# APT & CyberCriminal Campaign Collection

This is a collection of APT and CyberCriminal campaigns.
Please open an issue if any APT/malware events or campaigns are missing.

🤷 The password for the malware samples could be 'virus' or 'infected'.

## Reference Resources
* [kbandla](https://github.com/kbandla/APTnotes)
* [APTnotes](https://github.com/aptnotes/data)
* [Florian Roth - APT Groups](https://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml)
* [Attack Wiki](https://attack.mitre.org/wiki/Groups)
* [threat-INTel](https://github.com/fdiskyou/threat-INTel)
* [targetedthreats](https://github.com/botherder/targetedthreats/wiki/Reports)
* 🍎 [Raw Threat Intelligence](https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit)
* [APT search](https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc)
## 2018
* May 23 - [[Ahnlab] [KR] Andariel Group Trend Report](http://download.ahnlab.com/kr/site/library/[Report]Andariel_Threat_Group.pdf) | [Local](../../blob/master/2018/2018.05.23.Andariel_Group)
* May 22 - [[ESET] Turla Mosquito: A shift towards more generic tools](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/) | [Local](../../blob/master/2018/2018.05.22.Turla_Mosquito)
* May 09 - [[Recorded Future] Iran's Hacker Hierarchy Exposed](https://go.recordedfuture.com/hubfs/reports/cta-2018-0509.pdf) | [Local](../../blob/master/2018/2018.05.09.Iran_Hacker_Hierarchy_Exposed)
* May 09 - [[360] Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack](http://blogs.360.cn/blog/cve-2018-8174-en/) | [Local](../../blob/master/2018/2018.05.09.APT-C-06_CVE-2018-8174)
* May 03 - [[ProtectWise] Burning Umbrella](https://github.com/401trg/detections/raw/master/pdfs/20180503_Burning_Umbrella.pdf) | [Local](../../blob/master/2018/2018.05.03.Burning_Umbrella)
* May 03 - [[Kaspersky] Who's who in the Zoo: Cyberespionage operation targets Android users in the Middle East](https://securelist.com/whos-who-in-the-zoo/85394/) | [Local](../../blob/master/2018/2018.05.03.whos-who-in-the-zoo)
* Apr 27 - [[Tencent] (CN) OceanLotus new malware analysis](https://s.tencent.com/research/report/471.html) | [Local](../../blob/master/2018/2018.04.27.OceanLotus_new_malware)
* Apr 26 - [[CISCO] GravityRAT - The Two-Year Evolution Of An APT Targeting India](https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html) | [Local](../../blob/master/2018/2018.04.26.GravityRAT)
* Apr 24 - [[FireEye] Metamorfo Campaigns Targeting Brazilian Users](https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html) | [Local](../../blob/master/2018/2018.04.24.metamorfo-campaign)
* Apr 24 - [[McAfee] Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide](https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/) | [Local](../../blob/master/2018/2018.04.24.Operation_GhostSecret)
* Apr 24 - [[ESET] Sednit update: Analysis of Zebrocy](https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/) | [Local](../../blob/master/2018/2018.04.24.sednit-update-analysis-zebrocy)
* Apr 23 - [[Accenture] HOGFISH REDLEAVES CAMPAIGN](https://www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf) | [Local](../../blob/master/2018/2018.04.23.HOGFISH_REDLEAVES_CAMPAIGN)
* Apr 23 - [[Symantec] New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia](https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia) | [Local](../../blob/master/2018/2018.04.23.New_Orangeworm)
* Apr 23 - [[Kaspersky] Energetic Bear/Crouching Yeti: attacks on servers](https://securelist.com/energetic-bear-crouching-yeti/85345/) | [Local](../../blob/master/2018/2018.04.23.energetic-bear-crouching-yeti)
* Apr 12 - [[Kaspersky] Operation Parliament, who is doing what?](https://securelist.com/operation-parliament-who-is-doing-what/85237/) | [Local](../../blob/master/2018/2018.04.12.operation-parliament)
* Apr 04 - [[Trend Micro] New MacOS Backdoor Linked to OceanLotus Found](https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/) | [Local](../../blob/master/2018/2018.04.04.MacOS_Backdoor_OceanLotus)
* Mar 29 - [[Trend Micro] ChessMaster Adds Updated Tools to Its Arsenal](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/) | [Local](../../blob/master/2018/2018.03.29.ChessMaster_Adds_Updated_Tools)
* Mar 27 - [[Arbor] Panda Banker Zeros in on Japanese Targets](https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/) | [Local](../../blob/master/2018/2018.03.27.panda-banker-zeros-in-on-japanese-targets)
* Mar 23 - [[Ahnlab] Targeted Attacks on South Korean Organizations](http://global.ahnlab.com/global/upload/download/techreport/Tech_Report_Malicious_Hancom.pdf) | [Local](../../blob/master/2018/2018.03.23.Targeted_Attacks_on_South_Korean_Organizations)
* Mar 15 - [[US-CERT] Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors](https://www.us-cert.gov/ncas/alerts/TA18-074A) | [Local](../../blob/master/2018/2018.03.15.Russian_Government_Cyber_Activity_TA18-074A)
* Mar 14 - [[Symantec] Inception Framework: Alive and Well, and Hiding Behind Proxies](https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies) | [Local](../../blob/master/2018/2018.03.14.Inception_Framework)
* Mar 14 - [[Trend Micro] Tropic Trooper's New Strategy](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/) | [Local](../../blob/master/2018/2018.03.14.tropic-trooper-new-strategy)
* Mar 13 - [[FireEye] Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html) | [Local](../../blob/master/2018/2018.03.13.Iranian-threat-group)
* Mar 13 - [[Kaspersky] Time of death? A therapeutic postmortem of connected medicine](https://securelist.com/time-of-death-connected-medicine/84315/) | [Local](../../blob/master/2018/2018.03.13.A_therapeutic_postmortem_of_connected_medicine)
* Mar 13 - [[Proofpoint] Drive-by as a service: BlackTDS](https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds) | [Local](../../blob/master/2018/2018.03.13.BlackTDS)
* Mar 13 - [[ESET] OceanLotus: Old techniques, new backdoor](https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf) | [Local](../../blob/master/2018/2018.03.13.OceanLotus_Old_techniques_new_backdoor)
* Mar 12 - [[Trend Micro] Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia](https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/) | [Local](../../blob/master/2018/2018.03.12.MuddyWater_Middle_East_and_Central_Asia)
* Mar 09 - [[Kaspersky] Masha and these Bears - 2018 Sofacy Activity](https://securelist.com/masha-and-these-bears/84311/) | [Local](../../blob/master/2018/2018.03.09.masha-and-these-bears)
* Mar 09 - [[NCC] APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/?Year=2018&Month=3) | [Local](../../blob/master/2018/2018.03.09.APT15_is_alive_and_strong)
* Mar 09 - [[ESET] New traces of Hacking Team in the wild](https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/) | [Local](../../blob/master/2018/2018.03.09.new-traces-hacking-team-wild)
* Mar 08 - [[Kaspersky] OlympicDestroyer is here to trick the industry](https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/) | [Local](../../blob/master/2018/2018.03.08.olympicdestroyer-is-here-to-trick-the-industry)
* Mar 08 - [[Arbor] Donot Team Leverages New Modular Malware Framework in South Asia](https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/) | [Local](../../blob/master/2018/2018.03.08.donot-team-leverages-new-modular)
* Mar 08 - [[CrySyS] Territorial Dispute - NSA's perspective on APT landscape](https://www.crysys.hu/files/tedi/ukatemicrysys_territorialdispute.pdf) | [Local](../../blob/master/2018/2018.03.08.Territorial_Dispute)
* Mar 07 - [[Palo Alto Networks] Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent](https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/) | [Local](../../blob/master/2018/2018.03.07.patchwork-continues-deliver-badnews-indian-subcontinent)
* Mar 06 - [[Kaspersky] The Slingshot APT](https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf) | [Local](../../blob/master/2018/2018.03.06.The-Slingshot-APT)
* Mar 05 - [[Palo Alto Networks] Sure, I'll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency](https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/) | [Local](../../blob/master/2018/2018.03.05.New_ComboJack_Malware)
* Mar 02 - [[McAfee] McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups](https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/) | [Local](../../blob/master/2018/2018.03.02.Operation_Honeybee)
* Mar 01 - [[Security 0wnage] A Quick Dip into MuddyWater's Recent Activity](https://sec0wn.blogspot.tw/2018/03/a-quick-dip-into-muddywaters-recent.html) | [Local](../../blob/master/2018/2018.03.01.a-quick-dip-into-muddywaters-recent)
* Feb 28 - [[Palo Alto Networks] Sofacy Attacks Multiple Government Entities](https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/) | [Local](../../blob/master/2018/2018.02.28.sofacy-attacks-multiple-government-entities)
* Feb 28 - [[Symantec] Chafer: Latest Attacks Reveal Heightened Ambitions](https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions) | [Local](../../blob/master/2018/2018.02.28.Chafer_Latest_Attacks_Reveal)
* Feb 21 - [[Avast] Avast tracks down Tempting Cedar Spyware](https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware) | [Local](../../blob/master/2018/2018.02.21.Tempting_Cedar)
* Feb 20 - [[Arbor] Musical Chairs Playing Tetris](https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/) | [Local](../../blob/master/2018/2018.02.20.musical-chairs-playing-tetris)
* Feb 20 - [[Kaspersky] A Slice of 2017 Sofacy Activity](https://securelist.com/a-slice-of-2017-sofacy-activity/83930/) | [Local](../../blob/master/2018/2018.02.20.a-slice-of-2017-sofacy-activity)
* Feb 20 - [[FireEye] APT37 (Reaper): The Overlooked North Korean Actor](https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf) | [Local](../../blob/master/2018/2018.02.20.APT37)
* Feb 13 - [[Trend Micro] Deciphering Confucius Cyberespionage Operations](https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/) | [Local](../../blob/master/2018/2018.02.13.deciphering-confucius)
* Feb 07 - [[CISCO] Targeted Attacks In The Middle East](http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html) | [Local](../../blob/master/2018/2018.02.07.targeted-attacks-in-middle-east_VBS_CAMPAIGN)
* Feb 02 - [[McAfee] Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems](https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/) | [Local](../../blob/master/2018/2018.02.02.gold-dragon-widens-olympics-malware)
* Feb 01 - [[Bitdefender] Operation PZChao: a possible return of the Iron Tiger APT](https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/) | [Local](../../blob/master/2018/2018.02.01.operation-pzchao)
* Jan 30 - [[Palo Alto Networks] Comnie Continues to Target Organizations in East Asia](https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/) | [Local](../../blob/master/2018/2018.01.31.Comnie_Continues_to_Target_Organizations_in_East_Asia)
* Jan 30 - [[RSA] APT32 Continues ASEAN Targeting](https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting) | [Local](../../blob/master/2018/2018.01.30.APT32_Continues_ASEAN_Targeting)
* Jan 29 - [[Trend Micro] Hacking Group Spies on Android Users in India Using PoriewSpy](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-group-spies-android-users-india-using-poriewspy/) | [Local](../../blob/master/2018/2018.01.29.PoriewSpy.India)
* Jan 29 - [[Palo Alto Networks] VERMIN: Quasar RAT and Custom Malware Used In Ukraine](https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/) | [Local](../../blob/master/2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine)
* Jan 27 - [[Accenture] DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS MEETING AND ASSOCIATES](https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf) | [Local](../../blob/master/2018/2018.01.27.DRAGONFISH)
* Jan 26 - [[Palo Alto Networks] The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services](https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/) | [Local](../../blob/master/2018/2018.01.26.TopHat_Campaign)
* Jan 25 - [[Palo Alto Networks] OilRig uses RGDoor IIS Backdoor on Targets in the Middle East](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/) | [Local](../../blob/master/2018/2018.01.25.oilrig_Middle_East)
* Jan 24 - [[Trend Micro] Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/) | [Local](../../blob/master/2018/2018.01.24.lazarus-campaign-targeting-cryptocurrencies)
* Jan 18 - [[NCSC] Turla group update Neuron malware](https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20Neuron%20Malware%20Update.pdf) | [Local](../../blob/master/2018/2018.01.18.Turla_group_update_Neuron_malware)
* Jan 17 - [[Lookout] Dark Caracal](https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf) | [Local](../../blob/master/2018/2018.01.18.Dark_Caracal)
* Jan 16 - [[Kaspersky] Skygofree: Following in the footsteps of HackingTeam](https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/) | [Local](../../blob/master/2018/2018.01.16.skygofree)
* Jan 16 - [[Recorded Future] North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign](https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/) | [Local](../../blob/master/2018/2018.01.16.north-korea-cryptocurrency-campaign)
* Jan 16 - [[CISCO] Korea In The Crosshairs](http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html) | [Local](../../blob/master/2018/2018.01.16.korea-in-crosshairs)
* Jan 15 - [[Trend Micro] New KillDisk Variant Hits Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/) | [Local](../../blob/master/2018/2018.01.15.new-killdisk-variant-hits-financial-organizations-in-latin-america)
* Jan 12 - [[Trend Micro] Update on Pawn Storm: New Targets and Politically Motivated Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork) | [Local](../../blob/master/2018/2018.01.12.update-pawn-storm-new-targets-politically)
* Jan 11 - [[McAfee] North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk](https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalists-targeted-using-social-networks-kakaotalk/) | [Local](../../blob/master/2018/2018.01.11.North_Korean_Defectors_and_Journalists_Targeted)
* Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [Local](../../blob/master/2018/2018.01.09.Turla_Mosquito)
* Jan 07 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/dustysky/) | [Local](../../blob/master/2018/2018.01.07.Operation_DustySky)
* Jan 06 - [[McAfee] Malicious Document Targets Pyeongchang Olympics](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) | [Local](../../blob/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics)
* Jan 04 - [[Carnegie] Iran's Cyber Threat: Espionage, Sabotage, and Revenge](http://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf) | [Local](../../blob/master/2018/2018.01.04.Iran_Cyber_Threat_Carnegie)
## 2017
* Dec 19 - [[Proofpoint] North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group](https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new) | [Local](../../blob/master/2017/2017.12.19.North_Korea_Bitten_by_Bitcoin_Bug)
* Dec 17 - [[McAfee] Operation Dragonfly Analysis Suggests Links to Earlier Attacks](https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/) | [Local](../../blob/master/2017/2017.12.17.operation-dragonfly-analysis-suggests-links-to-earlier-attacks)
* Dec 14 - [[FireEye] Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure](https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html) | [Local](../../blob/master/2017/2017.12.14.attackers-deploy-new-ics-attack-framework-triton)
* Dec 11 - [[Group-IB] MoneyTaker, revealed after 1.5 years of silent operations.](https://www.group-ib.com/resources/reports/money-taker.html) | [Local](../../blob/master/2017/2017.12.11.MoneyTaker)
* Dec 11 - [[Trend Micro] Untangling the Patchwork Cyberespionage Group](http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/) | [Local](../../blob/master/2017/2017.12.11.Patchwork_APT)
* Dec 07 - [[FireEye] New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit](https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html) | [Local](../../blob/master/2017/2017.12.07.New_Targeted_Attack_in_the_Middle_East_by_APT34)
* Dec 05 - [[ClearSky] Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets And the HBO Hacker Connection](http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf) | [Local](../../blob/master/2017/2017.12.05.Charming_Kitten)
* Dec 04 - [[RSA] The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion](https://community.rsa.com/community/products/netwitness/blog/2017/12/04/anatomy-of-an-attack-carbanak) | [Local](../../blob/master/2017/2017.12.04.The_Shadows_of_Ghosts)
* Nov 22 - [[REAQTA] A dive into MuddyWater APT targeting Middle-East](https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/) | [Local](../../blob/master/2017/2017.11.22.MuddyWater_APT)
* Nov 14 - [[Palo Alto Networks] Muddying the Water: Targeted Attacks in the Middle East](https://researchcenter.paloaltonetworks.com/2017/11/2017.11.14.Muddying_the_Water) | [Local](../../blob/master/2017/2017.11.14.Muddying_the_Water)
* Nov 10 - [[Palo Alto Networks] New Malware with Ties to SunOrcal Discovered](https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/) | [Local](../../blob/master/2017/2017.11.10.New_Malware_with_Ties_to_SunOrcal_Discovered)
* Nov 07 - [[McAfee] Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack](https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/#sf151634298) | [Local](../../blob/master/2017/2017.11.07.APT28_Slips_Office_Malware)
* Nov 07 - [[Symantec] Sowbug: Cyber espionage group targets South American and Southeast Asian governments](https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments) | [Local](../../blob/master/2017/2017.11.07.sowbug-cyber-espionage-group-targets)
* Nov 06 - [[Trend Micro] ChessMaster's New Strategy: Evolving Tools and Tactics](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) | [Local](../../blob/master/2017/2017.11.06.ChessMaster_New_Strategy)
* Nov 06 - [[Volexity] OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/) | [Local](../../blob/master/2017/2017.11.06.oceanlotus-blossomsk)
* Nov 02 - [[PwC] The KeyBoys are back in town](http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html) | [Local](../../blob/master/2017/2017.11.02.KeyBoys_are_back)
* Nov 02 - [[Clearsky] LeetMX a Yearlong Cyber-Attack Campaign Against Targets in Latin America](http://www.clearskysec.com/leetmx/) | [Local](../../blob/master/2017/2017.11.02.LeetMX)
* Nov 02 - [[RISKIQ] New Insights into Energetic Bear's Watering Hole Attacks on Turkish Critical Infrastructure](https://www.riskiq.com/blog/labs/energetic-bear/) | [Local](../../blob/master/2017/2017.11.02.Energetic_Bear_on_Turkish_Critical_Infrastructure)
* Oct 31 - [[Cybereason] Night of the Devil: Ransomware or wiper? A look into targeted attacks in Japan using MBR-ONI](https://www.cybereason.com/blog/night-of-the-devil-ransomware-or-wiper-a-look-into-targeted-attacks-in-japan) | [Local](../../blob/master/2017/2017.10.31.MBR-ONI.Japan)
* Oct 30 - [[Kaspersky] Gaza Cybergang updated activity in 2017](https://securelist.com/gaza-cybergang-updated-2017-activity/82765/) | [Local](../../blob/master/2017/2017.10.30.Gaza_Cybergang)
* Oct 27 - [[Bellingcat] Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia](https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/) | [Local](../../blob/master/2017/2017.10.27.bahamut-revisited)
* Oct 24 - [[ClearSky] Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies](http://www.clearskysec.com/greenbug/) | [Local](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 16 - [[BAE Systems] Taiwan Heist: Lazarus Tools And Ransomware](https://baesystemsai.blogspot.kr/2017/10/taiwan-heist-lazarus-tools.html) | [Local](../../blob/master/2017/2017.10.16.Taiwan-Heist)
* Oct 16 - [[Kaspersky] BlackOasis APT and new targeted attacks leveraging zero-day exploit](https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/) | [Local](../../blob/master/2017/2017.10.16.BlackOasis_APT)
* Oct 10 - [[Trustwave] Post Soviet Bank Heists](https://www.trustwave.com/Resources/Library/Documents/Post-Soviet-Bank-Heists/) | [Local](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 02 - [[intezer] Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers]() | [Local](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Sep XX - [[MITRE] APT3 Adversary Emulation Plan](https://attack.mitre.org/w/img_auth.php/6/6c/APT3_Adversary_Emulation_Plan.pdf) | [Local](../../blob/master/2017/2017.09.XX.APT3_Adversary_Emulation_Plan)
* Sep 28 - [[Palo Alto Networks] Threat Actors Target Government of Belarus Using CMSTAR Trojan](https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/) | [Local](../../blob/master/2017/2017.09.28.Belarus_CMSTAR_Trojan)
* Sep 20 - [[intezer] Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner](http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/) | [Local](../../blob/master/2017/2017.09.20.Aurora_Operation_CCleaner)
* Sep 20 - [[FireEye] Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware](https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html) | [Local](../../blob/master/2017/2017.09.20.apt33-insights-into-iranian-cyber-espionage)
* Sep 20 - [[CISCO] CCleaner Command and Control Causes Concern](http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) | [Local](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[CISCO] CCleanup: A Vast Number of Machines at Risk](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | [Local](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 12 - [[FireEye] FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html) | [Local](../../blob/master/2017/2017.09.12.FINSPY_CVE-2017-8759)
* Sep 06 - [[Symantec] Dragonfly: Western energy sector targeted by sophisticated attack group](https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group) | [Local](../../blob/master/2017/2017.09.06.dragonfly-western-energy-sector-targeted-sophisticated-attack-group)
* Sep 06 - [[Treadstone 71] Intelligence Games in the Power Grid](https://treadstone71llc.files.wordpress.com/2017/09/intelligence-games-in-the-power-grid-2016.pdf) | [Local](../../blob/master/2017/2017.09.06.intelligence-games-in-the-power-grid-2016)
* Aug 30 - [[ESET] Gazing at Gazer: Turla's new second stage backdoor](https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/) | [Local](../../blob/master/2017/2017.08.30.Gazing_at_Gazer)
* Aug 30 - [[Kaspersky] Introducing WhiteBear](https://securelist.com/introducing-whitebear/81638/) | [Local](../../blob/master/2017/2017.08.30.Introducing_WhiteBear)
* Aug 25 - [[Proofpoint] Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures](https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures) | [Local](../../blob/master/2017/2017.08.25.operation-rat-cook)
* Aug 18 - [[RSA] Russian Bank Offices Hit with Broad Phishing Wave](https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-bank-offices-hit-with-broad-phishing-wave) | [Local](../../blob/master/2017/2017.08.18.Russian_Bank_Offices_Hit)
* Aug 17 - [[Proofpoint] Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack](https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack) | [Local](../../blob/master/2017/2017.08.17.turla-apt-actor-refreshes-kopiluwak-javascript-backdoor)
* Aug 15 - [[Palo Alto Networks] The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure](https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/) | [Local](../../blob/master/2017/2017.08.15.Notepad_and_Chthonic)
* Aug 11 - [[FireEye] APT28 Targets Hospitality Sector, Presents Threat to Travelers](https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html) | [Local](../../blob/master/2017/2017.08.11.apt28-targets-hospitality-sector)
* Aug 01 - [[Positive Research] Cobalt strikes back: an evolving multinational threat to finance](http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.html) | [Local](../../blob/master/2017/2017.08.01.cobalt-group-2017-cobalt-strikes-back)
* Jul 27 - [[Trend Micro] ChessMaster Makes its Move: A Look into the Campaign's Cyberespionage Arsenal](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) | [Local](../../blob/master/2017/2017.07.27.chessmaster-cyber-espionage-campaign)
* Jul 27 - [[Palo Alto Networks] OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group](https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/) | [Local](../../blob/master/2017/2017.07.27.oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group)
* Jul 27 - [[Clearsky, TrendMicro] Operation Wilted Tulip](http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf) | [Local](../../blob/master/2017/2017.07.27.Operation_Wilted_Tulip)
* Jul 24 - [[Palo Alto Networks] “Tick” Group Continues Attacks](https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/) | [Local](../../blob/master/2017/2017.07.24.Tick_group)
* Jul 18 - [[Clearsky] Recent Winnti Infrastructure and Samples](http://www.clearskysec.com/winnti/) | [Local](../../blob/master/2017/2017.07.18.winnti)
* Jul 18 - [[Bitdefender] Inexsmar: An unusual DarkHotel campaign](https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/) | [Local](../../blob/master/2017/2017.07.18.Inexsmar)
* Jul 11 - [[ProtectWise] Winnti Evolution - Going Open Source](https://www.protectwise.com/blog/winnti-evolution-going-open-source.html) | [Local](../../blob/master/2017/2017.07.11.winnti-evolution-going-open-source)
* Jul 10 - [[Trend Micro] OSX Malware Linked to Operation Emmental Hijacks User Network Traffic](http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/) | [Local](../../blob/master/2017/2017.07.10.osx_dok-mac-malware-emmental-hijacks-user-network-traffic)
* Jul 06 - [[Malware Party] Operation Desert Eagle](http://mymalwareparty.blogspot.tw/2017/07/operation-desert-eagle.html) | [Local](../../blob/master/2017/2017.07.06.Operation_Desert_Eagle)
* Jul 05 - [[Citizen Lab] Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | [Local](../../blob/master/2017/2017.07.05.insider-information)
* Jun 30 - [[ESET] TeleBots are back: supply-chain attacks against Ukraine](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/) | [Local](../../blob/master/2017/2017.06.30.telebots-back-supply-chain)
* Jun 30 - [[Kaspersky] From BlackEnergy to ExPetr](https://securelist.com/from-blackenergy-to-expetr/78937/) | [Local](../../blob/master/2017/2017.06.30.From_BlackEnergy_to_ExPetr)
* Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [Local](../../blob/master/2017/2017.06.26.Threat_Group-4127)
* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [Local](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)
* Jun 22 - [[Trend Micro] Following the Trail of BlackTech's Cyber Espionage Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/) | [Local](../../blob/master/2017/2017.06.22.following-trail-blacktech-cyber-espionage-campaigns)
* Jun 19 - [[root9B] SHELLTEA + POSLURP MALWARE: memory resident point-of-sale malware attacks industry](https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf) | [Local](../../blob/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE)
* Jun 18 - [[Palo Alto Networks] APT3 Uncovered: The code evolution of Pirpi](https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf) | [Local](../../blob/master/2017/2017.06.18.APT3_Uncovered_The_code_evolution_of_Pirpi)
* Jun 15 - [[Recorded Future] North Korea Is Not Crazy](https://www.recordedfuture.com/north-korea-cyber-activity/) | [Local](../../blob/master/2017/2017.06.15.north-korea-cyber-activity)
* Jun 14 - [[ThreatConnect] KASPERAGENT Malware Campaign resurfaces in the run up to May Palestinian Authority Elections](https://www.threatconnect.com/blog/kasperagent-malware-campaign/) | [Local](../../blob/master/2017/2017.06.14.KASPERAGENT)
* Jun 13 - [[US-CERT] HIDDEN COBRA North Korea's DDoS Botnet Infrastructure](https://www.us-cert.gov/ncas/alerts/TA17-164A) | [Local](../../blob/master/2017/2017.06.13.HIDDEN_COBRA)
* Jun 12 - [[Dragos] CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations](https://dragos.com/blog/crashoverride/CrashOverride-01.pdf) | [Local](../../blob/master/2017/2017.06.12.CRASHOVERRIDE)
* Jun 12 - [[ESET] WIN32/INDUSTROYER A new threat for industrial control systems](https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf) | [Local](../../blob/master/2017/2017.06.12.INDUSTROYER)
