.novetta.com/files/5614/1329/6232/novetta_cybersecurity_exec_summary-3.pdf	http://www.novetta.com/2015/04/operation-smn-winnti-update/	https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/	https://401trg.com/burning-umbrella/	https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/
11	Winnti Group	Wicked Panda			BRONZE ATLAS	APT41						Winnti Umbrella, BARIUM, LEAD, RedEcho, Vanadinite, TAG-22	G0044					Winnti, AceHash, PlugX, Webshells, ZxShell, ShadowPad, LightSpy	ThyssenKrupp, Gameforge, Valve, Teamviewer,Siemens, Sumitomo, BASF, Covestro, Shin-Etsu, Bayer, Roche		Deep Panda, Wicked Spider		http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/	https://www.protectwise.com/blog/winnti-evolution-going-open-source.html	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/january/windows-firewall-hook-enumeration/	https://www.nccgroup.trust/globalassets/our-research/uk/technical-advisories/2015/derusbi-server-technical-note-1-1-tlp-white.pdf	https://lab52.io/blog/winnti-group-geostrategic-analysis-and-ttp/	https://401trg.com/burning-umbrella/	https://web.br.de/interaktiv/winnti/index.html	https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf	https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-vanadinite/	https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/	https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware	https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/	https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/	https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf	https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials
12	Shell Crew	Deep Panda		WebMasters		APT19	KungFu Kittens			Group 13		Sh3llCr3w, PinkPanther, Winnti Group	G0009	Anthem	OPM	Anthem Hack		Sakula/Sakurel, Derusbi, Scanbox Framework, many Webshells including China Chopper, WCE			Axiom, Winnti		http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf	https://www.isightpartners.com/2015/07/threatscape-media-highlights-update-week-of-july-29th/	https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
13	Naikon	Lotus Panda	PLA Unit 78020	Naikon		APT30		Thrip, Billbug					G0019	MsnMM	Naikon	Camera Shy		RARSTONE, BACKSPACe, NETEAGLE, XSControl	satellite communications operator, Telecoms, and Defense Companies, Hong Kong				https://securelist.com/analysis/publications/69953/the-naikon-apt/	http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/	https://www.threatconnect.com/camerashy/	http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/	https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia	https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/	https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority	https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
14	Lotus Blossom			Spring Dragon							Lotus Blossom	ST Group, Esile,BitterBug	G0030	Operation Lotus Blossom				Elise Backdoor, Lstudio, CVE-2017-11882					https://securelist.com/blog/research/70726/the-spring-dragon-apt/	http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/	https://securelist.com/blog/research/70726/the-spring-dragon-apt/	http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments	http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/	https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting	https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf	https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/	https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf
15	APT6					APT6						1.php Group						Poison Ivy,	US Government Organizations			Overlaps with Operation Night Dragon	https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years	https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf	https://www.zscaler.com/blogs/research/1php-group-intrusion-set-paper	https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/tb_advanced_persistent_threats.pdf
16	APT26	Turbine Panda				APT26			Hippo Team			JerseyMikes						Cobalt, QuickPulse, credential stealers such as WCE, GSECDUMP, COATHOOK, HTRAN, SOGU, TWOCHAINS, QUICKBALL	Affected Industry: Aerospace and Defense, business and Professional Services/Legal/Accounting, High Tech Software and hardware services	Supply-chain attacks such as strategic web compromise (SWC) where the actor compromise 3rd-party service provider hosting the victim websites			https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf?mkt_tok=3RkMMJWWfF9wsRojuKrPZKXonjHpfsX/7e8tWrHr08Yy0EZ5VunJEUWy2ocITtQ/cOedCQkZHblFnV4AS626XrENqKML	https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf	https://digit.fyi/lengthy-cyber-espionage-operation-helped-china-develop-c919-airliner/
17	Mirage	Vixen Panda	Ke3Chang	Playful Dragon	GREF	APT15			Social Network Team			Mirage Team, Lurid, Social Network Team, Royal APT, Metushy, Winnti Umbrella, NICKEL, Playful Taurus, BackdoorDiplomacy	G0004	Umbrella Revolution				Mirage, (Nvidia program side-loading) PlugX, XSLCmd, TidePool, BS2005, RoyalCli, iWebRat, Russian-language decoy document, ENFAL, ENDCMD, QUICKHEAL, SOGU, CYFREE, MIRAGE, NOISEMAKER, QUICKHEAL, SWALLOWFLY, Turian Backdoor	PH, VN, TW, US, UK, IT, PL, UN, SG, NATO - Gov, Political party		Winnti	Some vendors track this group in up to 3 separate groups	http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/	https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf	http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/	https://github.com/nccgroup/Royal_APT	https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/	https://401trg.com/burning-umbrella/	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/	https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf	https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi#page=51	https://www.lookout.com/documents/threat-reports/us/lookout-moonshine-badbazaar.pdf	https://unit42.paloaltonetworks.com/playful-taurus/	https://www-zurnal24-si.translate.goog/slovenija/znano-kdo-stoji-za-napadom-na-ministrstvo-za-zunanje-zadeve-404450?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp
18	APT21	Hammer Panda	Lanzhou PLA Unit	NetTraveler		APT21						Zhenbao, Temp.Zhenbao,TravNet						NetTraveler	This threat actor targets computer networks associated with Tibetan and Uyghur activists for espionage purposes.				https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/	https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/	https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/	http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242	https://www.isightpartners.com/2014/11/threatscape-media-highlights-update-week-november-10/	http://www.securityweek.com/plugx-rat-used-gather-intel-afghan-russian-military-report
19	Ice Fog	Dagger Panda		IceFog			ICEFOG					Fucobha, Temp.Trident						Dagger Three (C2 software), Fucobha Backdoor, IceFog, RoyalRoad RTF Weaponizer	This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in US, Taiwan, Japan and South Korea.		Links to Onion Dog		https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/	https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/	http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf	http://www.darkreading.com/attacks-and-breaches/java-icefog-malware-variant-infects-us-businesses/d/d-id/1113451	https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain	https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt	https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80
20	Beijing Group	Sneaky Panda										Hydraq, SIG22, Elderwood, Elderwood Gang	G0066	Aurora				Hydraq, Elderwood Project	This threat actor targets private sector companies in the defense, shipping, aeronautics, arms, and energy sectors, as well as nonprofits and financial firms.			Possibly assisted in Operation Aurora, the RSA incident, and the Joint Strike Fighter Program compromise	https://en.wikipedia.org/wiki/Operation_Aurora#Attackers_involved	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf	http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
21	APT22	Wet Panda			BRONZE OLIVE							Barista						China Chopper, PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, LOGJAM				Possible overlap with Beijing Group	http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild
22	Suckfly												G0039					Nidiran, Korplug, PlugX	Indian organisations and Republic of Korea				http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
23	APT4	Samurai Panda	PLA Navy			APT4	APT4	Sykipot	Wisp Team													“PdPD” (50 64 50 44) marker for encrypted binaries	http://www.crowdstrike.com/blog/whois-samurai-panda/
24	Pitty Tiger	Pitty Panda					Pitty Tiger						G0011					PittyTiger, Paladin RAT				"Pitty Tiger" was originally the name of a malware payload by the malware tracker blog. Airbus and FireEye identified the actor as Chinese. CrowdStrike uses "tiger" when naming adversaries alligned with India. Crowdstrike associates the actor with the name "Pitty Panda" conforming to their naming convention for Chinese actors.	http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2	https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html	http://blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html
25	Scarlet Mimic										Scarlet Mimic		G0029					FakeM, Psylo, MobileOrder	Uyghur and Tibetan activists as well as those who are interested in their causes				http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
26	C0d0so	Codoso				APT19	Sunshop Group						G0073	Bassos Campaign				Bergard Trojan, Derusbi, TXER	Forbes, Defense, Finance, Energy, Government, Political Dissidents, Global Think Tanks	Watering Hole			https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks	http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf	http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/	https://www.proofpoint.com/us/threat-insight/post/exploring-bergard-old-malware-new-tricks	https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/
27	SVCMONDR																	CVE-2015-2545	Taiwan, Thailand		Tamper Panda	“PdPD” (50 64 50 44) marker for encrypted binaries	https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
28	Wisp Team					APT4			Wisp Team										Defense Industrial Base, US Government			iSight has mentioned tracking a China-nexus group they dub "Wisp Team" - have not resolved this w/ other naming conventions	https://www.isightpartners.com/2014/04/weeks-threatscape-media-highlights-update-2/	https://www.isightpartners.com/2014/09/weeks-threatscape-media-highlights-update-22/	https://www.isightpartners.com/2015/01/threatscape-media-highlights-update-week-january-12/
29	Mana Team								Mana Team										Australia			iSight has mentioned tracking a China-nexus activity they dub "Mana Team", targeting Australian interests - have not resolved this w/ other naming conventions	https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/
30	SPIVY																		Hong Kong dissidents				http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/
31	Mofang				BRONZE WALKER							Whitefly	G0103 (Kasperksy) G0107 (Symantec)		SingHealth			ShimRAT, ShimRATReporter	Government, military, Critical Infrastructure,Automotive Industry,Weapon Industry, This threat actor compromises government and critical infrastructure entities, primarily in Myanmar, for espionage purposes. Myanmar, Canada, United States, Germany, India, South Korea, Singapore		Superman		https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/	https://www.threatconnect.com/china-superman-apt/	https://securelist.com/big-threats-using-code-similarity-part-1/97239/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore
32	DragonOK						DragonOK				DragonOK	Dragon Castling	G0017					CVE-2015-1641, Sysget, IsSpace, Rambo Backdoor	Japan, SE Asia casino & gaming		KHRAT links to Rancor		http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/	http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/	https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor	http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf	https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/	https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
33	Group 27									Group 27								Trochilus RAT, PlugX, EvilGrab, 3102 variant of 9002 RAT			Seven Pointed Dagger, Trochilus RAT		https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf	https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/
34	Tonto Team			CactusPete			Tonto Team						G0131	Seven Pointed Dagger				RoyalRoad RTF Weaponizer					https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==	https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf	https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/	https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector	https://cert.gov.ua/article/375404	https://www.group-ib.com/blog/tonto-team/	https://asec.ahnlab.com/en/51746/
35	TA459												G0062					PlugX, NetTraveler, ZeroT, PCrat, Gh0st, RoyalRoad RTF Weaponizer	Central Asian countries, Russia, Belarus, Mongolia, and others		?NetTraveler?		https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter	https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
36	Tick				BRONZE BUTLER			Tick				REDBALDKNIGHT	G0060					whoami, procdump, VBS, WCE, Mimikatz, gsecdump, PsExec, Daserf, Gofarer, Datper, ABK Downloader, avirra Downloader, Datper, RoyalRoad RTF Weaponizer					https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan	https://www.secureworks.jp/resources/rp-bronze-butler	https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/	http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html	https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses	http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/	https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html	https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/	https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf	https://therecord.media/japanese-police-say-tick-apt-is-linked-to-chinese-military/
37	Lucky Cat											Shadow Network, SabPub, TA413 (Proofpoint)		ENDTRADE					A threat actor targets computer networks associated with Tibetan activists, as well as military research and development, aerospace, engineering, and shipping industries in India and Japan.				http://blog.trendmicro.com/trendlabs-security-intelligence/luckycat-redux-inside-an-apt-campaign/	http://www.nartv.org/mirror/shadows-in-the-cloud.pdf	https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/	http://www.securityweek.com/mac-malware-linked-luckycat-attack-campaign	http://www.infoworld.com/article/2617225/malware/sabpub-malware-proves-macs-are-an-apt-target.html	https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html	https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf	https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic
38	APT40	Leviathan				APT40	Temp.Periscope					Temp.Jumper, GADOLINIUM, MUDCARP, Hainan Xiandun Technology Company, TA423, Red Ladon, ScanBox	G0065					AIRBREAK, BADFLICK, PHOTO, HOMEFRY, LUNCHMONEY, MURKYTOP, China Chopper, Beacon, BLACKCOFFEE, CVE-2017-11882, Derusbi, RoyalRoad RTF Weaponizer	maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities				https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets	https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html	https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html	https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html	https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain	https://lab52.io/blog/leviathan-geostrategy-and-ttp-technical-tactics-and-procedures/	https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/	https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/	https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/	https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network/	https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding/	https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40/	https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf	https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/	https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea
39	PassCV				TG-3279							Winnti Umbrella, China Cracking Group,						Sabre, Kitkiot, Conpee, Etso, Runxx, dnsenum, s (custom port scanner), rdp_crk, icmp_shell, Jynxkit, Gh0st RAT, NetCommander, Carberp RAT	Gaming Companies		Winnti	Personas: Laurentiu Moon, Sincoder	https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies	https://401trg.com/burning-umbrella/	https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry#up2
40	BARIUM				TG-2633							Winnti Umbrella, BRONZE ATLAS						Winnti Rootkit malware	Electronic gaming, multimedia, Internet content industries, technology companies		Winnti		https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc	https://401trg.pw/burning-umbrella/
41	LEAD											Winnti Umbrella						Winnti Rootkit malware	Multinational, multi-industry companies, textiles, chemicals, electronics, pharmaceutical companies, manufacturing		Winnti		https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc	https://401trg.pw/burning-umbrella/	https://www.france24.com/en/20190404-bayer-victim-cyber-attack-german-media
42	Iron Group											Rocke		Bayer Cyber Attack				XBash	Cybercrime, Cryptomining, Cryptojacking				https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/	https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html	https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/	https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html	https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang#When:18:10:00Z
43	Anchor Panda	Anchor Panda										APT14, APT-14,QAZTeam,ALUMINUM						Adobe Gh0st, Poison Ivy, Torn RAT	This threat actor targets government and private sector entities interested in maritime issues in the South China Sea for espionage purposes. Maritime satellite systems, aerospace companies, and defense contractors.			“PdPD” (50 64 50 44) marker for encrypted binaries	http://www.crowdstrike.com/blog/whois-anchor-panda/
44	Aquatic Panda												G0143										https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
45	Big Panda																		Financial services firms			Mentioned by Alperovitch in 2013 article as targeting financial services industry	http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?
