# APT & Cybercriminals Campaign Collection

This is a collection of APT and cybercriminal campaigns. Please open an issue if any APT/malware events or campaigns are missing.

🤷 The password of malware samples could be 'virus' or 'infected'.

## URL to PDF Tool

* [Print Friendly & PDF](https://www.printfriendly.com/)

## Reference Resources

:small_blue_diamond: [kbandla](https://github.com/kbandla/APTnotes)
:small_blue_diamond: [APTnotes](https://github.com/aptnotes/data)
:small_blue_diamond: [Florian Roth - APT Groups](https://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml)
:small_blue_diamond: [Attack Wiki](https://attack.mitre.org/wiki/Groups)
:small_blue_diamond: [threat-INTel](https://github.com/fdiskyou/threat-INTel)
:small_blue_diamond: [targetedthreats](https://securitywithoutborders.org/resources/targeted-surveillance-reports.html)
:small_blue_diamond: [Raw Threat Intelligence](https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit)
:small_blue_diamond: [APT search](https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc)
:small_blue_diamond: [APT Sample by 0xffff0800](http://0xffff0800.ddns.net/Library/) (https://iec56w4ibovnb4wc.onion.si/)
:small_blue_diamond: [APT Map](https://aptmap.netlify.com/)
:small_blue_diamond: [sapphirex00 - Threat-Hunting](https://github.com/sapphirex00/Threat-Hunting)
:small_blue_diamond: [APTSimulator](https://github.com/NextronSystems/APTSimulator)
:small_blue_diamond: [MITRE Att&CK: Group](https://attack.mitre.org/groups/)
:small_blue_diamond: [APT_REPORT collected by @blackorbird](https://github.com/blackorbird/APT_REPORT)
:small_blue_diamond: [Analysis of malware and Cyber Threat Intel of APT and cybercriminals groups](https://github.com/StrangerealIntel/CyberThreatIntel)
:small_blue_diamond: [APT_Digital_Weapon](https://github.com/RedDrip7/APT_Digital_Weapon)
:small_blue_diamond: [vx-underground](https://vx-underground.org/apts.html)
:small_blue_diamond: [StrangerealIntel-EternalLiberty](https://github.com/StrangerealIntel/EternalLiberty/blob/main/EternalLiberty.csv)
## 2024

* Mar 7 - [[ESET] Evasive Panda leverages Monlam Festival to target Tibetans](https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/) | [:closed_book:](../../blob/master/2024/2024.03.07_Evasive_Panda)
* Feb 27 - [[Mandiant] When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors](https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east) | [:closed_book:](../../blob/master/2024/2024.02.27.UNC1549)
* Feb 23 - [[Sophos] ConnectWise ScreenConnect attacks deliver malware](https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/) | [:closed_book:](../../blob/master/2024/2024.02.23.ConnectWise_Malware)
* Feb 16 - [[---] inside I-Soon APT(Earth Lusca) operation center](https://github.com/I-S00N/I-S00N) | [:closed_book:](../../blob/master/2024/2024.02.16_I-Soon_Earth_Lusca)
* Feb 14 - [[Microsoft] Staying ahead of threat actors in the age of AI](https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/) | [:closed_book:](../../blob/master/2024/2024.02.14_APT_AI)
* Feb 13 - [[Trend Micro] CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day](https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html) | [:closed_book:](../../blob/master/2024/2024.02.13.Water_Hydra)
* Jan 25 - [[KrCERT/CC] Lazarus Group’s Large-scale Threats via Watering Hole and Financial Software](https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf) | [:closed_book:](../../blob/master/2024/2024.01.25.Lazarus_Group)
* Jan 24 - [[itochuci] The Endless Struggle Against APT10: Insights from LODEINFO](https://blog-en.itochuci.co.jp/entry/2024/01/24/134100) | [:closed_book:](../../blob/master/2024/2024.01.24.APT10_LODEINFO)
* Jan 10 - [[Volexity] Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN](https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/) | [:closed_book:](../../blob/master/2024/2024.01.10.Active_Exploitation_UTA0178)

## 2023

* Dec 27 - [[Kaspersky] Operation Triangulation: The last (hardware) mystery](https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/) | [:closed_book:](../../blob/master/2023/2023.12.27.Operation_Triangulation)
* Dec 21 - [[CISCO] Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware](https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/) | [:closed_book:](../../blob/master/2023/2023.12.21.Intellexa_Cytrox)
* Dec 19 - [[Symantec] Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms) | [:closed_book:](../../blob/master/2023/2023.12.19.Seedworm)
* Nov 30 - [[CISCO] New SugarGh0st RAT targets Uzbekistan government and South Korea](https://blog.talosintelligence.com/new-sugargh0st-rat/) | [:closed_book:](../../blob/master/2023/2023.11.30.New_SugarGh0st_RAT)
* Nov 27 - [[Intezer] WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel](https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/) | [:closed_book:](../../blob/master/2023/2023.11.27.WildCard_SysJoker_Israel)
* Nov 23 - [[CheckPoint] ISRAEL-HAMAS WAR SPOTLIGHT: SHAKING THE RUST OFF SYSJOKER](https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/) | [:closed_book:](../../blob/master/2023/2023.11.23.israel-hamas-sysjoker)
* Nov 14 - [[HKUK] APT29 attacks Embassies using CVE-2023-38831](https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf) | [:closed_book:](../../blob/master/2023/2023.11.14.APT29_CVE-2023-38831)
* Nov 09 - [[Kaspersky] Modern Asian APT groups’ tactics, techniques and procedures (TTPs)](https://securelist.com/modern-asia-apt-groups-ttp/111009/) | [:closed_book:](../../blob/master/2023/2023.11.09.Modern_Asian_APT_TTPs)
* Nov 07 - [[Palo Alto Networks] Chinese APT Targeting Cambodian Government](https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/) | [:closed_book:](../../blob/master/2023/2023.11.07.Chinese_APT_Cambodian)
* Nov 06 - [[Palo Alto Networks] Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors](https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/) | [:closed_book:](../../blob/master/2023/2023.11.06.Agrius_Israeli)
* Oct 31 - [[CheckPoint] FROM ALBANIA TO THE MIDDLE EAST: THE SCARRED MANTICORE IS LISTENING](https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/) | [:closed_book:](../../blob/master/2023/2023.10.31.Scarred_Manticore)
* Oct 26 - [[Kaspersky] StripedFly: Perennially flying under the radar](https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/) | [:closed_book:](../../blob/master/2023/2023.10.26.StripedFly)
* Oct 13 - [[Trend Micro] Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant](https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html) | [:closed_book:](../../blob/master/2023/2023.10.13.Void_Rabisu)
* Sep 19 - [[CISCO] New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants](https://blog.talosintelligence.com/introducing-shrouded-snooper/) | [:closed_book:](../../blob/master/2023/2023.09.19.ShroudedSnooper_Middle_East)
* Jul 27 - [[Recorded Future] BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware](https://www.recordedfuture.com/bluebravo-adapts-to-target-diplomatic-entities-with-graphicalproton-malware) | [:closed_book:](../../blob/master/2023/2023.07.27.BlueBravo)
* May 24 - [[Microsoft] Volt Typhoon targets US critical infrastructure with living-off-the-land techniques](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/) | [:closed_book:](../../blob/master/2023/2023.05.24.Volt_Typhoon)
* Jan 26 - [[Mandiant] Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations](https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations) | [:closed_book:](../../blob/master/2023/2023.01.26.GOOTLOADER_Operations)
* Jan 11 - [[GROUP-IB] Dark Pink](https://www.group-ib.com/blog/dark-pink-apt/) | [:closed_book:](../../blob/master/2023/2023.01.11.Dark_Pink_APT)
* Jan 09 - [[Intrinsec] Emotet returns and deploys loaders](https://www.intrinsec.com/emotet-returns-and-deploys-loaders/) | [:closed_book:](../../blob/master/2023/2023.01.09.Emotet_return)

## 2022

* Dec 07 - [[Google] Internet Explorer 0-day exploited by North Korean actor APT37](https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/) | [:closed_book:](../../blob/master/2022/2022.12.07.APT37_0Day)
* Dec 06 - [[BlackBerry] Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets](https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets) | [:closed_book:](../../blob/master/2022/2022.12.06.Mustang_Panda)
* Dec 05 - [[Recorded Future] Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations](https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations) | [:closed_book:](../../blob/master/2022/2022.12.05.TAG-53_Russia)
* Dec 02 - [[Palo Alto Networks] Blowing Cobalt Strike Out of the Water With Memory Analysis](https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/) | [:closed_book:](../../blob/master/2022/2022.12.02.Cobalt_Strike_Out_of_the_Water)
* Nov 03 - [[Zscaler] APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations](https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations) | [:closed_book:](../../blob/master/2022/2022.11.03.APT-36)
* Nov 02 - [[BlackBerry] RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom](https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass) | [:closed_book:](../../blob/master/2022/2022.11.02.RomCom_Ukraine_UK)
* Oct 06 - [[BlackBerry] Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims](https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims) | [:closed_book:](../../blob/master/2022/2022.10.06.Mustang_Panda_Myanmar)
* Oct 04 - [[Trend Micro] The Rise of Earth Aughisky](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/connecting-taidoors-dots-earth-aughisky-over-the-last-10-years) | [:closed_book:](../../blob/master/2022/2022.10.04.Rise_Earth_Aughisky)
* Sep 28 - [[NSOGroup] Exploit archaeology: a forensic history of in-the-wild NSO Group exploits](https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Exploit-archaeology-a-forensic-history-of-in-the-wild-NSO-Group-exploits.pdf) | [:closed_book:](../../blob/master/2022/2022.09.28.EXPLOIT_ARCHAEOLOGY)
* Sep 28 - [[Recorded Future] The Chinese Communist Party’s Strategy for Targeted Propaganda](https://go.recordedfuture.com/hubfs/reports/ta-2022-0928.pdf) | [:closed_book:](../../blob/master/2022/2022.09.28.Chinese_Communist_Party)
* Sep 08 - [[Secureworks] BRONZE PRESIDENT Targets Government Officials](https://www.secureworks.com/blog/bronze-president-targets-government-officials) | [:closed_book:](../../blob/master/2022/2022.09.08.BRONZE_PRESIDENT)
* Aug 12 - [[SEKOIA.IO] LuckyMouse uses a backdoored Electron app to target MacOS](https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/) | [:closed_book:](../../blob/master/2022/2022.08.12.LuckyMouse)
* Aug 12 - [[Trend Micro] Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users](https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html) | [:closed_book:](../../blob/master/2022/2022.08.12.Iron_Tiger_Mimi)
* Jul 26 - [[PWC] Old cat, new tricks, bad habits: An analysis of Charming Kitten’s new tools and OPSEC errors](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html) | [:closed_book:](../../blob/master/2022/2022.07.26.Charming_Kitten_APT)
* Jul 25 - [[Kaspersky] CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit](https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/) | [:closed_book:](../../blob/master/2022/2022.07.25.CosmicStrand)
* Jun 27 - [[Kaspersky] Attacks on industrial control systems using ShadowPad](https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/) | [:closed_book:](../../blob/master/2022/2022.06.27.ShadowPad_ICS)
* Jun 21 - [[Kaspersky] APT ToddyCat](https://securelist.com/toddycat/106799/) | [:closed_book:](../../blob/master/2022/2022.06.21.ToddyCat_APT)
* Jun 02 - [[Kaspersky] WinDealer malware shows extremely sophisticated network abilities](https://securelist.com/windealer-dealing-on-the-side/105946/) | [:closed_book:](../../blob/master/2022/2022.06.02.WinDealer)
* May 19 - [[CheckPoint] Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes](https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/) | [:closed_book:](../../blob/master/2022/2022.05.19.Twisted_Panda)
* May 12 - [[BlackBerry] Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure](https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure) | [:closed_book:](../../blob/master/2022/2022.05.12.Industroyer2_Ukraine)
* May 11 - [[CISCO] Bitter APT adds Bangladesh to their targets](https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html) | [:closed_book:](../../blob/master/2022/2022.05.11.Bitter_APT_Bangladesh)
* May 05 - [[CISCO] Mustang Panda deploys a new wave of malware targeting Europe](https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html) | [:closed_book:](../../blob/master/2022/2022.05.05.Mustang_Panda_Europe)
* May 02 - [[Mandiant] UNC3524: Eye Spy on Your Email](https://www.mandiant.com/resources/unc3524-eye-spy-email) | [:closed_book:](../../blob/master/2022/2022.05.02.UNC3524)
* Apr 06 - [[Recorded Future] Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group](https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/) | [:closed_book:](../../blob/master/2022/2022.04.06.Targeting_of_Indian_Power_Grid)
* Mar 30 - [[Fortinet] New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits](https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits) | [:closed_book:](../../blob/master/2022/2022.03.30.Deep_Panda_New_Milestones)
* Mar 23 - [[Dr.Web] Study of an APT attack on a telecommunications company in Kazakhstan](https://st.drweb.com/static/new-www/news/2022/march/telecom_research_en.pdf) | [:closed_book:](../../blob/master/2022/2022.03.23.Kazakhstan_APT)
* Mar 23 - [[ESET] Mustang Panda’s Hodur: Old tricks, new Korplug variant](https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/) | [:closed_book:](../../blob/master/2022/2022.03.23.Mustang_Panda)
* Mar 17 - [[Trend Micro] Cyclops Blink Sets Sights on Asus Routers](https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html) | [:closed_book:](../../blob/master/2022/2022.03.17.Cyclops_Blink_Voodoo_Bear)
* Mar 08 - [[Trend Micro] New RURansom Wiper Targets Russia](https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html) | [:closed_book:](../../blob/master/2022/2022.03.08.RURansom_Wiper)
* Mar 07 - [[proofpoint] The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates](https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european) | [:closed_book:](../../blob/master/2022/2022.03.07.TA416)
* Mar 01 - [[proofpoint] Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement](https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails) | [:closed_book:](../../blob/master/2022/2022.03.01.Asylum_Ambuscade)
* Feb 23 - [[Pangulab] Bvp47: Top-tier Backdoor of US NSA Equation Group](https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf) | [:closed_book:](../../blob/master/2022/2022.02.23.Bvp47)
* Feb 23 - [[Mandiant] (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware](https://www.mandiant.com/resources/unc2596-cuba-ransomware) | [:closed_book:](../../blob/master/2022/2022.02.23.UNC2596)
* Feb 15 - [[Dell] ShadowPad Malware Analysis](https://www.secureworks.com/research/shadowpad-malware-analysis) | [:closed_book:](../../blob/master/2022/2022.02.15_ShadowPad)
* Feb 03 - [[Symantec] Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks) | [:closed_book:](../../blob/master/2022/2022.02.03.Antlion_APT)
* Feb 01 - [[Cybereason] PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage](https://www.cybereason.com/blog/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage) | [:closed_book:](../../blob/master/2022/2022.02.01.Phosphorus_APT)
* Jan 31 - [[CISCO] Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables](https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html) | [:closed_book:](../../blob/master/2022/2022.01.31.MuddyWater_Turkish)
* Jan 31 - [[Symantec] Shuckworm Continues Cyber-Espionage Attacks Against Ukraine](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine) | [:closed_book:](../../blob/master/2022/2022.01.31.Shuckworm_APT)
* Jan 27 - [[MalwareBytes] North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign](https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/) | [:closed_book:](../../blob/master/2022/2022.01.27.Lazarus_APT)
* Jan 27 - [[CrowdStrike] Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) | [:closed_book:](../../blob/master/2022/2022.01.27.APT29_StellarParticle)
* Jan 25 - [[Trellix] Prime Minister’s Office Compromised: Details of Recent Espionage Campaign](https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html) | [:closed_book:](../../blob/master/2022/2022.01.25.Prime_Minister_Compromised)
* Jan 20 - [[Kaspersky] MoonBounce: the dark side of UEFI firmware](https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/) | [:closed_book:](../../blob/master/2022/2022.01.20.MoonBounce)
* Jan 17 - [[Trend Micro] Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques](https://www.trendmicro.com/en_us/research/22/a/earth-lusca-sophisticated-infrastructure-varied-tools-and-techni.html) | [:closed_book:](../../blob/master/2022/2022.01.17.Earth_Lucsa)
* Jan 07 - [[MalwareBytes] Patchwork APT caught in its own web](https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/) | [:closed_book:](../../blob/master/2022/2022.01.07.Patchwork_APT_India)
* Jan 05 - [[Sygnia] ELEPHANT BEETLE: UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION](https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation) | [:closed_book:](../../blob/master/2022/2022.01.05.Elephant_Beetle)
* Jan 03 - [[Cluster25] North Korean Group “KONNI” Targets The Russian Diplomatic Sector With New Versions Of Malware Implants](https://cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/) | [:closed_book:](../../blob/master/2022/2022.01.03.KONNI_Targets_Russian_Diplomatic)

