APT Groups and Operations


1	General Information		How to Search in this Spreadsheet?
2	Topic	Comment
3	Motive	Cyber security companies and Antivirus vendors use different names for the same threat actors and often refer to the reports and group names of each other. However, it is a difficult task to keep track of the different names and naming schemes. I wanted to create a reference that answers questions like "I read a report about the 'Tsar Team', is there another name for that group?" or "Attackers used 'China Chopper' webshell, which of the APT groups did use that shell too?" or "Did he just say 'NetTraveler'? So, does he talk about Chinese or Russian attackers?"	1. Step Use Ctrl+F / Command+F to bring up the search field, then click on the dotted vectical line next to the "X"
4	Hints	- Each active country / region has its own tab - The "Other" tab contains actors from certain regions not covered by the main tabs - The "Unknown" tab is used for groups and operations with no attribution - Cells with overlaps are highlighted in gray - overlaps are no error per se but necessary to visualize that groups tracked by one vendor are divided into two different groups by another vendor	2. Step Type the keyword you search for in the "Find" field and click on the "Find" button or press Enter. This will search the keyword in all tabs of the spreadsheet.
5	Disclaimer	Attribution is a very complex issue. This list is an intent to map together the findings of different vendors and is not a reliable source. Most of the mappings rely on the findings in a single incident analysis. Groups often change their toolsets or exchange them with other groups. This makes attribution of certain operations extremely difficult. However, we decided that even an uncertain mapping is better than no mapping at all. Be aware that information published here may be wrong, quickly outdated, or may change based on evolving information. People tend to comment on the sheet. Sometimes they add threat intel that isn't TLP:WHITE but taken from some fee-based platform. Please let me know if confidential information has been disclosed.
6	Known Issues	- Groups named after the malware (families) they've used - Groups named after a certain operation - Lists / tables are not normalized to allow a better overview by avoiding too many spreadsheets - Some groups have now been discovered to be "umbrella" terms for sub-groups. (e.g. Lazarus has subgroups; Winnti's "Burning Umbrella" report )
7	Search	Press CTRL+F or Command+F and then use the Symbol with the three dots to bring up the search dialogue that looks in the full workbook for your keywords
8	Overlaps	Names that appear multiple times are shaded in a light grey
9	First Release	12/26/2015
10	License	CC Creative Commons - Attribution 4.0 International (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
11	Access Rights	Everyone: READ / COMMENT Invited Editors: READ / COMMENT / WRITE
12	Support	Please contact me (@cyb3rops) if you would like to modify or add content to these lists. I will gladly give you write access to this list if: - I know you personally or from my Twitter stream - you are a threat intel researcher / malware analyst with some reference - you are a vendor representative - you are an author of the listed sources (see '_Sources' work sheet) Please provide you email address if you are interested in helping me (preferably Gmail - this allows native access via the connected Google account)
13	Search Engine	https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc
14	Short URL	https://apt.threattracking.com
15
16	Contributors
17	Name / Nickname	Twitter Handle
18	Pasquale Stirparo	@pstirparo
19	David Bizeul	@davidbizeul
20	Brian Bell	No Twitter Account
21	Ziv Chang	@Gasgas4Ggyy
22	Joel Esler	@joelesler
23	Kristopher Bleich	@kc0iqx_bleich
24	Maite Moreno	@mmorenog
25	Monnappa K A	@monnappa22
26	J. Capmany	@theweeZ
27	Paul Hutchinson	@AllAboutAPT
28	Boris Ivanov	@BlackCaesar1973
29	Andre Gironda	@andregironda
30	Devon Ackerman	@aboutdfir
31	Carlos Fragoso	@cfragoso
32	Eyal Sela	@eyalsela
33	Florian Egloff	@egflo
34	Ohad Zaidenberg	@ohad_mz
35	Gary Warner	@GarWarner
36	And many helpful people that just commented on cells - thank you!


1	China
2	Common Name	CrowdStrike	IRL	Kaspersky	Secureworks	Mandiant	FireEye	Symantec	iSight	Cisco (Sourcefire/VRT > Talos)	Palo Alto Unit 42	Other Names	MITRE ATT&CK	Operation 2	Operation 3	Operation 4	Toolset / Malware	Targets	Modus Operandi	Overlaps to	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23

3	Comment Crew	Comment Panda	PLA Unit 61398		TG-8223	APT1			BrownFox	Group 3		GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor	G0006	GhostNet			WEBC2, BISCUIT and many others	U.S. cybersecurity firm Mandiant, later purchased by FireEye, released a report in February 2013 that exposed one of China's cyber espionage units, Unit 61398. The group, which FireEye called APT1, is a unit within China's People's Liberation Army (PLA) that has been linked to a wide range of cyber operations targeting U.S. private sector entities for espionage purposes. The comprehensive report detailed evidence connecting APT1 and the PLA, offered insight into APT1's operational malware and methodologies, and provided timelines of the espionage it conducted.				http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf	http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?emc=na&_r=2&	https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators	https://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network	http://www.nartv.org/mirror/ghostnet.pdf
4	APT2	Putter Panda	PLA Unit 61486		TG-6952	APT2				Group 36		SearchFire	G0024				Their activities are commonly known to be exploiting CVE-2012-0158 (MSOffice vulnerability in MSCOMCTL.OCX) in SpearPhising operations. Related malware: Moose, Warp, MSUpdater	This threat actor targets firms in the technology (communications, space, aerospace), research, defense, and government sectors in the United States for espionage purposes. The tools and infrastructure it uses overlap with PLA Unit 61398.				http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf	http://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/
5	UPS	Gothic Panda			TG-0110	APT3		Buckeye	UPS Team	Group 6		Boyusec – the Guangzhou Boyu Information Technology Company, Ltd	G0022	Double Tap	Clandestine Wolf		Shotput, Pirpi, PlugX/Sogu, Kaba, Cookie Cutter, many 0days: IE, Firefox, and Flash, SportLoader, Shadow Brokers exploits, DoublePulsar, Bemstour, Filensfer	This threat actor targets and compromises entities in the defense, construction, technology, and transportation sectors. Up until 2015, it was primarily focused on U.S. and UK entities, but it shifted to Hong Kongâ€“based targets afterward. Aerospace and Defence; Construction and Engineering; Energy; High Tech; Nonprofit; Telecommunications; Transportation				https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html	http://www.secureworks.com/resources/blog/research/threat-group-0110-targets-manufacturing-and-financial-organizations-via-phishing/	http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong	https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/	https://www.fireeye.com/current-threats/apt-groups.html	https://www.recordedfuture.com/chinese-mss-behind-apt3/	http://freebeacon.com/national-security/u-s-indicts-three-chinese-hackers-linked-security-firm/amp/	https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html?noredirect=on&utm_term=.209df584e031	https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/	https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit
6	IXESHE	Numbered Panda			TG-2754 (tentative)	APT12	BeeBus		Calc Team	Group 22		DynCalc, Crimson Iron, DNSCalc	G0005				Etumbot, Riptide, Hightide, ThreeByte, Waterspout, Mswab, Gh0st, ShowNews, 3001	This threat actor targets organizations in Japan, Taiwan, and elsewhere in East Asiaâ€”including electronics manufacturers and telecommunications companiesâ€”for espionage purposes.				http://www.crowdstrike.com/blog/whois-numbered-panda/	http://www.computerworld.com/s/article/9241577/The_Chinese_hacker_group_that_hit_the_N.Y._Times_is_back_with_updated_tools?taxonomyId=17	http://blog.crowdstrike.com/whois-numbered-panda/	http://www.secureworks.com/cyber-threat-intelligence/threats/analysis-of-dhs-nccic-indicators/	http://blog.trendmicro.com/taking-a-bite-out-of-ixeshe/	http://www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/	https://cysinfo.com/sx-2nd-meetup-reversing-and-decrypting-the-communications-of-apt-malware/	http://blog.macnica.net/blog/2017/08/post-fb81.html
7	APT16					APT16							G0023				ELMER backdoor, Gh0st, HTRAN, UNICAT,Poison Ivy, Pandora	This threat actor targets and compromises Japanese and Taiwanese entities in the finance, tech, media, and government sectors.	Spear phishing email delivering a malicious Microsoft Word document exploiting EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader (IRONHALO), or a backdoor (ELMER). Also known to be using compromised VPN credentials to maintain network persistency.			https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html	https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html	https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/	https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/
8	Hidden Lynx	Aurora Panda				APT17	Deputy Dog	Hidden Lynx	Tailgater Team	Group 8		Burning Umbrella	G0025				BLACKCOFFEE, WEBCnC, Joy RAT, PlugX, Trojan.Naid, Backdoor.Moudoor, Backdoor.Vasport, Backdoor.Boda, Trojan.Hydraq, ZxShell, Sakula, China Chopper, DestroyRAT	Government, defense & aerospace, industrial engineering, NGOs				http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html	http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf	http://www.darkreading.com/attacks-and-breaches/chinese--hidden-lynx--hackers-launch-widespread-apt-attacks/d/d-id/1111589?page_number=2	https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf	http://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/	https://401trg.com/burning-umbrella/	https://www.infosecurity-magazine.com/news/chinese-espionage-group-widescale/	https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/	https://www.bloomberg.com/features/2021-supermicro/
9	Wekby	Dynamite Panda			TG-0416	APT18						TA428	G0026				HTTPBrowser, TokenControl, HcdLoader, PisLoader, TManger	Aerospace and Defence; Construction and Engineering; Education; Health and Biotechnology; High Tech; Telecommunications; Transportation				https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem	https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop	https://www.volexity.com/blog/2015/07/08/158-2/	http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/	https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf	https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology	https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger	https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf	https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/	https://www.recordedfuture.com/china-linked-ta428-threat-group/	https://blog.group-ib.com/task	https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/	https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf
10	Axiom					APT17			Tailgater Team	Group 72		Dogfish (iDefense), Deputy Dog (iDefense), Winnti Umbrella	G0001				Winnti, Gh0st RAT, PoisonIvy, HydraQ, Hikit, ZxShell, Deputy Dog, Derusbi, PlugX, HTRAN, HDRoot, Fscan, Timestomper			Shell Crew, Hidden Lynx, Axiom	Use "Skeleton Key" on DCs	http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/	http://www.novetta.com/files/5614/1329/6232/novetta_cybersecurity_exec_summary-3.pdf	http://www.novetta.com/2015/04/operation-smn-winnti-update/	https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/	https://401trg.com/burning-umbrella/	https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/
11	Winnti Group	Wicked Panda			BRONZE ATLAS	APT41						Winnti Umbrella, BARIUM, LEAD, RedEcho, Vanadinite, TAG-22	G0044				Winnti, AceHash, PlugX, Webshells, ZxShell, ShadowPad	ThyssenKrupp, Gameforge, Valve, Teamviewer,Siemens, Sumitomo, BASF, Covestro, Shin-Etsu, Bayer, Roche		Deep Panda, Wicked Spider		http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/	https://www.protectwise.com/blog/winnti-evolution-going-open-source.html	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/january/windows-firewall-hook-enumeration/	https://www.nccgroup.trust/globalassets/our-research/uk/technical-advisories/2015/derusbi-server-technical-note-1-1-tlp-white.pdf	https://lab52.io/blog/winnti-group-geostrategic-analysis-and-ttp/	https://401trg.com/burning-umbrella/	https://web.br.de/interaktiv/winnti/index.html	https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf	https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-vanadinite/	https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/	https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware	https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/	https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/	https://www.hhs.gov/sites/default/files/apt41-recent-activity.pdf	https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackfly-espionage-materials
12	Shell Crew	Deep Panda		WebMasters		APT19	KungFu Kittens			Group 13		Sh3llCr3w, PinkPanther, Winnti Group	G0009	OPM	Anthem Hack		Sakula/Sakurel, Derusbi, Scanbox Framework, many Webshells including China Chopper, WCE			Axiom, Winnti		http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf	https://www.isightpartners.com/2015/07/threatscape-media-highlights-update-week-of-july-29th/	https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
13	Naikon	Lotus Panda	PLA Unit 78020	Naikon		APT30		Thrip, Billbug					G0019	Naikon	Camera Shy		RARSTONE, BACKSPACe, NETEAGLE, XSControl	satellite communications operator, Telecoms, and Defense Companies, Hong Kong				https://securelist.com/analysis/publications/69953/the-naikon-apt/	http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/	https://www.threatconnect.com/camerashy/	http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/	https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia	https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/	https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority	https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
14	Lotus Blossom			Spring Dragon							Lotus Blossom	ST Group, Esile	G0030				Elise Backdoor, Lstudio, CVE-2017-11882					https://securelist.com/blog/research/70726/the-spring-dragon-apt/	http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/	https://securelist.com/blog/research/70726/the-spring-dragon-apt/	http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments	http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/	https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting	https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf	https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/	https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf
15	APT6					APT6						1.php Group					Poison Ivy,	US Government Organizations			Overlaps with Operation Night Dragon	https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years	https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf	https://www.zscaler.com/blogs/research/1php-group-intrusion-set-paper	https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/tb_advanced_persistent_threats.pdf
16	APT26	Turbine Panda				APT26			Hippo Team			JerseyMikes					Cobalt, QuickPulse, credential stealers such as WCE, GSECDUMP, COATHOOK, HTRAN, SOGU, TWOCHAINS, QUICKBALL	Affected Industry: Aerospace and Defense, business and Professional Services/Legal/Accounting, High Tech Software and hardware services	Supply-chain attacks such as strategic web compromise (SWC) where the actor compromise 3rd-party service provider hosting the victim websites			https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf?mkt_tok=3RkMMJWWfF9wsRojuKrPZKXonjHpfsX/7e8tWrHr08Yy0EZ5VunJEUWy2ocITtQ/cOedCQkZHblFnV4AS626XrENqKML	https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf	https://digit.fyi/lengthy-cyber-espionage-operation-helped-china-develop-c919-airliner/
17	Mirage	Vixen Panda	Ke3Chang	Playful Dragon	GREF	APT15			Social Network Team			Mirage Team, Lurid, Social Network Team, Royal APT, Metushy, Winnti Umbrella, NICKEL, Playful Taurus, BackdoorDiplomacy	G0004				Mirage, (Nvidia program side-loading) PlugX, XSLCmd, TidePool, BS2005, RoyalCli, iWebRat, Russian-language decoy document, ENFAL, ENDCMD, QUICKHEAL, SOGU, CYFREE, MIRAGE, NOISEMAKER, QUICKHEAL, SWALLOWFLY, Turian Backdoor	PH, VN, TW, US, UK, IT, PL, UN, SG, NATO - Gov, Political party		Winnti	Some vendors track this group in up to 3 separate groups	http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/	https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf	http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/	https://github.com/nccgroup/Royal_APT	https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/	https://401trg.com/burning-umbrella/	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/	https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf	https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi#page=51	https://www.lookout.com/documents/threat-reports/us/lookout-moonshine-badbazaar.pdf	https://unit42.paloaltonetworks.com/playful-taurus/
18	NetTraveler		Lanzhou PLA Unit	NetTraveler		APT21											NetTraveler	This threat actor targets computer networks associated with Tibetan and Uyghur activists for espionage purposes.				https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/	https://securelist.com/blog/incidents/57455/nettraveler-is-back-the-red-star-apt-returns-with-new-tricks/	https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/
19	Ice Fog	Dagger Panda		IceFog			ICEFOG					Fucobha, Temp.Trident					Dagger Three (C2 software), Fucobha Backdoor, IceFog, RoyalRoad RTF Weaponizer	This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in US, Taiwan, Japan and South Korea.		Links to Onion Dog		https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/	https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/	http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf	http://www.darkreading.com/attacks-and-breaches/java-icefog-malware-variant-infects-us-businesses/d/d-id/1113451	https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain	https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt	https://sebdraven.medium.com/ta428-behind-operation-lagtime-the-following-of-icefog-30fc1f853b80
20	Beijing Group	Sneaky Panda										Hydraq, SIG22, Elderwood, Elderwood Gang	G0066				Hydraq, Elderwood Project	This threat actor targets private sector companies in the defense, shipping, aeronautics, arms, and energy sectors, as well as nonprofits and financial firms.			Possibly assisted in Operation Aurora, the RSA incident, and the Joint Strike Fighter Program compromise	https://en.wikipedia.org/wiki/Operation_Aurora#Attackers_involved	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf	http://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
21	APT22	Wet Panda			BRONZE OLIVE							Barista					China Chopper, PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, LOGJAM				Possible overlap with Beijing Group	http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild
22	Suckfly												G0039				Nidiran, Korplug, PlugX	Indian organisations and Republic of Korea				http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
23	APT4	Samurai Panda	PLA Navy			APT4	APT4	Sykipot	Wisp Team												“PdPD” (50 64 50 44) marker for encrypted binaries	http://www.crowdstrike.com/blog/whois-samurai-panda/
24	Pitty Tiger	Pitty Panda					Pitty Tiger						G0011				PittyTiger, Paladin RAT				"Pitty Tiger" was originally the name of a malware payload by the malware tracker blog. Airbus and FireEye identified the actor as Chinese. CrowdStrike uses "tiger" when naming adversaries alligned with India. Crowdstrike associates the actor with the name "Pitty Panda" conforming to their naming convention for Chinese actors.	http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2	https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html	http://blog.malwaretracker.com/2013/06/tomato-garden-campaign-possible.html
25	Scarlet Mimic										Scarlet Mimic		G0029				FakeM, Psylo, MobileOrder	Uyghur and Tibetan activists as well as those who are interested in their causes				http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/
26	C0d0so	Codoso				APT19	Sunshop Group						G0073				Bergard Trojan, Derusbi, TXER	Forbes, Defense, Finance, Energy, Government, Political Dissidents, Global Think Tanks	Watering Hole			https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks	http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf	http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/	https://www.proofpoint.com/us/threat-insight/post/exploring-bergard-old-malware-new-tricks	https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/
27	SVCMONDR																CVE-2015-2545	Taiwan, Thailand		Tamper Panda	“PdPD” (50 64 50 44) marker for encrypted binaries	https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/
28	Wisp Team					APT4			Wisp Team									Defense Industrial Base, US Government			iSight has mentioned tracking a China-nexus group they dub "Wisp Team" - have not resolved this w/ other naming conventions	https://www.isightpartners.com/2014/04/weeks-threatscape-media-highlights-update-2/	https://www.isightpartners.com/2014/09/weeks-threatscape-media-highlights-update-22/	https://www.isightpartners.com/2015/01/threatscape-media-highlights-update-week-january-12/
29	Mana Team								Mana Team									Australia			iSight has mentioned tracking a China-nexus activity they dub "Mana Team", targeting Australian interests - have not resolved this w/ other naming conventions	https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/
30	TEMP.Zhenbao								TEMP.Zhenbao													https://www.isightpartners.com/2014/11/threatscape-media-highlights-update-week-november-10/	http://www.securityweek.com/plugx-rat-used-gather-intel-afghan-russian-military-report
31	SPIVY																	Hong Kong dissidents				http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/
32	Mofang				BRONZE WALKER							Whitefly	G0103 (Kasperksy) G0107 (Symantec)	SingHealth			ShimRAT, ShimRATReporter	Government, military, Critical Infrastructure,Automotive Industry,Weapon Industry, This threat actor compromises government and critical infrastructure entities, primarily in Myanmar, for espionage purposes. Myanmar, Canada, United States, Germany, India, South Korea, Singapore		Superman		https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/	https://www.threatconnect.com/china-superman-apt/	https://securelist.com/big-threats-using-code-similarity-part-1/97239/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore
33	DragonOK						DragonOK				DragonOK	Dragon Castling	G0017				CVE-2015-1641, Sysget, IsSpace, Rambo Backdoor	Japan, SE Asia casino & gaming		KHRAT links to Rancor		http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/	http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/	https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor	http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf	https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/	https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
34	Group 27									Group 27							Trochilus RAT, PlugX, EvilGrab, 3102 variant of 9002 RAT			Seven Pointed Dagger, Trochilus RAT		https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf	https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/
35	Tonto Team			CactusPete			Tonto Team						G0131				RoyalRoad RTF Weaponizer					https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==	https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf	https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/	https://www.cybereason.com/blog/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector	https://cert.gov.ua/article/375404	https://www.group-ib.com/blog/tonto-team/
36	TA459												G0062				PlugX, NetTraveler, ZeroT, PCrat, Gh0st, RoyalRoad RTF Weaponizer	Central Asian countries, Russia, Belarus, Mongolia, and others		?NetTraveler?		https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter	https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
37	Tick				BRONZE BUTLER			Tick				REDBALDKNIGHT	G0060				whoami, procdump, VBS, WCE, Mimikatz, gsecdump, PsExec, Daserf, Gofarer, Datper, ABK Downloader, avirra Downloader, Datper, RoyalRoad RTF Weaponizer					https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan	https://www.secureworks.jp/resources/rp-bronze-butler	https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/	http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html	https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses	http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/	https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html	https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/	https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf	https://therecord.media/japanese-police-say-tick-apt-is-linked-to-chinese-military/
38	Lucky Cat											Shadow Network, SabPub, TA413 (Proofpoint)						A threat actor targets computer networks associated with Tibetan activists, as well as military research and development, aerospace, engineering, and shipping industries in India and Japan.				http://blog.trendmicro.com/trendlabs-security-intelligence/luckycat-redux-inside-an-apt-campaign/	http://www.nartv.org/mirror/shadows-in-the-cloud.pdf	https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/	http://www.securityweek.com/mac-malware-linked-luckycat-attack-campaign	http://www.infoworld.com/article/2617225/malware/sabpub-malware-proves-macs-are-an-apt-target.html	https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html	https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf	https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic
39	APT40	Leviathan				APT40	Temp.Periscope					Temp.Jumper, GADOLINIUM, MUDCARP, Hainan Xiandun Technology Company, TA423, Red Ladon, ScanBox	G0065				AIRBREAK, BADFLICK, PHOTO, HOMEFRY, LUNCHMONEY, MURKYTOP, China Chopper, Beacon, BLACKCOFFEE, CVE-2017-11882, Derusbi, RoyalRoad RTF Weaponizer	maritime-related targets across multiple verticals, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities				https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets	https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html	https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html	https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html	https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain	https://lab52.io/blog/leviathan-geostrategy-and-ttp-technical-tactics-and-procedures/	https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/	https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company/	https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu/	https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network/	https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding/	https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40/	https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf	https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/	https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea
40	PassCV				TG-3279							Winnti Umbrella, China Cracking Group,					Sabre, Kitkiot, Conpee, Etso, Runxx, dnsenum, s (custom port scanner), rdp_crk, icmp_shell, Jynxkit, Gh0st RAT, NetCommander, Carberp RAT	Gaming Companies		Winnti	Personas: Laurentiu Moon, Sincoder	https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies	https://401trg.com/burning-umbrella/	https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry#up2
41	BARIUM				TG-2633							Winnti Umbrella, BRONZE ATLAS					Winnti Rootkit malware	Electronic gaming, multimedia, Internet content industries, technology companies		Winnti		https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc	https://401trg.pw/burning-umbrella/
42	LEAD											Winnti Umbrella					Winnti Rootkit malware	Multinational, multi-industry companies, textiles, chemicals, electronics, pharmaceutical companies, manufacturing		Winnti		https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc	https://401trg.pw/burning-umbrella/	https://www.france24.com/en/20190404-bayer-victim-cyber-attack-german-media
43	Iron Group											Rocke					XBash	Cybercrime, Cryptomining, Cryptojacking				https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/	https://blog.talosintelligence.com/2018/12/cryptomining-campaigns-2018.html	https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/	https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html	https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang#When:18:10:00Z
44	Anchor Panda	Anchor Panda															Adobe Gh0st, Poison Ivy, Torn RAT	This threat actor targets government and private sector entities interested in maritime issues in the South China Sea for espionage purposes. Maritime satellite systems, aerospace companies, and defense contractors.			“PdPD” (50 64 50 44) marker for encrypted binaries	http://www.crowdstrike.com/blog/whois-anchor-panda/
45	Aquatic Panda												G0143									https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
46	Big Panda																	Financial services firms			Mentioned by Alperovitch in 2013 article as targeting financial services industry	http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?