46	Electric Panda																					Listed on slide 8	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
47	Eloquent Panda																					Mentioned slide 15	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
48	Emissary Panda	Emissary Panda		LuckyMouse	BRONZE UNION, TG-3390	APT27			TEMP.Hippo	Group 35		ZipToken, Iron Tiger	G0027		A Tale of Two Targets			PlugX, China Chopper Webshell, HttpBrowser, Hunter, ASPXTool, wce, gsecdump, nbtscan, htran	US Gov and contractors, Western think tanks, Gaming, iGaming, Gambling		DEV-0322, Earth Berberoka	Suspected South Korean group? https://attack.mitre.org/groups/G0012/	http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/	http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states	https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/	https://www.secureworks.com/research/bronze-union	https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/	https://securelist.com/luckymouse-hits-national-data-center/86083/	https://securelist.com/luckymouse-ndisproxy-driver/87914/	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox	https://lab52.io/blog/apt27-rootkit-updates/	https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/	https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia	https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/	https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html	https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/	https://blog.group-ib.com/task	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/	https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html	https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state	https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt
49	Foxy Panda	Foxy Panda												Iron Tiger					Technology & Communications			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
50	Gibberish Panda	Gibberish Panda																				Listed slide 8	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
51	Goblin Panda	Goblin Panda	Hellsing	Cycldek								Cycldek, Conimes Team, China1937CN Team, Temp.Conimes, Earth Zhulong						ZeGhost, PlugX, tempfun, NewCore RAT, Sisfader, RoyalRoad RTF Weaponizer, BlueCore, RedCore	Southeast Asia, Government of Vietnam			Weaponizer leaked, new activity wrongly attributed to this long inactive group, possible links to Icefog/Dagger Panda and Temp.Periscope/APT40	http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/	https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain	https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html	https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf	https://securelist.com/cycldek-bridging-the-air-gap/97157/	https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/
52	Hurricane Panda	Hurricane Panda			BRONZE VINEWOOD	APT31		Black Vine	TEMP.Avengers			Zirconium, TA412			Op. Poisoned Hurricane			China Chopper Webshell, PlugX, Mimikatz, Sakula	Aerospace, Healthcare, Energy (gas & electric turbine manufacturing), Military and defense, Finance, Agriculture, Technology, Japan, United States, United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, Norway			used free DNS servers provided by Hurricane Electric	http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/	http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/	http://blog.airbuscybersecurity.com/post/2015/09/APT-BlackVine-Malware-Sakula	https://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012	http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29	https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85	https://uk.reuters.com/article/uk-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUKKCN1PV14R	https://raw.githubusercontent.com/GuardaCyber/APT-Groups-and-Operations/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf	https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains	https://research.checkpoint.com/2021/the-story-of-jian/	https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/	https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/	https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/	https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/
53	Impersonating Panda	Impersonating Panda																	Financial sector
54	Judgement Panda													Umbrella Revolution				Spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting	Upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets				https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
55	Karma Panda	Karma Panda	CactusPete	CactusPete					Tonto Team			Bisonal (malware), Lone Ranger							Dissident groups			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf	https://securelist.com/apt-trends-report-q1-2019/90643/
56	Keyhole Panda	Keyhole Panda			Bronze Fleetwood				temp.bottle										Electronics & Communications			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
57	Kryptonite Panda																	8.t exploit document builder	Cambodia				https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
58	Mustang Panda			HoneyMyte	BRONZE PRESIDENT				Temp.Hex			TA416, RedDelta, Earth Preta (TrendMicro), Stately Taurus	G0129					Cobalt Strike, PlugX, ORat, RCSession, Nbtscan, Nmap, Wmiexec, China Chopper web shell, MQsTTang	Mining sector in Mongolia, private individuals \|=\| gathering geo-political and economic intelligence, NGOs, political & law enforcement org in South and East Asia				https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/	https://securelist.com/apt-trends-report-q3-2019/94530/	https://www.secureworks.com/research/bronze-president-targets-ngos	https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/	https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf	https://kc.mcafee.com/corporate/index?page=content&id=KB92635&locale=en_US	https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader	https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-dianxun-cyberespionage-campaign-targeting-telecommunication-companies/	https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf	https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european	https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/	https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx	https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html	https://www.secureworks.com/blog/bronze-president-targets-government-officials	https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims	https://www.lac.co.jp/lacwatch/report/20221117_003189.html	https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html	https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets	https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware	https://thehackernews.com/2023/03/chinese-hackers-targeting-european.html	https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/	https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/
59	Night Dragon	Night Dragon											G0014						A threat actor compromised U.S. oil companies through spear phishing and remote administration tools. Oil, Energy and Petrochemical (OpNightDragon)				https://kc.mcafee.com/corporate/index?page=content&id=KB71150	http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
60	Nightshade Panda	Nightshade Panda				APT9						FlowerLady						Poison Ivy, PlugX, BIGJOLT,FUNRUN,GH0ST,HOMEUNIX,JIM A,PHOTO,POISON IVY,SKINNYGENE,SOGU,VICEROY,VIPSH ELL,WETHEAD,XDOOR,ZXSHELL	HK, US, SG, MY, JP, IN, KR, TH, TW - Aerospace, Agriculture, Construction, Energy, Healthcare, ,High Tech, Media, Transportation				https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/	https://www.aha.org/system/files/media/file/2020/11/hc3-threat-briefing-tlp-white-chinese-state-sponsored-cyber-activity-november-19-2020.pdf	https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Nightshade%20Panda%2C%20APT%209%2C%20Group%2027&n=1#:~:text=Names%2C%20Nightshade%20Panda%20(CrowdStrike)%20APT%209%20(Mandiant),(ASERT)%20FlowerLady%20(Context)%20FlowerShow%20(Context).%20Country%2C%20China.
61	Nomad Panda													Night Dragon				8.t exploit document builder	Central Asian nations		RedFoxtrot, Moshen Dragon		https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
62	Pale Panda													Agriculture in EU				PlugX				Mentioned in 2014 Crowdstrike Global Threat Intel Report pg 22	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
63	Pirate Panda	Pirate Panda										KeyBoys	G0081							Southeast Asia	Tropic Trooper & KeyBoy		http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/	http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html	https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/	https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks	https://citizenlab.ca/2016/11/parliament-keyboy/
64	Poisonous Panda	Poisonous Panda																	Energy technology, G20, NGOs, Dissident Groups			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
65	Predator Panda	Predator Panda																PlugX	Southeast Asia			Mentioned pg 22 & 42	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
66	Radio Panda	Radio Panda
67	Sabre Panda																		Umbrella Revolution			Listed in 2014 Global Threat Report (pg 9) - observed in Umbrella Revolution related activity (pg 28)	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
68	Spicy Panda																					Listed in 2014 Global Threat Report - no more details pg 9	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
69	Stone Panda	Stone Panda			BRONZE RIVERSIDE	APT10			MenuPass Team		menuPass	Red Apollo, CVNX, POTASSIUM, Cloud Hopper, Hogfish, TA429, Cicada, TALONITE, DEV-0401	G0045		Dust Storm	Cloud Hopper	ChessMaster	Poison Ivy, EvilGrab, IEChecker, ChChes, PlugX, RedLeaves, Quasar, CobaltStrike, Trochilus, UPPERCUT (aka ANEL), StoneNetLoader	Healthcare; Pharma, Defense, Aerospace, Government, MSP,	Data exfil over common TCP services (RDP, HTTPS)	Compromise & Persistence: BUGJUICE, SOGU, SNUGRIDE, Group 27	Profile slide 13 & 14	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem	http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf	https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf	https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-february-24th/	https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/	https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html	http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/	https://www.us-cert.gov/ncas/alerts/TA17-117A	https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf	https://www.lac.co.jp/lacwatch/people/20180521_001638.html	https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://blog.ensilo.com/uncovering-new-activity-by-apt10	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks	https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/	https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group
70	Temper Panda	Temper Panda	Admin338	Team338			admin@338		338 Team						admin@338			Poison Ivy, jRat, LOWBALL, BUBBLEWRAP	Target Gov + Military, DIB, Finiancial/Think Tanks, Telco, Academia, Religious organisations			“PdPD” (50 64 50 44) marker for encrypted binaries	https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html	https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html	https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
71	Test Panda	Test Panda												menuPass								Listed slide 8	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
72	Toxic Panda	Toxic Panda												Umbrella Revolution					Dissident Groups			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
73	Twisted Panda																				Stone Panda, Mustang Panda		https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/
74	Union Panda	Union Panda																	Industrial companies			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
75	Vicious Panda																						https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/	https://securelist.com/apt-trends-report-q2-2020/97937/
76	Violin Panda	Violin Panda				APT8	APT20					Covert Grove		Nitro Attacks	th3bug	Wocao		Poison Ivy, CAKELOG, CANDYCLOG, COOKIECLOG, CETTRA	Energy, Chemical Industry, Healthcare and Pharma			Listed slide 12	http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf	https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
77	Wet Panda	Wet Panda																PlugX	Energy			Mentioned in 2014 Global Threat Report using PlugX (pg 22)	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf	http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777
78	?													Four Element Sword				UP007, SLServer, Grabber, T9000, Kivars, PlugX, Gh0StRAT, Agent.XST	Tibetans, Hong Kong, Taiwanese interests and human rights workers, Uyghur Interests	Active	IXESHE (see PWC report)		https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/	https://citizenlab.org/2016/04/between-hong-kong-and-burma/	http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html
79	?													INOCNATION							IXESHE (malware), Etumbot, Numbered Panda		https://web.archive.org/web/20151217200415/https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf
80	?													Poisoned Helmand					Afghan Government	Watering Hole	Operation Poisoned Hurricane		https://www.threatconnect.com/operation-poisoned-helmand/
81	?					APT1?								Titan Rain	Titan Rain				USA			web archive link to 12/12/2005 article about Titan Rain, ZDNet link dated 11/23/2005 is similar article	http://web.archive.org/web/20081011233241/http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html	https://www.zdnet.com/article/security-experts-lift-lid-on-chinese-hack-attacks/
82	?	Maverick Panda	PLA Navy	Sykipot		APT4?								Sykipot, Getkys, Wyksol					DIB (Defence Industrial Base) and other government organizations				https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments	http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/
83	Calypso											Links to Skyipot, Pitty Tiger, Comment Crew, Mirage						Byebe, CMStar, Calypso RAT, PlugX					https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/	https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf	https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf
84	Tropic Trooper	KeyBoy	Earth Centaur										G0081					Poison Ivy, PCShare, Yahoyah	Taiwan, High-Tech in Asia, Taiwanese Government, Fossil Fuel Provider, Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries		Pirate Panda & KeyBoy	Group based in Xiamen, in same area as PLA Navy. Likely a navy SIGINT TRB	http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/	https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/	https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/	https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/	https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html