* May 30 - [[Group-IB] Lazarus Arisen: Architecture, Techniques and Attribution](http://www.group-ib.com/lazarus.html) | [Local](../../blob/master/2017/2017.05.30.Lazarus_Arisen)
* May 24 - [[Cybereason] OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP](https://www.cybereason.com/blog/operation-cobalt-kitty-apt) | [Local](../../blob/master/2017/2017.05.24.OPERATION_COBALT_KITTY)
* May 14 - [[FireEye] Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations](https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html) | [Local](../../blob/master/2017/2017.05.14.cyber-espionage-apt32)
* May 03 - [[Palo Alto Networks] Kazuar: Multiplatform Espionage Backdoor with API Access](http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-acces) | [Local](../../blob/master/2017/2017.05.03.kazuar-multiplatform-espionage-backdoor-api-access)
* May 03 - [[CISCO] KONNI: A Malware Under The Radar For Years](http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html) | [Local](../../blob/master/2017/konni-malware-under-radar-for-years)
* Apr 27 - [[Morphisec] Iranian Fileless Attack Infiltrates Israeli Organizations](http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability) | [Local](../../blob/master/2017/2017.04.27.iranian-fileless-cyberattack-on-israel-word-vulnerability)
* Apr 13 - [[F-SECURE] Callisto Group](https://www.f-secure.com/documents/996508/1030745/callisto-group) | [Local](../../blob/master/2017/2017.04.13.callisto-group)
* Apr 05 - [[Palo Alto Networks, Clearsky] Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA](https://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/) | [Local](../../blob/master/2017/2017.04.05.KASPERAGENT_and_MICROPSIA)
* Mar 14 - [[Clearsky] Operation Electric Powder Who is targeting Israel Electric Company?](http://www.clearskysec.com/iec/) | [Local](../../blob/master/2017/2017.03.14.Operation_Electric_Powder)
* Mar 06 - [[Kaspersky] From Shamoon to StoneDrill](https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/) | [Local](../../blob/master/2017/2017.03.06.from-shamoon-to-stonedrill)
* Feb 28 - [[IBM] Dridex's Cold War: Enter AtomBombing](https://securityintelligence.com/dridexs-cold-war-enter-atombombing/) | [Local](../../blob/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing)
* Feb 27 - [[Palo Alto Networks] The Gamaredon Group Toolset Evolution](http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/) | [Local](../../blob/master/2017/2017.02.27.gamaredon-group-toolset-evolution/)
* Feb 23 - [[Bitdefender] Dissecting the APT28 Mac OS X Payload](https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf) | [Local](../../blob/master/2017/2017.02.23.APT28_Mac_OS_X_Payload)
* Feb 22 - [[FireEye] Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government](https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html) | [Local](../../blob/master/2017/2017.02.22.Spear_Phishing_Mongolian_Government)
* Feb 21 - [[Arbor] Additional Insights on Shamoon2](https://www.arbornetworks.com/blog/asert/additional-insights-on-shamoon2/) | [Local](../../blob/master/2017/2017.02.21.Additional_Insights_on_Shamoon2)
* Feb 20 - [[BAE Systems] Lazarus' False Flag Malware](http://baesystemsai.blogspot.tw/2017/02/lazarus-false-flag-malware.html) | [Local](../../blob/master/2017/2017.02.20.Lazarus_False_Flag_Malware)
* Feb 17 - [[JPCERT] ChChes - Malware that Communicates with C&C Servers Using Cookie Headers](http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html) | [Local](../../blob/master/2017/2017.02.17.chches-malware)
* Feb 16 - [[BadCyber] Technical analysis of recent attacks against Polish banks](https://badcyber.com/technical-analysis-of-recent-attacks-against-polish-banks/) | [Local](../../blob/master/2017/2017.02.16.Technical_analysis_Polish_banks)
* Feb 15 - [[Morphick] Deep Dive On The DragonOK Rambo Backdoor](http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor) | [Local](../../blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor)
* Feb 15 - [[IBM] The Full Shamoon: How the Devastating Malware Was Inserted Into Networks](https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/) | [Local](../../blob/master/2017/2017.02.15.the-full-shamoon)
* Feb 15 - [[Dell] Iranian PupyRAT Bites Middle Eastern Organizations](https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations) | [Local](../../blob/master/2017/2017.02.15.iranian-pupyrat-bites-middle-eastern-organizations)
* Feb 15 - [[Palo Alto Networks] Magic Hound Campaign Attacks Saudi Targets](http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/) | [Local](../../blob/master/2017/2017.02.15.magic-hound-campaign)
* Feb 14 - [[Medium Corporation] Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal](https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852#.cly4mg1g8) | [Local](../../blob/master/2017/2017.02.14.Operation_Kingphish)
* Feb 12 - [[BAE Systems] Lazarus & Watering-Hole Attacks](https://baesystemsai.blogspot.tw/2017/02/lazarus-watering-hole-attacks.html) | [Local](../../blob/master/2017/2017.02.12.lazarus-watering-hole-attacks)
* Feb 10 - [[Cysinfo] Cyber Attack Targeting Indian Navy's Submarine And Warship Manufacturer](https://cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/) | [Local](../../blob/master/2017/2017.02.10.cyber-attack-targeting-indian-navys-submarine-warship-manufacturer)
* Feb 10 - [[DHS] Enhanced Analysis of GRIZZLY STEPPE Activity](https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf) | [Local](../../blob/master/2017/2017.02.10.Enhanced_Analysis_of_GRIZZLY_STEPPE)
* Feb 03 - [[RSA] KingSlayer A Supply chain attack](https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf) | [Local](../../blob/master/2017/2017.02.03.kingslayer-a-supply-chain-attack)
* Feb 03 - [[BadCyber] Several Polish banks hacked, information stolen by unknown attackers](https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/) | [Local](../../blob/master/2017/2017.02.03.several-polish-banks-hacked)
* Feb 02 - [[Proofpoint] Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx) | [Local](../../blob/master/2017/2017.02.02.APT_Targets_Russia_and_Belarus_with_ZeroT_and_PlugX)
* Jan 30 - [[Palo Alto Networks] Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments](http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/) | [Local](../../blob/master/2017/2017.01.30.downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments)
* Jan 19 - [[Cysinfo] URI Terror Attack & Kashmir Protest Themed Spear Phishing Emails Targeting Indian Embassies And Indian Ministry Of External Affairs](https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/) | [Local](../../blob/master/2017/2017.01.19.uri-terror-attack)
* Jan 18 - [[Trustwave] Operation Grand Mars: Defending Against Carbanak Cyber Attacks](https://www.trustwave.com/Resources/Library/Documents/Operation-Grand-Mars--Defending-Against-Carbanak-Cyber-Attacks/) | [Local](../../blob/master/2017/2017.01.18.Operation-Grand-Mars)
* Jan 15 - [[tr1adx] Bear Spotting Vol. 1: Russian Nation State Targeting of Government and Military Interests](https://www.tr1adx.net/intel/TIB-00003.html) | [Local](../../blob/master/2017/2017.01.15.Bear_Spotting_Vol.1)
* Jan 12 - [[Kaspersky] The “EyePyramid” attacks](https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/) | [Local](../../blob/master/2017/2017.01.12.EyePyramid.attacks)
* Jan 11 - [[FireEye] APT28: AT THE CENTER OF THE STORM](https://www.fireeye.com/blog/threat-research/2017/01/apt28_at_the_center.html) | [Local](../../blob/master/2017/2017.01.11.apt28_at_the_center)
* Jan 09 - [[Palo Alto Networks] Second Wave of Shamoon 2 Attacks Identified](http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/) | [Local](../../blob/master/2017/2017.01.09.second-wave-shamoon-2-attacks-identified)
* Jan 05 - [[Clearsky] Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford](http://www.clearskysec.com/oilrig/) | [Local](../../blob/master/2017/2017.01.05.Iranian_Threat_Agent_OilRig)
## 2016
* Dec 15 - [[Microsoft] PROMETHIUM and NEODYMIUM APT groups on Turkish citizens living in Turkey and various other European countries.](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf) | [Local](../../blob/master/2016/2016.12.15.PROMETHIUM_and_NEODYMIUM)
* Dec 13 - [[ESET] The rise of TeleBots: Analyzing disruptive KillDisk attacks](http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/) | [Local](../../blob/master/2016/2016.12.13.rise-telebots-analyzing-disruptive-killdisk-attacks)
* Nov 22 - [[Palo Alto Networks] Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy](http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/) | [Local](../../blob/master/2016/2016.11.22.tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy)
* Nov 09 - [[Fidelis] Down the H-W0rm Hole with Houdini's RAT](https://www.fidelissecurity.com/threatgeek/2016/11/down-h-w0rm-hole-houdinis-rat) | [Local](../../blob/master/2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat)
* Nov 03 - [[Booz Allen] When The Lights Went Out: Ukraine Cybersecurity Threat Briefing](http://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf) | [Local](../../blob/master/2016/2016.11.03.Ukraine_Cybersecurity_Threat_Briefing)
* Oct 31 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [Local](../../blob/master/2016/2016.10.31.Emissary_Trojan_Changelog)
* Oct 27 - [[ESET] En Route with Sednit Part 3: A Mysterious Downloader](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf) | [Local](../../blob/master/2016/2016.10.27.En_Route_Part3)
* Oct 27 - [[Trend Micro] BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List](http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/) | [Local](../../blob/master/2016/2016.10.27.BLACKGEAR_Espionage_Campaign_Evolves)
* Oct 26 - [[Vectra Networks] Moonlight Targeted attacks in the Middle East](http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks) | [Local](../../blob/master/2016/2016.10.26.Moonlight_Middle_East)
* Oct 25 - [[Palo Alto Networks] Houdini's Magic Reappearance](http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/) | [Local](../../blob/master/2016/2016.10.25.Houdini_Magic_Reappearance)
* Oct 25 - [[ESET] En Route with Sednit Part 2: Lifting the lid on Sednit: A closer look at the software it uses](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf) | [Local](../../blob/master/2016/2016.10.25.Lifting_the_lid_on_Sednit)
* Oct 20 - [[ESET] En Route with Sednit Part 1: Approaching the Target](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf) | [Local](../../blob/master/2016/2016.10.20.En_Route_with_Sednit)
* Oct 17 - [[ThreatConnect] ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence?](https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/) | [Local](../../blob/master/2016/2016.10.16.A_Tale_of_Two_Targets)
* Oct 05 - [[Kaspersky] Wave your false flags](https://securelist.com/files/2016/10/Bartholomew-GuerreroSaade-VB2016.pdf) | [Local](../../blob/master/2016/2016.10.05_Wave_Your_False_flag)
* Oct 03 - [[Kaspersky] On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users](https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/) | [Local](../../blob/master/2016/2016.10.03.StrongPity)
* Sep 29 - [[NATO CCD COE] China and Cyber: Attitudes, Strategies, Organisation](https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_CHINA_092016.pdf) | [Local](../../blob/master/2016/2016.09.29.China_and_Cyber_Attitudes_Strategies_Organisation)
* Sep 28 - [[ThreatConnect] Belling the BEAR: russia-hacks-bellingcat-mh17-investigation](https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/) | [Local](../../blob/master/2016/2016.09.28.russia-hacks-bellingcat-mh17-investigation)
* Sep 26 - [[Palo Alto Networks] Sofacy's Komplex OS X Trojan](http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/) | [Local](../../blob/master/2016/2016.09.26_Sofacy_Komplex_OSX_Trojan)
* Sep 18 - [[Cyberkov] Hunting Libyan Scorpions](https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf) | [Local](../../blob/master/2016/2016.09.18.Hunting-Libyan-Scorpions)
* Sep 14 - [[Palo Alto Networks] MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies](http://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/) | [Local](../../blob/master/2016/2016.09.14.MILE_TEA)
* Sep 06 - [[Symantec] Buckeye cyberespionage group shifts gaze from US to Hong Kong](http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong) | [Local](../../blob/master/2016/2016.09.06.buckeye-cyberespionage-group-shifts-gaze-us-hong-kong)
* Sep 01 - [[IRAN THREATS] MALWARE POSING AS HUMAN RIGHTS ORGANIZATIONS AND COMMERCIAL SOFTWARE TARGETING IRANIANS, FOREIGN POLICY INSTITUTIONS AND MIDDLE EASTERN COUNTRIES](https://iranthreats.github.io/resources/human-rights-impersonation-malware/) | [Local](../../blob/master/2016/2016.09.01.human-rights-impersonation-malware)
* Aug 25 - [[Lookout] Technical Analysis of Pegasus Spyware](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf) | [Local](../../blob/master/2016/2016.08.25.lookout-pegasus-technical-analysis)
* Aug 24 - [[Citizen Lab] The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/) | [Local](../../blob/master/2016/2016.08.24.million-dollar-dissident-iphone-zero-day-nso-group-uae)
* Aug 19 - [[ThreatConnect] Russian Cyber Operations on Steroids](https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/) | [Local](../../blob/master/2016/2016.08.19.fancy-bear-anti-doping-agency-phishing)
* Aug 17 - [[Kaspersky] Operation Ghoul: targeted attacks on industrial and engineering organizations](https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/) | [Local](../../blob/master/2016/2016.08.17_operation-ghoul)
* Aug 16 - [[Palo Alto Networks] Aveo Malware Family Targets Japanese Speaking Users](http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/) | [Local](../../blob/master/2016/2016.08.16.aveo-malware-family-targets-japanese)
* Aug 11 - [[IRAN THREATS] Iran and the Soft War for Internet Dominance](https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf) | [Local](../../blob/master/2016/2016.08.11.Iran-And-The-Soft-War-For-Internet-Dominance)