47	Electric Panda																				Listed on slide 8	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
48	Eloquent Panda																				Mentioned slide 15	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
49	Emissary Panda	Emissary Panda		LuckyMouse	BRONZE UNION, TG-3390	APT27			TEMP.Hippo	Group 35		ZipToken, Iron Tiger	G0027	A Tale of Two Targets			PlugX, China Chopper Webshell, HttpBrowser, Hunter, ASPXTool, wce, gsecdump, nbtscan, htran	US Gov and contractors, Western think tanks, Gaming, iGaming, Gambling		DEV-0322, Earth Berberoka	Suspected South Korean group? https://attack.mitre.org/groups/G0012/	http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/	http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states	https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/	https://www.secureworks.com/research/bronze-union	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/	https://securelist.com/luckymouse-hits-national-data-center/86083/	https://securelist.com/luckymouse-ndisproxy-driver/87914/	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox	https://lab52.io/blog/apt27-rootkit-updates/	https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/	https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia	https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/	https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html	https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/	https://blog.group-ib.com/task	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/	https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html	https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state	https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
50	Foxy Panda	Foxy Panda																Technology & Communications			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
51	Gibberish Panda	Gibberish Panda																			Listed slide 8	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
52	Goblin Panda	Goblin Panda	Hellsing	Cycldek								Cycldek, Conimes Team, China1937CN Team, Temp.Conimes, Earth Zhulong					ZeGhost, PlugX, tempfun, NewCore RAT, Sisfader, RoyalRoad RTF Weaponizer, BlueCore, RedCore	Southeast Asia, Government of Vietnam			Weaponizer leaked, new activity wrongly attributed to this long inactive group, possible links to Icefog/Dagger Panda and Temp.Periscope/APT40	http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/	https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain	https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html	https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_8_koike-nakajima_jp.pdf	https://securelist.com/cycldek-bridging-the-air-gap/97157/	https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/
53	Hammer Panda																	Russia				http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242
54	Hurricane Panda	Hurricane Panda			BRONZE VINEWOOD	APT31		Black Vine	TEMP.Avengers			Zirconium, TA412		Op. Poisoned Hurricane			China Chopper Webshell, PlugX, Mimikatz, Sakula	Aerospace, Healthcare, Energy (gas & electric turbine manufacturing), Military and defense, Finance, Agriculture, Technology, Japan, United States, United Kingdom, India, Canada, Brazil, South Africa, Australia, Thailand, South Korea, France, Switzerland, Sweden, Finland, Norway			used free DNS servers provided by Hurricane Electric	http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/	http://blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/	http://blog.airbuscybersecurity.com/post/2015/09/APT-BlackVine-Malware-Sakula	https://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012	http://blog.airbuscybersecurity.com/post/2015/10/Malware-Sakula-Evolutions-%28Part-2/2%29	https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85	https://uk.reuters.com/article/uk-china-cyber-norway-visma/china-hacked-norways-visma-to-steal-client-secrets-investigators-idUKKCN1PV14R	https://raw.githubusercontent.com/GuardaCyber/APT-Groups-and-Operations/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf	https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains	https://research.checkpoint.com/2021/the-story-of-jian/	https://therecord.media/norway-says-chinese-group-apt31-is-behind-catastrophic-2018-government-hack/	https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/	https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/	https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/
55	Impersonating Panda	Impersonating Panda																Financial sector
56	Judgement Panda																Spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting	Upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets				https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
57	Karma Panda	Karma Panda	CactusPete	CactusPete					Tonto Team			Bisonal (malware), Lone Ranger						Dissident groups			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf	https://securelist.com/apt-trends-report-q1-2019/90643/
58	Keyhole Panda	Keyhole Panda			Bronze Fleetwood				temp.bottle									Electronics & Communications			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
59	Kryptonite Panda																8.t exploit document builder	Cambodia				https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
60	Mustang Panda			HoneyMyte	BRONZE PRESIDENT				Temp.Hex			TA416, RedDelta, Earth Preta (TrendMicro)	G0129				Cobalt Strike, PlugX, ORat, RCSession, Nbtscan, Nmap, Wmiexec, China Chopper web shell	Mining sector in Mongolia, private individuals \|=\| gathering geo-political and economic intelligence, NGOs, political & law enforcement org in South and East Asia				https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/	https://securelist.com/apt-trends-report-q3-2019/94530/	https://www.secureworks.com/research/bronze-president-targets-ngos	https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/	https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf	https://kc.mcafee.com/corporate/index?page=content&id=KB92635&locale=en_US	https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader	https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-dianxun-cyberespionage-campaign-targeting-telecommunication-companies/	https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf	https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european	https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/	https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx	https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html	https://www.secureworks.com/blog/bronze-president-targets-government-officials	https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims	https://www.lac.co.jp/lacwatch/report/20221117_003189.html	https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html	https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets	https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware
61	Night Dragon	Night Dragon											G0014					A threat actor compromised U.S. oil companies through spear phishing and remote administration tools. Oil, Energy and Petrochemical (OpNightDragon)				https://kc.mcafee.com/corporate/index?page=content&id=KB71150	http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
62	Nightshade Panda	Nightshade Panda				APT9						FlowerLady					Poison Ivy, PlugX, BIGJOLT,FUNRUN,GH0ST,HOMEUNIX,JIM A,PHOTO,POISON IVY,SKINNYGENE,SOGU,VICEROY,VIPSH ELL,WETHEAD,XDOOR,ZXSHELL	HK, US, SG, MY, JP, IN, KR, TH, TW - Aerospace, Agriculture, Construction, Energy, Healthcare, ,High Tech, Media, Transportation				https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/
63	Nomad Panda																8.t exploit document builder	Central Asian nations		RedFoxtrot, Moshen Dragon		https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
64	Pale Panda																PlugX				Mentioned in 2014 Crowdstrike Global Threat Intel Report pg 22	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
65	Pirate Panda	Pirate Panda										KeyBoys	G0081						Southeast Asia	Tropic Trooper & KeyBoy		http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/	http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html	https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/	https://blogs.cisco.com/security/scope-of-keyboy-targeted-malware-attacks	https://citizenlab.ca/2016/11/parliament-keyboy/
66	Poisonous Panda	Poisonous Panda																Energy technology, G20, NGOs, Dissident Groups			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
67	Predator Panda	Predator Panda															PlugX	Southeast Asia			Mentioned pg 22 & 42	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
68	Radio Panda	Radio Panda
69	Sabre Panda																	Umbrella Revolution			Listed in 2014 Global Threat Report (pg 9) - observed in Umbrella Revolution related activity (pg 28)	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
70	Spicy Panda																				Listed in 2014 Global Threat Report - no more details pg 9	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
71	Stone Panda	Stone Panda			BRONZE RIVERSIDE	APT10			MenuPass Team		menuPass	Red Apollo, CVNX, POTASSIUM, Cloud Hopper, Hogfish, TA429, Cicada, TALONITE, DEV-0401	G0045	Dust Storm	Cloud Hopper	ChessMaster	Poison Ivy, EvilGrab, IEChecker, ChChes, PlugX, RedLeaves, Quasar, CobaltStrike, Trochilus, UPPERCUT (aka ANEL), StoneNetLoader	Healthcare; Pharma, Defense, Aerospace, Government, MSP,	Data exfil over common TCP services (RDP, HTTPS)	Compromise & Persistence: BUGJUICE, SOGU, SNUGRIDE, Group 27	Profile slide 13 & 14	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem	http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf	https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf	https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-february-24th/	https://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022/	https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html	http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/	https://www.us-cert.gov/ncas/alerts/TA17-117A	https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf	https://www.lac.co.jp/lacwatch/people/20180521_001638.html	https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://blog.ensilo.com/uncovering-new-activity-by-apt10	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks	https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/	https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group
72	Temper Panda	Temper Panda	Admin338	Team338			admin@338		338 Team					admin@338			Poison Ivy, jRat, LOWBALL, BUBBLEWRAP	Target Gov + Military, DIB, Finiancial/Think Tanks, Telco, Academia, Religious organisations			“PdPD” (50 64 50 44) marker for encrypted binaries	https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html	https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html	https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
73	Test Panda	Test Panda																			Listed slide 8	http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
74	Toxic Panda	Toxic Panda																Dissident Groups			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
75	Twisted Panda																			Stone Panda, Mustang Panda		https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/
76	Union Panda	Union Panda																Industrial companies			Listed slide 4	http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf
77	Vicious Panda																					https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/	https://securelist.com/apt-trends-report-q2-2020/97937/
78	Violin Panda	Violin Panda				APT8	APT20					Covert Grove		th3bug	Wocao		Poison Ivy, CAKELOG, CANDYCLOG, COOKIECLOG, CETTRA	Energy, Chemical Industry, Healthcare and Pharma			Listed slide 12	http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf	https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
79	Wet Panda	Wet Panda															PlugX	Energy			Mentioned in 2014 Global Threat Report using PlugX (pg 22)	http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf	http://www.slideshare.net/CrowdStrike/crowdcast-monthly-operationalizing-intelligence-34141777
80	?																UP007, SLServer, Grabber, T9000, Kivars, PlugX, Gh0StRAT, Agent.XST	Tibetans, Hong Kong, Taiwanese interests and human rights workers, Uyghur Interests	Active	IXESHE (see PWC report)		https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/	https://citizenlab.org/2016/04/between-hong-kong-and-burma/	http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html
81	?																			IXESHE (malware), Etumbot, Numbered Panda		https://web.archive.org/web/20151217200415/https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf
82	?																	Afghan Government	Watering Hole	Operation Poisoned Hurricane		https://www.threatconnect.com/operation-poisoned-helmand/
83	?					APT1?								Titan Rain				USA			web archive link to 12/12/2005 article about Titan Rain, ZDNet link dated 11/23/2005 is similar article	http://web.archive.org/web/20081011233241/http://www.breitbart.com/news/2005/12/12/051212224756.jwmkvntb.html	https://www.zdnet.com/article/security-experts-lift-lid-on-chinese-hack-attacks/
84	?	Maverick Panda	PLA Navy	Sykipot		APT4?												DIB (Defence Industrial Base) and other government organizations				https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments	http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/
85	Calypso											Links to Skyipot, Pitty Tiger, Comment Crew, Mirage					Byebe, CMStar, Calypso RAT, PlugX					https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/	https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf	https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf
86	Tropic Trooper	KeyBoy											G0081				Poison Ivy, PCShare, Yahoyah	Taiwan, High-Tech in Asia, Taiwanese Government, Fossil Fuel Provider, Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries		Pirate Panda & KeyBoy	Group based in Xiamen, in same area as PLA Navy. Likely a navy SIGINT TRB	http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/	https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/	https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/	https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/
87	APT41					APT41							G0096				CRACKSHOT, GEARSHIFT, HIGHNOON, JUMPALL, POISONPLUG, HOTCHAI, LATELUNCH, LIFEBOAT, LOWKEY, NJRAT, PACMAN, PHOTO, POTROAST, ROCKBOOT, SAGEHIRE, SWEETCANDLE, SOGU, TERA, TIDYELF, WIDETONE, WINTERLOVE, XDoor, Xmrig, ZxShell				Overlap with BARIUM and Winnti	https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html	https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html	https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html	https://www.bankinfosecurity.com/feds-chinese-hacking-group-undeterred-by-indictment-a-20153