85	APT41					APT41							G0096					CRACKSHOT, GEARSHIFT, HIGHNOON, JUMPALL, POISONPLUG, HOTCHAI, LATELUNCH, LIFEBOAT, LOWKEY, NJRAT, PACMAN, PHOTO, POTROAST, ROCKBOOT, SAGEHIRE, SWEETCANDLE, SOGU, TERA, TIDYELF, WIDETONE, WINTERLOVE, XDoor, Xmrig, ZxShell				Overlap with BARIUM and Winnti	https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html	https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html	https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html	https://www.bankinfosecurity.com/feds-chinese-hacking-group-undeterred-by-indictment-a-20153
86	Poison Carp											Earth Empusa		Evil Eye				ActionSpy, ScanBox, BeEF, Evil Eye	This threat actor targets smartphones associated with Tibetan and Uyghur activists for espionage purposes.	Strategic web compromise (watering hole)			https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/	https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html	https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/	https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/	https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
87	AVIVORE													Airbus Attack				PlugX, Mimikatz, WmiExec	aerospace and defence industries in the UK and Europe				https://www.contextis.com/en/blog/avivore	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-005.pdf
88	APT-C-01											PoisonVine						Poison Ivy, ZxShell, Kanbox RAT, CVE-2012-0158, CVE-2014-6352, CVE-2017-8759	government agencies, military individuals, research institutes, maritime agencies				https://ti.qianxin.com/blog/articles/analysis-of-apt-c-01/	https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf	http://blogs.360.cn/post/APT_C_01_en.html	https://www.netscout.com/sites/default/files/2019-02/SECR_001_EN-1901%20-%20NETSCOUT%20Threat%20Intelligence%20Report%202H%202018.pdf	https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/	https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf
89	DarkUniverse																	ItaDuke	Tibet and Uyghur activists, Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates	Spearphishing w/CVE-2013-0640 weaponized PDF			https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/	https://www.alienvault.com/blogs/labs-research/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists	https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/
90	Taskmasters																	RemShell, 404-Input-shell, Eternal Blue, Scheduled Tasks	Military, government, telecommunication, small businesses				https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/	https://www.youtube.com/watch?v=XYuclHsoQO4&feature=youtu.be	https://blog.group-ib.com/task
91	GALLIUM											Soft Cell, UNSC 2814, Alloy Taurus, Granite Typhoon		Soft Cell				BlackMould, China Chopper, PoisonIvy, QuarkBandit, Htran, NBTScan, PsExec, Winrar, Netcat	Telecom				https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/	https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers	https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos	https://unit42.paloaltonetworks.com/pingpull-gallium/	https://unit42.paloaltonetworks.com/alloy-taurus/
92	RANCOR												G0075					KHRAT Trojan, Derusbi, Dudell, DDKONG Plugin	South-East Asia		DragonOK		https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/	https://meltx0r.github.io/tech/2019/09/11/rancor-apt.html	https://research.checkpoint.com/rancor-the-year-of-the-phish/	https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/
93	ChinaZ																	Linux.BackDoor.Xnote.1, Linux/BillGates.Lite, Linux/UDPfker					https://news.drweb.com/show/?i=9272&lng=en&c=5	https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html	https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html	https://www.intezer.com/blog-chinaz-relations/	https://www.intezer.com/blog-chinese-apts-rising-ia-community-may-2019/	https://www.intezer.com/blog-chinaz-introduces-new-undetected-malware/	https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf
94	APT-C-37	Slap Bear	Papa Bear	Pat/Patted Bear																			http://blogs.360.cn/post/analysis-of-apt-c-37.html	https://zhuanlan.kanxue.com/article-8168.htm	https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ	https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37
95	APT-C-27	Goldmouse/Gold Mouse/Gold Rat																	Middle East		Link to OilRig?		https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/	https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/	https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf
96	Storm Cloud														Holy Water			Godlike12, SweetAlerts		Strategic web compromise (watering hole)
97	TA410							Witchetty				FlowingFrog,Flowing Frog,LookingFrog,Looking Frog,JollyFrog,Jolly Frog						LookBack, FlowCloud	utility providers across the U.S		APT10		https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new	https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage	https://threatpost.com/apt-id-3-separate-actors/179435/	https://www.securityweek.com/chinese-cyberespionage-group-witchetty-updates-toolset-recent-attacks/
98	SixLittleMonkeys	Microcin																Microcin, BYEBY, Mikroceen	Central Asia, Russian military, Belarussia, Mongolia,		Link to Vicious Panda		https://securelist.com/steganography-in-contemporary-cyberattacks/79276/	https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf	https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/	https://securelist.com/microcin-is-here/97353/	https://securelist.com/apt-trends-report-q2-2019/91897/
99	HAFNIUM						UNC2639, UNC2640, UNC2643	Ant							Operation Exchange Marauder			Covenant, Procdump, 7-Zip, Nishang, PowerCat	Microsoft Exchange Server				https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/	https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection	https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/	https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/
100	Luminous Moth			Luminous Moth															South East Asia		Mustang Panda		https://securelist.com/apt-luminousmoth/103332/
101	Spiral																	SolarWinds Orion API (CVE-2020-10148), SUPERNOVA					https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group	https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group
102	Sparkling Goblin																	CROSSWALK, SideWalk	Academic sectors in Macao, Hong Kong and Taiwan, A religious organization in Taiwan, A computer and electronics manufacturer in Taiwan, Government organizations in Southeast Asia, An e-commerce platform in South Korea, The education sector in Canada, Media companies in India, Bahrain, and the USA, A computer retail company based in the USA, Local government in the country of Georgia, Unidentified organizations in South Korea and Singapore,		Winnti, APT41		https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/	https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
103	APT5				BRONZE FLEETWOOD							MANGANESE						BRIGHTCREST, SWEETCOLA, SPIRITBOX, PALEJAB, WIDERIM, WINVAULT, HAPPYSAD, BIRDWORLD, FARCRY, CYFREE, FULLSILO, HELLOTHEWORLD, HAZELNUT, GIF89A, SCREENBIND, SHINYFUR, TRUCKBED, LEOUNCIA, FREESWIM, PULLTAB, HIREDHELP, NEDDYHORSE, PITCHFORK, BRIGHTCOMB, ENCORE, TABCTENG, SHORTLEASH, CLEANACT, BRIGHTCYAN, DANCEPARTY, HALFBACK, PUSHBACK, COOLWHIP, LOWBID, TIGHTROPE, DIRTYWORD, AURIGA, KEYFANG, Poison Ivy, Comfoo, Skeleton Key	Regional telecommunication providers, Asia-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology.		UNC2630		https://www.fireeye.com/current-threats/apt-groups.html	https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html	https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers	https://www.secureworks.com/research/threat-profiles/bronze-fleetwood	https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF	https://duo.com/decipher/apt5-exploiting-new-flaw-in-citrix-adc-and-gateway#:~:text=APT5%2C%20a%20Chinese%20threat%20group%2C%20has%20used,to%20target%20a%20small%20number%20of%20organizations
104	RedFoxtrot																	PlugX-Talisman, ShadowPad, GUNTERS	South Asia Telecom & Defense		?Moshen Dragon, Nomad Panda, Goblin Panda, LuckyMouse, Cycldek, Emissary Panda, TG-3390		https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/	https://go.recordedfuture.com/redfoxtrot-insikt-report	https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/	https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/	https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
105	IronHusky																	MysterySnail, CVE-2021-40449			Vicious Panda		https://securelist.com/apt-trends-report-q1-2018/85280/https://securelist.com/apt-trends-report-q1-2018/85280/	https://securelist.com/apt-trends-report-q2-2020/97937/	https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
106	Antlion							Antlion										Xpack, JpgRun, EHAGBPSL, NetSessionEnum	Financial Services in ROC (Taiwan)				https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks
107	DEV-0322											Circle Typhoon			TiltedTemple				US Defense Industrial Base, higher education, consulting services, and information technology sectors	Serv-u Secure FTP, Exploit ZOHO ManageEngine ADSelfService Plus	TG-3390, Emissary Panda, APT27		https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/	https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/	https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/	https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
108	Curious Gorge											UNC3742							government & military organizations in Ukraine, Russia, Kazakhstan, and Mongolia			Subordinate to Strategic Support Force	https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/
109	Scarab																	Scieron, Trojan.Scieron, Trojan.Scieron.B,	Russia, Ukraine		UAC-0026		https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments	https://otx.alienvault.com/pulse/54c7e1e811d4085eb82e0598/	https://cert.gov.ua/article/38097	https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/	https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
110	BackdoorDiplomacy			CloudComputating								BackDip,Quarian	G0135					Quarian, Turian, Follina				Kaspersky = CloudComputating = Chinese in 2Q2017 APT summary, CloudComputating = BackdoorDiplomacy in 3Q2021 APT summary, ESET CloudComputating = BackdoorDiplomacy using Turian & Quarian	https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/	https://securelist.com/?s=CloudComputating	https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
111	Earth Berberoka											GamblingPuppet, Gambling Puppet							Chinese gambling websites, one education-related government institution, two IT services companies, and one electronics manufacturing company		Emissary Panda, Iron Tiger		https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf	https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
112	RedAlpha											DeepCliff									DeepCliff, Red Dev 3		https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/	https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf	https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf
113	Bluebottle											OPERA1ER,DESKTOP-GROUP,NXSMS,Common Raven											https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
114	DragonSpark																						https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/
115	Yanluowang																						https://darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics
116	LuoYu																						https://thestack.technology/kaspersky-luoyu-windealer-man-on-the-side/
117	Aoqin Dragon																						https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
118	WIP19																	SQLMaggie,ScreenCap,WinEggDrop	A new threat cluster, called WIP19, has been targeting telecommunications and IT service providers in the Middle East and Asia. The group is believed to be Chinese-speaking and involved in espionage-related activities. WIP19 uses a stolen, legitimate digital certificate issued by a Korean company called DEEPSoft to sign several malicious components. The threat actor has been using several backdoors authored by a Chinese-speaking malware author named WinEggDrop, who has been active since 2014. The activity has some overlap with Operation Shadow Force, but WIP19 represents a more mature actor that uses new malware and techniques. The group utilizes several pieces of malware, including SQLMaggie, a credential dumper, and a keylogger/screen recording component called ScreenCap. The group is said to use a less-common DLL search order hijacking of explorer.exe to load the keylogging and screen recording component.				https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/
119	Taidoor											Earth Aughisky, EarthAughisky	G0015					Roudan,LuckDLL,GrubbyRAT, Taikite,SVCMONDR,SiyBot	Earth Aughisky (also known as Taidoor) is an active advanced persistent threat (APT) group that has been consistently targeting specific targets in Taiwan and Japan over the past decade. In a recent research paper titled "The Rise of Earth Aughisky: Tracking the Campaigns Taidoor Started," the researchers provide an overview of the malware families and tools attributed to the group, including Roudan (also known as Taidoor), LuckDLL, GrubbyRAT, Taikite (also known as SVCMONDR), and SiyBot. These malware families and tools have been observed to have components that have yet to be identified or reported, indicating ongoing evolution and adaptation by the APT group. The researchers also highlight connections and overlaps between Earth Aughisky's malware and tools, including shared infrastructure, similar hashing mechanisms, and common logging mechanisms. The insights gained from this research can be used by security analysts and teams to evaluate and enhance their defense measures against Earth Aughisky's activities.				https://www.trendmicro.com/en_nl/research/22/j/tracking-earth-aughiskys-malware-and-changes.html
120	Red Menshen											Red Dev 18											https://malpedia.caad.fkie.fraunhofer.de/actor/red_menshen
121	VAPOR PANDA	VAPOR PANDA																	VAPOR PANDA leveraged the ProxyLogon exploit chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