* Aug 08 - [[Forcepoint] MONSOON](https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign) | [Local](../../blob/master/2016/2016.08.08.monsoon-analysis-apt-campaign)
* Aug 08 - [[Kaspersky] ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms](https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/) | [Local](../../blob/master/2016/2016.08.08.ProjectSauron)
* Aug 07 - [[Symantec] Strider: Cyberespionage group turns eye of Sauron on targets](http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets) | [Local](../../blob/master/2016/2016.08.07.Strider_Cyberespionage_group_turns_eye_of_Sauron_on_targets)
* Aug 04 - [[Recorded Future] Running for Office: Russian APT Toolkits Revealed](https://www.recordedfuture.com/russian-apt-toolkits/) | [Local](../../blob/master/2016/2016.08.04.russian-apt-toolkits)
* Aug 03 - [[EFF] Operation Manul: I Got a Letter From the Government the Other Day...Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan](https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf) | [Local](../../blob/master/2016/2016.08.03.i-got-a-letter-from-the-government)
* Aug 02 - [[Citizen Lab] Group5: Syria and the Iranian Connection](https://citizenlab.org/2016/08/group5-syria/) | [Local](../../blob/master/2016/2016.08.02.group5-syria)
* Jul 28 - [[ICIT] China's Espionage Dynasty](http://icitech.org/wp-content/uploads/2016/07/ICIT-Brief-China-Espionage-Dynasty.pdf) | [Local](../../blob/master/2016/2016.07.28.China_Espionage_Dynasty)
* Jul 26 - [[Palo Alto Networks] Attack Delivers 9002 Trojan Through Google Drive](http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/) | [Local](../../blob/master/2016/2016.07.26.Attack_Delivers_9002_Trojan_Through_Google_Drive)
* Jul 21 - [[360] Sphinx (APT-C-15) Targeted cyber-attack in the Middle East](https://ti.360.com/upload/report/file/rmsxden20160721.pdf) | [Local](../../blob/master/2016/2016.07.21.Sphinx_Targeted_cyber-attack_in_the_Middle_East)
* Jul 21 - [[RSA] Hide and Seek: How Threat Actors Respond in the Face of Public Exposure](https://www.rsaconference.com/writable/presentations/file_upload/tta1-f04_hide-and-seek-how-threat-actors-respond-in-the-face-of-public-exposure.pdf) | [Local](../../blob/master/2016/2016.07.21.Hide_and_Seek)
* Jul 13 - [[SentinelOne] State-Sponsored SCADA Malware targeting European Energy Companies](https://sentinelone.com/blogs/sfg-furtims-parent/) | [Local](../../blob/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies)
* Jul 12 - [[F-SECURE] NanHaiShu: RATing the South China Sea](https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf) | [Local](../../blob/master/2016/2016.07.12.NanHaiShu_RATing_the_South_China_Sea)
* Jul 08 - [[Kaspersky] The Dropping Elephant aggressive cyber-espionage in the Asian region](https://securelist.com/blog/research/75328/the-dropping-elephant-actor/) | [Local](../../blob/master/2016/2016.07.08.The_Dropping_Elephant)
* Jul 07 - [[Proofpoint] NetTraveler APT Targets Russian, European Interests](https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests) | [Local](../../blob/master/2016/2016.07.07.nettraveler-apt-targets-russian-european-interests)
* Jul 07 - [[Cymmetria] UNVEILING PATCHWORK: THE COPY-PASTE APT](https://www.cymmetria.com/wp-content/uploads/2016/07/Unveiling-Patchwork.pdf) | [Local](../../blob/master/2016/2016.07.07.UNVEILING_PATCHWORK)
* Jul 03 - [[Check Point] From HummingBad to Worse](http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf) | [Local](../../blob/master/2016/2016.07.03_From_HummingBad_to_Worse)
* Jul 01 - [[Bitdefender] Pacifier APT](http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf) | [Local](../../blob/master/2016/2016.07.01.Bitdefender_Pacifier_APT)
* Jul 01 - [[ESET] Espionage toolkit targeting Central and Eastern Europe uncovered](http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eastern-europe-uncovered/) | [Local](../../blob/master/2016/2016.07.01.SBDH_toolkit_targeting_Central_and_Eastern_Europe)
* Jun 30 - [[JPCERT] Asruex: Malware Infecting through Shortcut Files](http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html) | [Local](../../blob/master/2016/2016.06.30.Asruex)
* Jun 29 - [[Proofpoint] MONSOON ANALYSIS OF AN APT CAMPAIGN](https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf) | [Local](../../blob/master/2016/2016.06.29.MonSoon)
* Jun 28 - [[Palo Alto Networks] Prince of Persia Game Over](http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/) | [Local](../../blob/master/2016/2016.06.28.prince-of-persia-game-over)
* Jun 28 - [[JPCERT] (Japan)Attack Tool Investigation](https://www.jpcert.or.jp/research/20160628ac-ir_research.pdf) | [Local](../../blob/master/2016/2016.06.28.Attack_Tool_Investigation)
* Jun 26 - [[Trend Micro] The State of the ESILE/Lotus Blossom Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the-esilelotus-blossom-campaign/) | [Local](../../blob/master/2016/2016.06.26.The_State_of_the_ESILE_Lotus_Blossom_Campaign)
* Jun 26 - [[Cylance] Nigerian Cybercriminals Target High-Impact Industries in India via Pony](https://blog.cylance.com/threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony) | [Local](../../blob/master/2016/2016.06.26.Nigerian_Cybercriminals_Target_High_Impact_Industries_in_India)
* Jun 23 - [[Palo Alto Networks] Tracking Elirks Variants in Japan: Similarities to Previous Attacks](http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/) | [Local](../../blob/master/2016/2016.06.23.Tracking_Elirks_Variants_in_Japan)
* Jun 21 - [[Fortinet] The Curious Case of an Unknown Trojan Targeting German-Speaking Users](https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users) | [Local](../../blob/master/2016/2016.06.21.Unknown_Trojan_Targeting_German_Speaking_Users)
* Jun 21 - [[FireEye] Redline Drawn: China Recalculates Its Use of Cyber Espionage](https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf) | [Local](../../blob/master/2016/2016.06.21.Redline_Drawn_China_Recalculates_Its_Use_of_Cyber_Espionage)
* Jun 21 - [[ESET] Visiting The Bear Den](http://www.welivesecurity.com/wp-content/uploads/2016/06/visiting_the_bear_den_recon_2016_calvet_campos_dupuy-1.pdf) | [Local](../../blob/master/2016/2016.06.21.visiting_the_bear_den_recon_2016_calvet_campos_dupuy)
* Jun 16 - [[Dell] Threat Group-4127 Targets Hillary Clinton Presidential Campaign](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) | [Local](../../blob/master/2016/2016.06.16.DNC)
* Jun 15 - [[CrowdStrike] Bears in the Midst: Intrusion into the Democratic National Committee](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) | [Local](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 09 - [[Clearsky] Operation DustySky Part 2](http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf) | [Local](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 02 - [[Trend Micro] FastPOS: Quick and Easy Credit Card Theft](http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf) | [Local](../../blob/master/2016/2016.06.02.fastpos-quick-and-easy-credit-card-theft/)
* May 27 - [[Trend Micro] IXESHE Derivative IHEATE Targets Users in America](http://blog.trendmicro.com/trendlabs-security-intelligence/ixeshe-derivative-iheate-targets-users-america/) | [Local](../../blob/master/2016/2016.05.27.IXESHE_Derivative_IHEATE_Targets_Users_in_America/)
* May 26 - [[Palo Alto Networks] The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) | [Local](../../blob/master/2016/2016.05.26.OilRig_Campaign/)
* May 25 - [[Kaspersky] CVE-2015-2545: overview of current threats](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/) | [Local](../../blob/master/2016/2016.05.25.CVE-2015-2545/)
* May 24 - [[Palo Alto Networks] New Wekby Attacks Use DNS Requests As Command and Control Mechanism](http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/) | [Local](../../blob/master/2016/2016.05.24.New_Wekby_Attacks)
* May 23 - [[MELANI:GovCERT] APT Case RUAG Technical Report](https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf) | [Local](../../blob/master/2016/2016.05.23.APT_Case_RUAG)
* May 22 - [[FireEye] TARGETED ATTACKS AGAINST BANKS IN THE MIDDLE EAST](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) | [Local](../../blob/master/2016/2016.05.22.Targeted_Attacks_Against_Banks_in_Middle_East)
* May 22 - [[Palo Alto Networks] Operation Ke3chang Resurfaces With New TidePool Malware](http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/) | [Local](../../blob/master/2016/2016.05.22.Operation_Ke3chang_Resurfaces_With_New_TidePool_Malware/)
* May 18 - [[ESET] Operation Groundbait: Analysis of a surveillance toolkit](http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf) | [Local](../../blob/master/2016/2016.05.18.Operation_Groundbait/)
* May 17 - [[FOX-IT] Mofang: A politically motivated information stealing adversary](https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf) | [Local](../../blob/master/2016/2016.05.17.Mofang)
* May 17 - [[Symantec] Indian organizations targeted in Suckfly attacks](http://www.symantec.com/connect/ko/blogs/indian-organizations-targeted-suckfly-attacks) | [Local](../../blob/master/2016/2016.05.17.Indian_organizations_targeted_in_Suckfly_attacks/)
* May 10 - [[Trend Micro] Backdoor as a Software Suite: How TinyLoader Distributes and Upgrades PoS Threats](http://blog.trendmicro.com/trendlabs-security-intelligence/how-tinyloader-distributes-and-upgrades-pos-threats/) | [paper](http://documents.trendmicro.com/assets/tinypos-abaddonpos-ties-to-tinyloader.pdf) | [Local](../../blob/master/2016/2016.05.10.tinyPOS_tinyloader/)
* May 09 - [[CMU SEI] Using Honeynets and the Diamond Model for ICS Threat Analysis](http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454247.pdf) | [Local](../../blob/master/2016/2016.05.09_ICS_Threat_Analysis/)
* May 06 - [[PwC] Exploring CVE-2015-2545 and its users](http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html) | [Local](../../blob/master/2016/2016.05.06_Exploring_CVE-2015-2545/)
* May 05 - [[Forcepoint] Jaku: an on-going botnet campaign](https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf) | [Local](../../blob/master/2016/2016.05.05_Jaku_botnet_campaign/)
* May 02 - [[Team Cymru] GOZNYM MALWARE target US, AT, DE](https://blog.team-cymru.org/2016/05/goznym-malware/) | [Local](../../blob/master/2016/2016.05.02.GOZNYM_MALWARE)
* May 02 - [[Palo Alto Networks] Prince of Persia: Infy Malware Active In Decade of Targeted Attacks](http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/) | [Local](../../blob/master/2016/2016.05.02.Prince_of_Persia_Infy_Malware/)
* Apr 27 - [[Kaspersky] Repackaging Open Source BeEF for Tracking and More](https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/) | [Local](../../blob/master/2016/2016.04.27.Repackaging_Open_Source_BeEF)
* Apr 26 - [[Financial Times] Cyber warfare: Iran opens a new front](http://www.ft.com/intl/cms/s/0/15e1acf0-0a47-11e6-b0f1-61f222853ff3.html#axzz478cZz3ao) | [Local](../../blob/master/2016/2016.04.26.Iran_Opens_a_New_Front/)
* Apr 26 - [[Arbor] New Poison Ivy Activity Targeting Myanmar, Asian Countries](https://www.arbornetworks.com/blog/asert/recent-poison-iv/) | [Local](../../blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/)
* Apr 22 - [[Cylance] The Ghost Dragon](https://blog.cylance.com/the-ghost-dragon) | [Local](../../blob/master/2016/2016.04.22.the-ghost-dragon)
* Apr 21 - [[SentinelOne] Teaching an old RAT new tricks](https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/) | [Local](../../blob/master/2016/2016.04.21.Teaching_an_old_RAT_new_tricks/)
* Apr 21 - [[Palo Alto Networks] New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists](http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/) | [Local](../../blob/master/2016/2016.04.21.New_Poison_Ivy_RAT_Variant_Targets_Hong_Kong/)
* Apr 18 - [[Citizen Lab] Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns](https://citizenlab.org/2016/04/between-hong-kong-and-burma/) | [Local](../../blob/master/2016/2016.04.18.UP007/)
* Apr 15 - [[SANS] Detecting and Responding to Pandas and Bears](http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf) | [Local](../../blob/master/2016/2016.04.15.pandas_and_bears/)
* Apr 12 - [[Microsoft] PLATINUM: Targeted attacks in South and Southeast Asia](http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf) | [Local](../../blob/master/2016/2016.04.12.PLATINUM_Targeted_attacks_in_South_and_Southeast_Asia/)
* Mar 25 - [[Palo Alto Networks] ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe](http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/?utm_medium=email&utm_source=Adobe%20Campaign&utm_campaign=Unit%2042%20Blog%20Updates%2031Mar16) | [Local](../../blob/master/2016/2016.03.25.ProjectM/)
* Mar 23 - [[Trend Micro] Operation C-Major: Information Theft Campaign Targets Military Personnel in India](http://blog.trendmicro.com/trendlabs-security-intelligence/indian-military-personnel-targeted-by-information-theft-campaign/) | [Local](../../blob/master/2016/2016.03.23.Operation_C_Major/)
* Mar 18 - [[SANS] Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf) | [Local](../../blob/master/2016/2016.03.18.Analysis_of_the_Cyber_Attack_on_the_Ukrainian_Power_Grid/)
* Mar 17 - [[PwC] Taiwan Presidential Election: A Case Study on Thematic Targeting](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html) | [Local](../../blob/master/2016/2016.03.17.Taiwan-election-targetting/)
* Mar 15 - [[Symantec] Suckfly: Revealing the secret life of your code signing certificates](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates) | [Local](../../blob/master/2016/2016.03.15.Suckfly)
* Mar 14 - [[Proofpoint] Bank robbery in progress: New attacks from Carbanak group target banks in Middle East and US](https://www.proofpoint.com/us/threat-insight/post/carbanak-cybercrime-group-targets-executives-of-financial-organizations-in-middle-east) | [Local](../../blob/master/2016/2016.03.14.Carbanak_cybercrime_group)
* Mar 10 - [[Citizen Lab] Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans](https://citizenlab.org/2016/03/shifting-tactics/) | [Local](../../blob/master/2016/2016.03.10.shifting-tactics)