88	Poison Carp											Earth Empusa					ActionSpy, ScanBox, BeEF, Evil Eye	This threat actor targets smartphones associated with Tibetan and Uyghur activists for espionage purposes.	Strategic web compromise (watering hole)			https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/	https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html	https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/	https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/	https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/
89	AVIVORE																PlugX, Mimikatz, WmiExec	aerospace and defence industries in the UK and Europe				https://www.contextis.com/en/blog/avivore	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-005.pdf
90	APT-C-01											PoisonVine					Poison Ivy, ZxShell, Kanbox RAT, CVE-2012-0158, CVE-2014-6352, CVE-2017-8759	government agencies, military individuals, research institutes, maritime agencies				https://ti.qianxin.com/blog/articles/analysis-of-apt-c-01/	https://ti.qianxin.com/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf	http://blogs.360.cn/post/APT_C_01_en.html	https://www.netscout.com/sites/default/files/2019-02/SECR_001_EN-1901%20-%20NETSCOUT%20Threat%20Intelligence%20Report%202H%202018.pdf	https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-vine-climbing-over-great-firewall-longterm-attack-against-china/	https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf
91	DarkUniverse																ItaDuke	Tibet and Uyghur activists, Syria, Iran, Afghanistan, Tanzania, Ethiopia, Sudan, Russia, Belarus and the United Arab Emirates	Spearphishing w/CVE-2013-0640 weaponized PDF			https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/	https://www.alienvault.com/blogs/labs-research/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists	https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/
92	Taskmasters																RemShell, 404-Input-shell, Eternal Blue, Scheduled Tasks	Military, government, telecommunication, small businesses				https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/	https://www.youtube.com/watch?v=XYuclHsoQO4&feature=youtu.be	https://blog.group-ib.com/task
93	GALLIUM											Soft Cell, UNSC 2814					BlackMould, China Chopper, PoisonIvy, QuarkBandit, Htran, NBTScan, PsExec, Winrar, Netcat	Telecom				https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/	https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers	https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos	https://unit42.paloaltonetworks.com/pingpull-gallium/
94	RANCOR												G0075				KHRAT Trojan, Derusbi, Dudell, DDKONG Plugin	South-East Asia		DragonOK		https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/	https://meltx0r.github.io/tech/2019/09/11/rancor-apt.html	https://research.checkpoint.com/rancor-the-year-of-the-phish/	https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/
95	ChinaZ																Linux.BackDoor.Xnote.1, Linux/BillGates.Lite, Linux/UDPfker					https://news.drweb.com/show/?i=9272&lng=en&c=5	https://blog.malwaremustdie.org/2015/08/mmd-0039-2015-chinaz-made-new-malware.html	https://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html	https://www.intezer.com/blog-chinaz-relations/	https://www.intezer.com/blog-chinese-apts-rising-ia-community-may-2019/	https://www.intezer.com/blog-chinaz-introduces-new-undetected-malware/	https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf
96	APT-C-37	Slap Bear	Papa Bear	Pat/Patted Bear																		http://blogs.360.cn/post/analysis-of-apt-c-37.html	https://zhuanlan.kanxue.com/article-8168.htm	https://mp.weixin.qq.com/s/lUtXwWjPVMHXfR6oLnXYhQ	https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37
97	APT-C-27	Goldmouse/Gold Mouse/Gold Rat																Middle East		Link to OilRig?		https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/	https://blog.360totalsecurity.com/en/the-sample-analysis-of-apt-c-27s-recent-attack/	https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf
98	Storm Cloud													Holy Water			Godlike12, SweetAlerts		Strategic web compromise (watering hole)
99	TA410																LookBack, FlowCloud	utility providers across the U.S		APT10		https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new	https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/
100	SixLittleMonkeys	Microcin															Microcin, BYEBY, Mikroceen	Central Asia, Russian military, Belarussia, Mongolia,		Link to Vicious Panda		https://securelist.com/steganography-in-contemporary-cyberattacks/79276/	https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf	https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/	https://securelist.com/microcin-is-here/97353/	https://securelist.com/apt-trends-report-q2-2019/91897/
101	HAFNIUM						UNC2639, UNC2640, UNC2643	Ant						Operation Exchange Marauder			Covenant, Procdump, 7-Zip, Nishang, PowerCat	Microsoft Exchange Server				https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/	https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection	https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/	https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/
102	Luminous Moth			Luminous Moth														South East Asia		Mustang Panda		https://securelist.com/apt-luminousmoth/103332/
103	Spiral																SolarWinds Orion API (CVE-2020-10148), SUPERNOVA					https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group	https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group
104	Sparkling Goblin																CROSSWALK, SideWalk	Academic sectors in Macao, Hong Kong and Taiwan, A religious organization in Taiwan, A computer and electronics manufacturer in Taiwan, Government organizations in Southeast Asia, An e-commerce platform in South Korea, The education sector in Canada, Media companies in India, Bahrain, and the USA, A computer retail company based in the USA, Local government in the country of Georgia, Unidentified organizations in South Korea and Singapore,		Winnti, APT41		https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/	https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
105	APT5				BRONZE FLEETWOOD							MANGANESE					BRIGHTCREST, SWEETCOLA, SPIRITBOX, PALEJAB, WIDERIM, WINVAULT, HAPPYSAD, BIRDWORLD, FARCRY, CYFREE, FULLSILO, HELLOTHEWORLD, HAZELNUT, GIF89A, SCREENBIND, SHINYFUR, TRUCKBED, LEOUNCIA, FREESWIM, PULLTAB, HIREDHELP, NEDDYHORSE, PITCHFORK, BRIGHTCOMB, ENCORE, TABCTENG, SHORTLEASH, CLEANACT, BRIGHTCYAN, DANCEPARTY, HALFBACK, PUSHBACK, COOLWHIP, LOWBID, TIGHTROPE, DIRTYWORD, AURIGA, KEYFANG, Poison Ivy, Comfoo, Skeleton Key	Regional telecommunication providers, Asia-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology.		UNC2630		https://www.fireeye.com/current-threats/apt-groups.html	https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html	https://www.bloomberg.com/news/features/2021-09-02/juniper-mystery-attacks-traced-to-pentagon-role-and-chinese-hackers	https://www.secureworks.com/research/threat-profiles/bronze-fleetwood	https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF
106	RedFoxtrot																PlugX-Talisman, ShadowPad, GUNTERS	South Asia Telecom & Defense		?Moshen Dragon, Nomad Panda, Goblin Panda, LuckyMouse, Cycldek, Emissary Panda, TG-3390		https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/	https://go.recordedfuture.com/redfoxtrot-insikt-report	https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/	https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/	https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html
107	IronHusky																MysterySnail, CVE-2021-40449			Vicious Panda		https://securelist.com/apt-trends-report-q1-2018/85280/https://securelist.com/apt-trends-report-q1-2018/85280/	https://securelist.com/apt-trends-report-q2-2020/97937/	https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
108	Antlion							Antlion									Xpack, JpgRun, EHAGBPSL, NetSessionEnum	Financial Services in ROC (Taiwan)				https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks
109	DEV-0322													TiltedTemple				US Defense Industrial Base, higher education, consulting services, and information technology sectors	Serv-u Secure FTP, Exploit ZOHO ManageEngine ADSelfService Plus	TG-3390, Emissary Panda, APT27		https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/	https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/	https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/	https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/
110	Curious Gorge																	government & military organizations in Ukraine, Russia, Kazakhstan, and Mongolia			Subordinate to Strategic Support Force	https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/
111	Scarab																Scieron, Trojan.Scieron, Trojan.Scieron.B,	Russia, Ukraine		UAC-0026		https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments	https://otx.alienvault.com/pulse/54c7e1e811d4085eb82e0598/	https://cert.gov.ua/article/38097	https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/	https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/
112	BackdoorDiplomacy			CloudComputating									G0135				Quarian, Turian, Follina				Kaspersky = CloudComputating = Chinese in 2Q2017 APT summary, CloudComputating = BackdoorDiplomacy in 3Q2021 APT summary, ESET CloudComputating = BackdoorDiplomacy using Turian & Quarian	https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/	https://securelist.com/?s=CloudComputating	https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
113	Earth Berberoka											GamblingPuppet, Gambling Puppet						Chinese gambling websites, one education-related government institution, two IT services companies, and one electronics manufacturing company		Emissary Panda, Iron Tiger		https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf	https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
114	RedAlpha																			DeepCliff, Red Dev 3		https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community/	https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf	https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf
115	Bluebottle																					https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
116	DragonSpark																					https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/
117	Yanluowang																					https://darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics
118	LuoYu																					https://thestack.technology/kaspersky-luoyu-windealer-man-on-the-side/
119	Aoqin Dragon																					https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
120
121
122
123
124	Earth Yako													RestyLink				Japan & Taiwan				https://security.macnica.co.jp/blog/2022/05/iso.html	https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink	https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_5_hara-higashi-shoji_en.pdf	https://www.trendmicro.com/en_us/research/23/b/invitation-to-secret-event-uncovering-earth-yako-campaigns.html


1	Russia
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	Other Name 8	Other Name 9	Other Name 10	Other Name 11	Other Name 12	Other Name 13	Secureworks	Operation 1	Operation 2	Operation 3	Operation 4	Operation 5	Operation 6	Operation 7	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28

3	Sofacy	APT28	Sednit	Pawn Storm	Group 74	Tsar Team	Fancy Bear	Strontium	Swallowtail	SIG40	Grizzly Steppe	TG-4127	SNAKEMACKEREL		IRON TWILIGHT	Russian Doll	Bundestag	TV5 Monde "Cyber Caliphate"	EFF Attack	DNC Hack	OpOlympics	Burisma	CHOPSTICK, CORESHELL, Winexe, SOURFACE, OLDBAIT, Sofacy, XAgent, XTunnel, WinIDS, Foozer, DownRange, Sedreco Dropper, Komplex, DealersChoice, Downdelph, Sednit, USBStealer, Sedkit, HideDrv (Rootkit), LoJax, Sofacy, SeduUploader	United States government		Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016. Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy	https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf	https://app.box.com/s/g55oxdd3q63hyngbjm4fbipfct94wrye	https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/	http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf	https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	http://fancybear.net/	http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/	http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/	https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/	https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf	https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf	http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html	https://apnews.com/3bca5267d4544508bb523fa0db462cb2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP	https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/	https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/	https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/	https://securelist.com/a-slice-of-2017-sofacy-activity/83930/	https://securelist.com/masha-and-these-bears/84311/	https://cdn.area1security.com/reports/Area-1-Security-PhishingBarismaHoldings.pdf	https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/	https://cybergeeks.tech/skinnyboy-apt28/	https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html	https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine?sref=ExbtjcSG	https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/
4	APT29	Dukes	Group 100	Cozy Duke	EuroAPT	Cozy Bear	CozyCar	Cozer	Office Monkeys / TEMP.Monkeys	Minidionis	SeaDuke	Hammer Toss	Fritillary	Yttrium / StellarParticle / UNC3524 / Cranefly /	IRON HEMLOCK	Operation Ghost							Hammertoss, OnionDuke, CosmicDuke, MiniDuke, CozyDuke, SeaDuke, SeaDaddy implant developed in Python and compiled with py2exe, AdobeARM, ATI-Agent, MiniDionis, Grizzly Steppe, Vernaldrop, Tadpole, Spikerush, POSHSPY, PolyglotDuke, RegDuke, FatDuke	This threat actor targets government ministries and agencies in Europe, the US, Central Asia, East Africa, and the Middle East, associated with DNC attacks	phishing emails	Active campaign post 2016 US presidential election	https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf	https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/	https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/	https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf	http://www.volexity.com/blog/	https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf	https://www2.fireeye.com/rs/848-DID-242/images/RPT-M-Trends-2017.pdf	https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html	https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html	https://securelist.com/the-cozyduke-apt/69731/	https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/	https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a	https://www.istrosec.com/blog/apt-sk-cobalt/	https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/	https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/	https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft	https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/	https://www.mandiant.com/resources/blog/unc3524-eye-spy-email	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan
5	Turla Group	Snake	Venomous Bear	Group 88	Waterbug	Turla Team	Krypton	Uroburos	SIG23	MAKERSMARK	ITG12				IRON HUNTER	Satellite Turla	Epic Turla	The 'Penquin' Turla	Witchcoven	RUAG hack	Mosquito	Moonlight Maze	systeminfo, net, tasklist, gpresult, wce, pwdump, Uroburos, Turla, Agent.BTZ, Tavdig, Wipbot, Agent.dne, AdobeARM, ATI-Agent, MiniDionis, WhiteBear, Gazer, Neuron, Nautilus	Targeting several governments and sensitive businesses such as the defense industry		Turla also uses OilRig's (APT34) implants	https://securelist.com/analysis/publications/65545/the-epic-turla-operation/	https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/	https://securelist.com/blog/research/67962/the-penquin-turla-2/	https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf	https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf	https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/	https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/	https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/	https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack	https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/	https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case	http://www.sueddeutsche.de/digital/it-sicherheit-einbrechen-ausbreiten-abgreifen-1.3887843	https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/	https://www.ncsc.gov.uk/alerts/turla-group-malware	https://motherboard.vice.com/en_us/article/vvk83b/moonlight-maze-turla-link	https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf	https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/	https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments	https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/	https://securelist.com/shedding-skin-turlas-fresh-faces/88069/	https://twitter.com/lehtior2/status/893085897226412036	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims	https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0	https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/	https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/	https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/
6	Energetic Bear	Dragonfly	Crouching Yeti	Group 24	Koala Team	Berserk Bear	Anger Bear	Dymalloy	Havex	PEACEPIPE	Fertger	TEMP.Isotope	ALLANITE		IRON LIBERTY								Havex RAT, Oldrea, LightsOut ExploitKit, Inveigh, PsExec, Persistence through .LNK file manipulations, Nmap, Dirsearch, Sqlmap, Sublist3r, Wpscan, Impacket, SMBTrap, Commix, Subbrute, PHPMailer, Web Shells (PHP), MCMD	This threat actor targets companies in the education, energy, construction, information technology, and pharmaceutical sectors for the purposes of espionage. It uses malware tailored to target industrial control systems. Energy, Middle East oil and natural gas as the goal, dedicated to gather relevant information, technology company in Western Europe that produces civil, military and critical infrastructure communications equipment	Active	Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly	http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf	http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans	https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/	https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group	https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/	https://www.us-cert.gov/ncas/alerts/TA17-293A	https://threatmatrix.cylance.com/en_us/home/energetic-dragonfly-dymalloy-bear-2-0.html	https://securelist.com/energetic-bear-crouching-yeti/85345/	https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf	https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html	https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector	https://www.secureworks.com/research/mcmd-malware-analysis	https://www.secureworks.com/blog/own-the-router-own-the-traffic	https://us-cert.cisa.gov/ncas/alerts/aa20-296a	https://theintercept.com/2020/12/17/russia-hack-austin-texas/	https://vblocalhost.com/uploads/VB2021-Slowik.pdf	https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/
7	Sandworm	Sandworm Team (MITRE G0034)	TEMP.Noble	Electrum	TeleBots	Quedagh Group	BE2 APT	Black Energy	Iridium	Hades	Voodoo Bear	Quedagh	Iron Viking	Grey Energy	IRON VIKING	Black Energy	Ukrenergo	NPetya, NotPetya	Ukraine Power Grid 2016-12-17				CVE-2014-4114, Industroyer, CrashOverride, OlympicDestroyer, GreyEngergy Mini as their 1st-stage implant, GCat, Delphocy, Zebrocy, Zekapab	This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Ukrainian energy sector, Eastern Europe.		Linked to Kiev Dec2016 ICS cyberattack	http://www.isightpartners.com/2014/10/cve-2014-4114/	http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/	https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf	https://www.us-cert.gov/ncas/alerts/TA17-163A	https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid	https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/	https://securelist.com/from-blackenergy-to-expetr/78937/	https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/	https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/	https://securelist.com/greyenergys-overlap-with-zebrocy/89506/	https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/	https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector	https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/	https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/	https://securelist.com/olympic-destroyer-is-still-alive/86169/	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf	https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm	https://cert.gov.ua/article/39518	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/	https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-military-intelligence-officers-conducting-malicious-activity-against-u-s-critical-infrastructure/
8	FIN7	Carbanak	Anunak	Carbon Spider																			PowerSource	Bank of Valetta, Malta		Overlaps with Carbanak (but not the same group)	https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns	https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor	https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/	https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html	https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf	https://www.rsa.com/content/dam/premium/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf	https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/	https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/	https://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html	https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html	https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/	https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html	https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/	https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader	https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc	https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/	https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf
9	FIN8																						PowerSniff, PUNCHBUGGY, PUNCHTRACK, ShellTea, BADHATCH, PoSlurp	Hotel-Entertainment Industry, POS malware attack			https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/	https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html	https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_YARA.pdf	https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html	http://blog.morphisec.com/security-alert-fin8-is-back	https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/	https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf	https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation
10	Inception Framework	Blue Odin												MITRE: G0100		Red October	Cloud Atlas							This threat actor targets governments and diplomatic organizations for espionage purposes. Suspected Operator in Ukraine working for Russia or its allies.			https://securelist.com/blog/incidents/57647/the-red-october-campaign/	http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/	https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies	https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware	https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/	https://securelist.com/recent-cloud-atlas-activity/92016/	https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/	https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/
11	TeamSpy Crew	SIG39														TeamSpy							Malicious TeamViewer versions, JAVA RATs	This threat actor primarily compromises government entities and human rights activists in Eastern Europe and Central Asia for espionage purposes. It has also compromised private and public sector entities in the Middle East and in Western countries.			http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/theteamspystory_final_t2.pdf	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
12	BuhTrap	Ratopak																					AmmyAdmin, LURK, NSIS, Mimikatz, CVE-2012-0158, PuntoSwitcher (like Keylogger)				https://www.welivesecurity.com/2015/04/09/operation-buhtrap/	http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/	http://www.group-ib.com/brochures/gib-buhtrap-report.pdf	https://www.netscout.com/blog/asert/diving-buhtrap-banking-trojan-activity	https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/
13	Carberb																							USA			http://itlaw.wikia.com/wiki/Moonlight_Maze
14	???															RUAG Espionage							Turla Family, Uroburos, Snake (Carbon) Rootkit, Tavdig/Wipbot/Epic, Mimikatz, dsquery, dsget	Swiss defence department			https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case
15	FSB 16th & 18th Centers	Gamaredon Group	BlueAlpha	Shuckworm	ACTINIUM	Primitive Bear	Trident Ursa	Iron Tilden								OP Armageddon	Op Gamework						Pterodo, QuietSieve, DessertDown, DinoTrain			Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto	https://lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_FINAL.pdf	http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/	https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/	https://www.recordedfuture.com/bluealpha-iranian-apts/	https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/	https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes	https://mp.weixin.qq.com/s/OfDTcrTVAgjACeh0Z5wi7w	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine	https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/	https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/#indicators-of-compromise	https://cert.gov.ua/article/39386	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine	https://blogs.cisco.com/security/network-footprints-of-gamaredon-group	https://cert.gov.ua/article/1229152	https://cert.gov.ua/article/1229152	https://unit42.paloaltonetworks.com/trident-ursa/	https://www.secureworks.com/research/threat-profiles/iron-tilden
16	Cyber Berkut																							Bellingcat		During Ukrainian Revolution	https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter
17	WhiteBear	Skipper Turla																					Kopiluwak	embassies and diplomatic/foreign affair organizations, defense-related organizations		Associated with Turla	https://securelist.com/introducing-whitebear/81638/
18	???															BugDrop								This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.			https://cyberx-labs.com/en/blog/operation-bugdrop-cyberx-discovers-large-scale-cyber-reconnaissance-operation/
19	GRU GTsST (Main Center for Special Technology)																						NotPetya				https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?utm_term=.23e3c7810049
20	TEMP.Veles	Xenotime	Triton																				Triton	Oil refinery, other infrastructure			https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html	https://dragos.com/resource/xenotime/	https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/	https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html	https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html	https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html	https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf
21	Zebrocy	Zebrocy																						Germany, Indonesia, the United States, Taiwan, India, France, Serbia, Ecuador, Argentina, South Korea, Japan, China, Britain, South Africa, Italy, Hong Kong, Romania, Ukraine, Macedonia, Russia, Switzerland, Senegal, the Philippines, UAE, Qatar, Saudi Arabia, Pakistan, Thailand, Bahrain, Turkey, Bulgaria, Bangladesh			https://securelist.com/a-zebrocy-go-downloader/89419/	https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/	https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/	https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/	https://securelist.com/zebrocys-multilanguage-malware-salad/90680/
22	SectorJ04																						Dridex, The Trick, Locky, Jaff, FlawedAmmyy, GraceWire malicious software signed with valid digital signatures			TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017	https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/	https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678	https://www.databreachtoday.com/two-russians-indicted-over-100m-dridex-malware-thefts-a-13473	https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/campaigns-details.operation-sectorj04-2019.html
23	FullofDeep																						QNAPCrypt ransomware			Operates from Union State & Ukraine	https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/
24	RedCurl																						Powershell scripts	Russia, ukraine, Canada, Germany, the united Kingdom, norway, mainly targeting sectors: construction companies, financial and consulting companies, retailers, banks, insurance companies, law firms, travel agencies		Corporate espionage and theft of documents	https://www.group-ib.com/media/red-curl/