122	ETHEREAL PANDA	ETHEREAL PANDA																GodZilla webshell
123	Nitro											Covert Grove											https://malpedia.caad.fkie.fraunhofer.de/actor/nitro
124	Returned Libra										Mining Group	8220,8220 Gang							Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.
125	Yanbian Gang											Yanbian						FunkyBot,Moqhao					https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484
126	Dark PInk											Saaiwc Group							ASEAN, Vietnamese, Malaysian, Indonesian, Cambodian, Philippines, Bosnia and Herzegovina				https://mp.weixin.qq.com/s/G3gUjg9WC96NW4cRPww6gw	https://blog.group-ib.com/dark-pink-apt	https://blog.eclecticiq.com/dark-pink-apt-group-strikes-government-entities-in-south-asian-countries	https://www.group-ib.com/blog/dark-pink-episode-2/
127	UNC3886					UNC3886																	https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence	https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem	https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening
128	FamousSparrow	Famous Sparrow		GhostEmperor		UNC4841																	https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation	https://www.cisa.gov/news-events/alerts/2023/08/29/cisa-releases-iocs-associated-malicious-barracuda-activity	https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally	https://www.barracuda.com/company/legal/esg-vulnerability	https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/	https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-famoussparrow-apt-group-spying-on-hotels-governments-and-private-companies/	https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html
129	Volt Typhoon	VANGUARD PANDA			BRONZE SILHOUETTE			Redfly										Mimikatz,ProcDump,Nbtscan,SparrowDoor	Government, Military industrial complexes, critical infrastructure,Israel,USA,Saudi Arabia,South Africa,Brazil,France,UK,Thailand	preinstalled binaries (living off the land concept)			https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/	https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations	https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/	https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks


1	Russia
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	Other Name 8	Other Name 9	Other Name 10	Other Name 11	Other Name 12	MITRE ATT&CK	Secureworks	Operation 1	Operation 2	Operation 3	Operation 4	Operation 5	Operation 6	Operation 7	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31

3	Sofacy	APT28	Sednit	Pawn Storm	Group 74	Tsar Team	Fancy Bear	Strontium	Swallowtail	SIG40	Grizzly Steppe	TG-4127	SNAKEMACKEREL,Armada Collective, Dark Power, G0007, ATK5,Fighting Ursa, ITG05,Blue Athena	G0007	IRON TWILIGHT	Russian Doll	Bundestag	TV5 Monde "Cyber Caliphate"	EFF Attack	DNC Hack	OpOlympics	Burisma	CHOPSTICK, CORESHELL, Winexe, SOURFACE, OLDBAIT, Sofacy, XAgent, XTunnel, WinIDS, Foozer, DownRange, Sedreco Dropper, Komplex, DealersChoice, Downdelph, Sednit, USBStealer, Sedkit, HideDrv (Rootkit), LoJax, Sofacy, SeduUploader	United States government, Romania, Poland, Jordan, Ukraine, Turkey		Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016. Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy	https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf	https://app.box.com/s/g55oxdd3q63hyngbjm4fbipfct94wrye	https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/	http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf	https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	http://fancybear.net/	http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/	http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/	https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/	https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf	https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf	http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html	https://apnews.com/3bca5267d4544508bb523fa0db462cb2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP	https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/	https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/	https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/	https://securelist.com/a-slice-of-2017-sofacy-activity/83930/	https://securelist.com/masha-and-these-bears/84311/	https://cdn.area1security.com/reports/Area-1-Security-PhishingBarismaHoldings.pdf	https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/	https://cybergeeks.tech/skinnyboy-apt28/	https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html	https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine?sref=ExbtjcSG	https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/	https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/	https://www.deepinstinct.com/blog/cve-2023-23397-exploitations-in-the-wild-what-you-need-to-know
4	APT29	Dukes	Group 100	Cozy Duke	EuroAPT	Cozy Bear	CozyCar	Cozer	Office Monkeys / TEMP.Monkeys	Minidionis	SeaDuke	Hammer Toss	Fritillary, Yttrium, StellarParticle, UNC3524, Cranefly	G0016	IRON HEMLOCK	Operation Ghost							Hammertoss, OnionDuke, CosmicDuke, MiniDuke, CozyDuke, SeaDuke, SeaDaddy implant developed in Python and compiled with py2exe, AdobeARM, ATI-Agent, MiniDionis, Grizzly Steppe, Vernaldrop, Tadpole, Spikerush, POSHSPY, PolyglotDuke, RegDuke, FatDuke	This threat actor targets government ministries and agencies in Europe, the US, Central Asia, East Africa, and the Middle East, associated with DNC attacks	phishing emails	Active campaign post 2016 US presidential election	https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf	https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf	http://www.volexity.com/blog/	https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf	https://www2.fireeye.com/rs/848-DID-242/images/RPT-M-Trends-2017.pdf	https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html	https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html	https://securelist.com/the-cozyduke-apt/69731/	https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/	https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a	https://www.istrosec.com/blog/apt-sk-cobalt/	https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/	https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/	https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft	https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/	https://www.mandiant.com/resources/blog/unc3524-eye-spy-email	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan	https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs	https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf	https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing
5	Turla Group	Snake	Venomous Bear	Group 88	Waterbug	Turla Team	Krypton	Uroburos	SIG23	MAKERSMARK	ITG12	SUMMIT,Турла	UNC4210,Blue Python,ATK13,Pfinet,TAG_0530,Pacifier APT,Popeye	G0010	IRON HUNTER	Satellite Turla	Epic Turla	The 'Penquin' Turla	Witchcoven	RUAG hack	Mosquito	Moonlight Maze	systeminfo, net, tasklist, gpresult, wce, pwdump, Uroburos, Turla, Agent.BTZ, Tavdig, Wipbot, Agent.dne, AdobeARM, ATI-Agent, MiniDionis, WhiteBear, Gazer, Neuron, Nautilus	Targeting several governments and sensitive businesses such as the defense industry		Turla also uses OilRig's (APT34) implants	https://securelist.com/analysis/publications/65545/the-epic-turla-operation/	https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/	https://securelist.com/blog/research/67962/the-penquin-turla-2/	https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf	https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf	https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/	https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/	https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/	https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack	https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/	https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case	http://www.sueddeutsche.de/digital/it-sicherheit-einbrechen-ausbreiten-abgreifen-1.3887843	https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/	https://www.ncsc.gov.uk/alerts/turla-group-malware	https://motherboard.vice.com/en_us/article/vvk83b/moonlight-maze-turla-link	https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf	https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/	https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments	https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/	https://securelist.com/shedding-skin-turlas-fresh-faces/88069/	https://twitter.com/lehtior2/status/893085897226412036	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims	https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0	https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/	https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/	https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims
6	Energetic Bear	Dragonfly	Crouching Yeti	Group 24	Koala Team	Berserk Bear	Anger Bear	Dymalloy	Havex	PEACEPIPE	Fertger	TEMP.Isotope	Blue Kraken,ITG15,BROMINE,Ghost Blizzard,ATK6	G0035	IRON LIBERTY								Havex RAT, Oldrea, LightsOut ExploitKit, Inveigh, PsExec, Persistence through .LNK file manipulations, Nmap, Dirsearch, Sqlmap, Sublist3r, Wpscan, Impacket, SMBTrap, Commix, Subbrute, PHPMailer, Web Shells (PHP), MCMD	This threat actor targets companies in the education, energy, construction, information technology, and pharmaceutical sectors for the purposes of espionage. It uses malware tailored to target industrial control systems. Energy, Middle East oil and natural gas as the goal, dedicated to gather relevant information, technology company in Western Europe that produces civil, military and critical infrastructure communications equipment	Active	Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf	http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans	https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/	https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group	https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/	https://www.us-cert.gov/ncas/alerts/TA17-293A	https://threatmatrix.cylance.com/en_us/home/energetic-dragonfly-dymalloy-bear-2-0.html	https://securelist.com/energetic-bear-crouching-yeti/85345/	https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf	https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html	https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector	https://www.secureworks.com/research/mcmd-malware-analysis	https://www.secureworks.com/blog/own-the-router-own-the-traffic	https://us-cert.cisa.gov/ncas/alerts/aa20-296a	https://theintercept.com/2020/12/17/russia-hack-austin-texas/	https://vblocalhost.com/uploads/VB2021-Slowik.pdf	https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/
7	ALLANITE	Palmetto Fusion												G1000
8	Sandworm	Sandworm Team	TEMP.Noble	Electrum	TeleBots	Quedagh Group	BE2 APT	Black Energy	Iridium	Hades	Voodoo Bear	Quedagh	Iron Viking ,Grey Energy	G0034	IRON VIKING	Black Energy	Ukrenergo	NPetya, NotPetya	Ukraine Power Grid 2016-12-17				CVE-2014-4114, Industroyer, CrashOverride, OlympicDestroyer, GreyEngergy Mini as their 1st-stage implant, GCat, Delphocy, Zebrocy, Zekapab	This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Ukrainian energy sector, Eastern Europe.		Linked to Kiev Dec2016 ICS cyberattack	http://www.isightpartners.com/2014/10/cve-2014-4114/	http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/	https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf	https://www.us-cert.gov/ncas/alerts/TA17-163A	https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid	https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/	https://securelist.com/from-blackenergy-to-expetr/78937/	https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/	https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/	https://securelist.com/greyenergys-overlap-with-zebrocy/89506/	https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/	https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector	https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/	https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/	https://securelist.com/olympic-destroyer-is-still-alive/86169/	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf	https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm	https://cert.gov.ua/article/39518	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/	https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-military-intelligence-officers-conducting-malicious-activity-against-u-s-critical-infrastructure/	https://cert.gov.ua/article/6123309	https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology
9	FIN7	Carbanak	Anunak	Coried,Coreid	ELBRUS	Carbon Spider,CarbonSpider	GOLD NIAGARA	Sangria Tempest	Calcium	ITG14				G0046,G0008									PowerSource	Bank of Valetta, Malta		Overlaps with Carbanak (but not the same group)	https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns	https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor	https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/	https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html	https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf	https://www.rsa.com/content/dam/premium/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf	https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/	https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/	https://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html	https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html	https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/	https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html	https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/	https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader	https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc	https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/	https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf
10	FIN8																						PowerSniff, PUNCHBUGGY, PUNCHTRACK, ShellTea, BADHATCH, PoSlurp	Hotel-Entertainment Industry, POS malware attack			https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/	https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html	https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_YARA.pdf	https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html	http://blog.morphisec.com/security-alert-fin8-is-back	https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/	https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf	https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation
11	Inception Framework	Blue Odin												G0100		Red October	Cloud Atlas							This threat actor targets governments and diplomatic organizations for espionage purposes. Suspected Operator in Ukraine working for Russia or its allies.			https://securelist.com/blog/incidents/57647/the-red-october-campaign/	http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/	https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies	https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware	https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/	https://securelist.com/recent-cloud-atlas-activity/92016/	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/	https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/