## 2021

* Dec 29 - [[NTT] Report on APT Attacks by BlackTech](https://jp.security.ntt/resources/EN-BlackTech_2021.pdf) | [:closed_book:](../../blob/master/2021/2021.12.19.BlackTech_APT)
* Dec 16 - [[Zscaler] New DarkHotel APT attack chain identified](https://www.zscaler.com/blogs/security-research/new-darkhotel-apt-attack-chain-identified) | [:closed_book:](../../blob/master/2021/2021.12.16.New_DarkHotel_APT)
* Dec 11 - [[ESET] Jumping the air gap: 15 years of nation-state effort](https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf) | [:closed_book:](../../blob/master/2021/2021.12.11.Jumping_the_air_gap)
* Dec 07 - [[Mandiant] FIN13: A Cybercriminal Threat Actor Focused on Mexico](https://www.mandiant.com/resources/fin13-cybercriminal-mexico) | [:closed_book:](../../blob/master/2021/2021.12.07.FIN13)
* Dec 03 - [[Pwc] Conti cyber attack on the HSE](https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf) | [:closed_book:](../../blob/master/2021/2021.12.03.Conti_Attack_HSE)
* Nov 29 - [[Trend Micro] Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites](https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html) | [:closed_book:](../../blob/master/2021/2021.11.29.Safib_Assistant)
* Nov 16 - [[Mandiant] UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests](https://www.mandiant.com/resources/unc1151-linked-to-belarus-government) | [:closed_book:](../../blob/master/2021/2021.11.16.UNC1151)
* Nov 16 - [[ESET] Strategic web compromises in the Middle East with a pinch of Candiru](https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/) | [:closed_book:](../../blob/master/2021/2021.11.16.Pinch_of_Candiru)
* Nov 11 - [[Google] Analyzing a watering hole campaign using macOS exploits](https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/) | [:closed_book:](../../blob/master/2021/2021.11.11.watering_hole_macOS_exploits)
* Nov 10 - [[Trend Micro] Void Balaur: Tracking a Cybermercenary’s Activities](https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf) | [:closed_book:](../../blob/master/2021/2021.11.10.Void_Balaur)
* Nov 08 - [[NCCGroup] TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access](https://research.nccgroup.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/) | [:closed_book:](../../blob/master/2021/2021.11.08.TA505_SolarWinds)
* Nov 04 - [[SSU] Gamaredon Armageddon Group](https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf) | [:closed_book:](../../blob/master/2021/2021.11.04.Gamaredon_Armageddon_Group)
* Oct 19 - [[CrowdStrike] LightBasin: A Roaming Threat to Telecommunications Companies](https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/) | [:closed_book:](../../blob/master/2021/2021.10.19.UNC1945_LightBasin)
* Oct 26 - [[JPCERT] Malware WinDealer used by LuoYu Attack Group](https://blogs.jpcert.or.jp/en/2021/10/windealer.html) | [:closed_book:](../../blob/master/2021/2021.10.26.WinDealer_LuoYu_Group)
* Oct 19 - [[Proofpoint] Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant](https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant) | [:closed_book:](../../blob/master/2021/2021.10.19.TA505_New_FlawedGrace)
* Oct 19 - [[Trend Micro] PurpleFox Adds New Backdoor That Uses WebSockets](https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html) | [:closed_book:](../../blob/master/2021/2021.10.19.PurpleFox)
* Oct 18 - [[Symantec] Harvester: Nation-state-backed group uses new toolset to target victims in South Asia](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia) | [:closed_book:](../../blob/master/2021/2021.10.18.Harvester_South_Asia)
* Oct 14 - [[Trend Micro] Analyzing Email Services Abused for Business Email Compromise](https://www.trendmicro.com/zh_hk/research/21/j/analyzing-email-services-abused-for-business-email-compromise.html) | [:closed_book:](../../blob/master/2021/2021.10.14.BEC_groups)
* Oct 12 - [[Kaspersky] MysterySnail attacks with Windows zero-day](https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/) | [:closed_book:](../../blob/master/2021/2021.10.12.MysterySnail)
* Oct 06 - [[Cybereason] Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms](https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms) | [:closed_book:](../../blob/master/2021/2021.10.06.Operation_GhostShell)
* Oct 05 - [[ESET] UEFI threats moving to the ESP: Introducing ESPecter bootkit](https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/) | [:closed_book:](../../blob/master/2021/2021.10.05.ESPecter_bootkit)
* Oct 04 - [[JP-CERT] Malware Gh0stTimes Used by BlackTech](https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html) | [:closed_book:](../../blob/master/2021/2021.10.04.Gh0stTimes_BlackTech)
* Sep 30 - [[Kaspersky] GhostEmperor: From ProxyLogon to kernel mode](https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/) | [:closed_book:](../../blob/master/2021/2021.09.30.GhostEmperor)
* Sep 27 - [[Microsoft] FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor](https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/) | [:closed_book:](../../blob/master/2021/2021.09.27.FoggyWeb)
* Sep 23 - [[ESET] FamousSparrow: A suspicious hotel guest](https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/) | [:closed_book:](../../blob/master/2021/2021.09.23.FamousSparrow)
* Sep 14 - [[McAfee] Operation ‘Harvest’: A Deep Dive into a Long-term Campaign](https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/) | [:closed_book:](../../blob/master/2021/2021.09.14.Operation_Harvest)
* Sep 13 - [[Trend Micro] APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs](https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html) | [:closed_book:](../../blob/master/2021/2021.09.13.APT-C-36_South_American)
* Sep 09 - [[Recorded Future] Dark Covenant: Connections Between the Russian State and Criminal Actors](https://www.recordedfuture.com/russian-state-connections-criminal-actors/) | [:closed_book:](../../blob/master/2021/2021.09.09.Dark_Covenant)
* Sep 08 - [[Fireeye] Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.](https://www.fireeye.com/blog/threat-research/2021/09/pro-prc-influence-campaign-social-media-websites-forums.html) | [:closed_book:](../../blob/master/2021/2021.09.08.Pro-PRC_Campaign)
* Aug 25 - [[Bitdefender] FIN8 Threat Actor Spotted Once Again with New "Sardonic" Backdoor](https://www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/) | [:closed_book:](../../blob/master/2021/2021.08.25.FIN8_Sardonic_Backdoor)
* Aug 24 - [[Trend Micro] Earth Baku Returns](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/earth-baku-returns) | [:closed_book:](../../blob/master/2021/2021.08.24.Earth_Baku_Returns)
* Aug 19 - [[Sentinel] ShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage](https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/) | [:closed_book:](../../blob/master/2021/2021.08.19.ShadowPad)
* Aug 17 - [[Trend Micro] Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military](https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html) | [:closed_book:](../../blob/master/2021/2021.08.17.Confucius_Pegasus)
* Aug 17 - [[ClearSky] New Iranian Espionage Campaign by "SiameseKitten" - Lyceum](https://www.clearskysec.com/siamesekitten/) | [:closed_book:](../../blob/master/2021/2021.08.17_new_iranian_campaign_by_Siamesekitten)
* Aug 17 - [[Volexity] North Korean APT InkySquid Infects Victims Using Browser Exploits](https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/) | [:closed_book:](../../blob/master/2021/2021.08.17.NK_APT_InkySquid)
* Aug 14 - [[Checkpoint] Indra - Hackers Behind Recent Attacks on Iran](https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/) | [:closed_book:](../../blob/master/2021/2021.08.14.Indra_Iran)
* Aug 12 - [[imp0rtp3] Uncovering Tetris - a Full Surveillance Kit Running in your Browser](https://imp0rtp3.wordpress.com/2021/08/12/tetris/) | [:closed_book:](../../blob/master/2021/2021.08.12.Full-Surveillance-Kit-China)
* Aug 10 - [[Fireeye] UNC215: Spotlight on a Chinese Espionage Campaign in Israel](https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html) | [:closed_book:](../../blob/master/2021/2021.08.10.UNC215_Chinese_Israel)
* Aug 09 - [[Trend Micro] Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising](https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html) | [:closed_book:](../../blob/master/2021/2021.08.09.Cinobi_Banking_Trojan)
* Aug 03 - [[CyberGeeks] A STEP-BY-STEP ANALYSIS OF THE NEW MALWARE USED BY APT28/SOFACY CALLED SKINNYBOY](https://cybergeeks.tech/skinnyboy-apt28/) | [:closed_book:](../../blob/master/2021/2021.08.03.SKINNYBOY)
* Aug 03 - [[GROUP-IB] The Art of Cyberwarfare: Chinese APTs attack Russia](https://blog.group-ib.com/task) | [:closed_book:](../../blob/master/2021/2021.08.03.Chinese_APTs_attackRussia)
* Aug 03 - [[Cybereason] DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos](https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos) | [:closed_book:](../../blob/master/2021/2021.08.03.DeadRinger)
* Aug 03 - [[Positive] APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/) | [:closed_book:](../../blob/master/2021/2021.08.03.APT31_new_dropper)
* Aug 02 - [[Sygnia] TG1021: “Praying Mantis” DISSECTING AN ADVANCED MEMORY-RESIDENT ATTACK](https://f.hubspotusercontent30.net/hubfs/8776530/TG1021%20-%20Praying%20Mantis%20Threat%20Actor.pdf) | [:closed_book:](../../blob/master/2021/2021.08.02.TG1021_Praying_Mantis)
* Jul 28 - [[Proofpoint] I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona](https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media) | [:closed_book:](../../blob/master/2021/2021.07.28.TA456)
* Jul 27 - [[Palo Alto Networks] THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group](https://unit42.paloaltonetworks.com/thor-plugx-variant/) | [:closed_book:](../../blob/master/2021/2021.07.27.THOR_PKPLUG_Group)
* Jul 20 - [[Trend Micro] Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group](https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf) | [:closed_book:](../../blob/master/2021/2021.07.20.Tracking.TeamTNT)
* Jul 19 - [[US-CERT] Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department](https://us-cert.cisa.gov/sites/default/files/publications/CSA_TTPs-of-Indicted-APT40-Actors-Associated-with-China-MSS-Hainan-State-Security-Department.pdf) | [:closed_book:](../../blob/master/2021/2021.07.19.APT40_TTP)
* Jul 14 - [[Google] How we protect users from 0-day attacks](https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/) | [:closed_book:](../../blob/master/2021/2021.07.14.Candiru_0Day)
* Jul 12 - [[Trend Micro] #NoFilter: Exposing the Tactics of Instagram Account Hackers](https://www.trendmicro.com/en_us/research/21/g/no-filter--exposing-the-tactics-of-instagram-account-hackers.html) | [:closed_book:](../../blob/master/2021/2021.07.12.NoFilter)
* Jul 09 - [[Trend Micro] BIOPASS RAT: New Malware Sniffs Victims via Live Streaming](https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html) | [:closed_book:](../../blob/master/2021/2021.07.09.BIOPASS_RAT)
* Jul 06 - [[AT&T] Lazarus campaign TTPs and evolution](https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution) | [:closed_book:](../../blob/master/2021/2021.07.06.Lazarus_TTPs_evolution)
* Jul 05 - [[Trend Micro] Tracking Cobalt Strike: A Trend Micro Vision One Investigation](https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html) | [:closed_book:](../../blob/master/2021/2021.07.05.cobalt_strike_tracking)
* Jul 01 - [[CheckPoint] IndigoZebra APT continues to attack Central Asia with evolving tools](https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/) | [:closed_book:](../../blob/master/2021/2021.07.01.IndigoZebra_APT)
* Jun 24 - [[Securifera] Operation Eagle Eye](https://www.securifera.com/blog/2021/06/24/operation-eagle-eye/) | [:closed_book:](../../blob/master/2021/2021.06.24.Operation_Eagle_Eye)
* Jun 16 - [[Recorded Future] Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries](https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/) | [:closed_book:](../../blob/master/2021/2021.06.16.RedFoxtrot_APT_PLA_69010)
* Jun 16 - [[Kaspersky] Ferocious Kitten: 6 years of covert surveillance in Iran](https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/) | [:closed_book:](../../blob/master/2021/2021.06.16.Ferocious_Kitten)
* Jun 10 - [[Group-IB] Big airline heist](https://blog.group-ib.com/colunmtk_apt41) | [:closed_book:](../../blob/master/2021/2021.06.10.Big_airline_heist)
* Jun 08 - [[Kaspersky] PuzzleMaker attacks with Chrome zero-day exploit chain](https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/) | [:closed_book:](../../blob/master/2021/2021.06.08.PuzzleMaker_APT)
* Jun 03 - [[CheckPoint] SharpPanda: Chinese APT Group Targets Southeast Asian Government With Previously Unknown Backdoor](https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/) | [:closed_book:](../../blob/master/2021/2021.06.03.SharpPanda_APT)
* May 28 - [[Microsoft] Breaking down NOBELIUM’s latest early-stage toolset](https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/) | [:closed_book:](../../blob/master/2021/2021.05.28.NOBELIUM_toolset)
* May 27 - [[Microsoft] New sophisticated email-based attack from NOBELIUM](https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/) | [:closed_book:](../../blob/master/2021/2021.05.27.NOBELIUM_New)
* May 25 - [[SentinelOne] FROM WIPER TO RANSOMWARE: THE EVOLUTION OF AGRIUS](https://assets.sentinelone.com/sentinellabs/evol-agrius) | [:closed_book:](../../blob/master/2021/2021.05.25.AGRIUSAuthor)
* May 13 - [[CISCO] Transparent Tribe APT expands its Windows malware arsenal](https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html) | [:closed_book:](../../blob/master/2021/2021.05.13.Transparent_Tribe_APT)
* May 07 - [[NCSC] Further TTPs associated with SVR cyber actors](https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf) |
[:closed_book:](../../blob/master/2021/2021.05.07.SVR_TTPs) * May 07 - [[Marco Ramilli] MuddyWater: Binder Project (Part 2)](https://marcoramilli.com/2021/05/07/muddywater-binder-project-part-2/) | [:closed_book:](../../blob/master/2021/2021.05.07.MuddyWater_Binder_2) * May 06 - [[Kaspersky] Operation TunnelSnake](https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/) | [:closed_book:](../../blob/master/2021/2021.05.06.Operation_TunnelSnake) * May 01 - [[ClearSky] Attributing Attacks Against Crypto Exchanges to LAZARUS – North Korea](https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf) | [:closed_book:](../../blob/master/2021/2021.05.01.CryptoCore-Lazarus) * May 01 - [[Marco Ramilli] MuddyWater: Binder Project (Part 1)](https://marcoramilli.com/2021/05/01/muddywater-binder-project-part-1/) | [:closed_book:](../../blob/master/2021/2021.05.01.MuddyWater_Binder_1) * Apr 28 - [[Trend Micro] Water Pamola Attacked Online Shops Via Malicious Orders](https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html) | [:closed_book:](../../blob/master/2021/2021.04.28.Water_Pamola) * Apr 28 - [[Fireeye] Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity](https://www.fireeye.com/blog/threat-research/2021/04/espionage-group-unc1151-likely-conducts-ghostwriter-influence-activity.html) | [:closed_book:](../../blob/master/2021/2021.04.28.Ghostwriter_UNC1151) * Apr 27 - [[Positive] Lazarus Group Recruitment: Threat Hunters vs Head Hunters](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/) | [:closed_book:](../../blob/master/2021/2021.04.27.Lazarus_Group_Recruitment) * Apr 23 - [[Bitdefender] NAIKON – Traces from a Military Cyber-Espionage Operation](https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf) | 
[:closed_book:](../../blob/master/2021/2021.04.23.NAIKON) * Apr 23 - [[Darktrace] APT35 ‘Charming Kitten' discovered in a pre-infected environment](https://www.darktrace.com/en/blog/apt-35-charming-kitten-discovered-in-a-pre-infected-environment/) | [:closed_book:](../../blob/master/2021/2021.04.23.Charming_Kitten) * Apr 20 - [[FireEye] Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day](https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html) | [:closed_book:](../../blob/master/2021/2021.04.20.APT_Pulse_Secure_Zero-Day) * Apr 19 - [[SentinelOne] A Deep Dive into Zebrocy’s Dropper Docs](https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/) | [:closed_book:](../../blob/master/2021/2021.04.19.A_Deep_Dive_into_Zebrocys_Dropper_Docs) * Apr 19 - [[MalwareBytes] Lazarus APT conceals malicious code within BMP image to drop its RAT](https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/) | [:closed_book:](../../blob/master/2021/2021.04.19.Lazarus_APT_conceals_malicious_code_within_BMP_image_to_drop_its_RAT) * Apr 13 - [[Sentire] Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire](https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire) | [:closed_book:](../../blob/master/2021/2021.04.13.Hackers_Flood) * Apr 13 - [[Kaspersky] Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/) | [:closed_book:](../../blob/master/2021/2021.04.13.CVE-2021-28310_APT) * Apr 09 - [[TrendMicro] Iron Tiger APT Updates Toolkit With 
Evolved SysUpdate Malware](https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html) | [:closed_book:](../../blob/master/2021/2021.04.09.Iron_Tiger_SysUpdate) * Apr 08 - [[CheckPoint] Iran’s APT34 Returns with an Updated Arsenal](https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/) | [:closed_book:](../../blob/master/2021/2021.04.08.APT34_Returns) * Apr 08 - [[ESET] (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor](https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/) | [:closed_book:](../../blob/master/2021/2021.04.08.Vyveva_Lazarus) * Apr 07 - [[CISCO] Sowing Discord: Reaping the benefits of collaboration app abuse](https://blog.talosintelligence.com/2021/04/collab-app-abuse.html) | [:closed_book:](../../blob/master/2021/2021.04.07.Sowing_Discord) * Apr 06 - [[Cado Security] Threat Group Uses Voice Changing Software in Espionage Attempt](https://www.cadosecurity.com/threat-group-uses-voice-changing-software-in-espionage-attempt/)| [:closed_book:](../../blob/master/2021/2021.04.06.APT-C-23_Voice_Changing) * Mar XX - [[CSET] Academics, AI, and APTs](https://cset.georgetown.edu/wp-content/uploads/CSET-Academics-AI-and-APTs.pdf) | [:closed_book:](../../blob/master/2021/2021.03.XX.Academics_AI_APTs) * Mar 30 - [[Kaspersky] APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign](https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/) | [:closed_book:](../../blob/master/2021/2021.03.30.APT10) * Mar 30 - [[proofpoint] BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns](https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential) | [:closed_book:](../../blob/master/2021/2021.03.30.BadBlood_TA453) * Mar 23 - [[Trend 
Micro] Websites Hosting Cracks Spread Malware, Adware](https://www.trendmicro.com/en_us/research/21/c/websites-hosting-cracks-spread-malware-adware.html) | [:closed_book:](../../blob/master/2021/2021.03.23.CopperStealer) * Mar 18 - [[Prodaft] SilverFish Group Threat Actor Report](https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf) | [:closed_book:](../../blob/master/2021/2021.03.18.SilverFish_Group) * Mar 10 - [[Bitdefender] FIN8 Returns with Improved BADHATCH Toolkit](https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf) | [:closed_book:](../../blob/master/2021/2021.03.10.FIN8_BADHATCH_Toolkit) * Mar 10 - [[Intezer] New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor](https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/) | [:closed_book:](../../blob/master/2021/2021.03.10.RedXOR) * Mar 02 - [[Volexity] Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities](https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/) | [:closed_book:](../../blob/master/2021/2021.03.02.Operation_Exchange_Marauder) * Mar 02 - [[Microsoft] HAFNIUM targeting Exchange Servers with 0-day exploits](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) | [:closed_book:](../../blob/master/2021/2021.03.02.HAFNIUM_APT) * Feb 28 - [[Recorded Future] China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions](https://www.recordedfuture.com/redecho-targeting-indian-power-sector/) | [:closed_book:](../../blob/master/2021/2021.02.28.RedEcho_APT) * Feb 25 - [[Proofpoint] TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan 
Organizations](https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global) | [:closed_book:](../../blob/master/2021/2021.02.25.TA413_FriarFox) * Feb 25 - [[Kaspersky] Lazarus targets defense industry with ThreatNeedle](https://securelist.com/lazarus-threatneedle/100803/) | [:closed_book:](../../blob/master/2021/2021.02.25.Lazarus_ThreatNeedle) * Feb 25 - [[TeamT5] APT10: Tracking down the stealth activity of the A41APT campaign](https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/02/25140359/greatidea_A41_v1.0.pdf) | [:closed_book:](../../blob/master/2021/2021.02.25.A41APT) * Feb 24 - [[MalwareBytes] LazyScripter: From Empire to double RAT](https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/) | [:closed_book:](../../blob/master/2021/2021.02.24.LazyScripter) * Feb 24 - [[Amnesty] Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks](https://www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/) | [:closed_book:](../../blob/master/2021/2021.02.24.Click_and_Bait) * Feb 22 - [[CheckPoint] The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day](https://research.checkpoint.com/2021/the-story-of-jian/) | [:closed_book:](../../blob/master/2021/2021.02.22.APT31_Equation_Group) * Feb 17 - [[Cybleinc] Confucius APT Android Spyware Targets Pakistani and Other South Asian Regions](https://cybleinc.com/2021/02/17/confucius-apt-android-spyware-targets-pakistani-and-other-south-asian-regions/) | [:closed_book:](../../blob/master/2021/2021.02.17.Confucius_Pakistani_South_Asian) * Feb 10 - [[Lookout] Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict](https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict) | 
[:closed_book:](../../blob/master/2021/2021.02.10.Confucius_India-Pakistan) * Feb 09 - [[Palo Alto Networks] BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech](https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/) | [:closed_book:](../../blob/master/2021/2021.02.09.BendyBear) * Feb 08 - [[CheckPoint] Domestic Kitten – An Inside Look at the Iranian Surveillance Operations](https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/) | [:closed_book:](../../blob/master/2021/2021.02.08.Domestic_Kitten) * Feb 03 - [[Palo Alto Networks] Hildegard: New TeamTNT Malware Targeting Kubernetes](https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/) | [:closed_book:](../../blob/master/2021/2021.02.03.Hildegard) * Feb 02 - [[ESET] Kobalos – A complex Linux threat to high performance computing infrastructure](https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/) | [:closed_book:](../../blob/master/2021/2021.02.02.Kobalos) * Feb 01 - [[VinCSS] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT](https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html)| [:closed_book:](../../blob/master/2021/2021.02.01.ElephantRAT) * Feb 01 - [[ESET] Operation NightScout: Supply‑chain attack targets online gaming in Asia](https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/) | [:closed_book:](../../blob/master/2021/2021.02.01.Operation_NightScout) * Jan 31 - [[JPCERT] A41APT case ~ Analysis of the Stealth APT Campaign Threatening Japan](http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf) | [:closed_book:](../../blob/master/2021/2021.01.31.A41APT) * Jan 28 - [[ClearSky] “Lebanese Cedar” APT: Global Lebanese Espionage Campaign Leveraging Web 
Servers](https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf) | [:closed_book:](../../blob/master/2021/2021.01.28.Lebanese_Cedar_APT) * Jan 25 - [[cybergeeks] A DETAILED ANALYSIS OF ELMER BACKDOOR USED BY APT16](https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/) | [:closed_book:](../../blob/master/2021/2021.01.25.APT16_Elmer_backdoor) * Jan 20 - [[JPCERT] Commonly Known Tools Used by Lazarus](https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html) | [:closed_book:](../../blob/master/2021/2021.01.20.Commonly_Known_Tools_Lazarus) * Jan 20 - [[Cybie] A Deep Dive Into Patchwork APT Group](https://cybleinc.com/2021/01/20/a-deep-dive-into-patchwork-apt-group/) | [:closed_book:](../../blob/master/2021/2021.01.20.Deep_Dive_Patchwork) * Jan 14 - [[Positive] Higaisa or Winnti? APT41 backdoors, old and new](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/) | [:closed_book:](../../blob/master/2021/2021.01.14.Higaisa_or_Winnti_APT41) * Jab 12 - [[ESET] Operation Spalax: Targeted malware attacks in Colombia](https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/) | [:closed_book:](../../blob/master/2021/2021.01.12.Operation_Spalax) * Jan 12 - [[Yoroi] Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife](https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/) | [:closed_book:](../../blob/master/2021/2021.01.12.STEELCORGI) * Jan 12 - [[NCCgroup] Abusing cloud services to fly under the radar](https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/) | [:closed_book:](../../blob/master/2021/2021.01.12.Abusing_cloud_services_Chimera) * Jan 11 - [[Palo Alto Networks] xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement](https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/) | 
[:closed_book:](../../blob/master/2021/2021.01.11.xHunt_Campaign) * Jan 11 - [[CrowdStrike] SUNSPOT: An Implant in the Build Process](https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/) | [:closed_book:](../../blob/master/2021/2021.01.11.SUNSPOT) * Jan 11 - [[Kaspersky] Sunburst backdoor – code overlaps with Kazuar](https://securelist.com/sunburst-backdoor-kazuar/99981/) | [:closed_book:](../../blob/master/2021/2021.01.11.Sunburst_Kazuar) * Jan 08 - [[Certfa] Charming Kitten’s Christmas Gift](https://blog.certfa.com/posts/charming-kitten-christmas-gift/) | [:closed_book:](../../blob/master/2021/2021.01.08.Charming_Kitten_Christmas_Gift) * Jan 07 - [[Prodaft] Brunhilda DaaS Malware Analysis Report](https://t.co/mzp7NRDIm1?amp=1) | [:closed_book:](../../blob/master/2021/2021.01.07.Brunhilda_DaaS_Malware) * Jan 06 - [[CISCO] A Deep Dive into Lokibot Infection Chain](https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html) | [:closed_book:](../../blob/master/2021/2021.01.06.Lokibot_Infection_Chain) * Jan 06 - [[Malwarebytes] Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat](https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/) | [:closed_book:](../../blob/master/2021/2021.01.06.APT37_North_Korean_APT_RokRat) * Jan 05 - [[QuoIntelligence] ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware](https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/) | [:closed_book:](../../blob/master/2021/2021.01.05.ReconHellcat_APT_BlackSoul_Malware) * Jan 05 - [[Trend Micro] Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration](https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html) | 
[:closed_book:](../../blob/master/2021/2021.01.05.Earth_Wendigo_Mailbox_Exfiltration) * Jan 04 - [[CheckPoint] Stopping Serial Killer: Catching the Next Strike: Dridex](https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/amp/) | [:closed_book:](../../blob/master/2021/2021.01.04.Dridex_Next_Strike) * Jan 04 - [[Medium] APT27 Turns to Ransomware](https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf) | [:closed_book:](../../blob/master/2021/2021.01.04.APT27_Ransomware) * Jan 04 - [[Nao-Sec] Royal Road! Re:Dive](https://nao-sec.org/2021/01/royal-road-redive.html) | [:closed_book:](../../blob/master/2021/2021.01.04.Royal_Road_ReDive) ## 2020 * Dec 30 - [[Recorded Future] SolarWinds Attribution: Are We Getting Ahead of Ourselves?](https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf) | [:closed_book:](../../blob/master/2020/2020.12.30.SolarWinds_Attribution) * Dec 29 - [[Uptycs] Revenge RAT targeting users in South America](https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america) | [:closed_book:](../../blob/master/2020/2020.12.29.Revenge_RAT) * Dec 23 - [[Kaspersky] Lazarus covets COVID-19-related intelligence](https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/) | [:closed_book:](../../blob/master/2020/2020.12.23.Lazarus_COVID-19) * Dec 22 - [[Truesec] Collaboration between FIN7 and the RYUK group, a Truesec Investigation](https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/) | [:closed_book:](../../blob/master/2020/2020.12.22.FIN7_RYUK) * Dec 19 - [[VinCSS] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority](https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1) | 
[:closed_book:](../../blob/master/2020/2020.12.19.Panda_Vietnam) * Dec 17 - [[ClearSky] Pay2Kitten](https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf) | [:closed_book:](../../blob/master/2020/2020.12.17.Pay2Kitten) * Dec 17 - [[ESET] Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia](https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/) | [:closed_book:](../../blob/master/2020/2020.12.17.Operation_SignSight) * Dec 16 - [[Team Cymru] Mapping out AridViper Infrastructure Using Augury’s Malware Module](https://team-cymru.com/blog/2020/12/16/mapping-out-aridviper-infrastructure-using-augurys-malware-addon/) | [:closed_book:](../../blob/master/2020/2020.12.16.AridViper_Augury) * Dec 15 - [[WeiXin] APT-C-47 ClickOnce Operation](https://mp.weixin.qq.com/s/h_MUJfa3QGM9SqT_kzcdHQ) | [:closed_book:](../../blob/master/2020/2020.12.15.APT-C-47_ClickOnce) * Dec 15 - [[hvs consulting] Greetings from Lazarus Anatomy of a cyber espionage campaign](https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf) | [:closed_book:](../../blob/master/2020/2020.12.15.Lazarus_Campaign) * Dec 13 - [[Fireeye] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) | [:closed_book:](../../blob/master/2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor) * Dec 09 - [[Intezer] A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy](https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/) | [:closed_book:](../../blob/master/2020/2020.12.09.Sofacy_APT) * Dec 09 - [[Trend Micro] SideWinder Uses South Asian Issues for Spear Phishing, Mobile 
Attacks](https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html) | [:closed_book:](../../blob/master/2020/2020.12.09.SideWinder) * Dec 07 - [[Group-IB] The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer](https://www.group-ib.com/blog/fakesecurity_raccoon) | [:closed_book:](../../blob/master/2020/2020.12.07.FakeSecurity) * Dec 02 - [[ESET] Turla Crutch: Keeping the “back door” open](https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/) | [:closed_book:](../../blob/master/2020/2020.12.02.Turla_Crutch) * Dec 03 - [[Telsy] Adversary Tracking Report](https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf) | [:closed_book:](../../blob/master/2020/2020.12.03.Adversary_Tracking_Report) * Dec 01 - [[CISA] Advanced Persistent Threat Actors Targeting U.S. Think Tanks](https://us-cert.cisa.gov/ncas/alerts/aa20-336a) | [:closed_book:](../../blob/master/2020/2020.12.01.APT_US_Think_Tanks) * Dec 01 - [[Prevasio] OPERATION RED KANGAROO: INDUSTRY'S FIRST DYNAMIC ANALYSIS OF 4M PUBLIC DOCKER CONTAINER IMAGES](https://blog.prevasio.com/2020/12/operation-red-kangaroo-industrys-first.html) | [:closed_book:](../../blob/master/2020/2020.12.01.Operation_RED_KANGAROO) * Nov 30 - [[Yoroi] Shadows From the Past Threaten Italian Enterprises](https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/) | [:closed_book:](../../blob/master/2020/2020.11.30.UNC1945) * Nov 30 - [[Microsoft] Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them](https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/) | [:closed_book:](../../blob/master/2020/2020.11.30.BISMUTH_CoinMiner) * Nov 27 - [[PTSecurity] Investigation with a twist: an accidental APT attack and averted data 
destruction](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/) | [:closed_book:](../../blob/master/2020/2020.11.27.Twist_APT27) * Nov 26 - [[CheckPoint] Bandook: Signed & Delivered](https://research.checkpoint.com/2020/bandook-signed-delivered/) | [:closed_book:](../../blob/master/2020/2020.11.26.Bandook) * Nov 23 - [[S2W Lab] Analysis of Clop Ransomware suspiciously related to the Recent Incident](https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e) | [:closed_book:](../../blob/master/2020/2020.11.23.Clop_Campaign) * Nov 19 - [[Cybereason] Cybereason vs. MedusaLocker Ransomware](https://www.cybereason.com/blog/medusalocker-ransomware) | [:closed_book:](../../blob/master/2020/2020.11.19.MedusaLocker_Ransomware) * Nov 18 - [[KR-CERT] Analysis of the Bookcodes RAT C2 framework starting with spear phishing](https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf) | [:closed_book:](../../blob/master/2020/2020.11.18.Bookcodes_C2) * Nov 17 - [[Cybereason] CHAES: Novel Malware Targeting Latin American E-Commerce](https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf) | [:closed_book:](../../blob/master/2020/2020.11.17.CHAES) * Nov 17 - [[Symantec] Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage) | [:closed_book:](../../blob/master/2020/2020.11.17.Cicada_Japan) * Nov 16 - [[FoxIT] TA505: A Brief History Of Their Time](https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/) | [:closed_book:](../../blob/master/2020/2020.11.16.TA505_History) * Nov 16 - [[Bitdefender] A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government 
Institutions](https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf) | [:closed_book:](../../blob/master/2020/2020.11.16.Chinese_APT_South_Eastern_Asian) * Nov 12 - [[CISCO] CRAT wants to plunder your endpoints](https://blog.talosintelligence.com/2020/11/crat-and-plugins.html) | [:closed_book:](../../blob/master/2020/2020.11.12.CRAT_Lazarus) * Nov 12 - [[BlackBerry] The CostaRicto Campaign: Cyber-Espionage Outsourced](https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced) | [:closed_book:](../../blob/master/2020/2020.11.12.CostaRicto_Campaign) * Nov 12 - [[ESET] Hungry for data, ModPipe backdoor hits POS software used in hospitality sector](https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/) | [:closed_book:](../../blob/master/2020/2020.11.12.ModPipe_POS_Hospitality-Sector) * Nov 12 - [[Morphisec] JUPYTER INFOSTEALER](https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction) | [:closed_book:](../../blob/master/2020/2020.11.12.Jupyter_InfoStealer) * Nov 10 - [[Record Future] New APT32 Malware Campaign Targets Cambodian Government](https://www.recordedfuture.com/apt32-malware-campaign/) | [:closed_book:](../../blob/master/2020/2020.11.10.APT32_Cambodian) * Nov 06 - [[Volexity] OceanLotus: Extending Cyber Espionage Operations Through Fake Websites](https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/) | [:closed_book:](../../blob/master/2020/2020.11.06.OceanLotus_Fake_Websites) * Nov 04 - [[Sophos] A new APT uses DLL side-loads to “KilllSomeOne”](https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/) | [:closed_book:](../../blob/master/2020/2020.11.04.KilllSomeOne_DLL_APT) * Nov 02 - [[FireEye] Live off the Land? How About Bringing Your Own Island? 
An Overview of UNC1945](https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html) | [:closed_book:](../../blob/master/2020/2020.11.02.UNC1945)
* Nov 01 - [[Cyberstanc] A look into APT36's (Transparent Tribe) tradecraft](https://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/) | [:closed_book:](../../blob/master/2020/2020.11.01.Transparent_Tribe_APT)
* Oct 27 - [[US-CERT] North Korean Advanced Persistent Threat Focus: Kimsuky](https://us-cert.cisa.gov/sites/default/files/publications/TLP-WHITE_AA20-301A_North_Korean_APT_Focus_Kimsuky.pdf) | [:closed_book:](../../blob/master/2020/2020.10.27_AA20-301A.North_Korean_APT)
* Oct 26 - [[Dr.Web] Study of the ShadowPad APT backdoor and its relation to PlugX](https://news.drweb.com/show/?i=14048&lng=en) | [:closed_book:](../../blob/master/2020/2020.10.26.ShadowPad_APT_backdoor_PlugX)
* Oct 23 - [[360] APT-C-44 NAFox](https://blogs.360.cn/post/APT-C-44.html) | [:closed_book:](../../blob/master/2020/2020.10.23.APT-C-44_NAFox)
* Oct 22 - [[WeiXin] Bitter CHM](https://mp.weixin.qq.com/s/9O4nZV-LNHuBy2ihg2XeIw) | [:closed_book:](../../blob/master/2020/2020.10.22.Bitter_CHM_APT)
* Oct 19 - [[Trend Micro] Operation Earth Kitsune: Tracking SLUB’s Current Operations](https://www.trendmicro.com/vinfo/hk-en/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations) | [:closed_book:](../../blob/master/2020/2020.10.19_-_Operation_Earth_Kitsune_-_Tracking_SLUBs_current_operations/2020.10.19_-_Operation_Earth_Kitsune_-_Tracking_SLUBs_current_operations.pdf)
* Oct 15 - [[ClearSky] Operation Quicksand – MuddyWater’s Offensive Attack Against Israeli Organizations](https://www.clearskysec.com/operation-quicksand/) | [:closed_book:](../../blob/master/2020/2020.10.15_Operation_Quicksand_MuddyWater’s_Offensive_Attack_Against_Israeli/2020.10.15_Operation_Quicksand_MuddyWater’s_Offensive_Attack_Against_Israeli.pdf)
* Oct 14 - [[Malwarebytes] Silent Librarian APT right on schedule for 20/21 academic year](https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/) | [:closed_book:](../../blob/master/2020/2020.10.14.Silent_Librarian_APT)
* Oct 13 - [[WeiXin] Operation Rubia cordifolia](https://mp.weixin.qq.com/s/omacDXAdio88a_f0Xwu-kg) | [:closed_book:](../../blob/master/2020/2020.10.13.Operation_Rubia_cordifolia)
* Oct 07 - [[BlackBerry] BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals](https://www.blackberry.com/us/en/company/newsroom/press-releases/2020/blackberry-uncovers-massive-hack-for-hire-group-targeting-governments-businesses-human-rights-groups-and-influential-individuals) | [:closed_book:](../../blob/master/2020/2020.10.07.Massive_Hack-For-Hire_Group)
* Oct 06 - [[Malwarebytes] Release the Kraken: Fileless APT attack abuses Windows Error Reporting service](https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/) | [:closed_book:](../../blob/master/2020/2020.10.06.Kraken_Fileless_APT)
* Oct 05 - [[Kaspersky] MosaicRegressor: Lurking in the Shadows of UEFI](https://securelist.com/mosaicregressor/98849/) | [:closed_book:](../../blob/master/2020/2020.10.05.MosaicRegressor_Lurking_in_the_Shadows_of_UEFI/2020.10.05_-_MosaicRegressor_Lurking_in_the_Shadows_of_UEFI_Securelist_2020.pdf)
* Sep 30 - [[ESET] APT‑C‑23 group evolves its Android spyware](https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/) | [:closed_book:](../../blob/master/2020/2020.09.30.APT‑C‑23_Android)
* Sep 29 - [[Symantec] Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt) | [:closed_book:](../../blob/master/2020/2020.09.29.Palmerworm)
* Sep 29 - [[PTSecurity] ShadowPad: new activity from the Winnti group](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/) | [:closed_book:](../../blob/master/2020/2020.09.29_ShadowPad_-_new_activity_from_the_Winnti_group)
* Sep 25 - [[Amnesty] German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed](https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/) | [:closed_book:](../../blob/master/2020/2020.09.25.Finspy_in_Egypt)
* Sep 25 - [[360] APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign](https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/) | [:closed_book:](../../blob/master/2020/2020.09.25.APT-C-43_HpReact_campaign)
* Sep 24 - [[Microsoft] Detecting empires in the cloud](https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/) | [:closed_book:](../../blob/master/2020/2020.09.24.Empires_in_the_Cloud)
* Sep 23 - [[Seqrite] Operation SideCopy](https://www.seqrite.com/blog/operation-sidecopy/) | [:closed_book:](../../blob/master/2020/2020.09.23.Operation_SideCopy)
* Sep 22 - [[QuoIntelligence] APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure](https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/) | [:closed_book:](../../blob/master/2020/2020.09.22.APT28_Zebrocy_Malware_Campaign)
* Sep 21 - [[CISCO] The art and science of detecting Cobalt Strike](https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html) | [:closed_book:](../../blob/master/2020/2020.09.21.coverage-strikes-back-cobalt-strike-paper)
* Sep 17 - [[Qianxin] Operation Tibbar](https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf) | [:closed_book:](../../blob/master/2020/2020.09.17.Operation_Tibbar)
* Sep 16 - [[Intel471] Partners in crime: North Koreans and elite Russian-speaking cybercriminals](https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/) | [:closed_book:](../../blob/master/2020/2020.09.16.Partners_in_crime)
* Sep 08 - [[Microsoft] TeamTNT activity targets Weave Scope deployments](https://techcommunity.microsoft.com/t5/azure-security-center/teamtnt-activity-targets-weave-scope-deployments/ba-p/1645968) | [:closed_book:](../../blob/master/2020/2020.09.08.TeamTNT_Weave-Scope)
* Sep 03 - [[Cybereason] NO REST FOR THE WICKED: EVILNUM UNLEASHES PYVIL RAT](https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat) | [:closed_book:](../../blob/master/2020/2020.09.03.Evilnum_Pyvil)
* Sep 01 - [[Proofpoint] Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe](https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic) | [:closed_book:](../../blob/master/2020/2020.09.01.Chinese_APT_TA413)
* Aug 28 - [[Kaspersky] Transparent Tribe: Evolution analysis, part 2](https://securelist.com/transparent-tribe-part-2/98233/) | [:closed_book:](../../blob/master/2020/2020.08.28_Transparent_Tribe)
* Aug 27 - [[ClearSky] The Kittens Are Back in Town 3](https://www.clearskysec.com/the-kittens-are-back-in-town-3/) | [:closed_book:](../../blob/master/2020/2020.08.27.Kittens_Are_Back)
* Aug 24 - [[Kaspersky] Lifting the veil on DeathStalker, a mercenary triumvirate](https://securelist.com/deathstalker-mercenary-triumvirate/98177/) | [:closed_book:](../../blob/master/2020/2020.08.24_DeathStalker)
* Aug 20 - [[CERT-FR] DEVELOPMENT OF THE ACTIVITY OF THE TA505 CYBERCRIMINAL GROUP](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf) | [:closed_book:](../../blob/master/2020/2020.08.20_DEVELOPMENT_TA505)
* Aug 20 - [[Bitdefender] More Evidence of APT Hackers-for-Hire Used for Industrial Espionage](https://labs.bitdefender.com/2020/08/apt-hackers-for-hire-used-for-industrial-espionage/) | [:closed_book:](../../blob/master/2020/2020.08.20_APT_Hackers_for_Hire)
* Aug 18 - [[F-Secure] LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL](https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf) | [:closed_book:](../../blob/master/2020/2020.08.18.LAZARUS_GROUP)
* Aug 13 - [[Kaspersky] CactusPete APT group’s updated Bisonal backdoor](https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/) | [:closed_book:](../../blob/master/2020/2020.08.13.CactusPete_APT)
* Aug 13 - [[ClearSky] Operation ‘Dream Job’ Widespread North Korean Espionage Campaign](https://www.clearskysec.com/operation-dream-job/) | [:closed_book:](../../blob/master/2020/2020.08.13.Operation_Dream_Job)
* Aug 13 - [[NSA/FBI] Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware](https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF) | [:closed_book:](../../blob/master/2020/2020.08.13.Russian_GRU_85th_GTsSS)
* Aug 12 - [[Kaspersky] Internet Explorer and Windows zero-day exploits used in Operation PowerFall](https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/) | [:closed_book:](../../blob/master/2020/2020.08.12.Operation_PowerFall)
* Aug 10 - [[Seqrite] Gorgon APT targeting MSME sector in India](https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/) | [:closed_book:](../../blob/master/2020/2020.08.10.Gorgon_APT)
* Aug 03 - [[CISA] MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR](https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a) | [:closed_book:](../../blob/master/2020/2020.08.03.TAIDOOR)
* Jul 29 - [[McAfee] Operation North Star: A Job Offer That’s Too Good to be True?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/) | [:closed_book:](../../blob/master/2020/2020.07.29.Operation_North_Star)
* Jul 28 - [[Group-IB] JOLLY ROGER’S PATRONS](https://www.group-ib.com/resources/threat-research/black-jack.html) | [:closed_book:](../../blob/master/2020/2020.07.28.black-jack)
* Jul 28 - [[Recorded Future] Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations](https://www.recordedfuture.com/reddelta-targets-catholic-organizations/) | [:closed_book:](../../blob/master/2020/2020.07.28.RedDelta_APT)
* Jul 22 - [[Palo Alto Networks] OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory](https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/) | [:closed_book:](../../blob/master/2020/2020.07.22.OilRig_Middle_Eastern_Telecommunication)
* Jul 22 - [[Kaspersky] MATA: Multi-platform targeted malware framework](https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/) | [:closed_book:](../../blob/master/2020/2020.07.22_MATA_APT)
* Jul 20 - [[Dr.Web] Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan](https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf) | [:closed_book:](../../blob/master/2020/2020.07.20.APT_attacks_Kazakhstan_Kyrgyzstan)
* Jul 17 - [[CERT-FR] THE MALWARE DRIDEX: ORIGINS AND USES](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf) | [:closed_book:](../../blob/master/2020/2020.07.17.DRIDEX)
* Jul 16 - [[NCSC] Advisory: APT29 targets COVID-19 vaccine development](https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development) | [:closed_book:](../../blob/master/2020/2020.07.16.apt29-targets-covid-19-vaccine-development)
* Jul 15 - [[F-Secure] THE FAKE CISCO: Hunting for backdoors in Counterfeit Cisco devices](https://labs.f-secure.com/assets/BlogFiles/2020-07-the-fake-cisco.pdf) | [:closed_book:](../../blob/master/2020/2020.07.15_the_Fake_CISCO)
* Jul 14 - [[Telsy] TURLA / VENOMOUS BEAR UPDATES ITS ARSENAL: “NEWPASS” APPEARS ON THE APT THREAT SCENE](https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/) | [:closed_book:](../../blob/master/2020/2020.07.14_Turla_VENOMOUS_BEAR)
* Jul 14 - [[ESET] Welcome Chat as a secure messaging app? Nothing could be further from the truth](https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/) | [:closed_book:](../../blob/master/2020/2020.07.14_Molerats_Middle_East_APT)
* Jul 12 - [[WeiXin] SideWinder 2020 H1](https://mp.weixin.qq.com/s/5mBqxf_v6G006EnjECoTHw) | [:closed_book:](../../blob/master/2020/2020.07.12_SideWinder_2020_H1)
* Jul 09 - [[Agari] Cosmic Lynx: The Rise of Russian BEC](https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf) | [:closed_book:](../../blob/master/2020/2020.07.09_Cosmic_Lynx)
* Jul 09 - [[ESET] More evil: A deep look at Evilnum and its toolset](https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/) | [:closed_book:](../../blob/master/2020/2020.07.09_Evilnum_Toolset)
* Jul 08 - [[Sebdraven] Copy cat of APT Sidewinder?](https://medium.com/@Sebdraven/copy-cat-of-apt-sidewinder-1893059ca68d) | [:closed_book:](../../blob/master/2020/2020.07.08.Copy_Cat_of_Sidewinder)
* Jul 08 - [[Proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new) | [:closed_book:](../../blob/master/2020/2020.07.08.TA410)
* Jul 08 - [[Seqrite] Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India](https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/) | [:closed_book:](../../blob/master/2020/2020.07.08_Operation_Honey_Trap)
* Jul 06 - [[Sansec] North Korean hackers are skimming US and European shoppers](https://sansec.io/research/north-korea-magecart) | [:closed_book:](../../blob/master/2020/2020.07.06_North_Korean_Magecart)
* Jul 01 - [[Lookout] Mobile APT Surveillance Campaigns Targeting Uyghurs](https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf) | [:closed_book:](../../blob/master/2020/2020.07.01.Mobile_APT_Uyghurs)
* Jun 30 - [[Bitdefender] StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure](https://labs.bitdefender.com/2020/06/strongpity-apt-revealing-trojanized-tools-working-hours-and-infrastructure/) | [:closed_book:](../../blob/master/2020/2020.06.30_StrongPity_APT)
* Jun 29 - [[CISCO] PROMETHIUM extends global reach with StrongPity3 APT](https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html) | [:closed_book:](../../blob/master/2020/2020.06.29.PROMETHIUM_StrongPity3_APT)
* Jun 26 - [[Symantec] WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us) | [:closed_book:](../../blob/master/2020/2020.06.26_WastedLocker_Attack)
* Jun 25 - [[Elastic] A close look at the advanced techniques used in a Malaysian-focused APT campaign](https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign) | [:closed_book:](../../blob/master/2020/2020.06.25.Malaysian-focused-APT_campaign)
* Jun 24 - [[Dell] BRONZE VINEWOOD Targets Supply Chains](https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains) | [:closed_book:](../../blob/master/2020/2020.06.24.BRONZE_VINEWOOD)
* Jun 23 - [[NCC Group] WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/) | [:closed_book:](../../blob/master/2020/2020.06.23.WastedLocker_Evil_Corp_Group)
* Jun 19 - [[Zscaler] Targeted Attack Leverages India-China Border Dispute to Lure Victims](https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims) | [:closed_book:](../../blob/master/2020/2020.06.19.India-China_Border_Dispute_APT)
* Jun 18 - [[ESET] Digging up InvisiMole’s hidden arsenal](https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/) | [:closed_book:](../../blob/master/2020/2020.06.18.InvisiMole_hidden_arsenal)
* Jun 17 - [[ESET] Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies](https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/) | [:closed_book:](../../blob/master/2020/2020.06.17.Operation_Interception)
* Jun 17 - [[Palo Alto Networks] AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations](https://unit42.paloaltonetworks.com/acidbox-rare-malware/) | [:closed_book:](../../blob/master/2020/2020.06.17.AcidBox)
* Jun 17 - [[Malwarebytes] Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature](https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/) | [:closed_book:](../../blob/master/2020/2020.06.17.malleable-c2-feature_APT)
* Jun 16 - [[PTSecurity] Cobalt: tactics and tools update](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/) | [:closed_book:](../../blob/master/2020/2020.06.16.Cobalt_Update)
* Jun 15 - [[Amnesty] India: Human Rights Defenders Targeted by a Coordinated Spyware Operation](https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/) | [:closed_book:](../../blob/master/2020/2020.06.15.india-human-rights-defenders-targeted)
* Jun 11 - [[Trend Micro] New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa](https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/) | [:closed_book:](../../blob/master/2020/2020.06.11.Earth_Empusa)
* Jun 11 - [[ESET] Gamaredon group grows its game](https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/) | [:closed_book:](../../blob/master/2020/2020.06.11.Gamaredon_group)
* Jun 08 - [[Proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new) | [:closed_book:](../../blob/master/2020/2020.06.08.TA410)
* Jun 08 - [[CheckPoint] GuLoader? No, CloudEyE](https://research.checkpoint.com/2020/guloader-cloudeye/) | [:closed_book:](../../blob/master/2020/2020.06.08.GuLoader_CloudEyE)
* Jun 03 - [[Malwarebytes] New LNK attack tied to Higaisa APT discovered](https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/) | [:closed_book:](../../blob/master/2020/2020.06.03.Higaisa_APT)
* Jun 03 - [[Kaspersky] Cycldek: Bridging the (air) gap](https://securelist.com/cycldek-bridging-the-air-gap/97157/) | [:closed_book:](../../blob/master/2020/2020.06.03.Cycldek)
* Jun 01 - [[Lifars] Cryptocurrency Miners – XMRig Based CoinMiner by Blue Mockingbird Group](https://lifars.com/knowledge-center/xmrig-based-coinminer-bluemockingbird-group/) | [:closed_book:](../../blob/master/2020/2020.06.01.Blue_Mockingbird_Group)
* May 29 - [[IronNet] Russian Cyber Attack Campaigns and Actors](https://ironnet.com/blog/russian-cyber-attack-campaigns-and-actors/) | [:closed_book:](../../blob/master/2020/2020.05.29_russian-cyber-attack-campaigns-and-actors)
* May 28 - [[Kaspersky] The zero-day exploits of Operation WizardOpium](https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/) | [:closed_book:](../../blob/master/2020/2020.05.28_Operation_WizardOpium)
* May 26 - [[ESET] From Agent.BTZ to ComRAT v4: A ten‑year journey](https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/) | [:closed_book:](../../blob/master/2020/2020.05.26_From_Agent.BTZ_to_ComRAT)
* May 21 - [[Intezer] The Evolution of APT15’s Codebase 2020](https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/) | [:closed_book:](../../blob/master/2020/2020.05.21.APT15_Codebase_2020)
* May 21 - [[Bitdefender] Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia](https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf) | [:closed_book:](../../blob/master/2020/2020.05.21.Iranian_Chafer_APT)
* May 21 - [[ESET] No “Game over” for the Winnti Group](https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/) | [:closed_book:](../../blob/master/2020/2020.05.21.No_Game_Over_Winnti)
* May 19 - [[Symantec] Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia) | [:closed_book:](../../blob/master/2020/2020.05.19.Greenbug_South_Asia)
* May 18 - [[360] APT-C-23 targets the Middle East](https://blogs.360.cn/post/APT-C-23_target_at_Middle_East.html) | [:closed_book:](../../blob/master/2020/2020.05.18_APT-C-23)
* May 14 - [[Telekom] LOLSnif – Tracking Another Ursnif-Based Targeted Campaign](https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062) | [:closed_book:](../../blob/master/2020/2020.05.14.LOLSnif)
* May 14 - [[Sophos] RATicate: an attacker’s waves of information-stealing malware](https://news.sophos.com/en-us/2020/05/14/raticate/) | [:closed_book:](../../blob/master/2020/2020.05.14.RATicate)
* May 14 - [[360] Vendetta: new threat actor from Europe](https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/) | [:closed_book:](../../blob/master/2020/2020.05.14.Vendetta_APT)
* May 14 - [[ESET] Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia](https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/) | [:closed_book:](../../blob/master/2020/2020.05.14.Mikroceen)
* May 14 - [[Avast] APT Group Planted Backdoors Targeting High Profile Networks in Central Asia](https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/) | [:closed_book:](../../blob/master/2020/2020.05.14.Central_Asia_APT)
* May 14 - [[Kaspersky] COMpfun authors spoof visa application with HTTP status-based Trojan](https://securelist.com/compfun-http-status-based-trojan/96874/) | [:closed_book:](../../blob/master/2020/2020.05.14.COMpfun)
* May 13 - [[ESET] Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks](https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/) | [:closed_book:](../../blob/master/2020/2020.05.13.Ramsay)
* May 12 - [[Trend Micro] Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/) | [:closed_book:](../../blob/master/2020/2020.05.12.Tropic_Trooper_Back)
* May 11 - [[Zscaler] Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT](https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat) | [:closed_book:](../../blob/master/2020/2020.05.11.JsOutProx_RAT_Targeted_Attacks)
* May 11 - [[Palo Alto Networks] Updated BackConfig Malware Targeting Government and Military Organizations in South Asia](https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/) | [:closed_book:](../../blob/master/2020/2020.05.11_BackConfig_South_Asia)
* May 07 - [[Red Canary] Introducing Blue Mockingbird](https://redcanary.com/blog/blue-mockingbird-cryptominer/) | [:closed_book:](../../blob/master/2020/2020.05.07_Blue_Mockingbird)
* May 07 - [[CheckPoint] Naikon APT: Cyber Espionage Reloaded](https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/) | [:closed_book:](../../blob/master/2020/2020.05.07_Naikon_APT_Reloaded)
* May 06 - [[Prevailion] Phantom in the Command Shell](https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html) | [:closed_book:](../../blob/master/2020/2020.05.06_Phantom_EVILNUM)
* May 06 - [[CyberStruggle] Leery Turtle Threat Report](https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf) | [:closed_book:](../../blob/master/2020/2020.05.06_Leery_Turtle)
* May 05 - [[CheckPoint] Nazar: Spirits of the Past](https://research.checkpoint.com/2020/nazar-spirits-of-the-past/) | [:closed_book:](../../blob/master/2020/2020.05.05.Nazar_APT)
* Apr 29 - [[Recorded Future] Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests](https://go.recordedfuture.com/hubfs/reports/cta-2020-0429.pdf) | [:closed_book:](../../blob/master/2020/2020.04.29.Chinese_Influence_Operations_Taiwanese_Elections_Hong_Kong_Protests)
* Apr 28 - [[Yoroi] Outlaw is Back, a New Crypto-Botnet Targets European Organizations](https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/) | [:closed_book:](../../blob/master/2020/2020.04.28_Outlaw_is_Back)
* Apr 28 - [[ESET] Grandoreiro: How engorged can an EXE get?](https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/) | [:closed_book:](../../blob/master/2020/2020.04.28.Grandoreiro)
* Apr 24 - [[LAC JP] PoshC2](https://www.lac.co.jp/lacwatch/people/20200424_002177.html) | [:closed_book:](../../blob/master/2020/2020.04.24_PoshC2_APT)
* Apr 21 - [[Volexity] Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant](https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/) | [:closed_book:](../../blob/master/2020/2020.04.21.evil-eye-threat-actor)
* Apr 20 - [[QuoIntelligence] WINNTI GROUP: Insights From the Past](https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/) | [:closed_book:](../../blob/master/2020/2020.04.20_Winnti_from_the_past)
* Apr 17 - [[Trend Micro] Gamaredon APT Group Use Covid-19 Lure in Campaigns](https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns) | [:closed_book:](../../blob/master/2020/2020.04.17_Gamaredon_APT_Covid-19)
* Apr 16 - [[Trend Micro] Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems](https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/) | [:closed_book:](../../blob/master/2020/2020.04.16_Exposing_Modular_Adware)
* Apr 16 - [[White Ops] Giving Fraudsters the Cold Shoulder: Inside the Largest Connected TV Bot Attack](https://www.whiteops.com/blog/giving-fraudsters-the-cold-shoulder-inside-the-largest-connected-tv-bot-attack) | [:closed_book:](../../blob/master/2020/2020.04.16_ICEBUCKET_TV_Bot_Attack)
* Apr 15 - [[Lookout] Nation-state Mobile Malware Targets Syrians with COVID-19 Lures](https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures) | [:closed_book:](../../blob/master/2020/2020.04.15_COVID-19_Lures_Syrians)
* Apr 15 - [[CyCraft] Craft for Resilience: APT Group Chimera](https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf) | [:closed_book:](../../blob/master/2020/2020.04.15_Chimera_APT)
* Apr 07 - [[Malwarebytes] APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure](https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf) | [:closed_book:](../../blob/master/2020/2020.04.07_APTs_COVID-19)
* Apr 07 - [[Zscaler] New Ursnif Campaign: A Shift from PowerShell to Mshta](https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta) | [:closed_book:](../../blob/master/2020/2020.04.07_New_Ursnif_Campaign)
* Apr 07 - [[BlackBerry] Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android](https://blogs.blackberry.com/en/2020/04/decade-of-the-rats) | [:closed_book:](../../blob/master/2020/2020.04.07_Decade_of_the_RATs)
* Mar 30 - [[Alyac] The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection](https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf) | [:closed_book:](../../blob/master/2020/2020.03.30_Spy_Cloud_Operation)
* Mar 26 - [[Kaspersky] iOS exploit chain deploys LightSpy feature-rich malware](https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/) | [:closed_book:](../../blob/master/2020/2020.03.26_LightSpy_TwoSail_Junk_APT)
* Mar 25 - [[FireEye] This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html) | [:closed_book:](../../blob/master/2020/2020.03.25_APT41-initiates-global-intrusion-campaign)
* Mar 24 - [[Kaspersky] WildPressure targets industrial-related entities in the Middle East](https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/) | [:closed_book:](../../blob/master/2020/2020.03.24_WildPressure)
* Mar 24 - [[Trend Micro] Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/) | [:closed_book:](../../blob/master/2020/2020.03.24_Operation_Poisoned_News)
* Mar 19 - [[Trend Micro] Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/probing-pawn-storm-cyberespionage-campaign-through-scanning-credential-phishing-and-more) | [:closed_book:](../../blob/master/2020/2020.03.19_Probing_Pawn_Storm)
* Mar 15 - [[Malwarebytes] APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT](https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/) | [:closed_book:](../../blob/master/2020/2020.03.15_APT36_Crimson_RAT)
* Mar 12 - [[CheckPoint] Vicious Panda: The COVID Campaign](https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/) | [:closed_book:](../../blob/master/2020/2020.03.12_Vicious_Panda)
* Mar 12 - [[SecPulse] Two-tailed scorpion APT-C-23](https://www.secpulse.com/archives/125292.html) | [:closed_book:](../../blob/master/2020/2020.03.12_Two-tailed_scorpion)
* Mar 12 - [[ESET] Tracking Turla: New backdoor delivered via Armenian watering holes](https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes) | [:closed_book:](../../blob/master/2020/2020.03.12_Tracking_Turla)
* Mar 11 - [[Trend Micro] Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/) | [:closed_book:](../../blob/master/2020/2020.03.11.Operation_Overtrap)
* Mar 10 - [[Cybereason] WHO'S HACKING THE HACKERS: NO HONOR AMONG THIEVES](https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves) | [:closed_book:](../../blob/master/2020/2020.03.10.WHO_HACKING_THE_HACKERS)
* Mar 05 - [[Trend Micro] Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks](https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/) | [:closed_book:](../../blob/master/2020/2020.03.05_Dissecting_Geost)
* Mar 05 - [[ESET] Guildma: The Devil drives electric](https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/) | [:closed_book:](../../blob/master/2020/2020.03.05_Guildma)
* Mar 03 - [[F5] New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution](https://www.f5.com/labs/articles/threat-intelligence/new-perl-botnet--tuyul--found-with-possible-indonesian-attributi) | [:closed_book:](../../blob/master/2020/2020.03.03_Tuyul_Botnet_Indonesian)
* Mar 03 - [[Yoroi] The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs](https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/) | [:closed_book:](../../blob/master/2020/2020.03.03_Kimsuky_APT)
* Mar 02 - [[Telsy] APT34 (AKA OILRIG, AKA HELIX KITTEN) ATTACKS LEBANON GOVERNMENT ENTITIES WITH MAILDROPPER IMPLANTS](https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/) | [:closed_book:](../../blob/master/2020/2020.03.02_APT34_MAILDROPPER)
* Feb 28 - [[Qianxin] Nortrom Lion APT](https://ti.qianxin.com/blog/articles/who-is-the-next-silent-lamb-nuo-chong-lions-apt-organization-revealed/) | [:closed_book:](../../blob/master/2020/2020.02.28_Nortrom_Lion_APT)
* Feb 25 - [[Sophos] ‘Cloud Snooper’ Attack Bypasses Firewall Security Measures](https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/) | [:closed_book:](../../blob/master/2020/2020.02.25_Cloud_Snooper)
* Feb 22 - [[Objective-See] Weaponizing a Lazarus Group Implant](https://objective-see.com/blog/blog_0x54.html) | [:closed_book:](../../blob/master/2020/2020.02.22_Lazarus_Group_Weaponizing)
* Feb 21 - [[AhnLab] MyKings Botnet](http://download.ahnlab.com/kr/site/library/%5BAhnLab%5DAnalysis%20Report_MyKings%20Botnet.pdf) | [:closed_book:](../../blob/master/2020/2020.02.21_MyKings_Botnet)
* Feb 19 - [[Lexfo] The Lazarus Constellation](https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf) | [:closed_book:](../../blob/master/2020/2020.02.19_The_Lazarus_Constellation)
* Feb 18 - [[Trend Micro] Operation DRBControl](https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf) | [:closed_book:](../../blob/master/2020/2020.02.18_Operation_DRBControl)
* Feb 17 - [[Yoroi] Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign](https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/) | [:closed_book:](../../blob/master/2020/2020.02.17.Cyberwarfare_Gamaredon_Campaign)
* Feb 17 - [[Talent-Jump] CLAMBLING - A New Backdoor Base On Dropbox (EN)](http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/) | [:closed_book:](../../blob/master/2020/2020.02.17_CLAMBLING_Dropbox_Backdoor)
* Feb 17 - [[ClearSky] Fox Kitten Campaign](https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf) | [:closed_book:](../../blob/master/2020/2020.02.17_Fox_Kitten_Campaign)
* Feb 13 - [[Cybereason] NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS - PART 2: THE DISCOVERY OF THE NEW, MYSTERIOUS PIEROGI BACKDOOR](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor) | [:closed_book:](../../blob/master/2020/2020.02.13.PIEROGI_BACKDOOR_APT)
* Feb 10 - [[Trend Micro] Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems](https://blog.trendmicro.com/trendlabs-security-intelligence/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems/) | [:closed_book:](../../blob/master/2020/2020.02.10_Outlaw_Updates)
* Feb 03 - [[Palo Alto Networks] Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations](https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/) | [:closed_book:](../../blob/master/2020/2020.02.03.SharePoint_Vulnerability_Middle_East)
* Jan XX - [[IBM] New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East](https://www.ibm.com/downloads/cas/OAJ4VZNJ) | [:closed_book:](../../blob/master/2020/2020.01.xx.ZeroCleare_Wiper)
* Jan 31 - [[ESET] Winnti Group targeting universities in Hong Kong](https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/) | [:closed_book:](../../blob/master/2020/2020.01.31.Winnti_universities_in_HK)
* Jan 16 - [[CISCO] JhoneRAT: Cloud based python RAT targeting Middle Eastern countries](https://blog.talosintelligence.com/2020/01/jhonerat.html) | [:closed_book:](../../blob/master/2020/2020.01.16.JhoneRAT)
* Jan 13 - [[ShellsSystems] Reviving MuddyC3 Used by MuddyWater (IRAN) APT](https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/) | [:closed_book:](../../blob/master/2020/2020.01.13.muddyc3.Revived)
* Jan 13 - [[Lab52] APT27 ZxShell RootKit module updates](https://lab52.io/blog/apt27-rootkit-updates/) | [:closed_book:](../../blob/master/2020/2020.01.13.APT27_ZxShell_RootKit)
* Jan 09 - [[Dragos] The State of Threats to Electric Entities in North America](https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf) | [:closed_book:](../../blob/master/2020/2020.01.09.NA-EL-Threat-Perspective)
* Jan 08 - [[Kaspersky] Operation AppleJeus Sequel](https://securelist.com/operation-applejeus-sequel/95596/) | [:closed_book:](../../blob/master/2020/2020.01.08_Operation_AppleJeus_Sequel)
* Jan 07 - [[Recorded Future] Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access](https://www.recordedfuture.com/iranian-cyber-response/) | [:closed_book:](../../blob/master/2020/2020.01.07_Iranian_Cyber_Response)
* Jan 07 - [[NCA] Destructive Attack: DUSTMAN](https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Iran/Saudi-Arabia-CNA-report.pdf) | [:closed_book:](../../blob/master/2020/2020.01.07_Destructive_Attack_DUSTMAN)
* Jan 06 - [[Trend Micro] First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group](https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/) | [:closed_book:](../../blob/master/2020/2020.01.06.SideWinder_Google_Play)
* Jan 01 - [[WeiXin] Pakistan Sidewinder APT Attack](https://mp.weixin.qq.com/s/CZrdslzEs4iwlaTzJH7Ubg) | [:closed_book:](../../blob/master/2020/2020.01.01.SideWinder_APT)

## 2019

* Dec 29 - [[Dell] BRONZE PRESIDENT Targets NGOs](https://www.secureworks.com/research/bronze-president-targets-ngos) | [:closed_book:](../../blob/master/2019/2019.12.29_BRONZE_PRESIDENT_NGO)
* Dec 26 - [[Pedro Tavares] Targeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/) | [:closed_book:](../../blob/master/2019/2019.12.26.Trojan-Lampion)
* Dec 19 - [[Fox-IT] Operation Wocao](https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wacao.pdf) | [:closed_book:](../../blob/master/2019/2019.12.19.Operation_Wocao)
* Dec 17 - [[Palo Alto Networks] Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia](https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/) | [:closed_book:](../../blob/master/2019/2019.12.17.Rancor)
* Dec 17 - [[360] Dacls, the Dual platform RAT](https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/) | [:closed_book:](../../blob/master/2019/2019.12.17.Dacls_RAT)
* Dec 16 - [[Sophos] MyKings: The Slow But Steady Growth of a Relentless Botnet](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-uncut-mykings-report.pdf) | [:closed_book:](../../blob/master/2019/2019.12.16.MyKings)
* Dec 12 - [[Trend Micro] Drilling Deep: A Look at Cyberattacks on the Oil and Gas
Industry](https://documents.trendmicro.com/assets/white_papers/wp-drilling-deep-a-look-at-cyberattacks-on-the-oil-and-gas-industry.pdf) | [:closed_book:](../../blob/master/2019/2019.12.12.Drilling_Deep) * Dec 12 - [[Microsoft] GALLIUM: Targeting global telecom](https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/) | [:closed_book:](../../blob/master/2019/2019.12.12.GALLIUM) * Dec 12 - [[Recorded Future] Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs](https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf) | [:closed_book:](../../blob/master/2019/2019.12.12.Operation_Gamework) * Dec 11 - [[Trend Micro] Waterbear is Back, Uses API Hooking to Evade Security Product Detection](https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/) | [:closed_book:](../../blob/master/2019/2019.12.11.Waterbear_Back) * Dec 11 - [[Cyberason] DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE](https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware) | [:closed_book:](../../blob/master/2019/2019.12.11_DROPPING_ANCHOR) * Dec 10 - [[Sentinel] Anchor Project: The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT](https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/#report) | [:closed_book:](../../blob/master/2019/2019.12.10_TrickBot_Planeswalker) * Dec 06 - [[SCILabs] Cosmic Banker campaign is still active revealing link with Banload malware](https://blog.scilabs.mx/cosmic-banker-campaign-is-still-active-revealing-link-with-banload-malware/) | [:closed_book:](../../blob/master/2019/2019.12.06.Cosmic_Banker_campaign) * Dec 04 - [[IBM] New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East](https://www.ibm.com/downloads/cas/OAJ4VZNJ) | 
[:closed_book:](../../blob/master/2019/2019.12.04.ZeroCleare) * Dec 04 - [[Trend Micro] Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign](https://blog.trendmicro.com/trendlabs-security-intelligence/obfuscation-tools-found-in-the-capesand-exploit-kit-possibly-used-in-kurdishcoder-campaign/) | [:closed_book:](../../blob/master/2019/2019.12.04.KurdishCoder_Campaign) * Dec 03 - [[NSHC] Threat Actor Targeting Hong Kong Pro-Democracy Figures](https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/) | [:closed_book:](../../blob/master/2019/2019.12.03.Hong_Kong_Pro-Democracy) * Nov 29 - [[Trend Micro] Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick) | [:closed_book:](../../blob/master/2019/2019.11.29.Operation_ENDTRADE) * Nov 28 - [[Kaspersky] RevengeHotels: cybercrime targeting hotel front desks worldwide](https://securelist.com/revengehotels/95229/) | [:closed_book:](../../blob/master/2019/2019.11.28.RevengeHotels) * Nov 26 - [[Microsoft] Insights from one year of tracking a polymorphic threat: Dexphot](https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/) | [:closed_book:](../../blob/master/2019/2019.11.26.Dexphot) * Nov 25 - [[Positive] Studying Donot Team](http://blog.ptsecurity.com/2019/11/studying-donot-team.html) | [:closed_book:](../../blob/master/2019/2019.11.25_Donot_Team) * Nov 21 - [[ESET] Registers as “Default Print Monitor”, but is a malicious downloader. 
Meet DePriMon](https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/) | [:closed_book:](../../blob/master/2019/2019.11.21.DePriMon) * Nov 20 - [[360] Golden Eagle (APT-C-34)](http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html) | [:closed_book:](../../blob/master/2019/2019.11.20.Golden_Eagle_APT-C-34) * Nov 20 - [[Trend Micro] Mac Backdoor Linked to Lazarus Targets Korean Users](https://blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/) | [:closed_book:](../../blob/master/2019/2019.11.20.Mac_Lazarus) * Nov 13 - [[Trend Micro] More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting](https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/) | [:closed_book:](../../blob/master/2019/2019.11.13.APT33_Extreme_Narrow_Targeting) * Nov 12 - [[Marco Ramilli] TA-505 Cybercrime on System Integrator Companies](https://marcoramilli.com/2019/11/12/ta-505-cybercrime-on-system-integrator-companies/) | [:closed_book:](../../blob/master/2019/2019.11.12_TA-505_On_SI) * Nov 08 - [[Group-IB] Massive malicious campaign by FakeSecurity JS-sniffer](https://www.group-ib.com/blog/fakesecurity) | [:closed_book:](../../blob/master/2019/2019.11.08_FakeSecurity_JS-sniffer) * Nov 08 - [[Kapsersky] Titanium: the Platinum group strikes again](https://securelist.com/titanium-the-platinum-group-strikes-again/94961/) | [:closed_book:](../../blob/master/2019/2019.11.08_Titanium_Action_Platinum_group) * Nov 05 - [[Telsy] THE LAZARUS’ GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE ?](https://blog.telsy.com/the-lazarus-gaze-to-the-world-what-is-behind-the-first-stone/) | [:closed_book:](../../blob/master/2019/2019.11.05.LAZARUS_GAZE) * Nov 04 - [[Tencent] Higaisa APT](https://s.tencent.com/research/report/836.html) | [:closed_book:](../../blob/master/2019/2019.11.04.Higaisa_APT) * Nov 04 - [[Marcoramilli] 
Is Lazarus/APT38 Targeting Critical Infrastructures](https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures) | [:closed_book:](../../blob/master/2019/2019.11.04.Lazarus_APT38) * Nov 01 - [[Kaspersky] Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium](https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/) | [:closed_book:](../../blob/master/2019/2019.11.1.Operation_WizardOpium) * Oct 31 - [[PTsecurity] Calypso APT: new group attacking state institutions](https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/) | [:closed_book:](../../blob/master/2019/2019.10.31.Calypso_APT) * Oct 31 - [[Fireeye] MESSAGETAP: Who’s Reading Your Text Messages?](https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html) | [:closed_book:](../../blob/master/2019/2019.10.31.MESSAGETAP) * Oct 28 - [[Marco Ramilli] SWEED Targeting Precision Engineering Companies in Italy](https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/) | [:closed_book:](../../blob/master/2019/2019.10.28_SWEED_Italy) * Oct 21 - [[ESET] Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor](https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/) | [:closed_book:](../../blob/master/2019/2019.10.21.Winnti_skip_2.0) * Oct 21 - [[VB] Geost botnet. 
The story of the discovery of a new Android banking trojan from an OpSec error](https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Garcia-etal.pdf) | [:closed_book:](../../blob/master/2019/2019.10.21_Geost_botnet) * Oct 17 - [[ESET] Operation Ghost: The Dukes aren’t back – they never left](https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/) | [:closed_book:](../../blob/master/2019/2019.10.17.Operation_Ghost) * Oct 15 - [[Fireeye] LOWKEY: Hunting for the Missing Volume Serial ID](https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html) | [:closed_book:](../../blob/master/2019/2019.10.15.LOWKEY) * Oct 14 - [[Marco Ramilli] Is Emotet gang targeting companies with external SOC?](https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/) | [:closed_book:](../../blob/master/2019/2019.10.14.Emotet_external_SOC) * Oct 14 - [[Exatrack] From tweet to rootkit](https://exatrack.com/public/winnti_EN.pdf) | [:closed_book:](../../blob/master/2019/2019.10.14.From_tweet_to_rootkit) * Oct 14 - [[Crowdstrike] HUGE FAN OF YOUR WORK: TURBINE PANDA ](https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf) | [:closed_book:](../../blob/master/2019/2019.10.14.TURBINE_PANDA) * Oct 10 - [[Fireeye] Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques](https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html) | [:closed_book:](../../blob/master/2019/2019.10.10.Fin7) * Oct 10 - [[ESET] CONNECTING THE DOTS Exposing the arsenal and methods of the Winnti Group](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf) | [:closed_book:](../../blob/master/2019/2019.10.10.Winnti_Group) * Oct 10 - [[ESET] Attor, a spy platform with curious GSM fingerprinting](https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/) | 
[:closed_book:](../../blob/master/2019/2019.10.10.Attor_GSM_fingerprinting_spy_platform) * Oct 09 - [[Trend Micro] FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops](https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/) | [:closed_book:](../../blob/master/2019/2019.10.09_FIN6_Magecart) * Oct 07 - [[CERT-FR] Supply chain attacks: threats targeting service providers and design offices](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-005.pdf) | [:closed_book:](../../blob/master/2019/2019.10.07.Supply_Chain_Attacks) * Oct 07 - [[Clearsky] The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods](https://www.clearskysec.com/the-kittens-are-back-in-town-2/) | [:closed_book:](../../blob/master/2019/2019.10.07.Charming_Kitten_Back_in_Town_2) * Oct 07 - [[Anomali] China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations](https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations) | [:closed_book:](../../blob/master/2019/2019.10.07.Panda_minority-groups) * Oct 04 - [[Avest] GEOST BOTNET. 
THE STORY OF THE DISCOVERY OF A NEW ANDROID BANKING TROJAN FROM AN OPSEC ERROR](http://public.avast.com/research/VB2019-Garcia-etal.pdf) | [:closed_book:](../../blob/master/2019/2019.10.04.GEOST_BOTNET) * Oct 03 - [[Palo Alto Networks] PKPLUG: Chinese Cyber Espionage Group Attacking Asia](https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/) | [:closed_book:](../../blob/master/2019/2019.10.03.PKPLUG) * Oct 01 - [[Netskope] New Adwind Campaign targets US Petroleum Industry](https://www.netskope.com/blog/new-adwind-campaign-targets-us-petroleum-industry-2) | [:closed_book:](../../blob/master/2019/2019.10.01.Adwind_Campaign_US_Petroleum_Industry) * Oct 01 - [[Trend Micro] New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign](https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/) | [:closed_book:](../../blob/master/2019/2019.10.01.kovcoreg-malvertising-campaign) * Sep 30 - [[Lastline] HELO Winnti: Attack or Scan?](https://www.lastline.com/labsblog/helo-winnti-attack-scan/) | [:closed_book:](../../blob/master/2019/2019.09.30_HELO_Winnti) * Sep 26 - [[GBHackers] Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor](https://gbhackers.com/fakenarrator-malware/) | [:closed_book:](../../blob/master/2019/2019.09.26_China_APT_FakeNarrator_To_PcShare) * Sep 24 - [[Telsy] DeadlyKiss APT](https://blog.telsy.com/wp-content/uploads/2019/09/DeadlyKiss_TAAR.pdf) | [:closed_book:](../../blob/master/2019/2019.09.24.DeadlyKiss_APT) * Sep 24 - [[CISCO] How Tortoiseshell created a fake veteran hiring website to host malware](https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html) | [:closed_book:](../../blob/master/2019/2019.09.24_New_Tortoiseshell) * Sep 24 - [[CheckPoint] Mapping the connections inside Russia’s APT Ecosystem](https://research.checkpoint.com/russianaptecosystem/) | 
[:closed_book:](../../blob/master/2019/2019.09.24_Russia_APT_Ecosystem) * Sep 18 - [[Symantec] Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks](https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain) | [:closed_book:](../../blob/master/2019/2019.09.18.Tortoiseshell-APT) * Sep 18 - [[Trend Micro] Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites](https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/) | [:closed_book:](../../blob/master/2019/2019.09.18.Magecart_Hotel_Chain_Booking) * Sep 15 - [[Clearsky] The Kittens Are Back in Town Charming Kitten Campaign Against Academic Researchers](https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf) | [:closed_book:](../../blob/master/2019/2019.09.15_Kittens_back) * Sep 11 - [[MeltX0R Security] RANCOR APT: Suspected targeted attacks against South East Asia](https://meltx0r.github.io/tech/2019/09/11/rancor-apt.html) | [:closed_book:](../../blob/master/2019/2019.09.11.RANCOR_APT) * Sep 09 - [[Symantec] Thrip: Ambitious Attacks Against High Level Targets Continue](https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia) | [:closed_book:](../../blob/master/2019/2019.09.09.Thrip) * Sep 06 - [[MeltX0R Security] BITTER APT: Not So Sweet](https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html) | [:closed_book:](../../blob/master/2019/2019.09.06.BITTER_APT_Not_So_Sweet) * Sep 05 - [[CheckPoint] UPSynergy: Chinese-American Spy vs. 
Spy Story](https://research.checkpoint.com/upsynergy/) | [:closed_book:](../../blob/master/2019/2019.09.05.UPSynergy) * Sep 04 - [[Trend Micro] Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions](https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/) | [:closed_book:](../../blob/master/2019/2019.09.04.Glupteba_Campaign) * Aug 31 - [[StrangerealIntel] Malware analysis on Bitter APT campaign](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/Bitter/27-08-19/Malware%20analysis%2031-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.31.Bitter_APT_Malware_analysis) * Aug 29 - [[AhnLab] Tick Tock - Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years](https://gsec.hitb.org/materials/sg2019/D1%20COMMSEC%20-%20Tick%20Group%20-%20Activities%20Of%20The%20Tick%20Cyber%20Espionage%20Group%20In%20East%20Asia%20Over%20The%20Last%2010%20Years%20-%20Cha%20Minseok.pdf) | [:closed_book:](../../blob/master/2019/2019.08.29_Tick_Tock) * Aug 29 - [[Trend Micro] ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information](https://blog.trendmicro.com/trendlabs-security-intelligence/heatstroke-campaign-uses-multistage-phishing-attack-to-steal-paypal-and-credit-card-information/) | [:closed_book:](../../blob/master/2019/2019.08.29.Heatstroke_Campaign) * Aug 29 - [[IBM] More_eggs, Anyone? 
Threat Actor ITG08 Strikes Again](https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/) | [:closed_book:](../../blob/master/2019/2019.08.29.FIN6_ITG08) * Aug 29 - [[NSHC] SectorJ04 Group’s Increased Activity in 2019](https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/) | [:closed_book:](../../blob/master/2019/2019.08.29.SectorJ04_2019) * Aug 27 - [[StrangerealIntel] Malware analysis about sample of APT Patchwork](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Patchwork/27-08-19/Malware%20analysis%2027-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.27.Patchwork_Malware_Analysis) * Aug 27 - [[Dell] LYCEUM Takes Center Stage in Middle East Campaign](https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign) | [:closed_book:](../../blob/master/2019/2019.08.27.LYCEUM_threat_group) * Aug 27 - [[CISCO] China Chopper still active 9 years later](https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html) | [:closed_book:](../../blob/master/2019/2019.08.27.China_Chopper) * Aug 27 - [[Trend Micro] TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy](https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/) | [:closed_book:](../../blob/master/2019/2019.08.27.TA505_Again) * Aug 26 - [[QianXin] APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan](https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/) | [:closed_book:](../../blob/master/2019/2019.08.26.APT-C-09) * Aug 22 - [[PTsecurity] Operation TaskMasters: Cyberespionage in the digital economy age](https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/) | [:closed_book:](../../blob/master/2019/2019.08.22.Operation_TaskMasters) * Aug 21 - [[Fortinet] The Gamaredon Group: A TTP Profile 
Analysis](https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html) | [:closed_book:](../../blob/master/2019/2019.08.21.Gamaredon_Group) * Aug 21 - [[Group-IB] Silence 2.0](https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf) | [:closed_book:](../../blob/master/2019/2019.08.21.Silence_2.0) * Aug 20 - [[StrangerealIntel] Malware analysis about unknown Chinese APT campaign](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.20.unknown_Chinese_APT) * Aug 14 - [[ESET] In the Balkans, businesses are under fire from a double‑barreled weapon](https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/) | [:closed_book:](../../blob/master/2019/2019.08.14.Balkans_Campaign) * Aug 12 - [[Kaspersky] Recent Cloud Atlas activity](https://securelist.com/recent-cloud-atlas-activity/92016/)| [:closed_book:](../../blob/master/2019/2019.08.12.Cloud_Atlas_activity) * Aug 08 - [[Anomali] Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations](https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations) | [:closed_book:](../../blob/master/2019/2019.08.08.BITTER_APT) * Aug 07 - [[FireEye] APT41: A Dual Espionage and Cyber Crime Operation](https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html) | [:closed_book:](../../blob/master/2019/2019.08.07.APT41) * Aug 05 - [[Trend Micro] Latest Trickbot Campaign Delivered via Highly Obfuscated JS File](https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/) | [:closed_book:](../../blob/master/2019/2019.08.05.Trickbot_Obfuscated_JS) * Aug 05 - [[ESET] Sharpening the 
Machete](https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/) | [:closed_book:](../../blob/master/2019/2019.08.05.Sharpening_the_Machete) * Aug 01 - [[Anity] Analysis of the Attack of Mobile Devices by OceanLotus](https://www.antiy.net/p/analysis-of-the-attack-of-mobile-devices-by-oceanlotus/) | [:closed_book:](../../blob/master/2019/2019.08.01.Mobile_OceanLotus) * Jul 24 - [[Dell] Resurgent Iron Liberty Targeting Energy Sector](https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector) | [:closed_book:](../../blob/master/2019/2019.07.24.Resurgent_Iron_Liberty) * Jul 24 - [[] Attacking the Heart of the German Industry](https://web.br.de/interaktiv/winnti/english/) | [:closed_book:](../../blob/master/2019/2019.07.24.Winnti_German) * Jul 24 - [[Proofpoint] Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia](https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology) | [:closed_book:](../../blob/master/2019/2019.07.24.Operation_LagTime_IT) * Jul 18 - [[FireEye] Hard Pass: Declining APT34’s Invite to Join Their Professional Network](https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html) | [:closed_book:](../../blob/master/2019/2019.07.18.APT34_Hard_Pass) * Jul 18 - [[Trend Micro] Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/) | [:closed_book:](../../blob/master/2019/2019.07.18.Proyecto_RAT_Colombian) * Jul 18 - [[ESET] OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY ](https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/) | 
[:closed_book:](../../blob/master/2019/2019.07.18.Okrum) * Jul 17 - [[AT&T] Newly identified StrongPity operations](https://cybersecurity.att.com/blogs/labs-research/newly-identified-strongpity-operations) | [:closed_book:](../../blob/master/2019/2019.07.17.StrongPity_operations) * Jul 17 - [[Intezer] EvilGnome: Rare Malware Spying on Linux Desktop Users](https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/) | [:closed_book:](../../blob/master/2019/2019.07.17.EvilGnome) * Jul 16 - [[Trend Micro] SLUB Gets Rid of GitHub, Intensifies Slack Use](https://blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use/) | [:closed_book:](../../blob/master/2019/2019.07.16.SLUB) * Jul 15 - [[CISCO] SWEED: Exposing years of Agent Tesla campaigns](https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html) | [:closed_book:](../../blob/master/2019/2019.07.15.SWEED) * Jul 11 - [[ESET] Buhtrap group uses zero‑day in latest espionage campaigns](https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/) | [:closed_book:](../../blob/master/2019/2019.07.11.Buhtrap_Group) * Jul 09 - [[CISCO] Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques](https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html) | [:closed_book:](../../blob/master/2019/2019.07.09.SeaTurtle_swimming) * Jul 04 - [[Kaspersky] Twas the night before](https://securelist.com/twas-the-night-before/91599/) | [:closed_book:](../../blob/master/2019/2019.07.04.NewsBeef_APT) * Jul 04 - [[Trend Micro] Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi](https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/) | [:closed_book:](../../blob/master/2019/2019.07.04.TA505_Gelup_FlowerPippi) * Jul 03 - [[Anomali] Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation 
Editor Vulnerability Since Late 2018](https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018) | [:closed_book:](../../blob/master/2019/2019.07.03.Chinese_APT_CVE-2018-0798) * Jul 01 - [[Check Point] Operation Tripoli](https://research.checkpoint.com/operation-tripoli/) | [:closed_book:](../../blob/master/2019/2019.07.01.Operation_Tripoli) * Jul 01 - [[Cylance] Threat Spotlight: Ratsnif - New Network Vermin from OceanLotus](https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html) | [:closed_book:](../../blob/master/2019/2019.07.01.OceanLotus_Ratsnif) * Jun 27 - [[Trend Micro] ShadowGate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit](https://blog.trendmicro.com/trendlabs-security-intelligence/shadowgate-returns-to-worldwide-operations-with-evolved-greenflash-sundown-exploit-kit/) | [:closed_book:](../../blob/master/2019/2019.06.27.ShadowGate_Returns) * Jun 26 - [[Recorded Future] Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations](https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf) | [:closed_book:](../../blob/master/2019/2019.06.26.Iranian_to_Saudi) * Jun 25 - [[QianXin] Analysis of MuddyC3, a New Weapon Used by MuddyWater](https://ti.qianxin.com/blog/articles/analysis-of-muddyc3-a-new-weapon-used-by-muddywater/) | [:closed_book:](../../blob/master/2019/2019.06.25.MuddyC3) * Jun 25 - [[Cybereason] OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) | [:closed_book:](../../blob/master/2019/2019.06.25.Operation_Soft_Cell) * Jun 21 - [[Symantec] Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments](https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments) | 
[:closed_book:](../../blob/master/2019/2019.06.21.Waterbug)
* Jun 20 - [[QianXin] New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam](https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/) | [:closed_book:](../../blob/master/2019/2019.06.20.OceanLotus_New_Approaches)
* Jun 12 - [[ThaiCERT] Threat Group Cards: A Threat Actor Encyclopedia](https://www.dropbox.com/s/ds0ra0c8odwsv3m/Threat%20Group%20Cards.pdf?dl) | [:closed_book:](../../blob/master/2019/2019.06.12.Threat_Group_Cards)
* Jun 11 - [[Recorded Future] The Discovery of Fishwrap: A New Social Media Information Operation Methodology](https://www.recordedfuture.com/fishwrap-influence-operation/) | [:closed_book:](../../blob/master/2019/2019.06.11.Fishwrap_Group)
* Jun 10 - [[BlackBerry] Threat Spotlight: MenuPass/QuasarRAT Backdoor](https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor) | [:closed_book:](../../blob/master/2019/2019.06.10.MenuPass_QuasarRAT_Backdoor)
* Jun 10 - [[Trend Micro] MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools](https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/) | [:closed_book:](../../blob/master/2019/2019.06.10.MuddyWater_Resurfaces)
* Jun 05 - [[Agari] Scattered Canary: The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise](https://www.agari.com/cyber-intelligence-research/whitepapers/scattered-canary.pdf) | [:closed_book:](../../blob/master/2019/2019.06.05.Scattered_Canary)
* Jun 04 - [[Bitdefender] An APT Blueprint: Gaining New Visibility into Financial Threats](https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf) | [:closed_book:](../../blob/master/2019/2019.06.04.APT_Blueprint)
* Jun 03 - [[Kaspersky] Zebrocy’s Multilanguage Malware Salad](https://securelist.com/zebrocys-multilanguage-malware-salad/90680/) | [:closed_book:](../../blob/master/2019/2019.06.03.Zebrocy)
* May 30 - [[CISCO] 10 years of virtual dynamite: A high-level retrospective of ATM malware](https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html) | [:closed_book:](../../blob/master/2019/2019.05.30.10_Years_ATM_Malware)
* May 29 - [[ESET] A dive into Turla PowerShell usage](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/) | [:closed_book:](../../blob/master/2019/2019.05.29.Turla_PowerShell)
* May 29 - [[Yoroi] TA505 is Expanding its Operations](https://blog.yoroi.company/research/ta505-is-expanding-its-operations/) | [:closed_book:](../../blob/master/2019/2019.05.29.TA505)
* May 28 - [[Palo Alto Networks] Emissary Panda Attacks Middle East Government Sharepoint Servers](https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/) | [:closed_book:](../../blob/master/2019/2019.05.28.Emissary_Panda)
* May 27 - [[360] APT-C-38](http://blogs.360.cn/post/analysis-of-APT-C-38.html) | [:closed_book:](../../blob/master/2019/2019.05.27.APT-C-38)
* May 24 - [[ENSILO] UNCOVERING NEW ACTIVITY BY APT10](https://blog.ensilo.com/uncovering-new-activity-by-apt10) | [:closed_book:](../../blob/master/2019/2019.05.24_APT10_New_Activity)
* May 22 - [[ESET] A journey to Zebrocy land](https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/) | [:closed_book:](../../blob/master/2019/2019.05.22.Zebrocy_Land)
* May 19 - [[Intezer] HiddenWasp Malware Stings Targeted Linux Systems](https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/) | [:closed_book:](../../blob/master/2019/2019.05.19.HiddenWasp_Linux)
* May 18 - [[ADLab] Operation_BlackLion](https://www.secrss.com/articles/10745) | [:closed_book:](../../blob/master/2019/2019.05.18.Operation_BlackLion)
* May 15 - [[Chronicle] Winnti: More than just Windows and Gates](https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a) | [:closed_book:](../../blob/master/2019/2019.05.15.Winnti_More)
* May 13 - [[Kaspersky] ScarCruft continues to evolve, introduces Bluetooth harvester](https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/) | [:closed_book:](../../blob/master/2019/2019.05.13.ScarCruft_Bluetooth)
* May 11 - [[Sebdraven] Chinese Actor APT target Ministry of Justice Vietnamese](https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906) | [:closed_book:](../../blob/master/2019/2019.05.11.Chinese_APT_Vietnamese)
* May 09 - [[Clearsky] Iranian Nation-State APT Groups – “Black Box” Leak](https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf) | [:closed_book:](../../blob/master/2019/2019.05.09.Iranian_APT_Leak)
* May 08 - [[Kaspersky] FIN7.5: the infamous cybercrime rig “FIN7” continues its activities](https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/) | [:closed_book:](../../blob/master/2019/2019.05.08.Fin7.5)
* May 08 - [[QianXin] OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure](https://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/) | [:closed_book:](../../blob/master/2019/2019.05.08.OceanLotus)
* May 07 - [[Yoroi] ATMitch: New Evidence Spotted In The Wild](https://blog.yoroi.company/research/atmitch-new-evidence-spotted-in-the-wild/) | [:closed_book:](../../blob/master/2019/2019.05.07.ATMitch)
* May 07 - [[ESET] Turla LightNeuron: An email too far](https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf) | [:closed_book:](../../blob/master/2019/2019.05.07.Turla_LightNeuron)
* May 07 - [[Symantec] Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak](https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit) | [:closed_book:](../../blob/master/2019/2019.05.07.Buckeye)
* May 03 - [[Kaspersky] Who’s who in the Zoo: Cyberespionage operation targets Android users in the Middle East](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf) | [:closed_book:](../../blob/master/2019/2019.05.03.ZooPark)
* Apr 30 - [[ThreatRecon] SectorB06 using Mongolian language in lure document](https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/) | [:closed_book:](../../blob/master/2019/2019.04.30.SectorB06_Mongolian)
* Apr 24 - [[CyberInt] Legit remote admin tools turn into threat actors' tools](https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%27%20Tools_Report.pdf) | [:closed_book:](../../blob/master/2019/2019.04.24.TA505_Abusing_Legit_Remote_Admin_Tool)
* Apr 23 - [[Kaspersky] Operation ShadowHammer: a high-profile supply chain attack](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/) | [:closed_book:](../../blob/master/2019/2019.04.23.Operation_ShadowHammer)
* Apr 22 - [[CheckPoint] FINTEAM: Trojanized TeamViewer Against Government Targets](https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/) | [:closed_book:](../../blob/master/2019/2019.04.22.FINTEAM)
* Apr 19 - [[MalwareBytes] “Funky malware format” found in Ocean Lotus sample](https://blog.malwarebytes.com/threat-analysis/2019/04/funky-malware-format-found-in-ocean-lotus-sample/) | [:closed_book:](../../blob/master/2019/2019.04.19.Funky_malware_format)
* Apr 17 - [[Palo Alto Networks] Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign](https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/) | [:closed_book:](../../blob/master/2019/2019.04.17.Aggah_Campaign)
* Apr 17 - [[CISCO] DNS Hijacking Abuses Trust In Core Internet Service](https://blog.talosintelligence.com/2019/04/seaturtle.html) | [:closed_book:](../../blob/master/2019/2019.04.17.Operation_Sea_Turtle)
* Apr 10 - [[CheckPoint] The Muddy Waters of APT Attacks](https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/) | [:closed_book:](../../blob/master/2019/2019.04.10.Muddy_Waters)
* Apr 10 - [[Kaspersky] Project TajMahal – a sophisticated new APT framework](https://securelist.com/project-tajmahal/90240/) | [:closed_book:](../../blob/master/2019/2019.04.10.Project_TajMahal)
* Apr 10 - [[Kaspersky] Gaza Cybergang Group1, operation SneakyPastes](https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/) | [:closed_book:](../../blob/master/2019/2019.04.10.Operation_SneakyPastes)
* Apr 02 - [[Cylance] OceanLotus Steganography](https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html) | [:closed_book:](../../blob/master/2019/2019.04.02.OceanLotus_Steganography)
* Mar 28 - [[Trend Micro] Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole](https://blog.trendmicro.com/trendlabs-security-intelligence/desktop-mobile-phishing-campaign-targets-south-korean-websites-steals-credentials-via-watering-hole/) | [:closed_book:](../../blob/master/2019/2019.03.28.Desktop_Mobile_Phishing_Campaign)
* Mar 28 - [[C4ADS] Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria](https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5c99488beb39314c45e782da/1553549492554/Above+Us+Only+Stars.pdf) | [:closed_book:](../../blob/master/2019/2019.03.28.Exposing_GPS_Spoofing_in_Russia_and_Syria)
* Mar 28 - [[ThreatRecon] Threat Actor Group using UAC Bypass Module to run BAT File](https://threatrecon.nshc.net/2019/03/28/threat-actor-group-using-uac-bypass-module-to-run-bat-file/) | [:closed_book:](../../blob/master/2019/2019.03.28.UAC_Bypass_BAT_APT)
* Mar 27 - [[Symantec] Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.](https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage) | [:closed_book:](../../blob/master/2019/2019.03.27.Elfin)
* Mar 25 - [[Kaspersky] Operation ShadowHammer](https://securelist.com/operation-shadowhammer/89992/) | [:closed_book:](../../blob/master/2019/2019.03.25.Operation_ShadowHammer)
* Mar 22 - [[Netscout] LUCKY ELEPHANT CAMPAIGN MASQUERADING](https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading) | [:closed_book:](../../blob/master/2019/2019.03.22.LUCKY_ELEPHANT)
* Mar 13 - [[CISCO] GlitchPOS: New PoS malware for sale](https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html) | [:closed_book:](../../blob/master/2019/2019.03.13.GlitchPOS_POS_Malware)
* Mar 13 - [[FlashPoint] ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses](https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/) | [:closed_book:](../../blob/master/2019/2019.03.13.DMSniff_POS_Malware)
* Mar 13 - [[CheckPoint] Operation Sheep: Pilfer-Analytics SDK in Action](https://research.checkpoint.com/operation-sheep-pilfer-analytics-sdk-in-action/) | [:closed_book:](../../blob/master/2019/2019.03.13.Operation_Sheep)
* Mar 12 - [[Palo Alto Networks] Operation Comando: How to Run a Cheap and Effective Credit Card Business](https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/) | [:closed_book:](../../blob/master/2019/2019.03.12.Operation_Comando)
* Mar 11 - [[ESET] Gaming industry still in the scope of attackers in Asia](https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/) | [:closed_book:](../../blob/master/2019/2019.03.11.Gaming-Industry.Asia)
* Mar 08 - [[Resecurity] Supply Chain – The Major Target of Cyberespionage Groups](https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/) | [:closed_book:](../../blob/master/2019/2019.03.08.Supply_Chain_Groups)
* Mar 07 - [[Trend Micro] New SLUB Backdoor Uses GitHub, Communicates via Slack](https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/) | [:closed_book:](../../blob/master/2019/2019.03.07.SLUB_Backdoor)
* Mar 06 - [[Cybaze-Yoroi Z-LAB] Operation Pistacchietto](https://blog.yoroi.company/research/op-pistacchietto-an-italian-job/) | [:closed_book:](../../blob/master/2019/2019.03.06.Operation_Pistacchietto)
* Mar 06 - [[NTT] Targeted attack using Taidoor: Analysis report](https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1) | [:closed_book:](../../blob/master/2019/2019.03.06_Taidoor_Analysis)
* Mar 06 - [[Symantec] Whitefly: Espionage Group has Singapore in Its Sights](https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore) | [:closed_book:](../../blob/master/2019/2019.03.06.Whitefly)
* Mar 04 - [[FireEye] APT40: Examining a China-Nexus Espionage Actor](https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html) | [:closed_book:](../../blob/master/2019/2019.03.04.APT40)
* Feb 28 - [[Marco Ramilli] Ransomware, Trojan and Miner together against “PIK-Group”](https://marcoramilli.com/2019/02/28/ransomware-trojan-and-miner-together-against-pik-group/) | [:closed_book:](../../blob/master/2019/2019.02.28_RIK_Group)
* Feb 27 - [[Dell] A Peek into BRONZE UNION’s Toolbox](https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox) | [:closed_book:](../../blob/master/2019/2019.02.27.BRONZE_UNION_Toolbox)
* Feb 26 - [[Cybaze-Yoroi Z-LAB] The Arsenal Behind the Australian Parliament Hack](https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/) | [:closed_book:](../../blob/master/2019/2019.02.26.Australian_Parliament_Hack)
* Feb 25 - [[CarbonBlack] Defeating Compiler Level Obfuscations Used in APT10 Malware](https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/) | [:closed_book:](../../blob/master/2019/2019.02.25.APT10_Defeating_Compiler_Level)
* Feb 20 - [[SecureSoft] ATTACKS OF THE CYBERCRIMINAL LAZARUS GROUP DIRECTED AT ORGANIZATIONS IN RUSSIA IDENTIFIED](http://securitysummitperu.com/articulos/se-identifico-ataques-del-grupo-cibercriminal-lazarus-dirigidos-a-organizaciones-en-rusia/) | [:closed_book:](../../blob/master/2019/2019.02.20.LAZARUS_to_RUSSIA)
* Feb 18 - [[360] APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations](https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/) | [:closed_book:](../../blob/master/2019/2019.02.18.APT-C-36.Colombian)
* Feb 14 - [[360] Suspected Molerats' New Attack in the Middle East](https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/) | [:closed_book:](../../blob/master/2019/2019.02.14.Molerats_APT)
* Feb 06 - [[Recorded Future] APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign](https://www.recordedfuture.com/apt10-cyberespionage-campaign/) | [:closed_book:](../../blob/master/2019/2019.02.06.APT10_Sustained_Campaign)
* Feb 05 - [[Anomali] Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain?](https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain) | [:closed_book:](../../blob/master/2019/2019.02.05.China_India_APT_shared)
* Feb 01 - [[Palo Alto Networks] Tracking OceanLotus’ new Downloader, KerrDown](https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/) | [:closed_book:](../../blob/master/2019/2019.02.01.OceanLotus_KerrDown)
* Jan 30 - [[Kaspersky] Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities](https://securelist.com/chafer-used-remexi-malware/89538/) | [:closed_book:](../../blob/master/2019/2019.01.30.Chafer_APT_Spy_Iran)
* Jan 30 - [[NSHC] The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)](https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing) | [:closed_book:](../../blob/master/2019/2019.01.30.Operation_Kitty_Phishing)
* Jan 30 - [[Morphisec] NEW CAMPAIGN DELIVERS ORCUS RAT](http://blog.morphisec.com/new-campaign-delivering-orcus-rat) | [:closed_book:](../../blob/master/2019/2019.01.30.ORCUS_RAT)
* Jan 25 - [[LAB52] WIRTE Group attacking the Middle East](https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/) | [:closed_book:](../../blob/master/2019/2019.01.18.WIRTE_Group_attacking_the_Middle_East)
* Jan 24 - [[Carbon Black] GandCrab and Ursnif Campaign](https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/) | [:closed_book:](../../blob/master/2019/2019.01.24.GandCrab_and_Ursnif)
* Jan 18 - [[Palo Alto Networks] DarkHydrus delivers new Trojan that can use Google Drive for C2 communications](https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/) | [:closed_book:](../../blob/master/2019/2019.01.18.DarkHydrus)
* Jan 17 - [[Palo Alto Networks] Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products](https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/) | [:closed_book:](../../blob/master/2019/2019.01.17.Rocke_Group)
* Jan 16 - [[360] Latest Target Attack of DarkHydruns Group Against Middle East](https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/) | [:closed_book:](../../blob/master/2019/2019.01.16.DarkHydruns)