25	TA551	Shathak																					IcedID, Valak, Sliver				https://unit42.paloaltonetworks.com/valak-evolution/	https://isc.sans.edu/diary/rss/26438	https://isc.sans.edu/forums/diary/More+TA551+Shathak+Word+docs+push+IcedID+Bokbot/26674	https://unit42.paloaltonetworks.com/ta551-shathak-icedid/	https://threatresearch.ext.hp.com/detecting-ta551-domains/	https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity
26	UNC2452	Dark Halo	NOBELIUM	Silver Fish	StellarParticle											FireEye Compromise	Solarwinds Supply Chain Attack						SUNBURST, TEARDROP, SUPERNOVA Webshell (likely by other unknown group), COSMICGALE PowerShell Tool, CobaltStrike	IT sector		High sophistication, overlap to APT29, SVR, YTTRIUM	https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html	https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html	https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/	https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth	https://github.com/eanmeyer/SolarwindsVulnerablityInfo	https://us-cert.cisa.gov/ncas/alerts/aa20-352a	https://github.com/center-for-threat-informed-defense/public-resources/tree/master/solorigate	https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/	https://malpedia.caad.fkie.fraunhofer.de/actor/unc2452	https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf	https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/	https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/	https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/	https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/	https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/	https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nobeliums-most-novel-attacks-cyberattack-series/
27	Ember Bear	UAC-0056	Lorec53	Lorec Bear	Bleeding Bear	Saint Bear	UNC2589	TA471	DEV-0586														WhisperGate wiper, Elephant Framework	Ukraine, limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan. Third-party reporting has also linked the group to attacks on Georgia.			https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/	https://cert.gov.ua/article/37704	https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/	https://socprime.com/blog/cobalt-strike-beacon-grimplant-and-graphsteel-malware-massively-spread-by-uac-0056-threat-actors-in-targeted-phishing-emails-cert-ua-alert/	https://www.crowdstrike.com/blog/who-is-ember-bear/	https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/	https://cert.gov.ua/article/703548	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer	https://www.mandiant.com/resources/blog/russia-invasion-ukraine-retaliation	https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader	https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/	https://www.malwarebytes.com/blog/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign	https://www.malwarebytes.com/blog/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room	https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/
28	COLDRIVER	Callisto	TA446	SEABORGIUM	Calisto	TAG-53																				Overlap w/Gamaredon	https://www.f-secure.com/documents/996508/1030745/callisto-group	https://natoassociation.ca/phishing-on-the-dnieper-russian-offensive-cyber-operations-in-ukraine/	https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/	https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/	https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/	https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/	blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support/	https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html	https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations	https://6068438.fs1.hubspotusercontent-na1.net/hubfs/6068438/Nisos-Research-Coldriver-Group.pdf
29	Vice Society																						PrintNightmare, HelloKitty and Zeppelin ransomware	Education and research institutes			https://socradar.io/dark-web-profile-vice-society/	https://www.cybersecuritydive.com/news/microsoft-leaks-vice-society-playbook/634964/	https://www.wired.com/story/vice-society-ransomware-gang/	https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/	https://www.cisa.gov/uscert/ncas/alerts/aa22-249a
30	Karakurt																										https://www.cisa.gov/uscert/ncas/alerts/aa22-152a
31	Cyber Spetsnazs																										https://cyware.com/news/cyber-spetsnazs-operation-panopticon-launches-espionage-attacks-3d49eade
32	Royal	DEV-0569	Conti	Quantum	Black Byte	Diavol	Black Basta	Ryuk (as FIN12)	Wizard Spider (DEV-0193)							BazarCall Campaign							BATLOADER, Royal Ransomware, Ursnif, Gozi, Vidar Stealer & Cobals Strike as well as legitimate synchro remote monitoring and management (RMM) tools.	Healthcare, manifacturing, professional, scientific, technical services, wholesale, education		Former Conti and other groups around Wizard Spider	https://blog.bushidotoken.net/2022/11/the-continuity-of-conti.html	https://socradar.io/dark-web-profile-royal-ransomware/	https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/	https://unit42.paloaltonetworks.com/bazarloader-malware/	https://www.trendmicro.com/de_de/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html	https://github.com/pan-unit42/tweets/blob/master/2023-02-07-IOCs-for-probable-Matanbuchus-activity.txt	https://twitter.com/Unit42_Intel/status/1623349272061136900
33	Revil	Water Mare	GrandCrab													Medibank November 2022							Sodinokibi, IcedID, Qakbot, PsExec, FileZilla	Transportation, Financial, Oil and Gas, Technology, Healthcare, in United States, Mexico, Germany, Japan, Israel		They are again active since November 2022 attacking Medibank in Australia	https://www.cyjax.com/2021/07/09/revilevolution/	https://www.nomios.com/resources/what-is-revil-ransomware/	https://img.nomios.com/images/Resources/2021/revil-ransomware-execution-flaw.png?auto=compress%2Cformat&fit=max&fm=jpg&q=70&w=2800&s=48724d52aa9478208925e681d6a332d6	https://analyst1.com/file-assets/History-of-REvil.pdf	https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/	https://de.tenable.com/blog/cve-2019-11510-critical-pulse-connect-secure-vulnerability-used-in-sodinokibi-ransomware	https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil	https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/	https://www.hhs.gov/sites/default/files/revil-update-tlpwhite.pdf


1	North Korea
2	Common Name	CrowdStrike	Talos Group	Dell Secure Works	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Other Name 6	Other Name 7	Other Name 8	Rep. of Korea FSI	MITRE AT&CK	Operation 2	Operation 3	Operation 4	Operation 5	Operation 6	Operation 7	Operation 8	Operation 9	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31	Link 32	Link 33	Link 34	Link 35	Link 36	Link 37	Link 38	Link 39	Link 40	Link 41	Link 42	Link 43	Link 44	Link 45

3	Lazarus Group	Labyrinth Chollima	Group 77	Hastati Group	Bureau 121	Unit 121	Whois Hacking Team	NewRomanic Cyber Army Team	ZINC	Appleworm	Hidden Cobra	Nickel Academy		G0032	Blockbuster	Dark Seoul	Applejeus	Inception	NorthStar	Dream Job	KuCoin Hack	ThreatNeedle	Tdrop, Tdrop2, Troy, Destover, FallChill RAT, Volgmer, Hawup, Manuscrypt, WolfRAT, SheepRAT, HtDnDownLoader, ThreatNeedle	Believed to be responsible for Dark Seoul, Ten Days of Rain, the Sony Pictures Entertainment attack, the SWIFT-related bank heists, and WannaCry. Known to the U.S. government as Hidden Cobra. Targeting also BitCoin Exchanges, financial sector, technology/engineering sector	Delivery: usually via spear phishing email. Infrastructure: C2 often based on compromised servers,moving to own servers paid by bitcoin to preserve anonymity Persistency: tipically launching ransomware after operation to destroy evidences	Threat Recon.nshc.net alias=SectorA01	http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf	http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/	https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf	https://www.alienvault.com/open-threat-exchange/blog/operation-blockbuster-unveils-the-actors-behind-the-sony-attacks	https://www.us-cert.gov/ncas/alerts/TA17-164A	http://www.fsec.or.kr/common/proc/fsec/bbs/21/fileDownLoad/1235.do	https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/	https://www.crowdstrike.com/blog/unprecedented-announcement-fbi-implicates-north-korea-destructive-attacks/	https://www.us-cert.gov/ncas/alerts/TA17-318A	https://www.us-cert.gov/ncas/alerts/TA17-318B	https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf	https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/	https://www.darkreading.com/vulnerabilities---threats/lazarus-group-fancy-bear-most-active-threat-groups-in-2017/d/d-id/1330954?print=yes	https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity	https://securelist.com/operation-applejeus/87553/	https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/	https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing	https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/	https://objective-see.com/blog/blog_0x49.html	https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/	https://blog.alyac.co.kr/2827	https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/	https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/	https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/	https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/	https://www.clearskysec.com/operation-dream-job/	https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html	https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74	https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/	https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/	https://www.hvs-consulting.de/lazarus-report/	https://blog.chainalysis.com/reports/lazarus-group-kucoin-exchange-hack	https://securelist.com/lazarus-threatneedle/100803/	https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf	https://blog.alyac.co.kr/3814	https://www.cisa.gov/uscert/ncas/alerts/aa22-108a	https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/	https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/	https://securelist.com/dtrack-targeting-europe-latin-america/107798/	https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/	https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/	https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf
4	APT37	Ricochet Chollima	Group 123	ScarCruft	APT37	Red Eyes	Reaper	Venus 121 (금성121)	THALLIUM					G0067	Erebus	Golden Time	Evil New Year	Are you Happy?	FreeMilk	North Korean Human Rights	Evil New Year 2018	Operation Earth Kitsune	KARAE, SOUNDWAVE, ZUMKONG, RICECURRY, CORALDECK, POORAIM, SLOWDRIFT, MILKDROP, GELCAPSULE, DOGCALL, HAPPYWORK, RUHAPPY, SHUTTERSPEED, Flash Exploit CVE-2016-4117, ROKRAT, KEVDROID, BabyShark, KimJongRAT, GOLDBACKDOOR	Primarily South Korea – though also Japan, Vietnam and the Middle East – in various industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive, and healthcare; Scarcruft Tracking: Russia, Nepal, South Korea, China, India, Kuwait and Romania		FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123	https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html	http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html	https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/	https://exchange.xforce.ibmcloud.com/collection/Fear-The-Reaper-North-Korean-Group-APT37-dc96e8bdff7573efb87d43d7584c1fbc	https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/	https://unit42.paloaltonetworks.com/unit42-reaper-groups-updated-mobile-arsenal/	https://blog.alyac.co.kr/1985	https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/	https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/	https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/	https://www.zdnet.com/article/microsoft-takes-down-50-domains-operated-by-north-korean-hackers/?mid=1#cid=8960026	https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/	https://blog.alyac.co.kr/3489	https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/?utm_source=rss&utm_medium=rss&utm_campaign=north-korean-apt-inkysquid-infects-victims-using-browser-exploits	https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/	https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/	https://0xthreatintel.medium.com/static-analysis-of-bluelight-malware-7bb0a399a54e	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/	https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf	https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/	https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/	https://blog.alyac.co.kr/5009	https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf	https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html	https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html	https://interlab.or.kr/archives/2567	https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/wirtschafts-wissenschaftsschutz/2023-03-20-sicherheitshinweis-cyberaktivitaeten.pdf?__blob=publicationFile&v=2
5	Andariel	Silent Chollima											Andariel	G0138	DesertWolf	Vanxatm	Mayday	INITROY	XEDA	Sony			RifDoor, Phandoor	Information gathering and profit		Lazarus subgroup	https://www.scmagazineuk.com/war-plans-including-assassination-plan-stolen-by-north-korean-hackers/article/699089/	https://gsec.hitb.org/materials/sg2017/D1%20-%20Ashley%20Shen%20and%20Moonbeom%20Park%20-%20A%20Deep%20Dive%20into%20the%20Digital%20Weapons%20of%20the%20North%20Korean%20Cyber%20Army.pdf	http://www.fsec.or.kr/user/bbs/fsec/21/13/bbsDataView/910.do	http://online.wsj.com/public/resources/documents/print/WSJ_-A006-20170728.pdf	https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/	https://asec.ahnlab.com/en/48198/