12	TeamSpy Crew	SIG39														TeamSpy							Malicious TeamViewer versions, JAVA RATs	This threat actor primarily compromises government entities and human rights activists in Eastern Europe and Central Asia for espionage purposes. It has also compromised private and public sector entities in the Middle East and in Western countries.			http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/theteamspystory_final_t2.pdf	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
13	BuhTrap	Ratopak																					AmmyAdmin, LURK, NSIS, Mimikatz, CVE-2012-0158, PuntoSwitcher (like Keylogger)				https://www.welivesecurity.com/2015/04/09/operation-buhtrap/	http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/	http://www.group-ib.com/brochures/gib-buhtrap-report.pdf	https://www.netscout.com/blog/asert/diving-buhtrap-banking-trojan-activity	https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/
14	Carberb																							USA			http://itlaw.wikia.com/wiki/Moonlight_Maze
15	???															RUAG Espionage							Turla Family, Uroburos, Snake (Carbon) Rootkit, Tavdig/Wipbot/Epic, Mimikatz, dsquery, dsget	Swiss defence department			https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
16	FSB 16th & 18th Centers	Gamaredon Group	BlueAlpha	Shuckworm	ACTINIUM	Primitive Bear	Trident Ursa	Iron Tilden	Hive0051 (IBM)					G0047		OP Armageddon	Op Gamework						Pterodo, QuietSieve, DessertDown, DinoTrain			Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto	https://lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_FINAL.pdf	http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/	https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/	https://www.recordedfuture.com/bluealpha-iranian-apts/	https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/	https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes	https://mp.weixin.qq.com/s/OfDTcrTVAgjACeh0Z5wi7w	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine	https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/	https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/#indicators-of-compromise	https://cert.gov.ua/article/39386	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine	https://blogs.cisco.com/security/network-footprints-of-gamaredon-group	https://cert.gov.ua/article/1229152	https://cert.gov.ua/article/1229152	https://unit42.paloaltonetworks.com/trident-ursa/	https://www.secureworks.com/research/threat-profiles/iron-tilden	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
17	Cyber Berkut																							Bellingcat		During Ukrainian Revolution	https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter
18	WhiteBear	Skipper Turla																					Kopiluwak	embassies and diplomatic/foreign affair organizations, defense-related organizations		Associated with Turla	https://securelist.com/introducing-whitebear/81638/
19	???															BugDrop								This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.			https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/
20	GRU GTsST (Main Center for Special Technology)																						NotPetya				https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?utm_term=.23e3c7810049
21	TEMP.Veles	Xenotime	Triton																				Triton	Oil refinery, other infrastructure			https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html	https://dragos.com/resource/xenotime/	https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/	https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html	https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html	https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html	https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf	https://www.dragos.com/blog/industry-news/manufacturing-sector-cyber-threats/
22	Zebrocy	Zebrocy																						Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, Britain, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, UAE, Qatar, Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria, Bangladesh			https://securelist.com/a-zebrocy-go-downloader/89419/	https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/	https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/	https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/	https://securelist.com/zebrocys-multilanguage-malware-salad/90680/
23	TA505	CHIMBORAZO	SectorJ04	Dudear	Spandex Tempest	ATK103	Hive0065							G0092									Dridex, The Trick, Locky, Jaff, FlawedAmmyy, GraceWire malicious software signed with valid digital signatures			TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017	https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/	https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678	https://www.databreachtoday.com/two-russians-indicted-over-100m-dridex-malware-thefts-a-13473	https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/campaigns-details.operation-sectorj04-2019.html
24	FullofDeep																						QNAPCrypt ransomware			Operates from Union State & Ukraine	https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/
25	RedCurl																						Powershell scripts	Russia, ukraine, Canada, Germany, the united Kingdom, norway, mainly targeting sectors: construction companies, financial and consulting companies, retailers, banks, insurance companies, law firms, travel agencies		Corporate espionage and theft of documents	https://www.group-ib.com/media/red-curl/
26	TA551	Shathak,Shatak	ATK236	Monster Libra										G0127	Gold Cabin								IcedID, Valak, Sliver				https://unit42.paloaltonetworks.com/valak-evolution/	https://isc.sans.edu/diary/rss/26438	https://isc.sans.edu/forums/diary/More+TA551+Shathak+Word+docs+push+IcedID+Bokbot/26674	https://unit42.paloaltonetworks.com/ta551-shathak-icedid/	https://threatresearch.ext.hp.com/detecting-ta551-domains/	https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity
27	UNC2452	Dark Halo	NOBELIUM	Silver Fish	StellarParticle											FireEye Compromise	Solarwinds Supply Chain Attack						SUNBURST, TEARDROP, SUPERNOVA Webshell (likely by other unknown group), COSMICGALE PowerShell Tool, CobaltStrike	IT sector		High sophistication, overlap to APT29, SVR, YTTRIUM	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html	https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html	https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/	https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth	https://github.com/eanmeyer/SolarwindsVulnerablityInfo	https://us-cert.cisa.gov/ncas/alerts/aa20-352a	https://github.com/center-for-threat-informed-defense/public-resources/tree/master/solorigate	https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/	https://malpedia.caad.fkie.fraunhofer.de/actor/unc2452	https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf	https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/	https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/	https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/	https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/	https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/	https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nobeliums-most-novel-attacks-cyberattack-series/	https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/
28	Ember Bear	UAC-0056	Lorec53	Lorec Bear	Bleeding Bear	Saint Bear,SaintBear	UNC2589	TA471	DEV-0586	Nascent Ursa	EmberBear	Frozen Vista,FROZENVISTA	Ruinous Ursa,Nodaria	G1003									WhisperGate wiper, Elephant Framework,Graphiron	Ukraine, limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan. Third-party reporting has also linked the group to attacks on Georgia.			https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/	https://cert.gov.ua/article/37704	https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/	https://socprime.com/blog/cobalt-strike-beacon-grimplant-and-graphsteel-malware-massively-spread-by-uac-0056-threat-actors-in-targeted-phishing-emails-cert-ua-alert/	https://www.crowdstrike.com/blog/who-is-ember-bear/	https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/	https://cert.gov.ua/article/703548	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer	https://www.mandiant.com/resources/blog/russia-invasion-ukraine-retaliation	https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader	https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/	https://www.malwarebytes.com/blog/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign	https://www.malwarebytes.com/blog/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room	https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
29	COLDRIVER	Callisto	TA446	SEABORGIUM	Calisto	TAG-53																				Overlap w/Gamaredon	https://www.f-secure.com/documents/996508/1030745/callisto-group	https://natoassociation.ca/phishing-on-the-dnieper-russian-offensive-cyber-operations-in-ukraine/	https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/	https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/	https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/	blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/	https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html	https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations	https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/Nisos-Research-Coldriver-Group.pdf
30	Vice Society	VICE SPIDER	DEV-0832	Vanilla Tempest	Vicesociety																		PrintNightmare, HelloKitty and Zeppelin ransomware	Education and research institutes			https://socradar.io/dark-web-profile-vice-society/	https://www.cybersecuritydive.com/news/microsoft-leaks-vice-society-playbook/634964/	https://www.wired.com/story/vice-society-ransomware-gang/	https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/	https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
31	Karakurt	Karakurt Lair	Karakurt Team																								https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
32	Killnet	Legion Spetsnaz RF	CYBER SPETSNAZ	Cyber Special Forces RF	Killmilk	Blackside	Phoenix,Rayd,Vera,FasoninnGung,Mirai,Jacky	Sakurajima,Kratos,Phoenix squad,AKUR,XakNet	Legion	DDOSGUNG,Impulse													killnet,aura,aura ddos,Mirai,Bobik	USA,Ukraine,Nato,Latvia,Norway,Romania,Italy Pro-Russian Hacktivism			https://cyware.com/news/cyber-spetsnazs-operation-panopticon-launches-espionage-attacks-3d49eade	https://decoded.avast.io/martinchlumecky/bobik/	https://www.google.com/url?q=https://www.bleepingcomputer.com/news/security/russian-hacktivists-take-down-norway-govt-sites-in-ddos-attacks/&sa=D&source=editors&ust=1689053536672341&usg=AOvVaw1CVKTzlK09YdPEyRlvYRhP	https://threatmon.io/killnet-in-depth-analysis-on-the-roles-of-threat-actors-and-attacks-in-the-ukraine-russia-war/	https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/	https://www.reliaquest.com/blog/killnet-the-hactivist-group-that-started-a-global-cyber-war/
33	Royal	DEV-0569	Conti	Quantum	Black Byte	Diavol	Black Basta,blackbasta	Ryuk (as FIN12)	Wizard Spider (DEV-0193)							BazarCall Campaign							BATLOADER, Royal Ransomware, Ursnif, Gozi, Vidar Stealer & Cobals Strike as well as legitimate synchro remote monitoring and management (RMM) tools.	Healthcare, manifacturing, professional, scientific, technical services, wholesale, education		Former Conti and other groups around Wizard Spider	https://blog.bushidotoken.net/2022/11/the-continuity-of-conti.html	https://socradar.io/dark-web-profile-royal-ransomware/	https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/	https://unit42.paloaltonetworks.com/bazarloader-malware/	https://www.trendmicro.com/de_de/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html	https://github.com/pan-unit42/tweets/blob/master/2023-02-07-IOCs-for-probable-Matanbuchus-activity.txt	https://twitter.com/Unit42_Intel/status/1623349272061136900
34	Revil	Water Mare	GrandCrab													Medibank November 2022							Sodinokibi, IcedID, Qakbot, PsExec, FileZilla	Transportation, Financial, Oil and Gas, Technology, Healthcare, in United States, Mexico, Germany, Japan, Israel		They are again active since November 2022 attacking Medibank in Australia	https://www.cyjax.com/2021/07/09/revilevolution/	https://www.nomios.com/resources/what-is-revil-ransomware/	https://img.nomios.com/images/Resources/2021/revil-ransomware-execution-flaw.png?auto=compress%2Cformat&fit=max&fm=jpg&q=70&w=2800&s=48724d52aa9478208925e681d6a332d6	https://analyst1.com/file-assets/History-of-REvil.pdf	https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/	https://de.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware	https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil	https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/	https://www.hhs.gov/sites/default/files/revil-update-tlpwhite.pdf
35	Bl00dy	Bloody Gang																					Babuk,Conti,LockBit 3.0				https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/	https://radetskiy.wordpress.com/2022/09/26/bl00dy-ransomware-en/
36	NoName057(16)	Nnm05716	NoName057	NoName05716	05716nnm	NoName																	mySingleMessenger			NorthKorea vs Samsung	http://securityfactory.tistory.com/332	https://www.tagesanzeiger.ch/wir-haben-ddos-raketen-gegen-die-website-des-schweizer-parlaments-geschickt-250307088918	https://www.admin.ch/gov/en/start/documentation/media-releases.msg-id-95641.html	https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
37	DoppelPaymer																						PowerShell Empire, Cobalt Strike, PsExec,Mimikatz,BitPaymer ransomware			Overlap EvilCorp	https://www.trendmicro.com/en_dk/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html	https://www.malwarebytes.com/blog/news/2023/03/doppelpaymer-ransomware-group-disrupted-by-fbi-and-european-police-agencies
38	Anonymous Sudan	storm-1359																									https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html	https://www.darkreading.com/endpoint/romcom-spies-nato-summit-zelensky-arrival