* Mar 09 - [[FireEye] LESSONS FROM OPERATION RUSSIANDOLL](https://www.fireeye.com/blog/threat-research/2016/03/lessons-from-operation-russian-doll.html) | [Local](../../blob/master/2016/2016.03.09.Operation_RussianDoll)
* Mar 08 - [[360] Operation OnionDog: A 3 Year Old APT Focused On the Energy and Transportation Industries in Korean-language Countries](http://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html) | [Local](../../blob/master/2016/2016.03.08.OnionDog)
* Mar 03 - [[Recorded Future] Shedding Light on BlackEnergy With Open Source Intelligence](https://www.recordedfuture.com/blackenergy-malware-analysis/) | [Local](../../blob/master/2016/2016.03.03.Shedding_Light_BlackEnergy)
* Mar 01 - [[Proofpoint] Operation Transparent Tribe - APT Targeting Indian Diplomatic and Military Interests](https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe) | [Local](../../blob/master/2016/2016.03.01.Operation_Transparent_Tribe/)
* Feb 29 - [[Fidelis] The Turbo Campaign, Featuring Derusbi for 64-bit Linux](https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602_0.pdf) | [Local](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 24 - [[NOVETTA] Operation Blockbuster](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) | [Local](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 23 - [[Cylance] OPERATION DUST STORM](https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456355696065) | [Local](../../blob/master/2016/2016.02.23.Operation_Dust_Storm)
* Feb 12 - [[Palo Alto Networks] A Look Into Fysbis: Sofacy's Linux Backdoor](http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/) | [Local](../../blob/master/2016/2016.02.12.Fysbis_Sofacy_Linux_Backdoor)
* Feb 11 - [[Recorded Future] Hacktivism: India vs. Pakistan](https://www.recordedfuture.com/india-pakistan-cyber-rivalry/) | [Local](../../blob/master/2016/2016.02.11.Hacktivism_India_vs_Pakistan)
* Feb 09 - [[Kaspersky] Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage](https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/) | [Local](../../blob/master/2016/2016.02.09_Poseidon_APT_Boutique)
* Feb 08 - [[ICIT] Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups](http://icitech.org/know-your-enemies-2-0/) | [Local](../../blob/master/2016/2016.02.08.Know_Your_Enemies_2.0)
* Feb 04 - [[Palo Alto Networks] T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques](http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/) | [Local](../../blob/master/2016/2016.02.04_PaloAlto_T9000-Advanced-Modular-Backdoor)
* Feb 03 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [Local](../../blob/master/2016.02.03.Emissary_Trojan_Changelog)
* Feb 01 - [[Sucuri] Massive Admedia/Adverting iFrame Infection](https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html) | [Local](../../blob/master/2016/2016.02.01.Massive_Admedia_Adverting_iFrame_Infection)
* Feb 01 - [[IBM] Organized Cybercrime Big in Japan: URLZone Now on the Scene](https://securityintelligence.com/organized-cybercrime-big-in-japan-urlzone-now-on-the-scene/) | [Local](../../blob/master/2016/2016.02.01.URLzone_Team)
* Jan 29 - [[F5] Tinbapore: Millions of Dollars at Risk](https://devcentral.f5.com/d/tinbapore-millions-of-dollars-at-risk?download=true) | [Local](../../blob/master/2016/2016.01.29.Tinbapore_Attack)
* Jan 29 - [[Zscaler] Malicious Office files dropping Kasidet and Dridex](http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html) | [Local](../../blob/master/2016/2016.01.29.Malicious_Office_files_dropping_Kasidet_and_Dridex)
* Jan 28 - [[Kaspersky] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents](https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/) | [Local](../../blob/master/2016/2016.01.28.BlackEnergy_APT)
* Jan 27 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [Local](../../blob/master/2016/2016.01.27.Hi-Zor.RAT)
* Jan 26 - [[SentinelOne] Analyzing a New Variant of BlackEnergy 3](https://www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf) | [Local](../../blob/master/2016/2016.01.26.BlackEnergy3)
* Jan 24 - [[Palo Alto Networks] Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists](http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/) | [Local](../../blob/master/2016/2016.01.24_Scarlet_Minic)
* Jan 21 - [[Palo Alto Networks] NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan](http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/) | [Local](../../blob/master/2016/2016.01.21.NetTraveler_Uzbekistan)
* Jan 19 - [[360] 2015 APT Annual Report](https://ti.360.com/upload/report/file/2015.APT.Annual_Report.pdf) | [Local](../../blob/master/2016/2016.01.19.360_APT_Report)
* Jan 14 - [[CISCO] RESEARCH SPOTLIGHT: NEEDLES IN A HAYSTACK](http://blog.talosintel.com/2016/01/haystack.html#more) | [Local](../../blob/master/2016/2016.01.14_Cisco_Needles_in_a_Haystack)
* Jan 14 - [[Symantec] The Waterbug attack group](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [Local](../../blob/master/2016/2016.01.14.The.Waterbug.Attack.Group/)
* Jan 07 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf) | [Local](../../blob/master/2016/2016.01.07.Operation_DustySky)
* Jan 07 - [[CISCO] RIGGING COMPROMISE - RIG EXPLOIT KIT](http://blog.talosintel.com/2016/01/rigging-compromise.html) | [Local](../../blob/master/2016/2016.01.07.rigging-compromise)
* Jan 03 - [[ESET] BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) | [Local](../../blob/master/2016/2016.01.03.BlackEnergy_Ukrainian)
## 2015
* Dec 23 - [[PwC] ELISE: Security Through Obesity](http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html) | [Local](../../blob/master/2015/2015.12.13.ELISE)
* Dec 22 - [[Palo Alto Networks] BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger](http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/) | [Local](../../blob/master/2015/2015.12.22.BBSRAT_Roaming_Tiger)
* Dec 20 - [[FireEye] The EPS Awakens - Part 2](https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html) | [Local](../../blob/master/2015/2015.12.20.EPS_Awakens_Part_II)
* Dec 18 - [[Palo Alto Networks] Attack on French Diplomat Linked to Operation Lotus Blossom](http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/) | [Local](../../blob/master/2015/2015.12.18.Attack_on_Frence_Diplomat_Linked_To_Operation_Lotus_Blossom)
* Dec 16 - [[Bitdefender] APT28 Under the Scope - A Journey into Exfiltrating Intelligence and Government Information](http://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf) | [Local](../../blob/master/2015/2015.12.17.APT28_Under_The_Scope)
* Dec 16 - [[Trend Micro] Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them](http://documents.trendmicro.com/assets/Operation_Black%20Atlas_Technical_Brief.pdf) | [Local](../../blob/master/2015/2015.12.16.INOCNATION.Campaign)
* Dec 16 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [Local](../../blob/master/2015/2015.12.16.INOCNATION.Campaign)
* Dec 15 - [[AirBus] Newcomers in the Derusbi family](http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family) | [Local](../../blob/master/2015/2015.12.15.Newcomers_in_the_Derusbi_family)
* Dec 08 - [[Citizen Lab] Packrat: Seven Years of a South American Threat Actor](https://citizenlab.org/2015/12/packrat-report/) | [Local](../../blob/master/2015/2015.12.08.Packrat)
* Dec 07 - [[FireEye] Financial Threat Group Targets Volume Boot Record](https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html) | [Local](../../blob/master/2015/2015.12.07.Thriving_Beyond_The_Operating_System)
* Dec 07 - [[Symantec] Iran-based attackers use back door threats to spy on Middle Eastern targets](http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) | [Local](../../blob/master/2015/2015.12.07.Iran-based)
* Dec 04 - [[Kaspersky] Sofacy APT hits high profile targets with updated toolset](https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/) | [Local](../../blob/master/2015/2015.12.04.Sofacy_APT)
* Dec 01 - [[FireEye] China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html) | [Local](../../blob/master/2015/2015.12.01.China-based_Cyber_Threat_Group_Uses_Dropbox_for_Malware_Communications_and_Targets_Hong_Kong_Media_Outlets)
* Nov 30 - [[FOX-IT] Ponmocup - A giant hiding in the shadows](https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf) | [Local](../../blob/master/2015/2015.11.30.Ponmocup)
* Nov 24 - [[Palo Alto Networks] Attack Campaign on the Government of Thailand Delivers Bookworm Trojan](http://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/) | [Local](../../blob/master/2015/2015.11.24.Attack_Campaign_on_the_Government_of_Thailand_Delivers_Bookworm_Trojan)
* Nov 23 - [[Minerva Labs, ClearSky] CopyKittens Attack Group](https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf) | [Local](../../blob/master/2015/2015.11.23.CopyKittens_Attack_Group)
* Nov 23 - [[RSA] PEERING INTO GLASSRAT](https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf) | [Local](../../blob/master/2015/2015.11.23.PEERING_INTO_GLASSRAT)
* Nov 23 - [[Trend Micro] Prototype Nation: The Chinese Cybercriminal Underground in 2015](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/prototype-nation-the-chinese-cybercriminal-underground-in-2015/?utm_source=siblog&utm_medium=referral&utm_campaign=2015-cn-ug) | [Local](../../blob/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015)
* Nov 19 - [[Kaspersky] Russian financial cybercrime: how it works](https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/) | [Local](../../blob/master/2015/2015.11.18.Russian_financial_cybercrime_how_it_works)
* Nov 19 - [[JPCERT] Decrypting Strings in Emdivi](http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html) | [Local](../../blob/master/2015/2015.11.19.decrypting-strings-in-emdivi)
* Nov 18 - [[Palo Alto Networks] TDrop2 Attacks Suggest Dark Seoul Attackers Return](http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/) | [Local](../../blob/master/2015/2015.11.18.tdrop2)
* Nov 18 - [[CrowdStrike] Sakula Reloaded](http://blog.crowdstrike.com/sakula-reloaded/) | [Local](../../blob/master/2015/2015.11.18.Sakula_Reloaded)
* Nov 18 - [[Damballa] Damballa discovers new toolset linked to Destover Attackers arsenal helps them to broaden attack surface](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.18.Destover/amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface.pdf) | [Local](../../blob/master/2015/2015.11.18.Destover)
* Nov 16 - [[FireEye] WitchCoven: Exploiting Web Analytics to Ensnare Victims](https://www2.fireeye.com/threat-intel-report-WITCHCOVEN.html) | [Local](../../blob/master/2015/2015.11.17.Pinpointing_Targets_Exploiting_Web_Analytics_to_Ensnare_Victims)
* Nov 10 - [[Palo Alto Networks] Bookworm Trojan: A Model of Modular Architecture](http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/) | [Local](../../blob/master/2015/2015.11.10.bookworm-trojan-a-model-of-modular-architecture)
* Nov 09 - [[Check Point] Rocket Kitten: A Campaign With 9 Lives](http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf) | [Local](../../blob/master/2015/2015.11.09.Rocket_Kitten_A_Campaign_With_9_Lives)
* Nov 04 - [[RSA] Evolving Threats: dissection of a CyberEspionage attack](http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf) | [Local](../../blob/master/2015/2015.11.04_Evolving_Threats)
* Oct 16 - [[Citizen Lab] Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/) | [IOC](https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36/) | [Local](../../blob/master/2015/2015.10.targeted-attacks-ngo-burma.pdf)
* Oct 15 - [[Citizen Lab] Pay No Attention to the Server Behind the Proxy: Mapping FinFisher's Continuing Proliferation](https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/) | [Local](../../blob/master/2015/Mapping%20FinFisher%E2%80%99s%20Continuing%20Proliferation.pdf)
* Oct 05 - [[Recorded Future] Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy](http://go.recordedfuture.com/hubfs/reports/threat-identification.pdf) | [Local](../../blob/master/2015/2015.10.05.Proactive_Threat_Identification)
* Oct 03 - [[Cybereason] Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf) | [Local](../../blob/master/2015/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf)
* Sep 23 - [[ThreatConnect] PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA'S UNIT 78020](https://www.threatconnect.com/camerashy-intro/) | [PDF](https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) | [Local](../../blob/master/2015/2015.09.23.CAMERASHY_ThreatConnect)
* Sep 17 - [[F-SECURE] The Dukes: 7 Years of Russian Cyber Espionage](https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/) | [PDF](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf) | [Local](../../blob/master/2015/2015.09.17.duke_russian)
* Sep 16 - [[Proofpoint] The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK](https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows) | [Local](../../blob/master/2015/2015.09.16.The-Shadow-Knows)
* Sep 16 - [[Trend Micro] Operation Iron Tiger: How China-Based Actors Shifted Attacks from APAC to US Targets](http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states) | [IOC](https://otx.alienvault.com/pulse/55f9910967db8c6fb35179bd/) | [Local](../../blob/master/2015/2015.09.17.Operation_Iron_Tiger)
* Sep 15 - [[Proofpoint] In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) | [Local](../../blob/master/2015/2015.09.15.PlugX_in_Russia)
* Sep 09 - [[Kaspersky] Satellite Turla: APT Command and Control in the Sky](https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/) | [Local](../../blob/master/2015/2015.09.09.satellite-turla-apt)
* Sep 08 - [[Palo Alto Networks] Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware](http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/) | [Local](../../blob/master/2015/2015.09.08.Musical_Chairs_Gh0st_Malware)
* Sep 01 - [[Trend Micro, Clearsky] The Spy Kittens Are Back: Rocket Kitten 2](http://www.trendmicro.tw/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) | [PDF](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf) | [Local](../../blob/master/2015/2015.09.01.Rocket_Kitten_2)