6	Kimsuki	Velvet Chollima			Kimsuky	Thallium	CloudDragon	TA406 (Proofpoint)						G0094									KPortScan, PsExec, Procdump, Mimikatz, Eternal suite of exploits, NirSoft MailPassView/Network Password Recovery/Remote Desktop PassView/SniffPass/WebBrowserPassView, Mechanical, Grease, KGH_SPY	This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.			http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/	http://www.reuters.com/article/us-nuclear-southkorea-northkorea-idUSKBN0MD0GR20150317	https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/	https://apt.securelist.com/#!/threat/972	https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks#When:14:00:00Z	https://crowdstrike.lookbookhq.com/web-global-threat-report-2019/crowdstrike-2019-gtr	https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/	https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf	https://blog.alyac.co.kr/2243	https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf	https://blog.prevailion.com/2019/09/autumn-aperture-report.html	https://www.dailynk.com/english/north-korean-hackers-mount-phishing-attack-nkhr-groups/	https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/	https://asec.ahnlab.com/1313?category=342979	https://blog.alyac.co.kr/2906	https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite	https://blog.alyac.co.kr/3368	http://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf	https://blog.alyac.co.kr/3799	https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/	https://cybleinc.com/2021/06/03/kimsuky-apt-group-distributes-fake-security-app-disguised-as-kisa-security-program/	https://teamt5.org/en/posts/clouddragon-campaign-vpn-zero-day-vulnerability-new-backdoor/	https://blog.alyac.co.kr/4130	https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf	https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/	https://ti.qianxin.com/blog/articles/spikes-from-the-kimsuky-organization-targeted-killing-of-south-korea-with-multiple-assault-weapons/
7	NoName																						malware with name "mySingleMessenger.exe"			NorthKorea vs Samsung	http://securityfactory.tistory.com/332
8	OnionDog																							This threat actor targets the South Korean government, transportation, and energy sectors.		False Positive. APT Training by SK Government	http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml	http://zhuiri.360.cn/upload/APT-C-03-en.pdf	http://www.chinadaily.com.cn/china/2016-03/09/content_23794129.htm	http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml
9	TEMP.Hermit				APT38									G0082									VOLGMER, PEACHPIT	Korean Peninsula, US Aerospace, SWIFT-fraud operations in East Asia	Media, government, but mainly financial institutions in order to raise money for the North Korean regime: Russia, Turkey, US, Poland, Mexico, Brazil, Ururguay, Taiwan, Malaysia, Chile, Vietnam, Philippines		https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/	http://www.scmagazine.com/sony-hackers-are-still-hacking-researchers-say/article/474166/	https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html
10	?																						MaoCheng Dropper	Humanitarian Aid Groups			https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
11	Stardust Chollima	Stardust Chollima			APT38	ElectricFish	BlueNoroff	TA444 (Proofpoint)	COPERNICIUM (Microsoft)					G0082	Far Eastern International Bank								Dimens, MBR Killer, ElectricFish	Latin America, Mexico, Costa Rica, Chile, Argentina, financial institutions in Asia and Africa in 2018			https://app.cdn.lookbookhq.com/lbhq-production/10339/content/original/9dd0e31a-c9c0-4e1c-aea1-f35d3e930f3d/CrowdStrike_GTR_2019_.pdf	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/	https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/	https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html	https://techcrunch.com/2019/08/15/cyber-command-north-korea-malware/	https://www.thedailybeast.com/north-korean-hackers-caught-snooping-on-chinas-cyber-squad	https://www.cisa.gov/uscert/ncas/alerts/aa22-108a	https://securelist.com/bluenoroff-methods-bypass-motw/108383/	https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds


1	Iran
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5			FireEye Name	Crowdstrike	Cisco Name	MITRE ATT&CK	Operation 1	Operation 2	Operation 3	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9	Link 10	Link 11	Link 12	Link 13	Link 14	Link 15	Link 16	Link 17	Link 18	Link 19	Link 20	Link 21	Link 22	Link 23	Link 24	Link 25	Link 26	Link 27	Link 28	Link 29	Link 30	Link 31

3	Cutting Kitten	TG-2889	Ghambar	COBALT GYPSY						Cutting Kitten		G0059	Cleaver			TinyZBot, PupyRAT	This threat actor targets governments and private sector entities for espionage and sabotage purposes. It is believed to be responsible for compromising U.S. Navy computers at the Navy Marine Corps Intranet in San Diego, the U.S. energy company Calpine Corporation, Saudi Aramco, Pemex, Qatar Airways, and Korean Air		COBALT GYPSY overlap with OilRig	http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/	https://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf	https://www.secureworks.com/research/the-curious-case-of-mia-ash
4	Shamoon									Volatile Kitten		S0140				Shamoon / Disttrack	This threat actor targets energy sector, oil and gas industry as well as transportation and telecommunication services.	wiper		https://en.wikipedia.org/wiki/Shamoon	http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html
5	Clever Kitten									Clever Kitten	Group 41					Acunetix Web Vulnerability Scanner, PHP Webshell RC SHELL				http://www.crowdstrike.com/blog/whois-clever-kitten/
6	Madi																This threat actor compromises engineering firms, government entities, and financial and academic institutions in the United States, Israel, Iran, and Pakistan	Social engineering		https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/	https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/
7	Cyber fighters of Izz Ad-Din Al Qassam		Fraternal Jackal										Ababil / ApAbabil				The websites of Bank of America, JPMorgan Chase, Wells Fargo, and other U.S. financial institutions suffered simultaneous outages due to a coordinated denial of service cyberattack in September 2012. Attackers flooded bank servers with junk traffic, preventing users from online banking. An Iranian group called Izz ad-Din al-Qassam Cyber Fighters initially claimed responsibility for the incident. At the time, the media reported that U.S. intelligence believed the denial of service was in response to U.S. imposed economic sanctions to counter Iran's nuclear program. Seven Iranian individuals linked to the Islamic Revolutionary Guard Corps were eventually indicted by the U.S. Department of Justice in 2016 for their involvement in the incident.	DoS		http://pastebin.com/u/QassamCyberFighters	http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html	http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html	https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
8	Chafer	Cadelle	ITG07	Rana					APT39	Remix Kitten		G0087				Remexi, PsExec, Mimikatz, Web Shells (aspx spy, b374k), nbtscan, plink, RemCom, VNC Bypass scanner, CoreSecurity tools, Impacket / Python exploits, NSSM, Remcom, HTTPTunnel, Cadelspy, PLink, SSH Tunnels to Windows Servers	Airlines, Airports, Transportation, Logistics - worldwide		Uses the same C2 infrastructure as OilRig	http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets	https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions	http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets	https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html	https://securelist.com/chafer-used-remexi-malware/89538/	https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/	https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/	https://securityintelligence.com/posts/observations-of-itg07-cyber-operations/	https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf	https://threatconnect.com/blog/research-roundup-apt39-adversaries/	https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies
9	Prince of Persia	APT-C-50														Infy	This threat actor targets governments and businesses of multiple countries, including the United States, Israel, and Denmark.			https://iranthreats.github.io/	http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/	https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/	https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/	https://blogs.360.cn/post/APT-C-50.html	https://blogs.360.cn/post/APT-C-50.html	https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf	https://research.checkpoint.com/2021/after-lightning-comes-thunder/
10	Sima																focus on dissidents, woman rights activists, human rights organizations			https://iranthreats.github.io/
11	Oilrig	COBALT GYPSY	Twisted Kitten	Crambus	ITG13	Chrysene			APT34	Helix Kitten		G0049				Helminth, ISMDoor, Clayslide, QUADAGENT, OopsIE, ALMA Communicator, customized Mimikatz, Invoke-Obfuscation,POWBAT, POWRUNER (PS Backdoor), BONDUPDATER, malicious RTF files CVE-2017-0199 and CVE-2017-11882, ELVENDOOR, PLink, PsExec, SSH Tunnels to Windows Servers, Webshells (TwoFace, DarkSeaGreenShell, LittleFace), PowDesk			Uses the same C2 infrastructure as Chafer - which caused a major mixup of OilRig campaigns falsely attributed to Chafer. Also note that Turla used OilRigs implants	https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html	http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/	http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/	http://www.clearskysec.com/oilrig/	https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf	http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/	http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20	https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a	https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/	https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/	https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/	https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html	https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/	https://www.dragos.com/blog/20180517Chrysene.html	https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf	https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html	https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims	https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/	https://www.clearskysec.com/powdesk-apt34/	https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/	https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html	https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html	https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/	https://blog-cert.opmd.fr/dnspionage-retour-factuel-sur-les-attaques-annoncees-dans-differents-medias/	https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html
12	CopyKittens	Slayer Kitten	DarkHydrus	LazyMeerkat								G0052	Wilted Tulip			TDTESS backdoor, Vminst, NetSrv, Cobalt Strike, ZPP, Matryoshka v1 and Matryoshka v2	Israel’s Ministry of Foreign Affairs and some well-known Israeli academic researchers specializing in Middle East Studies. Israel, Saudi Arabia, United States, Jordan, Germany		DarkHydrus C2 Infra Overlap	https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf	https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/	http://www.clearskysec.com/copykitten-jpost/	http://www.clearskysec.com/tulip/	https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
13	Charming Kitten	Parastoo	iKittens	NEWSCASTER	NewsBeef	Phosphorus	TA453	COBALT MIRAGE,	APT35	Charming Kitten	Group 83	G0059				ALFA TEaM Shell, DROPSHOT, TURNEDUP, SHAPESHIFT, malicious HTA files, MacDownloader	This threat actor uses watering hole attacks and fake profiles to lure targets from the U.S. government for espionage purposes.	Fake Social Media Account	IBM=ITG18, Overlap w/Yellow Garuda, UNC788	https://iranthreats.github.io/resources/macdownloader-macos-malware/	https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/	https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks	https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf	https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/	https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf	https://cryptome.org/2012/11/parastoo-hacks-iaea.htm	https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/	http://www.clearskysec.com/charmingkitten/	https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf	https://noticeofpleadings.com/phosphorus/files/Sealing.pdf?fbclid=IwAR1HMnynb0AaGyCI-8ejHjH-pNORfuHYOzQdsTrSpin2eRww6rRh-6VK2SI	https://securelist.com/twas-the-night-before/91599/	https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf	https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/	https://www.clearskysec.com/the-kittens-are-back-in-town-2/	https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/	https://www.clearskysec.com/the-kittens-are-back-in-town-3/	https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage	https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us	https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools	https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html	https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/	https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo	https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/	https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians	https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver
14	Greenbug															ISMdoor	Saudi Arabia		Sub group of APT34 according to Mandiant	https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon	https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/	https://www.arbornetworks.com/blog/asert/greenbugs-dns-isms/	https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/	http://www.clearskysec.com/ismagent/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
15	Magic Hound	Timberworm	MAGNALLIUM	Elfin	Refined Kitten	Holmium			APT33			G0059	Stonedrill/ Shamoon2.0			Shamoon, POWERTON, Ruler, PUPYRAT, POSHC2 (.NET backdoor), TURNEDUP, AutoIt backdoor, Gpppassword, LaZagne, Quasar RAT, Remcos, SniffPass, DarkComet, AutoIt FTP tool, .NET FTP tool, PowerShell downloader (registry.ps1), POSHC2 backdoor, different keyloggers	A threat actor used malware known as Shamoon 2.0 to exfiltrate and delete data from computers in the Saudi transportation sector. Commercial entities, Middle East, US, South Korea, DND focussed entities, Airlines, Airline suppliers.		possibly associated with Rocket Kitten and Cobalt Gypsy, Sandcat, use Recruitment themes	http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/	https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/	https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets	https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html	https://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/	https://webcache.googleusercontent.com/search?q=cache:Dicnr9-eKKYJ:https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf+&cd=6&hl=en&ct=clnk&gl=ie	https://gallery.logrhythm.com/threat-intelligence-reports/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf	https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/	https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html	https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage	https://www.securityweek.com/iranian-hackers-caused-losses-hundreds-millions-report	https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf	https://www.wired.com/story/iran-apt33-industrial-control-systems/	https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/	https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html