39	RomCom	Storm-0978	DEV-0978	Void Rabisu																				The RomCom APT group is a threat actor that has been active since at least 2022. It was initially associated with the Cuba ransomware and was primarily focused on targeting individuals and organizations tied to the Ukrainian government. However, its activities have since expanded to have global political ambitions. The group has been known to distribute the RomCom backdoor malware through impersonating websites of well-known or fictional software, tricking users into downloading and launching malicious installers. They have also been observed using payload encryption and obfuscation, as well as introducing new and powerful commands to enhance their capabilities. RomCom has been linked to various campaigns against Ukrainian and pro-Ukraine targets in Eastern Europe and other parts of the world. The exact goals and motivations of the RomCom operators remain unclear, but they are considered a versatile and sophisticated threat. It is recommended to defend against RomCom and other APTs with security solutions that have behavior-monitoring capabilities, can detect malicious files and messages, and block malicious URLs. Additionally, inspecting emails for malicious attachments and URLs can help organizations and individuals avoid compromise.		Overlap Cuba ransomware TA	https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries	https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass	https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine	https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit	https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection	https://cert.gov.ua/article/2394117	https://www.trendmicro.com/en_se/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html	https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/	https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html
40	DOPPEL SPIDER	Gold Heron	DoppelPaymer,doppel paymer	DoppelPaymer group	DoppelPaymer ransomware	DoppelPaymer gang																	PowerShell Empire, Cobalt Strike, PsExec,Mimikatz,BitPaymer ransomware,DoppelDridex,DoppelPaymer	healthcare, emergency services, education			https://www.trendmicro.com/en_dk/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html	https://www.malwarebytes.com/blog/news/2023/03/doppelpaymer-ransomware-group-disrupted-by-fbi-and-european-police-agencies
41	Salty Spider	KuKu	SalLoad	Kookoo	Sality	Kukacka	SaliCode																	Salty Spider is a sophisticated advanced persistent threat (APT) group that is believed to be based in Russia. The group has been active since at least 2018 and is known for targeting organizations in various industries, including technology, healthcare, and government.			https://www.crowdstrike.com/blog/who-is-salty-spider/
42	Brain Spider	RedTeam	5BIRD	exp3rt	brain	BOSS	reverse5net	bigrichy	Signature	bigboss	RAID
43	Skeleton Spider	FIN6	ITG08	Magecart Group 6	Gold Franklin	ATK88	Trinity	Camouflage Tempest,TAAL						G0037											Criminal		https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf	https://www.fireeye.com/blog/threat-research/2016/04/follow_the_money.html	https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf	https://webcache.googleusercontent.com/search?q=cache:wMkxJorBEKIJ:https://securityintelligence.com/x-force-iris-identifies-fin6-activity-on-pos-networks/+&cd=1&hl=en&ct=clnk&gl=uk&client=firefox-b	https://exchange.xforce.ibmcloud.com/collection/FIN6-Financial-Crime-Actor-f55930eb9f4438efe9101a618d6a8703	https://www.proofpoint.com/us/search/site?search_text=TA530&language=en	https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html	https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/	https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/
44	Winter Vivern	TA473	UAC-0114																							Alligned with security interests of Belarus and Russia’s governments	https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/	https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/	https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/


1	North Korea
2	Common Name	CrowdStrike	Talos Group	Dell Secure Works	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	Other Name 8	Rep. of Korea FSI	MITRE AT&CK	Operation 1	Operation 2	Operation 3	Operation 4	Operation 5	Operation 6	Operation 7	Operation 8	Operation 9	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31	Link 32	Link 33	Link 34	Link 35	Link 36	Link 37	Link 38	Link 39	Link 40	Link 41	Link 42	Link 43	Link 44	Link 45

3	Lazarus Group	Labyrinth Chollima	Group 77	Hastati Group	Bureau 121,BeagleBoyzBureau121,BeagleBoyz	Unit 121,Unit121	Whois Hacking Team,WHOis Team	NewRomanic Cyber Army Team	ZINC,APT-C-26,UNC2970,UNC577,UNC4736	Appleworm,NICKEL GLADSTONE,COVELLITE,ATK3	Hidden Cobra,Diamond Sleet,Black Artemis,	Nickel Academy, LolZarus		G0032	Troy	Blockbuster	Dark Seoul	Applejeus	Inception	NorthStar	Dream Job	KuCoin Hack	ThreatNeedle	Tdrop, Tdrop2, Troy, Destover, FallChill RAT, Volgmer, Hawup, Manuscrypt, WolfRAT, SheepRAT, HtDnDownLoader, ThreatNeedle	Believed to be responsible for Dark Seoul, Ten Days of Rain, the Sony Pictures Entertainment attack, the SWIFT-related bank heists, and WannaCry. Known to the U.S. government as Hidden Cobra. Targeting also BitCoin Exchanges, financial sector, technology/engineering sector	Delivery: usually via spear phishing email. Infrastructure: C2 often based on compromised servers,moving to own servers paid by bitcoin to preserve anonymity Persistency: tipically launching ransomware after operation to destroy evidences	Threat Recon.nshc.net alias=SectorA01	http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf	http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/	https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf	https://www.alienvault.com/open-threat-exchange/blog/operation-blockbuster-unveils-the-actors-behind-the-sony-attacks	https://www.us-cert.gov/ncas/alerts/TA17-164A	http://www.fsec.or.kr/common/proc/fsec/bbs/21/fileDownLoad/1235.do	https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/	https://www.crowdstrike.com/blog/unprecedented-announcement-fbi-implicates-north-korea-destructive-attacks/	https://www.us-cert.gov/ncas/alerts/TA17-318A	https://www.us-cert.gov/ncas/alerts/TA17-318B	https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf	https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/	https://www.darkreading.com/vulnerabilities---threats/lazarus-group-fancy-bear-most-active-threat-groups-in-2017/d/d-id/1330954?print=yes	https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity	https://securelist.com/operation-applejeus/87553/	https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/	https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing	https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/	https://objective-see.com/blog/blog_0x49.html	https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/	https://blog.alyac.co.kr/2827	https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/	https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/	https://www.clearskysec.com/operation-dream-job/	https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html	https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74	https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/	https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/	https://www.hvs-consulting.de/lazarus-report/	https://blog.chainalysis.com/reports/lazarus-group-kucoin-exchange-hack	https://securelist.com/lazarus-threatneedle/100803/	https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf	https://blog.alyac.co.kr/3814	https://www.cisa.gov/uscert/ncas/alerts/aa22-108a	https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/	https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/	https://securelist.com/dtrack-targeting-europe-latin-america/107798/	https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/	https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/	https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf	https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/	https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/	https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
4	APT37	Ricochet Chollima	Group 123	ScarCruft	APT37	Red Eyes	Reaper	Venus 121 (금성121)	THALLIUM					G0067	Reaper	Erebus	Golden Time	Evil New Year	Are you Happy?	FreeMilk	North Korean Human Rights	Evil New Year 2018	Operation Earth Kitsune	KARAE, SOUNDWAVE, ZUMKONG, RICECURRY, CORALDECK, POORAIM, SLOWDRIFT, MILKDROP, GELCAPSULE, DOGCALL, HAPPYWORK, RUHAPPY, SHUTTERSPEED, Flash Exploit CVE-2016-4117, ROKRAT, KEVDROID, BabyShark, KimJongRAT, GOLDBACKDOOR	Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare; Scarcruft Tracking: Russia, Nepal, South Korea, China, India, Kuwait and Romania		FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123	https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html	http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html	https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/	https://exchange.xforce.ibmcloud.com/collection/Fear-The-Reaper-North-Korean-Group-APT37-dc96e8bdff7573efb87d43d7584c1fbc	https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/	https://unit42.paloaltonetworks.com/unit42-reaper-groups-updated-mobile-arsenal/	https://blog.alyac.co.kr/1985	https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/	https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/	https://www.zdnet.com/article/microsoft-takes-down-50-domains-operated-by-north-korean-hackers/?mid=1#cid=8960026	https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/	https://blog.alyac.co.kr/3489	https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/?utm_source=rss&utm_medium=rss&utm_campaign=north-korean-apt-inkysquid-infects-victims-using-browser-exploits	https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/	https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/	https://0xthreatintel.medium.com/static-analysis-of-bluelight-malware-7bb0a399a54e	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf	https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/	https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/	https://blog.alyac.co.kr/5009	https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf	https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html	https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html	https://interlab.or.kr/archives/2567	https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/wirtschafts-wissenschaftsschutz/2023-03-20-sicherheitshinweis-cyberaktivitaeten.pdf?__blob=publicationFile&v=2	https://asec.ahnlab.com/en/51751/	https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/	https://asec.ahnlab.com/en/54349/
5	Andariel	Silent Chollima			DEV-0530,DEV0530	DarkSeoul,Dark Seoul	PLUTONIUM	Guardian of Peace	GOP	Onyx Sleet	Storm-0530	H0lyGh0st	Andariel	G0138	Dark Hotel	DesertWolf	Vanxatm	Mayday	INITROY	XEDA	Sony			RifDoor,Phandoor,H0lyGh0st	Information gathering and profit		Lazarus subgroup	https://www.scmagazineuk.com/war-plans-including-assassination-plan-stolen-by-north-korean-hackers/article/699089/	https://gsec.hitb.org/materials/sg2017/D1%20-%20Ashley%20Shen%20and%20Moonbeom%20Park%20-%20A%20Deep%20Dive%20into%20the%20Digital%20Weapons%20of%20the%20North%20Korean%20Cyber%20Army.pdf	http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do	http://online.wsj.com/public/resources/documents/print/WSJ_-A006-20170728.pdf	https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/	https://asec.ahnlab.com/en/48198/
6	Kimsuky	Velvet Chollima			Kimsuki,Konni	Thallium,TA408,TA427	CloudDragon,Cloud Dragon	TA406,TA-406	SharpTongue	Crooked Pisces,Osmium	Cerium,Emerald Sleet	Black Banshee,APT43,Archipelago,Ruby Sleet		G0094	Campaign Rifle									KPortScan, PsExec, Procdump, Mimikatz, Eternal suite of exploits, NirSoft MailPassView/Network Password Recovery/Remote Desktop PassView/SniffPass/WebBrowserPassView, Mechanical, Grease, KGH_SPY	This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.			http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/	http://www.reuters.com/article/us-nuclear-southkorea-northkorea-idUSKBN0MD0GR20150317	https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/	https://apt.securelist.com/#!/threat/972	https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z	https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr	https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf	https://blog.alyac.co.kr/2243	https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf	https://blog.prevailion.com/2019/09/autumn-aperture-report.html	https://www.dailynk.com/english/north-korean-hackers-mount-phishing-attack-nkhr-groups/	https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/	https://asec.ahnlab.com/1313?category=342979	https://blog.alyac.co.kr/2906	https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite	https://blog.alyac.co.kr/3368	http://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf	https://blog.alyac.co.kr/3799	https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/	https://cybleinc.com/2021/06/03/kimsuky-apt-group-distributes-fake-security-app-disguised-as-kisa-security-program/	https://teamt5.org/en/posts/clouddragon-campaign-vpn-zero-day-vulnerability-new-backdoor/	https://blog.alyac.co.kr/4130	https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf	https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/	https://ti.qianxin.com/blog/articles/spikes-from-the-kimsuky-organization-targeted-killing-of-south-korea-with-multiple-assault-weapons/	https://asec.ahnlab.com/en/54678/
7	OnionDog																								This threat actor targets the South Korean government, transportation, and energy sectors.		False Positive. APT Training by SK Government	http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml	http://zhuiri.360.cn/upload/APT-C-03-en.pdf	http://www.chinadaily.com.cn/china/2016-03/09/content_23794129.htm	http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml
8	TEMP.Hermit				APT38									G0082										VOLGMER, PEACHPIT	Korean Peninsula, US Aerospace, SWIFT-fraud operations in East Asia	Media, government, but mainly financial institutions in order to raise money for the North Korean regime: Russia, Turkey, US, Poland, Mexico, Brazil, Ururguay, Taiwan, Malaysia, Chile, Vietnam, Philippines		https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/	http://www.scmagazine.com/sony-hackers-are-still-hacking-researchers-say/article/474166/	https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html
9	?																							MaoCheng Dropper	Humanitarian Aid Groups			https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
10	Stardust Chollima	Stardust Chollima			APT38	ElectricFish	BlueNoroff	TA444 (Proofpoint)	COPERNICIUM (Microsoft)	TAG-71				G0082		Far Eastern International Bank								Dimens, MBR Killer, ElectricFish	Latin America, Mexico, Costa Rica, Chile, Argentina, financial institutions in Asia and Africa in 2018			https://app.cdn.lookbookhq.com/lbhq-production/10339/content/original/9dd0e31a-c9c0-4e1c-aea1-f35d3e930f3d/CrowdStrike_GTR_2019_.pdf	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/	https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/	https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html	https://techcrunch.com/2019/08/15/cyber-command-north-korea-malware/	https://www.thedailybeast.com/north-korean-hackers-caught-snooping-on-chinas-cyber-squad	https://www.cisa.gov/uscert/ncas/alerts/aa22-108a	https://securelist.com/bluenoroff-methods-bypass-motw/108383/	https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