* Aug 20 - [[Arbor] PlugX Threat Activity in Myanmar](http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf) | [Local](../../blob/master/2015/Sep.01.PlugX_Threat_Activity_in_Myanmar)
* Aug 20 - [[Kaspersky] New activity of the Blue Termite APT](https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/) | [Local](../../blob/master/2015/2015.08.20.new-activity-of-the-blue-termite-apt)
* Aug 19 - [[Symantec] New Internet Explorer zero-day exploited in Hong Kong attacks](http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks) | [Local](../../blob/master/2015/2015.08.19.new-internet-explorer-zero-day-exploited-hong-kong-attacks)
* Aug 10 - [[ShadowServer] The Italian Connection: An analysis of exploit supply chains and digital quartermasters](http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exploit-supply-chains-and-digital-quartermasters/) | [Local](../../blob/master/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters)
* Aug 08 - [[cyint.dude] Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign](http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended-plugx-campaign/) | [Local](../../blob/master/2015/Aug.08.Threat_Analysis\:Poison_Ivy_and_Links_to_an_Extended_PlugX_Campaign)
* Aug 05 - [[Dell] Threat Group-3390 Targets Organizations for Cyberespionage](http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/) | [Local](../../blob/master/2015/Aug.05.Threat_Group-3390_Targets_Organizations_for_Cyberespionage)
* Aug 04 - [[RSA] Terracotta VPN: Enabler of Advanced Threat Anonymity](https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/) | [Local](../../blob/master/2015/2015.08.04.Terracotta_VPN)
* Jul 30 - [[ESET] Operation Potao Express](http://www.welivesecurity.com/2015/07/30/operation-potao-express/) | [IOC](https://github.com/eset/malware-ioc/tree/master/potao) | [Local](../../blob/master/2015/2015.07.30.Operation-Potao-Express)
* Jul 28 - [[Symantec] Black Vine: Formidable cyberespionage group targeted aerospace, healthcare since 2012](http://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012) | [Local](../../blob/master/2015/2015.07.28.Black_Vine)
* Jul 27 - [[FireEye] HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group](https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html) | [Local](../../blob/master/2015/2015.07.27.HAMMERTOSS)
* Jul 22 - [[F-SECURE] Duke APT group's latest tools: cloud services and Linux support](https://www.f-secure.com/weblog/archives/00002822.html) | [Local](../../blob/master/2015/2015.07.22.Duke_APT_groups_latest_tools)
* Jul 20 - [[ThreatConnect] China Hacks the Peace Palace: All Your EEZs Are Belong to Us](http://www.threatconnect.com/news/china-hacks-the-peace-palace-all-your-eezs-are-belong-to-us/) | [Local](../../blob/master/2015/2015.07.20.China_Peace_Palace)
* Jul 20 - [[Palo Alto Networks] Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor](http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/) | [Local](../../blob/master/2015/2015.07.20.IsSpace_Backdoor)
* Jul 14 - [[Palo Alto Networks] Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke](http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/) | [Local](../../blob/master/2015/2015.07.14.tracking-minidionis-cozycars)
* Jul 14 - [[Trend Micro] An In-Depth Look at How Pawn Storm's Java Zero-Day Was Used](http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/) | [Local](../../blob/master/2015/2015.07.14.How_Pawn_Storm_Java_Zero-Day_Was_Used)
* Jul 13 - [[Symantec] "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory](http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory) | [Local](../../blob/master/2015/2015.07.13.Forkmeiamfamous)
* Jul 13 - [[FireEye] Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability CVE-2015-5119 Following Hacking Team Leak](https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html) | [Local](../../blob/master/2015/2015.07.13.Demonstrating_Hustle)
* Jul 10 - [[Palo Alto Networks] APT Group UPS Targets US Government with Hacking Team Flash Exploit](http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team-flash-exploit/) | [Local](../../blob/master/2015/2015.07.10.APT_Group_UPS_Targets_US_Government)
* Jul 09 - [[Symantec] Butterfly: Corporate spies out for financial gain](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf) | [Local](../../blob/master/2015/2015.07.09.Butterfly)
* Jul 08 - [[Kaspersky] Wild Neutron - Economic espionage threat actor returns with new tricks](https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/) | [Local](../../blob/master/2015/2015.07.08.Wild_Neutron)
* Jul 08 - [[Volexity] APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)](http://www.volexity.com/blog/?p=158) | [Local](../../blob/master/2015/2015.07.08.APT_CVE-2015-5119)
* Jun 30 - [[ESET] Dino - the latest spying malware from an allegedly French espionage group analyzed](http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed) | [Local](../../blob/master/2015/2015.06.30.dino-spying-malware-analyzed)
* Jun 28 - [[Dragon Threat Labs] APT on Taiwan - insight into advances of adversary TTPs](http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html) | [Local](../../blob/master/2015/2015.06.28.APT_on_Taiwan)
* Jun 26 - [[FireEye] Operation Clandestine Wolf - Adobe Flash Zero-Day in APT3 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) | [Local](../../blob/master/2015/2015.06.26.operation-clandestine-wolf)
* Jun 24 - [[PwC] UnFIN4ished Business (FIN4)](http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html) | [Local](../../blob/master/2015/2015.06.24.unfin4ished-business)
* Jun 22 - [[Kaspersky] Winnti targeting pharmaceutical companies](https://securelist.com/blog/research/70991/games-are-over/) | [Local](../../blob/master/2015/2015.06.22.Winnti_targeting_pharmaceutical_companies)
* Jun 16 - [[Palo Alto Networks] Operation Lotus Bloom](https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html) | [Local](../../blob/master/2015/2015.06.16.operation-lotus-blossom)
* Jun 15 - [[Citizen Lab] Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114](https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/) | [Local](../../blob/master/2015/2015.06.15.Targeted-Attacks-against-Tibetan-and-Hong-Kong-Groups)
* Jun 12 - [[Volexity] Afghan Government Compromise: Browser Beware](http://www.volexity.com/blog/?p=134) | [Local](../../blob/master/2015/2015.06.12.Afghan_Government_Compromise)
* Jun 10 - [[Kaspersky] The_Mystery_of_Duqu_2_0](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) | [IOC](https://securelist.com/files/2015/06/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc) | [Yara](https://securelist.com/files/2015/06/Duqu_2_Yara_rules.pdf) | [Local](../../blob/master/2015/2015.06.10.The_Mystery_of_Duqu_2_0)
* Jun 10 - [[Crysys Lab] Duqu 2.0](http://blog.crysys.hu/2015/06/duqu-2-0/) | [Local](../../blob/master/2015/2015.06.10.Duqu_2.0)
* Jun 09 - [[Microsoft] Duqu 2.0 Win32k Exploit Analysis](https://www.virusbtn.com/pdf/conference_slides/2015/OhFlorio-VB2015.pdf) | [Local](../../blob/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis)
* Jun 04 - [[JP Internet Watch] Blue Thermite targeting Japan (CloudyOmega)](http://internet.watch.impress.co.jp/docs/news/20150604_705541.html) | [Local](../../blob/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis)
* Jun 03 - [[ClearSky] Thamar Reservoir](http://www.clearskysec.com/thamar-reservoir/) | [Local](../../blob/master/2015/2015.06.03.thamar-reservoir)
* May 29 - [OceanLotusReport](http://blogs.360.cn/blog/oceanlotus-apt/)
* May 28 - [Grabit and the RATs](https://securelist.com/blog/research/70087/grabit-and-the-rats/)
* May 27 - [Analysis On Apt-To-Be Attack That Focusing On China's Government Agency](http://www.antiy.net/p/analysis-on-apt-to-be-attack-that-focusing-on-chinas-government-agency/)
* May 27 - [BlackEnergy 3 Exfiltration of Data in ICS Networks](http://cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf) | [Local](../../blob/master/2015/2015.05.27.BlackEnergy3)
* May 26 - [Dissecting-Linux/Moose](http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf)
* May 21 - [The Naikon APT and the MsnMM Campaigns](https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/)
* May 19 - [Operation 'Oil Tanker'](http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf)
* May 18 - [Cmstar Downloader: Lurid and Enfals New Cousin](http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/)
* May 14 - [Operation Tropic Trooper](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-tropic-trooper-old-vulnerabilities-still-pack-a-punch/)
* May 14 - [The Naikon APT](https://securelist.com/analysis/publications/69953/the-naikon-apt/)
* May 13 - [SPEAR: A Threat Actor Resurfaces](http://blog.cylance.com/spear-a-threat-actor-resurfaces)
* May 12 - [root9B Uncovers Planned Sofacy Cyber Attack Targeting Several International and Domestic Financial Institutions](http://www.prnewswire.com/news-releases/root9b-uncovers-planned-sofacy-cyber-attack-targeting-several-international-and-domestic-financial-institutions-300081634.html)
* May 07 - [Dissecting the Kraken](https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html)
* May 05 - [Targeted attack on France's TV5Monde](http://global.ahnlab.com/global/upload/download/documents/1506306551185339.pdf) | [Local](../../blob/master/2015/2015.05.05.Targeted_attack_on_France_TV5Monde)
* Apr 27 - [Attacks against Israeli & Palestinian interests](http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html)
* Apr 22 - [CozyDuke](https://www.f-secure.com/documents/996508/1030745/CozyDuke)
* Apr 21 - [The CozyDuke APT](http://securelist.com/blog/69731/the-cozyduke-apt)
* Apr 20 - [Sofacy II - Same Sofacy, Different Day](http://pwc.blogs.com/cyber_security_updates/2015/04/the-sofacy-plot-thickens.html)
* Apr 18 - [Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack](https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html)
* Apr 16 - [Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house)
* Apr 15 - [The Chronicles of the Hellsing APT: the Empire Strikes Back](http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/)
* Apr 12 - [APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation](https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html)
* Mar 31 - [Volatile Cedar - Analysis of a Global Cyber Espionage Campaign](http://blog.checkpoint.com/2015/03/31/volatilecedar/)
* Mar 19 - [Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing)
* Mar 11 - [Inside the EquationDrug Espionage Platform](http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/)
* Mar 10 - [Tibetan Uprising Day Malware Attacks](https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/)
* Mar 06 - [Is Babar a Bunny?](https://www.f-secure.com/weblog/archives/00002794.html)
* Mar 06 - [Animals in the APT Farm](http://securelist.com/blog/research/69114/animals-in-the-apt-farm/)
* Mar 05 - [Casper Malware: After Babar and Bunny, Another Espionage Cartoon](http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon)
* Feb 24 - [A deeper look into Scanbox](http://pwc.blogs.com/cyber_security_updates/2015/02/a-deeper-look-into-scanbox.html)
* Feb 27 - [The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [Local](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
* Feb 25 - [Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf)
* Feb 25 - [PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/)
* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [Local](../../blob/master/2015/2015.02.18.Babar)
* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [Local](../../blob/master/2015/2015.02.18.Shooting_Elephants)
* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [Local](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [Local](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
* Feb 16 - [[Trend Micro] Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome) | [Local](../../blob/master/2015/2015.02.16.Operation_Arid_Viper)
* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [Local](../../blob/master/2015/2015.02.16.Carbanak.APT)
* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [Local](../../blob/master/2015/2015.02.16.equation-the-death-star)
* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [Local](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
* Feb 04 - [[Trend Micro] Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/) | [Local](../../blob/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage)
* Feb 02 - [[FireEye] Behind the Syrian Conflict's Digital Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [Local](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [Local](../../blob/master/2015/2015.01.29.P2P_PlugX)
* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [Local](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [Local](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
* Jan 22 - [[Kaspersky] Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [Local](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
* Jan 22 - [[Symantec] Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt) | [Local](../../blob/master/2015/2015.01.22.Scarab_attackers_Russian_targets)
* Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [Local](../../blob/master/2015/2015.01.22.Waterbug.group)
* Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [Local](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
* Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [Local](../../blob/master/2015/2015.01.20.Project_Cobra)
* Jan 15 - [[G DATA] Evolution of Agent.BTZ to ComRAT](https://blog.gdatasoftware.com/blog/article/evolution-of-sophisticated-spyware-from-agentbtz-to-comrat.html) | [Local](../../blob/master/2015/2015.01.15.Evolution_of_Agent.BTZ_to_ComRAT)
* Jan 12 - [[Dell] Skeleton Key Malware Analysis](http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/) | [Local](../../blob/master/2015/2015.01.12.skeleton-key-malware-analysis)
* Jan 11 - [[Dragon Threat Labs] Hong Kong SWC attack](http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html) | [Local](../../blob/master/2015/2015.01.11.Hong_Kong_SWC_Attack)