16	Rocket Kitten	Flying Kitten	TEMP.Beanie	Saffron Rose	Ajax Security Team					Rocket Kitten	Group 26	G0059	Woolen Goldfish	Thamar Reservoir		GHOLE / Core Impact, CWoolger, FireMalv, .NETWoolger, MPK, Open source tools, Puppy RAT, MagicHound.Leash (IRC Bot), PowGoop (Downloader.Covic)	Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences. It seeks out material related to diplomacy, defense, security, journalism, and human rights for espionage purposes.			https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing	https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf	http://www.clearskysec.com/thamar-reservoir/	https://citizenlab.org/2015/08/iran_two_factor_phishing/	https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf	http://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/	https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/july/a-new-flying-kitten/	https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf
17	?												Mermaid				This threat actor is based in the Middle East (possibly Iran) and targets English- and Persian-language organizations. It is alleged to be the same group behind a compromise of the Danish Ministry of Foreign Affairs.			https://ti.360.com/upload/report/file/mryxdgkb20160707en.pdf
18	ITSecTeam											G0059					One of the threat actors responsible for the denial of service attacks against U.S in 2012/2013. Three individuals associated with the group believed to be have been working on behalf of Iran's Islamic Revolutionary Guard Corps were indicted by the Justice Department in 2016.			http://pastebin.com/mCHia4W5	http://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html	https://www.washingtonpost.com/world/national-security/iran-blamed-for-cyberattacks/2012/09/21/afbe2be4-0412-11e2-9b24-ff730c7f6312_story.html
19	MuddyWater	TEMP.Zagros	Seedworm	Cobalt Ulster	SectorD02	MERCURY				Static Kitten		G0069	BlackWater	Operation Quicksand		POWERSTATS, PoweMuddy, LaZagne, Crackmapexec, ScreenConnect, MoriAgent, Pudpoul, Thanos Ransomware, PowGoop, Covicli,	individuals in Asia and the Middle East, government and defense entities in Central and Southwest Asia		Struggle with Kaspersky, relates to UNC3313	https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/	https://sec0wn.blogspot.co.il/2018/03/a-quick-dip-into-muddywaters-recent.html	https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/	https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html	https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group	https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf	https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/	https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html	https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/	https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf	https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf	https://securelist.com/muddywaters-arsenal/90659/	https://www.prevailion.com/summer-mirage-2/	https://www.secureworks.com/blog/business-as-usual-for-iranian-operations-despite-increased-tensions	https://www.bleepingcomputer.com/news/security/microsoft-iranian-hackers-actively-exploiting-windows-zerologon-flaw/	https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf	https://www.telsy.com/operation-space-race-reaching-the-stars-through-professional-social-networks/	https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east	https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies	https://www.clearskysec.com/operation-quicksand/	https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/	https://www.picussecurity.com/resource/blog/ttp-ioc-used-by-muddywater-apt-group-attacks	https://www.cisa.gov/uscert/ncas/alerts/aa22-055a	https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
20	Mabna Institute	Silent Librarian	TA407	Cobalt Dickens	Yellow Nabu												144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations			https://www.fbi.gov/wanted/cyber/iranian-mabna-hackers	https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment	https://twitter.com/ClearskySec/status/977899578346430464	https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities	https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff	https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again	https://www.bleepingcomputer.com/news/security/iranian-hackers-create-credible-phishing-to-steal-library-access/	https://www.secureworks.com/research/threat-profiles/cobalt-dickens	https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/	https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/
21	DarkHydrus											G0079				RogueRobin				https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/	https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
22	Domestic Kitten									Domestic Kitten										https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/	https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
23	Flash Kitten	Raspite	Leafminer							Flash Kitten		G0077				Sorgu, guester / Trojan.Imecab	MENA Region		long-running SWC campaigns from December 2016 until public disclosure in July 2018	https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/	https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east	https://www.dragos.com/blog/20180802Raspite.html
24	Gold lowell	Boss Spider														SamSam			Criminal	https://www.secureworks.com/research/samsam-ransomware-campaigns	https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/	https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public	https://garwarner.blogspot.com/2018/11/two-iranian-hackers-charged-with-6.html
25	Iridium												Australian Parliament Hack	Citrix Hack		China Chopper / Ckife Webshells, LazyCat, reGeorge			NOTHING CONFIRMED YET, Resecurity page, original source, is 404	https://resecurity.com/blog/parliament_races/	https://www.scmagazine.com/home/security-news/apts-cyberespionage/iridium-cyberespionage-gang-behind-aussie-parliament-attacks/	https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/	https://www.forbes.com/sites/kateoflahertyuk/2019/03/15/who-is-resecurity-the-firm-that-named-the-iranian-group-allegedly-behind-the-citrix-hack/	https://www.wsj.com/articles/iran-blamed-for-cyberattack-on-australias-parliament-11550736796
26	DNSpionage	Oilrig
27	Tortoiseshell								APT35	Imperial Kitten		G0059				Backdoor.Syskit, Poison Frog, Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, get-logon-history.ps1	IT providers in Saudi Arabia		Inconclusive link to OilRig/APT34	https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain	https://www.cyberscoop.com/saudi-arabia-hackers-it-providers-symantec/	https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html
28	?												Bapco Attack			Zerocleare, DUSTMAN	Oil companies in the middle east			https://www.ibm.com/downloads/cas/OAJ4VZNJ?_ga=2.162718588.1703640646.1575470035-355468858.1568634484&cm_mc_uid=62832336079115590460108&cm_mc_sid_50200000=12616311575470030712	https://www.wired.com/story/iran-soleimani-cyberattack-hackers/
29	Fox Kitten	Parisite	Pioneer Kitten	Pay2key	UNC757								Pay2Key			SSHNET, Juicy Potato, Port, STSRCHECK, LPManager, Invoke-SMBClient, Invoke-SMBEnum, Invoke-SMBExec, Invoke-TheHash, Invoke-WMIExec, SOCKET-Based Backdoor, Ngrok, Pay2Key ransomware, FRPC, Ngrok	IT, Telecommunication, Oil and Gas, Aviation, Government, and Security sectors around the world.		Overlaps with APT33, APT34 and Chafer	https://www.clearskysec.com/fox-kitten/ https://www.clearskysec.com/pay2kitten/	https://dragos.com/blog/industry-news/the-state-of-threats-to-electric-entities-in-north-america/	https://www.crowdstrike.com/blog/who-is-pioneer-kitten/	https://us-cert.cisa.gov/ncas/alerts/aa20-259a
30	Tracer KItten																			https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf
31	Agrius	BlackShadow														Deadwood, Detbosit, IPSecHelper, Apstole	Finance, Hosting, Telecomminication, Israeli people, Academic Sector	Influence Operations, Ransomware		https://assets.sentinelone.com/sentinellabs/evol-agrius
32	MalKamak												Operation GhostShell			ShellClient				https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
33	Nemesis Kitten	Charming Kitten	DireFate							Nemesis Kitten						FRP, Plink, Bitlocker, Shredder (wiper)	Oil and Gas, Manufacturing, Media, Telecommunications, Government			https://www.cisa.gov/uscert/ncas/alerts/aa21-321a	https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/
34	UNC3313															GRAMDOOR, STARWHALE			Relates to MuddyWater	https://www.mandiant.com/resources/telegram-malware-iranian-espionage
35	DEV-0343																US & Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies			https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/
36	APT42																Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, and the Iranian diaspora abroad	Credential harvesting and Android malware	Subordinate to IRGC-IO, links/overlap to TA453, Yellow Garuda, ITG18, Phosphorus, Charming Kitten	https://www.mandiant.com/sites/default/files/2022-09/apt42-report-mandiant.pdf
37	HomeLand Justice																			https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
38	Emennet Pasargad																			https://www.cisa.gov/uscert/ncas/current-activity/2022/01/27/fbi-releases-pin-iranian-cyber-group-emennet-pasargad
39	Predatory Sparrow																			https://malpedia.caad.fkie.fraunhofer.de/actor/predatory_sparrow
40	Bohrium																			https://securityaffairs.com/132002/apt/microsoft-seized-bohrium-apt-domains.html


1	Israel
2	Common Name	Other Name 1	Other Name 2	Other Name 3	NSA	Operation 1	Operation 2	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5

3	Unit 8200					Olympic Games / Stuxnet		Stuxnet	Directed at Iranian nuclear facilities	Stuxnet is typically introduced to the target environment via an infected USB flash drive.		http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf	https://archive.org/details/Stuxnet
4	Unit 8200	Duqu Group			SIG35	Duqu 2.0		Duqu	A threat actor, using a tool dubbed Duqu 2.0, targeted individuals and companies linked to the P5+1 (the five permanent member states of the UN Security Council, plus Germany), which was conducting negotiations on Iran's nuclear program.			https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/	https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf	http://www.wsj.com/articles/spy-virus-linked-to-israel-targeted-hotels-used-for-iran-nuclear-talks-1433937601	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/
5	SunFlower	MoonFlower	Cheshire Cat	Flowershop	SIG17 / SIG18						Might be related to Duqu, Stuxnet and might attributed to Israel.	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/	https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/	https://github.com/Yara-Rules/rules/blob/master/malware/APT_CheshireCat.yar	https://blog.crysys.hu/2018/03/territorial-dispute-nsas-perspective-on-apt-landscape/


1	NATO
2	Common Name	Other Name 1	Other Name 2	Other Name 3	Other Name 4	Other Name 5	Symantec	Kaspersky	Operation 1	Operation 2	Operation 3	Operation 4	Toolset / Malware	Targets	Modus Operandi	Comment	Link 1	Link 2	Link 3	Link 4	Link 5	Link 6	Link 7	Link 8	Link 9
3	GOSSIPGIRL								Olympic Games / Stuxnet				Flame, Stuxnet, Miniflame, Duqu, Gauss			Collaborative umbrella of varioius threat actors	https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
4	Equation Group	Tilded Team	EQGRP	Housefly	Remsec				Socialist	Olympic Games / Stuxnet	Project Sauron / Strider		Regin, EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny, Grayfish, RemSec, Gauss			NSA, GCHQ, CSIS, ASIS, GCSB, FiveEyes, FVEY	http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/	https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/	http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets	https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/	https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/	https://web.archive.org/web/20160304022846/http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts	https://twitter.com/RedDrip7/status/1178511323954434048	https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/
5	Lamberts	APT-C-39	Rattlesnake				Longhorn	Lamberts						PRC		CIA	http://blogs.360.cn/post/APT-C-39_CIA_EN.html	https://securityaffairs.co/wordpress/57916/apt/longhorn-group-cia.html	https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments	http://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/
6	Snowglobe							Animal Farm					Babar, Bunny, Dino, Casper, Tafacalou, NBot, Chocopop			Probably French origins	https://securelist.com/blog/research/69114/animals-in-the-apt-farm/	https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france	http://www.cyphort.com/evilbunny-malware-instrumented-lua/	http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/	https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html
7	Slingshot								Mikrotik Router Compromise				Slingshot, Cahnadr, GollumApp, SsCB, ffproxy, NeedleWatch, Sfc2, Minisling, Spork downloader	Kenya, Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and United Arab Emirates		US Joint Special Operations Command	https://securelist.com/apt-slingshot/84312/	https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/
8	?								Project Tajmahal				full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama	single victim – a diplomatic entity from a country in Central Asia			https://securelist.com/project-tajmahal/90240/
9	Sea Turtle								Sea Turtle				DNS hijacking, CVE-2009-1151, CVE-2014-6271, CVE-2017-3881, CVE-2017-6736, CVE-2017-12617, CVE-2018-0296, CVE-2018-7600, Drupalgeddon	industries: Ministries of foreign affairs, Military organizations, Intelligence agencies, Prominent energy organizations in US, Libya, Egypt, Lebanon, UAE, Albania, Cyprus, Turkey, Iraq, Jordan, Syria, Armenia, Sweden		Turkish threat group	https://blog.talosintelligence.com/2019/04/seaturtle.html	https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html	https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X