11	APT43	Archipelago													Honeybee													https://www.mandiant.com/resources/reports/apt43-north-korea-cybercrime-espionage	https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/	https://blog.virustotal.com/2023/04/apt43-investigation-into-north-korean.html
12	WASSONITE														FASTCash									DTrack	WASSONITE targeting focuses on Asian entities, largely in India, as well as possibly Japan and South Korea. At this time, WASSONITE does not appear to have an ICS-specific disruptive or destructive capability. All the activity represents Stage 1 ICS kill-chain: access operations within IT networks. WASSONITE operations rely on deploying DTrack malware for remote access to victim machines, capturing credentials via Mimikatz and publicly available tools, and utilizing system tools to transfer files and move laterally within the enterprise system. Researchers first disclosed DTrack in late September 2019, and identified the tool targeting Indian financial institutions and research centers. DTrack is loosely connected to an earlier observed malware family, ATMDTrack, used for robbing ATM machines. Third-party security firms associate DTrack and its related malware to the Lazarus Group. Dragos also associates the activity group COVELLITE to Lazarus Group. However, while COVELLITE is also linked to broader Lazarus activity, this group leveraged substantially different capabilities and infrastructure to pursue a target set that does not overlap with observed WASSONITE activity.		Overlaps Lazarus Group	https://www.dragos.com/threat/wassonite/


1	Iran
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	FireEye Name	Crowdstrike	Cisco Name	MITRE ATT&CK	Operation 1	Operation 2	Operation 3	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31

3	Cutting Kitten	TG-2889	Ghambar		CuttingKitten	alibaba	Cleaver	Tarh andishan	ITSecTeam	Cutting Kitten		G0003	Cleaver			TinyZBot, PupyRAT	This threat actor targets governments and private sector entities for espionage and sabotage purposes. It is believed to be responsible for compromising U.S. Navy computers at the Navy Marine Corps Intranet in San Diego, the U.S. energy company Calpine Corporation, Saudi Aramco, Pemex, Qatar Airways, and Korean Air		COBALT GYPSY overlap with OilRig	http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/	https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf	https://www.secureworks.com/research/the-curious-case-of-mia-ash
4	Shamoon									Volatile Kitten		S0140				Shamoon / Disttrack	This threat actor targets energy sector, oil and gas industry as well as transportation and telecommunication services.	wiper		https://en.wikipedia.org/wiki/Shamoon	http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html
5	Clever Kitten									Clever Kitten	Group 41					Acunetix Web Vulnerability Scanner, PHP Webshell RC SHELL				http://www.crowdstrike.com/blog/whois-clever-kitten/
6	Madi																This threat actor compromises engineering firms, government entities, and financial and academic institutions in the United States, Israel, Iran, and Pakistan	Social engineering		https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/	https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/
7	Cyber fighters of Izz Ad-Din Al Qassam		Fraternal Jackal										Ababil / ApAbabil				The websites of Bank of America, JPMorgan Chase, Wells Fargo, and other U.S. financial institutions suffered simultaneous outages due to a coordinated denial of service cyberattack in September 2012. Attackers flooded bank servers with junk traffic, preventing users from online banking. An Iranian group called Izz ad-Din al-Qassam Cyber Fighters initially claimed responsibility for the incident. At the time, the media reported that U.S. intelligence believed the denial of service was in response to U.S. imposed economic sanctions to counter Iran's nuclear program. Seven Iranian individuals linked to the Islamic Revolutionary Guard Corps were eventually indicted by the U.S. Department of Justice in 2016 for their involvement in the incident. Israel, French and U.Kingdom	DoS		http://pastebin.com/u/QassamCyberFighters	http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html	http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html	https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
8	Chafer	Cadelle	ITG07	Rana					APT39	Remix Kitten		G0087				Remexi, PsExec, Mimikatz, Web Shells (aspx spy, b374k), nbtscan, plink, RemCom, VNC Bypass scanner, CoreSecurity tools, Impacket / Python exploits, NSSM, Remcom, HTTPTunnel, Cadelspy, PLink, SSH Tunnels to Windows Servers	Airlines, Airports, Transportation, Logistics - worldwide		Uses the same C2 infrastructure as OilRig	http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets	https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions	http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets	https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html	https://securelist.com/chafer-used-remexi-malware/89538/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/	https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/	https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/	https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf	https://threatconnect.com/blog/research-roundup-apt39-adversaries/	https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies
9	Prince of Persia	APT-C-50														Infy	This threat actor targets governments and businesses of multiple countries, including the United States, Israel, and Denmark.			https://iranthreats.github.io/	http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/	https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/	https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/	https://blogs.360.cn/post/APT-C-50.html	https://blogs.360.cn/post/APT-C-50.html	https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf	https://research.checkpoint.com/2021/after-lightning-comes-thunder/
10	Sima																focus on dissidents, woman rights activists, human rights organizations			https://iranthreats.github.io/
11	Oilrig	COBALT GYPSY	Twisted Kitten	Crambus	ITG13	Chrysene	Evasive Serpens	IRN2,ATK40,Hazel Sandstorm,Helminth,EUROPIUM,Clayslide	APT34,APT 34	Helix Kitten,HelixKitten		G0049				Helminth, ISMDoor, Clayslide, QUADAGENT, OopsIE, ALMA Communicator, customized Mimikatz, Invoke-Obfuscation,POWBAT, POWRUNER (PS Backdoor), BONDUPDATER, malicious RTF files CVE-2017-0199 and CVE-2017-11882, ELVENDOOR, PLink, PsExec, SSH Tunnels to Windows Servers, Webshells (TwoFace, DarkSeaGreenShell, LittleFace), PowDesk,Menorah,SideTwist			Uses the same C2 infrastructure as Chafer - which caused a major mixup of OilRig campaigns falsely attributed to Chafer. Also note that Turla used OilRigs implants	https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html	http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/	http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/	http://www.clearskysec.com/oilrig/	https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf	http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/	http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20	https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a	https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/	https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/	https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/	https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html	https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/	https://www.dragos.com/blog/20180517Chrysene.html	https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf	https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims	https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/	https://www.clearskysec.com/powdesk-apt34/	https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/	https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html	https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html	https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/	https://blog-cert.opmd.fr/dnspionage-retour-factuel-sur-les-attaques-annoncees-dans-differents-medias/	https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html	https://www.trendmicro.com/en_no/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html	https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/
12	CopyKittens	Slayer Kitten	DarkHydrus	LazyMeerkat								G0052	Wilted Tulip			TDTESS backdoor, Vminst, NetSrv, Cobalt Strike, ZPP, Matryoshka v1 and Matryoshka v2	Israel’s Ministry of Foreign Affairs and some well-known Israeli academic researchers specializing in Middle East Studies. Israel, Saudi Arabia, United States, Jordan, Germany		DarkHydrus C2 Infra Overlap	https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf	https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/	http://www.clearskysec.com/copykitten-jpost/	http://www.clearskysec.com/tulip/	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
13	Charming Kitten	Parastoo	iKittens	NEWSCASTER	NewsBeef	Phosphorus / Mint Sandstorm	TA453	COBALT MIRAGE, Ballistic Bobcat	APT35	Charming Kitten	Group 83	G0059	Sponsoring Access			ALFA TEaM Shell, DROPSHOT, TURNEDUP, SHAPESHIFT, malicious HTA files, MacDownloader	This threat actor uses watering hole attacks and fake profiles to lure targets from the U.S. government for espionage purposes.	Fake Social Media Account	IBM=ITG18, Overlap w/Yellow Garuda, UNC788	https://iranthreats.github.io/resources/macdownloader-macos-malware/	https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/	https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks	https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf	https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/	https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf	https://cryptome.org/2012/11/parastoo-hacks-iaea.htm	https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/	http://www.clearskysec.com/charmingkitten/	https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf	https://noticeofpleadings.com/phosphorus/files/Sealing.pdf?fbclid=IwAR1HMnynb0AaGyCI-8ejHjH-pNORfuHYOzQdsTrSpin2eRww6rRh-6VK2SI	https://securelist.com/twas-the-night-before/91599/	https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf	https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/	https://www.clearskysec.com/the-kittens-are-back-in-town-2/	https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/	https://www.clearskysec.com/the-kittens-are-back-in-town-3/	https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage	https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us	https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html	https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/	https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo	https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/	https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians	https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver	https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/	https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/	https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/	https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/	https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-iran-aligned-ballistic-bobcat-targets-businesses-in-israel-with-a-new-backdoor/
14	Greenbug															ISMdoor	Saudi Arabia		Sub group of APT34 according to Mandiant	https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon	https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/	https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/	https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/	http://www.clearskysec.com/ismagent/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
15	Magic Hound	Timberworm	MAGNALLIUM	Elfin	Refined Kitten	Holmium			APT33			G0059	Stonedrill/ Shamoon2.0			Shamoon, POWERTON, Ruler, PUPYRAT, POSHC2 (.NET backdoor), TURNEDUP, AutoIt backdoor, Gpppassword, LaZagne, Quasar RAT, Remcos, SniffPass, DarkComet, AutoIt FTP tool, .NET FTP tool, PowerShell downloader (registry.ps1), POSHC2 backdoor, different keyloggers	A threat actor used malware known as Shamoon 2.0 to exfiltrate and delete data from computers in the Saudi transportation sector. Commercial entities, Middle East, US, South Korea, DND focussed entities, Airlines, Airline suppliers.		possibly associated with Rocket Kitten and Cobalt Gypsy, Sandcat, use Recruitment themes	http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/	https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/	https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets	https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html	https://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/	https://webcache.googleusercontent.com/search?q=cache:Dicnr9-eKKYJ:https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf+&cd=6&hl=en&ct=clnk&gl=ie	https://gallery.logrhythm.com/threat-intelligence-reports/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf	https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/	https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html	https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage	https://www.securityweek.com/iranian-hackers-caused-losses-hundreds-millions-report	https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf	https://www.wired.com/story/iran-apt33-industrial-control-systems/	https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/	https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html	https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
16	Rocket Kitten	Flying Kitten	TEMP.Beanie	Saffron Rose	Ajax Security Team					Rocket Kitten	Group 26	G0059	Woolen Goldfish	Thamar Reservoir		GHOLE / Core Impact, CWoolger, FireMalv, .NETWoolger, MPK, Open source tools, Puppy RAT, MagicHound.Leash (IRC Bot), PowGoop (Downloader.Covic)	Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences. It seeks out material related to diplomacy, defense, security, journalism, and human rights for espionage purposes.			https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing	https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf	http://www.clearskysec.com/thamar-reservoir/	https://citizenlab.org/2015/08/iran_two_factor_phishing/	https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf	http://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/july/a-new-flying-kitten/	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf
17	?												Mermaid				This threat actor is based in the Middle East (possibly Iran) and targets English- and Persian-language organizations. It is alleged to be the same group behind a compromise of the Danish Ministry of Foreign Affairs.			https://ti.360.com/upload/report/file/mryxdgkb20160707en.pdf
18	ITSecTeam											G0059					One of the threat actors responsible for the denial of service attacks against U.S in 2012/2013. Three individuals associated with the group believed to be have been working on behalf of Iran's Islamic Revolutionary Guard Corps were indicted by the Justice Department in 2016.			http://pastebin.com/mCHia4W5	http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html	https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
19	MuddyWater	TEMP.Zagros	Seedworm	Cobalt Ulster	SectorD02	MERCURY	Muddy Water,DarkBit	Mango Sandstorm,Boggy Serpens,ATK51		Static Kitten,Yellow nix,POWERSTATS,NTSTATS		G0069	BlackWater	Operation Quicksand		POWERSTATS, PoweMuddy, LaZagne, Crackmapexec, ScreenConnect, MoriAgent, Pudpoul, Thanos Ransomware, PowGoop, Covicli,DarkBit	Israel,Academic Sector,individuals in Asia and the Middle East, government and defense entities in Central and Southwest Asia		Struggle with Kaspersky, relates to UNC3313	https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/	https://sec0wn.blogspot.co.il/2018/03/a-quick-dip-into-muddywaters-recent.html	https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/	https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html	https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group	https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf	https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/	https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html	https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/	https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf	https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf	https://securelist.com/muddywaters-arsenal/90659/	https://www.prevailion.com/summer-mirage-2/	https://www.secureworks.com/blog/business-as-usual-for-iranian-operations-despite-increased-tensions	https://www.bleepingcomputer.com/news/security/microsoft-iranian-hackers-actively-exploiting-windows-zerologon-flaw/	https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf	https://www.telsy.com/operation-space-race-reaching-the-stars-through-professional-social-networks/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east	https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies	https://www.clearskysec.com/operation-quicksand/	https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/	https://www.picussecurity.com/resource/blog/ttp-ioc-used-by-muddywater-apt-group-attacks	https://www.cisa.gov/uscert/ncas/alerts/aa22-055a	https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/	https://www.group-ib.com/blog/muddywater-infrastructure/	https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/	https://www.deepinstinct.com/blog/muddywater-en-able-spear-phishing-with-new-ttps
20	Silent Librarian	Mabna Institute	TA407	Cobalt Dickens	Yellow Nabu	SCHOLAR KITTEN						G0122					144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations			https://www.fbi.gov/wanted/cyber/iranian-mabna-hackers	https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment	https://twitter.com/ClearskySec/status/977899578346430464	https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities	https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff	https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again	https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/	https://www.secureworks.com/research/threat-profiles/cobalt-dickens	https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/	https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/
21	DarkHydrus											G0079				RogueRobin				https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/	https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
22	Domestic Kitten									Domestic Kitten										https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/	https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
23	Flash Kitten	Raspite	Leafminer							Flash Kitten		G0077				Sorgu, guester / Trojan.Imecab	MENA Region		long-running SWC campaigns from December 2016 until public disclosure in July 2018	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east	https://www.dragos.com/blog/20180802Raspite.html
24	Gold lowell	Boss Spider														SamSam			Criminal	https://www.secureworks.com/research/samsam-ransomware-campaigns	https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/	https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public	https://garwarner.blogspot.com/2018/11/two-iranian-hackers-charged-with-6.html
25	Iridium												Australian Parliament Hack	Citrix Hack		China Chopper / Ckife Webshells, LazyCat, reGeorge			NOTHING CONFIRMED YET, Resecurity page, original source, is 404	https://resecurity.com/blog/parliament_races/	https://www.scmagazine.com/home/security-news/apts-cyberespionage/iridium-cyberespionage-gang-behind-aussie-parliament-attacks/	https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/	https://www.forbes.com/sites/kateoflahertyuk/2019/03/15/who-is-resecurity-the-firm-that-named-the-iranian-group-allegedly-behind-the-citrix-hack/	https://www.wsj.com/articles/iran-blamed-for-cyberattack-on-australias-parliament-11550736796
26	DNSpionage	Oilrig	COBALT EDGEWATER
27	Tortoiseshell	FunRun RAT, Liderc	CURIUM,Tortoise Shell	DEV-0228	Crimson Sandstorm	Cuboid Sandstorm	Yellow Liderc	TA456	APT35	ImperialKitten, Imperial Kitten		G1012				Backdoor.Syskit, Poison Frog, Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, get-logon-history.ps1, FunRun RAT, Liderc	IT providers in Saudi Arabia		Inconclusive link to OilRig/APT34	https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain	https://www.cyberscoop.com/saudi-arabia-hackers-it-providers-symantec/	https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html	https://www.crowdstrike.com/blog/imperial-kitten-deploys-novel-malware-families/
28	?												Bapco Attack			Zerocleare, DUSTMAN	Oil companies in the middle east			https://www.ibm.com/downloads/cas/OAJ4VZNJ?_ga=2.162718588.1703640646.1575470035-355468858.1568634484&cm_mc_uid=62832336079115590460108&cm_mc_sid_50200000=12616311575470030712	https://www.wired.com/story/iran-soleimani-cyberattack-hackers/
29	Fox Kitten	Parisite	Pioneer Kitten	Pay2key	UNC757								Pay2Key			SSHNET, Juicy Potato, Port, STSRCHECK, LPManager, Invoke-SMBClient, Invoke-SMBEnum, Invoke-SMBExec, Invoke-TheHash, Invoke-WMIExec, SOCKET-Based Backdoor, Ngrok, Pay2Key ransomware, FRPC, Ngrok	IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world.		Overlaps with APT33, APT34 and Chafer	https://www.clearskysec.com/fox-kitten/ https://www.clearskysec.com/pay2kitten/	https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/	https://www.crowdstrike.com/blog/who-is-pioneer-kitten/	https://us-cert.cisa.gov/ncas/alerts/aa20-259a
30	Tracer KItten																			https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf
31	Agrius	BlackShadow	Deadwood	SharpBoys	AMERICIUM	Pink Sandstorm	DEV-0227	Agoniznig Serpens								Deadwood, Detbosit, IPSecHelper, Apstole	Finance, Hosting, Telecomminication, Israeli people, Academic Sector	Influence Operations, Ransomware		https://assets.sentinelone.com/sentinellabs/evol-agrius	https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/	https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/	https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/	https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/
32	MalKamak												Operation GhostShell			ShellClient				https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
33	Nemesis Kitten	Charming Kitten	DireFate							Nemesis Kitten						FRP, Plink, Bitlocker, Shredder (wiper)	Oil and Gas, Manufacturing, Media, Telecommunications, Government			https://www.cisa.gov/uscert/ncas/alerts/aa21-321a	https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/
34	UNC3313															GRAMDOOR, STARWHALE			Relates to MuddyWater	https://www.mandiant.com/resources/telegram-malware-iranian-espionage
35	DEV-0343																US & Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies			https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/
36	APT42																Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, and the Iranian diaspora abroad	Credential harvesting and Android malware	Subordinate to IRGC-IO, links/overlap to TA453, Yellow Garuda, ITG18, Phosphorus, Charming Kitten	https://www.mandiant.com/sites/default/files/2022-09/apt42-report-mandiant.pdf
37	HomeLand Justice																			https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
38	Magic KITTEN	Black Magic,Emennet Pasargad	Holy Souls,ViceLeaker	NEPTUNIUM,Cotton Sandstorm	Vice Leaker,kalin3t	Eeleyanet Gostar,EeleyanetGostar,Net Peygard Samavat	Hackers of Savior,Deus	Group 42, VOYEUR		HAYWIRE KITTEN							In January 2015, the German news outlet Der Spiegel released previously unpublished documents on cyber espionage conducted by American intelligence agencies.50 One of them revealed an NSA tactic labeled “fourth party collection,” which is the practice of breaking into the command and control infrastructure of foreign-state-sponsored hackers to look over their shoulders. The presentation describes a real-life example of acquiring intelligence and stealing victims from a group code-named VOYEUR by the NSA, otherwise known as Magic Kitten. Magic Kitten appears to be among the oldest and most elaborate threat actors originating in Iran. It is also distinct from other groups because of its apparent relationship with the Iranian Ministry of Intelligence rather than the IRGC. However, Magic Kitten’s activities mirror those of other groups, with the primary targets being Iranians inside Iran and Tehran’s regional rivals. The earliest observed samples of Magic Kitten’s custom malware agent dates to 2007, well before other known malware apparently originated, and the threat actor continues to be active.			https://www.cisa.gov/uscert/ncas/current-activity/2022/01/27/fbi-releases-pin-iranian-cyber-group-emennet-pasargad	https://securelist.com/fanning-the-flames-viceleaker-operation/90877/	https://irancybernews.org/magic-kitten-the-oldest-kitten/	https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/
39	Predatory Sparrow	Gonjeshke Darande	گنجشک درنده	GonjeshkDarand	Gonjeshk Darand	Indra														https://malpedia.caad.fkie.fraunhofer.de/actor/predatory_sparrow
40	Bohrium	DEV-0056	Smoke Sandstorm																	https://securityaffairs.com/132002/apt/microsoft-seized-bohrium-apt-domains.html
41	Vengeful Kitten	Moses Staff	Mosesstaff	Abraham's Ax	abrahams-ax	تبر ابراهیم	DEV-0500	Marigold Sandstorm				G1009								https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations


1	Israel
2	Common Name	Other Name 1	Other Name 2	Other Name 3	NSA	Operation 1	Operation 2	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5

3	Unit 8200					Olympic Games / Stuxnet		Stuxnet	Directed at Iranian nuclear facilities	Stuxnet is typically introduced to the target environment via an infected USB flash drive.		http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf	https://archive.org/details/Stuxnet
4	Unit 8200	Duqu Group			SIG35	Duqu 2.0		Duqu	A threat actor, using a tool dubbed Duqu 2.0, targeted individuals and companies linked to the P5+1 (the five permanent member states of the UN Security Council, plus Germany), which was conducting negotiations on Iran's nuclear program.			https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/	https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf	http://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
5	SunFlower	MoonFlower	Cheshire Cat	Flowershop	SIG17 / SIG18						Might be related to Duqu, Stuxnet and might attributed to Israel.	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/	https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/	https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
6	Team Jorge											https://forbiddenstories.org/story-killers/team-jorge-disinformation/


1	NATO
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Symantec	Kaspersky	Operation 1	Operation 2	Operation 3	Operation 4	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13
3	GOSSIPGIRL								Olympic Games / Stuxnet				Flame, Stuxnet, Miniflame, Duqu, Gauss			Collaborative umbrella of varioius threat actors	https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
4	Equation Group	Tilded Team	EQGRP	Housefly	Remsec				Socialist	Olympic Games / Stuxnet	Project Sauron / Strider	Triangulation	Regin, EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny, Grayfish, RemSec, Gauss, Apple iOS 0days			NSA, GCHQ, CSIS, ASIS, GCSB, FiveEyes, FVEY	http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/	https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/	http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets	https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/	https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/	https://web.archive.org/web/20160304022846/http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts	https://twitter.com/RedDrip7/status/1178511323954434048	https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/	https://securelist.com/operation-triangulation/109842/
5	Lamberts	APT-C-39	Rattlesnake				Longhorn	Lamberts						PRC		CIA	http://blogs.360.cn/post/APT-C-39_CIA_EN.html	https://securityaffairs.co/wordpress/57916/apt/longhorn-group-cia.html	https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments	http://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/
6	Snowglobe							Animal Farm					Babar, Bunny, Dino, Casper, Tafacalou, NBot, Chocopop			Probably French origins	https://securelist.com/blog/research/69114/animals-in-the-apt-farm/	https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france	http://www.cyphort.com/evilbunny-malware-instrumented-lua/	http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/	https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html
7	Slingshot								Mikrotik Router Compromise				Slingshot, Cahnadr, GollumApp, SsCB, ffproxy, NeedleWatch, Sfc2, Minisling, Spork downloader	Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates		US Joint Special Operations Command	https://securelist.com/apt-slingshot/84312/	https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/
8	?								Project Tajmahal				full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama	single victim – a diplomatic entity from a country in Central Asia			https://securelist.com/project-tajmahal/90240/
9	Sea Turtle								Sea Turtle				DNS hijacking, CVE-2009-1151, CVE-2014-6271, CVE-2017-3881, CVE-2017-6736, CVE-2017-12617, CVE-2018-0296, CVE-2018-7600, Drupalgeddon	industries: Ministries of foreign affairs, Military organizations, Intelligence agencies, Prominent energy organizations in US, Libya, Egypt, Lebanon, UAE, Albania, Cyprus, Turkey, Iraq, Jordan, Syria, Armenia, Sweden		Turkish threat group	https://blog.talosintelligence.com/2019/04/seaturtle.html	https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html	https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X