## 2014
* Dec 22 - [Anunak: APT against financial institutions](http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf)
* Dec 21 - [Operation Poisoned Helmand](http://www.threatconnect.com/news/operation-poisoned-helmand/)
* Dec 19 - [TA14-353A: Targeted Destructive Malware (wiper)](https://www.us-cert.gov/ncas/alerts/TA14-353A)
* Dec 18 - [Malware Attack Targeting Syrian ISIS Critics](https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/)
* Dec 17 - [Wiper Malware - A Detection Deep Dive](http://blogs.cisco.com/security/talos/wiper-malware)
* Dec 12 - [Bots, Machines, and the Matrix](http://www.fidelissecurity.com/sites/default/files/FTA_1014_Bots_Machines_and_the_Matrix.pdf)
* Dec 12 - [Vinself now with steganography](http://blog.cybersecurity-airbusds.com/post/2014/12/Vinself)
* Dec 10 - [South Korea MBR Wiper](http://asec.ahnlab.com/1015)
* Dec 10 - [W64/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w64_regin_stage_1.pdf)
* Dec 10 - [W32/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf)
* Dec 10 - [Cloud Atlas: RedOctober APT](http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/)
* Dec 09 - [The Inception Framework](https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware)
* Dec 08 - [The 'Penquin' Turla](http://securelist.com/blog/research/67962/the-penquin-turla-2/)
* Dec 03 - [Operation Cleaver: The Notepad Files](http://blog.cylance.com/operation-cleaver-the-notepad-files) | [Local](../../blob/master//2014/2014.12.03_operation-cleaver-the-notepad-files)
* Dec 02 - [Operation Cleaver](http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf) | [IOCs](http://www.cylance.com/assets/Cleaver/cleaver.yar) | [Local](../../blob/master//2014/2014.12.02.Operation_Cleaver)
* Nov 30 - [FIN4: Stealing Insider Information for an Advantage in Stock Trading?](https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html)
* Nov 24 - [Deep Panda Uses Sakula Malware](http://blog.crowdstrike.com/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/) | [Local](../../blob/master//2014/2014.11.24.Ironman)
* Nov 24 - [TheIntercept's report on The Regin Platform](https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/)
* Nov 24 - [Kaspersky's report on The Regin Platform](http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/)
* Nov 23 - [Symantec's report on Regin](http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance)
* Nov 21 - [[FireEye] Operation Double Tap](https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html) | [IOCs](https://github.com/fireeye/iocs/tree/master/APT3) | [Local](../../blob/master//2014/2014.11.21.Operation_Double_Tap)
* Nov 20 - [EvilBunny: Suspect #4](http://0x1338.blogspot.co.uk/2014/11/hunting-bunnies.html)
* Nov 14 - [Roaming Tiger (Slides)](http://2014.zeronights.ru/assets/files/slides/roaming_tiger_zeronights_2014.pdf)
* Nov 14 - [OnionDuke: APT Attacks Via the Tor Network](http://www.f-secure.com/weblog/archives/00002764.html)
* Nov 13 - [Operation CloudyOmega: Ichitaro 0-day targeting Japan](http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan)
* Nov 12 - [[ESET] Korplug military targeted attacks: Afghanistan & Tajikistan](http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/)
* Nov 11 - [The Uroburos case - Agent.BTZ's successor, ComRAT](http://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html)
* Nov 10 - [The Darkhotel APT - A Story of Unusual Hospitality](https://securelist.com/blog/research/66779/the-darkhotel-apt/)
* Nov 03 - [Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement](http://www.fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html)
* Nov 03 - [New observations on BlackEnergy2 APT activity](https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/)
* Oct 31 - [Operation TooHash](https://blog.gdatasoftware.com/blog/article/operation-toohash-how-targeted-attacks-work.html)
* Oct 30 - [The Rotten Tomato Campaign](http://blogs.sophos.com/2014/10/30/the-rotten-tomato-campaign-new-sophoslabs-research-on-apts/)
* Oct 28 - [Group 72, Opening the ZxShell](http://blogs.cisco.com/talos/opening-zxshell/)
* Oct 28 - [APT28 - A Window Into Russia's Cyber Espionage Operations](https://www.fireeye.com/resources/pdfs/apt28.pdf)
* Oct 27 - [Micro-Targeted Malvertising via Real-time Ad Bidding](http://www.invincea.com/wp-content/uploads/2014/10/Micro-Targeted-Malvertising-WP-10-27-14-1.pdf)
* Oct 27 - [ScanBox framework - who's affected, and who's using it?](http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html)
* Oct 27 - [Full Disclosure of Havex Trojans - ICS Havex backdoors](http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans)
* Oct 24 - [LeoUncia and OrcaRat](http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat)
* Oct 23 - [Modified Tor Binaries](http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/)
* Oct 22 - [Sofacy Phishing by PWC](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf)
* Oct 22 - [Operation Pawn Storm: The Red in SEDNIT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf)
* Oct 20 - [OrcaRAT - A whale of a tale](http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html)
* Oct 14 - [Sandworm - CVE-2014-4114](http://www.isightpartners.com/2014/10/cve-2014-4114/)
* Oct 14 - [Group 72 (Axiom)](http://blogs.cisco.com/security/talos/threat-spotlight-group-72/)
* Oct 14 - [Derusbi Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf)
* Oct 14 - [Hikit Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf)
* Oct 14 - [ZoxPNG Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf)
* Oct 09 - [Democracy in Hong Kong Under Attack](http://www.volexity.com/blog/?p=33)
* Oct 03 - [New indicators for APT group Nitro](http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/)
* Sep 26 - [BlackEnergy & Quedagh](https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf)
* Sep 26 - [Aided Frame, Aided Direction (Sunshop Digital Quartermaster)](http://www.fireeye.com/blog/technical/2014/09/aided-frame-aided-direction-because-its-a-redirect.html)
* Sep 23 - [Ukraine and Poland Targeted by BlackEnergy (video)](https://www.youtube.com/watch?v=I77CGqQvPE4)
* Sep 19 - [Watering Hole Attacks using Poison Ivy by "th3bug" group](http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/)
* Sep 18 - [COSMICDUKE: Cosmu with a twist of MiniDuke](http://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf)
* Sep 17 - [Chinese intrusions into key defense contractors](http://www.armed-services.senate.gov/press-releases/sasc-investigation-finds-chinese-intrusions-into-key-defense-contractors)
* Sep 10 - [Operation Quantum Entanglement](http://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-entanglement.pdf)
* Sep 08 - [When Governments Hack Opponents: A Look at Actors and Technology](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-marczak.pdf) [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/marczak)
* Sep 08 - [Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf) [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/hardy)
* Sep 04 - [Gholee - a “Protective Edge” themed spear phishing campaign](http://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/) | [Local](../../blob/master//2014/2014.09.04.Gholee)
* Sep 04 - [Forced to Adapt: XSLCmd Backdoor Now on OS X](http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)
* Sep 03 - [Darwin's Favorite APT Group (APT12)](http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html)
* Aug 29 - [Syrian Malware Team Uses BlackWorm for Attacks](http://www.fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html)
* Aug 28 - [Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks](https://www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks)
* Aug 27 - [North Korea's cyber threat landscape](http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf)
* Aug 27 - [NetTraveler APT Gets a Makeover for 10th Birthday](https://securelist.com/blog/research/66272/nettraveler-apt-gets-a-makeover-for-10th-birthday/)
* Aug 25 - [Vietnam APT Campaign](http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html)
* Aug 20 - [El Machete](https://securelist.com/blog/research/66108/el-machete/)
* Aug 18 - [The Syrian Malware House of Cards](https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/) | [Local](../../blob/master//2014/2014.08.18.Syrian_Malware_House_of_Cards)
* Aug 13 - [A Look at Targeted Attacks Through the Lense of an NGO](http://www.mpi-sws.org/~stevens/pubs/sec14.pdf) | [Local](../../blob/master//2014/2014.08.13.TargetAttack.NGO)
* Aug 12 - [New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)](http://www.fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html)
* Aug 07 - [The Epic Turla Operation Appendix](https://securelist.com/files/2014/08/KL_Epic_Turla_Technical_Appendix_20140806.pdf)
* Aug 06 - [Operation Poisoned Hurricane](http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html)
* Aug 05 - [Operation Arachnophobia](http://threatc.s3-website-us-east-1.amazonaws.com/?/arachnophobia)
* Aug 04 - [Sidewinder Targeted Attack Against Android](http://www.fireeye.com/resources/pdfs/fireeye-sidewinder-targeted-attack.pdf)
* Jul 31 - [Energetic Bear/Crouching Yeti Appendix](http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf)
* Jul 31 - [Energetic Bear/Crouching Yeti](https://kasperskycontenthub.com/securelist/files/2014/07/EB-YetiJuly2014-Public.pdf)
* Jul 20 - [Sayad (Flying Kitten) Analysis & IOCs](http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/)
* Jul 11 - [Pitty Tiger](https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf) | [Local](../../blob/master/2014/2014.07.11.Pitty_Tiger)
* Jul 10 - [TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos](http://www.circl.lu/pub/tr-25/)
* Jul 07 - [Deep Pandas, Deep in Thought: Chinese Targeting of National Security Think Tanks](http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/) | [Local](../../blob/master/2014/2014.07.07.Deep_in_Thought)
* Jun 10 - [Anatomy of the Attack: Zombie Zero](http://www.trapx.com/wp-content/uploads/2014/07/TrapX_ZOMBIE_Report_Final.pdf)
* Jun 30 - [Dragonfly: Cyberespionage Attacks Against Energy Suppliers](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf)
* Jun 20 - [Embassy of Greece Beijing](http://thegoldenmessenger.blogspot.de/2014/06/blitzanalysis-embassy-of-greece-beijing.html)
* Jun 09 - [Putter Panda](http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf)
* Jun 06 - [Illuminating The Etumbot APT Backdoor (APT12)](http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf)
* May 28 - [NewsCaster_An_Iranian_Threat_Within_Social_Networks](https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/) | [Local](../../blob/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks)
* May 21 - [RAT in jar: A phishing campaign using Unrecom](http://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf)
* May 20 - [Miniduke Twitter C&C](http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/)
* May 13 - [CrowdStrike's report on Flying Kitten](http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/)
* May 13 - [Operation Saffron Rose (aka Flying Kitten)](http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf)
* Apr 26 - [CVE-2014-1776: Operation Clandestine Fox](https://www.fireeye.com/blog/threat-research/2014/05/operation-clandestine-fox-now-attacking-windows-xp-using-recently-discovered-ie-vulnerability.html)
* Mar 08 - [Russian spyware Turla](http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307)
* Mar 07 - [Snake Campaign & Cyber Espionage Toolkit](http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf)
* Mar 06 - [The Siesta Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/)
* Feb 28 - [Uroburos: Highly complex espionage software with Russian roots](https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf)
* Feb 25 - [The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity](http://blog.crowdstrike.com/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/) | [Local](../../blob/master/2014/2014.02.25.The_French_Connection)
* Feb 23 - [Gathering in the Middle East, Operation STTEAM](http://www.fidelissecurity.com/sites/default/files/FTA%201012%20STTEAM%20Final.pdf)
* Feb 20 - [Mo' Shells Mo' Problems - Deep Panda Web Shells](http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/) | [Local](../../blob/master/2014/2014.02.20.deep-panda-webshells)
* Feb 20 - [Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit](http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html)
* Feb 19 - [XtremeRAT: Nuisance or Threat?](http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html)
* Feb 19 - [The Monju Incident](http://contextis.com/resources/blog/context-threat-intelligence-monju-incident/)
* Feb 13 - [Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website](http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html)
* Feb 11 - [Unveiling "Careto" - The Masked APT](http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf)
* Jan 31 - [Intruder File Report- Sneakernet Trojan](http://www.fidelissecurity.com/sites/default/files/FTA%201011%20Follow%20UP.pdf)
* Jan 21 - [[RSA] Shell_Crew (Deep Panda)](http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf) | [Local](../../blob/master/2014/2014.01.21.Shell_Crew)
* Jan 15 - [New CDTO: A Sneakernet Trojan Solution](http://www.fidelissecurity.com/sites/default/files/FTA%201001%20FINAL%201.15.14.pdf)
* Jan 14 - [The Icefog APT Hits US Targets With Java Backdoor](https://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor)
* Jan 13 - [Targeted attacks against the Energy Sector](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf)
* Jan 06 - [PlugX: some uncovered points](http://blog.cassidiancybersecurity.com/2014/01/plugx-some-uncovered-points.html)
## 2013
* ??? ?? - [THE LITTLE MALWARE THAT COULD: Detecting and Defeating the China Chopper Web Shell](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf) | [Local](../../blob/master/2013/2013.China_Chopper_Web_Shell)
* ??? ?? - [Deep Panda](http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf) (OFFLINE) | [Local](../../blob/master//2013/2013.Deep.Panda)