## 2018

* Dec 28 - [[Medium] Goblin Panda changes the dropper and reuses the old infrastructure](https://medium.com/@Sebdraven/goblin-panda-changes-the-dropper-and-reused-the-old-infrastructure-a35915f3e37a) | [:closed_book:](../../blob/master/2018/2018.12.28.Goblin_Panda)
* Dec 27 - [[Cybaze-Yoroi Z-LAB] The Enigmatic “Roma225” Campaign](https://blog.yoroi.company/research/the-enigmatic-roma225-campaign/) | [:closed_book:](../../blob/master/2018/2018.12.27.Roma225_Campaign)
* Dec 20 - [[Objective-See] Middle East Cyber-Espionage: analyzing WindShift's implant: OSX.WindTail](https://objective-see.com/blog/blog_0x3B.html) | [:closed_book:](../../blob/master/2018/2018.12.20.WindShift_Middle_East)
* Dec 18 - [[Trend Micro] URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader](https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/) | [:closed_book:](../../blob/master/2018/2018.12.18.ursnif-emotet-dridex-and-bitpaymer-gangs)
* Dec 13 - [[Certfa] The Return of The Charming Kitten](https://blog.certfa.com/posts/the-return-of-the-charming-kitten/) | [:closed_book:](../../blob/master/2018/2018.12.13.Charming_Kitten_Return)
* Dec 13 - [[Trend Micro] Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak](https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf) | [:closed_book:](../../blob/master/2018/2018.12.13.Tildeb_Shadow_Brokers)
* Dec 13 - [[Palo Alto Networks] Shamoon 3 Targets Oil and Gas Organization](https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/) | [:closed_book:](../../blob/master/2018/2018.12.13.Shamoon_3)
* Dec 12 - [[McAfee] ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf) | [:closed_book:](../../blob/master/2018/2018.12.12.Operation_Sharpshooter)
* Dec 12 - [[360] Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China](https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/) | [:closed_book:](../../blob/master/2018/2018.12.12.Donot_Group)
* Dec 11 - [[Cylance] Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure](https://threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html) | [:closed_book:](../../blob/master/2018/2018.12.11.Poking_the_Bear)
* Nov ?? - [[Google] The Hunt for 3ve](https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf) | [:closed_book:](../../blob/master/2018/2018.11.The_Hunt_for_3ve)
* Nov 30 - [[Trend Micro] New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools](https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/) | [:closed_book:](../../blob/master/2018/2018.11.30.MuddyWater_Turkey)
* Nov 29 - [[360] Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/) | [:closed_book:](../../blob/master/2018/2018.11.29.Attack_Pakistan_By_Exploiting_InPage)
* Nov 28 - [[Microsoft] Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/) | [:closed_book:](../../blob/master/2018/2018.11.28.Tropic_Trooper_microsoft)
* Nov 28 - [[Clearsky] MuddyWater Operations in Lebanon and Oman](https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf) | [:closed_book:](../../blob/master/2018/2018.11.28.MuddyWater-Operations-in-Lebanon-and-Oman)
* Nov 27 - [[CISCO] DNSpionage Campaign Targets Middle East](https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html) | [:closed_book:](../../blob/master/2018/2018.11.27.dnspionage-campaign-targets-middle-east)
* Nov 20 - [[Trend Micro] Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/) | [:closed_book:](../../blob/master/2018/2018.11.20.lazarus-in-latin-america)
* Nov 19 - [[FireEye] Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html) | [:closed_book:](../../blob/master/2018/2018.11.19.APT29_Phishing)
* Nov 13 - [[Recorded Future] Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques](https://go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf) | [:closed_book:](../../blob/master/2018/2018.11.13.China.TEMP.Periscope.Using.Russian_APT)
* Nov 08 - [[Symantec] FASTCash: How the Lazarus Group is Emptying Millions from ATMs](https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware) | [:closed_book:](../../blob/master/2018/2018.11.08.FASTCash)
* Nov 05 - [[Palo Alto Networks] Inception Attackers Target Europe with Year-old Office Vulnerability](https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/) | [:closed_book:](../../blob/master/2018/2018.11.05.Inception_Attackers_Target_Europe)
* Nov 01 - [[Trend Micro] Outlaw group: Perl-Based Shellbot Looks to Target Organizations via C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/perl-based-shellbot-looks-to-target-organizations-via-cc/) | [:closed_book:](../../blob/master/2018/2018.11.01_Outlaw_group)
* Oct 19 - [[Kaspersky] DarkPulsar](https://securelist.com/darkpulsar/88199/) | [:closed_book:](../../blob/master/2018/2018.10.19.DarkPulsar)
* Oct 18 - [[Medium] APT Sidewinder changes theirs TTPs to install their backdoor](https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739) | [:closed_book:](../../blob/master/2018/2018.10.18.APT_Sidewinder_changes)
* Oct 18 - [[CISCO] Tracking Tick Through Recent Campaigns Targeting East Asia](https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html) | [:closed_book:](../../blob/master/2018/2018.10.18.Datper_Bronze_Butler)
* Oct 18 - [[McAfee] Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf) | [:closed_book:](../../blob/master/2018/2018.10.18.Operation_Oceansalt)
* Oct 17 - [[Marco Ramilli] MartyMcFly Malware: Targeting Naval Industry](https://marcoramilli.com/2018/10/17/martymcfly-malware-targeting-naval-industry/) | [:closed_book:](../../blob/master/2018/2018.10.17_MartyMcFly_Targeting_Naval_Industry)
* Oct 17 - [[Cylance] The SpyRATs of OceanLotus: Malware Analysis White Paper](https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf) | [:closed_book:](../../blob/master/2018/2018.10.17.OceanLotus_SpyRATs)
* Oct 17 - [[ESET] GreyEnergy: Updated arsenal of one of the most dangerous threat actors](https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/) | [:closed_book:](../../blob/master/2018/2018.10.17.GreyEnergy)
* Oct 17 - [[Yoroi] Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)](https://blog.yoroi.company/?p=1829) | [:closed_book:](../../blob/master/2018/2018.10.17.Targeting_the_Naval_Industry)
* Oct 15 - [[Kaspersky] Octopus-infested seas of Central Asia](https://securelist.com/octopus-infested-seas-of-central-asia/88200/) | [:closed_book:](../../blob/master/2018/2018.10.15.Octopus_Central_Asia)
* Oct 11 - [[Symantec] Gallmaker: New Attack Group Eschews Malware to Live off the Land](https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group) | [:closed_book:](../../blob/master/2018/2018.10.11.Gallmaker)
* Oct 10 - [[Kaspersky] MuddyWater expands operations](https://securelist.com/muddywater/88059/) | [:closed_book:](../../blob/master/2018/2018.10.10.MuddyWater_expands)
* Oct 03 - [[FireEye] APT38: Details on New North Korean Regime-Backed Threat Group](https://content.fireeye.com/apt/rpt-apt38) | [:closed_book:](../../blob/master/2018/2018.10.03.APT38)
* Sep 27 - [[ESET] LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group](https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf) | [:closed_book:](../../blob/master/2018/2018.09.27.LoJax)
* Sep 20 - [[360] (Non-English) (CN) PoisonVine](https://ti.360.net/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf) | [:closed_book:](../../blob/master/2018/2018.09.20.Poison_Trumpet_Vine_Operation)
* Sep 19 - [[Antiy] (Non-English) (CN) Green Spot APT](https://www.antiy.cn/report-download/20180919.pdf) | [:closed_book:](../../blob/master/2018/2018.09.19.Green_Spot_APT)
* Sep 13 - [[FireEye] APT10 Targeting Japanese Corporations Using Updated TTPs](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) | [:closed_book:](../../blob/master/2018/2018.09.13.APT10_Targeting_Japanese)
* Sep 10 - [[Kaspersky] LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company](https://securelist.com/luckymouse-ndisproxy-driver/87914) | [:closed_book:](../../blob/master/2018/2018.09.07.Goblin_Panda_targets_Cambodia)
* Sep 07 - [[Volon] Targeted Attack on Indian Ministry of External Affairs using Crimson RAT](https://volon.io/2018/09/07/targeted-attack-on-indian-ministry-of-external-affairs-using-crimson-rat/) | [:closed_book:](../../blob/master/2018/2018.09.07.indian-ministry_crimson-rat)
* Sep 07 - [[CheckPoint] Domestic Kitten: An Iranian Surveillance Operation](https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/) | [:closed_book:](../../blob/master/2018/2018.09.07.Domestic_Kitten)
* Sep 07 - [[Medium] Goblin Panda targets Cambodia sharing capacities with another Chinese group hackers Temp Periscope](https://medium.com/@Sebdraven/goblin-panda-targets-cambodia-sharing-capacities-with-another-chinese-group-hackers-temp-periscope-7871382ffcc0) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Sep 04 - [[Palo Alto Networks] OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE](https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/) | [:closed_book:](../../blob/master/2018/2018.09.04.OilRig_Targets_Middle_Eastern)
* Sep 04 - [[Group-IB] Silence: Moving into the darkside](https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf) | [:closed_book:](../../blob/master/2018/2018.09.04.Silence)
* Aug 30 - [[MalwareBytes] Reversing malware in a custom format: Hidden Bee elements](https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/) | [:closed_book:](../../blob/master/2018/2018.08.30.Hidden_Bee_Custom_format)
* Aug 30 - [[CrowdStrike] Two Birds, One STONE PANDA](https://www.crowdstrike.com/blog/two-birds-one-stone-panda/) | [:closed_book:](../../blob/master/2018/2018.08.30.Stone_Panda)
* Aug 30 - [[Arbor] Double the Infection, Double the Fun](https://asert.arbornetworks.com/double-the-infection-double-the-fun/) | [:closed_book:](../../blob/master/2018/2018.08.30.Cobalt_Group_Fun)
* Aug 30 - [[Dark Matter] COMMSEC: The Trails of WINDSHIFT APT](https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf) | [:closed_book:](../../blob/master/2018/2018.08.30.WINDSHIFT_APT)
* Aug 29 - [[Trend Micro] The Urpage Connection to Bahamut, Confucius and Patchwork](https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/) | [:closed_book:](../../blob/master/2018/2018.08.29.Bahamut_Confucius_Patchwork)
* Aug 28 - [[CheckPoint] CeidPageLock: A Chinese RootKit](https://research.checkpoint.com/ceidpagelock-a-chinese-rootkit/) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Aug 23 - [[Kaspersky] Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware](https://securelist.com/operation-applejeus/87553/) | [:closed_book:](../../blob/master/2018/2018.08.23.Operation_AppleJeus)
* Aug 21 - [[ESET] TURLA OUTLOOK BACKDOOR](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 21 - [[Trend Micro] Supply Chain Attack Operation Red Signature Targets South Korean Organizations](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 16 - [[Recorded Future] Chinese Cyberespionage Originating From Tsinghua University Infrastructure](https://go.recordedfuture.com/hubfs/reports/cta-2018-0816.pdf) | [:closed_book:](../../blob/master/2018/2018.08.16.Chinese_Cyberespionage_Tsinghua_University)
* Aug 09 - [[McAfee] Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families](https://securingtomorrow.mcafee.com/mcafee-labs/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-malware-families/) | [:closed_book:](../../blob/master/2018/2018.08.09.north-koreas-malware-families)
* Aug 02 - [[Accenture] Goldfin Security Alert](https://www.accenture.com/us-en/blogs/blogs-goldfin-security-alert) | [:closed_book:](../../blob/master/2018/2018.08.02.Goldfin_Security_Alert)
* Aug 02 - [[Palo Alto Networks] The Gorgon Group: Slithering Between Nation State and Cybercrime](https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/) | [:closed_book:](../../blob/master/2018/2018.08.02.Gorgon_Group)
* Aug 02 - [[Medium] Goblin Panda against the Bears](https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4) | [:closed_book:](../../blob/master/2018/2018.08.02.Goblin_Panda)
* Aug 01 - [[Medium] Malicious document targets Vietnamese officials](https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a) | [:closed_book:](../../blob/master/2018/2018.08.01.Vietnamese_officials_Targets)
* Jul 31 - [[Palo Alto Networks] Bisonal Malware Used in Attacks Against Russia and South Korea](https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/) | [:closed_book:](../../blob/master/2018/2018.07.31.bisonal-malware-used-attacks-russia-south-korea)
* Jul 31 - [[Medium] Malicious document targets Vietnamese officials](https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a) | [:closed_book:](../../blob/master/2018/2018.07.31.APT_SideWinder_Malicious_Doc)
* Jul 27 - [[Palo Alto Networks] New Threat Actor Group DarkHydrus Targets Middle East Government](https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/) | [:closed_book:](../../blob/master/2018/2018.07.27.DarkHydrus)
* Jul 23 - [[CSE] APT27: A long-term espionage campaign in Syria](http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf) | [:closed_book:](../../blob/master/2018/2018.07.23_APT27_Syria)
* Jul 16 - [[Trend Micro] New Andariel Reconnaissance Tactics Hint At Next Targets](https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/) | [:closed_book:](../../blob/master/2018/2018.07.16.new-andariel)
* Jul 13 - [[CSE] Operation Roman Holiday – Hunting the Russian APT28 group](http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf) | [:closed_book:](../../blob/master/2018/2018.07.13.Operation_Roman_Holiday)
* Jul 12 - [[CISCO] Advanced Mobile Malware Campaign in India uses Malicious MDM](https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html) | [:closed_book:](../../blob/master/2018/2018.07.12.Advanced_Mobile_Malware_Campaign_in_India)
* Jul 09 - [[ESET] Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign](https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/) | [:closed_book:](../../blob/master/2018/2018.07.09.certificates-stolen-taiwanese-tech-companies-plead-malware-campaign)
* Jul 08 - [[CheckPoint] APT Attack In the Middle East: The Big Bang](https://research.checkpoint.com/apt-attack-middle-east-big-bang/) | [:closed_book:](../../blob/master/2018/2018.07.08.Big_Bang)
* Jul 08 - [[Fortinet] Hussarini – Targeted Cyber Attack in the Philippines](https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html) | [:closed_book:](../../blob/master/2018/2018.07.08.Hussarini)
* Jun XX - [[Ahnlab] Operation Red Gambler](http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf) | [:closed_book:](../../blob/master/2018/2018.06.xx.Operation_Red_Gambler)
* Jun 26 - [[Palo Alto Networks] RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families](https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/) | [:closed_book:](../../blob/master/2018/2018.06.26.RANCOR)
* Jun 23 - [[Ahnlab] Full Discloser of Andariel, A Subgroup of Lazarus Threat Group](https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf) | [:closed_book:](../../blob/master/2018/2018.06.23.Andariel_Group)
* Jun 22 - [[Palo Alto Networks] Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems](https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/) | [:closed_book:](../../blob/master/2018/2018.06.22.Iick.Group-weaponized-secure-usb)
* Jun 20 - [[Symantec] Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies](https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets) | [:closed_book:](../../blob/master/2018/2018.06.20.thrip-hits-satellite-telecoms-defense-targets)
* Jun 19 - [[Kaspersky] Olympic Destroyer is still alive](https://securelist.com/olympic-destroyer-is-still-alive/86169/) | [:closed_book:](../../blob/master/2018/2018.06.19.olympic-destroyer-is-still-alive)
* Jun 15 - [[CrowdStrike] Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA](https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/) | [:closed_book:](../../blob/master/2018/2018.06.15.Mustang_Panda)
* Jun 14 - [[Trend Micro] Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor](https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/) | [:closed_book:](../../blob/master/2018/2018.06.14.another-potential-muddywater-campaign)
* Jun 14 - [[Intezer] MirageFox: APT15 Resurfaces With New Tools Based On Old Ones](https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/) | [:closed_book:](../../blob/master/2018/2018.06.14.MirageFox_APT15)
* Jun 13 - [[Kaspersky] LuckyMouse hits national data center to organize country-level waterholing campaign](https://securelist.com/luckymouse-hits-national-data-center/86083/) | [:closed_book:](../../blob/master/2018/2018.06.13.LuckyMouse)
* Jun 07 - [[Volexity] Patchwork APT Group Targets 
US Think Tanks](https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/) | [:closed_book:](../../blob/master/2018/2018.06.07.patchwork-apt-group-targets-us-think-tanks) * Jun 07 - [[ICEBRG] ADOBE FLASH ZERO-DAY LEVERAGED FOR TARGETED ATTACK IN MIDDLE EAST](https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack) | [:closed_book:](../../blob/master/2018/2018.06.07.dobe-flash-zero-day-targeted-attack) * Jun 07 - [[FireEye] A Totally Tubular Treatise on TRITON and TriStation](https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html) | [:closed_book:](../../blob/master/2018/2018.06.07.Totally_Tubular_Treatise_on_TRITON_TriStation) * Jun 06 - [[CISCO] VPNFilter Update - VPNFilter exploits endpoints, targets new devices](https://blog.talosintelligence.com/2018/06/vpnfilter-update.html) | [:closed_book:](../../blob/master/2018/2018.06.06.vpnfilter-update) * Jun 06 - [[GuardiCore] OPERATION PROWLI: MONETIZING 40,000 VICTIM MACHINES](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/) | [:closed_book:](../../blob/master/2018/2018.06.06.OPERATION_PROWLI) * Jun 06 - [[Palo Alto Networks] Sofacy Group’s Parallel Attacks](https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/) | [:closed_book:](../../blob/master/2018/2018.06.06.sofacy-groups-parallel-attacks) * May 31 - [[CISCO] NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea](https://blog.talosintelligence.com/2018/05/navrat.html) | [:closed_book:](../../blob/master/2018/2018.03.31.NavRAT_Uses_US-North_Korea_Summit_As_Decoy) * May 29 - [[intezer] Iron Cybercrime Group Under The Scope](https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/) | [:closed_book:](../../blob/master/2018/2018.05.29.iron-cybercrime-group) * May 23 - [[CISCO] New VPNFilter malware targets at least 500K networking devices 
worldwide](https://blog.talosintelligence.com/2018/05/VPNFilter.html) | [:closed_book:](../../blob/master/2018/2018.05.23.New_VPNFilter) * May 23 - [[Ahnlab] Andariel Group Trend Report](http://download.ahnlab.com/kr/site/library/[Report]Andariel_Threat_Group.pdf) | [:closed_book:](../../blob/master/2018/2018.05.23.Andariel_Group) * May 23 - [[Trend Micro] Confucius Update: New Tools and Techniques, Further Connections with Patchwork](https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/) | [:closed_book:](../../blob/master/2018/2018.05.23.Confucius_Update) * May 22 - [[Intrusiontruth] The destruction of APT3](https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/) | [:closed_book:](../../blob/master/2018/2018.05.22.The_destruction_of_APT3) * May 22 - [[ESET] Turla Mosquito: A shift towards more generic tools](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/) | [:closed_book:](../../blob/master/2018/2018.05.22.Turla_Mosquito) * May 09 - [[Recorded Future] Iran’s Hacker Hierarchy Exposed](https://go.recordedfuture.com/hubfs/reports/cta-2018-0509.pdf) | [:closed_book:](../../blob/master/2018/2018.05.09.Iran_Hacker_Hierarchy_Exposed) * May 09 - [[360] Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack](http://blogs.360.cn/blog/cve-2018-8174-en/) | [:closed_book:](../../blob/master/2018/2018.05.09.APT-C-06_CVE-2018-8174) * May 03 - [[ProtectWise] Burning Umbrella](https://github.com/401trg/detections/raw/master/pdfs/20180503_Burning_Umbrella.pdf) | [:closed_book:](../../blob/master/2018/2018.05.03.Burning_Umbrella) * May 03 - [[Kaspersky] Who’s who in the Zoo: Cyberespionage operation targets Android users in the Middle East](https://securelist.com/whos-who-in-the-zoo/85394/) | [:closed_book:](../../blob/master/2018/2018.05.03.whos-who-in-the-zoo) * May 03 - [[Ahnlab] Detailed Analysis of Red 
Eyes Hacking Group](https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]%20Red_Eyes_Hacking_Group_Report%20(1).pdf) | [:closed_book:](../../blob/master/2018/2018.05.03.Red_Eyes_Hacking_Group) * Apr 27 - [[Tencent] OceanLotus new malware analysis](https://s.tencent.com/research/report/471.html) | [:closed_book:](../../blob/master/2018/2018.04.27.OceanLotus_new_malware) * Apr 26 - [[CISCO] GravityRAT - The Two-Year Evolution Of An APT Targeting India](https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html) | [:closed_book:](../../blob/master/2018/2018.04.26.GravityRAT) * Apr 24 - [[FireEye] Metamorfo Campaigns Targeting Brazilian Users](https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html) | [:closed_book:](../../blob/master/2018/2018.04.24.metamorfo-campaign) * Apr 24 - [[McAfee] Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide](https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/) | [:closed_book:](../../blob/master/2018/2018.04.24.Operation_GhostSecret) * Apr 24 - [[ESET] Sednit update: Analysis of Zebrocy](https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/) | [:closed_book:](../../blob/master/2018/2018.04.24.sednit-update-analysis-zebrocy) * Apr 23 - [[Accenture] HOGFISH REDLEAVES CAMPAIGN](https://www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf) | [:closed_book:](../../blob/master/2018/2018.04.23.HOGFISH_REDLEAVES_CAMPAIGN) * Apr 23 - [[Symantec] New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia](https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia) | [:closed_book:](../../blob/master/2018/2018.04.23.New_Orangeworm) * Apr 23 - [[Kaspersky] Energetic Bear/Crouching Yeti: attacks on 
servers](https://securelist.com/energetic-bear-crouching-yeti/85345/) | [:closed_book:](../../blob/master/2018/2018.04.23.energetic-bear-crouching-yeti) * Apr 17 - [[NCCGroup] Decoding network data from a Gh0st RAT variant](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant) | [:closed_book:](../../blob/master/2018/2018.04.17.Iron_Tiger_Gh0st_RAT_variant) * Apr 12 - [[Kaspersky] Operation Parliament, who is doing what?](https://securelist.com/operation-parliament-who-is-doing-what/85237/) | [:closed_book:](../../blob/master/2018/2018.04.12.operation-parliament) * Apr 04 - [[Trend Micro] New MacOS Backdoor Linked to OceanLotus Found](https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/) | [:closed_book:](../../blob/master/2018/2018.04.04.MacOS_Backdoor_OceanLotus) * Mar 29 - [[Trend Micro] ChessMaster Adds Updated Tools to Its Arsenal](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/) | [:closed_book:](../../blob/master/2018/2018.03.29.ChessMaster_Adds_Updated_Tools) * Mar 27 - [[Arbor] Panda Banker Zeros in on Japanese Targets](https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/) | [:closed_book:](../../blob/master/2018/2018.03.27.panda-banker-zeros-in-on-japanese-targets) * Mar 23 - [[Ahnlab] Targeted Attacks on South Korean Organizations](http://global.ahnlab.com/global/upload/download/techreport/Tech_Report_Malicious_Hancom.pdf) | [:closed_book:](../../blob/master/2018/2018.03.23.Targeted_Attacks_on_South_Korean_Organizations) * Mar 15 - [[US-CERT] Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors](https://www.us-cert.gov/ncas/alerts/TA18-074A) | [:closed_book:](../../blob/master/2018/2018.03.15.Russian_Government_Cyber_Activity_TA18-074A) * Mar 14 - [[Symantec] Inception Framework: Alive and Well, and 
Hiding Behind Proxies](https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies) | [:closed_book:](../../blob/master/2018/2018.03.14.Inception_Framework) * Mar 14 - [[Trend Micro] Tropic Trooper’s New Strategy](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/) | [:closed_book:](../../blob/master/2018/2018.03.14.tropic-trooper-new-strategy) * Mar 13 - [[FireEye] Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html) | [:closed_book:](../../blob/master/2018/2018.03.13.Iranian-threat-group) * Mar 13 - [[Kaspersky] Time of death? A therapeutic postmortem of connected medicine](https://securelist.com/time-of-death-connected-medicine/84315/) | [:closed_book:](../../blob/master/2018/2018.03.13.A_therapeutic_postmortem_of_connected_medicine) * Mar 13 - [[Proofpoint] Drive-by as a service: BlackTDS](https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds) | [:closed_book:](../../blob/master/2018/2018.03.13.BlackTDS) * Mar 13 - [[ESET] OceanLotus: Old techniques, new backdoor](https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf) | [:closed_book:](../../blob/master/2018/2018.03.13.OceanLotus_Old_techniques_new_backdoor) * Mar 12 - [[Trend Micro] Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia](https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/) | [:closed_book:](../../blob/master/2018/2018.03.12.MuddyWater_Middle_East_and_Central_Asia) * Mar 09 - [[CitizenLab] BAD TRAFFIC Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate 
Ads?](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/) | [:closed_book:](../../blob/master/2018/2018.03.09.Sandvine_PacketLogic_Devices_APT) * Mar 09 - [[Kaspersky] Masha and these Bears 2018 Sofacy Activity](https://securelist.com/masha-and-these-bears/84311/) | [:closed_book:](../../blob/master/2018/2018.03.09.masha-and-these-bears) * Mar 09 - [[NCC] APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/?Year=2018&Month=3) | [:closed_book:](../../blob/master/2018/2018.03.09.APT15_is_alive_and_strong) * Mar 09 - [[ESET] New traces of Hacking Team in the wild](https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/) | [:closed_book:](../../blob/master/2018/2018.03.09.new-traces-hacking-team-wild) * Mar 08 - [[McAfee] Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant](https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/) | [:closed_book:](../../blob/master/2018/2018.03.08.hidden-cobra-targets-turkish-financial) * Mar 08 - [[Kaspersky] OlympicDestroyer is here to trick the industry](https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/) | [:closed_book:](../../blob/master/2018/2018.03.08.olympicdestroyer-is-here-to-trick-the-industry) * Mar 08 - [[Arbor] Donot Team Leverages New Modular Malware Framework in South Asia](https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/) | [:closed_book:](../../blob/master/2018/2018.03.08.donot-team-leverages-new-modular) * Mar 08 - [[Crysys] Territorial Dispute – NSA’s perspective on APT landscape](https://www.crysys.hu/files/tedi/ukatemicrysys_territorialdispute.pdf) | [:closed_book:](../../blob/master/2018/2018.03.08.Territorial_Dispute) * Mar 07 - 
[[Palo Alto Networks] Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent](https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/) | [:closed_book:](../../blob/master/2018/2018.03.07.patchwork-continues-deliver-badnews-indian-subcontinent) * Mar 06 - [[Kaspersky] The Slingshot APT](https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf) | [:closed_book:](../../blob/master/2018/2018.03.06.The-Slingshot-APT) * Mar 05 - [[Palo Alto Networks] Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency](https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/) | [:closed_book:](../../blob/master/2018/2018.03.05.New_ComboJack_Malware) * Mar 02 - [[McAfee] McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups](https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/) | [:closed_book:](../../blob/master/2018/2018.03.02.Operation_Honeybee) * Mar 01 - [[Security 0wnage] A Quick Dip into MuddyWater's Recent Activity](https://sec0wn.blogspot.tw/2018/03/a-quick-dip-into-muddywaters-recent.html) | [:closed_book:](../../blob/master/2018/2018.03.01.a-quick-dip-into-muddywaters-recent) * Feb 28 - [[Palo Alto Networks] Sofacy Attacks Multiple Government Entities](https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/) | [:closed_book:](../../blob/master/2018/2018.02.28.sofacy-attacks-multiple-government-entities) * Feb 28 - [[Symantec] Chafer: Latest Attacks Reveal Heightened Ambitions](https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions) | 
[:closed_book:](../../blob/master/2018/2018.02.28.Chafer_Latest_Attacks_Reveal) * Feb 21 - [[Avast] Avast tracks down Tempting Cedar Spyware](https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware) | [:closed_book:](../../blob/master/2018/2018.02.21.Tempting_Cedar) * Feb 20 - [[Arbor] Musical Chairs Playing Tetris](https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/) | [:closed_book:](../../blob/master/2018/2018.02.20.musical-chairs-playing-tetris) * Feb 20 - [[Kaspersky] A Slice of 2017 Sofacy Activity](https://securelist.com/a-slice-of-2017-sofacy-activity/83930/) | [:closed_book:](../../blob/master/2018/2018.02.20.a-slice-of-2017-sofacy-activity) * Feb 20 - [[FireEye] APT37 (Reaper): The Overlooked North Korean Actor](https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf) | [:closed_book:](../../blob/master/2018/2018.02.20.APT37) * Feb 13 - [[Trend Micro] Deciphering Confucius’ Cyberespionage Operations](https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/) | [:closed_book:](../../blob/master/2018/2018.02.13.deciphering-confucius) * Feb 13 - [[RSA] Lotus Blossom Continues ASEAN Targeting](https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting) | [:closed_book:](../../blob/master/2018/2018.02.13.Lotus-Blossom-Continues) * Feb 07 - [[CISCO] Targeted Attacks In The Middle East](http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html) | [:closed_book:](../../blob/master/2018/2018.02.07.targeted-attacks-in-middle-east_VBS_CAMPAIGN) * Feb 02 - [[McAfee] Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems](https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/) | [:closed_book:](../../blob/master/2018/2018.02.02.gold-dragon-widens-olympics-malware) * Jan 30 - [[Palo Alto Networks] 
Comnie Continues to Target Organizations in East Asia](https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/) | [:closed_book:](../../blob/master/2018/2018.01.31.Comnie_Continues_to_Target_Organizations_in_East_Asia) * Jan 30 - [[RSA] APT32 Continues ASEAN Targeting](https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting) | [:closed_book:](../../blob/master/2018/2018.01.30.APT32_Continues_ASEAN_Targeting) * Jan 29 - [[Trend Micro] Hacking Group Spies on Android Users in India Using PoriewSpy](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-group-spies-android-users-india-using-poriewspy/) | [:closed_book:](../../blob/master/2018/2018.01.29.PoriewSpy.India) * Jan 29 - [[Palo Alto Networks] VERMIN: Quasar RAT and Custom Malware Used In Ukraine](https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/) | [:closed_book:](../../blob/master/2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine) * Jan 27 - [[Accenture] DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES](https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf) | [:closed_book:](../../blob/master/2018/2018.01.27.DRAGONFISH) * Jan 26 - [[Palo Alto Networks] The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services](https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/) | [:closed_book:](../../blob/master/2018/2018.01.26.TopHat_Campaign) * Jan 25 - [[Palo Alto Networks] OilRig uses RGDoor IIS Backdoor on Targets in the Middle East](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/) | 
[:closed_book:](../../blob/master/2018/2018.01.25.oilrig_Middle_East) * Jan 24 - [[Trend Micro] Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/) | [:closed_book:](../../blob/master/2018/2018.01.24.lazarus-campaign-targeting-cryptocurrencies) * Jan 18 - [[NCSC] Turla group update Neuron malware](https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20Neuron%20Malware%20Update.pdf) | [:closed_book:](../../blob/master/2018/2018.01.18.Turla_group_update_Neuron_malware) * Jan 17 - [[Lookout] Dark Caracal](https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf) | [:closed_book:](../../blob/master/2018/2018.01.18.Dark_Caracal) * Jan 16 - [[Kaspersky] Skygofree: Following in the footsteps of HackingTeam](https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/) | [:closed_book:](../../blob/master/2018/2018.01.16.skygofree) * Jan 16 - [[Recorded Future] North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign](https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/) | [:closed_book:](../../blob/master/2018/2018.01.16.north-korea-cryptocurrency-campaign) * Jan 16 - [[CISCO] Korea In The Crosshairs](http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html) | [:closed_book:](../../blob/master/2018/2018.01.16.korea-in-crosshairs) * Jan 15 - [[Trend Micro] New KillDisk Variant Hits Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/) | [:closed_book:](../../blob/master/2018/2018.01.15.new-killdisk-variant-hits-financial-organizations-in-latin-america) * Jan 12 - [[Trend Micro] Update on Pawn Storm: New Targets and 
Politically Motivated Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork) | [:closed_book:](../../blob/master/2018/2018.01.12.update-pawn-storm-new-targets-politically) * Jan 11 - [[McAfee] North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk](https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalists-targeted-using-social-networks-kakaotalk/) | [:closed_book:](../../blob/master/2018/2018.01.11.North_Korean_Defectors_and_Journalists_Targeted) * Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [:closed_book:](../../blob/master/2018/2018.01.09.Turla_Mosquito) * Jan 06 - [[McAfee] Malicious Document Targets Pyeongchang Olympics](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) | [:closed_book:](../../blob/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics) * Jan 04 - [[Carnegie] Iran’s Cyber Threat: Espionage, Sabotage, and Revenge](http://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf) | [:closed_book:](../../blob/master/2018/2018.01.04.Iran_Cyber_Threat_Carnegie) ## 2017 * Dec 19 - [[Proofpoint] North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group](https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new) | [:closed_book:](../../blob/master/2017/2017.12.19.North_Korea_Bitten_by_Bitcoin_Bug) * Dec 17 - [[McAfee] Operation Dragonfly Analysis Suggests Links to Earlier Attacks](https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/) | 
[:closed_book:](../../blob/master/2017/2017.12.17.operation-dragonfly-analysis-suggests-links-to-earlier-attacks) * Dec 14 - [[FireEye] Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure](https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html) | [:closed_book:](../../blob/master/2017/2017.12.14.attackers-deploy-new-ics-attack-framework-triton) * Dec 11 - [[Group-IB] MoneyTaker, revealed after 1.5 years of silent operations.](https://www.group-ib.com/resources/reports/money-taker.html) | [:closed_book:](../../blob/master/2017/2017.12.11.MoneyTaker) * Dec 11 - [[Trend Micro] Untangling the Patchwork Cyberespionage Group](http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/) | [:closed_book:](../../blob/master/2017/2017.12.11.Patchwork_APT) * Dec 07 - [[FireEye] New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit](https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html) | [:closed_book:](../../blob/master/2017/2017.12.07.New_Targeted_Attack_in_the_Middle_East_by_APT34) * Dec 05 - [[ClearSky] Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets – And the HBO Hacker Connection](http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf) | [:closed_book:](../../blob/master/2017/2017.12.05.Charming_Kitten) * Dec 04 - [[RSA] The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion](https://community.rsa.com/community/products/netwitness/blog/2017/12/04/anatomy-of-an-attack-carbanak) | [:closed_book:](../../blob/master/2017/2017.12.04.The_Shadows_of_Ghosts) * Nov 22 - [[REAQTA] A dive into MuddyWater APT targeting Middle-East](https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/) | 
[:closed_book:](../../blob/master/2017/2017.11.22.MuddyWater_APT) * Nov 14 - [[Palo Alto Networks] Muddying the Water: Targeted Attacks in the Middle East](https://researchcenter.paloaltonetworks.com/2017/11/2017.11.14.Muddying_the_Water) | [:closed_book:](../../blob/master/2017/2017.11.14.Muddying_the_Water) * Nov 10 - [[Palo Alto Networks] New Malware with Ties to SunOrcal Discovered](https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/) | [:closed_book:](../../blob/master/2017/2017.11.10.New_Malware_with_Ties_to_SunOrcal_Discovered) * Nov 07 - [[McAfee] Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack](https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/#sf151634298) | [:closed_book:](../../blob/master/2017/2017.11.07.APT28_Slips_Office_Malware) * Nov 07 - [[Symantec] Sowbug: Cyber espionage group targets South American and Southeast Asian governments](https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments) | [:closed_book:](../../blob/master/2017/2017.11.07.sowbug-cyber-espionage-group-targets) * Nov 06 - [[Trend Micro] ChessMaster’s New Strategy: Evolving Tools and Tactics](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) | [:closed_book:](../../blob/master/2017/2017.11.06.ChessMaster_New_Strategy) * Nov 06 - [[Volexity] OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/) | [:closed_book:](../../blob/master/2017/2017.11.06.oceanlotus-blossoms) * Nov 02 - [[Palo Alto Networks] Recent InPage Exploits Lead to Multiple Malware 
Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/) | [:closed_book:](../../blob/master/2017/2017.11.02.InPage_Exploits) * Nov 02 - [[PwC] The KeyBoys are back in town](http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html) | [:closed_book:](../../blob/master/2017/2017.11.02.KeyBoys_are_back) * Nov 02 - [[Clearsky] LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America](http://www.clearskysec.com/leetmx/) | [:closed_book:](../../blob/master/2017/2017.11.02.LeetMX) * Nov 02 - [[RISKIQ] New Insights into Energetic Bear’s Watering Hole Attacks on Turkish Critical Infrastructure](https://www.riskiq.com/blog/labs/energetic-bear/) | [:closed_book:](../../blob/master/2017/2017.11.02.Energetic_Bear_on_Turkish_Critical_Infrastructure) * Oct 31 - [[Cybereason] Night of the Devil: Ransomware or wiper? A look into targeted attacks in Japan using MBR-ONI](https://www.cybereason.com/blog/night-of-the-devil-ransomware-or-wiper-a-look-into-targeted-attacks-in-japan) | [:closed_book:](../../blob/master/2017/2017.10.31.MBR-ONI.Japan) * Oct 30 - [[Kaspersky] Gaza Cybergang – updated activity in 2017](https://securelist.com/gaza-cybergang-updated-2017-activity/82765/) | [:closed_book:](../../blob/master/2017/2017.10.30.Gaza_Cybergang) * Oct 27 - [[Bellingcat] Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia](https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/) | [:closed_book:](../../blob/master/2017/2017.10.27.bahamut-revisited) * Oct 24 - [[ClearSky] Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies](http://www.clearskysec.com/greenbug/) | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II) * Oct 19 - [[Bitdefender] Operation 
PZCHAO](https://download.bitdefender.com/resources/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf) | [:closed_book:](../../blob/master/2017/2017.10.19.Operation_PZCHAO)
* Oct 16 - [[BAE Systems] Taiwan Heist: Lazarus Tools And Ransomware](https://baesystemsai.blogspot.kr/2017/10/taiwan-heist-lazarus-tools.html) | [:closed_book:](../../blob/master/2017/2017.10.16.Taiwan-Heist)
* Oct 16 - [[Kaspersky] BlackOasis APT and new targeted attacks leveraging zero-day exploit](https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/) | [:closed_book:](../../blob/master/2017/2017.10.16.BlackOasis_APT)
* Oct 16 - [[Proofpoint] Leviathan: Espionage actor spearphishes maritime and defense targets](https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets) | [:closed_book:](../../blob/master/2017/2017.10.16.Leviathan)
* Oct 12 - [[Dell] BRONZE BUTLER Targets Japanese Enterprises](https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses) | [:closed_book:](../../blob/master/2017/2017.10.12.BRONZE_BUTLER)
* Oct 10 - [[Trustwave] Post Soviet Bank Heists](https://www.trustwave.com/Resources/Library/Documents/Post-Soviet-Bank-Heists/) | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 02 - [[intezer] Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers]() | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Sep XX - [[MITRE] APT3 Adversary Emulation Plan](https://attack.mitre.org/w/img_auth.php/6/6c/APT3_Adversary_Emulation_Plan.pdf) | [:closed_book:](../../blob/master/2017/2017.09.XX.APT3_Adversary_Emulation_Plan)
* Sep 28 - [[Palo Alto Networks] Threat Actors Target Government of Belarus Using CMSTAR Trojan](https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/) | [:closed_book:](../../blob/master/2017/2017.09.28.Belarus_CMSTAR_Trojan)
* Sep 20 - [[intezer] Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner](http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/) | [:closed_book:](../../blob/master/2017/2017.09.20.Aurora_Operation_CCleaner)
* Sep 20 - [[FireEye] Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware](https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html) | [:closed_book:](../../blob/master/2017/2017.09.20.apt33-insights-into-iranian-cyber-espionage)
* Sep 20 - [[CISCO] CCleaner Command and Control Causes Concern](http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) | [:closed_book:](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[CISCO] CCleanup: A Vast Number of Machines at Risk](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | [:closed_book:](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[Kaspersky] An (un)documented Word feature abused by attackers](https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/) | [:closed_book:](../../blob/master/2017/2017.09.18.Windows_branch_of_the_Cloud_Atlas)
* Sep 12 - [[FireEye] FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html) | [:closed_book:](../../blob/master/2017/2017.09.12.FINSPY_CVE-2017-8759)
* Sep 06 - [[Symantec] Dragonfly: Western energy sector targeted by sophisticated attack group](https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group) | [:closed_book:](../../blob/master/2017/2017.09.06.dragonfly-western-energy-sector-targeted-sophisticated-attack-group)
* Sep 06 - [[Treadstone 71] Intelligence Games in the Power Grid](https://treadstone71llc.files.wordpress.com/2017/09/intelligence-games-in-the-power-grid-2016.pdf) | [:closed_book:](../../blob/master/2017/2017.09.06.intelligence-games-in-the-power-grid-2016)
* Aug 30 - [[ESET] Gazing at Gazer: Turla’s new second stage backdoor](https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/) | [:closed_book:](../../blob/master/2017/2017.08.30.Gazing_at_Gazer)
* Aug 30 - [[Kaspersky] Introducing WhiteBear](https://securelist.com/introducing-whitebear/81638/) | [:closed_book:](../../blob/master/2017/2017.08.30.Introducing_WhiteBear)
* Aug 25 - [[Proofpoint] Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures](https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures) | [:closed_book:](../../blob/master/2017/2017.08.25.operation-rat-cook)
* Aug 18 - [[RSA] Russian Bank Offices Hit with Broad Phishing Wave](https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-bank-offices-hit-with-broad-phishing-wave) | [:closed_book:](../../blob/master/2017/2017.08.18.Russian_Bank_Offices_Hit)
* Aug 17 - [[Proofpoint] Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack](https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack) | [:closed_book:](../../blob/master/2017/2017.08.17.turla-apt-actor-refreshes-kopiluwak-javascript-backdoor)
* Aug 15 - [[Palo Alto Networks] The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure](https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/) | [:closed_book:](../../blob/master/2017/2017.08.15.Notepad_and_Chthonic)
* Aug 11 - [[FireEye] APT28 Targets Hospitality Sector, Presents Threat to Travelers](https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html) | [:closed_book:](../../blob/master/2017/2017.08.11.apt28-targets-hospitality-sector)
* Aug 08 - [[Kaspersky] APT Trends report Q2 2017](https://securelist.com/apt-trends-report-q2-2017/79332/) | [:closed_book:](../../blob/master/2017/2017.08.08.APT_Trends_Report_2017Q2)
* Aug 01 - [[Positive Research] Cobalt strikes back: an evolving multinational threat to finance](http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.html) | [:closed_book:](../../blob/master/2017/2017.08.01.cobalt-group-2017-cobalt-strikes-back)
* Jul 27 - [[Trend Micro] ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) | [:closed_book:](../../blob/master/2017/2017.07.27.chessmaster-cyber-espionage-campaign)
* Jul 27 - [[Palo Alto Networks] OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group](https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/) | [:closed_book:](../../blob/master/2017/2017.07.27.oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group)
* Jul 27 - [[Clearsky, Trend Micro] Operation Wilted Tulip](http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf) | [:closed_book:](../../blob/master/2017/2017.07.27.Operation_Wilted_Tulip)
* Jul 24 - [[Palo Alto Networks] “Tick” Group Continues Attacks](https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/) | [:closed_book:](../../blob/master/2017/2017.07.24.Tick_group)
* Jul 18 - [[Clearsky] Recent Winnti Infrastructure and Samples](http://www.clearskysec.com/winnti/) | [:closed_book:](../../blob/master/2017/2017.07.18.winnti)
* Jul 18 - [[Bitdefender] Inexsmar: An unusual DarkHotel campaign](https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/) | [:closed_book:](../../blob/master/2017/2017.07.18.Inexsmar)
* Jul 11 - [[ProtectWise] Winnti Evolution - Going Open Source](https://www.protectwise.com/blog/winnti-evolution-going-open-source.html) | [:closed_book:](../../blob/master/2017/2017.07.11.winnti-evolution-going-open-source)
* Jul 10 - [[Trend Micro] OSX Malware Linked to Operation Emmental Hijacks User Network Traffic](http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/) | [:closed_book:](../../blob/master/2017/2017.07.10.osx_dok-mac-malware-emmental-hijacks-user-network-traffic)
* Jul 06 - [[Malware Party] Operation Desert Eagle](http://mymalwareparty.blogspot.tw/2017/07/operation-desert-eagle.html) | [:closed_book:](../../blob/master/2017/2017.07.06.Operation_Desert_Eagle)
* Jul 05 - [[Citizen Lab] Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | [:closed_book:](../../blob/master/2017/2017.07.05.insider-information)
* Jun 30 - [[ESET] TeleBots are back: supply-chain attacks against Ukraine](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/) | [:closed_book:](../../blob/master/2017/2017.06.30.telebots-back-supply-chain)
* Jun 30 - [[Kaspersky] From BlackEnergy to ExPetr](https://securelist.com/from-blackenergy-to-expetr/78937/) | [:closed_book:](../../blob/master/2017/2017.06.30.From_BlackEnergy_to_ExPetr)
* Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [:closed_book:](../../blob/master/2017/2017.06.26.Threat_Group-4127)
* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [:closed_book:](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)
* Jun 22 - [[Trend Micro] Following the Trail of BlackTech’s Cyber Espionage Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/) | [:closed_book:](../../blob/master/2017/2017.06.22.following-trail-blacktech-cyber-espionage-campaigns)
* Jun 19 - [[root9B] SHELLTEA + POSLURP MALWARE: memory resident point-of-sale malware attacks industry](https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf) | [:closed_book:](../../blob/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE)
* Jun 18 - [[Palo Alto Networks] APT3 Uncovered: The code evolution of Pirpi](https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf) | [:closed_book:](../../blob/master/2017/2017.06.18.APT3_Uncovered_The_code_evolution_of_Pirpi)
* Jun 15 - [[Recorded Future] North Korea Is Not Crazy](https://www.recordedfuture.com/north-korea-cyber-activity/) | [:closed_book:](../../blob/master/2017/2017.06.15.north-korea-cyber-activity)
* Jun 14 - [[ThreatConnect] KASPERAGENT Malware Campaign resurfaces in the run up to May Palestinian Authority Elections](https://www.threatconnect.com/blog/kasperagent-malware-campaign/) | [:closed_book:](../../blob/master/2017/2017.06.14.KASPERAGENT)
* Jun 13 - [[US-CERT] HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure](https://www.us-cert.gov/ncas/alerts/TA17-164A) | [:closed_book:](../../blob/master/2017/2017.06.13.HIDDEN_COBRA)
* Jun 12 - [[Dragos] CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations](https://dragos.com/blog/crashoverride/CrashOverride-01.pdf) | [:closed_book:](../../blob/master/2017/2017.06.12.CRASHOVERRIDE)
* Jun 12 - [[ESET] WIN32/INDUSTROYER A new threat for industrial control systems](https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf) | [:closed_book:](../../blob/master/2017/2017.06.12.INDUSTROYER)
* May 30 - [[Group-IB] Lazarus Arisen: Architecture, Techniques and Attribution](http://www.group-ib.com/lazarus.html) | [:closed_book:](../../blob/master/2017/2017.05.30.Lazarus_Arisen)
* May 24 - [[Cybereason] OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP](https://www.cybereason.com/blog/operation-cobalt-kitty-apt) | [:closed_book:](../../blob/master/2017/2017.05.24.OPERATION_COBALT_KITTY)
* May 14 - [[FireEye] Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations](https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html) | [:closed_book:](../../blob/master/2017/2017.05.14.cyber-espionage-apt32)
* May 03 - [[Palo Alto Networks] Kazuar: Multiplatform Espionage Backdoor with API Access](http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-acces) | [:closed_book:](../../blob/master/2017/2017.05.03.kazuar-multiplatform-espionage-backdoor-api-access)
* May 03 - [[CISCO] KONNI: A Malware Under The Radar For Years](http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html) | [:closed_book:](../../blob/master/2017/2017.05.03.konni-malware-under-radar-for-years)
* Apr 27 - [[Morphisec] Iranian Fileless Attack Infiltrates Israeli Organizations](http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability) | [:closed_book:](../../blob/master/2017/2017.04.27.iranian-fileless-cyberattack-on-israel-word-vulnerability)
* Apr 13 - [[F-SECURE] Callisto Group](https://www.f-secure.com/documents/996508/1030745/callisto-group) | [:closed_book:](../../blob/master/2017/2017.04.13.callisto-group)
* Apr 11 - [[Kaspersky] Unraveling the Lamberts Toolkit](https://securelist.com/unraveling-the-lamberts-toolkit/77990/) | [:closed_book:](../../blob/master/2017/2017.04.11.Lamberts_Toolkit)
* Apr 10 - [[Symantec] Longhorn: Tools used by cyberespionage group linked to Vault 7](https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7) | [:closed_book:](../../blob/master/2017/2017.04.10_Longhorn)
* Apr 06 - [[PwC] Operation Cloud Hopper](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) | [:closed_book:](../../blob/master/2017/2017.04.06.Operation_Cloud_Hopper)
* Apr 05 - [[Palo Alto Networks, Clearsky] Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA](https://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/) | [:closed_book:](../../blob/master/2017/2017.04.05.KASPERAGENT_and_MICROPSIA)
* Mar 15 - [[JPCERT] FHAPPI Campaign](http://blog.0day.jp/p/english-report-of-fhappi-freehosting.html) | [:closed_book:](../../blob/master/2017/2017.03.15.FHAPPI_Campaign)
* Mar 14 - [[Clearsky] Operation Electric Powder – Who is targeting Israel Electric Company?](http://www.clearskysec.com/iec/) | [:closed_book:](../../blob/master/2017/2017.03.14.Operation_Electric_Powder)
* Mar 08 - [[Netskope] Targeted Attack Campaigns with Multi-Variate Malware Observed in the Cloud](https://www.netskope.com/blog/targeted-attack-campaigns-multi-variate-malware-observed-cloud) | [:closed_book:](../../blob/master/2017/2017.03.08.Targeted_Attack_Campaigns)
* Mar 06 - [[Kaspersky] From Shamoon to StoneDrill](https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/) | [:closed_book:](../../blob/master/2017/2017.03.06.from-shamoon-to-stonedrill)
* Feb 28 - [[IBM] Dridex’s Cold War: Enter AtomBombing](https://securityintelligence.com/dridexs-cold-war-enter-atombombing/) | [:closed_book:](../../blob/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing)
* Feb 27 - [[Palo Alto Networks] The Gamaredon Group Toolset Evolution](http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/) | [:closed_book:](../../blob/master/2017/2017.02.27.gamaredon-group-toolset-evolution/)
* Feb 23 - [[Bitdefender] Dissecting the APT28 Mac OS X Payload](https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf) | [:closed_book:](../../blob/master/2017/2017.02.23.APT28_Mac_OS_X_Payload)
* Feb 22 - [[FireEye] Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government](https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html) | [:closed_book:](../../blob/master/2017/2017.02.22.Spear_Phishing_Mongolian_Government)
* Feb 21 - [[Arbor] Additional Insights on Shamoon2](https://www.arbornetworks.com/blog/asert/additional-insights-on-shamoon2/) | [:closed_book:](../../blob/master/2017/2017.02.21.Additional_Insights_on_Shamoon2)
* Feb 20 - [[BAE Systems] Lazarus' False Flag Malware](http://baesystemsai.blogspot.tw/2017/02/lazarus-false-flag-malware.html) | [:closed_book:](../../blob/master/2017/2017.02.20.Lazarus_False_Flag_Malware)
* Feb 17 - [[JPCERT] ChChes - Malware that Communicates with C&C Servers Using Cookie Headers](http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html) | [:closed_book:](../../blob/master/2017/2017.02.17.chches-malware)
* Feb 16 - [[BadCyber] Technical analysis of recent attacks against Polish banks](https://badcyber.com/technical-analysis-of-recent-attacks-against-polish-banks/) | [:closed_book:](../../blob/master/2017/2017.02.16.Technical_analysis_Polish_banks)
* Feb 15 - [[Morphick] Deep Dive On The DragonOK Rambo Backdoor](http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor) | [:closed_book:](../../blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor)
* Feb 15 - [[IBM] The Full Shamoon: How the Devastating Malware Was Inserted Into Networks](https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/) | [:closed_book:](../../blob/master/2017/2017.02.15.the-full-shamoon)
* Feb 15 - [[Dell] Iranian PupyRAT Bites Middle Eastern Organizations](https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations) | [:closed_book:](../../blob/master/2017/2017.02.15.iranian-pupyrat-bites-middle-eastern-organizations)
* Feb 15 - [[Palo Alto Networks] Magic Hound Campaign Attacks Saudi Targets](http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/) | [:closed_book:](../../blob/master/2017/2017.02.15.magic-hound-campaign)
* Feb 14 - [[Medium] Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal](https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852#.cly4mg1g8) | [:closed_book:](../../blob/master/2017/2017.02.14.Operation_Kingphish)
* Feb 12 - [[BAE Systems] Lazarus & Watering-Hole Attacks](https://baesystemsai.blogspot.tw/2017/02/lazarus-watering-hole-attacks.html) | [:closed_book:](../../blob/master/2017/2017.02.12.lazarus-watering-hole-attacks)
* Feb 10 - [[Cysinfo] Cyber Attack Targeting Indian Navy's Submarine And Warship Manufacturer](https://cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/) | [:closed_book:](../../blob/master/2017/2017.02.10.cyber-attack-targeting-indian-navys-submarine-warship-manufacturer)
* Feb 10 - [[DHS] Enhanced Analysis of GRIZZLY STEPPE Activity](https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf) | [:closed_book:](../../blob/master/2017/2017.02.10.Enhanced_Analysis_of_GRIZZLY_STEPPE)
* Feb 03 - [[RSA] KingSlayer A Supply chain attack](https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf) | [:closed_book:](../../blob/master/2017/2017.02.03.kingslayer-a-supply-chain-attack)
* Feb 03 - [[BadCyber] Several Polish banks hacked, information stolen by unknown attackers](https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/) | [:closed_book:](../../blob/master/2017/2017.02.03.several-polish-banks-hacked)
* Feb 02 - [[Proofpoint] Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx) | [:closed_book:](../../blob/master/2017/2017.02.02.APT_Targets_Russia_and_Belarus_with_ZeroT_and_PlugX)
* Jan 30 - [[Palo Alto Networks] Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments](http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/) | [:closed_book:](../../blob/master/2017/2017.01.30.downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments)
* Jan 25 - [[Microsoft] Detecting threat actors in recent German industrial attacks with Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc) | [:closed_book:](../../blob/master/2017/2017.01.25.german-industrial-attacks)
* Jan 19 - [[Cysinfo] URI Terror Attack & Kashmir Protest Themed Spear Phishing Emails Targeting Indian Embassies And Indian Ministry Of External Affairs](https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/) | [:closed_book:](../../blob/master/2017/2017.01.19.uri-terror-attack)
* Jan 18 - [[Trustwave] Operation Grand Mars: Defending Against Carbanak Cyber Attacks](https://www.trustwave.com/Resources/Library/Documents/Operation-Grand-Mars--Defending-Against-Carbanak-Cyber-Attacks/) | [:closed_book:](../../blob/master/2017/2017.01.18.Operation-Grand-Mars)
* Jan 15 - [[tr1adx] Bear Spotting Vol. 1: Russian Nation State Targeting of Government and Military Interests](https://www.tr1adx.net/intel/TIB-00003.html) | [:closed_book:](../../blob/master/2017/2017.01.15.Bear_Spotting_Vol.1)
* Jan 12 - [[Kaspersky] The “EyePyramid” attacks](https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/) | [:closed_book:](../../blob/master/2017/2017.01.12.EyePyramid.attacks)
* Jan 11 - [[FireEye] APT28: AT THE CENTER OF THE STORM](https://www.fireeye.com/blog/threat-research/2017/01/apt28_at_the_center.html) | [:closed_book:](../../blob/master/2017/2017.01.11.apt28_at_the_center)
* Jan 09 - [[Palo Alto Networks] Second Wave of Shamoon 2 Attacks Identified](http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/) | [:closed_book:](../../blob/master/2017/2017.01.09.second-wave-shamoon-2-attacks-identified)
* Jan 05 - [[Clearsky] Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford](http://www.clearskysec.com/oilrig/) | [:closed_book:](../../blob/master/2017/2017.01.05.Iranian_Threat_Agent_OilRig)

## 2016

* Dec 15 - [[Microsoft] PROMETHIUM and NEODYMIUM APT groups on Turkish citizens living in Turkey and various other European countries.](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf) | [:closed_book:](../../blob/master/2016/2016.12.15.PROMETHIUM_and_NEODYMIUM)
* Dec 13 - [[ESET] The rise of TeleBots: Analyzing disruptive KillDisk attacks](http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/) | [:closed_book:](../../blob/master/2016/2016.12.13.rise-telebots-analyzing-disruptive-killdisk-attacks)
* Nov 30 - [[Cysinfo] MALWARE ACTORS USING NIC CYBER SECURITY THEMED SPEAR PHISHING TO TARGET INDIAN GOVERNMENT ORGANIZATIONS](https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/) | [:closed_book:](../../blob/master/2016/2016.11.30.nic-cyber-security-themed)
* Nov 22 - [[Palo Alto Networks] Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy](http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/) | [:closed_book:](../../blob/master/2016/2016.11.22.tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy)
* Nov 09 - [[Fidelis] Down the H-W0rm Hole with Houdini's RAT](https://www.fidelissecurity.com/threatgeek/2016/11/down-h-w0rm-hole-houdinis-rat) | [:closed_book:](../../blob/master/2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat)
* Nov 03 - [[Booz Allen] When The Lights Went Out: Ukraine Cybersecurity Threat Briefing](http://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf) | [:closed_book:](../../blob/master/2016/2016.11.03.Ukraine_Cybersecurity_Threat_Briefing)
* Oct 31 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [:closed_book:](../../blob/master/2016/2016.10.31.Emissary_Trojan_Changelog)
* Oct 27 - [[ESET] En Route with Sednit Part 3: A Mysterious Downloader](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf) | [:closed_book:](../../blob/master/2016/2016.10.27.En_Route_Part3)
* Oct 27 - [[Trend Micro] BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List](http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/) | [:closed_book:](../../blob/master/2016/2016.10.27.BLACKGEAR_Espionage_Campaign_Evolves)
* Oct 26 - [[Vectra Networks] Moonlight – Targeted attacks in the Middle East](http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks) | [:closed_book:](../../blob/master/2016/2016.10.26.Moonlight_Middle_East)
* Oct 25 - [[Palo Alto Networks] Houdini’s Magic Reappearance](http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/) | [:closed_book:](../../blob/master/2016/2016.10.25.Houdini_Magic_Reappearance)
* Oct 25 - [[ESET] En Route with Sednit Part 2: Lifting the lid on Sednit: A closer look at the software it uses](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf) | [:closed_book:](../../blob/master/2016/2016.10.25.Lifting_the_lid_on_Sednit)
* Oct 20 - [[ESET] En Route with Sednit Part 1: Approaching the Target](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf) | [:closed_book:](../../blob/master/2016/2016.10.20.En_Route_with_Sednit)
* Oct 17 - [[ThreatConnect] ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence?](https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/) | [:closed_book:](../../blob/master/2016/2016.10.16.A_Tale_of_Two_Targets)
* Oct 05 - [[Kaspersky] Wave your false flags](https://securelist.com/files/2016/10/Bartholomew-GuerreroSaade-VB2016.pdf) | [:closed_book:](../../blob/master/2016/2016.10.05_Wave_Your_False_flag)
* Oct 03 - [[Kaspersky] On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users](https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/) | [:closed_book:](../../blob/master/2016/2016.10.03.StrongPity)
* Sep 29 - [[NATO CCD COE] China and Cyber: Attitudes, Strategies, Organisation](https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_CHINA_092016.pdf) | [:closed_book:](../../blob/master/2016/2016.09.29.China_and_Cyber_Attitudes_Strategies_Organisation)
* Sep 28 - [[Palo Alto Networks] Confucius Says…Malware Families Get Further By Abusing Legitimate Websites](https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/) | [:closed_book:](../../blob/master/2016/2016.09.28.Confucius_Says)
* Sep 28 - [[ThreatConnect] Belling the BEAR: russia-hacks-bellingcat-mh17-investigation](https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/) | [:closed_book:](../../blob/master/2016/2016.09.28.russia-hacks-bellingcat-mh17-investigation)
* Sep 26 - [[Palo Alto Networks] Sofacy’s ‘Komplex’ OS X Trojan](http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/) | [:closed_book:](../../blob/master/2016/2016.09.26_Sofacy_Komplex_OSX_Trojan)
* Sep 18 - [[Cyberkov] Hunting Libyan Scorpions](https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf) | [:closed_book:](../../blob/master/2016/2016.09.18.Hunting-Libyan-Scorpions)
* Sep 14 - [[Palo Alto Networks] MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies](http://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/) | [:closed_book:](../../blob/master/2016/2016.09.14.MILE_TEA)
* Sep 06 - [[Symantec] Buckeye cyberespionage group shifts gaze from US to Hong Kong](http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong) | [:closed_book:](../../blob/master/2016/2016.09.06.buckeye-cyberespionage-group-shifts-gaze-us-hong-kong)
* Sep 01 - [[IRAN THREATS] MALWARE POSING AS HUMAN RIGHTS ORGANIZATIONS AND COMMERCIAL SOFTWARE TARGETING IRANIANS, FOREIGN POLICY INSTITUTIONS AND MIDDLE EASTERN COUNTRIES](https://iranthreats.github.io/resources/human-rights-impersonation-malware/) | [:closed_book:](../../blob/master/2016/2016.09.01.human-rights-impersonation-malware)
* Aug 25 - [[Lookout] Technical Analysis of Pegasus Spyware](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf) | [:closed_book:](../../blob/master/2016/2016.08.25.lookout-pegasus-technical-analysis)
* Aug 24 - [[Citizen Lab] The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/) | [:closed_book:](../../blob/master/2016/2016.08.24.million-dollar-dissident-iphone-zero-day-nso-group-uae)
* Aug 19 - [[ThreatConnect] Russian Cyber Operations on Steroids](https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/) | [:closed_book:](../../blob/master/2016/2016.08.19.fancy-bear-anti-doping-agency-phishing)
* Aug 17 - [[Kaspersky] Operation Ghoul: targeted attacks on industrial and engineering organizations](https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/) | [:closed_book:](../../blob/master/2016/2016.08.17_operation-ghoul)
* Aug 16 - [[Palo Alto Networks] Aveo Malware Family Targets Japanese Speaking Users](http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/) | [:closed_book:](../../blob/master/2016/2016.08.16.aveo-malware-family-targets-japanese)
* Aug 11 - [[IRAN THREATS] Iran and the Soft War for Internet Dominance](https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf) | [:closed_book:](../../blob/master/2016/2016.08.11.Iran-And-The-Soft-War-For-Internet-Dominance)
* Aug 08 - [[Forcepoint] MONSOON](https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign) | [:closed_book:](../../blob/master/2016/2016.08.08.monsoon-analysis-apt-campaign)
* Aug 08 - [[Kaspersky] ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms](https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/) | [:closed_book:](../../blob/master/2016/2016.08.08.ProjectSauron)
* Aug 07 - [[Symantec] Strider: Cyberespionage group turns eye of Sauron on targets](http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets) | [:closed_book:](../../blob/master/2016/2016.08.07.Strider_Cyberespionage_group_turns_eye_of_Sauron_on_targets)
* Aug 06 - [[360] APT-C-09](http://www.nsoad.com/Article/Network-security/20160806/269.html) | [:closed_book:](../../blob/master/2016/2016.08.06.APT-C-09)
* Aug 04 - [[Recorded Future] Running for Office: Russian APT Toolkits Revealed](https://www.recordedfuture.com/russian-apt-toolkits/) | [:closed_book:](../../blob/master/2016/2016.08.04.russian-apt-toolkits)
* Aug 03 - [[EFF] Operation Manul: I Got a Letter From the Government the Other Day...Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan](https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf) | [:closed_book:](../../blob/master/2016/2016.08.03.i-got-a-letter-from-the-government)
* Aug 02 - [[Citizen Lab] Group5: Syria and the Iranian Connection](https://citizenlab.org/2016/08/group5-syria/) | [:closed_book:](../../blob/master/2016/2016.08.02.group5-syria)
* Jul 28 - [[ICIT] China’s Espionage Dynasty](http://icitech.org/wp-content/uploads/2016/07/ICIT-Brief-China-Espionage-Dynasty.pdf) | [:closed_book:](../../blob/master/2016/2016.07.28.China_Espionage_Dynasty)
* Jul 26 - [[Palo Alto Networks] Attack Delivers ‘9002’ Trojan Through Google Drive](http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/) | [:closed_book:](../../blob/master/2016/2016.07.26.Attack_Delivers_9002_Trojan_Through_Google_Drive)
* Jul 21 - [[360] Sphinx (APT-C-15) Targeted cyber-attack in the Middle East](https://ti.360.com/upload/report/file/rmsxden20160721.pdf) | [:closed_book:](../../blob/master/2016/2016.07.21.Sphinx_Targeted_cyber-attack_in_the_Middle_East)
* Jul 21 - [[RSA] Hide and Seek: How Threat Actors Respond in the Face of Public Exposure](https://www.rsaconference.com/writable/presentations/file_upload/tta1-f04_hide-and-seek-how-threat-actors-respond-in-the-face-of-public-exposure.pdf) | [:closed_book:](../../blob/master/2016/2016.07.21.Hide_and_Seek)
* Jul 13 - [[SentinelOne] State-Sponsored SCADA Malware targeting European Energy Companies](https://sentinelone.com/blogs/sfg-furtims-parent/) | [:closed_book:](../../blob/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies)
* Jul 12 - [[F-SECURE] NanHaiShu: RATing the South China Sea](https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf) | [:closed_book:](../../blob/master/2016/2016.07.12.NanHaiShu_RATing_the_South_China_Sea)
* Jul 08 - [[Kaspersky] The Dropping Elephant – aggressive cyber-espionage in the Asian region](https://securelist.com/blog/research/75328/the-dropping-elephant-actor/) | [:closed_book:](../../blob/master/2016/2016.07.08.The_Dropping_Elephant)
* Jul 07 - [[Proofpoint] NetTraveler APT Targets Russian, European Interests](https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests) | [:closed_book:](../../blob/master/2016/2016.07.07.nettraveler-apt-targets-russian-european-interests)
* Jul 07 - [[Cymmetria] UNVEILING PATCHWORK: THE COPY-PASTE APT](https://www.cymmetria.com/wp-content/uploads/2016/07/Unveiling-Patchwork.pdf) | [:closed_book:](../../blob/master/2016/2016.07.07.UNVEILING_PATCHWORK)
* Jul 03 - [[Check Point] From HummingBad to Worse](http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf) | [:closed_book:](../../blob/master/2016/2016.07.03_From_HummingBad_to_Worse)
* Jul 01 - [[Bitdefender] Pacifier APT](http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf) | [:closed_book:](../../blob/master/2016/2016.07.01.Bitdefender_Pacifier_APT)
* Jul 01 - [[ESET] Espionage toolkit targeting Central and Eastern Europe uncovered](http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eastern-europe-uncovered/) | [:closed_book:](../../blob/master/2016/2016.07.01.SBDH_toolkit_targeting_Central_and_Eastern_Europe)
* Jun 30 - [[JPCERT] Asruex: Malware Infecting through Shortcut Files](http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html) | [:closed_book:](../../blob/master/2016/2016.06.30.Asruex)
* Jun 28 - [[Palo Alto Networks] Prince of Persia – Game Over](http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/) | [:closed_book:](../../blob/master/2016/2016.06.28.prince-of-persia-game-over)
* Jun 28 - [[JPCERT] (Japan) Attack Tool Investigation](https://www.jpcert.or.jp/research/20160628ac-ir_research.pdf) | [:closed_book:](../../blob/master/2016/2016.06.28.Attack_Tool_Investigation)
* Jun 26 - [[Trend Micro] The State of the ESILE/Lotus Blossom Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the-esilelotus-blossom-campaign/) | [:closed_book:](../../blob/master/2016/2016.06.26.The_State_of_the_ESILE_Lotus_Blossom_Campaign)
* Jun 26 - [[Cylance] Nigerian Cybercriminals Target High-Impact Industries in India via Pony](https://blog.cylance.com/threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony) | [:closed_book:](../../blob/master/2016/2016.06.26.Nigerian_Cybercriminals_Target_High_Impact_Industries_in_India)
* Jun 23 - [[Palo Alto Networks] Tracking Elirks Variants in Japan: Similarities to Previous Attacks](http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/) | [:closed_book:](../../blob/master/2016/2016.06.23.Tracking_Elirks_Variants_in_Japan)
* Jun 21 - [[Fortinet] The Curious Case of an Unknown Trojan Targeting German-Speaking Users](https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users) | [:closed_book:](../../blob/master/2016/2016.06.21.Unknown_Trojan_Targeting_German_Speaking_Users)
* Jun 21 - [[FireEye] Redline Drawn: China Recalculates Its Use of Cyber Espionage](https://www.fireeye.com/content/dam/FireEye-www/current-threats/pdfs/rpt-china-espionage.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.Redline_Drawn_China_Recalculates_Its_Use_of_Cyber_Espionage)
* Jun 21 - [[ESET] Visiting The Bear Den](http://www.welivesecurity.com/wp-content/uploads/2016/06/visiting_the_bear_den_recon_2016_calvet_campos_dupuy-1.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.visiting_the_bear_den_recon_2016_calvet_campos_dupuy)
* Jun 17 - [[Kaspersky] Operation Daybreak](https://securelist.com/operation-daybreak/75100/) | [:closed_book:](../../blob/master/2016/2016.06.17.Operation_Daybreak)
* Jun 16 - [[Dell] Threat Group-4127 Targets Hillary Clinton Presidential Campaign](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) | [:closed_book:](../../blob/master/2016/2016.06.16.DNC)
* Jun 15 - [[CrowdStrike] Bears in the Midst: Intrusion into the Democratic National Committee](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) | [:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 09 - [[Clearsky] Operation DustySky Part 2](http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf) | [:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 02 - [[Trend Micro] FastPOS: Quick and Easy Credit Card Theft](http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf) | [:closed_book:](../../blob/master/2016/2016.06.02.fastpos-quick-and-easy-credit-card-theft/)
* May 27 - [[Trend Micro] IXESHE Derivative IHEATE Targets Users in America](http://blog.trendmicro.com/trendlabs-security-intelligence/ixeshe-derivative-iheate-targets-users-america/) | [:closed_book:](../../blob/master/2016/2016.05.27.IXESHE_Derivative_IHEATE_Targets_Users_in_America/)
* May 26 - [[Palo Alto Networks] The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) | [:closed_book:](../../blob/master/2016/2016.05.26.OilRig_Campaign/)
* May 25 - [[Kaspersky] CVE-2015-2545: overview of current threats](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/) | [:closed_book:](../../blob/master/2016/2016.05.25.CVE-2015-2545/)
* May 24 - [[Palo Alto Networks] New Wekby Attacks Use DNS Requests As Command and Control Mechanism](http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/) | 
[:closed_book:](../../blob/master/2016/2016.05.24.New_Wekby_Attacks) * May 23 - [[MELANI:GovCERT] APT Case RUAG Technical Report](https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf) | [:closed_book:](../../blob/master/2016/2016.05.23.APT_Case_RUAG) * May 22 - [[FireEye] TARGETED ATTACKS AGAINST BANKS IN THE MIDDLE EAST](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) | [:closed_book:](../../blob/master/2016/2016.05.22.Targeted_Attacks_Against_Banks_in_Middle_East) * May 22 - [[Palo Alto Networks] Operation Ke3chang Resurfaces With New TidePool Malware](http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/) | [:closed_book:](../../blob/master/2016/2016.05.22.Operation_Ke3chang_Resurfaces_With_New_TidePool_Malware/) * May 18 - [[ESET] Operation Groundbait: Analysis of a surveillance toolkit](http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf) | [:closed_book:](../../blob/master/2016/2016.05.18.Operation_Groundbait/) * May 17 - [[FOX-IT] Mofang: A politically motivated information stealing adversary](https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf) | [:closed_book:](../../blob/master/2016/2016.05.17.Mofang) * May 17 - [[Symantec] Indian organizations targeted in Suckfly attacks](http://www.symantec.com/connect/ko/blogs/indian-organizations-targeted-suckfly-attacks) | [:closed_book:](../../blob/master/2016/2016.05.17.Indian_organizations_targeted_in_Suckfly_attacks/) * May 10 - [[Trend Micro] Backdoor as a Software Suite: How TinyLoader Distributes and Upgrades PoS Threats](http://blog.trendmicro.com/trendlabs-security-intelligence/how-tinyloader-distributes-and-upgrades-pos-threats/) | [paper](http://documents.trendmicro.com/assets/tinypos-abaddonpos-ties-to-tinyloader.pdf) | 
[:closed_book:](../../blob/master/2016/2016.05.10.tinyPOS_tinyloader/) * May 09 - [[CMU SEI] Using Honeynets and the Diamond Model for ICS Threat Analysis](http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454247.pdf) | [:closed_book:](../../blob/master/2016/2016.05.09_ICS_Threat_Analysis/) * May 06 - [[PwC] Exploring CVE-2015-2545 and its users](http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html) | [:closed_book:](../../blob/master/2016/2016.05.06_Exploring_CVE-2015-2545/) * May 05 - [[Forcepoint] Jaku: an on-going botnet campaign](https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf) | [:closed_book:](../../blob/master/2016/2016.05.05_Jaku_botnet_campaign/) * May 02 - [[Team Cymru] GOZNYM MALWARE target US, AT, DE ](https://blog.team-cymru.org/2016/05/goznym-malware/) | [:closed_book:](../../blob/master/2016/2016.05.02.GOZNYM_MALWARE) * May 02 - [[Palo Alto Networks] Prince of Persia: Infy Malware Active In Decade of Targeted Attacks](http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/) | [:closed_book:](../../blob/master/2016/2016.05.02.Prince_of_Persia_Infy_Malware/) * Apr 27 - [[Kaspersky] Repackaging Open Source BeEF for Tracking and More](https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/) | [:closed_book:](../../blob/master/2016/2016.04.27.Repackaging_Open_Source_BeEF) * Apr 26 - [[Financial Times] Cyber warfare: Iran opens a new front](http://www.ft.com/intl/cms/s/0/15e1acf0-0a47-11e6-b0f1-61f222853ff3.html#axzz478cZz3ao) | [:closed_book:](../../blob/master/2016/2016.04.26.Iran_Opens_a_New_Front/) * Apr 26 - [[Arbor] New Poison Ivy Activity Targeting Myanmar, Asian Countries](https://www.arbornetworks.com/blog/asert/recent-poison-iv/) | [:closed_book:](../../blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/) * 
Apr 22 - [[Cylance] The Ghost Dragon](https://blog.cylance.com/the-ghost-dragon) | [:closed_book:](../../blob/master/2016/2016.04.22.the-ghost-dragon) * Apr 21 - [[SentinelOne] Teaching an old RAT new tricks](https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/) | [:closed_book:](../../blob/master/2016/2016.04.21.Teaching_an_old_RAT_new_tricks/) * Apr 21 - [[Palo Alto Networks] New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists](http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/) | [:closed_book:](../../blob/master/2016/2016.04.21.New_Poison_Ivy_RAT_Variant_Targets_Hong_Kong/) * Apr 18 - [[Citizen Lab] Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns](https://citizenlab.org/2016/04/between-hong-kong-and-burma/) | [:closed_book:](../../blob/master/2016/2016.04.18.UP007/) * Apr 15 - [[SANS] Detecting and Responding Pandas and Bears](http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf) | [:closed_book:](../../blob/master/2016/2016.04.15.pandas_and_bears/) * Apr 12 - [[Microsoft] PLATINUM: Targeted attacks in South and Southeast Asia](http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf) | [:closed_book:](../../blob/master/2016/2016.04.12.PLATINUM_Targeted_attacks_in_South_and_Southeast_Asia/) * Mar 25 - [[Palo Alto Networks] ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe](http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/?utm_medium=email&utm_source=Adobe%20Campaign&utm_campaign=Unit%2042%20Blog%20Updates%2031Mar16) | 
[:closed_book:](../../blob/master/2016/2016.03.25.ProjectM/) * Mar 23 - [[Trend Micro] Operation C-Major: Information Theft Campaign Targets Military Personnel in India](http://blog.trendmicro.com/trendlabs-security-intelligence/indian-military-personnel-targeted-by-information-theft-campaign/) | [:closed_book:](../../blob/master/2016/2016.03.23.Operation_C_Major/) * Mar 18 - [[SANS] Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf) | [:closed_book:](../../blob/master/2016/2016.03.18.Analysis_of_the_Cyber_Attack_on_the_Ukrainian_Power_Grid/) * Mar 17 - [[PwC] Taiwan Presidential Election: A Case Study on Thematic Targeting](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html) | [:closed_book:](../../blob/master/2016/2016.03.17.Taiwan-election-targetting/) * Mar 15 - [[Symantec] Suckfly: Revealing the secret life of your code signing certificates](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates) | [:closed_book:](../../blob/master/2016/2016.03.15.Suckfly) * Mar 14 - [[Proofpoint] Bank robbery in progress: New attacks from Carbanak group target banks in Middle East and US](https://www.proofpoint.com/us/threat-insight/post/carbanak-cybercrime-group-targets-executives-of-financial-organizations-in-middle-east) | [:closed_book:](../../blob/master/2016/2016.03.14.Carbanak_cybercrime_group) * Mar 10 - [[Citizen Lab] Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans](https://citizenlab.org/2016/03/shifting-tactics/) | [:closed_book:](../../blob/master/2016/2016.03.10.shifting-tactics) * Mar 09 - [[FireEye] LESSONS FROM OPERATION RUSSIANDOLL](https://www.fireeye.com/blog/threat-research/2016/03/lessons-from-operation-russian-doll.html) | [:closed_book:](../../blob/master/2016/2016.03.09.Operation_RussianDoll) * Mar 08 - [[360] Operation OnionDog: A 3 Year Old APT Focused On 
the Energy and Transportation Industries in Korean-language Countries](http://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html) | [:closed_book:](../../blob/master/2016/2016.03.08.OnionDog) * Mar 03 - [[Recorded Future] Shedding Light on BlackEnergy With Open Source Intelligence](https://www.recordedfuture.com/blackenergy-malware-analysis/) | [:closed_book:](../../blob/master/2016/2016.03.03.Shedding_Light_BlackEnergy) * Mar 01 - [[Proofpoint] Operation Transparent Tribe - APT Targeting Indian Diplomatic and Military Interests](https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe) | [:closed_book:](../../blob/master/2016/2016.03.01.Operation_Transparent_Tribe/) * Feb 29 - [[Fidelis] The Turbo Campaign, Featuring Derusbi for 64-bit Linux](https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602_0.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster) * Feb 24 - [[NOVETTA] Operation Blockbuster](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster) * Feb 23 - [[Cylance] OPERATION DUST STORM](https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456355696065) | [:closed_book:](../../blob/master/2016/2016.02.23.Operation_Dust_Storm) * Feb 12 - [[Palo Alto Networks] A Look Into Fysbis: Sofacy’s Linux Backdoor](http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/) | [:closed_book:](../../blob/master/2016/2016.02.12.Fysbis_Sofacy_Linux_Backdoor) * Feb 11 - [[Recorded Future] Hacktivism: India vs. 
Pakistan](https://www.recordedfuture.com/india-pakistan-cyber-rivalry/) | [:closed_book:](../../blob/master/2016/2016.02.11.Hacktivism_India_vs_Pakistan) * Feb 09 - [[Kaspersky] Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage](https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/) | [:closed_book:](../../blob/master/2016/2016.02.09_Poseidon_APT_Boutique) * Feb 08 - [[ICIT] Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups](http://icitech.org/know-your-enemies-2-0/) | [:closed_book:](../../blob/master/2016/2016.02.08.Know_Your_Enemies_2.0) * Feb 04 - [[Palo Alto Networks] T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques](http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/) | [:closed_book:](../../blob/master/2016/2016.02.04_PaloAlto_T9000-Advanced-Modular-Backdoor) * Feb 03 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [:closed_book:](../../blob/master/2016.02.03.Emissary_Trojan_Changelog) * Feb 01 - [[Sucuri] Massive Admedia/Adverting iFrame Infection](https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html) | [:closed_book:](../../blob/master/2016/2016.02.01.Massive_Admedia_Adverting_iFrame_Infection) * Feb 01 - [[IBM] Organized Cybercrime Big in Japan: URLZone Now on the Scene](https://securityintelligence.com/organized-cybercrime-big-in-japan-urlzone-now-on-the-scene/) | [:closed_book:](../../blob/master/2016/2016.02.01.URLzone_Team) * Jan 29 - [[F5] Tinbapore: Millions of Dollars at Risk](https://devcentral.f5.com/d/tinbapore-millions-of-dollars-at-risk?download=true) | [:closed_book:](../../blob/master/2016/2016.01.29.Tinbapore_Attack) * Jan 29 
- [[Zscaler] Malicious Office files dropping Kasidet and Dridex](http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html) | [:closed_book:](../../blob/master/2016/2016.01.29.Malicious_Office_files_dropping_Kasidet_and_Dridex) * Jan 28 - [[Kaspersky] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents](https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/) | [:closed_book:](../../blob/master/2016/2016.01.28.BlackEnergy_APT) * Jan 27 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2016/2016.01.27.Hi-Zor.RAT) * Jan 26 - [[SentinelOne] Analyzing a New Variant of BlackEnergy 3](https://www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf) | [:closed_book:](../../blob/master/2016/2016.01.26.BlackEnergy3) * Jan 24 - [[Palo Alto Networks] Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists](http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/) | [:closed_book:](../../blob/master/2016/2016.01.24_Scarlet_Minic) * Jan 21 - [[Palo Alto Networks] NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan](http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/) | [:closed_book:](../../blob/master/2016/2016.01.21.NetTraveler_Uzbekistan) * Jan 19 - [[360] 2015 APT Annual Report](https://ti.360.com/upload/report/file/2015.APT.Annual_Report.pdf) | [:closed_book:](../../blob/master/2016/2016.01.19.360_APT_Report) * Jan 14 - [[CISCO] RESEARCH SPOTLIGHT: NEEDLES IN A HAYSTACK](http://blog.talosintel.com/2016/01/haystack.html#more) | [:closed_book:](../../blob/master/2016/2016.01.14_Cisco_Needles_in_a_Haystack) * Jan 14 - [[Symantec] The Waterbug attack 
group](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [:closed_book:](../../blob/master/2016/2016.01.14.The.Waterbug.Attack.Group/) * Jan 07 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf) | [:closed_book:](../../blob/master/2016/2016.01.07.Operation_DustySky) * Jan 07 - [[CISCO] RIGGING COMPROMISE - RIG EXPLOIT KIT](http://blog.talosintel.com/2016/01/rigging-compromise.html) | [:closed_book:](../../blob/master/2016/2016.01.07.rigging-compromise) * Jan 03 - [[ESET] BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) | [:closed_book:](../../blob/master/2016/2016.01.03.BlackEnergy_Ukrainian) ## 2015 * Dec 23 - [[PwC] ELISE: Security Through Obesity](http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html) | [:closed_book:](../../blob/master/2015/2015.12.13.ELISE) * Dec 22 - [[Palo Alto Networks] BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger](http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/) | [:closed_book:](../../blob/master/2015/2015.12.22.BBSRAT_Roaming_Tiger) * Dec 20 - [[FireEye] The EPS Awakens - Part 2](https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html) | [:closed_book:](../../blob/master/2015/2015.12.20.EPS_Awakens_Part_II) * Dec 18 - [[Palo Alto Networks] Attack on French Diplomat Linked to Operation Lotus Blossom](http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/) | [:closed_book:](../../blob/master/2015/2015.12.18.Attack_on_Frence_Diplomat_Linked_To_Operation_Lotus_Blossom) * Dec 16 - [[Bitdefender] APT28 Under the Scope - A 
Journey into Exfiltrating Intelligence and Government Information](http://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf) | [:closed_book:](../../blob/master/2015/2015.12.17.APT28_Under_The_Scope) * Dec 16 - [[Trend Micro] Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them](http://documents.trendmicro.com/assets/Operation_Black%20Atlas_Technical_Brief.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign) * Dec 16 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign) * Dec 15 - [[AirBus] Newcomers in the Derusbi family](http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family) | [:closed_book:](../../blob/master/2015/2015.12.15.Newcomers_in_the_Derusbi_family) * Dec 08 - [[Citizen Lab] Packrat: Seven Years of a South American Threat Actor](https://citizenlab.org/2015/12/packrat-report/) | [:closed_book:](../../blob/master/2015/2015.12.08.Packrat) * Dec 07 - [[FireEye] Financial Threat Group Targets Volume Boot Record](https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html) | [:closed_book:](../../blob/master/2015/2015.12.07.Thriving_Beyond_The_Operating_System) * Dec 07 - [[Symantec] Iran-based attackers use back door threats to spy on Middle Eastern targets](http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) | [:closed_book:](../../blob/master/2015/2015.12.07.Iran-based) * Dec 04 - [[Kaspersky] Sofacy APT hits high profile targets with updated toolset](https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/) | [:closed_book:](../../blob/master/2015/2015.12.04.Sofacy_APT) * Dec 01 - 
[[FireEye] China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html) | [:closed_book:](../../blob/master/2015/2015.12.01.China-based_Cyber_Threat_Group_Uses_Dropbox_for_Malware_Communications_and_Targets_Hong_Kong_Media_Outlets) * Nov 30 - [[FOX-IT] Ponmocup A giant hiding in the shadows](https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf) | [:closed_book:](../../blob/master/2015/2015.11.30.Ponmocup) * Nov 24 - [[Palo Alto Networks] Attack Campaign on the Government of Thailand Delivers Bookworm Trojan](http://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/) | [:closed_book:](../../blob/master/2015/2015.11.24.Attack_Campaign_on_the_Government_of_Thailand_Delivers_Bookworm_Trojan) * Nov 23 - [[Minerva Labs, ClearSky] CopyKittens Attack Group](https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf) | [:closed_book:](../../blob/master/2015/2015.11.23.CopyKittens_Attack_Group) * Nov 23 - [[RSA] PEERING INTO GLASSRAT](https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf) | [:closed_book:](../../blob/master/2015/2015.11.23.PEERING_INTO_GLASSRAT) * Nov 23 - [[Trend Micro] Prototype Nation: The Chinese Cybercriminal Underground in 2015](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/prototype-nation-the-chinese-cybercriminal-underground-in-2015/?utm_source=siblog&utm_medium=referral&utm_campaign=2015-cn-ug) | [:closed_book:](../../blob/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015) * Nov 19 - [[Kaspersky] Russian financial cybercrime: how it works](https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/) | 
[:closed_book:](../../blob/master/2015/2015.11.18.Russian_financial_cybercrime_how_it_works) * Nov 19 - [[JPCERT] Decrypting Strings in Emdivi](http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html) | [:closed_book:](../../blob/master/2015/2015.11.19.decrypting-strings-in-emdivi) * Nov 18 - [[Palo Alto Networks] TDrop2 Attacks Suggest Dark Seoul Attackers Return](http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/) | [:closed_book:](../../blob/master/2015/2015.11.18.tdrop2) * Nov 18 - [[CrowdStrike] Sakula Reloaded](http://blog.crowdstrike.com/sakula-reloaded/) | [:closed_book:](../../blob/master/2015/2015.11.18.Sakula_Reloaded) * Nov 18 - [[Damballa] Damballa discovers new toolset linked to Destover Attacker’s arsenal helps them to broaden attack surface](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.18.Destover/amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface.pdf) | [:closed_book:](../../blob/master/2015/2015.11.18.Destover) * Nov 16 - [[FireEye] WitchCoven: Exploiting Web Analytics to Ensnare Victims](https://www2.fireeye.com/threat-intel-report-WITCHCOVEN.html) | [:closed_book:](../../blob/master/2015/2015.11.17.Pinpointing_Targets_Exploiting_Web_Analytics_to_Ensnare_Victims) * Nov 10 - [[Palo Alto Networks] Bookworm Trojan: A Model of Modular Architecture](http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/) | [:closed_book:](../../blob/master/2015/2015.11.10.bookworm-trojan-a-model-of-modular-architecture) * Nov 09 - [[Check Point] Rocket Kitten: A Campaign With 9 Lives](http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf) | [:closed_book:](../../blob/master/2015/2015.11.09.Rocket_Kitten_A_Campaign_With_9_Lives) * Nov 04 - [[RSA] Evolving Threats:dissection of a CyberEspionage 
attack](http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf) | [:closed_book:](../../blob/master/2015/2015.11.04_Evolving_Threats) * Oct 16 - [[Citizen Lab] Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/)(https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36/) | [:closed_book:](../../blob/master/2015/2015.10.16.NGO_Burmese_Government) * Oct 15 - [[Citizen Lab] Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation](https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/) | [:closed_book:](../../blob/master/2015/2015.10.15.FinFisher_Continuing) * Oct 05 - [[Recorded Future] Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy](http://go.recordedfuture.com/hubfs/reports/threat-identification.pdf) | [:closed_book:](../../blob/master/2015/2015.10.05.Proactive_Threat_Identification) * Oct 03 - [[Cybereason] Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf) | [:closed_book:](../../blob/master/2015/2015.10.03.Webmail_Server_APT) * Sep 23 - [[ThreatConnect] PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA’S UNIT 78020](https://www.threatconnect.com/camerashy-intro/) | [PDF](https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) | [:closed_book:](../../blob/master/2015/2015.09.23.CAMERASHY_ThreatConnect) * Sep 17 - [[F-SECURE] The Dukes 7 Years of Russian Cyber Espionage](https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/) - [PDF](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf) | [:closed_book:](../../blob/master/2015/2015.09.17.duke_russian) * Sep 16 - [[Proofpoint] The 
shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK](https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows) | [:closed_book:](../../blob/master/2015/2015.09.16.The-Shadow-Knows) * Sep 16 - [[Trend Micro] Operation Iron Tiger: How China-Based Actors Shifted Attacks from APAC to US Targets](http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states) | [IOC](https://otx.alienvault.com/pulse/55f9910967db8c6fb35179bd/) | [:closed_book:](../../blob/master/2015/2015.09.17.Operation_Iron_Tiger) * Sep 15 - [[Proofpoint] In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) | [:closed_book:](../../blob/master/2015/2015.09.15.PlugX_in_Russia) * Sep 09 - [[Trend Micro] Shadow Force Uses DLL Hijacking, Targets South Korean Company](https://blog.trendmicro.com/trendlabs-security-intelligence/shadow-force-uses-dll-hijacking-targets-south-korean-company/) | [:closed_book:](../../blob/master/2015/2015.09.09.Shadow_Force) * Sep 09 - [[Kaspersky] Satellite Turla: APT Command and Control in the Sky](https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/) | [:closed_book:](../../blob/master/2015/2015.09.09.satellite-turla-apt) * Sep 08 - [[Palo Alto Networks] Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware](http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/) | [:closed_book:](../../blob/master/2015/2015.09.08.Musical_Chairs_Gh0st_Malware) * Sep 01 - [[Trend Micro, Clearsky] The Spy Kittens Are Back: Rocket Kitten 2](http://www.trendmicro.tw/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) | [PDF](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf) | 
[:closed_book:](../../blob/master/2015/2015.09.01.Rocket_Kitten_2)
* Aug 20 - [[Arbor] PlugX Threat Activity in Myanmar](http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf) | [:closed_book:](../../blob/master/2015/2015.08.20.PlugX_Threat_Activity_in_Myanmar)
* Aug 20 - [[Kaspersky] New activity of the Blue Termite APT](https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/) | [:closed_book:](../../blob/master/2015/2015.08.20.new-activity-of-the-blue-termite-apt)
* Aug 19 - [[Symantec] New Internet Explorer zero-day exploited in Hong Kong attacks](http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks) | [:closed_book:](../../blob/master/2015/2015.08.19.new-internet-explorer-zero-day-exploited-hong-kong-attacks)
* Aug 10 - [[ShadowServer] The Italian Connection: An analysis of exploit supply chains and digital quartermasters](http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exploit-supply-chains-and-digital-quartermasters/) | [:closed_book:](../../blob/master/2015/2015.08.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters)
* Aug 08 - [[Cyint] Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign](http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended-plugx-campaign/) | [:closed_book:](../../blob/master/2015/2015.08.08.Poison_Ivy_and_Links_to_an_Extended_PlugX_Campaign)
* Aug 05 - [[Dell] Threat Group-3390 Targets Organizations for Cyberespionage](http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/) | [:closed_book:](../../blob/master/2015/2015.08.05.Threat_Group-3390)
* Aug 04 - [[RSA] Terracotta VPN: Enabler of Advanced Threat Anonymity](https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/) | [:closed_book:](../../blob/master/2015/2015.08.04.Terracotta_VPN)
* Jul 30 - [[ESET] Operation Potao Express](http://www.welivesecurity.com/2015/07/30/operation-potao-express/) | [IOC](https://github.com/eset/malware-ioc/tree/master/potao) | [:closed_book:](../../blob/master/2015/2015.07.30.Operation-Potao-Express)
* Jul 28 - [[Symantec] Black Vine: Formidable cyberespionage group targeted aerospace, healthcare since 2012](http://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012) | [:closed_book:](../../blob/master/2015/2015.07.28.Black_Vine)
* Jul 27 - [[FireEye] HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group](https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html) | [:closed_book:](../../blob/master/2015/2015.07.27.HAMMERTOSS)
* Jul 22 - [[F-SECURE] Duke APT group's latest tools: cloud services and Linux support](https://www.f-secure.com/weblog/archives/00002822.html) | [:closed_book:](../../blob/master/2015/2015.07.22.Duke_APT_groups_latest_tools)
* Jul 20 - [[ThreatConnect] China Hacks the Peace Palace: All Your EEZ’s Are Belong to Us](http://www.threatconnect.com/news/china-hacks-the-peace-palace-all-your-eezs-are-belong-to-us/) | [:closed_book:](../../blob/master/2015/2015.07.20.China_Peace_Palace)
* Jul 20 - [[Palo Alto Networks] Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor](http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/) | [:closed_book:](../../blob/master/2015/2015.07.20.IsSpace_Backdoor)
* Jul 14 - [[Palo Alto Networks] Tracking MiniDionis: CozyCar’s New Ride Is Related to Seaduke](http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/) | [:closed_book:](../../blob/master/2015/2015.07.14.tracking-minidionis-cozycars)
* Jul 14 - [[Trend Micro] An In-Depth Look at How Pawn Storm’s Java Zero-Day Was Used](http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/) | [:closed_book:](../../blob/master/2015/2015.07.14.How_Pawn_Storm_Java_Zero-Day_Was_Used)
* Jul 13 - [[Symantec] "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory](http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory) | [:closed_book:](../../blob/master/2015/2015.07.13.Forkmeiamfamous)
* Jul 13 - [[FireEye] Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability CVE-2015-5119 Following Hacking Team Leak](https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html) | [:closed_book:](../../blob/master/2015/2015.07.13.Demonstrating_Hustle)
* Jul 10 - [[Palo Alto Networks] APT Group UPS Targets US Government with Hacking Team Flash Exploit](http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team-flash-exploit/) | [:closed_book:](../../blob/master/2015/2015.07.10.APT_Group_UPS_Targets_US_Government)
* Jul 09 - [[Symantec] Butterfly: Corporate spies out for financial gain](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf) | [:closed_book:](../../blob/master/2015/2015.07.09.Butterfly)
* Jul 08 - [[Kaspersky] Wild Neutron – Economic espionage threat actor returns with new tricks](https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/) | [:closed_book:](../../blob/master/2015/2015.07.08.Wild_Neutron)
* Jul 08 - [[Volexity] APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)](http://www.volexity.com/blog/?p=158) | [:closed_book:](../../blob/master/2015/2015.07.08.APT_CVE-2015-5119)
* Jun 30 - [[ESET] Dino – the latest spying malware from an allegedly French espionage group analyzed](http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed) | [:closed_book:](../../blob/master/2015/2015.06.30.dino-spying-malware-analyzed)
* Jun 28 - [[Dragon Threat Labs] APT on Taiwan - insight into advances of adversary TTPs](http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html) | [:closed_book:](../../blob/master/2015/2015.06.28.APT_on_Taiwan)
* Jun 26 - [[FireEye] Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) | [:closed_book:](../../blob/master/2015/2015.06.26.operation-clandestine-wolf)
* Jun 24 - [[PwC] UnFIN4ished Business (FIN4)](http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html) | [:closed_book:](../../blob/master/2015/2015.06.24.unfin4ished-business)
* Jun 22 - [[Kaspersky] Winnti targeting pharmaceutical companies](https://securelist.com/blog/research/70991/games-are-over/) | [:closed_book:](../../blob/master/2015/2015.06.22.Winnti_targeting_pharmaceutical_companies)
* Jun 16 - [[Palo Alto Networks] Operation Lotus Blossom](https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html) | [:closed_book:](../../blob/master/2015/2015.06.16.operation-lotus-blossom)
* Jun 15 - [[Citizen Lab] Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114](https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/) | [:closed_book:](../../blob/master/2015/2015.06.15.Targeted-Attacks-against-Tibetan-and-Hong-Kong-Groups)
* Jun 12 - [[Volexity] Afghan Government Compromise: Browser Beware](http://www.volexity.com/blog/?p=134) | [:closed_book:](../../blob/master/2015/2015.06.12.Afghan_Government_Compromise)
* Jun 10 - [[Kaspersky] The Mystery of Duqu 2.0](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) | [IOC](https://securelist.com/files/2015/06/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc) | [Yara](https://securelist.com/files/2015/06/Duqu_2_Yara_rules.pdf) | [:closed_book:](../../blob/master/2015/2015.06.10.The_Mystery_of_Duqu_2_0)
* Jun 10 - [[Crysys] Duqu 2.0](http://blog.crysys.hu/2015/06/duqu-2-0/) | [:closed_book:](../../blob/master/2015/2015.06.10.Duqu_2.0)
* Jun 09 - [[Microsoft] Duqu 2.0 Win32k Exploit Analysis](https://www.virusbtn.com/pdf/conference_slides/2015/OhFlorio-VB2015.pdf) | [:closed_book:](../../blob/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis)
* Jun 04 - [[JP Internet Watch] Blue Thermite targeting Japan (CloudyOmega)](http://internet.watch.impress.co.jp/docs/news/20150604_705541.html) | [:closed_book:](../../blob/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis)
* Jun 03 - [[ClearSky] Thamar Reservoir](http://www.clearskysec.com/thamar-reservoir/) | [:closed_book:](../../blob/master/2015/2015.06.03.thamar-reservoir)
* May 29 - [[360] OceanLotus Report](http://blogs.360.cn/blog/oceanlotus-apt/) | [:closed_book:](../../blob/master/2015/2015.05.29.OceanLotus)
* May 28 - [[Kaspersky] Grabit and the RATs](https://securelist.com/blog/research/70087/grabit-and-the-rats/) | [:closed_book:](../../blob/master/2015/2015.05.28.grabit-and-the-rats)
* May 27 - [[Antiy Labs] Analysis On Apt-To-Be Attack That Focusing On China's Government Agency](http://www.antiy.net/p/analysis-on-apt-to-be-attack-that-focusing-on-chinas-government-agency/) | [:closed_book:](../../blob/master/2015/2015.05.27.APT_to_be)
* May 27 - [[CyberX] BlackEnergy 3 – Exfiltration of Data in ICS Networks](http://cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf) | [:closed_book:](../../blob/master/2015/2015.05.27.BlackEnergy3)
* May 26 - [[ESET] Dissecting Linux/Moose](http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf) | [:closed_book:](../../blob/master/2015/2015.05.26.LinuxMoose)
* May 21 - [[Kaspersky] The Naikon APT and the MsnMM Campaigns](https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/) | [:closed_book:](../../blob/master/2015/2015.05.21.Naikon_APT)
* May 19 - [[Panda] Operation 'Oil Tanker'](http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf) | [:closed_book:](../../blob/master/2015/2015.05.19.Operation_Oil_Tanker)
* May 18 - [[Palo Alto Networks] Cmstar Downloader: Lurid and Enfal’s New Cousin](http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/) | [:closed_book:](../../blob/master/2015/2015.05.18.Cmstar)
* May 14 - [[Trend Micro] Operation Tropic Trooper](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-tropic-trooper-old-vulnerabilities-still-pack-a-punch/) | [:closed_book:](../../blob/master/2015/2015.05.14.Operation_Tropic_Trooper)
* May 14 - [[Kaspersky] The Naikon APT](https://securelist.com/analysis/publications/69953/the-naikon-apt/) | [:closed_book:](../../blob/master/2015/2015.05.14.Naikon_APT)
* May 13 - [[Cylance] SPEAR: A Threat Actor Resurfaces](http://blog.cylance.com/spear-a-threat-actor-resurfaces) | [:closed_book:](../../blob/master/2015/2015.05.13.Spear_Threat)
* May 12 - [[PR Newswire] root9B Uncovers Planned Sofacy Cyber Attack Targeting Several International and Domestic Financial Institutions](http://www.prnewswire.com/news-releases/root9b-uncovers-planned-sofacy-cyber-attack-targeting-several-international-and-domestic-financial-institutions-300081634.html) | [:closed_book:](../../blob/master/2015/2015.05.12.Sofacy_root9B)
* May 07 - [[G DATA] Dissecting the Kraken](https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html) | [:closed_book:](../../blob/master/2015/2015.05.07.Kraken)
* May 05 - [[Ahnlab] Targeted attack on France’s TV5Monde](http://global.ahnlab.com/global/upload/download/documents/1506306551185339.pdf) | [:closed_book:](../../blob/master/2015/2015.05.05.Targeted_attack_on_France_TV5Monde)
* Apr 27 - [[PWC] Attacks against Israeli & Palestinian interests](http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html) | [:closed_book:](../../blob/master/2015/2015.04.27.Attacks_Israeli_Palestinian)
* Apr 22 - [[F-SECURE] CozyDuke](https://www.f-secure.com/documents/996508/1030745/CozyDuke) | [:closed_book:](../../blob/master/2015/2015.04.22.CozyDuke)
* Apr 21 - [[Kaspersky] The CozyDuke APT](http://securelist.com/blog/69731/the-cozyduke-apt) | [:closed_book:](../../blob/master/2015/2015.04.21.CozyDuke_APT)
* Apr 20 - [[PWC] Sofacy II – Same Sofacy, Different Day](http://pwc.blogs.com/cyber_security_updates/2015/04/the-sofacy-plot-thickens.html) | [:closed_book:](../../blob/master/2015/2015.04.20.Sofacy_II)
* Apr 18 - [[FireEye] Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack](https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html) | [:closed_book:](../../blob/master/2015/2015.04.18.Operation_RussianDoll)
* Apr 16 - [[Trend Micro] Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house) | [:closed_book:](../../blob/master/2015/2015.04.16.Operation_Pawn_Storm)
* Apr 15 - [[Kaspersky] The Chronicles of the Hellsing APT: the Empire Strikes Back](http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/) | [:closed_book:](../../blob/master/2015/2015.04.15.Hellsing_APT)
* Apr 12 - [[FireEye] APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation](https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html) | [:closed_book:](../../blob/master/2015/2015.04.12.APT30)
* Mar 31 - [[CheckPoint] Volatile Cedar – Analysis of a Global Cyber Espionage Campaign](http://blog.checkpoint.com/2015/03/31/volatilecedar/) | [:closed_book:](../../blob/master/2015/2015.03.31.Volatile_Cedar)
* Mar 30 - [[CrowdStrike] Chopping packets: Decoding China Chopper Web shell traffic over SSL]() | [:closed_book:](../../blob/master/2015/2015.03.30.Decoding_China_Chopper)
* Mar 19 - [[Trend Micro] Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing) | [:closed_book:](../../blob/master/2015/2015.03.19.Goldfish_Phishing)
* Mar 11 - [[Kaspersky] Inside the EquationDrug Espionage Platform](http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/) | [:closed_book:](../../blob/master/2015/2015.03.11.EquationDrug)
* Mar 10 - [[Citizen Lab] Tibetan Uprising Day Malware Attacks](https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/) | [:closed_book:](../../blob/master/2015/2015.03.10.Tibetan_Uprising)
* Mar 06 - [[F-SECURE] Is Babar a Bunny?](https://www.f-secure.com/weblog/archives/00002794.html) | [:closed_book:](../../blob/master/2015/2015.03.06.Babar_or_Bunny)
* Mar 06 - [[Kaspersky] Animals in the APT Farm](https://securelist.com/animals-in-the-apt-farm/69114/) | [:closed_book:](../../blob/master/2015/2015.03.06.Animals_APT_Farm)
* Mar 05 - [[ESET] Casper Malware: After Babar and Bunny, Another Espionage Cartoon](http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon) | [:closed_book:](../../blob/master/2015/2015.03.05.Casper_Malware)
* Feb 27 - [[ThreatConnect] The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [:closed_book:](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
* Feb 25 - [[FireEye] Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/FireEye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf) | [:closed_book:](../../blob/master/2015/2015.02.25.Southeast_Asia_Threat_Landscape)
* Feb 25 - [[Sophos] PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/) | [:closed_book:](../../blob/master/2015/2015.02.25.PlugX_to_registry)
* Feb 24 - [[PWC] A deeper look into Scanbox](http://pwc.blogs.com/cyber_security_updates/2015/02/a-deeper-look-into-scanbox.html) | [:closed_book:](../../blob/master/2015/2015.02.24.Deeper_Scanbox)
* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [:closed_book:](../../blob/master/2015/2015.02.18.Babar)
* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [:closed_book:](../../blob/master/2015/2015.02.18.Shooting_Elephants)
* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [:closed_book:](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [:closed_book:](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
* Feb 16 - [[Trend Micro] Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome) | [:closed_book:](../../blob/master/2015/2015.02.16.Operation_Arid_Viper)
* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [:closed_book:](../../blob/master/2015/2015.02.16.Carbanak.APT)
* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [:closed_book:](../../blob/master/2015/2015.02.16.equation-the-death-star)
* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [:closed_book:](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
* Feb 04 - [[Trend Micro] Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/) | [:closed_book:](../../blob/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage)
* Feb 02 - [[FireEye] Behind the Syrian Conflict’s Digital Frontlines](https://www.fireeye.com/content/dam/FireEye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [:closed_book:](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [:closed_book:](../../blob/master/2015/2015.01.29.P2P_PlugX)
* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [:closed_book:](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [:closed_book:](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
* Jan 22 - [[Kaspersky] Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [:closed_book:](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
* Jan 22 - [[Symantec] Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt) | [:closed_book:](../../blob/master/2015/2015.01.22.Scarab_attackers_Russian_targets)
* Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [:closed_book:](../../blob/master/2015/2015.01.22.Waterbug.group)
* Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [:closed_book:](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
* Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [:closed_book:](../../blob/master/2015/2015.01.20.Project_Cobra)
* Jan 15 - [[G DATA] Evolution of Agent.BTZ to ComRAT](https://blog.gdatasoftware.com/blog/article/evolution-of-sophisticated-spyware-from-agentbtz-to-comrat.html) | [:closed_book:](../../blob/master/2015/2015.01.15.Evolution_of_Agent.BTZ_to_ComRAT)
* Jan 12 - [[Dell] Skeleton Key Malware Analysis](http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/) | [:closed_book:](../../blob/master/2015/2015.01.12.skeleton-key-malware-analysis)
* Jan 11 - [[Dragon Threat Labs] Hong Kong SWC attack](http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html) | [:closed_book:](../../blob/master/2015/2015.01.11.Hong_Kong_SWC_Attack)

## 2014

* Dec 22 - [[Group-IB] Anunak: APT against financial institutions](http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf) | [:closed_book:](../../blob/master/2014/2014.12.22.Anunak_APT)
* Dec 21 - [[ThreatConnect] Operation Poisoned Helmand](http://www.threatconnect.com/news/operation-poisoned-helmand/) | [:closed_book:](../../blob/master/2014/2014.12.21.Operation_Poisoned_Helmand)
* Dec 19 - [[US-CERT] TA14-353A: Targeted Destructive Malware (wiper)](https://www.us-cert.gov/ncas/alerts/TA14-353A) | [:closed_book:](../../blob/master/2014/2014.12.19.Targeted_Destructive_Malware)
* Dec 18 - [[Citizen Lab] Malware Attack Targeting Syrian ISIS Critics](https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/) | [:closed_book:](../../blob/master/2014/2014.12.18.Syrian_ISIS_Critics)
* Dec 17 - [[CISCO] Wiper Malware – A Detection Deep Dive](http://blogs.cisco.com/security/talos/wiper-malware) | [:closed_book:](../../blob/master/2014/2014.12.17.Wiper_Malware_Deep_Dive)
* Dec 12 - [[Fidelis] Bots, Machines, and the Matrix](http://www.fidelissecurity.com/sites/default/files/FTA_1014_Bots_Machines_and_the_Matrix.pdf) | [:closed_book:](../../blob/master/2014/2014.12.12.Bots_Machines_and_the_Matrix)
* Dec 12 - [[AirBus] Vinself now with steganography](http://blog.cybersecurity-airbusds.com/post/2014/12/Vinself) | [:closed_book:](../../blob/master/2014/2014.12.12.Vinself)
* Dec 10 - [[Ahnlab] South Korea MBR Wiper](http://asec.ahnlab.com/1015) | [:closed_book:](../../blob/master/2014/2014.12.10_South_Korea_MBR_Wiper)
* Dec 10 - [[F-Secure] W64/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w64_regin_stage_1.pdf) | [:closed_book:](../../blob/master/2014/2014.12.10.W64_Regin)
* Dec 10 - [[F-Secure] W32/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf) | [:closed_book:](../../blob/master/2014/2014.12.10_W32_Regin)
* Dec 10 - [[Kaspersky] Cloud Atlas: RedOctober APT](http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/) | [:closed_book:](../../blob/master/2014/2014.12.10.RedOctober_APT)
* Dec 09 - [[BlueCoat] The Inception Framework](https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware) | [:closed_book:](../../blob/master/2014/2014.12.09_The_Inception_Framework)
* Dec 08 - [[Kaspersky] The 'Penquin' Turla](http://securelist.com/blog/research/67962/the-penquin-turla-2/) | [:closed_book:](../../blob/master/2014/2014.12.08.Penquin_Turla)
* Dec 05 - [[Cylance] Operation Cleaver: The Notepad Files](http://blog.cylance.com/operation-cleaver-the-notepad-files) | [:closed_book:](../../blob/master/2014/2014.12.05.Operation_Cleaver)
* Dec 02 - [[Cylance] Operation Cleaver](http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf) | [IOCs](http://www.cylance.com/assets/Cleaver/cleaver.yar) | [:closed_book:](../../blob/master/2014/2014.12.02.Operation_Cleaver)
* Nov 30 - [[FireEye] FIN4: Stealing Insider Information for an Advantage in Stock Trading?](https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html) | [:closed_book:](../../blob/master/2014/2014.11.30.FIN4)
* Nov 24 - [[CrowdStrike] Deep Panda Uses Sakula Malware](http://blog.crowdstrike.com/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/) | [:closed_book:](../../blob/master/2014/2014.11.24.Ironman)
* Nov 24 - [[TheIntercept] Regin: SECRET MALWARE IN EUROPEAN UNION ATTACK LINKED TO U.S. AND BRITISH INTELLIGENCE](https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/) | [:closed_book:](../../blob/master/2014/2014.11.24.Regin_TheIntercept)
* Nov 24 - [[Kaspersky] Kaspersky's report on The Regin Platform](http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/) | [:closed_book:](../../blob/master/2014/2014.11.24.Regin_Platform)
* Nov 24 - [[Symantec] Regin: Top-tier espionage tool enables stealthy surveillance](http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance) | [:closed_book:](../../blob/master/2014/2014.11.24.Regin_Top-tier_espionage)
* Nov 21 - [[FireEye] Operation Double Tap](https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html) | [IOCs](https://github.com/FireEye/iocs/tree/master/APT3) | [:closed_book:](../../blob/master/2014/2014.11.21.Operation_Double_Tap)
* Nov 20 - [[0x1338] EvilBunny: Suspect #4](http://0x1338.blogspot.co.uk/2014/11/hunting-bunnies.html) | [:closed_book:](../../blob/master/2014/2014.11.20.EvilBunny)
* Nov 14 - [[ESET] Roaming Tiger (Slides)](http://2014.zeronights.ru/assets/files/slides/roaming_tiger_zeronights_2014.pdf) | [:closed_book:](../../blob/master/2014/2014.11.14.Roaming_Tiger)
* Nov 14 - [[F-Secure] OnionDuke: APT Attacks Via the Tor Network](http://www.f-secure.com/weblog/archives/00002764.html) | [:closed_book:](../../blob/master/2014/2014.11.14.OnionDuke)
* Nov 13 - [[Symantec] Operation CloudyOmega: Ichitaro 0-day targeting Japan](http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan) | [:closed_book:](../../blob/master/2014/2014.11.13.Operation_CloudyOmega)
* Nov 12 - [[ESET] Korplug military targeted attacks: Afghanistan & Tajikistan](http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/) | [:closed_book:](../../blob/master/2014/2014.11.12.Korplug)
* Nov 11 - [[GDATA] The Uroburos case - Agent.BTZ’s successor, ComRAT](http://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html) | [:closed_book:](../../blob/master/2014/2014.11.11.ComRAT)
* Nov 10 - [[Kaspersky] The Darkhotel APT - A Story of Unusual Hospitality](https://securelist.com/blog/research/66779/the-darkhotel-apt/) | [:closed_book:](../../blob/master/2014/2014.11.10.Darkhotel)
* Nov 03 - [[FireEye] Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement](http://www.fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html) | [:closed_book:](../../blob/master/2014/2014.11.03.Operation_Poisoned_Handover)
* Nov 03 - [[Kaspersky] New observations on BlackEnergy2 APT activity](https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/) | [:closed_book:](../../blob/master/2014/2014.11.03.BlackEnergy2_APT)
* Oct 31 - [[GData] Operation TooHash](https://blog.gdatasoftware.com/blog/article/operation-toohash-how-targeted-attacks-work.html) | [:closed_book:](../../blob/master/2014/2014.10.31.Operation_TooHash)
* Oct 30 - [[Sophos] The Rotten Tomato Campaign](http://blogs.sophos.com/2014/10/30/the-rotten-tomato-campaign-new-sophoslabs-research-on-apts/) | [:closed_book:](../../blob/master/2014/2014.10.30.Rotten_Tomato_Campaign)
* Oct 28 - [[CISCO] Group 72, Opening the ZxShell](http://blogs.cisco.com/talos/opening-zxshell/) | [:closed_book:](../../blob/master/2014/2014.10.28.Group_72_ZxShell)
* Oct 28 - [[FireEye] APT28 - A Window Into Russia's Cyber Espionage Operations](https://www.fireeye.com/resources/pdfs/apt28.pdf) | [:closed_book:](../../blob/master/2014/2014.10.28.APT28)
* Oct 27 - [[Invincea] Micro-Targeted Malvertising via Real-time Ad Bidding](http://www.invincea.com/wp-content/uploads/2014/10/Micro-Targeted-Malvertising-WP-10-27-14-1.pdf) | [:closed_book:](../../blob/master/2014/2014.10.27.Micro-Targeted_Malvertising)
* Oct 27 - [[PWC] ScanBox framework – who’s affected, and who’s using it?](http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html) | [:closed_book:](../../blob/master/2014/2014.10.27.ScanBox_framework)
* Oct 27 - [[Netresec] Full Disclosure of Havex Trojans - ICS Havex backdoors](http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans) | [:closed_book:](../../blob/master/2014/2014.10.27.Havex_Trojans)
* Oct 24 - [[AirBus] LeoUncia and OrcaRat](http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat) | [:closed_book:](../../blob/master/2014/2014.10.24.LeoUncia_and_OrcaRat)
* Oct 23 - [[LEVIATHAN] THE CASE OF THE MODIFIED BINARIES](http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/) | [:closed_book:](../../blob/master/2014/2014.10.23.Modified_Binaries)
* Oct 22 - [[PWC] Sofacy Phishing by PWC](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf) | [:closed_book:](../../blob/master/2014/2014.10.22.Sofacy_Phishing)
* Oct 22 - [[Trend Micro] Operation Pawn Storm: The Red in SEDNIT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf) | [:closed_book:](../../blob/master/2014/2014.10.22.Operation_Pawn_Storm)
* Oct 20 - [[PWC] OrcaRAT - A whale of a tale](http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html) | [:closed_book:](../../blob/master/2014/2014.10.20.OrcaRAT_tale)
* Oct 14 - [[iSightPartners] Sandworm - CVE-2014-4114](http://www.isightpartners.com/2014/10/cve-2014-4114/) | [:closed_book:](../../blob/master/2014/2014.10.14.Sandworm)
* Oct 14 - [[CISCO] Group 72](http://blogs.cisco.com/security/talos/threat-spotlight-group-72/) | [:closed_book:](../../blob/master/2014/2014.10.14.Group_72)
* Oct 14 - [[Novetta] Derusbi Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf) | [:closed_book:](../../blob/master/2014/2014.10.14.Derusbi_Analysis)
* Oct 14 - [[Novetta] Hikit Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf) | [:closed_book:](../../blob/master/2014/2014.10.14.Hikit_Preliminary_Analysis)
* Oct 14 - [[Novetta] ZoxPNG Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf) | [:closed_book:](../../blob/master/2014/2014.10.14.ZoxPNG)
* Oct 09 - [[Volexity] Democracy in Hong Kong Under Attack](http://www.volexity.com/blog/?p=33) | [:closed_book:](../../blob/master/2014/2014.10.09.Democracy_Hong_Kong_Under_Attack)
* Oct 03 - [[Palo Alto Networks] New indicators for APT group Nitro](http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/) | [:closed_book:](../../blob/master/2014/2014.10.03.Nitro_APT)
* Sep 26 - [[F-Secure] BlackEnergy & Quedagh](https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf) | [:closed_book:](../../blob/master/2014/2014.09.26.BlackEnergy_Quedagh)
* Sep 26 - [[FireEye] Aided Frame, Aided Direction (Sunshop Digital Quartermaster)](http://www.fireeye.com/blog/technical/2014/09/aided-frame-aided-direction-because-its-a-redirect.html) | [:closed_book:](../../blob/master/2014/2014.09.26.Aided_Frame_Aided_Direction)
* Sep 23 - [[Kaspersky] Ukraine and Poland Targeted by BlackEnergy (video)](https://www.youtube.com/watch?v=I77CGqQvPE4)
* Sep 19 - [[Palo Alto Networks] Watering Hole Attacks using Poison Ivy by "th3bug" group](http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/) | [:closed_book:](../../blob/master/2014/2014.09.19.th3bug_Poison_Ivy)
* Sep 18 - [[F-Secure] COSMICDUKE: Cosmu with a twist of MiniDuke](http://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf) | [:closed_book:](../../blob/master/2014/2014.09.18.COSMICDUKE)
* Sep 17 - [[U.S. Senate Committee] Chinese intrusions into key defense contractors](http://www.armed-services.senate.gov/press-releases/sasc-investigation-finds-chinese-intrusions-into-key-defense-contractors) | [:closed_book:](../../blob/master/2014/2014.09.17.Chinese_APT_defense_contractors)
* Sep 10 - [[FireEye] Operation Quantum Entanglement](http://www.fireeye.com/resources/pdfs/white-papers/FireEye-operation-quantum-entanglement.pdf) | [:closed_book:](../../blob/master/2014/2014.09.10.Operation_Quantum_Entanglement)
* Sep 08 - [[Usenix] When Governments Hack Opponents: A Look at Actors and Technology](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-marczak.pdf) | [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/marczak) | [:closed_book:](../../blob/master/2014/2014.09.08.When_Governments_Hack_Opponents)
* Sep 08 - [[Usenix] Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf) | [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/hardy) | [:closed_book:](../../blob/master/2014/2014.09.08.Targeted_Threat_Index)
* Sep 04 - [[ClearSky] Gholee – a “Protective Edge” themed spear phishing campaign](http://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/) | [:closed_book:](../../blob/master/2014/2014.09.04.Gholee)
* Sep 04 - [[FireEye] Forced to Adapt: XSLCmd Backdoor Now on OS X](http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html) | [:closed_book:](../../blob/master/2014/2014.09.04.XSLCmd_OSX)
* Sep 04 - [[Netresec] Analysis of Chinese MITM on Google](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Chinese_MITM_Google.pdf) | [:closed_book:](../../blob/master/2014/2014.09.04.Analysis_of_Chinese_MITM_on_Google)
* Sep 03 - [[FireEye] Darwin’s Favorite APT Group (APT12)](http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html) | [:closed_book:](../../blob/master/2014/2014.09.03.Darwin_APT)
* Aug 29 - [[FireEye] Syrian Malware Team Uses BlackWorm for Attacks](http://www.fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html) | [:closed_book:](../../blob/master/2014/2014.08.29.BlackWorm_Syrian)
* Aug 28 - [[AlienVault] Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks](https://www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks) | [:closed_book:](../../blob/master/2014/2014.08.28.Scanbox_Framework_Watering_Hole_Attack)
* Aug 27 - [[Kaspersky] NetTraveler APT Gets a Makeover for 10th Birthday](https://securelist.com/blog/research/66272/nettraveler-apt-gets-a-makeover-for-10th-birthday/) | [:closed_book:](../../blob/master/2014/2014.08.27.NetTraveler)
* Aug 25 - [[Malware Must Die] Vietnam APT Campaign](http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html) | [:closed_book:](../../blob/master/2014/2014.08.25.Vietnam_APT)
* Aug 20 - [[Kaspersky] El Machete](https://securelist.com/blog/research/66108/el-machete/) | [:closed_book:](../../blob/master/2014/2014.08.20.El_Machete)
* Aug 18 - [[Kaspersky] The Syrian Malware House of Cards](https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/) | [:closed_book:](../../blob/master/2014/2014.08.18.Syrian_Malware_House_of_Cards)
* Aug 16 - [[HP] Profiling an enigma: The mystery of North Korea’s cyber threat landscape](https://time.com/wp-content/uploads/2014/12/hpsr_securitybriefing_episode16_northkorea.pdf) | [:closed_book:](../../blob/master/2014/2014.08.16.North_Korea_cyber_threat_landscape)
* Aug 13 - [[USENIX] A Look at Targeted Attacks Through the Lense of an NGO](http://www.mpi-sws.org/~stevens/pubs/sec14.pdf) | [:closed_book:](../../blob/master/2014/2014.08.13.TargetAttack.NGO)
* Aug 12 - [[FireEye] New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)](http://www.fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html) | [:closed_book:](../../blob/master/2014/2014.08.12.New_York_Times_Attackers)
* Aug 07 - [[Kaspersky] The Epic Turla Operation Appendix](https://securelist.com/files/2014/08/KL_Epic_Turla_Technical_Appendix_20140806.pdf) | [:closed_book:](../../blob/master/2014/2014.08.07.Epic_Turla_Operation_Appendix)
* Aug 06 - [[FireEye] Operation Poisoned Hurricane](http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html) | [:closed_book:](../../blob/master/2014/2014.08.06.Operation_Poisoned_Hurricane)
* Aug 05 - [[ThreatConnect] Operation Arachnophobia](http://threatc.s3-website-us-east-1.amazonaws.com/?/arachnophobia) | [:closed_book:](../../blob/master/2014/2014.08.05.Operation_Arachnophobia)
* Aug 04 - [[FireEye] SIDEWINDER TARGETED ATTACK AGAINST ANDROID IN THE GOLDEN AGE OF AD LIBRARIES](http://www.fireeye.com/resources/pdfs/FireEye-sidewinder-targeted-attack.pdf) | [:closed_book:](../../blob/master/2014/2014.08.04.Sidewinder_GoldenAge)
* Jul 31 - [[Kaspersky] Energetic Bear/Crouching Yeti](https://kasperskycontenthub.com/securelist/files/2014/07/EB-YetiJuly2014-Public.pdf) | [:closed_book:](../../blob/master/2014/2014.07.31.Energetic_Bear)
* Jul 29 - [[Dell] Threat Group-3279 Targets the Video Game Industry](https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry) | [:closed_book:](../../blob/master/2014/2014.07.29.Threat_Group-3279_Targets_the_Video_Game_Industry)
* Jul 20 - [[Vinsula] Sayad (Flying Kitten) Analysis & IOCs](http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/) | [:closed_book:](../../blob/master/2014/2014.07.20.Flying_Kitten)
* Jul 11 - [[AirBus] Pitty Tiger](https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf) | [:closed_book:](../../blob/master/2014/2014.07.11.Pitty_Tiger)
* Jul 10 - [[CIRCL] TR-25 Analysis - Turla / Pfinet / Snake / Uroburos](http://www.circl.lu/pub/tr-25/) | [:closed_book:](../../blob/master/2014/2014.07.10.Turla_Pfinet_Snake_Uroburos)
* Jul 10 - [[TrapX] Anatomy of the Attack: Zombie Zero](http://www.trapx.com/wp-content/uploads/2014/07/TrapX_ZOMBIE_Report_Final.pdf) | [:closed_book:](../../blob/master/2014/2014.07.10.Zombie_Zero)
* Jul 07 - [[CrowdStrike] Deep Pandas, Deep in Thought: Chinese Targeting of National Security Think Tanks](http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/) | [:closed_book:](../../blob/master/2014/2014.07.07.Deep_in_Thought)
* Jun 30 - [[Symantec] Dragonfly: Cyberespionage Attacks Against Energy Suppliers](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf) | [:closed_book:](../../blob/master/2014/2014.06.30.Dragonfly)
* Jun 20 - [[Blitzanalysis] Embassy of Greece Beijing](http://thegoldenmessenger.blogspot.de/2014/06/blitzanalysis-embassy-of-greece-beijing.html) | [:closed_book:](../../blob/master/2014/2014.06.20.Embassy_of_Greece_Beijing)
* Jun 09 - [[CrowdStrike] Putter Panda](http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf) | [:closed_book:](../../blob/master/2014/2014.06.09.Putter_Panda)
* Jun 06 - [[Arbor] Illuminating The Etumbot APT Backdoor (APT12)](http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf) | [:closed_book:](../../blob/master/2014/2014.06.06.Etumbot_APT_Backdoor)
* May 28 - [[iSightPartners] 
NewsCaster_An_Iranian_Threat_Within_Social_Networks](https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/) | [:closed_book:](../../blob/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks) * May 21 - [[Fidelis] RAT in jar: A phishing campaign using Unrecom](http://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf) | [:closed_book:](../../blob/master/2014/2014.05.21.Unrecom_Rat) * May 20 - [[ESET] Miniduke Twitter C&C](http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/) | [:closed_book:](../../blob/master/2014/2014.05.20.Miniduke_Twitter_CnC) * May 13 - [[CrowdStrike] Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN](http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/) | [:closed_book:](../../blob/master/2014/2014.05.13.Flying.Kitten) * May 13 - [[FireEye] Operation Saffron Rose (aka Flying Kitten)](http://www.fireeye.com/resources/pdfs/FireEye-operation-saffron-rose.pdf) | [:closed_book:](../../blob/master/2014/2014.05.13.Operation_Saffron_Rose) * Apr 26 - [[FireEye] CVE-2014-1776: Operation Clandestine Fox](https://www.fireeye.com/blog/threat-research/2014/05/operation-clandestine-fox-now-attacking-windows-xp-using-recently-discovered-ie-vulnerability.html) | [:closed_book:](../../blob/master/2014/2014.04.26.Operation_Clandestine_Fox) * Mar 12 - [[FireEye] A Detailed Examination of the Siesta Campaign](https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html) | [:closed_book:](../../blob/master/2014/2014.03.12.Detailed_Siesta_Campaign) * Mar 08 - [[Reuters] Russian spyware Turla](http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307) | [:closed_book:](../../blob/master/2014/2014.03.08.Russian_spyware_Turla) * Mar 07 - [[BAE] Snake Campaign & Cyber Espionage 
Toolkit](http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf) | [:closed_book:](../../blob/master/2014/2014.03.07.Snake_Campaign) * Mar 06 - [[Trend Micro] The Siesta Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/) | [:closed_book:](../../blob/master/2014/2014.03.06.The_Siesta_Campaign) * Feb 28 - [[GData] Uroburos: Highly complex espionage software with Russian roots](https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf) | [:closed_book:](../../blob/master/2014/2014.02.28.Uroburos) * Feb 25 - [[CrowdStrike] The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity](http://blog.crowdstrike.com/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/) | [:closed_book:](../../blob/master/2014/2014.02.25.The_French_Connection) * Feb 23 - [[Fidelis] Gathering in the Middle East, Operation STTEAM](http://www.fidelissecurity.com/sites/default/files/FTA%201012%20STTEAM%20Final.pdf) | [:closed_book:](../../blob/master/2014/2014.02.23.Operation_STTEAM) * Feb 20 - [[CrowdStrike] Mo' Shells Mo' Problems - Deep Panda Web Shells](http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/) | [:closed_book:](../../blob/master/2014/2014.02.20.deep-panda-webshells) * Feb 20 - [[FireEye] Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit](http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html) | [:closed_book:](../../blob/master/2014/2014.02.20.Operation_GreedyWonk) * Feb 19 - [[FireEye] XtremeRAT: Nuisance or Threat?](http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html) | 
[:closed_book:](../../blob/master/2014/2014.02.19.XtremeRAT) * Feb 19 - [[Context Information Security] The Monju Incident](http://contextis.com/resources/blog/context-threat-intelligence-monju-incident/) | [:closed_book:](../../blob/master/2014/2014.02.19.Monju_Incident) * Feb 13 - [[FireEye] Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website](http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html) | [:closed_book:](../../blob/master/2014/2014.02.13_Operation_SnowMan) * Feb 11 - [[Kaspersky] Unveiling "Careto" - The Masked APT](http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf) | [:closed_book:](../../blob/master/2014/2014.02.11_Careto_APT) * Jan 31 - [[Fidelis] Intruder File Report- Sneakernet Trojan](http://www.fidelissecurity.com/sites/default/files/FTA%201011%20Follow%20UP.pdf) | [:closed_book:](../../blob/master/2014/2014.01.31.Sneakernet_Trojan) * Jan 21 - [[RSA] Shell_Crew (Deep Panda)](http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf) | [:closed_book:](../../blob/master/2014/2014.01.21.Shell_Crew) * Jan 15 - [[Fidelis] New CDTO: A Sneakernet Trojan Solution](http://www.fidelissecurity.com/sites/default/files/FTA%201001%20FINAL%201.15.14.pdf) | [:closed_book:](../../blob/master/2014/2014.01.15.Sneakernet_Trojan) * Jan 14 - [[Kaspersky] The Icefog APT Hits US Targets With Java Backdoor](https://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor) | [:closed_book:](../../blob/master/2014/2014.01.14.Icefog_APT) * Jan 13 - [[Symantec] Targeted attacks against the Energy Sector](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf) | [:closed_book:](../../blob/master/2014/2014.01.13.Targeted_Attacks_Energy_Sector) * Jan 06 - [[AirBus] PlugX: some uncovered 
points](https://airbus-cyber-security.com/plugx-some-uncovered-points/) | [:closed_book:](../../blob/master/2014/2014.01.06.PlugX) ## 2013 * XXX XX - [[CERT-ISAC] Inside Report – APT Attacks on Indian Cyber Space]() | [:closed_book:](../../blob/master/2013/2013.00.00.APT_Attacks_on_Indian_Cyber_Space) * XXX XX - [[KPMG] Energy at Risk: A Study of IT Security in the Energy and Natural Resources Industry]() | [:closed_book:](../../blob/master/2013/2013.00.00.Energy_at_Risk) * XXX XX - [[FireEye] THE LITTLE MALWARE THAT COULD: Detecting and Defeating the China Chopper Web Shell](https://www.fireeye.com/content/dam/FireEye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf) | [:closed_book:](../../blob/master/2013/2013.00.00.China_Chopper_Web_Shell) * XXX XX - [[CrowdStrike] Deep Panda](http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf) | [:closed_book:](../../blob/master/2013/2013.00.00.Deep.Panda) * XXX XX - [[CISAK] Dark Seoul Cyber Attack: Could it be worse?](http://cisak.perpika.kr/2013/wp-content/uploads/2013/06/Accepted-Papers.xlsx) | [:closed_book:](../../blob/master/2013/2013.00.00.Dark_Seoul_Cyber_Attack) * XXX XX - [[Fireeye] OPERATION SAFFRON ROSE](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf) | [:closed_book:](../../blob/master/2013/2013.00.00.OPERATION_SAFFRON_ROSE) * Dec 20 - [[Ahnlab] ETSO APT Attacks Analysis](http://image.ahnlab.com/global/upload/download/documents/1401223631603288.pdf) | [:closed_book:](../../blob/master/2013/2013.12.20.ETSO) * Dec 12 - [[FireEye] Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs](https://www.fireeye.com/blog/executive-perspective/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html) | [:closed_book:](../../blob/master/2013/2013.12.12.Operation_Ke3chang) * Dec 02 - [[Fidelis] njRAT, The Saga 
Continues](http://www.fidelissecurity.com/files/files/FTA%201010%20-%20njRAT%20The%20Saga%20Continues.pdf) | [:closed_book:](../../blob/master/2013/2013.12.02.njRAT_Saga_Continues) * Nov 10 - [[FireEye] Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method](http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html) | [:closed_book:](../../blob/master/2013/2013.11.10.Operation_Ephemeral_Hydra) * Oct 25 - [[FireEye] Evasive Tactics: Terminator RAT](https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-rat.html) | [:closed_book:](../../blob/master/2013/2013.10.25.Terminator_RAT) * Oct 24 - [[Trend Micro] FakeM RAT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf) | [:closed_book:](../../blob/master/2013/2013.10.24.FakeM_RAT) * Sep 25 - [[Kaspersky] The 'ICEFROG' APT: A Tale of cloak and three daggers](http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf) | [:closed_book:](../../blob/master/2013/2013.09.25.ICEFROG_APT) * Sep 21 - [[FireEye] Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets](https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html) | [:closed_book:](../../blob/master/2013/2013.09.21.Operation_DeputyDog) * Sep 19 - [[Trend Micro] 2Q 2013 Report on Targeted Attack Campaigns: A Look Into EvilGrab](https://www.trendmicro.tw/vinfo/hk/security/news/cyber-attacks/2q-2013-report-on-targeted-attack-campaigns-a-look-into-evilgrab) | [:closed_book:](../../blob/master/2013/2013.09.19.EvilGrab) * Sep 17 - [[Symantec] Hidden Lynx - Professional Hackers for Hire](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf) | [:closed_book:](../../blob/master/2013/2013.09.17.Hidden_Lynx) * Sep 11 - [[Kaspersky] The "Kimsuky" 
Operation](https://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/) | [:closed_book:](../../blob/master/2013/2013.09.11.Kimsuky_Operation) * Sep 06 - [[FireEye] Evasive Tactics: Taidoor](https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html) | [:closed_book:](../../blob/master/2013/2013.09.06.EvasiveTactics_Taidoor) * Aug 23 - [[FireEye] Operation Molerats: Middle East Cyber Attacks Using Poison Ivy](http://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html) | [:closed_book:](../../blob/master/2013/2013.08.23.Operation_Molerats) * Aug 21 - [[FireEye] POISON IVY: Assessing Damage and Extracting Intelligence](http://www.fireeye.com/resources/pdfs/FireEye-poison-ivy-report.pdf) | [:closed_book:](../../blob/master/2013/2013.08.21.POISON_IVY) * Aug 19 - [[Rapid7] ByeBye Shell and the targeting of Pakistan](https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan) | [:closed_book:](../../blob/master/2013/2013.08.19.ByeBye_Shell) * Aug 02 - [[CitizenLab] Surtr: Malware Family Targeting the Tibetan Community](https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/) | [:closed_book:](../../blob/master/2013/2013.08.02.Surtr_Targeting_Tibetan) * Aug 02 - [[ThreatConnect] Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up](http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/) | [:closed_book:](../../blob/master/2013/2013.08.02.Smoke_Fire_South_Asian_Cyber_Espionage) * Jul 31 - [[BlackHat] Hunting the Shadows: In Depth Analysis of Escalated APT Attacks](https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf) | [:closed_book:](../../blob/master/2013/2013.07.31.Hunting_the_Shadows) * Jul 31 - [[Dell] Secrets of the Comfoo 
Masters](http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/) | [:closed_book:](../../blob/master/2013/2013.07.31.ecrets_of_the_Comfoo_Masters) * Jul 15 - [[Sophos] The PlugX malware revisited: introducing "Smoaler"](http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf) | [:closed_book:](../../blob/master/2013/2013.07.15.PlugX_Smoaler) * Jul 01 - [[McAfee] Targeted Campaign Steals Credentials in Gulf States and Caribbean](https://www.kashifali.ca/2013/07/01/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean/) | [:closed_book:](../../blob/master/2013/2013.07.01.Gulf_States_APT) * Jun 28 - [[ThreatGeek] njRAT Uncovered](http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf) | [:closed_book:](../../blob/master//2013/2013.06.28.njRAT_Uncovered) * Jun 21 - [[Citizen Lab] A Call to Harm: New Malware Attacks Target the Syrian Opposition](https://citizenlab.org/wp-content/uploads/2013/07/19-2013-acalltoharm.pdf) | [:closed_book:](../../blob/master/2013/2013.06.21.Syrian_Attack) * Jun 18 - [[FireEye] Trojan.APT.Seinup Hitting ASEAN](http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html) | [:closed_book:](../../blob/master/2013/2013.06.18.APT_Seinup) * Jun 07 - [[Rapid7] KeyBoy, Targeted Attacks against Vietnam and India](https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india) | [:closed_book:](../../blob/master/2013/2013.06.07.KeyBoy_APT) * Jun 04 - [[Kaspersky] The NetTraveller (aka 'Travnet')](http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf) | [:closed_book:](../../blob/master/2013/2013.06.04.NetTraveller) * Jun 01 - [[Purdue] Crude Faux: An analysis of cyber conflict within the oil & gas industries](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-9.pdf) | 
[:closed_book:](../../blob/master/2013/2013.06.01.cyber_conflict_Oil_Gas) * Jun XX - [[BlueCoat] The Chinese Malware Complexes: The Maudi Surveillance Operation](https://bluecoat.com/documents/download/2c832f0f-45d2-4145-bdb7-70fc78c22b0f&ei=ZGP-VMCbMsuxggSThYDgDg&usg=AFQjCNFjXSkn_AIiXge1X9oWZHzQOiNDJw&sig2=B6e2is0sCnGEbLPL9q0eZg&bvm=bv.87611401,d.eXY) | [:closed_book:](../../blob/master/2013/2013.06.00.Maudi_Surveillance_Operation) * May 30 - [[CIRCL] TR-14 - Analysis of a stage 3 Miniduke malware sample](http://www.circl.lu/pub/tr-14/) | [:closed_book:](../../blob/master/2013/2013.05.20.Miniduke.Analysis) * May 20 - [[Norman] OPERATION HANGOVER: Unveiling an Indian Cyberattack Infrastructure](http://www.thecre.com/fnews/wp-content/uploads/2013/05/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf) | [:closed_book:](../../blob/master/2013/2013.05.20.Operation_Hangover) * May 16 - [[ESET] Targeted information stealing attacks in South Asia use email, signed binaries](https://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/) | [:closed_book:](../../blob/master/2013/2013.05.16.targeted-threat-pakistan-india) * Apr 21 - [[Bitdefender] MiniDuke - The Final Cut](http://labs.bitdefender.com/2013/04/miniduke-the-final-cut) | [:closed_book:](../../blob/master/2013/2013.04.21.MiniDuke) * Apr 13 - [[Kaspersky] "Winnti" More than just a game](http://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf) | [:closed_book:](../../blob/master/2013/2013.04.13.Winnti) * Apr 07 - [[FireEye] WORLD WAR C](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-wwc-report.pdf) | [:closed_book:](../../blob/master/2013/2013.04.07_WORLD_WAR_C) * Apr 01 - [[FireEye] Trojan.APT.BaneChant](http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html) | [:closed_book:](../../blob/master/2013/2013.04.01.APT_BaneChant) * Mar 28 - [[Circl] 
TR-12 - Analysis of a PlugX malware variant used for targeted attacks](http://www.circl.lu/pub/tr-12/) | [:closed_book:](../../blob/master/2013/2013.03.28.TR-12_PlugX_malware) * Mar 27 - [[malware.lu] APT1: technical backstage (Terminator/Fakem RAT)](http://www.malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf) | [:closed_book:](../../blob/master/2013/2013.03.27.APT1_technical_backstage) * Mar 21 - [[Fidelis] Darkseoul/Jokra Analysis And Recovery](https://old.fidelissecurity.com/sites/default/files/FTA%201008%20-%20Darkseoul-Jokra%20Analysis%20and%20Recovery.pdf) | [:closed_book:](../../blob/master/2013/2013.03.21.Darkseoul) * Mar 20 - [[Kaspersky] The TeamSpy Crew Attacks](http://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/) | [:closed_book:](../../blob/master/2013/2013.03.20.TeamSpy_Crew) * Mar 20 - [[McAfee] Dissecting Operation Troy](http://www.mcafee.com/sg/resources/white-papers/wp-dissecting-operation-troy.pdf) | [:closed_book:](../../blob/master/2013/2013.03.20.Operation_Troy) * Mar 17 - [[Trend Micro] Safe: A Targeted Threat](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf) | [:closed_book:](../../blob/master/2013/2013.03.17.Targeted_Threat) * Mar 13 - [[Citizen lab] You Only Click Twice: FinFisher’s Global Proliferation](https://citizenlab.org/wp-content/uploads/2013/07/15-2013-youonlyclicktwice.pdf) | [:closed_book:](../../blob/master/2013/2013.03.13.FinFisher) * Feb 27 - [[Crysys] Miniduke: Indicators v1](http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf) | [:closed_book:](../../blob/master/2013/2013.02.27.MiniDuke_Indicators) * Feb 27 - [[Kaspersky] The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor](https://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf) | [:closed_book:](../../blob/master/2013/2013.02.27.MiniDuke_Mystery) * Feb 
26 - [[Symantec] Stuxnet 0.5: The Missing Link](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf) | [:closed_book:](../../blob/master/2013/2013.02.26.Stuxnet_0.5) * Feb 22 - [[Symantec] Comment Crew: Indicators of Compromise](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf) | [:closed_book:](../../blob/master/2013/2013.02.22.Comment_Crew) * Feb 18 - [[FireEye] Mandiant APT1 Report](http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) | [:closed_book:](../../blob/master/2013/2013.02.18.APT1) * Feb 12 - [[AIT] Targeted cyber attacks: examples and challenges ahead](http://www.ait.ac.at/uploads/media/Presentation_Targeted-Attacks_EN.pdf) | [:closed_book:](../../blob/master/2013/2013.02.12.Targeted-Attacks) * Jan 18 - [[McAfee] Operation Red October](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24250/en_US/McAfee_Labs_Threat_Advisory_Exploit_Operation_Red_Oct.pdf) | [:closed_book:](../../blob/master/2013/2013.01.18.Operation_Red_Oct) * Jan 14 - [[Kaspersky] The Red October Campaign](https://securelist.com/blog/incidents/57647/the-red-october-campaign) | [:closed_book:](../../blob/master/2013/2013.01.14.Red_October_Campaign) * Jan 02 - [[FireEye] SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-malware-supply-chain.pdf) | [:closed_book:](../../blob/master/2013/2013.01.02.SUPPLY_CHAIN_ANALYSIS) ## 2012 * Nov 13 - [[FireEye] Poison Ivy Malware Analysis](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf) | [:closed_book:](../../blob/master/2012/2012.11.13.Poison_Ivy) * Nov 03 - [[CyberPeace] Systematic cyber attacks against Israeli and Palestinian targets going on for a 
year](http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf) | [:closed_book:](../../blob/master/2012/2012.11.03.Israeli_and_Palestinian_Attack) * Nov 01 - [[Fidelis] RECOVERING FROM SHAMOON](http://www.fidelissecurity.com/sites/default/files/FTA%201007%20-%20Shamoon.pdf) | [:closed_book:](../../blob/master/2012/2012.11.01.RECOVERING_FROM_SHAMOON) * Oct 31 - [[DEA] CYBER ESPIONAGE Against Georgian Government (Georbot Botnet)](http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf) | [:closed_book:](../../blob/master/2012/2012.10.31.CYBER_ESPIONAGE_Georbot_Botnet) * Oct 27 - [[Symantec] Trojan.Taidoor: Targeting Think Tanks](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf) | [:closed_book:](../../blob/master/2012/2012.10.27.Taidoor) * Oct 08 - [[Matasano] pest control: taming the rats](http://matasano.com/research/PEST-CONTROL.pdf) | [:closed_book:](../../blob/master/2012/2012.10.08.Pest_Control) * Sep 18 - [[Dell] The Mirage Campaign](http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/) | [:closed_book:](../../blob/master/2012/2012.09.18.Mirage_Campaign) * Sep 12 - [[RSA] The VOHO Campaign: An in depth analysis](http://blogsdev.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf) | [:closed_book:](../../blob/master/2012/2012.09.12.VOHO_Campaign) * Sep 07 - [[Citizen lab] IEXPLORE RAT](https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf) | [:closed_book:](../../blob/master/2012/2012.09.07.IEXPLORE_RAT) * Sep 06 - [[Symantec] The Elderwood Project](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf) | [:closed_book:](../../blob/master/2012/2012.09.06.Elderwood) * Aug 19 - [[Rapid7] ByeBye Shell and the targeting of Pakistan](https://blog.rapid7.com/2013/08/19/byebye-and-the-targeting-of-pakistan/) | 
[:closed_book:](../../blob/master/2012/2012.08.19.ByeBye_Shell) * Aug 18 - [[Trend Micro] The Taidoor Campaign AN IN-DEPTH ANALYSIS ](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf) | [:closed_book:](../../blob/master/2012/2012.08.18.Taidoor_Campaign) * Aug 09 - [[Kaspersky] Gauss: Abnormal Distribution](http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-lab-gauss.pdf) | [:closed_book:](../../blob/master/2012/2012.08.09.Gauss) * Jul 27 - [[Kaspersky] The Madi Campaign](https://securelist.com/analysis/36609/the-madi-infostealers-a-detailed-analysis/) | [:closed_book:](../../blob/master/2012/2012.07.27.Madi_Campaign) * Jul 25 - [[Citizen lab] From Bahrain With Love: FinFisher’s Spy Kit Exposed?](https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/) | [:closed_book:](../../blob/master/2012/2012.07.25.FinFisher_Spy_Kit) * Jul 11 - [[Wired] Wired article on DarkComet creator](http://www.wired.com/2012/07/dark-comet-syrian-spy-tool/) | [:closed_book:](../../blob/master/2012/2012.07.11.DarkComet_Creator) * Jul 10 - [[Citizenlab] Advanced Social Engineering for the Distribution of LURK Malware](https://citizenlab.org/wp-content/uploads/2012/07/10-2012-recentobservationsintibet.pdf) | [:closed_book:](../../blob/master/2012/2012.07.10.SE_LURK_Malware) * May 31 - [[Crysys] sKyWIper (Flame/Flamer)](http://www.crysys.hu/skywiper/skywiper.pdf) | [:closed_book:](../../blob/master/2012/2012.05.31.Flame_sKyWIper) * May 22 - [[Trend Micro] IXESHE An APT Campaign](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf) | [:closed_book:](../../blob/master/2012/2012.05.22.IXESHE) * May 18 - [[Symantec] Analysis of Flamer C&C Server](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf) | [:closed_book:](../../blob/master/2012/2012.05.18.Flamer_CnC) * Apr 16 - [[Kaspersky] 
OSX.SabPub & Confirmed Mac APT attacks](http://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/) | [:closed_book:](../../blob/master/2012/2012.04.16.OSX.SabPub) * Apr 10 - [[McAfee] Anatomy of a Gh0st RAT](http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf) | [:closed_book:](../../blob/master/2012/2012.04.10.Gh0st_RAT) * Mar 26 - [[Trend Micro] Luckycat Redux](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf) | [:closed_book:](../../blob/master/2012/2012.03.26.Luckycat_Redux) * Mar 13 - [[Arbor] Reversing DarkComet RAT's crypto](http://www.arbornetworks.com/asert/wp-content/uploads/2012/07/Crypto-DarkComet-Report.pdf) | [:closed_book:](../../blob/master/2012/2012.03.13.DarkComet_RAT) * Mar 12 - [[contextis] Crouching Tiger, Hidden Dragon, Stolen Data](http://www.contextis.com/services/research/white-papers/crouching-tiger-hidden-dragon-stolen-data/) | [:closed_book:](../../blob/master/2012/2012.03.12.Crouching_Tiger) * Feb 29 - [[Dell] The Sin Digoo Affair](http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/) | [:closed_book:](../../blob/master/2012/2012.02.29.Sin_Digoo_Affair) * Feb 03 - [[CommandFive] Command and Control in the Fifth Domain](http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf) | [:closed_book:](../../blob/master/2012/2012.02.03.Fifth_Domain_CnC) * Jan 03 - [[Trend Micro] The HeartBeat APT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf) | [:closed_book:](../../blob/master/2012/2012.01.03.HeartBeat_APT) ## 2011 * Dec 08 - [[Norman] Palebot trojan harvests Palestinian online credentials](https://web.archive.org/web/20130308090454/http://blogs.norman.com/2011/malware-detection-team/palebot-trojan-harvests-palestinian-online-credentials) | [:closed_book:](../../blob/master/2011/2011.12.08.Palebot_Trojan) * Nov 15 - 
[[Norman] The many faces of Gh0st Rat](http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf) | [:closed_book:](../../blob/master/2011/2011.11.15.Many_Faces_Gh0st_Rat)
* Oct 31 - [[Symantec] The Nitro Attacks: Stealing Secrets from the Chemical Industry](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf) | [:closed_book:](../../blob/master/2011/2011.10.31.Nitro)
* Oct 26 - [[Dell] Duqu Trojan Questions and Answers](http://www.secureworks.com/cyber-threat-intelligence/threats/duqu/) | [:closed_book:](../../blob/master/2011/2011.10.26.Duqu)
* Oct 12 - [[Zscaler] Alleged APT Intrusion Set: "1.php" Group](http://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf) | [:closed_book:](../../blob/master/2011/2011.10.12.1.php.group)
* Sep 22 - [[Trend Micro] The "LURID" Downloader](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf) | [:closed_book:](../../blob/master/2011/2011.09.22.LURID_Downloader)
* Sep 11 - [[CommandFive] SK Hack by an Advanced Persistent Threat](http://www.commandfive.com/papers/C5_APT_SKHack.pdf) | [:closed_book:](../../blob/master/2011/2011.09.11.SK_Hack)
* Sep 09 - [[Fidelis] The RSA Hack](http://www.fidelissecurity.com/sites/default/files/FTA1001-The_RSA_Hack.pdf) | [:closed_book:](../../blob/master/2011/2011.09.09.RSA_Hack)
* Aug 04 - [[McAfee] Operation Shady RAT](http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf) | [:closed_book:](../../blob/master/2011/2011.08.04.Operation_Shady_RAT)
* Aug 03 - [[Dell] HTran and the Advanced Persistent Threat](http://www.secureworks.com/cyber-threat-intelligence/threats/htran/) | [:closed_book:](../../blob/master/2011/2011.08.03.HTran)
* Aug 02 - [[vanityfair] Operation Shady RAT: Vanity](http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109) | [:closed_book:](../../blob/master/2011/2011.08.02.Operation_Shady_RAT_Vanity)
* Jun ?? - [[CommandFive] Advanced Persistent Threats: A Decade in Review]() | [:closed_book:](../../blob/master/2011/2011.06.APT)
* Apr 20 - [[ESET] Stuxnet Under the Microscope](http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf) | [:closed_book:](../../blob/master/2011/2011.04.20.Stuxnet)
* Feb 18 - [[NERC] Night Dragon Specific Protection Measures for Consideration](http://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/2011%20Alerts/A-2011-02-18-01%20Night%20Dragon%20Attachment%201.pdf) | [:closed_book:](../../blob/master/2011/2011.02.18.Night_Dragon.Specific)
* Feb 10 - [[McAfee] Global Energy Cyberattacks: Night Dragon](http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf) | [:closed_book:](../../blob/master/2011/2011.02.10.Night_Dragon)

## 2010
* Dec 09 - [[CRS] The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability](http://www.fas.org/sgp/crs/natsec/R41524.pdf) | [:closed_book:](../../blob/master/2010/2010.12.09.Stuxnet_Worm)
* Sep 30 - [[Symantec] W32.Stuxnet Dossier](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf) | [:closed_book:](../../blob/master/2010/2010.09.30.W32.Stuxnet_Dossier)
* Sep 03 - [[Seculert] The "MSUpdater" Trojan And Ongoing Targeted Attacks](http://www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf) | [:closed_book:](../../blob/master/2010/2010.09.03.MSUpdater.Trojan)
* Apr 06 - [[ShadowServer] Shadows in the cloud: Investigating Cyber Espionage 2.0](http://www.nartv.org/mirror/shadows-in-the-cloud.pdf) | [:closed_book:](../../blob/master/2010/2010.04.06.Shadows_in_the_cloud)
* Mar 14 - [[CA] In-depth Analysis of Hydraq](http://www.totaldefense.com/Core/DownloadDoc.aspx?documentID=1052) | [:closed_book:](../../blob/master/2010/2010.03.14.Hydraq)
* Feb 10 - [[HB Gary] Threat Report: Operation Aurora](http://hbgary.com/sites/default/files/publications/WhitePaper%20HBGary%20Threat%20Report,%20Operation%20Aurora.pdf) | [:closed_book:](../../blob/master/2010/2010.02.10.Threat_Report_Operation_Aurora)
* Jan ?? - [[Triumfant] Case Study: Operation Aurora](http://www.triumfant.com/pdfs/Case_Study_Operation_Aurora_V11.pdf) | [:closed_book:](../../blob/master/2010/2010.01.Case_Study_Operation_Aurora)
* Jan 27 - [[Alberts] Operation Aurora Detect, Diagnose, Respond](http://albertsblog.stickypatch.org/files/3/5/1/4/7/282874-274153/Aurora_HBGARY_DRAFT.pdf) | [:closed_book:](../../blob/master/2010/2010.01.27.Operation_Aurora_Detect_Diagnose_Respond)
* Jan 26 - [[McAfee] How Can I Tell if I Was Infected By Aurora? (IOCs)]() | [:closed_book:](../../blob/master/2010/2010.01.26.Operation_Aurora_IoC)
* Jan 20 - [[McAfee] Combating Aurora](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/67000/KB67957/en_US/Combating%20Threats%20-%20Operation%20Aurora.pdf) | [:closed_book:](../../blob/master/2010/2010.01.20.Combating_Aurora)
* Jan 13 - [[Damballa] The Command Structure of the Aurora Botnet](https://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf) | [:closed_book:](../../blob/master/2010/2010.01.13.Aurora_Botnet)
* Jan 12 - [[Google] Operation Aurora](http://en.wikipedia.org/wiki/Operation_Aurora) | [:closed_book:](../../blob/master/2010/2010.01.12.Operation_Aurora)

## 2009
* Oct 19 - [[Northrop Grumman] Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation](https://nsarchive2.gwu.edu//NSAEBB/NSAEBB424/docs/Cyber-030.pdf) | [:closed_book:](../../blob/master/2009/2009.10.19.Capability_China_Cyber_Warfare)
* Mar 29 - [[TheSecDevGroup] Tracking GhostNet](http://www.nartv.org/mirror/ghostnet.pdf) | [:closed_book:](../../blob/master/2009/2009.03.29.GhostNet)
* Jan 18 - [[Baltic] Impact of Alleged Russian Cyber Attacks](https://www.baltdefcol.org/files/files/documents/Research/BSDR2009/1_%20Ashmore%20-%20Impact%20of%20Alleged%20Russian%20Cyber%20Attacks%20.pdf) | [:closed_book:](../../blob/master/2009/2009.01.18.Russian_Cyber_Attacks)

## 2008
* Nov XX - [[Military Review] CHINA_CHINA_CYBER_WARFARE](https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20081231_art009.pdf) | [:closed_book:](../../blob/master/2008/2008.CHINA_CHINA_CYBER_WARFARE)
* Nov 19 - [[Wired] Agent.BTZ](http://www.wired.com/dangerroom/2008/11/army-bans-usb-d/) | [:closed_book:](../../blob/master/2008/2008.11.19.UNDER_WORM_ASSAULT)
* Nov 04 - [[DTIC] China's Electronic Long-Range Reconnaissance](http://www.dtic.mil/dtic/tr/fulltext/u2/a492659.pdf) | [:closed_book:](../../blob/master/2008/2008.11.04.China_Electornic_Long_Range_Reconnaissance)
* Oct 02 - [[Culture Mandala] How China will use cyber warfare to leapfrog in military competitiveness](http://www.international-relations.com/CM8-1/Cyberwar.pdf) | [:closed_book:](../../blob/master/2008/2008.10.02.China_Cyber_Warfare)
* Aug 10 - [[Georgia] Russian Invasion of Georgia Russian Cyberwar on Georgia](http://georgiaupdate.gov.ge/doc/10006922/CYBERWAR-%20fd_2_.pdf) | [:closed_book:](../../blob/master/2008/2008.08.10.Russian_Cyberwar_on_Georgia)

## 2006
* [[Krebs on Security] "Wicked Rose" and the NCPH Hacking Group](http://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf) | [:closed_book:](../../blob/master/2006/2006.Wicked_Rose)

## Report

### SentinelOne
:small_orange_diamond: 2024 - [[SentinelOne] WatchTower 2023 Intelligence-Driven Threat Hunting](https://www.sentinelone.com/resources/watchtower-end-of-year-report-2023/) | [:closed_book:](../../blob/master/Report/SentinelOne/watchtower-2023-eoy-report-en.pdf)

### Red Canary
:small_orange_diamond: 2021 - [[Red_Canary] 2021 Threat Detection Report](https://redcanary.com/threat-detection-report/) | [:closed_book:](../../blob/master/Report/Red_Canary/2021-Threat-Detection-Report)

### NSA
:small_orange_diamond: Jan 08 2021 - [[NSA] 2020 Cybersecurity Year in Review report](https://media.defense.gov/2021/Jan/08/2002561651/-1/-1/0/NSA%20CYBERSECURITY%202020%20YEAR%20IN%20REVIEW.PDF/NSA%20CYBERSECURITY%202020%20YEAR%20IN%20REVIEW.PDF) | [:closed_book:](../../blob/master/Report/NSA/NSA_CYBERSECURITY_2020_YEAR_IN_REVIEW.PDF)

### Objective-See
:small_orange_diamond: Jan 01 2024 - [[Objective-See] The Mac Malware of 2023](https://objective-see.org/downloads/MacMalware_2023.pdf) | [:closed_book:](../../blob/master/Report/Objective-See/MacMalware_2023.pdf)
:small_orange_diamond: Jan 01 2023 - [[Objective-See] The Mac Malware of 2022](https://objective-see.org/downloads/MacMalware_2022.pdf) | [:closed_book:](../../blob/master/Report/Objective-See/MacMalware_2022.pdf)
:small_orange_diamond: Jan 01 2022 - [[Objective-See] The Mac Malware of 2021](https://objective-see.com/downloads/MacMalware_2021.pdf) | [:closed_book:](../../blob/master/Report/Objective-See/MacMalware_2021.pdf)
:small_orange_diamond: Jan 04 2021 - [[Objective-See] The Mac Malware of 2020](https://objective-see.com/downloads/MacMalware_2020.pdf/) | [:closed_book:](../../blob/master/Report/Objective-See/MacMalware_2020.pdf)

### ESET
:small_orange_diamond: Q3 2023 - [[ESET] 2023 Q2-Q3 APT Activity Report](https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q2-2023-q3-2023.pdf) | [:closed_book:](../../blob/master/Report/ESET/eset-apt-activity-report-q2-2023-q3-2023.pdf)
:small_orange_diamond: Jun 2022 - [[ESET] ESET Threat Report T1 2022](https://www.welivesecurity.com/wp-content/uploads/2022/06/eset_threat_report_t12022.pdf) | [:closed_book:](../../blob/master/Report/ESET/eset_threat_report_t12022.pdf)
:small_orange_diamond: Feb 09 2022 - [[ESET] ESET Threat Report T3 2021](https://www.welivesecurity.com/2022/02/09/eset-threat-report-t32021/) | [:closed_book:](../../blob/master/Report/ESET/eset_threat_report_t32021.pdf)
:small_orange_diamond: Sep 30 2021 - [[ESET] ESET Threat Report T2 2021](https://www.welivesecurity.com/2021/09/30/eset-threat-report-t22021/) | [:closed_book:](../../blob/master/Report/ESET/eset_threat_report_t22021.pdf)
:small_orange_diamond: Jun 03 2021 - [[ESET] ESET Threat Report T1 2021](https://www.welivesecurity.com/2021/06/03/eset-threat-report-t12021/) | [:closed_book:](../../blob/master/Report/ESET/eset_threat_report_t12021.pdf)
:small_orange_diamond: Oct 18 2020 - [[ESET] 2020 Q3 Threat Report](https://www.welivesecurity.com/2020/10/28/eset-threat-report-q32020/) | [:closed_book:](../../blob/master/Report/ESET/ESET_Threat_Report_Q32020.pdf)
:small_orange_diamond: Jul 29 2020 - [[ESET] 2020 Q2 Threat Report](https://www.welivesecurity.com/2020/07/29/eset-threat-report-q22020/) | [:closed_book:](../../blob/master/Report/ESET/ESET_Threat_Report_Q22020.pdf)
:small_orange_diamond: Apr 2020 - [[ESET] 2020 Q1 Threat Report](https://www.welivesecurity.com/wp-content/uploads/2020/04/ESET_Threat_Report_Q12020.pdf) | [:closed_book:](../../blob/master/Report/ESET/ESET_Threat_Report_Q12020.pdf)

### Kaspersky
:small_orange_diamond: Apr 27 2022 - [[Kaspersky] APT trends report Q2 2022](https://securelist.com/apt-trends-report-q1-2022/106351/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q2_2022_Securelist.pdf)
:small_orange_diamond: Jul 29 2021 - [[Kaspersky] APT trends report Q2 2021](https://securelist.com/apt-trends-report-q2-2021/103517/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q2_2021_Securelist.pdf)
:small_orange_diamond: Apr 27 2021 - [[Kaspersky] APT trends report Q1 2021](https://securelist.com/apt-trends-report-q1-2021/101967/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q1_2021_Securelist.pdf)
:small_orange_diamond: Nov 04 2020 - [[Kaspersky] APT trends report Q3 2020](https://securelist.com/apt-trends-report-q3-2020/99204/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q3_2020_Securelist.pdf)
:small_orange_diamond: Jul 29 2020 - [[Kaspersky] APT trends report Q2 2020](https://securelist.com/apt-trends-report-q2-2020/97937/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q2_2020_Securelist.pdf)
:small_orange_diamond: Aug 01 2019 - [[Kaspersky] APT trends report Q2 2019](https://securelist.com/apt-trends-report-q2-2019/91897/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q2_2019_Securelist.pdf)
:small_orange_diamond: Apr 30 2019 - [[Kaspersky] APT trends report Q1 2019](https://securelist.com/apt-trends-report-q1-2019/90643/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q1_2019_Securelist.pdf)

### FireEye
:small_orange_diamond: Apr 15 2021 - [[FireEye] M-Trends 2021](https://content.fireeye.com/m-trends/rpt-m-trends-2021) | [:closed_book:](../../blob/master/Report/FireEye/rpt-mtrends-2021.pdf)
:small_orange_diamond: Feb 20 2020 - [[FireEye] M-Trends 2020](https://content.fireeye.com/m-trends/rpt-m-trends-2020) | [:closed_book:](../../blob/master/Report/FireEye/mtrends-2020.pdf)
:small_orange_diamond: Mar 04 2019 - [[FireEye] M-Trends 2019](https://content.fireeye.com/m-trends/rpt-m-trends-2019) | [:closed_book:](../../blob/master/Report/FireEye/rpt-mtrends-2019.pdf)

### AhnLab
:small_orange_diamond: Q2 2021 - [[AhnLab] ASEC Report Q2 2021](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.103_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.103_ENG.pdf)
:small_orange_diamond: Q1 2021 - [[AhnLab] ASEC Report Q1 2021](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.102_ENG.pdf)
:small_orange_diamond: Q4 2020 - [[AhnLab] ASEC Report Q4 2020](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.101_ENG.pdf)
:small_orange_diamond: Q3 2020 - [[AhnLab] ASEC Report Q3 2020](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.100_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.100_ENG.pdf)
:small_orange_diamond: Q2 2020 - [[AhnLab] ASEC Report Q2 2020](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.99_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.99_ENG.pdf)
:small_orange_diamond: Q1 2020 - [[AhnLab] ASEC Report Q1 2020](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.98_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.98_ENG.pdf)
:small_orange_diamond: Q4 2019 - [[AhnLab] ASEC Report Q4 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.97_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.97_ENG.pdf)
:small_orange_diamond: Q3 2019 - [[AhnLab] ASEC Report Q3 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.96_ENG.pdf)
:small_orange_diamond: Q2 2019 - [[AhnLab] ASEC Report Q2 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.95_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.95_ENG.pdf)
:small_orange_diamond: Q1 2019 - [[AhnLab] ASEC Report Q1 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.94_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.94_ENG.pdf)

### Group-IB
:small_orange_diamond: Nov 24 2020 - [[Group-IB] Hi-Tech Crime Trends 2020-2021](https://www.group-ib.com/resources/threat-research/2020-report.html) | [:closed_book:](../../blob/master/Report/Group-IB/Group-IB_Hi-Tech_Crime_Trends_2019-2020_en.pdf)
:small_orange_diamond: Nov 29 2019 - [[Group-IB] Hi-Tech Crime Trends 2019-2020](https://www.group-ib.com/resources/threat-research/2019-report.html) | [:closed_book:](../../blob/master/Report/Group-IB/Group-IB_Hi-Tech_Crime_Trends_2020-2021_en.pdf)

### PTSecurity
:small_orange_diamond: Q1 2021 - [[PTSecurity] Cybersecurity threatscape Q1 2021](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cybersecurity_threats_2021-Q1-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/Cybersecurity_threats_2021-Q1-eng.pdf)
:small_orange_diamond: Q4 2020 - [[PTSecurity] Cybersecurity threatscape Q4 2020](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cybersecurity_threatscape-2020-Q4_eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/Cybersecurity_threatscape-2020-Q4_eng.pdf)
:small_orange_diamond: Q3 2020 - [[PTSecurity] Cybersecurity threatscape Q3 2020](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cybersecurity_threatscape-2020-Q3.ENG.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/Cybersecurity_threatscape-2020-Q3.ENG.pdf)
:small_orange_diamond: Q2 2020 - [[PTSecurity] Cybersecurity threatscape Q2 2020](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2020-q2-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2020-q2-eng.pdf)
:small_orange_diamond: Q1 2020 - [[PTSecurity] Cybersecurity threatscape Q1 2020](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2020-q1-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2020-q1-eng.pdf)
:small_orange_diamond: Q4 2019 - [[PTSecurity] Cybersecurity threatscape Q4 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2019-q4-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2019-q4-eng.pdf)
:small_orange_diamond: Q3 2019 - [[PTSecurity] Cybersecurity threatscape Q3 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2019-q3-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2019-q3-eng.pdf)
:small_orange_diamond: Q2 2019 - [[PTSecurity] Cybersecurity threatscape Q2 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cybersecurity-threatscape-2019-Q2-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/Cybersecurity-threatscape-2019-Q2-eng.pdf)
:small_orange_diamond: Q1 2019 - [[PTSecurity] Cybersecurity threatscape Q1 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cybersecurity-threatscape-2019-Q1-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/Cybersecurity-threatscape-2019-Q1-eng.pdf)

### ENISA
:small_orange_diamond: Oct 20 2020 - [[ENISA] ENISA Threat Landscape 2020 - Main Incidents](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-main-incidents) | [:closed_book:](../../blob/master/Report/ENISA/ETL2020_Incidents_A4.pdf)
:small_orange_diamond: Jan 28 2019 - [[ENISA] ENISA Threat Landscape Report 2018](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018) | [:closed_book:](../../blob/master/Report/ENISA/ENISA_Threat_Landscape_2018.pdf)

### CrowdStrike
:small_orange_diamond: Sep 14 2021 - [[CrowdStrike] Nowhere to Hide: 2021 Threat Hunting Report](https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021ThreatHunting.pdf) | [:closed_book:](../../blob/master/Report/CrowdStrike/Report2021ThreatHunting.pdf)
:small_orange_diamond: Feb 24 2021 - [[CrowdStrike] 2021 GLOBAL THREAT REPORT](https://www.crowdstrike.com/resources/reports/global-threat-report/) | [:closed_book:](../../blob/master/Report/CrowdStrike/The_CrowdStrike_2021_Global_Threat_Report.pdf)
:small_orange_diamond: Mar 03 2020 - [[CrowdStrike] 2020 GLOBAL THREAT REPORT](https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf) | [:closed_book:](../../blob/master/Report/CrowdStrike/Report2020CrowdStrikeGlobalThreatReport.pdf)
:small_orange_diamond: Feb 19 2019 - [[CrowdStrike] 2019 GLOBAL THREAT REPORT](https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf?lb_email=&utm_source=Marketo&utm_medium=Web&utm_campaign=Threat_Report_2019) | [:closed_book:](../../blob/master/Report/CrowdStrike/Report2019GlobalThreatReport.pdf)

### QianXin
:small_orange_diamond: Jun 29 2020 - [[QianXin] APT threat report 2020 1H CN version](https://ti.qianxin.com/uploads/2020/06/29/e4663b4f11f01e5ec8a1a5d91a71dc72.pdf) | [:closed_book:](../../blob/master/Report/QianXin/2020.06.29_APT_threat_report_2020_1H_CN_version.pdf)
:small_orange_diamond: Feb 02 2019 - [[QianXin] APT threat report 2019 CN version](https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf) | [:closed_book:](../../blob/master/Report/QianXin/2020.02.22_APT_threat_report_2019_CN_version.pdf)

### Tencent
:small_orange_diamond: Mar 05 2020 - [[Tencent] [CN] 2019 APT Summary Report](http://pc1.gtimg.com/softmgr/files/apt_report_2019.pdf) | [:closed_book:](../../blob/master/Report/Tencent/apt_report_2019.CN_Version.pdf)
:small_orange_diamond: Jan 03 2019 - [[Tencent] [CN] 2018 APT Summary Report](https://www.freebuf.com/articles/network/193420.html) | [:closed_book:](../../blob/master/Report/Tencent/2019.01.03.Tencent_APT_Summary_report_2018_CN_Version.pdf)

### Verizon
:small_orange_diamond: Nov 16 2020 - [[Verizon] Cyber-Espionage Report 2020-2021](https://www.infopoint-security.de/media/2020-2021-cyber-espionage-report.pdf) | [:closed_book:](../../blob/master/Report/Verizon/2020-2021-cyber-espionage-report.pdf)

### Sophos
:small_orange_diamond: Nov 18 2020 - [[Sophos] SOPHOS 2021 THREAT REPORT](https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf) | [:closed_book:](../../blob/master/Report/Sophos/sophos-2021-threat-report.pdf)
:small_orange_diamond: Dec 02 2019 - [[Sophos] SOPHOS 2020 THREAT REPORT](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-uncut-2020-threat-report.pdf) | [:closed_book:](../../blob/master/Report/Sophos/sophoslabs-uncut-2020-threat-report.pdf)

### 360
:small_orange_diamond: Oct xx 2021 - [[360] Global APT Research Report for the first half of 2021](https://github.com/blackorbird/APT_REPORT/blob/master/summary/2021/Global%20APT%20Research%20Report%20for%20the%20first%20half%20of%202021-360.pdf) | [:closed_book:](../../blob/master/Report/360/Global_APT_Research_Report_for_the_first_half_of_2021-360.pdf)

### Microsoft
:small_orange_diamond: Oct xx 2021 - [[Microsoft] Microsoft Digital Defense Report October 2021](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi) | [:closed_book:](../../blob/master/Report/Microsoft/FY21_Microsoft_Digital_Defense_Report.pdf)

### Other
:small_orange_diamond: Nov 18 2020 - [[KELA] Zooming into Darknet Threats Targeting Japanese Organizations](https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/) | [:closed_book:](../../blob/master/Report/2020.11.18_Zooming_into_Darknet_Threats_Targeting_Japanese_Organizations/)
:small_orange_diamond: Nov 04 2020 - [[WEF] Partnership against Cybercrime](http://www3.weforum.org/docs/WEF_Partnership_against_Cybercrime_report_2020.pdf) | [:closed_book:](../../blob/master/Report/2020.11.04_-_WorldEconomicForum_-_Partnership_against_Cybercrime/)
:small_orange_diamond: May 01 2020 - [[Macnia Networks, TeamT5] 2019 H2 APT Report](https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf) | [:closed_book:](../../blob/master/Report/2019.H2_macnica_TeamT5)
:small_orange_diamond: Feb 02 2019 - [[threatintel] Threat Intel Reads – January 2019](https://threatintel.eu/2019/02/02/threat-intel-reads-january-2019/) | [:closed_book:](../../blob/master/Report/2019.02.02.Threat_Intel_Reads_January_2019)
:small_orange_diamond: Feb 2019 - [[SWISSCOM] Targeted Attacks: Cyber Security Report 2019](https://www.swisscom.ch/content/dam/swisscom/en/about/company/portrait/network/security/documents/security-report-2019.pdf) | [:closed_book:](../../blob/master/Report/2019.02.Targeted_Attacks)
:small_orange_diamond: Jan 30 2019 - [[Dragos] Webinar Summary: Uncovering ICS Threat Activity Groups](https://dragos.com/blog/industry-news/webinar-summary-uncovering-ics-threat-activity-groups/) | [:closed_book:](../../blob/master/Report/2019.01.30.Uncovering_ICS_Threat_Activity_Groups)
:small_orange_diamond: Jan 15 2019 - [[Hackmageddon] 2018: A Year of Cyber Attacks](https://www.hackmageddon.com/2019/01/15/2018-a-year-of-cyber-attacks/) | [:closed_book:](../../blob/master/Report/2019.01.15.2018-a-year-of-cyber-attacks)
:small_orange_diamond: Jan 09 2019 - [[360] [CN] 2018 APT Summary Report](https://www.freebuf.com/articles/paper/193553.html) | [:closed_book:](../../blob/master/Report/2019.01.09.360_APT_Summary_report_2018_CN_Version)
:small_orange_diamond: Jan 07 2019 - [[Medium] APT_chronicles_december_2018_edition](https://medium.com/@z3roTrust/the-apt-chronicles-december-2018-edition-e3e5125ffcd2) | [:closed_book:](../../blob/master/Report/2019.01.07.APT_chronicles_december_2018_edition)
:small_orange_diamond: Sep 07 2020 - [[SWIFT & BAE] Follow the Money](https://www.swift.com/sites/default/files/files/swift_bae_report_Follow-The%20Money.pdf) | [:closed_book:](../../blob/master/Report/2020.09.07_Follow_the_Money)