* Dec 20 - [ETSO APT Attacks Analysis](http://image.ahnlab.com/global/upload/download/documents/1401223631603288.pdf) | [Local](../../blob/master//2013/2013.12.20.ETSO)
* Dec 11 - [Operation "Ke3chang"](http://www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf)
* Dec 02 - [njRAT, The Saga Continues](http://www.fidelissecurity.com/files/files/FTA%201010%20-%20njRAT%20The%20Saga%20Continues.pdf)
* Nov 11 - [Supply Chain Analysis](http://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf)
* Nov 10 - [Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method](http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html)
* Oct 24 - [Terminator RAT](https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-rat.html) or [FakeM RAT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf) | [Local](../../blob/master//2013/2013.10.24)
* Sep 30 - [World War C: State of affairs in the APT world](https://www.fireeye.com/blog/threat-research/2013/09/new-fireeye-report-world-war-c.html)
* Sep 25 - [The 'ICEFOG' APT: A Tale of cloak and three daggers](http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf)
* Sep 17 - [Hidden Lynx - Professional Hackers for Hire](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf)
* Sep 13 - [Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets](http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html)
* Sep 11 - [The "Kimsuky" Operation](https://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/)
* Sep 06 - [Evasive Tactics: Taidoor](https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html) | [Local](../../blob/master//2013/2013.09.06.EvasiveTactics_Taidoor)
* Sep ?? - [Feature: EvilGrab Campaign Targets Diplomatic Agencies](http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/2q-report-on-targeted-attack-campaigns.pdf)
* Aug 23 - [Operation Molerats: Middle East Cyber Attacks Using Poison Ivy](http://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html)
* Aug 21 - [POISON IVY: Assessing Damage and Extracting Intelligence](http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
* Aug 19 - [ByeBye Shell and the targeting of Pakistan](https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan)
* Aug 02 - [Surtr: Malware Family Targeting the Tibetan Community](https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/)
* Aug 02 - [Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up](http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/)
* Aug ?? - [APT Attacks on Indian Cyber Space](http://g0s.org/wp-content/uploads/2013/downloads/Inside_Report_by_Infosec_Consortium.pdf)
* Aug ?? - [Operation Hangover - Unveiling an Indian Cyberattack Infrastructure](http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf)
* Jul 31 - [Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio,Elirks)](https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf), [video](https://www.youtube.com/watch?v=SoFVRsvh8s0)
* Jul 31 - [Secrets of the Comfoo Masters](http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/)
* Jul 15 - [PlugX revisited: "Smoaler"](http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf)
* Jul 09 - [Dark Seoul Cyber Attack: Could it be worse?](http://cisak.perpika.kr/wp-content/uploads/2013/07/2013-08.pdf)
* Jun 30 - [Targeted Campaign Steals Credentials in Gulf States and Caribbean](https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean)
* Jun 28 - [njRAT Uncovered](http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf)
* Jun 21 - [A Call to Harm: New Malware Attacks Target the Syrian Opposition](https://citizenlab.org/wp-content/uploads/2013/07/19-2013-acalltoharm.pdf)
* Jun 18 - [Trojan.APT.Seinup Hitting ASEAN](http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html)
* Jun 07 - [KeyBoy, Targeted Attacks against Vietnam and India](https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india)
* Jun 04 - [The NetTraveler (aka 'TravNet')](http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf)
* Jun 01 - [Crude Faux: An analysis of cyber conflict within the oil & gas industries](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-9.pdf)
* Jun ?? - [The Chinese Malware Complexes: The Maudi Surveillance Operation](https://bluecoat.com/documents/download/2c832f0f-45d2-4145-bdb7-70fc78c22b0f&ei=ZGP-VMCbMsuxggSThYDgDg&usg=AFQjCNFjXSkn_AIiXge1X9oWZHzQOiNDJw&sig2=B6e2is0sCnGEbLPL9q0eZg&bvm=bv.87611401,d.eXY)
* May 30 - [TR-14 - Analysis of a stage 3 Miniduke malware sample](http://www.circl.lu/pub/tr-14/)
* May ?? - [Operation Hangover](https://www.bluecoat.com/security-blog/2013-05-20/hangover-report)
* Apr 24 - [Operation Hangover](http://normanshark.com/pdf/Norman_HangOver%20report_Executive%20Summary_042513.pdf)
* Apr 21 - [MiniDuke - The Final Cut](http://labs.bitdefender.com/2013/04/miniduke-the-final-cut)
* Apr 13 - ["Winnti" More than just a game](http://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf)
* Apr 01 - [Trojan.APT.BaneChant](http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html)
* Mar 28 - [TR-12 - Analysis of a PlugX malware variant used for targeted attacks](http://www.circl.lu/pub/tr-12/)
* Mar 27 - [APT1: technical backstage (Terminator/Fakem RAT)](http://www.malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf)
* Mar 21 - [Darkseoul/Jokra Analysis And Recovery](http://www.fidelissecurity.com/sites/default/files/FTA%201008%20-%20Darkseoul-Jokra%20Analysis%20and%20Recovery.pdf)
* Mar 20 - [The TeamSpy Crew Attacks](http://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/)
* Mar 20 - [Dissecting Operation Troy](http://www.mcafee.com/sg/resources/white-papers/wp-dissecting-operation-troy.pdf)
* Mar 17 - [Safe: A Targeted Threat](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf)
* Mar 13 - [You Only Click Twice: FinFisher's Global Proliferation](https://citizenlab.org/wp-content/uploads/2013/07/15-2013-youonlyclicktwice.pdf)
* Feb 27 - [Miniduke: Indicators v1](http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf)
* Feb 27 - [The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor](https://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf)
* Feb 26 - [Stuxnet 0.5: The Missing Link](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf)
* Feb 22 - [Comment Crew: Indicators of Compromise](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf)
* Feb 18 - [Mandiant APT1 Report](http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf)
* Feb 12 - [Targeted cyber attacks: examples and challenges ahead](http://www.ait.ac.at/uploads/media/Presentation_Targeted-Attacks_EN.pdf)
* Jan 18 - [Operation Red October](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24250/en_US/McAfee_Labs_Threat_Advisory_Exploit_Operation_Red_Oct.pdf)
* Jan 14 - [Red October Diplomatic Cyber Attacks Investigation](http://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation)
* Jan 14 - [The Red October Campaign](https://securelist.com/blog/incidents/57647/the-red-october-campaign)
## 2012
* Nov 03 - [Systematic cyber attacks against Israeli and Palestinian targets going on for a year](http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf)
* Nov 01 - [RECOVERING FROM SHAMOON](http://www.fidelissecurity.com/sites/default/files/FTA%201007%20-%20Shamoon.pdf)
* Oct 31 - [CYBER ESPIONAGE Against Georgian Government (Georbot Botnet)](http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf)
* Oct 27 - [Trojan.Taidoor: Targeting Think Tanks](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf)
* Oct 08 - [Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT](http://matasano.com/research/PEST-CONTROL.pdf)
* Sep 18 - [The Mirage Campaign](http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/)
* Sep 12 - [The VOHO Campaign: An in depth analysis](http://blogsdev.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf)
* Sep 07 - [IEXPL0RE RAT](https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf)
* Sep 06 - [The Elderwood Project](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf)
* Aug 18 - [The Taidoor Campaign: An In-Depth Analysis](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf) | [Local](../../blob/master//2012/2012.08.18.Taidoor_Campaign)
* Aug 09 - [Gauss: Abnormal Distribution](http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-lab-gauss.pdf)
* Jul 27 - [The Madi Campaign](https://securelist.com/analysis/36609/the-madi-infostealers-a-detailed-analysis/)
* Jul 25 - [From Bahrain With Love: FinFisher's Spy Kit Exposed?](https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/)
* Jul 11 - [Wired article on DarkComet creator](http://www.wired.com/2012/07/dark-comet-syrian-spy-tool/)
* Jul 10 - [Advanced Social Engineering for the Distribution of LURK Malware](https://citizenlab.org/wp-content/uploads/2012/07/10-2012-recentobservationsintibet.pdf)
* May 31 - [sKyWIper (Flame/Flamer)](http://www.crysys.hu/skywiper/skywiper.pdf)
* May 22 - [IXESHE: An APT Campaign](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf)
* May 18 - [Analysis of Flamer C&C Server](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf)
* Apr 16 - [OSX.SabPub & Confirmed Mac APT attacks](http://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/)
* Apr 10 - [Anatomy of a Gh0st RAT](http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf)
* Mar 26 - [Luckycat Redux](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf)
* Mar 13 - [Reversing DarkComet RAT's crypto](http://www.arbornetworks.com/asert/wp-content/uploads/2012/07/Crypto-DarkComet-Report.pdf)
* Mar 12 - [Crouching Tiger, Hidden Dragon, Stolen Data](http://www.contextis.com/services/research/white-papers/crouching-tiger-hidden-dragon-stolen-data/)
* Feb 29 - [The Sin Digoo Affair](http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/)
* Feb 03 - [Command and Control in the Fifth Domain](http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf)
* Jan 03 - [The HeartBeat APT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf)
## 2011
* Dec 08 - [Palebot trojan harvests Palestinian online credentials](https://web.archive.org/web/20130308090454/http://blogs.norman.com/2011/malware-detection-team/palebot-trojan-harvests-palestinian-online-credentials)
* Oct 31 - [The Nitro Attacks: Stealing Secrets from the Chemical Industry](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf)
* Oct 26 - [Duqu Trojan Questions and Answers](http://www.secureworks.com/cyber-threat-intelligence/threats/duqu/)
* Oct 12 - [Alleged APT Intrusion Set: "1.php" Group](http://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf)
* Sep 22 - [The "LURID" Downloader](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf)
* Sep 11 - [SK Hack by an Advanced Persistent Threat](http://www.commandfive.com/papers/C5_APT_SKHack.pdf)
* Sep 09 - [The RSA Hack](http://www.fidelissecurity.com/sites/default/files/FTA1001-The_RSA_Hack.pdf)
* Aug 03 - [HTran and the Advanced Persistent Threat](http://www.secureworks.com/cyber-threat-intelligence/threats/htran/)
* Aug 02 - [Operation Shady RAT: Vanity Fair](http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109)
* Aug 04 - [Operation Shady RAT](http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf)
* Apr 20 - [Stuxnet Under the Microscope](http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf)
* Feb 18 - [Night Dragon: Specific Protection Measures for Consideration](http://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/2011%20Alerts/A-2011-02-18-01%20Night%20Dragon%20Attachment%201.pdf)
* Feb 10 - [Global Energy Cyberattacks: Night Dragon](http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf)
## 2010
* Dec 09 - [The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability](http://www.fas.org/sgp/crs/natsec/R41524.pdf)
* Sep 30 - [W32.Stuxnet Dossier](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf)
* Sep 03 - [The "MSUpdater" Trojan And Ongoing Targeted Attacks](http://www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf)
* Apr 06 - [Shadows in the cloud: Investigating Cyber Espionage 2.0](http://www.nartv.org/mirror/shadows-in-the-cloud.pdf)
* Mar 14 - [In-depth Analysis of Hydraq](http://www.totaldefense.com/Core/DownloadDoc.aspx?documentID=1052) (OFFLINE)
* Feb 24 - [How Can I Tell if I Was Infected By Aurora? (IOCs)](http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf) (OFFLINE)
* Feb 10 - [HB Gary Threat Report: Operation Aurora](http://hbgary.com/sites/default/files/publications/WhitePaper%20HBGary%20Threat%20Report,%20Operation%20Aurora.pdf)
* Jan ?? - [Case Study: Operation Aurora - Triumfant](http://www.triumfant.com/pdfs/Case_Study_Operation_Aurora_V11.pdf) (OFFLINE)
* Jan 27 - [Operation Aurora: Detect, Diagnose, Respond](http://albertsblog.stickypatch.org/files/3/5/1/4/7/282874-274153/Aurora_HBGARY_DRAFT.pdf) (OFFLINE)
* Jan 20 - [McAfee Labs: Combating Aurora](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/67000/KB67957/en_US/Combating%20Threats%20-%20Operation%20Aurora.pdf)
* Jan 13 - [The Command Structure of the Aurora Botnet - Damballa](https://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf)
* Jan 12 - [Operation Aurora](http://en.wikipedia.org/wiki/Operation_Aurora)
## 2009
* Mar 29 - [Tracking GhostNet](http://www.nartv.org/mirror/ghostnet.pdf)
* Jan 18 - [Impact of Alleged Russian Cyber Attacks](https://www.baltdefcol.org/files/files/documents/Research/BSDR2009/1_%20Ashmore%20-%20Impact%20of%20Alleged%20Russian%20Cyber%20Attacks%20.pdf)
## 2008
* Nov 19 - [Agent.BTZ](http://www.wired.com/dangerroom/2008/11/army-bans-usb-d/)
* Nov 04 - [China's Electronic Long-Range Reconnaissance](http://fmso.leavenworth.army.mil/documents/chinas-electronic.pdf)
* Oct 02 - [How China will use cyber warfare to leapfrog in military competitiveness](http://www.international-relations.com/CM8-1/Cyberwar.pdf)
* Aug 10 - [Russian Invasion of Georgia: Russian Cyberwar on Georgia](http://www.mfa.gov.ge/files/556_10535_798405_Annex87_CyberAttacks.pdf) (OFFLINE)
## 2006
* ["Wicked Rose" and the NCPH Hacking Group](http://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf)