:small_blue_diamond: [Analysis of malware and Cyber Threat Intel of APT and cybercriminals groups](https://github.com/StrangerealIntel/CyberThreatIntel) <br>
* Nov 30 - [[Microsoft] Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them](https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/) | [:closed_book:](../../blob/master/2020/2020.11.30.BISMUTH_CoinMiner)
* Nov 27 - [[PTSecurity] Investigation with a twist: an accidental APT attack and averted data destruction](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/) | [:closed_book:](../../blob/master/2020/2020.11.27.Twist_APT27)
* Nov 23 - [[S2W Lab] Analysis of Clop Ransomware suspiciously related to the Recent Incident](https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e) | [:closed_book:](../../blob/master/2020/2020.11.23.Clop_Campaign)
* Nov 18 - [[KR-CERT] Analysis of the Bookcodes RAT C2 framework starting with spear phishing](https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf) | [:closed_book:](../../blob/master/2020/2020.11.18.Bookcodes_C2)
* Nov 17 - [[Cybereason] CHAES: Novel Malware Targeting Latin American E-Commerce](https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf) | [:closed_book:](../../blob/master/2020/2020.11.17.CHAES)
* Nov 16 - [[FoxIT] TA505: A Brief History Of Their Time](https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/) | [:closed_book:](../../blob/master/2020/2020.11.16.TA505_History)
* Nov 16 - [[Bitdefender] A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions](https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf) | [:closed_book:](../../blob/master/2020/2020.11.16.Chinese_APT_South_Eastern_Asian)
* Nov 12 - [[CISCO] CRAT wants to plunder your endpoints](https://blog.talosintelligence.com/2020/11/crat-and-plugins.html) | [:closed_book:](../../blob/master/2020/2020.11.12.CRAT_Lazarus)
* Nov 12 - [[ESET] Hungry for data, ModPipe backdoor hits POS software used in hospitality sector](https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/) | [:closed_book:](../../blob/master/2020/2020.11.12.ModPipe_POS_Hospitality-Sector)
* Nov 04 - [[Sophos] A new APT uses DLL side-loads to “KilllSomeOne”](https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/) | [:closed_book:](../../blob/master/2020/2020.11.04.KilllSomeOne_DLL_APT)
* Nov 01 - [[Cyberstanc] A look into APT36's (Transparent Tribe) tradecraft](https://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/) | [:closed_book:](../../blob/master/2020/2020.11.01.Transparent_Tribe_APT)
* Oct 26 - [[DrWeb] Study of the ShadowPad APT backdoor and its relation to PlugX](https://news.drweb.com/show/?i=14048&lng=en) | [:closed_book:](../../blob/master/2020/2020.10.26.ShadowPad_APT_backdoor_PlugX)
* Oct 14 - [[MalwareByte] Silent Librarian APT right on schedule for 20/21 academic year](https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/) | [:closed_book:](../../blob/master/2020/2020.10.14.Silent_Librarian_APT)
* Oct 07 - [[BlackBerry] BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals](https://www.blackberry.com/us/en/company/newsroom/press-releases/2020/blackberry-uncovers-massive-hack-for-hire-group-targeting-governments-businesses-human-rights-groups-and-influential-individuals) | [:closed_book:](../../blob/master/2020/2020.10.07.Massive_Hack-For-Hire_Group)
* Oct 05 - [[Kaspersky] MosaicRegressor: Lurking in the Shadows of UEFI](https://securelist.com/mosaicregressor/98849/) | [:closed_book:](../../blob/master/2020/2020.10.05.MosaicRegressor_Lurking_in_the_Shadows_of_UEFI/2020.10.05_-_MosaicRegressor_Lurking_in_the_Shadows_of_UEFI_Securelist_2020.pdf)
* Sep 29 - [[Symantec] Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt) | [:closed_book:](../../blob/master/2020/2020.09.29.Palmerworm)
* Sep 29 - [[PTSecurity] ShadowPad: new activity from the Winnti group](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/) | [:closed_book:](../../blob/master/2020/2020.09.29_ShadowPad_-_new_activity_from_the_Winnti_group)
* Sep 25 - [[Amnesty] German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed](https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/) | [:closed_book:](../../blob/master/2020/2020.09.25.Finspy_in_Egypt)
* Sep 25 - [[360] APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign](https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/) | [:closed_book:](../../blob/master/2020/2020.09.25.APT-C-43_HpReact_campaign)
* Sep 21 - [[CISCO] The art and science of detecting Cobalt Strike](https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html) | [:closed_book:](../../blob/master/2020/2020.09.21.coverage-strikes-back-cobalt-strike-paper)
* Sep 01 - [[proofpoint] Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe](https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic) | [:closed_book:](../../blob/master/2020/2020.09.01.Chinese_APT_TA413)
* Aug 27 - [[ClearSky] The Kittens Are Back in Town 3](https://www.clearskysec.com/the-kittens-are-back-in-town-3/) | [:closed_book:](../../blob/master/2020/2020.08.27.Kittens_Are_Back)
* Aug 24 - [[Kaspersky] Lifting the veil on DeathStalker, a mercenary triumvirate](https://securelist.com/deathstalker-mercenary-triumvirate/98177/) | [:closed_book:](../../blob/master/2020/2020.08.24_DeathStalker)
* Aug 20 - [[CertFR] DEVELOPMENT OF THE ACTIVITY OF THE TA505 CYBERCRIMINAL GROUP](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf) | [:closed_book:](../../blob/master/2020/2020.08.20_DEVELOPMENT_TA505)
* Aug 20 - [[Bitdefender] More Evidence of APT Hackers-for-Hire Used for Industrial Espionage](https://labs.bitdefender.com/2020/08/apt-hackers-for-hire-used-for-industrial-espionage/) | [:closed_book:](../../blob/master/2020/2020.08.20_APT_Hackers_for_Hire)
* Aug 18 - [[F-Secure] LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL](https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf) | [:closed_book:](../../blob/master/2020/2020.08.18.LAZARUS_GROUP)
* Aug 13 - [[ClearSky] Operation ‘Dream Job’ Widespread North Korean Espionage Campaign](https://www.clearskysec.com/operation-dream-job/) | [:closed_book:](../../blob/master/2020/2020.08.13.Operation_Dream_Job)
* Aug 12 - [[Kaspersky] Internet Explorer and Windows zero-day exploits used in Operation PowerFall](https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/) | [:closed_book:](../../blob/master/2020/2020.08.12.Operation_PowerFall)
* Jul 29 - [[McAfee] Operation North Star: A Job Offer That’s Too Good to be True?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/) | [:closed_book:](../../blob/master/2020/2020.07.29.Operation_North_Star)
* Jul 14 - [[ESET] Welcome Chat as a secure messaging app? Nothing could be further from the truth](https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/) | [:closed_book:](../../blob/master/2020/2020.07.14_Molerats_Middle_East_APT)
* Jul 09 - [[ESET] More evil: A deep look at Evilnum and its toolset](https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/) | [:closed_book:](../../blob/master/2020/2020.07.09_Evilnum_Toolset)
* Jul 08 - [[proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new) | [:closed_book:](../../blob/master/2020/2020.07.08.TA410)
* Jul 06 - [[Sansec] North Korean hackers are skimming US and European shoppers](https://sansec.io/research/north-korea-magecart) | [:closed_book:](../../blob/master/2020/2020.07.06_North_Korean_Magecart)
* Jun 29 - [[CISCO] PROMETHIUM extends global reach with StrongPity3 APT](https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html) | [:closed_book:](../../blob/master/2020/2020.06.29.PROMETHIUM_StrongPity3_APT)
* Jun 26 - [[Symantec] WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us) | [:closed_book:](../../blob/master/2020/2020.06.26_WastedLocker_Attack)
* Jun 25 - [[Elastic] A close look at the advanced techniques used in a Malaysian-focused APT campaign](https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign) | [:closed_book:](../../blob/master/2020/2020.06.25.Malaysian-focused-APT_campaign)
* Jun 23 - [[NCCGroup] WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/) | [:closed_book:](../../blob/master/2020/2020.06.23.WastedLocker_Evil_Corp_Group)
* Jun 17 - [[ESET] Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies](https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/) | [:closed_book:](../../blob/master/2020/2020.06.17.Operation_Interception)
* Jun 15 - [[Amnesty] India: Human Rights Defenders Targeted by a Coordinated Spyware Operation](https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/) | [:closed_book:](../../blob/master/2020/2020.06.15.india-human-rights-defenders-targeted)
* Jun 11 - [[Trend Micro] New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa](https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/) | [:closed_book:](../../blob/master/2020/2020.06.11.Earth_Empusa)
* Jun 08 - [[proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new) | [:closed_book:](../../blob/master/2020/2020.06.08.TA410)
* Jun 08 - [[CheckPoint] GuLoader? No, CloudEyE](https://research.checkpoint.com/2020/guloader-cloudeye/) | [:closed_book:](../../blob/master/2020/2020.06.08.GuLoader_CloudEyE)
* Jun 03 - [[Malwarebyte] New LNK attack tied to Higaisa APT discovered](https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/) | [:closed_book:](../../blob/master/2020/2020.06.03.Higaisa_APT)
* Jun 03 - [[Kaspersky] Cycldek: Bridging the (air) gap](https://securelist.com/cycldek-bridging-the-air-gap/97157/) | [:closed_book:](../../blob/master/2020/2020.06.03.Cycldek)
* May 29 - [[IronNet] Russian Cyber Attack Campaigns and Actors](https://ironnet.com/blog/russian-cyber-attack-campaigns-and-actors/) | [:closed_book:](../../blob/master/2020/2020.05.29_russian-cyber-attack-campaigns-and-actors)
* May 28 - [[Kaspersky] The zero-day exploits of Operation WizardOpium](https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/) | [:closed_book:](../../blob/master/2020/2020.05.28_Operation_WizardOpium)
* May 26 - [[ESET] From Agent.BTZ to ComRAT v4: A ten‑year journey](https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/) | [:closed_book:](../../blob/master/2020/2020.05.26_From_Agent.BTZ_to_ComRAT)
* May 21 - [[Intezer] The Evolution of APT15’s Codebase 2020](https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/) | [:closed_book:](../../blob/master/2020/2020.05.21.APT15_Codebase_2020)
* May 21 - [[Bitdefender] Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia](https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf) | [:closed_book:](../../blob/master/2020/2020.05.21.Iranian_Chafer_APT)
* May 21 - [[ESET] No “Game over” for the Winnti Group](https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/) | [:closed_book:](../../blob/master/2020/2020.05.21.No_Game_Over_Winnti)
* May 19 - [[Symantec] Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia) | [:closed_book:](../../blob/master/2020/2020.05.19.Greenbug_South_Asia)
* May 14 - [[Sophos] RATicate: an attacker’s waves of information-stealing malware](https://news.sophos.com/en-us/2020/05/14/raticate/) | [:closed_book:](../../blob/master/2020/2020.05.14.RATicate)
* May 14 - [[360] Vendetta-new threat actor from Europe](https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/) | [:closed_book:](../../blob/master/2020/2020.05.14.Vendetta_APT)
* May 14 - [[ESET] Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia](https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/) | [:closed_book:](../../blob/master/2020/2020.05.14.Mikroceen)
* May 14 - [[Avast] APT Group Planted Backdoors Targeting High Profile Networks in Central Asia](https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia) | [:closed_book:](../../blob/master/2020/2020.05.14.Central_Asia_APT)
* May 14 - [[Kaspersky] COMpfun authors spoof visa application with HTTP status-based Trojan](https://securelist.com/compfun-http-status-based-trojan/96874/) | [:closed_book:](../../blob/master/2020/2020.05.14.COMpfun)
* May 13 - [[ESET] Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks](https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/) | [:closed_book:](../../blob/master/2020/2020.05.13.Ramsay)
* May 11 - [[Zscaler] Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT](https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat) | [:closed_book:](../../blob/master/2020/2020.05.11.JsOutProx_RAT_Targeted_Attacks)
* May 11 - [[Palo Alto] Updated BackConfig Malware Targeting Government and Military Organizations in South Asia](https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/) | [:closed_book:](../../blob/master/2020/2020.05.11_BackConfig_South_Asia)
* May 07 - [[RedCanary] Introducing Blue Mockingbird](https://redcanary.com/blog/blue-mockingbird-cryptominer/) | [:closed_book:](../../blob/master/2020/2020.05.07_Blue_Mockingbird)
* May 05 - [[CheckPoint] Nazar: Spirits of the Past](https://research.checkpoint.com/2020/nazar-spirits-of-the-past/) | [:closed_book:](../../blob/master/2020/2020.05.05.Nazar_APT)
* Apr 29 - [[Recorded Future] Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests](https://go.recordedfuture.com/hubfs/reports/cta-2020-0429.pdf) | [:closed_book:](../../blob/master/2020/2020.04.29.Chinese_Influence_Operations_Taiwanese_Elections_Hong_Kong_Protests)
* Apr 28 - [[Yoroi] Outlaw is Back, a New Crypto-Botnet Targets European Organizations](https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/) | [:closed_book:](../../blob/master/2020/2020.04.28_Outlaw_is_Back)
* Apr 28 - [[ESET] Grandoreiro: How engorged can an EXE get?](https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/) | [:closed_book:](../../blob/master/2020/2020.04.28.Grandoreiro)
* Apr 16 - [[Trend Micro] Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems](https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/) | [:closed_book:](../../blob/master/2020/2020.04.16_Exposing_Modular_Adware)
* Apr 16 - [[White Ops] Giving Fraudsters the Cold Shoulder: Inside the Largest Connected TV Bot Attack](https://www.whiteops.com/blog/giving-fraudsters-the-cold-shoulder-inside-the-largest-connected-tv-bot-attack) | [:closed_book:](../../blob/master/2020/2020.04.16_ICEBUCKET_TV_Bot_Attack)
* Apr 07 - [[MalwareBytes] APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure](https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf) | [:closed_book:](../../blob/master/2020/2020.04.07_APTs_COVID-19)
* Apr 07 - [[Zscaler] New Ursnif Campaign: A Shift from PowerShell to Mshta](https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta) | [:closed_book:](../../blob/master/2020/2020.04.07_New_Ursnif_Campaign)
* Apr 07 - [[BlackBerry] Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android](https://blogs.blackberry.com/en/2020/04/decade-of-the-rats) | [:closed_book:](../../blob/master/2020/2020.04.07_Decade_of_the_RATs)
* Mar 30 - [[Alyac] The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection](https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf) | [:closed_book:](../../blob/master/2020/2020.03.30_Spy_Cloud_Operation)
* Mar 25 - [[FireEye] This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html) | [:closed_book:](../../blob/master/2020/2020.03.25_APT41-initiates-global-intrusion-campaign)
* Mar 24 - [[Kaspersky] WildPressure targets industrial-related entities in the Middle East](https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/) | [:closed_book:](../../blob/master/2020/2020.03.24_WildPressure)
* Mar 24 - [[Trend Micro] Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/) | [:closed_book:](../../blob/master/2020/2020.03.24_Operation_Poisoned_News)
* Mar 12 - [[ESET] Tracking Turla: New backdoor delivered via Armenian watering holes](https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes) | [:closed_book:](../../blob/master/2020/2020.03.12_Tracking_Turla)
* Mar 10 - [[Cybereason] WHO'S HACKING THE HACKERS: NO HONOR AMONG THIEVES](https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves) | [:closed_book:](../../blob/master/2020/2020.03.10.WHO_HACKING_THE_HACKERS)
* Mar 05 - [[Trend Micro] Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks](https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/) | [:closed_book:](../../blob/master/2020/2020.03.05_Dissecting_Geost)
* Mar 03 - [[F5] New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution](https://www.f5.com/labs/articles/threat-intelligence/new-perl-botnet--tuyul--found-with-possible-indonesian-attributi) | [:closed_book:](../../blob/master/2020/2020.03.03_Tuyul_Botnet_Indonesian)
* Mar 03 - [[Yoroi] The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs](https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/) | [:closed_book:](../../blob/master/2020/2020.03.03_Kimsuky_APT)
* Feb 22 - [[Objective-See] Weaponizing a Lazarus Group Implant](https://objective-see.com/blog/blog_0x54.html) | [:closed_book:](../../blob/master/2020/2020.02.22_Lazarus_Group_Weaponizing)
* Feb 19 - [[lexfo] The Lazarus Constellation](https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf) | [:closed_book:](../../blob/master/2020/2020.02.19_The_Lazarus_Constellation)
* Feb 17 - [[Yoroi] Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign](https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/) | [:closed_book:](../../blob/master/2020/2020.02.17.Cyberwarfare_Gamaredon_Campaign)
* Feb 17 - [[Talent-Jump] CLAMBLING - A New Backdoor Base On Dropbox (EN)](http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/) | [:closed_book:](../../blob/master/2020/2020.02.17_CLAMBLING_Dropbox_Backdoor)
* Feb 17 - [[ClearSky] Fox Kitten Campaign](https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf) | [:closed_book:](../../blob/master/2020/2020.02.17_Fox_Kitten_Campaign)
* Feb 13 - [[Cybereason] NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS - PART 2: THE DISCOVERY OF THE NEW, MYSTERIOUS PIEROGI BACKDOOR](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912&utm_medium=social&utm_source=twitter&hss_channel=tw-835463838) | [:closed_book:](../../blob/master/2020/2020.02.13.PIEROGI_BACKDOOR_APT)
* Feb 03 - [[PaloAlto Networks] Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations](https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/) | [:closed_book:](../../blob/master/2020/2020.02.03.SharePoint_Vulnerability_Middle_East)
* Jan XX - [[IBM] New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East](https://www.ibm.com/downloads/cas/OAJ4VZNJ) | [:closed_book:](../../blob/master/2020/2020.01.xx.ZeroCleare_Wiper)
* Jan 31 - [[ESET] Winnti Group targeting universities in Hong Kong](https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/) | [:closed_book:](../../blob/master/2020/2020.01.31.Winnti_universities_in_HK)
* Jan 13 - [[ShellsSystems] Reviving MuddyC3 Used by MuddyWater (IRAN) APT](https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/) | [:closed_book:](../../blob/master/2020/2020.01.13.muddyc3.Revived)
* Jan 09 - [[Dragos] The State of Threats to Electric Entities in North America](https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf) | [:closed_book:](../../blob/master/2020/2020.01.09.NA-EL-Threat-Perspective)
* Jan 07 - [[Recorded Future] Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access](https://www.recordedfuture.com/iranian-cyber-response/?utm_content=111464182) | [:closed_book:](../../blob/master/2020/2020.01.07_Iranian_Cyber_Response)
* Jan 06 - [[Trend Micro] First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group](https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/) | [:closed_book:](../../blob/master/2020/2020.01.06.SideWinder_Google_Play)
* Dec 26 - [[Pedro Tavares] Targeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/) | [:closed_book:](../../blob/master/2019/2019.12.26.Trojan-Lampion)
* Dec 17 - [[PaloAlto] Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia](https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/) | [:closed_book:](../../blob/master/2019/2019.12.17.Rancor)
* Dec 16 - [[Sophos] MyKings: The Slow But Steady Growth of a Relentless Botnet](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-uncut-mykings-report.pdf) | [:closed_book:](../../blob/master/2019/2019.12.16.MyKings)
* Dec 12 - [[Trend Micro] Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry](https://documents.trendmicro.com/assets/white_papers/wp-drilling-deep-a-look-at-cyberattacks-on-the-oil-and-gas-industry.pdf) | [:closed_book:](../../blob/master/2019/2019.12.12.Drilling_Deep)
* Dec 12 - [[Microsoft] GALLIUM: Targeting global telecom](https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/) | [:closed_book:](../../blob/master/2019/2019.12.12.GALLIUM)
* Dec 12 - [[Recorded Future] Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs](https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf) | [:closed_book:](../../blob/master/2019/2019.12.12.Operation_Gamework)
* Dec 11 - [[Trend Micro] Waterbear is Back, Uses API Hooking to Evade Security Product Detection](https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/) | [:closed_book:](../../blob/master/2019/2019.12.11.Waterbear_Back)
* Dec 11 - [[Cyberason] DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE](https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware) | [:closed_book:](../../blob/master/2019/2019.12.11_DROPPING_ANCHOR)
* Dec 10 - [[Sentinel] Anchor Project: The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT](https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/#report) | [:closed_book:](../../blob/master/2019/2019.12.10_TrickBot_Planeswalker)
* Dec 06 - [[SCILabs] Cosmic Banker campaign is still active revealing link with Banload malware](https://blog.scilabs.mx/cosmic-banker-campaign-is-still-active-revealing-link-with-banload-malware/) | [:closed_book:](../../blob/master/2019/2019.12.06.Cosmic_Banker_campaign)
* Dec 04 - [[IBM] New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East](https://www.ibm.com/downloads/cas/OAJ4VZNJ) | [:closed_book:](../../blob/master/2019/2019.12.04.ZeroCleare)
* Dec 04 - [[Trend Micro] Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign](https://blog.trendmicro.com/trendlabs-security-intelligence/obfuscation-tools-found-in-the-capesand-exploit-kit-possibly-used-in-kurdishcoder-campaign/) | [:closed_book:](../../blob/master/2019/2019.12.04.KurdishCoder_Campaign)
* Dec 03 - [[NSHC] Threat Actor Targeting Hong Kong Pro-Democracy Figures](https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/) | [:closed_book:](../../blob/master/2019/2019.12.03.Hong_Kong_Pro-Democracy)
* Nov 28 - [[Kaspersky] RevengeHotels: cybercrime targeting hotel front desks worldwide](https://securelist.com/revengehotels/95229/) | [:closed_book:](../../blob/master/2019/2019.11.28.RevengeHotels)
* Nov 26 - [[Microsoft] Insights from one year of tracking a polymorphic threat: Dexphot](https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/) | [:closed_book:](../../blob/master/2019/2019.11.26.Dexphot)
* Nov 21 - [[ESET] Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon](https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/) | [:closed_book:](../../blob/master/2019/2019.11.21.DePriMon)
* Nov 20 - [[360] Golden Eagle (APT-C-34)](http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html) | [:closed_book:](../../blob/master/2019/2019.11.20.Golden_Eagle_APT-C-34)
* Nov 20 - [[Trend Micro] Mac Backdoor Linked to Lazarus Targets Korean Users](https://blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/) | [:closed_book:](../../blob/master/2019/2019.11.20.Mac_Lazarus)
* Nov 13 - [[Trend Micro] More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting](https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/) | [:closed_book:](../../blob/master/2019/2019.11.13.APT33_Extreme_Narrow_Targeting)
* Nov 12 - [[Marco Ramilli] TA-505 Cybercrime on System Integrator Companies](https://marcoramilli.com/2019/11/12/ta-505-cybercrime-on-system-integrator-companies/) | [:closed_book:](../../blob/master/2019/2019.11.12_TA-505_On_SI)
* Nov 08 - [[Kapsersky] Titanium: the Platinum group strikes again](https://securelist.com/titanium-the-platinum-group-strikes-again/94961/) | [:closed_book:](../../blob/master/2019/2019.11.08_Titanium_Action_Platinum_group)
* Nov 05 - [[Telsy] THE LAZARUS’ GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE ?](https://blog.telsy.com/the-lazarus-gaze-to-the-world-what-is-behind-the-first-stone/) | [:closed_book:](../../blob/master/2019/2019.11.05.LAZARUS_GAZE)
* Nov 01 - [[Kaspersky] Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium](https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/) | [:closed_book:](../../blob/master/2019/2019.11.1.Operation_WizardOpium)
* Oct 31 - [[PTsecurity] Calypso APT: new group attacking state institutions](https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/) | [:closed_book:](../../blob/master/2019/2019.10.31.Calypso_APT)
* Oct 31 - [[Fireeye] MESSAGETAP: Who’s Reading Your Text Messages?](https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html) | [:closed_book:](../../blob/master/2019/2019.10.31.MESSAGETAP)
* Oct 21 - [[ESET] Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor](https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/) | [:closed_book:](../../blob/master/2019/2019.10.21.Winnti_skip_2.0)
* Oct 21 - [[VB] Geost botnet. The story of the discovery of a new Android banking trojan from an OpSec error](https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Garcia-etal.pdf) | [:closed_book:](../../blob/master/2019/2019.10.21_Geost_botnet)
* Oct 17 - [[ESET] Operation Ghost: The Dukes aren’t back – they never left](https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/) | [:closed_book:](../../blob/master/2019/2019.10.17.Operation_Ghost)
* Oct 15 - [[Fireeye] LOWKEY: Hunting for the Missing Volume Serial ID](https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html) | [:closed_book:](../../blob/master/2019/2019.10.15.LOWKEY)
* Oct 14 - [[Marco Ramilli] Is Emotet gang targeting companies with external SOC?](https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/) | [:closed_book:](../../blob/master/2019/2019.10.14.Emotet_external_SOC)
* Oct 14 - [[Exatrack] From tweet to rootkit](https://exatrack.com/public/winnti_EN.pdf) | [:closed_book:](../../blob/master/2019/2019.10.14.From_tweet_to_rootkit)
* Oct 14 - [[Crowdstrike] HUGE FAN OF YOUR WORK: TURBINE PANDA ](https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf) | [:closed_book:](../../blob/master/2019/2019.10.14.TURBINE_PANDA)
* Oct 10 - [[Fireeye] Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques](https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html) | [:closed_book:](../../blob/master/2019/2019.10.10.Fin7)
* Oct 10 - [[ESET] CONNECTING THE DOTS Exposing the arsenal and methods of the Winnti Group](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf) | [:closed_book:](../../blob/master/2019/2019.10.10.Winnti_Group)
* Oct 10 - [[ESET] Attor, a spy platform with curious GSM fingerprinting](https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/) | [:closed_book:](../../blob/master/2019/2019.10.10.Attor_GSM_fingerprinting_spy_platform)
* Oct 09 - [[Trend Micro] FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops](https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/) | [:closed_book:](../../blob/master/2019/2019.10.09_FIN6_Magecart)
* Oct 07 - [[Clearsky] The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods](https://www.clearskysec.com/the-kittens-are-back-in-town-2/) | [:closed_book:](../../blob/master/2019/2019.10.07.Charming_Kitten_Back_in_Town_2)
* Oct 07 - [[Anomali] China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations](https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations) | [:closed_book:](../../blob/master/2019/2019.10.07.Panda_minority-groups)
* Oct 04 - [[Avest] GEOST BOTNET. THE STORY OF THE DISCOVERY OF A NEW ANDROID BANKING TROJAN FROM AN OPSEC ERROR](http://public.avast.com/research/VB2019-Garcia-etal.pdf) | [:closed_book:](../../blob/master/2019/2019.10.04.GEOST_BOTNET)
* Oct 03 - [[Palo Alto Networks] PKPLUG: Chinese Cyber Espionage Group Attacking Asia](https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/) | [:closed_book:](../../blob/master/2019/2019.10.03.PKPLUG)
* Oct 01 - [[Netskope] New Adwind Campaign targets US Petroleum Industry](https://www.netskope.com/blog/new-adwind-campaign-targets-us-petroleum-industry-2) | [:closed_book:](../../blob/master/2019/2019.10.01.Adwind_Campaign_US_Petroleum_Industry)
* Sep 26 - [[GBHackers] Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor](https://gbhackers.com/fakenarrator-malware/) | [:closed_book:](../../blob/master/2019/2019.09.26_China_APT_FakeNarrator_To_PcShare)
* Sep 24 - [[CISCO] How Tortoiseshell created a fake veteran hiring website to host malware](https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html) | [:closed_book:](../../blob/master/2019/2019.09.24_New_Tortoiseshell)
* Sep 18 - [[Symantec] Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks](https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain) | [:closed_book:](../../blob/master/2019/2019.09.18.Tortoiseshell-APT)
* Aug 29 - [[AhnLab] Tick Tock - Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years](https://gsec.hitb.org/materials/sg2019/D1%20COMMSEC%20-%20Tick%20Group%20-%20Activities%20Of%20The%20Tick%20Cyber%20Espionage%20Group%20In%20East%20Asia%20Over%20The%20Last%2010%20Years%20-%20Cha%20Minseok.pdf) | [:closed_book:](../../blob/master/2019/2019.08.29_Tick_Tock)
* Aug 27 - [[StrangerealIntel] Malware analysis about sample of APT Patchwork](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Patchwork/27-08-19/Malware%20analysis%2027-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.27.Patchwork_Malware_Analysis)
* Aug 27 - [[Dell] LYCEUM Takes Center Stage in Middle East Campaign](https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign) | [:closed_book:](../../blob/master/2019/2019.08.27.LYCEUM_threat_group)
* Aug 27 - [[CISCO] China Chopper still active 9 years later](https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html) | [:closed_book:](../../blob/master/2019/2019.08.27.China_Chopper)
* Aug 27 - [[Trend Micro] TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy](https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/) | [:closed_book:](../../blob/master/2019/2019.08.27.TA505_Again)
* Aug 26 - [[QianXin] APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan](https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/) | [:closed_book:](../../blob/master/2019/2019.08.26.APT-C-09)
* Aug 22 - [[PTsecurity] Operation TaskMasters: Cyberespionage in the digital economy age](https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/) | [:closed_book:](../../blob/master/2019/2019.08.22.Operation_TaskMasters)
* Aug 21 - [[Fortinet] The Gamaredon Group: A TTP Profile Analysis](https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html) | [:closed_book:](../../blob/master/2019/2019.08.21.Gamaredon_Group)
* Aug 21 - [[Group-IB] Silence 2.0](https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf) | [:closed_book:](../../blob/master/2019/2019.08.21.Silence_2.0)
* Aug 20 - [[StrangerealIntel] Malware analysis about unknown Chinese APT campaign](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.20.unknown_Chinese_APT)
* Aug 14 - [[ESET] In the Balkans, businesses are under fire from a double‑barreled weapon](https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/) | [:closed_book:](../../blob/master/2019/2019.08.14.Balkans_Campaign)
* Aug 08 - [[Anomali] Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations](https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations) | [:closed_book:](../../blob/master/2019/2019.08.08.BITTER_APT)
* Aug 07 - [[FireEye] APT41: A Dual Espionage and Cyber Crime Operation](https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html) | [:closed_book:](../../blob/master/2019/2019.08.07.APT41)
* Aug 05 - [[ESET] Sharpening the Machete](https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/) | [:closed_book:](../../blob/master/2019/2019.08.05.Sharpening_the_Machete)
* Aug 01 - [[Anity] Analysis of the Attack of Mobile Devices by OceanLotus](https://www.antiy.net/p/analysis-of-the-attack-of-mobile-devices-by-oceanlotus/) | [:closed_book:](../../blob/master/2019/2019.08.01.Mobile_OceanLotus)
* Jul 24 - [[Dell] Resurgent Iron Liberty Targeting Energy Sector](https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector) | [:closed_book:](../../blob/master/2019/2019.07.24.Resurgent_Iron_Liberty)
* Jul 24 - [[] Attacking the Heart of the German Industry](https://web.br.de/interaktiv/winnti/english/) | [:closed_book:](../../blob/master/2019/2019.07.24.Winnti_German)
* Jul 24 - [[Proofpoint] Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia](https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology) | [:closed_book:](../../blob/master/2019/2019.07.24.Operation_LagTime_IT)
* Jul 18 - [[FireEye] Hard Pass: Declining APT34’s Invite to Join Their Professional Network](https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html) | [:closed_book:](../../blob/master/2019/2019.07.18.APT34_Hard_Pass)
* Jul 18 - [[Trend Micro] Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/) | [:closed_book:](../../blob/master/2019/2019.07.18.Proyecto_RAT_Colombian)
* Jul 18 - [[ESET] OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY ](https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/) | [:closed_book:](../../blob/master/2019/2019.07.18.Okrum)
* Jul 15 - [[CISCO] SWEED: Exposing years of Agent Tesla campaigns](https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html) | [:closed_book:](../../blob/master/2019/2019.07.15.SWEED)
* Jul 11 - [[ESET] Buhtrap group uses zero‑day in latest espionage campaigns](https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/) | [:closed_book:](../../blob/master/2019/2019.07.11.Buhtrap_Group)
* Jul 09 - [[CISCO] Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques](https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html) | [:closed_book:](../../blob/master/2019/2019.07.09.SeaTurtle_swimming)
* Jul 04 - [[Kaspersky] Twas the night before](https://securelist.com/twas-the-night-before/91599/) | [:closed_book:](../../blob/master/2019/2019.07.04.NewsBeef_APT)
* Jul 04 - [[Trend Micro] Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi](https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/) | [:closed_book:](../../blob/master/2019/2019.07.04.TA505_Gelup_FlowerPippi)
* Jul 03 - [[Anomali] Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018](https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018) | [:closed_book:](../../blob/master/2019/2019.07.03.Chinese_APT_CVE-2018-0798)
* Jun 26 - [[Recorded Future] Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations](https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf) | [:closed_book:](../../blob/master/2019/2019.06.26.Iranian_to_Saudi)
* Jun 25 - [[QianXin] Analysis of MuddyC3, a New Weapon Used by MuddyWater](https://ti.qianxin.com/blog/articles/analysis-of-muddyc3-a-new-weapon-used-by-muddywater/) | [:closed_book:](../../blob/master/2019/2019.06.25.MuddyC3)
* Jun 21 - [[Symantec] Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments](https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments) | [:closed_book:](../../blob/master/2019/2019.06.21.Waterbug)
* Jun 20 - [[QianXin] New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam](https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/) | [:closed_book:](../../blob/master/2019/2019.06.20.OceanLotus_New_Approaches)
* Jun 12 - [[ThaiCERT] Threat Group Cards: A Threat Actor Encyclopedia](https://www.dropbox.com/s/ds0ra0c8odwsv3m/Threat%20Group%20Cards.pdf?dl) | [:closed_book:](../../blob/master/2019/2019.06.12.Threat_Group_Cards)
* Jun 11 - [[Recorded Future] The Discovery of Fishwrap: A New Social Media Information Operation Methodology](https://www.recordedfuture.com/fishwrap-influence-operation/) | [:closed_book:](../../blob/master/2019/2019.06.11.Fishwrap_Group)
* Jun 10 - [[Trend Micro] MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools](https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/) | [:closed_book:](../../blob/master/2019/2019.06.10.MuddyWater_Resurfaces)
* Jun 05 - [[Agari] Scattered Canary The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise](https://www.agari.com/cyber-intelligence-research/whitepapers/scattered-canary.pdf) | [:closed_book:](../../blob/master/2019/2019.06.05.Scattered_Canary)
* Jun 04 - [[Bitdefender] An APT Blueprint: Gaining New Visibility into Financial Threats](https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf) | [:closed_book:](../../blob/master/2019/2019.06.04.APT_Blueprint)
* May 30 - [[CISCO] 10 years of virtual dynamite: A high-level retrospective of ATM malware](https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html) | [:closed_book:](../../blob/master/2019/2019.05.30.10_Years_ATM_Malware)
* May 29 - [[ESET] A dive into Turla PowerShell usage](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/) | [:closed_book:](../../blob/master/2019/2019.05.29.Turla_PowerShell)
* May 29 - [[Yoroi] TA505 is Expanding its Operations](https://blog.yoroi.company/research/ta505-is-expanding-its-operations/) | [:closed_book:](../../blob/master/2019/2019.05.29.TA505)
* May 28 - [[Palo Alto Networks] Emissary Panda Attacks Middle East Government Sharepoint Servers](https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/) | [:closed_book:](../../blob/master/2019/2019.05.28.Emissary_Panda)
* May 27 - [[360] APT-C-38](http://blogs.360.cn/post/analysis-of-APT-C-38.html) | [:closed_book:](../../blob/master/2019/2019.05.27.APT-C-38)
* May 24 - [[ENSILO] UNCOVERING NEW ACTIVITY BY APT10](https://blog.ensilo.com/uncovering-new-activity-by-apt10) | [:closed_book:](../../blob/master/2019/2019.05.24_APT10_New_Activity)
* May 22 - [[ESET] A journey to Zebrocy land](https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/) | [:closed_book:](../../blob/master/2019/2019.05.22.Zebrocy_Land)
* May 19 - [[Intezer] HiddenWasp Malware Stings Targeted Linux Systems](https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/) | [:closed_book:](../../blob/master/2019/2019.05.19.HiddenWasp_Linux)
* May 18 - [[ADLab] Operation_BlackLion](https://www.secrss.com/articles/10745) | [:closed_book:](../../blob/master/2019/2019.05.18.Operation_BlackLion)
* May 15 - [[Chronicle] Winnti: More than just Windows and Gates](https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a) | [:closed_book:](../../blob/master/2019/2019.05.15.Winnti_More)
* May 13 - [[Kaspersky] ScarCruft continues to evolve, introduces Bluetooth harvester](https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/) | [:closed_book:](../../blob/master/2019/2019.05.13.ScarCruft_Bluetooth)
* May 11 - [[Sebdraven] Chinese Actor APT target Ministry of Justice Vietnamese](https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906) | [:closed_book:](../../blob/master/2019/2019.05.11.Chinese_APT_Vietnamese)
* May 09 - [[Clearsky] Iranian Nation-State APT Groups – “Black Box” Leak](https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf) | [:closed_book:](../../blob/master/2019/2019.05.09.Iranian_APT_Leak)
* May 08 - [[Kaspersky] FIN7.5: the infamous cybercrime rig “FIN7” continues its activities](https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/) | [:closed_book:](../../blob/master/2019/2019.05.08.Fin7.5)
* May 07 - [[Yoroi] ATMitch: New Evidence Spotted In The Wild](https://blog.yoroi.company/research/atmitch-new-evidence-spotted-in-the-wild/) | [:closed_book:](../../blob/master/2019/2019.05.07.ATMitch)
* May 07 - [[ESET] Turla LightNeuron: An email too far](https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf) | [:closed_book:](../../blob/master/2019/2019.05.07.Turla_LightNeuron)
* May 07 - [[Symantec] Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak](https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit) | [:closed_book:](../../blob/master/2019/2019.05.07.Buckeye)
* May 03 - [[Kaspersky] Who’s who in the Zoo Cyberespionage operation targets Android users in the Middle East](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf) | [:closed_book:](../../blob/master/2019/2019.05.03.ZooPark)
* Apr 30 - [[ThreatRecon] SectorB06 using Mongolian language in lure document](https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/) | [:closed_book:](../../blob/master/2019/2019.04.30.SectorB06_Mongolian)
* Apr 17 - [[Palo Alto Networks] Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign](https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/) | [:closed_book:](../../blob/master/2019/2019.04.17.Aggah_Campaign)
* Apr 17 - [[CISCO] DNS Hijacking Abuses Trust In Core Internet Service](https://blog.talosintelligence.com/2019/04/seaturtle.html) | [:closed_book:](../../blob/master/2019/2019.04.17.Operation_Sea_Turtle)
* Apr 10 - [[CheckPoint] The Muddy Waters of APT Attacks](https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/) | [:closed_book:](../../blob/master/2019/2019.04.10.Muddy_Waters)
* Apr 10 - [[Kaspersky] Project TajMahal – a sophisticated new APT framework](https://securelist.com/project-tajmahal/90240/) | [:closed_book:](../../blob/master/2019/2019.04.10.Project_TajMahal)
* Mar 28 - [[Trend Micro] Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole](https://blog.trendmicro.com/trendlabs-security-intelligence/desktop-mobile-phishing-campaign-targets-south-korean-websites-steals-credentials-via-watering-hole/) | [:closed_book:](../../blob/master/2019/2019.03.28.Desktop_Mobile_Phishing_Campaign)
* Mar 28 - [[C4ADS] Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria](https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5c99488beb39314c45e782da/1553549492554/Above+Us+Only+Stars.pdf) | [:closed_book:](../../blob/master/2019/2019.03.28.Exposing_GPS_Spoofing_in_Russia_and_Syria)
* Mar 28 - [[ThreatRecon] Threat Actor Group using UAC Bypass Module to run BAT File](https://threatrecon.nshc.net/2019/03/28/threat-actor-group-using-uac-bypass-module-to-run-bat-file/) | [:closed_book:](../../blob/master/2019/2019.03.28.UAC_Bypass_BAT_APT)
* Mar 27 - [[Symantec] Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.](https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage) | [:closed_book:](../../blob/master/2019/2019.03.27.Elfin)
* Mar 25 - [[Kaspersky] Operation ShadowHammer](https://securelist.com/operation-shadowhammer/89992/) | [:closed_book:](../../blob/master/2019/2019.03.25.Operation_ShadowHammer)
* Mar 13 - [[CISCO] GlitchPOS: New PoS malware for sale](https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html) | [:closed_book:](../../blob/master/2019/2019.03.13.GlitchPOS_POS_Malware)
* Mar 13 - [[FlashPoint] ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses](https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/) | [:closed_book:](../../blob/master/2019/2019.03.13.DMSniff_POS_Malware)
* Mar 13 - [[CheckPoint] Operation Sheep: Pilfer-Analytics SDK in Action](https://research.checkpoint.com/operation-sheep-pilfer-analytics-sdk-in-action/) | [:closed_book:](../../blob/master/2019/2019.03.13.Operation_Sheep)
* Mar 12 - [[Pala Alto Network] Operation Comando: How to Run a Cheap and Effective Credit Card Business](https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/) | [:closed_book:](../../blob/master/2019/2019.03.12.Operation_Comando)
* Mar 11 - [[ESET] Gaming industry still in the scope of attackers in Asia](https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/) | [:closed_book:](../../blob/master/2019/2019.03.11.Gaming-Industry.Asia)
* Mar 08 - [[Resecurity] Supply Chain – The Major Target of Cyberespionage Groups](https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/) | [:closed_book:](../../blob/master/2019/2019.03.08.Supply_Chain_Groups)
* Mar 07 - [[Trend Micro] New SLUB Backdoor Uses GitHub, Communicates via Slack](https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/) | [:closed_book:](../../blob/master/2019/2019.03.07.SLUB_Backdoor)
* Mar 06 - [[Cybaze-Yoroi Z-LAB] Operation Pistacchietto](https://blog.yoroi.company/research/op-pistacchietto-an-italian-job/) | [:closed_book:](../../blob/master/2019/2019.03.06.Operation_Pistacchietto)
* Mar 06 - [[NTT] Targeted attack using Taidoor Analysis report](https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1) | [:closed_book:](../../blob/master/2019/2019.03.06_Taidoor_Analysis)
* Mar 06 - [[Symantec] Whitefly: Espionage Group has Singapore in Its Sights](https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore) | [:closed_book:](../../blob/master/2019/2019.03.06.Whitefly)
* Mar 04 - [[FireEye] APT40: Examining a China-Nexus Espionage Actor](https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html) | [:closed_book:](../../blob/master/2019/2019.03.04.APT40)
* Feb 28 - [[Marco Ramilli] Ransomware, Trojan and Miner together against “PIK-Group”](https://marcoramilli.com/2019/02/28/ransomware-trojan-and-miner-together-against-pik-group/) | [:closed_book:](../../blob/master/2019/2019.02.28_RIK_Group)
* Feb 27 - [[Dell] A Peek into BRONZE UNION’s Toolbox](https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox) | [:closed_book:](../../blob/master/2019/2019.02.27.BRONZE_UNION_Toolbox)
* Feb 26 - [[Cybaze-Yoroi Z-LAB] The Arsenal Behind the Australian Parliament Hack](https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/) | [:closed_book:](../../blob/master/2019/2019.02.26.Australian_Parliament_Hack)
* Feb 25 - [[CarbonBlack] Defeating Compiler Level Obfuscations Used in APT10 Malware](https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/) | [:closed_book:](../../blob/master/2019/2019.02.25.APT10_Defeating_Compiler_Level)
* Feb 20 - [[SecureSoft] IT IS IDENTIFIED ATTACKS OF THE CIBERCRIMINAL LAZARUS GROUP DIRECTED TO ORGANIZATIONS IN RUSSIA](http://securitysummitperu.com/articulos/se-identifico-ataques-del-grupo-cibercriminal-lazarus-dirigidos-a-organizaciones-en-rusia/) | [:closed_book:](../../blob/master/2019/2019.02.20.LAZARUS_to_RUSSIA)
* Feb 18 - [[360] APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations](https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/) | [:closed_book:](../../blob/master/2019/2019.02.18.APT-C-36.Colombian)
* Feb 14 - [[360] Suspected Molerats' New Attack in the Middle East](https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/) | [:closed_book:](../../blob/master/2019/2019.02.14.Molerats_APT)
* Feb 06 - [[Recorded Future] APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign](https://www.recordedfuture.com/apt10-cyberespionage-campaign/) | [:closed_book:](../../blob/master/2019/2019.02.06.APT10_Sustained_Campaign)
* Feb 05 - [[Anomali] Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain?](https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain) | [:closed_book:](../../blob/master/2019/2019.02.05.China_India_APT_shared)
* Feb 01 - [[Palo Alto Networks] Tracking OceanLotus’ new Downloader, KerrDown](https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/) | [:closed_book:](../../blob/master/2019/2019.02.01.OceanLotus_KerrDown)
* Jan 30 - [[Kaspersky] Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities](https://securelist.com/chafer-used-remexi-malware/89538/) | [:closed_book:](../../blob/master/2019/2019.01.30.Chafer_APT_Spy_Iran)
* Jan 30 - [[NSHC] The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing](https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing) | [:closed_book:](../../blob/master/2019/2019.01.30.Operation_Kitty_Phishing)
* Jan 30 - [[Morphisec] NEW CAMPAIGN DELIVERS ORCUS RAT](http://blog.morphisec.com/new-campaign-delivering-orcus-rat) | [:closed_book:](../../blob/master/2019/2019.01.30.ORCUS_RAT)
* Jan 25 - [[LAB52] WIRTE Group attacking the Middle East](https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/) | [:closed_book:](../../blob/master/2019/2019.01.18.WIRTE_Group_attacking_the_Middle_East)
* Jan 18 - [[Palo Alto Networks] DarkHydrus delivers new Trojan that can use Google Drive for C2 communications](https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/) | [:closed_book:](../../blob/master/2019/2019.01.18.DarkHydrus)
* Jan 17 - [[Palo Alto Networks] Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products](https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/) | [:closed_book:](../../blob/master/2019/2019.01.17.Rocke_Group)
* Jan 16 - [[360] Latest Target Attack of DarkHydruns Group Against Middle East](https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/) | [:closed_book:](../../blob/master/2019/2019.01.16.DarkHydruns)
* Dec 28 - [[Medium] Goblin Panda changes the dropper and reuses the old infrastructure](https://medium.com/@Sebdraven/goblin-panda-changes-the-dropper-and-reused-the-old-infrastructure-a35915f3e37a) | [:closed_book:](../../blob/master/2018/2018.12.28.Goblin_Panda)
* Dec 20 - [[Objective-See] Middle East Cyber-Espionage: analyzing WindShift's implant: OSX.WindTail](https://objective-see.com/blog/blog_0x3B.html)| [:closed_book:](../../blob/master/2018/2018.12.20.WindShift_Middle_East)
* Dec 18 - [[Trend Micro] URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader](https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/) | [:closed_book:](../../blob/master/2018/2018.12.18.ursnif-emotet-dridex-and-bitpaymer-gangs)
* Dec 13 - [[Certfa] The Return of The Charming Kitten](https://blog.certfa.com/posts/the-return-of-the-charming-kitten/) | [:closed_book:](../../blob/master/2018/2018.12.13.Charming_Kitten_Return)
* Dec 13 - [[Trend Micro] Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak](https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf) | [:closed_book:](../../blob/master/2018/2018.12.13.Tildeb_Shadow_Brokers)
* Dec 13 - [[Palo Alto Networks] Shamoon 3 Targets Oil and Gas Organization](https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/) | [:closed_book:](../../blob/master/2018/2018.12.13.Shamoon_3)
* Dec 12 - [[McAfee] ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf) | [:closed_book:](../../blob/master/2018/2018.12.12.Operation_Sharpshooter)
* Dec 12 - [[360] Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China](https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/) | [:closed_book:](../../blob/master/2018/2018.12.12.Donot_Group)
* Dec 11 - [[Cylance] Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure](https://threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html) | [:closed_book:](../../blob/master/2018/2018.12.11.Poking_the_Bear)
* Nov ?? - [[Google] The Hunt for 3ve](https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf) | [:closed_book:](../../blob/master/2018/2018.11.The_Hunt_for_3ve)
* Nov 30 - [[Trend Micro] New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools](https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/) | [:closed_book:](../../blob/master/2018/2018.11.30.MuddyWater_Turkey)
* Nov 29 - [[360] Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/) | [:closed_book:](../../blob/master/2018/2018.11.29.Attack_Pakistan_By_Exploiting_InPage)
* Nov 28 - [[Microsoft] Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/) | [:closed_book:](../../blob/master/2018/2018.11.28.Tropic_Trooper_microsoft)
* Nov 28 - [[Clearsky] MuddyWater Operations in Lebanon and Oman](https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf) | [:closed_book:](../../blob/master/2018/2018.11.28.MuddyWater-Operations-in-Lebanon-and-Oman)
* Nov 20 - [[Trend Micro] Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/) | [:closed_book:](../../blob/master/2018/2018.11.20.lazarus-in-latin-america)
* Nov 19 - [[FireEye] Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html) | [:closed_book:](../../blob/master/2018/2018.11.19.APT29_Phishing)
* Nov 13 - [[Recorded Future] Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques ](https://go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf) | [:closed_book:](../../blob/master/2018/2018.11.13.China.TEMP.Periscope.Using.Russian_APT)
* Nov 08 - [[Symantec] FASTCash: How the Lazarus Group is Emptying Millions from ATMs](https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware) | [:closed_book:](../../blob/master/2018/2018.11.08.FASTCash)
* Oct 19 - [[Kaspersky] DarkPulsar](https://securelist.com/darkpulsar/88199/) | [:closed_book:](../../blob/master/2018/2018.10.19.DarkPulsar)
* Oct 18 - [[Medium] APT Sidewinder changes theirs TTPs to install their backdoor](https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739) | [:closed_book:](../../blob/master/2018/2018.10.18.APT_Sidewinder_changes)
* Oct 18 - [[CISCO] Tracking Tick Through Recent Campaigns Targeting East Asia](https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html) | [:closed_book:](../../blob/master/2018/2018.10.18.Datper_Bronze_Butler)
* Oct 18 - [[McAfee] Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf) | [:closed_book:](../../blob/master/2018/2018.10.18.Operation_Oceansalt)
* Oct 17 - [[Cylance] The SpyRATs of OceanLotus: Malware Analysis White Paper](https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf) | [:closed_book:](../../blob/master/2018/2018.10.17.OceanLotus_SpyRATs)
* Oct 17 - [[ESET] GreyEnergy: Updated arsenal of one of the most dangerous threat actors](https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/) | [:closed_book:](../../blob/master/2018/2018.10.17.GreyEnergy)
* Oct 17 - [[Yoroi] Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)](https://blog.yoroi.company/?p=1829) | [:closed_book:](../../blob/master/2018/2018.10.17.Targeting_the_Naval_Industry)
* Oct 15 - [[Kaspersky] Octopus-infested seas of Central Asia](https://securelist.com/octopus-infested-seas-of-central-asia/88200/) | [:closed_book:](../../blob/master/2018/2018.10.15.Octopus_Central_Asia)
* Oct 11 - [[Symantec] Gallmaker: New Attack Group Eschews Malware to Live off the Land](https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group) | [:closed_book:](../../blob/master/2018/2018.10.11.Gallmaker)
* Oct 10 - [[Kaspersky] MuddyWater expands operations](https://securelist.com/muddywater/88059/) | [:closed_book:](../../blob/master/2018/2018.10.10.MuddyWater_expands)
* Oct 03 - [[FireEye] APT38: Details on New North Korean Regime-Backed Threat Group](https://content.fireeye.com/apt/rpt-apt38) | [:closed_book:](../../blob/master/2018/2018.10.03.APT38)
* Sep 27 - [[ESET] LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group](https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf) | [:closed_book:](../../blob/master/2018/2018.09.27.LoJax)
* Sep 13 - [[FireEye] APT10 Targeting Japanese Corporations Using Updated TTPs](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) | [:closed_book:](../../blob/master/2018/2018.09.13.APT10_Targeting_Japanese)
* Sep 10 - [[Kaspersky] LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company](https://securelist.com/luckymouse-ndisproxy-driver/87914) | [:closed_book:](../../blob/master/2018/2018.09.07.Goblin_Panda_targets_Cambodia)
* Sep 07 - [[Volon] Targeted Attack on Indian Ministry of External Affairs using Crimson RAT](https://volon.io/2018/09/07/targeted-attack-on-indian-ministry-of-external-affairs-using-crimson-rat/) | [:closed_book:](../../blob/master/2018/2018.09.07.indian-ministry_crimson-rat)
* Sep 07 - [[Medium] Goblin Panda targets Cambodia sharing capacities with another Chinese group hackers Temp Periscope](https://medium.com/@Sebdraven/goblin-panda-targets-cambodia-sharing-capacities-with-another-chinese-group-hackers-temp-periscope-7871382ffcc0) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Aug 30 - [[MalwareBytes] Reversing malware in a custom format: Hidden Bee elements](https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/) | [:closed_book:](../../blob/master/2018/2018.08.30.Hidden_Bee_Custom_format)
* Aug 30 - [[CrowdStrike] Two Birds, One STONE PANDA](https://www.crowdstrike.com/blog/two-birds-one-stone-panda/) | [:closed_book:](../../blob/master/2018/2018.08.30.Stone_Panda)
* Aug 30 - [[Arbor] Double the Infection, Double the Fun](https://asert.arbornetworks.com/double-the-infection-double-the-fun/) | [:closed_book:](../../blob/master/2018/2018.08.30.Cobalt_Group_Fun)
* Aug 30 - [[Dark Matter] COMMSEC: The Trails of WINDSHIFT APT](https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf) | [:closed_book:](../../blob/master/2018/2018.08.30.WINDSHIFT_APT)
* Aug 29 - [[Trend Micro] The Urpage Connection to Bahamut, Confucius and Patchwork](https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/) | [:closed_book:](../../blob/master/2018/2018.08.29.Bahamut_Confucius_Patchwork)
* Aug 28 - [[CheckPoint] CeidPageLock: A Chinese RootKit](https://research.checkpoint.com/ceidpagelock-a-chinese-rootkit/) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Aug 23 - [[Kaspersky] Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware](https://securelist.com/operation-applejeus/87553/) | [:closed_book:](../../blob/master/2018/2018.08.23.Operation_AppleJeus)
* Aug 21 - [[ESET] TURLA OUTLOOK BACKDOOR](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 21 - [[Trend Micro] Supply Chain Attack Operation Red Signature Targets South Korean Organizations](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 16 - [[Recorded Future] Chinese Cyberespionage Originating From Tsinghua University Infrastructure](https://go.recordedfuture.com/hubfs/reports/cta-2018-0816.pdf) | [:closed_book:](../../blob/master/2018/2018.08.16.Chinese_Cyberespionage_Tsinghua_University)
* Aug 09 - [[McAfee] Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families](https://securingtomorrow.mcafee.com/mcafee-labs/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-malware-families/) | [:closed_book:](../../blob/master/2018/2018.08.09.north-koreas-malware-families)
* Aug 02 - [[Accenture] Goldfin Security Alert](https://www.accenture.com/us-en/blogs/blogs-goldfin-security-alert) | [:closed_book:](../../blob/master/2018/2018.08.02.Goldfin_Security_Alert)
* Aug 02 - [[Palo Alto Networks] The Gorgon Group: Slithering Between Nation State and Cybercrime](https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/) | [:closed_book:](../../blob/master/2018/2018.08.02.Gorgon_Group)
* Aug 02 - [[Medium] Goblin Panda against the Bears](https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4) | [:closed_book:](../../blob/master/2018/2018.08.02.Goblin_Panda)
* Jul 31 - [[Palo Alto Networks] Bisonal Malware Used in Attacks Against Russia and South Korea](https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/) | [:closed_book:](../../blob/master/2018/2018.07.31.bisonal-malware-used-attacks-russia-south-korea)
* Jul 27 - [[Palo Alto Networks] New Threat Actor Group DarkHydrus Targets Middle East Government](https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/) | [:closed_book:](../../blob/master/2018/2018.07.27.DarkHydrus)
* Jul 23 - [[CSE] APT27: A long-term espionage campaign in Syria](http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf) | [:closed_book:](../../blob/master/2018/2018.07.23_APT27_Syria)
* Jul 16 - [[Trend Micro] New Andariel Reconnaissance Tactics Hint At Next Targets](https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/) | [:closed_book:](../../blob/master/2018/2018.07.16.new-andariel)
* Jul 12 - [[CISCO] Advanced Mobile Malware Campaign in India uses Malicious MDM](https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html) | [:closed_book:](../../blob/master/2018/2018.07.12.Advanced_Mobile_Malware_Campaign_in_India)
* Jul 09 - [[ESET] Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign](https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/) | [:closed_book:](../../blob/master/2018/2018.07.09.certificates-stolen-taiwanese-tech-companies-plead-malware-campaign)
* Jul 08 - [[CheckPoint] APT Attack In the Middle East: The Big Bang](https://research.checkpoint.com/apt-attack-middle-east-big-bang/) | [:closed_book:](../../blob/master/2018/2018.07.08.Big_Bang)
* Jul 08 - [[Fortinet] Hussarini – Targeted Cyber Attack in the Philippines](https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html) | [:closed_book:](../../blob/master/2018/2018.07.08.Hussarini)
* Jun XX - [[Ahnlab] Operation Red Gambler](http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf) | [:closed_book:](../../blob/master/2018/2018.06.xx.Operation_Red_Gambler)
* Jun 26 - [[Palo Alto Networks] RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families](https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/) | [:closed_book:](../../blob/master/2018/2018.06.26.RANCOR)
* Jun 23 - [[Ahnlab] Full Discloser of Andariel,A Subgroup of Lazarus Threat Group](https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf) | [:closed_book:](../../blob/master/2018/2018.06.23.Andariel_Group)
* Jun 22 - [[Palo Alto networks] Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems](https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/) | [:closed_book:](../../blob/master/2018/2018.06.22.Iick.Group-weaponized-secure-usb)
* Jun 20 - [[Symantec] Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies](https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets) | [:closed_book:](../../blob/master/2018/2018.06.20.thrip-hits-satellite-telecoms-defense-targets)
* Jun 19 - [[Kaspersky] Olympic Destroyer is still alive](https://securelist.com/olympic-destroyer-is-still-alive/86169/) | [:closed_book:](../../blob/master/2018/2017.06.19.olympic-destroyer-is-still-alive)
* Jun 14 - [[Trend Micro] Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor](https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/) | [:closed_book:](../../blob/master/2018/2018.06.14.another-potential-muddywater-campaign)
* Jun 14 - [[intezer] MirageFox: APT15 Resurfaces With New Tools Based On Old Ones](https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/) | [:closed_book:](../../blob/master/2018/2018.06.14.MirageFox_APT15)
* Jun 13 - [[Kaspersky] LuckyMouse hits national data center to organize country-level waterholing campaign](https://securelist.com/luckymouse-hits-national-data-center/86083/) | [:closed_book:](../../blob/master/2018/2018.06.13.LuckyMouse)
* Jun 07 - [[Volexity] Patchwork APT Group Targets US Think Tanks](https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/) | [:closed_book:](../../blob/master/2018/2018.06.07.patchwork-apt-group-targets-us-think-tanks)
* Jun 07 - [[ICEBRG] ADOBE FLASH ZERO-DAY LEVERAGED FOR TARGETED ATTACK IN MIDDLE EAST](https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack) | [:closed_book:](../../blob/master/2018/2018.06.07.dobe-flash-zero-day-targeted-attack)
* Jun 07 - [[FireEye] A Totally Tubular Treatise on TRITON and TriStation](https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html) | [:closed_book:](../../blob/master/2018/2018.06.07.Totally_Tubular_Treatise_on_TRITON_TriStation)
* Jun 06 - [[CISCO] VPNFilter Update - VPNFilter exploits endpoints, targets new devices](https://blog.talosintelligence.com/2018/06/vpnfilter-update.html) | [:closed_book:](../../blob/master/2018/2018.06.06.vpnfilter-update)
* May 31 - [[CISCO] NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea](https://blog.talosintelligence.com/2018/05/navrat.html) | [:closed_book:](../../blob/master/2018/2018.03.31.NavRAT_Uses_US-North_Korea_Summit_As_Decoy)
* May 29 - [[intezer] Iron Cybercrime Group Under The Scope](https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/) | [:closed_book:](../../blob/master/2018/2018.05.29.iron-cybercrime-group)
* May 23 - [[CISCO] New VPNFilter malware targets at least 500K networking devices worldwide](https://blog.talosintelligence.com/2018/05/VPNFilter.html) | [:closed_book:](../../blob/master/2018/2018.05.23.New_VPNFilter)
* May 23 - [[Ahnlab] Andariel Group Trend Report](http://download.ahnlab.com/kr/site/library/[Report]Andariel_Threat_Group.pdf) | [:closed_book:](../../blob/master/2018/2018.05.23.Andariel_Group)
* May 23 - [[Trend Micro] Confucius Update: New Tools and Techniques, Further Connections with Patchwork](https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/) | [:closed_book:](../../blob/master/2018/2018.05.23.Confucius_Update)
* May 22 - [[Intrusiontruth] The destruction of APT3](https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/) | [:closed_book:](../../blob/master/2018/2018.05.22.The_destruction_of_APT3)
* May 22 - [[ESET] Turla Mosquito: A shift towards more generic tools](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/) | [:closed_book:](../../blob/master/2018/2018.05.22.Turla_Mosquito)
* May 09 - [[360] Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack](http://blogs.360.cn/blog/cve-2018-8174-en/) | [:closed_book:](../../blob/master/2018/2018.05.09.APT-C-06_CVE-2018-8174)
* May 03 - [[ProtectWise] Burning Umbrella](https://github.com/401trg/detections/raw/master/pdfs/20180503_Burning_Umbrella.pdf) | [:closed_book:](../../blob/master/2018/2018.05.03.Burning_Umbrella)
* May 03 - [[Kaspersky] Who’s who in the Zoo: Cyberespionage operation targets Android users in the Middle East](https://securelist.com/whos-who-in-the-zoo/85394/) | [:closed_book:](../../blob/master/2018/2018.05.03.whos-who-in-the-zoo)
* May 03 - [[Ahnlab] Detailed Analysis of Red Eyes Hacking Group](https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]%20Red_Eyes_Hacking_Group_Report%20(1).pdf) | [:closed_book:](../../blob/master/2018/2018.05.03.Red_Eyes_Hacking_Group)
* Apr 23 - [[Symantec] New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia](https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia) | [:closed_book:](../../blob/master/2018/2018.04.23.New_Orangeworm)
* Apr 17 - [[NCCGroup] Decoding network data from a Gh0st RAT variant](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant) | [:closed_book:](../../blob/master/2018.04.17.Iron_Tiger_Gh0st_RAT_variant)
* Apr 12 - [[Kaspersky] Operation Parliament, who is doing what?](https://securelist.com/operation-parliament-who-is-doing-what/85237/) | [:closed_book:](../../blob/master/2018/2018.04.12.operation-parliament)
* Apr 04 - [[Trend Micro] New MacOS Backdoor Linked to OceanLotus Found](https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/) | [:closed_book:](../../blob/master/2018/2018.04.04.MacOS_Backdoor_OceanLotus)
* Mar 29 - [[Trend Micro] ChessMaster Adds Updated Tools to Its Arsenal](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/) | [:closed_book:](../../blob/master/2018/2018.03.29.ChessMaster_Adds_Updated_Tools)
* Mar 27 - [[Arbor] Panda Banker Zeros in on Japanese Targets](https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/) | [:closed_book:](../../blob/master/2018/2018.03.27.panda-banker-zeros-in-on-japanese-targets)
* Mar 23 - [[Ahnlab] Targeted Attacks on South Korean Organizations](http://global.ahnlab.com/global/upload/download/techreport/Tech_Report_Malicious_Hancom.pdf) | [:closed_book:](../../blob/master/2018/2018.03.23.Targeted_Attacks_on_South_Korean_Organizations)
* Mar 15 - [[US-CERT] Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors](https://www.us-cert.gov/ncas/alerts/TA18-074A) | [:closed_book:](../../blob/master/2018/2018.03.15.Russian_Government_Cyber_Activity_TA18-074A)
* Mar 14 - [[Symantec] Inception Framework: Alive and Well, and Hiding Behind Proxies](https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies) | [:closed_book:](../../blob/master/2018/2018.03.14.Inception_Framework)
* Mar 14 - [[Trend Micro] Tropic Trooper’s New Strategy](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/) | [:closed_book:](../../blob/master/2018/2018.03.14.tropic-trooper-new-strategy)
* Mar 13 - [[FireEye] Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html) | [:closed_book:](../../blob/master/2018/2018.03.13.Iranian-threat-group)
* Mar 13 - [[Kaspersky] Time of death? A therapeutic postmortem of connected medicine](https://securelist.com/time-of-death-connected-medicine/84315/) | [:closed_book:](../../blob/master/2018/2018.03.13.A_therapeutic_postmortem_of_connected_medicine)
* Mar 13 - [[Proofpoint] Drive-by as a service: BlackTDS](https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds) | [:closed_book:](../../blob/master/2018/2018.03.13.BlackTDS)
* Mar 13 - [[ESET] OceanLotus: Old techniques, new backdoor](https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf) | [:closed_book:](../../blob/master/2018/2018.03.13.OceanLotus_Old_techniques_new_backdoor)
* Mar 12 - [[Trend Micro] Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia](https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/) | [:closed_book:](../../blob/master/2018/2018.03.12.MuddyWater_Middle_East_and_Central_Asia)
* Mar 09 - [[CitizenLab] BAD TRAFFIC Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/) | [:closed_book:](../../blob/master/2018/2018.03.09.Sandvine_PacketLogic_Devices_APT)
* Mar 09 - [[Kaspersky] Masha and these Bears 2018 Sofacy Activity](https://securelist.com/masha-and-these-bears/84311/) | [:closed_book:](../../blob/master/2018/2018.03.09.masha-and-these-bears)
* Mar 09 - [[NCC] APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/?Year=2018&Month=3) | [:closed_book:](../../blob/master/2018/2018.03.09.APT15_is_alive_and_strong)
* Mar 09 - [[ESET] New traces of Hacking Team in the wild](https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/) | [:closed_book:](../../blob/master/2018/2018.03.09.new-traces-hacking-team-wild)
* Mar 08 - [[McAfee] Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant](https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/) | [:closed_book:](../../blob/master/2018/2018.03.08.hidden-cobra-targets-turkish-financial)
* Mar 08 - [[Kaspersky] OlympicDestroyer is here to trick the industry](https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/) | [:closed_book:](../../blob/master/2018/2018.03.08.olympicdestroyer-is-here-to-trick-the-industry)
* Mar 08 - [[Arbor] Donot Team Leverages New Modular Malware Framework in South Asia](https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/) | [:closed_book:](../../blob/master/2018/2018.03.08.donot-team-leverages-new-modular)
* Mar 07 - [[Palo Alto Networks] Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent](https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/) | [:closed_book:](../../blob/master/2018/2018.03.07.patchwork-continues-deliver-badnews-indian-subcontinent)
* Mar 06 - [[Kaspersky] The Slingshot APT](https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf) | [:closed_book:](../../blob/master/2018/2018.03.06.The-Slingshot-APT)
* Mar 05 - [[Palo Alto Networks] Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency](https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/) | [:closed_book:](../../blob/master/2018/2018.03.05.New_ComboJack_Malware)
* Mar 02 - [[McAfee] McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups](https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/) | [:closed_book:](../../blob/master/2018/2018.03.02.Operation_Honeybee)
* Mar 01 - [[Security 0wnage] A Quick Dip into MuddyWater's Recent Activity](https://sec0wn.blogspot.tw/2018/03/a-quick-dip-into-muddywaters-recent.html) | [:closed_book:](../../blob/master/2018/2018.03.01.a-quick-dip-into-muddywaters-recent)
* Feb 28 - [[Palo Alto Networks] Sofacy Attacks Multiple Government Entities](https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/) | [:closed_book:](../../blob/master/2018/2018.02.28.sofacy-attacks-multiple-government-entities)
* Feb 21 - [[Avast] Avast tracks down Tempting Cedar Spyware](https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware) | [:closed_book:](../../blob/master/2018/2018.02.21.Tempting_Cedar)
* Feb 20 - [[Arbor] Musical Chairs Playing Tetris](https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/) | [:closed_book:](../../blob/master/2018/2018.02.20.musical-chairs-playing-tetris)
* Feb 20 - [[Kaspersky] A Slice of 2017 Sofacy Activity](https://securelist.com/a-slice-of-2017-sofacy-activity/83930/) | [:closed_book:](../../blob/master/2018/2018.02.20.a-slice-of-2017-sofacy-activity)
* Feb 20 - [[FireEye] APT37 (Reaper): The Overlooked North Korean Actor](https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf) | [:closed_book:](../../blob/master/2018/2018.02.20.APT37)
* Feb 07 - [[CISCO] Targeted Attacks In The Middle East](http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html) | [:closed_book:](../../blob/master/2018/2018.02.07.targeted-attacks-in-middle-east_VBS_CAMPAIGN)
* Feb 02 - [[McAfee] Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems](https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/) | [:closed_book:](../../blob/master/2018/2018.02.02.gold-dragon-widens-olympics-malware)
* Feb 01 - [[Bitdefender] Operation PZChao: a possible return of the Iron Tiger APT](https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/) | [:closed_book:](../../blob/master/2018/2018.02.01.operation-pzchao)
* Jan 30 - [[Palo Alto Networks] Comnie Continues to Target Organizations in East Asia](https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/) | [:closed_book:](../../blob/master/2018/2018.01.31.Comnie_Continues_to_Target_Organizations_in_East_Asia)
* Jan 29 - [[Trend Micro] Hacking Group Spies on Android Users in India Using PoriewSpy](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-group-spies-android-users-india-using-poriewspy/) | [:closed_book:](../../blob/master/2018/2018.01.29.PoriewSpy.India)
* Jan 29 - [[Palo Alto Networks] VERMIN: Quasar RAT and Custom Malware Used In Ukraine](https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/) | [:closed_book:](../../blob/master/2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine)
* Jan 27 - [[Accenture] DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES](https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf) | [:closed_book:](../../blob/master/2018/2018.01.27.DRAGONFISH)
* Jan 26 - [[Palo Alto Networks] The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services](https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/) | [:closed_book:](../../blob/master/2018/2018.01.26.TopHat_Campaign)
* Jan 25 - [[Palo Alto Networks] OilRig uses RGDoor IIS Backdoor on Targets in the Middle East](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/) | [:closed_book:](../../blob/master/2018/2018.01.25.oilrig_Middle_East)
* Jan 24 - [[Trend Micro] Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/) | [:closed_book:](../../blob/master/2018/2018.01.24.lazarus-campaign-targeting-cryptocurrencies)
* Jan 18 - [[NCSC] Turla group update Neuron malware](https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20Neuron%20Malware%20Update.pdf) | [:closed_book:](../../blob/master/2018/2018.01.18.Turla_group_update_Neuron_malware)
* Jan 17 - [[Lookout] Dark Caracal](https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf) | [:closed_book:](../../blob/master/2018/2018.01.18.Dark_Caracal)
* Jan 16 - [[Kaspersky] Skygofree: Following in the footsteps of HackingTeam](https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/) | [:closed_book:](../../blob/master/2018/2018.01.16.skygofree)
* Jan 16 - [[Recorded Future] North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign](https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/) | [:closed_book:](../../blob/master/2018/2018.01.16.north-korea-cryptocurrency-campaign)
* Jan 16 - [[CISCO] Korea In The Crosshairs](http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html) | [:closed_book:](../../blob/master/2018/2018.01.16.korea-in-crosshairs)
* Jan 15 - [[Trend Micro] New KillDisk Variant Hits Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/) | [:closed_book:](../../blob/master/2018/2018.01.15.new-killdisk-variant-hits-financial-organizations-in-latin-america)
* Jan 12 - [[Trend Micro] Update on Pawn Storm: New Targets and Politically Motivated Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork) | [:closed_book:](../../blob/master/2018/2018.01.12.update-pawn-storm-new-targets-politically)
* Jan 11 - [[McAfee] North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk](https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalists-targeted-using-social-networks-kakaotalk/) | [:closed_book:](../../blob/master/2018/2018.01.11.North_Korean_Defectors_and_Journalists_Targeted)
* Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [:closed_book:](../../blob/master/2018/2018.01.09.Turla_Mosquito)
* Jan 07 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/dustysky/) | [:closed_book:](../../blob/master/2018/2018.01.07.Operation_DustySky)
* Dec 19 - [[Proofpoint] North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group](https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new) | [:closed_book:](../../blob/master/2017/2017.12.19.North_Korea_Bitten_by_Bitcoin_Bug)
* Dec 17 - [[McAfee] Operation Dragonfly Analysis Suggests Links to Earlier Attacks](https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/) | [:closed_book:](../../blob/master/2017/2017.12.17.operation-dragonfly-analysis-suggests-links-to-earlier-attacks)
* Dec 14 - [[FireEye] Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure](https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html) | [:closed_book:](../../blob/master/2017/2017.12.14.attackers-deploy-new-ics-attack-framework-triton)
* Dec 11 - [[Group-IB] MoneyTaker, revealed after 1.5 years of silent operations.](https://www.group-ib.com/resources/reports/money-taker.html) | [:closed_book:](../../blob/master/2017/2017.12.11.MoneyTaker)
* Dec 11 - [[Trend Micro] Untangling the Patchwork Cyberespionage Group](http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/) | [:closed_book:](../../blob/master/2017/2017.12.11.Patchwork_APT)
* Dec 07 - [[FireEye] New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit](https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html) | [:closed_book:](../../blob/master/2017/2017.12.07.New_Targeted_Attack_in_the_Middle_East_by_APT34)
* Dec 05 - [[ClearSky] Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets – And the HBO Hacker Connection](http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf) | [:closed_book:](../../blob/master/2017/2017.12.05.Charming_Kitten)
* Dec 04 - [[RSA] The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion](https://community.rsa.com/community/products/netwitness/blog/2017/12/04/anatomy-of-an-attack-carbanak) | [:closed_book:](../../blob/master/2017/2017.12.04.The_Shadows_of_Ghosts)
* Nov 22 - [[REAQTA] A dive into MuddyWater APT targeting Middle-East](https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/) | [:closed_book:](../../blob/master/2017/2017.11.22.MuddyWater_APT)
* Nov 14 - [[Palo Alto Networks] Muddying the Water: Targeted Attacks in the Middle East](https://researchcenter.paloaltonetworks.com/2017/11/2017.11.14.Muddying_the_Water) | [:closed_book:](../../blob/master/2017/2017.11.14.Muddying_the_Water)
* Nov 10 - [[Palo Alto Networks] New Malware with Ties to SunOrcal Discovered](https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/) | [:closed_book:](../../blob/master/2017/2017.11.10.New_Malware_with_Ties_to_SunOrcal_Discovered)
* Nov 07 - [[McAfee] Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack](https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/#sf151634298) | [:closed_book:](../../blob/master/2017/2017.11.07.APT28_Slips_Office_Malware)
* Nov 07 - [[Symantec] Sowbug: Cyber espionage group targets South American and Southeast Asian governments](https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments) | [:closed_book:](../../blob/master/2017/2017.11.07.sowbug-cyber-espionage-group-targets)
* Nov 06 - [[Trend Micro] ChessMaster’s New Strategy: Evolving Tools and Tactics](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) | [:closed_book:](../../blob/master/2017/2017.11.06.ChessMaster_New_Strategy)
* Nov 06 - [[Volexity] OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/) | [:closed_book:](../../blob/master/2017/2017.11.06.oceanlotus-blossomsk)
* Nov 02 - [[Palo Alto Networks] Recent InPage Exploits Lead to Multiple Malware Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/) | [:closed_book:](../../blob/master/2017/2017.11.02.InPage_Exploits)
* Nov 02 - [[PwC] The KeyBoys are back in town](http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html) | [:closed_book:](../../blob/master/2017/2017.11.02.KeyBoys_are_back)
* Nov 02 - [[Clearsky] LeetMX – a Yearlong Cyber-Attack Campaign Against Targets in Latin America](http://www.clearskysec.com/leetmx/) | [:closed_book:](../../blob/master/2017/2017.11.02.LeetMX)
* Nov 02 - [[RISKIQ] New Insights into Energetic Bear’s Watering Hole Attacks on Turkish Critical Infrastructure](https://www.riskiq.com/blog/labs/energetic-bear/) | [:closed_book:](../../blob/master/2017/2017.11.02.Energetic_Bear_on_Turkish_Critical_Infrastructure)
* Oct 31 - [[Cybereason] Night of the Devil: Ransomware or wiper? A look into targeted attacks in Japan using MBR-ONI](https://www.cybereason.com/blog/night-of-the-devil-ransomware-or-wiper-a-look-into-targeted-attacks-in-japan) | [:closed_book:](../../blob/master/2017/2017.10.31.MBR-ONI.Japan)
* Oct 30 - [[Kaspersky] Gaza Cybergang – updated activity in 2017](https://securelist.com/gaza-cybergang-updated-2017-activity/82765/) | [:closed_book:](../../blob/master/2017/2017.10.30.Gaza_Cybergang)
* Oct 27 - [[Bellingcat] Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia](https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/) | [:closed_book:](../../blob/master/2017/2017.10.27.bahamut-revisited)
* Oct 24 - [[ClearSky] Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies](http://www.clearskysec.com/greenbug/) | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 19 - [[Bitdefender] Operation PZCHAO](https://download.bitdefender.com/resources/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf) | [:closed_book:](../../blob/master/2017/2017.10.19.Operation_PZCHAO)
* Oct 16 - [[BAE Systems] Taiwan Heist: Lazarus Tools And Ransomware](https://baesystemsai.blogspot.kr/2017/10/taiwan-heist-lazarus-tools.html) | [:closed_book:](../../blob/master/2017/2017.10.16.Taiwan-Heist)
* Oct 16 - [[Kaspersky] BlackOasis APT and new targeted attacks leveraging zero-day exploit](https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/) | [:closed_book:](../../blob/master/2017/2017.10.16.BlackOasis_APT)
* OCt 16 - [[Proofpoint] Leviathan: Espionage actor spearphishes maritime and defense targets](https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets) | [:closed_book:](../../blob/master/2017/2017.10.16.Leviathan)
* Oct 12 - [[Dell] BRONZE BUTLER Targets Japanese Enterprises](https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses) | [:closed_book:](../../blob/master/2017/2017.10.12.BRONZE_BUTLER)
* Oct 10 - [[Trustwave] Post Soviet Bank Heists](https://www.trustwave.com/Resources/Library/Documents/Post-Soviet-Bank-Heists/) | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 02 - [[intezer] Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers]() | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Sep 28 - [[Palo Alto Networks] Threat Actors Target Government of Belarus Using CMSTAR Trojan](https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/) | [:closed_book:](../../blob/master/2017/2017.09.28.Belarus_CMSTAR_Trojan)
* Sep 20 - [[intezer] Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner](http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/) | [:closed_book:](../../blob/master/2017/2017.09.20.Aurora_Operation_CCleaner)
* Sep 20 - [[FireEye] Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware](https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html) | [:closed_book:](../../blob/master/2017/2017.09.20.apt33-insights-into-iranian-cyber-espionage)
* Sep 20 - [[CISCO] CCleaner Command and Control Causes Concern](http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) | [:closed_book:](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[CISCO] CCleanup: A Vast Number of Machines at Risk](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | [:closed_book:](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[Kaspersky] An (un)documented Word feature abused by attackers](https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/)| [:closed_book:](../../blob/master/2017/2017.09.18.Windows_branch_of_the_Cloud_Atlas)
* Sep 12 - [[FireEye] FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html) | [:closed_book:](../../blob/master/2017/2017.09.12.FINSPY_CVE-2017-8759)
* Sep 06 - [[Symantec] Dragonfly: Western energy sector targeted by sophisticated attack group](https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group) | [:closed_book:](../../blob/master/2017/2017.09.06.dragonfly-western-energy-sector-targeted-sophisticated-attack-group)
* Sep 06 - [[Treadstone 71] Intelligence Games in the Power Grid](https://treadstone71llc.files.wordpress.com/2017/09/intelligence-games-in-the-power-grid-2016.pdf) | [:closed_book:](../../blob/master/2017/2017.09.06.intelligence-games-in-the-power-grid-2016)
* Aug 30 - [[ESET] Gazing at Gazer: Turla’s new second stage backdoor](https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/) | [:closed_book:](../../blob/master/2017/2017.08.30.Gazing_at_Gazer)
* Aug 30 - [[Kaspersky] Introducing WhiteBear](https://securelist.com/introducing-whitebear/81638/) | [:closed_book:](../../blob/master/2017/2017.08.30.Introducing_WhiteBear)
* Aug 25 - [[Proofpoint] Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures](https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures) | [:closed_book:](../../blob/master/2017/2017.08.25.operation-rat-cook)
* Aug 18 - [[RSA] Russian Bank Offices Hit with Broad Phishing Wave](https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-bank-offices-hit-with-broad-phishing-wave) | [:closed_book:](../../blob/master/2017/2017.08.18.Russian_Bank_Offices_Hit)
* Aug 17 - [[Proofpoint] Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack](https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack) | [:closed_book:](../../blob/master/2017/2017.08.17.turla-apt-actor-refreshes-kopiluwak-javascript-backdoor)
* Aug 15 - [[Palo Alto Networks] The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure](https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/) | [:closed_book:](../../blob/master/2017/2017.08.15.Notepad_and_Chthonic)
* Aug 11 - [[FireEye] APT28 Targets Hospitality Sector, Presents Threat to Travelers](https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html) | [:closed_book:](../../blob/master/2017/2017.08.11.apt28-targets-hospitality-sector)
* Aug 01 - [[Positive Research] Cobalt strikes back: an evolving multinational threat to finance](http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.html) | [:closed_book:](../../blob/master/2017/2017.08.01.cobalt-group-2017-cobalt-strikes-back)
* Jul 27 - [[Trend Micro] ChessMaster Makes its Move: A Look into the Campaign’s Cyberespionage Arsenal](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) | [:closed_book:](../../blob/master/2017/2017.07.27.chessmaster-cyber-espionage-campaign)
* Jul 05 - [[Citizen Lab] Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | [:closed_book:](../../blob/master/2017/2017.07.05.insider-information)
* Jun 30 - [[ESET] TeleBots are back: supply-chain attacks against Ukraine](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/) | [:closed_book:](../../blob/master/2017/2017.06.30.telebots-back-supply-chain)
* Jun 30 - [[Kaspersky] From BlackEnergy to ExPetr](https://securelist.com/from-blackenergy-to-expetr/78937/) | [:closed_book:](../../blob/master/2017/2017.06.30.From_BlackEnergy_to_ExPetr)
* Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [:closed_book:](../../blob/master/2017/2017.06.26.Threat_Group-4127)
* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [:closed_book:](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)
* Jun 22 - [[Trend Micro] Following the Trail of BlackTech’s Cyber Espionage Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/) | [:closed_book:](../../blob/master/2017/2017.06.22.following-trail-blacktech-cyber-espionage-campaigns)
* Jun 18 - [[Palo Alto Networks] APT3 Uncovered: The code evolution of Pirpi](https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf) | [:closed_book:](../../blob/master/2017/2017.06.18.APT3_Uncovered_The_code_evolution_of_Pirpi)
* Jun 15 - [[Recorded Future] North Korea Is Not Crazy](https://www.recordedfuture.com/north-korea-cyber-activity/) | [:closed_book:](../../blob/master/2017/2017.06.15.north-korea-cyber-activity)
* Jun 14 - [[ThreatConnect] KASPERAGENT Malware Campaign resurfaces in the run up to May Palestinian Authority Elections](https://www.threatconnect.com/blog/kasperagent-malware-campaign/) | [:closed_book:](../../blob/master/2017/2017.06.14.KASPERAGENT)
* Jun 13 - [[US-CERT] HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure](https://www.us-cert.gov/ncas/alerts/TA17-164A) | [:closed_book:](../../blob/master/2017/2017.06.13.HIDDEN_COBRA)
* Jun 12 - [[Dragos] CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations](https://dragos.com/blog/crashoverride/CrashOverride-01.pdf) | [:closed_book:](../../blob/master/2017/2017.06.12.CRASHOVERRIDE)
* Jun 12 - [[ESET] WIN32/INDUSTROYER A new threat for industrial control systems](https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf) | [:closed_book:](../../blob/master/2017/2017.06.12.INDUSTROYER)
* May 30 - [[Group-IB] Lazarus Arisen: Architecture, Techniques and Attribution](http://www.group-ib.com/lazarus.html) | [:closed_book:](../../blob/master/2017/2017.05.30.Lazarus_Arisen)
* May 24 - [[Cybereason] OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP](https://www.cybereason.com/blog/operation-cobalt-kitty-apt) | [:closed_book:](../../blob/master/2017/2017.05.24.OPERATION_COBALT_KITTY)
* May 14 - [[FireEye] Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations](https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html) | [:closed_book:](../../blob/master/2017/2017.05.14.cyber-espionage-apt32)
* May 03 - [[Palo Alto Networks] Kazuar: Multiplatform Espionage Backdoor with API Access](http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-acces) | [:closed_book:](../../blob/master/2017/2017.05.03.kazuar-multiplatform-espionage-backdoor-api-access)
* May 03 - [[CISCO] KONNI: A Malware Under The Radar For Years](http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html) | [:closed_book:](../../blob/master/2017/konni-malware-under-radar-for-years)
* Apr 10 - [[Symantec] Longhorn: Tools used by cyberespionage group linked to Vault 7](https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7) | [:closed_book:](../../blob/master/2017/2017.04.10_Longhorn)
* Apr 05 - [[Palo Alto Networks, Clearsky] Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA](https://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/) | [:closed_book:](../../blob/master/2017/2017.04.05.KASPERAGENT_and_MICROPSIA)
* Mar 15 - [[JPCERT] FHAPPI Campaign](http://blog.0day.jp/p/english-report-of-fhappi-freehosting.html) | [:closed_book:](../../blob/master/2017/2017.03.15.FHAPPI_Campaign)
* Mar 14 - [[Clearsky] Operation Electric Powder – Who is targeting Israel Electric Company?](http://www.clearskysec.com/iec/) | [:closed_book:](../../blob/master/2017/2017.03.14.Operation_Electric_Powder)
* Mar 08 - [[Netskope] Targeted Attack Campaigns with Multi-Variate Malware Observed in the Cloud](https://www.netskope.com/blog/targeted-attack-campaigns-multi-variate-malware-observed-cloud) | [:closed_book:](../../blob/master/2017/2017.03.08.Targeted_Attack_Campaigns)
* Mar 06 - [[Kaspersky] From Shamoon to StoneDrill](https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/) | [:closed_book:](../../blob/master/2017/2017.03.06.from-shamoon-to-stonedrill)
* Feb 28 - [[IBM] Dridex’s Cold War: Enter AtomBombing](https://securityintelligence.com/dridexs-cold-war-enter-atombombing/) | [:closed_book:](../../blob/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing)
* Feb 27 - [[Palo Alto Networks] The Gamaredon Group Toolset Evolution](http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/) | [:closed_book:](../../blob/master/2017/2017.02.27.gamaredon-group-toolset-evolution/)
* Feb 23 - [[Bitdefender] Dissecting the APT28 Mac OS X Payload](https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf) | [:closed_book:](../../blob/master/2017/2017.02.23.APT28_Mac_OS_X_Payload)
* Feb 22 - [[FireEye] Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government](https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html) | [:closed_book:](../../blob/master/2017/2017.02.22.Spear_Phishing_Mongolian_Government)
* Feb 21 - [[Arbor] Additional Insights on Shamoon2](https://www.arbornetworks.com/blog/asert/additional-insights-on-shamoon2/) | [:closed_book:](../../blob/master/2017/2017.02.21.Additional_Insights_on_Shamoon2)
* Feb 20 - [[BAE Systems] azarus' False Flag Malware](http://baesystemsai.blogspot.tw/2017/02/lazarus-false-flag-malware.html) | [:closed_book:](../../blob/master/2017/2017.02.20.Lazarus_False_Flag_Malware)
* Feb 17 - [[JPCERT] ChChes - Malware that Communicates with C&C Servers Using Cookie Headers](http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html) | [:closed_book:](../../blob/master/2017/2017.02.17.chches-malware)
* Feb 16 - [[BadCyber] Technical analysis of recent attacks against Polish banks](https://badcyber.com/technical-analysis-of-recent-attacks-against-polish-banks/) | [:closed_book:](../../blob/master/2017/2017.02.16.Technical_analysis_Polish_banks)
* Feb 15 - [[Morphick] Deep Dive On The DragonOK Rambo Backdoor](http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor) | [:closed_book:](../../blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor)
* Feb 15 - [[IBM] The Full Shamoon: How the Devastating Malware Was Inserted Into Networks](https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/) | [:closed_book:](../../blob/master/2017/2017.02.15.the-full-shamoon)
* Feb 15 - [[Palo Alto Networks] Magic Hound Campaign Attacks Saudi Targets](http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/) | [:closed_book:](../../blob/master/2017/2017.02.15.magic-hound-campaign)
* Feb 14 - [[Medium] Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal](https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852#.cly4mg1g8) | [:closed_book:](../../blob/master/2017/2017.02.14.Operation_Kingphish)
* Feb 10 - [[Cysinfo] Cyber Attack Targeting Indian Navy's Submarine And Warship Manufacturer](https://cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/) | [:closed_book:](../../blob/master/2017/2017.02.10.cyber-attack-targeting-indian-navys-submarine-warship-manufacturer)
* Feb 10 - [[DHS] Enhanced Analysis of GRIZZLY STEPPE Activity](https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf) | [:closed_book:](../../blob/master/2017/2017.02.10.Enhanced_Analysis_of_GRIZZLY_STEPPE)
* Feb 03 - [[RSA] KingSlayer A Supply chain attack](https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf) | [:closed_book:](../../blob/master/2017/2017.02.03.kingslayer-a-supply-chain-attack)
* Feb 03 - [[BadCyber] Several Polish banks hacked, information stolen by unknown attackers](https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/) | [:closed_book:](../../blob/master/2017/2017.02.03.several-polish-banks-hacked)
* Feb 02 - [[Proofpoint] Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx) | [:closed_book:](../../blob/master/2017/2017.02.02.APT_Targets_Russia_and_Belarus_with_ZeroT_and_PlugX)
* Jan 30 - [[Palo Alto Networks] Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments](http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/) | [:closed_book:](../../blob/master/2017/2017.01.30.downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments)
* Jan 25 - [[Microsoft] Detecting threat actors in recent German industrial attacks with Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc) | [:closed_book:](../../blob/master/2017/2017.01.25.german-industrial-attacks)
* Jan 19 - [[Cysinfo] URI Terror Attack & Kashmir Protest Themed Spear Phishing Emails Targeting Indian Embassies And Indian Ministry Of External Affairs](https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/) | [:closed_book:](../../blob/master/2017/2017.01.19.uri-terror-attack)
* Jan 18 - [[Trustwave] Operation Grand Mars: Defending Against Carbanak Cyber Attacks](https://www.trustwave.com/Resources/Library/Documents/Operation-Grand-Mars--Defending-Against-Carbanak-Cyber-Attacks/) | [:closed_book:](../../blob/master/2017/2017.01.18.Operation-Grand-Mars)
* Jan 15 - [[tr1adx] Bear Spotting Vol. 1: Russian Nation State Targeting of Government and Military Interests](https://www.tr1adx.net/intel/TIB-00003.html) | [:closed_book:](../../blob/master/2017/2017.01.15.Bear_Spotting_Vol.1)
* Jan 12 - [[Kaspersky] The “EyePyramid” attacks](https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/) | [:closed_book:](../../blob/master/2017/2017.01.12.EyePyramid.attacks)
* Jan 11 - [[FireEye] APT28: AT THE CENTER OF THE STORM](https://www.fireeye.com/blog/threat-research/2017/01/apt28_at_the_center.html) | [:closed_book:](../../blob/master/2017/2017.01.11.apt28_at_the_center)
* Jan 09 - [[Palo Alto Networks] Second Wave of Shamoon 2 Attacks Identified](http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/) | [:closed_book:](../../blob/master/2017/2017.01.09.second-wave-shamoon-2-attacks-identified)
* Jan 05 - [[Clearsky] Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford](http://www.clearskysec.com/oilrig/) | [:closed_book:](../../blob/master/2017/2017.01.05.Iranian_Threat_Agent_OilRig)
* Dec 15 - [[Microsoft] PROMETHIUM and NEODYMIUM APT groups on Turkish citizens living in Turkey and various other European countries.](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf) | [:closed_book:](../../blob/master/2016/2016.12.15.PROMETHIUM_and_NEODYMIUM)
* Dec 13 - [[ESET] The rise of TeleBots: Analyzing disruptive KillDisk attacks](http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/) | [:closed_book:](../../blob/master/2016/2016.12.13.rise-telebots-analyzing-disruptive-killdisk-attacks)
* Nov 30 - [[Cysinfo] MALWARE ACTORS USING NIC CYBER SECURITY THEMED SPEAR PHISHING TO TARGET INDIAN GOVERNMENT ORGANIZATIONS](https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/) | [:closed_book:](../../blob/master/2016/2016.11.30.nic-cyber-security-themed)
* Nov 22 - [[Palo Alto Networks] Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy](http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/) | [:closed_book:](../../blob/master/2016/2016.11.22.tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy)
* Nov 09 - [[Fidelis] Down the H-W0rm Hole with Houdini's RAT](https://www.fidelissecurity.com/threatgeek/2016/11/down-h-w0rm-hole-houdinis-rat) | [:closed_book:](../../blob/master/2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat)
* Nov 03 - [[Booz Allen] When The Lights Went Out: Ukraine Cybersecurity Threat Briefing](http://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf) | [:closed_book:](../../blob/master/2016/2016.11.03.Ukraine_Cybersecurity_Threat_Briefing)
* Oct 31 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [:closed_book:](../../blob/master/2016/2016.10.31.Emissary_Trojan_Changelog)
* Oct 27 - [[ESET] En Route with Sednit Part 3: A Mysterious Downloader](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf) | [:closed_book:](../../blob/master/2016/2016.10.27.En_Route_Part3)
* Oct 27 - [[Trend Micro] BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List](http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/) | [:closed_book:](../../blob/master/2016/2016.10.27.BLACKGEAR_Espionage_Campaign_Evolves)
* Oct 26 - [[Vectra Networks] Moonlight – Targeted attacks in the Middle East](http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks) | [:closed_book:](../../blob/master/2016/2016.10.26.Moonlight_Middle_East)
* Oct 25 - [[ESET] En Route with Sednit Part 2: Lifting the lid on Sednit: A closer look at the software it uses](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf) | [:closed_book:](../../blob/master/2016/2016.10.25.Lifting_the_lid_on_Sednit)
* Oct 20 - [[ESET] En Route with Sednit Part 1: Approaching the Target](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf) | [:closed_book:](../../blob/master/2016/2016.10.20.En_Route_with_Sednit)
* Oct 17 - [[ThreatConnect] ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence? ](https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/) | [:closed_book:](../../blob/master/2016/2016.10.16.A_Tale_of_Two_Targets)
* Oct 05 - [[Kaspersky] Wave your false flags](https://securelist.com/files/2016/10/Bartholomew-GuerreroSaade-VB2016.pdf) | [:closed_book:](../../blob/master/2016/2016.10.05_Wave_Your_False_flag)
* Oct 03 - [[Kaspersky] On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users](https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/) | [:closed_book:](../../blob/master/2016/2016.10.03.StrongPity)
* Sep 29 - [[NATO CCD COE] China and Cyber: Attitudes, Strategies, Organisation](https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_CHINA_092016.pdf) | [:closed_book:](../../blob/master/2016/2016.09.29.China_and_Cyber_Attitudes_Strategies_Organisation)
* Sep 28 - [[Palo Alto Networks] Confucius Says…Malware Families Get Further By Abusing Legitimate Websites](https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/) | [:closed_book:](../../blob/master/2016/2016.09.28.Confucius_Says)
* Sep 14 - [[Palo Alto Networks] MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies](http://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/) | [:closed_book:](../../blob/master/2016/2016.09.14.MILE_TEA)
* Sep 06 - [[Symantec] Buckeye cyberespionage group shifts gaze from US to Hong Kong](http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong) | [:closed_book:](../../blob/master/2016/2016.09.06.buckeye-cyberespionage-group-shifts-gaze-us-hong-kong)
* Sep 01 - [[IRAN THREATS] MALWARE POSING AS HUMAN RIGHTS ORGANIZATIONS AND COMMERCIAL SOFTWARE TARGETING IRANIANS, FOREIGN POLICY INSTITUTIONS AND MIDDLE EASTERN COUNTRIES](https://iranthreats.github.io/resources/human-rights-impersonation-malware/) | [:closed_book:](../../blob/master/2016/2016.09.01.human-rights-impersonation-malware)
* Aug 25 - [[Lookout] Technical Analysis of Pegasus Spyware](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf) | [:closed_book:](../../blob/master/2016/2016.08.25.lookout-pegasus-technical-analysis)
* Aug 24 - [[Citizen Lab] The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/) | [:closed_book:](../../blob/master/2016/2016.08.24.million-dollar-dissident-iphone-zero-day-nso-group-uae)
* Aug 19 - [[ThreatConnect] Russian Cyber Operations on Steroids](https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/) | [:closed_book:](../../blob/master/2016/2016.08.19.fancy-bear-anti-doping-agency-phishing)
* Aug 17 - [[Kaspersky] Operation Ghoul: targeted attacks on industrial and engineering organizations](https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/) | [:closed_book:](../../blob/master/2016/2016.08.17_operation-ghoul)
* Aug 16 - [[Palo Alto Networks] Aveo Malware Family Targets Japanese Speaking Users](http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/) | [:closed_book:](../../blob/master/2016/2016.08.16.aveo-malware-family-targets-japanese)
* Aug 11 - [[IRAN THREATS] Iran and the Soft War for Internet Dominance](https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf) | [:closed_book:](../../blob/master/2016/2016.08.11.Iran-And-The-Soft-War-For-Internet-Dominance)
* Aug 08 - [[Forcepoint] MONSOON](https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign) | [:closed_book:](../../blob/master/2016/2016.08.08.monsoon-analysis-apt-campaign)
* Aug 08 - [[Kaspersky] ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms](https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/) | [:closed_book:](../../blob/master/2016/2016.08.08.ProjectSauron)
* Aug 07 - [[Symantec] Strider: Cyberespionage group turns eye of Sauron on targets](http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets) | [:closed_book:](../../blob/master/2016/2016.08.07.Strider_Cyberespionage_group_turns_eye_of_Sauron_on_targets)
* Aug 06 - [[360] APT-C-09](http://www.nsoad.com/Article/Network-security/20160806/269.html) | [:closed_book:](../../blob/master/2016/2016.08.06.APT-C-09)
* Aug 04 - [[Recorded Future] Running for Office: Russian APT Toolkits Revealed](https://www.recordedfuture.com/russian-apt-toolkits/) | [:closed_book:](../../blob/master/2016/2016.08.04.russian-apt-toolkits)
* Aug 03 - [[EFF] Operation Manul: I Got a Letter From the Government the Other Day...Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan](https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf) | [:closed_book:](../../blob/master/2016/2016.08.03.i-got-a-letter-from-the-government)
* Aug 02 - [[Citizen Lab] Group5: Syria and the Iranian Connection](https://citizenlab.org/2016/08/group5-syria/) | [:closed_book:](../../blob/master/2016/2016.08.02.group5-syria)
* Jul 26 - [[Palo Alto Networks] Attack Delivers ‘9002’ Trojan Through Google Drive](http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/) | [:closed_book:](../../blob/master/2016/2016.07.26.Attack_Delivers_9002_Trojan_Through_Google_Drive)
* Jul 21 - [[360] Sphinx (APT-C-15) Targeted cyber-attack in the Middle East](https://ti.360.com/upload/report/file/rmsxden20160721.pdf) | [:closed_book:](../../blob/master/2016/2016.07.21.Sphinx_Targeted_cyber-attack_in_the_Middle_East)
* Jul 21 - [[RSA] Hide and Seek: How Threat Actors Respond in the Face of Public Exposure](https://www.rsaconference.com/writable/presentations/file_upload/tta1-f04_hide-and-seek-how-threat-actors-respond-in-the-face-of-public-exposure.pdf) | [:closed_book:](../../blob/master/2016/2016.07.21.Hide_and_Seek)
* Jul 13 - [[SentinelOne] State-Sponsored SCADA Malware targeting European Energy Companies](https://sentinelone.com/blogs/sfg-furtims-parent/) | [:closed_book:](../../blob/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies)
* Jul 12 - [[F-SECURE] NanHaiShu: RATing the South China Sea](https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf) | [:closed_book:](../../blob/master/2016/2016.07.12.NanHaiShu_RATing_the_South_China_Sea)
* Jul 08 - [[Kaspersky] The Dropping Elephant – aggressive cyber-espionage in the Asian region](https://securelist.com/blog/research/75328/the-dropping-elephant-actor/) | [:closed_book:](../../blob/master/2016/2016.07.08.The_Dropping_Elephant)
* Jul 01 - [[ESET] Espionage toolkit targeting Central and Eastern Europe uncovered](http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eastern-europe-uncovered/) | [:closed_book:](../../blob/master/2016/2016.07.01.SBDH_toolkit_targeting_Central_and_Eastern_Europe)
* Jun 30 - [[JPCERT] Asruex: Malware Infecting through Shortcut Files](http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html) | [:closed_book:](../../blob/master/2016/2016.06.30.Asruex)
* Jun 29 - [[Proofpoint] MONSOON – ANALYSIS OF AN APT CAMPAIGN](https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf) | [:closed_book:](../../blob/master/2016/2016.06.29.MonSoon)
* Jun 28 - [[Palo Alto Networks] Prince of Persia – Game Over](http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/) | [:closed_book:](../../blob/master/2016/2016.06.28.prince-of-persia-game-over)
* Jun 28 - [[JPCERT] (Japan)Attack Tool Investigation](https://www.jpcert.or.jp/research/20160628ac-ir_research.pdf) | [:closed_book:](../../blob/master/2016/2016.06.28.Attack_Tool_Investigation)
* Jun 26 - [[Trend Micro] The State of the ESILE/Lotus Blossom Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the-esilelotus-blossom-campaign/) | [:closed_book:](../../blob/master/2016/2016.06.26.The_State_of_the_ESILE_Lotus_Blossom_Campaign)
* Jun 26 - [[Cylance] Nigerian Cybercriminals Target High-Impact Industries in India via Pony](https://blog.cylance.com/threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony) | [:closed_book:](../../blob/master/2016/2016.06.26.Nigerian_Cybercriminals_Target_High_Impact_Industries_in_India)
* Jun 23 - [[Palo Alto Networks] Tracking Elirks Variants in Japan: Similarities to Previous Attacks](http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/) | [:closed_book:](../../blob/master/2016/2016.06.23.Tracking_Elirks_Variants_in_Japan)
* Jun 21 - [[Fortinet] The Curious Case of an Unknown Trojan Targeting German-Speaking Users](https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users) | [:closed_book:](../../blob/master/2016/2016.06.21.Unknown_Trojan_Targeting_German_Speaking_Users)
* Jun 21 - [[FireEye] Redline Drawn: China Recalculates Its Use of Cyber Espionage]( https://www.fireeye.com/content/dam/FireEye-www/current-threats/pdfs/rpt-china-espionage.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.Redline_Drawn_China_Recalculates_Its_Use_of_Cyber_Espionage)
* Jun 21 - [[ESET] Visiting The Bear Den](http://www.welivesecurity.com/wp-content/uploads/2016/06/visiting_the_bear_den_recon_2016_calvet_campos_dupuy-1.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.visiting_the_bear_den_recon_2016_calvet_campos_dupuy)
* Jun 17 - [[Kaspersky] Operation Daybreak](https://securelist.com/operation-daybreak/75100/) | [:closed_book:](../../blob/master/2016/2016.06.17.Operation_Daybreak)
* Jun 16 - [[Dell] Threat Group-4127 Targets Hillary Clinton Presidential Campaign](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) | [:closed_book:](../../blob/master/2016/2016.06.16.DNC)
* Jun 15 - [[CrowdStrike] Bears in the Midst: Intrusion into the Democratic National Committee](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) | [:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 09 - [[Clearsky] Operation DustySky Part 2](http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf) | [:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 02 - [[Trend Micro] FastPOS: Quick and Easy Credit Card Theft](http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf) | [:closed_book:](../../blob/master/2016/2016.06.02.fastpos-quick-and-easy-credit-card-theft/)
* May 27 - [[Trend Micro] IXESHE Derivative IHEATE Targets Users in America](http://blog.trendmicro.com/trendlabs-security-intelligence/ixeshe-derivative-iheate-targets-users-america/) | [:closed_book:](../../blob/master/2016/2016.05.27.IXESHE_Derivative_IHEATE_Targets_Users_in_America/)
* May 26 - [[Palo Alto Networks] The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) | [:closed_book:](../../blob/master/2016/2016.05.26.OilRig_Campaign/)
* May 25 - [[Kaspersky] CVE-2015-2545: overview of current threats](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/) | [:closed_book:](../../blob/master/2016/2016.05.25.CVE-2015-2545/)
* May 24 - [[Palo Alto Networks] New Wekby Attacks Use DNS Requests As Command and Control Mechanism](http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/) | [:closed_book:](../../blob/master/2016/2016.05.24.New_Wekby_Attacks)
* May 23 - [[MELANI:GovCERT] APT Case RUAG Technical Report](https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf) | [:closed_book:](../../blob/master/2016/2016.05.23.APT_Case_RUAG)
* May 22 - [[FireEye] TARGETED ATTACKS AGAINST BANKS IN THE MIDDLE EAST](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) | [:closed_book:](../../blob/master/2016/2016.05.22.Targeted_Attacks_Against_Banks_in_Middle_East)
* May 22 - [[Palo Alto Networks] Operation Ke3chang Resurfaces With New TidePool Malware](http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/) | [:closed_book:](../../blob/master/2016/2016.05.22.Operation_Ke3chang_Resurfaces_With_New_TidePool_Malware/)
* May 18 - [[ESET] Operation Groundbait: Analysis of a surveillance toolkit](http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf) | [:closed_book:](../../blob/master/2016/2016.05.18.Operation_Groundbait/)
* May 17 - [[FOX-IT] Mofang: A politically motivated information stealing adversary](https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf) | [:closed_book:](../../blob/master/2016/2016.05.17.Mofang)
* May 17 - [[Symantec] Indian organizations targeted in Suckfly attacks](http://www.symantec.com/connect/ko/blogs/indian-organizations-targeted-suckfly-attacks) | [:closed_book:](../../blob/master/2016/2016.05.17.Indian_organizations_targeted_in_Suckfly_attacks/)
* May 10 - [[Trend Micro] Backdoor as a Software Suite: How TinyLoader Distributes and Upgrades PoS Threats](http://blog.trendmicro.com/trendlabs-security-intelligence/how-tinyloader-distributes-and-upgrades-pos-threats/) | [paper](http://documents.trendmicro.com/assets/tinypos-abaddonpos-ties-to-tinyloader.pdf) | [:closed_book:](../../blob/master/2016/2016.05.10.tinyPOS_tinyloader/)
* May 09 - [[CMU SEI] Using Honeynets and the Diamond Model for ICS Threat Analysis](http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454247.pdf) | [:closed_book:](../../blob/master/2016/2016.05.09_ICS_Threat_Analysis/)
* May 06 - [[PwC] Exploring CVE-2015-2545 and its users](http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html) | [:closed_book:](../../blob/master/2016/2016.05.06_Exploring_CVE-2015-2545/)
* May 05 - [[Forcepoint] Jaku: an on-going botnet campaign](https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf) | [:closed_book:](../../blob/master/2016/2016.05.05_Jaku_botnet_campaign/)
* May 02 - [[Team Cymru] GOZNYM MALWARE target US, AT, DE ](https://blog.team-cymru.org/2016/05/goznym-malware/) | [:closed_book:](../../blob/master/2016/2016.05.02.GOZNYM_MALWARE)
* May 02 - [[Palo Alto Networks] Prince of Persia: Infy Malware Active In Decade of Targeted Attacks](http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/) | [:closed_book:](../../blob/master/2016/2016.05.02.Prince_of_Persia_Infy_Malware/)
* Apr 27 - [[Kaspersky] Repackaging Open Source BeEF for Tracking and More](https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/) | [:closed_book:](../../blob/master/2016/2016.04.27.Repackaging_Open_Source_BeEF)
* Apr 26 - [[Financial Times] Cyber warfare: Iran opens a new front](http://www.ft.com/intl/cms/s/0/15e1acf0-0a47-11e6-b0f1-61f222853ff3.html#axzz478cZz3ao) | [:closed_book:](../../blob/master/2016/2016.04.26.Iran_Opens_a_New_Front/)
* Apr 26 - [[Arbor] New Poison Ivy Activity Targeting Myanmar, Asian Countries](https://www.arbornetworks.com/blog/asert/recent-poison-iv/) | [:closed_book:](../../blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/)
* Apr 22 - [[Cylance] The Ghost Dragon](https://blog.cylance.com/the-ghost-dragon) | [:closed_book:](../../blob/master/2016/2016.04.22.the-ghost-dragon)
* Apr 21 - [[SentinelOne] Teaching an old RAT new tricks](https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/) | [:closed_book:](../../blob/master/2016/2016.04.21.Teaching_an_old_RAT_new_tricks/)
* Apr 21 - [[Palo Alto Networks] New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists](http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/) | [:closed_book:](../../blob/master/2016/2016.04.21.New_Poison_Ivy_RAT_Variant_Targets_Hong_Kong/)
* Apr 18 - [[Citizen Lab] Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns](https://citizenlab.org/2016/04/between-hong-kong-and-burma/) | [:closed_book:](../../blob/master/2016/2016.04.18.UP007/)
* Apr 15 - [[SANS] Detecting and Responding Pandas and Bears](http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf) | [:closed_book:](../../blob/master/2016/2016.04.15.pandas_and_bears/)
* Apr 12 - [[Microsoft] PLATINUM: Targeted attacks in South and Southeast Asia](http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf) | [:closed_book:](../../blob/master/2016/2016.04.12.PLATINUM_Targeted_attacks_in_South_and_Southeast_Asia/)
* Mar 25 - [[Palo Alto Networks] ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe](http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/?utm_medium=email&utm_source=Adobe%20Campaign&utm_campaign=Unit%2042%20Blog%20Updates%2031Mar16) | [:closed_book:](../../blob/master/2016/2016.03.25.ProjectM/)
* Mar 23 - [[Trend Micro] Operation C-Major: Information Theft Campaign Targets Military Personnel in India](http://blog.trendmicro.com/trendlabs-security-intelligence/indian-military-personnel-targeted-by-information-theft-campaign/) | [:closed_book:](../../blob/master/2016/2016.03.23.Operation_C_Major/)
* Mar 18 - [[SANS] Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf) | [:closed_book:](../../blob/master/2016/2016.03.18.Analysis_of_the_Cyber_Attack_on_the_Ukrainian_Power_Grid/)
* Mar 17 - [[PwC] Taiwan Presidential Election: A Case Study on Thematic Targeting](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html) | [:closed_book:](../../blob/master/2016/2016.03.17.Taiwan-election-targetting/)
* Mar 15 - [[Symantec] Suckfly: Revealing the secret life of your code signing certificates](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates) | [:closed_book:](../../blob/master/2016/2016.03.15.Suckfly)
* Mar 14 - [[Proofpoint] Bank robbery in progress: New attacks from Carbanak group target banks in Middle East and US](https://www.proofpoint.com/us/threat-insight/post/carbanak-cybercrime-group-targets-executives-of-financial-organizations-in-middle-east) | [:closed_book:](../../blob/master/2016/2016.03.14.Carbanak_cybercrime_group)
* Mar 10 - [[Citizen Lab] Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans](https://citizenlab.org/2016/03/shifting-tactics/) | [:closed_book:](../../blob/master/2016/2016.03.10.shifting-tactics)
* Mar 09 - [[FireEye] LESSONS FROM OPERATION RUSSIANDOLL](https://www.fireeye.com/blog/threat-research/2016/03/lessons-from-operation-russian-doll.html) | [:closed_book:](../../blob/master/2016/2016.03.09.Operation_RussianDoll)
* Mar 08 - [[360] Operation OnionDog: A 3 Year Old APT Focused On the Energy and Transportation Industries in Korean-language Countries](http://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html) | [:closed_book:](../../blob/master/2016/2016.03.08.OnionDog)
* Mar 03 - [[Recorded Future] Shedding Light on BlackEnergy With Open Source Intelligence](https://www.recordedfuture.com/blackenergy-malware-analysis/) | [:closed_book:](../../blob/master/2016/2016.03.03.Shedding_Light_BlackEnergy)
* Mar 01 - [[Proofpoint] Operation Transparent Tribe - APT Targeting Indian Diplomatic and Military Interests](https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe) | [:closed_book:](../../blob/master/2016/2016.03.01.Operation_Transparent_Tribe/)
* Feb 29 - [[Fidelis] The Turbo Campaign, Featuring Derusbi for 64-bit Linux](https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602_0.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 24 - [[NOVETTA] Operation Blockbuster](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 23 - [[Cylance] OPERATION DUST STORM](https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456355696065) | [:closed_book:](../../blob/master/2016/2016.02.23.Operation_Dust_Storm)
* Feb 12 - [[Palo Alto Networks] A Look Into Fysbis: Sofacy’s Linux Backdoor](http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/) | [:closed_book:](../../blob/master/2016/2016.02.12.Fysbis_Sofacy_Linux_Backdoor)
* Feb 11 - [[Recorded Future] Hacktivism: India vs. Pakistan](https://www.recordedfuture.com/india-pakistan-cyber-rivalry/) | [:closed_book:](../../blob/master/2016/2016.02.11.Hacktivism_India_vs_Pakistan)
* Feb 09 - [[Kaspersky] Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage](https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/) | [:closed_book:](../../blob/master/2016/2016.02.09_Poseidon_APT_Boutique)
* Feb 08 - [[ICIT] Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups](http://icitech.org/know-your-enemies-2-0/) | [:closed_book:](../../blob/master/2016/2016.02.08.Know_Your_Enemies_2.0)
* Feb 03 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [:closed_book:](../../blob/master/2016.02.03.Emissary_Trojan_Changelog)
* Feb 01 - [[IBM] Organized Cybercrime Big in Japan: URLZone Now on the Scene](https://securityintelligence.com/organized-cybercrime-big-in-japan-urlzone-now-on-the-scene/) | [:closed_book:](../../blob/master/2016/2016.02.01.URLzone_Team)
* Jan 29 - [[F5] Tinbapore: Millions of Dollars at Risk](https://devcentral.f5.com/d/tinbapore-millions-of-dollars-at-risk?download=true) | [:closed_book:](../../blob/master/2016/2016.01.29.Tinbapore_Attack)
* Jan 29 - [[Zscaler] Malicious Office files dropping Kasidet and Dridex](http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html) | [:closed_book:](../../blob/master/2016/2016.01.29.Malicious_Office_files_dropping_Kasidet_and_Dridex)
* Jan 28 - [[Kaspersky] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents](https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/) | [:closed_book:](../../blob/master/2016/2016.01.28.BlackEnergy_APT)
* Jan 27 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2016/2016.01.27.Hi-Zor.RAT)
* Jan 26 - [[SentinelOne] Analyzing a New Variant of BlackEnergy 3](https://www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf) | [:closed_book:](../../blob/master/2016/2016.01.26.BlackEnergy3)
* Jan 14 - [[CISCO] RESEARCH SPOTLIGHT: NEEDLES IN A HAYSTACK](http://blog.talosintel.com/2016/01/haystack.html#more) | [:closed_book:](../../blob/master/2016/2016.01.14_Cisco_Needles_in_a_Haystack)
* Jan 14 - [[Symantec] The Waterbug attack group](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [:closed_book:](../../blob/master/2016/2016.01.14.The.Waterbug.Attack.Group/)
* Jan 07 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf) | [:closed_book:](../../blob/master/2016/2016.01.07.Operation_DustySky)
* Jan 03 - [[ESET] BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) | [:closed_book:](../../blob/master/2016/2016.01.03.BlackEnergy_Ukrainian)
* Dec 23 - [[PwC] ELISE: Security Through Obesity](http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html) | [:closed_book:](../../blob/master/2015/2015.12.13.ELISE)
* Dec 22 - [[Palo Alto Networks] BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger](http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/) | [:closed_book:](../../blob/master/2015/2015.12.22.BBSRAT_Roaming_Tiger)
* Dec 20 - [[FireEye] The EPS Awakens - Part 2](https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html) | [:closed_book:](../../blob/master/2015/2015.12.20.EPS_Awakens_Part_II)
* Dec 18 - [[Palo Alto Networks] Attack on French Diplomat Linked to Operation Lotus Blossom](http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/) | [:closed_book:](../../blob/master/2015/2015.12.18.Attack_on_Frence_Diplomat_Linked_To_Operation_Lotus_Blossom)
* Dec 16 - [[Bitdefender] APT28 Under the Scope - A Journey into Exfiltrating Intelligence and Government Information](http://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf) | [:closed_book:](../../blob/master/2015/2015.12.17.APT28_Under_The_Scope)
* Dec 16 - [[Trend Micro] Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them](http://documents.trendmicro.com/assets/Operation_Black%20Atlas_Technical_Brief.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign)
* Dec 16 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign)
* Dec 15 - [[AirBus] Newcomers in the Derusbi family](http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family) | [:closed_book:](../../blob/master/2015/2015.12.15.Newcomers_in_the_Derusbi_family)
* Dec 08 - [[Citizen Lab] Packrat: Seven Years of a South American Threat Actor](https://citizenlab.org/2015/12/packrat-report/) | [:closed_book:](../../blob/master/2015/2015.12.08.Packrat)
* Dec 07 - [[FireEye] Financial Threat Group Targets Volume Boot Record](https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html) | [:closed_book:](../../blob/master/2015/2015.12.07.Thriving_Beyond_The_Operating_System)
* Dec 07 - [[Symantec] Iran-based attackers use back door threats to spy on Middle Eastern targets](http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) | [:closed_book:](../../blob/master/2015/2015.12.07.Iran-based)
* Dec 04 - [[Kaspersky] Sofacy APT hits high profile targets with updated toolset](https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/) | [:closed_book:](../../blob/master/2015/2015.12.04.Sofacy_APT)
* Dec 01 - [[FireEye] China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html) | [:closed_book:](../../blob/master/2015/2015.12.01.China-based_Cyber_Threat_Group_Uses_Dropbox_for_Malware_Communications_and_Targets_Hong_Kong_Media_Outlets)
* Nov 30 - [[FOX-IT] Ponmocup A giant hiding in the shadows](https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf) | [:closed_book:](../../blob/master/2015/2015.11.30.Ponmocup)
* Nov 24 - [[Palo Alto Networks] Attack Campaign on the Government of Thailand Delivers Bookworm Trojan](http://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/) | [:closed_book:](../../blob/master/2015/2015.11.24.Attack_Campaign_on_the_Government_of_Thailand_Delivers_Bookworm_Trojan)
* Nov 23 - [[RSA] PEERING INTO GLASSRAT](https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf) | [:closed_book:](../../blob/master/2015/2015.11.23.PEERING_INTO_GLASSRAT)
* Nov 23 - [[Trend Micro] Prototype Nation: The Chinese Cybercriminal Underground in 2015](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/prototype-nation-the-chinese-cybercriminal-underground-in-2015/?utm_source=siblog&utm_medium=referral&utm_campaign=2015-cn-ug) | [:closed_book:](../../blob/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015)
* Nov 19 - [[Kaspersky] Russian financial cybercrime: how it works](https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/) | [:closed_book:](../../blob/master/2015/2015.11.18.Russian_financial_cybercrime_how_it_works)
* Nov 19 - [[JPCERT] Decrypting Strings in Emdivi](http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html) | [:closed_book:](../../blob/master/2015/2015.11.19.decrypting-strings-in-emdivi)
* Nov 18 - [[Palo Alto Networks] TDrop2 Attacks Suggest Dark Seoul Attackers Return](http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/) | [:closed_book:](../../blob/master/2015/2015.11.18.tdrop2)
* Nov 18 - [[CrowdStrike] Sakula Reloaded](http://blog.crowdstrike.com/sakula-reloaded/) | [:closed_book:](../../blob/master/2015/2015.11.18.Sakula_Reloaded)
* Nov 18 - [[Damballa] Damballa discovers new toolset linked to Destover Attacker’s arsenal helps them to broaden attack surface](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.18.Destover/amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface.pdf) | [:closed_book:](../../blob/master/2015/2015.11.18.Destover)
* Nov 16 - [[FireEye] WitchCoven: Exploiting Web Analytics to Ensnare Victims](https://www2.fireeye.com/threat-intel-report-WITCHCOVEN.html) | [:closed_book:](../../blob/master/2015/2015.11.17.Pinpointing_Targets_Exploiting_Web_Analytics_to_Ensnare_Victims)
* Nov 10 - [[Palo Alto Networks] Bookworm Trojan: A Model of Modular Architecture](http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/) | [:closed_book:](../../blob/master/2015/2015.11.10.bookworm-trojan-a-model-of-modular-architecture)
* Nov 09 - [[Check Point] Rocket Kitten: A Campaign With 9 Lives](http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf) | [:closed_book:](../../blob/master/2015/2015.11.09.Rocket_Kitten_A_Campaign_With_9_Lives)
* Nov 04 - [[RSA] Evolving Threats:dissection of a CyberEspionage attack](http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf) | [:closed_book:](../../blob/master/2015/2015.11.04_Evolving_Threats)
* Oct 16 - [[Citizen Lab] Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/)(https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36/) | [:closed_book:](../../blob/master/2015/2015.10.16.NGO_Burmese_Government)
* Oct 15 - [[Citizen Lab] Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation](https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/) | [:closed_book:](../../blob/master/2015/2015.10.15.FinFisher_Continuing)
* Oct 03 - [[Cybereason] Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf) | [:closed_book:](../../blob/master/2015/2015.10.03.Webmail_Server_APT)
* Sep 23 - [[ThreatConnect] PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA’S UNIT 78020](https://www.threatconnect.com/camerashy-intro/) | [PDF](https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) | [:closed_book:](../../blob/master/2015/2015.09.23.CAMERASHY_ThreatConnect)
* Sep 17 - [[F-SECURE] The Dukes 7 Years of Russian Cyber Espionage](https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/) - [PDF](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf) | [:closed_book:](../../blob/master/2015/2015.09.17.duke_russian)
* Sep 16 - [[Proofpoint] The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK](https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows) | [:closed_book:](../../blob/master/2015/2015.09.16.The-Shadow-Knows)
* Sep 16 - [[Trend Micro] Operation Iron Tiger: How China-Based Actors Shifted Attacks from APAC to US Targets](http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states) | [IOC](https://otx.alienvault.com/pulse/55f9910967db8c6fb35179bd/) | [:closed_book:](../../blob/master/2015/2015.09.17.Operation_Iron_Tiger)
* Sep 15 - [[Proofpoint] In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) | [:closed_book:](../../blob/master/2015/2015.09.15.PlugX_in_Russia)
* Sep 09 - [[Kaspersky] Satellite Turla: APT Command and Control in the Sky](https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/) | [:closed_book:](../../blob/master/2015/2015.09.09.satellite-turla-apt)
* Sep 08 - [[Palo Alto Networks] Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware](http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/) | [:closed_book:](../../blob/master/2015/2015.09.08.Musical_Chairs_Gh0st_Malware)
* Sep 01 - [[Trend Micro, Clearsky] The Spy Kittens Are Back: Rocket Kitten 2](http://www.trendmicro.tw/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) | [PDF](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf) | [:closed_book:](../../blob/master/2015/2015.09.01.Rocket_Kitten_2)
* Aug 20 - [[Arbor] PlugX Threat Activity in Myanmar](http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf) | [:closed_book:](../../blob/master/2015/2015.08.20.PlugX_Threat_Activity_in_Myanmar)
* Aug 20 - [[Kaspersky] New activity of the Blue Termite APT](https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/) | [:closed_book:](../../blob/master/2015/2015.08.20.new-activity-of-the-blue-termite-apt)
* Aug 19 - [[Symantec] New Internet Explorer zero-day exploited in Hong Kong attacks](http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks) | [:closed_book:](../../blob/master/2015/2015.08.19.new-internet-explorer-zero-day-exploited-hong-kong-attacks)
* Aug 10 - [[ShadowServer] The Italian Connection: An analysis of exploit supply chains and digital quartermasters](http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exploit-supply-chains-and-digital-quartermasters/) | [:closed_book:](../../blob/master/2015/2015.08.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters)
* Aug 08 - [[Cyint] Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign](http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended-plugx-campaign/) | [:closed_book:](../../blob/master/2015/2015.08.08.Poison_Ivy_and_Links_to_an_Extended_PlugX_Campaign)
* Aug 05 - [[Dell] Threat Group-3390 Targets Organizations for Cyberespionage](http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/) | [:closed_book:](../../blob/master/2015/2015.08.05.Threat_Group-3390)
* Aug 04 - [[RSA] Terracotta VPN: Enabler of Advanced Threat Anonymity](https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/) | [:closed_book:](../../blob/master/2015/2015.08.04.Terracotta_VPN)
* Jul 22 - [[F-SECURE] Duke APT group's latest tools: cloud services and Linux support](https://www.f-secure.com/weblog/archives/00002822.html) | [:closed_book:](../../blob/master/2015/2015.07.22.Duke_APT_groups_latest_tools)
* Jul 20 - [[ThreatConnect] China Hacks the Peace Palace: All Your EEZ’s Are Belong to Us](http://www.threatconnect.com/news/china-hacks-the-peace-palace-all-your-eezs-are-belong-to-us/) | [:closed_book:](../../blob/master/2015/2015.07.20.China_Peace_Palace)
* Jul 14 - [[Palo Alto Networks] Tracking MiniDionis: CozyCar’s New Ride Is Related to Seaduke](http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/) | [:closed_book:](../../blob/master/2015/2015.07.14.tracking-minidionis-cozycars)
* Jul 14 - [[Trend Micro] An In-Depth Look at How Pawn Storm’s Java Zero-Day Was Used](http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/) | [:closed_book:](../../blob/master/2015/2015.07.14.How_Pawn_Storm_Java_Zero-Day_Was_Used)
* Jul 13 - [[Symantec] "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory](http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory) | [:closed_book:](../../blob/master/2015/2015.07.13.Forkmeiamfamous)
* Jul 13 - [[FireEye] Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability CVE-2015-5119 Following Hacking Team Leak](https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html) | [:closed_book:](../../blob/master/2015/2015.07.13.Demonstrating_Hustle)
* Jul 10 - [[Palo Alto Networks] APT Group UPS Targets US Government with Hacking Team Flash Exploit](http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team-flash-exploit/) | [:closed_book:](../../blob/master/2015/2015.07.10.APT_Group_UPS_Targets_US_Government)
* Jul 09 - [[Symantec] Butterfly: Corporate spies out for financial gain](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf) | [:closed_book:](../../blob/master/2015/2015.07.09.Butterfly)
* Jul 08 - [[Kaspersky] Wild Neutron – Economic espionage threat actor returns with new tricks](https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/) | [:closed_book:](../../blob/master/2015/2015.07.08.Wild_Neutron)
* Jun 30 - [[ESET] Dino – the latest spying malware from an allegedly French espionage group analyzed](http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed) | [:closed_book:](../../blob/master/2015/2015.06.30.dino-spying-malware-analyzed)
* Jun 28 - [[Dragon Threat Labs] APT on Taiwan - insight into advances of adversary TTPs](http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html) | [:closed_book:](../../blob/master/2015/2015.06.28.APT_on_Taiwan)
* Jun 26 - [[FireEye] Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) | [:closed_book:](../../blob/master/2015/2015.06.26.operation-clandestine-wolf)
* Jun 24 - [[PwC] UnFIN4ished Business (FIN4)](http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html) | [:closed_book:](../../blob/master/2015/2015.06.24.unfin4ished-business)
* Jun 15 - [[Citizen Lab] Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114](https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/) | [:closed_book:](../../blob/master/2015/2015.06.15.Targeted-Attacks-against-Tibetan-and-Hong-Kong-Groups)
* Jun 12 - [[Volexity] Afghan Government Compromise: Browser Beware](http://www.volexity.com/blog/?p=134) | [:closed_book:](../../blob/master/2015/2015.06.12.Afghan_Government_Compromise)
* Jun 10 - [[Kaspersky] The_Mystery_of_Duqu_2_0](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) [IOC](https://securelist.com/files/2015/06/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc) [Yara](https://securelist.com/files/2015/06/Duqu_2_Yara_rules.pdf) | [:closed_book:](../../blob/master/2015/2015.06.10.The_Mystery_of_Duqu_2_0)
* Jun 04 - [[JP Internet Watch] Blue Thermite targeting Japan (CloudyOmega)](http://internet.watch.impress.co.jp/docs/news/20150604_705541.html) | [:closed_book:](../../blob/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis)
* Jun 03 - [[ClearSky] Thamar Reservoir](http://www.clearskysec.com/thamar-reservoir/) | [:closed_book:](../../blob/master/2015/2015.06.03.thamar-reservoir)
* May 29 - [[360] OceanLotusReport](http://blogs.360.cn/blog/oceanlotus-apt/) | [:closed_book:](../../blob/master/2015/2015.05.29.OceanLotus)
* May 28 - [[Kaspersky] Grabit and the RATs](https://securelist.com/blog/research/70087/grabit-and-the-rats/) | [:closed_book:](../../blob/master/2015/2015.05.28.grabit-and-the-rats)
* May 27 - [[Antiy Labs] Analysis On Apt-To-Be Attack That Focusing On China's Government Agency'](http://www.antiy.net/p/analysis-on-apt-to-be-attack-that-focusing-on-chinas-government-agency/) | [:closed_book:](../../blob/master/2015/2015.05.27.APT_to_be)
* May 27 - [[CyberX] BlackEnergy 3 – Exfiltration of Data in ICS Networks](http://cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf) | [:closed_book:](../../blob/master/2015/2015.05.27.BlackEnergy3)
* May 26 - [[ESET] Dissecting-Linux/Moose](http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf) | [:closed_book:](../../blob/master/2015/2015.05.26.LinuxMoose)
* May 21 - [[Kaspersky] The Naikon APT and the MsnMM Campaigns](https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/) | [:closed_book:](../../blob/master/2015/2015.05.21.Naikon_APT)
* May 19 - [[Panda] Operation 'Oil Tanker'](http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf) | [:closed_book:](../../blob/master/2015/2015.05.19.Operation_Oil_Tanker)
* May 18 - [[Palo Alto Networks] Cmstar Downloader: Lurid and Enfal’s New Cousin](http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/) | [:closed_book:](../../blob/master/2015/2015.05.18.Cmstar)
* May 14 - [[Kaspersky] The Naikon APT](https://securelist.com/analysis/publications/69953/the-naikon-apt/) | [:closed_book:](../../blob/master/2015/2015.05.14.Naikon_APT)
* May 13 - [[Cylance] SPEAR: A Threat Actor Resurfaces](http://blog.cylance.com/spear-a-threat-actor-resurfaces) | [:closed_book:](../../blob/master/2015/2015.05.13.Spear_Threat)
* May 12 - [[PR Newswire] root9B Uncovers Planned Sofacy Cyber Attack Targeting Several International and Domestic Financial Institutions](http://www.prnewswire.com/news-releases/root9b-uncovers-planned-sofacy-cyber-attack-targeting-several-international-and-domestic-financial-institutions-300081634.html) | [:closed_book:](../../blob/master/2015/2015.05.12.Sofacy_root9B)
* Apr 21 - [[Kaspersky] The CozyDuke APT](http://securelist.com/blog/69731/the-cozyduke-apt) | [:closed_book:](../../blob/master/2015/2015.04.21.CozyDuke_APT)
* Apr 20 - [[PWC] Sofacy II – Same Sofacy, Different Day](http://pwc.blogs.com/cyber_security_updates/2015/04/the-sofacy-plot-thickens.html) | [:closed_book:](../../blob/master/2015/2015.04.20.Sofacy_II)
* Apr 18 - [[FireEye] Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack](https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html) | [:closed_book:](../../blob/master/2015/2015.04.18.Operation_RussianDoll)
* Apr 16 - [[Trend Micro] Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house) | [:closed_book:](../../blob/master/2015/2015.04.16.Operation_Pawn_Storm)
* Apr 15 - [[Kaspersky] The Chronicles of the Hellsing APT: the Empire Strikes Back](http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/) | [:closed_book:](../../blob/master/2015/2015.04.15.Hellsing_APT)
* Apr 12 - [[FireEye] APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation](https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html) | [:closed_book:](../../blob/master/2015/2015.04.12.APT30)
* Mar 31 - [[CheckPoint] Volatile Cedar – Analysis of a Global Cyber Espionage Campaign](http://blog.checkpoint.com/2015/03/31/volatilecedar/) | [:closed_book:](../../blob/master/2015/2015.03.31.Volatile_Cedar)
* Mar 19 - [[Trend Micro] Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing) | [:closed_book:](../../blob/master/2015/2015.03.19.Goldfish_Phishing)
* Mar 11 - [[Kaspersky] Inside the EquationDrug Espionage Platform](http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/) | [:closed_book:](../../blob/master/2015/2015.03.11.EquationDrug)
* Mar 10 - [[Citizen Lab] Tibetan Uprising Day Malware Attacks](https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/) | [:closed_book:](../../blob/master/2015/2015.03.10.Tibetan_Uprising)
* Mar 06 - [[F-SECURE] Is Babar a Bunny?](https://www.f-secure.com/weblog/archives/00002794.html) | [:closed_book:](../../blob/master/2015/2015.03.06.Babar_or_Bunny)
* Mar 06 - [[Kaspersky] Animals in the APT Farm](https://securelist.com/animals-in-the-apt-farm/69114/) | [:closed_book:](../../blob/master/2015/2015.03.06.Animals_APT_Farm)
* Mar 05 - [[ESET] Casper Malware: After Babar and Bunny, Another Espionage Cartoon](http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon) | [:closed_book:](../../blob/master/2015/2015.03.05.Casper_Malware)
* Feb 24 - [[PWC] A deeper look into Scanbox](http://pwc.blogs.com/cyber_security_updates/2015/02/a-deeper-look-into-scanbox.html) | [:closed_book:](../../blob/master/2015/2015.02.24.Deeper_Scanbox)
* Feb 27 - [[ThreatConnect] The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [:closed_book:](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
* Feb 25 - [[FireEye] Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/FireEye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf) | [:closed_book:](../../blob/master/2015/2015.02.25.Southeast_Asia_Threat_Landscape)
* Feb 25 - [[Sophos] PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/) | [:closed_book:](../../blob/master/2015/2015.02.25.PlugX_to_registry)
* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [:closed_book:](../../blob/master/2015/2015.02.18.Babar)
* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [:closed_book:](../../blob/master/2015/2015.02.18.Shooting_Elephants)
* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [:closed_book:](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [:closed_book:](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [:closed_book:](../../blob/master/2015/2015.02.16.Carbanak.APT)
* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [:closed_book:](../../blob/master/2015/2015.02.16.equation-the-death-star)
* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [:closed_book:](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
* Feb 02 - [[FireEye] Behind the Syrian Conflict’s Digital Frontlines](https://www.fireeye.com/content/dam/FireEye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [:closed_book:](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX ](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [:closed_book:](../../blob/master/2015/2015.01.29.P2P_PlugX)
* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [:closed_book:](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [:closed_book:](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
* Jan 22 - [[Kaspersky] Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [:closed_book:](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
* Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [:closed_book:](../../blob/master/2015/2015.01.22.Waterbug.group)
* Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [:closed_book:](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
* Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [:closed_book:](../../blob/master/2015/2015.01.20.Project_Cobra)
* Jan 15 - [[G DATA] Evolution of Agent.BTZ to ComRAT](https://blog.gdatasoftware.com/blog/article/evolution-of-sophisticated-spyware-from-agentbtz-to-comrat.html) | [:closed_book:](../../blob/master/2015/2015.01.15.Evolution_of_Agent.BTZ_to_ComRAT)
* Jan 11 - [[Dragon Threat Labs] Hong Kong SWC attack](http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html) | [:closed_book:](../../blob/master/2015/2015.01.11.Hong_Kong_SWC_Attack)
* Dec 17 - [[CISCO] Wiper Malware – A Detection Deep Dive](http://blogs.cisco.com/security/talos/wiper-malware) | [:closed_book:](../../blob/master/2014/2014.12.17.Wiper_Malware_Deep_Dive)
* Dec 12 - [[Fidelis] Bots, Machines, and the Matrix](http://www.fidelissecurity.com/sites/default/files/FTA_1014_Bots_Machines_and_the_Matrix.pdf) | [:closed_book:](../../blob/master/2014/2014.12.12.Bots_Machines_and_the_Matrix)
* Dec 12 - [[AirBus] Vinself now with steganography](http://blog.cybersecurity-airbusds.com/post/2014/12/Vinself) | [:closed_book:](../../blob/master/2014/2014.12.12.Vinself)
* Dec 09 - [[BlueCoat] The Inception Framework](https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware) | [:closed_book:](../../blob/master//2014/2014.12.09_The_Inception_Framework)
* Nov 30 - [FIN4: Stealing Insider Information for an Advantage in Stock Trading?](https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html)
* Nov 20 - [[] EvilBunny: Suspect #4](http://0x1338.blogspot.co.uk/2014/11/hunting-bunnies.html) | [:closed_book:](../../blob/master//2014/2014.11.20.EvilBunny)
* Nov 14 - [[] Roaming Tiger (Slides)](http://2014.zeronights.ru/assets/files/slides/roaming_tiger_zeronights_2014.pdf) | [:closed_book:](../../blob/master//2014/2014.11.14.Roaming_Tiger)
* Nov 14 - [[F-Secure] OnionDuke: APT Attacks Via the Tor Network](http://www.f-secure.com/weblog/archives/00002764.html) | [:closed_book:](../../blob/master//2014/2014.11.14.OnionDuke)
* Nov 10 - [[Kaspersky] The Darkhotel APT - A Story of Unusual Hospitality](https://securelist.com/blog/research/66779/the-darkhotel-apt/) | [:closed_book:](../../blob/master//2014/2014.11.10.Darkhotel)
* Nov 03 - [Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement](http://www.fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html)
* Nov 03 - [New observations on BlackEnergy2 APT activity](https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/)
* Oct 31 - [Operation TooHash](https://blog.gdatasoftware.com/blog/article/operation-toohash-how-targeted-attacks-work.html)
* Oct 30 - [The Rotten Tomato Campaign](http://blogs.sophos.com/2014/10/30/the-rotten-tomato-campaign-new-sophoslabs-research-on-apts/)
* Oct 28 - [Group 72, Opening the ZxShell](http://blogs.cisco.com/talos/opening-zxshell/)
* Oct 28 - [APT28 - A Window Into Russia's Cyber Espionage Operations](https://www.fireeye.com/resources/pdfs/apt28.pdf)
* Oct 27 - [Micro-Targeted Malvertising via Real-time Ad Bidding](http://www.invincea.com/wp-content/uploads/2014/10/Micro-Targeted-Malvertising-WP-10-27-14-1.pdf)
* Oct 27 - [ScanBox framework – who’s affected, and who’s using it?](http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html)
* Oct 27 - [Full Disclosure of Havex Trojans - ICS Havex backdoors](http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans)
* Oct 24 - [LeoUncia and OrcaRat](http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat)
* Oct 23 - [Modified Tor Binaries](http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/)
* Oct 22 - [Sofacy Phishing by PWC](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf)
* Oct 22 - [[Trend Micro] Operation Pawn Storm: The Red in SEDNIT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf) | [:closed_book:](../../blob/master//2014/2014.10.22.Operation_Pawn_Storm)
* Oct 20 - [OrcaRAT - A whale of a tale](http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html)
* Oct 14 - [Sandworm - CVE-2104-4114](http://www.isightpartners.com/2014/10/cve-2014-4114/)
* Oct 14 - [Group 72 (Axiom)](http://blogs.cisco.com/security/talos/threat-spotlight-group-72/)
* Oct 14 - [Derusbi Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf)
* Oct 14 - [Hikit Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf)
* Oct 14 - [ZoxPNG Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf)
* Oct 09 - [Democracy in Hong Kong Under Attack](http://www.volexity.com/blog/?p=33)
* Oct 03 - [New indicators for APT group Nitro](http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/)
* Sep 08 - [When Governments Hack Opponents: A Look at Actors and Technology](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-marczak.pdf) [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/marczak)
* Sep 04 - [Forced to Adapt: XSLCmd Backdoor Now on OS X](http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)
* Sep 03 - [Darwin’s Favorite APT Group (APT12)](http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html)
* Aug 29 - [Syrian Malware Team Uses BlackWorm for Attacks](http://www.fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html)
* Aug 28 - [Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks](https://www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks)
* Aug 27 - [North Korea’s cyber threat landscape](http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf)
* Aug 27 - [NetTraveler APT Gets a Makeover for 10th Birthday](https://securelist.com/blog/research/66272/nettraveler-apt-gets-a-makeover-for-10th-birthday/)
* Aug 25 - [Vietnam APT Campaign](http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html)
* Aug 20 - [El Machete](https://securelist.com/blog/research/66108/el-machete/)
* Aug 18 - [The Syrian Malware House of Cards](https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/) | [:closed_book:](../../blob/master//2014/2014.08.18.Syrian_Malware_House_of_Cards)
* Aug 13 - [A Look at Targeted Attacks Through the Lense of an NGO](http://www.mpi-sws.org/~stevens/pubs/sec14.pdf) | [:closed_book:](../../blob/master//2014/2014.08.13.TargetAttack.NGO)
* Aug 12 - [New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)](http://www.fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html)
* Aug 07 - [The Epic Turla Operation Appendix](https://securelist.com/files/2014/08/KL_Epic_Turla_Technical_Appendix_20140806.pdf)
* Aug 06 - [Operation Poisoned Hurricane](http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html)
* Aug 05 - [Operation Arachnophobia](http://threatc.s3-website-us-east-1.amazonaws.com/?/arachnophobia)
* Jul 29 - [[Dell] Threat Group-3279 Targets the Video Game Industry](https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry) | [:closed_book:](../../blob/master/2014/2014.07.29.Threat_Group-3279_Targets_the_Video_Game_Industry)
* Jul 07 - [Deep Pandas, Deep in Thought: Chinese Targeting of National Security Think Tanks](http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/) | [:closed_book:](../../blob/master/2014/2014.07.07.Deep_in_Thought)
* Jun 10 - [Anatomy of the Attack: Zombie Zero](http://www.trapx.com/wp-content/uploads/2014/07/TrapX_ZOMBIE_Report_Final.pdf)
* Jun 30 - [Dragonfly: Cyberespionage Attacks Against Energy Suppliers](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf)
* Jun 20 - [Embassy of Greece Beijing](http://thegoldenmessenger.blogspot.de/2014/06/blitzanalysis-embassy-of-greece-beijing.html)
* Jun 09 - [Putter Panda](http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf)
* Jun 06 - [Illuminating The Etumbot APT Backdoor (APT12)](http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf)
* May 21 - [RAT in jar: A phishing campaign using Unrecom](http://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf)
* May 20 - [Miniduke Twitter C&C](http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/)
* May 13 - [CrowdStrike's report on Flying Kitten](http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/)
* Mar 12 - [[FireEye] A Detailed Examination of the Siesta Campaign](https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html)| [:closed_book:](../../blob/master/2014/2014.03.12.Detailed_Siesta_Campaign)
* Feb 25 - [The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity](http://blog.crowdstrike.com/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/) | [:closed_book:](../../blob/master/2014/2014.02.25.The_French_Connection)
* Feb 20 - [Mo' Shells Mo' Problems - Deep Panda Web Shells](http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/) | [:closed_book:](../../blob/master/2014/2014.02.20.deep-panda-webshells)
* Feb 20 - [[FireEye] Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit](http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html) | [:closed_book:](../../blob/master/2014/2014.02.20.Operation_GreedyWonk)
* Feb 13 - [[FireEye] Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website](http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html) | [:closed_book:](../../blob/master/2014/2014.02.13_Operation_SnowMan)
* Feb 11 - [[Kaspersky] Unveiling "Careto" - The Masked APT](http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf) | [:closed_book:](../../blob/master/2014/2014.02.11_Careto_APT)
* Jan 15 - [“New'CDTO:'A'Sneakernet'Trojan'Solution](http://www.fidelissecurity.com/sites/default/files/FTA%201001%20FINAL%201.15.14.pdf)
* Jan 14 - [The Icefog APT Hits US Targets With Java Backdoor](https://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor)
* Jan 13 - [Targeted attacks against the Energy Sector](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf)
* Jan 06 - [PlugX: some uncovered points](http://blog.cassidiancybersecurity.com/2014/01/plugx-some-uncovered-points.html)
* ??? ?? - [THE LITTLE MALWARE THAT COULD: Detecting and Defeating the China Chopper Web Shell](https://www.fireeye.com/content/dam/FireEye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf) | [:closed_book:](../../blob/master/2013/2013.China_Chopper_Web_Shell)
* Sep 30 - [[FireEye] World War C: State of affairs in the APT world](https://www.fireeye.com/blog/threat-research/2013/09/new-FireEye-report-world-war-c.html)
* Aug 23 - [Operation Molerats: Middle East Cyber Attacks Using Poison Ivy](http://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html)
* Aug 19 - [ByeBye Shell and the targeting of Pakistan](https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan)
* Aug 02 - [Surtr: Malware Family Targeting the Tibetan Community](https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/)
* Aug 02 - [Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up](http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/)
* Aug ?? - [APT Attacks on Indian Cyber Space](http://g0s.org/wp-content/uploads/2013/downloads/Inside_Report_by_Infosec_Consortium.pdf)
* Aug ?? - [Operation Hangover - Unveiling an Indian Cyberattack Infrastructure](http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf)
* Jul 09 - [Dark Seoul Cyber Attack: Could it be worse?](http://cisak.perpika.kr/wp-content/uploads/2013/07/2013-08.pdf)
* Jun 30 - [Targeted Campaign Steals Credentials in Gulf States and Caribbean](https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean)
* Jun 28 - [njRAT Uncovered](http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf)
* Jun 21 - [[Citizen Lab] A Call to Harm: New Malware Attacks Target the Syrian Opposition](https://citizenlab.org/wp-content/uploads/2013/07/19-2013-acalltoharm.pdf) | [:closed_book:](../../blob/master/2013/2013.06.21.Syrian_Attack)
* Jun 18 - [[FireEye] Trojan.APT.Seinup Hitting ASEAN](http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html) | [:closed_book:](../../blob/master/2013/2013.06.18.APT_Seinup)
* Jun 07 - [[Rapid7] KeyBoy, Targeted Attacks against Vietnam and India](https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india) | [:closed_book:](../../blob/master/2013/2013.06.07.KeyBoy_APT)
* Jun 04 - [[Kaspersky] The NetTraveller (aka 'Travnet')](http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf) | [:closed_book:](../../blob/master/2013/2013.06.04.NetTraveller)
* Jun 01 - [[Purdue] Crude Faux: An analysis of cyber conflict within the oil & gas industries](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-9.pdf) | [:closed_book:](../../blob/master/2013/2013.06.01.cyber_conflict_Oil_Gas)
* Jun ?? - [[BlueCoat] The Chinese Malware Complexes: The Maudi Surveillance Operation](https://bluecoat.com/documents/download/2c832f0f-45d2-4145-bdb7-70fc78c22b0f&ei=ZGP-VMCbMsuxggSThYDgDg&usg=AFQjCNFjXSkn_AIiXge1X9oWZHzQOiNDJw&sig2=B6e2is0sCnGEbLPL9q0eZg&bvm=bv.87611401,d.eXY) | [:closed_book:](../../blob/master/2013/2013.06.00.Maudi_Surveillance_Operation)
* May 30 - [[CIRCL] TR-14 - Analysis of a stage 3 Miniduke malware sample](http://www.circl.lu/pub/tr-14/) | [:closed_book:](../../blob/master/2013/2013.05.20.Miniduke.Analysis)
* May 20 - [[Norman] OPERATION HANGOVER: Unveiling an Indian Cyberattack Infrastructure](http://www.thecre.com/fnews/wp-content/uploads/2013/05/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf) | [:closed_book:](../../blob/master/2013/2013.05.20.Operation_Hangover)
* May 16 - [[ESET] Targeted information stealing attacks in South Asia use email, signed binaries](https://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/) | [:closed_book:](../../blob/master/2013/2013.05.16.targeted-threat-pakistan-india)
* Apr 21 - [[Bitdefender] MiniDuke - The Final Cut](http://labs.bitdefender.com/2013/04/miniduke-the-final-cut) | [:closed_book:](../../blob/master/2013/2013.04.21.MiniDuke)
* Apr 13 - [[Kaspersky] "Winnti" More than just a game](http://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf) | [:closed_book:](../../blob/master/2013/2013.04.13.Winnti)
* Mar 28 - [[Circl] TR-12 - Analysis of a PlugX malware variant used for targeted attacks](http://www.circl.lu/pub/tr-12/) | [:closed_book:](../../blob/master/2013/2013.03.28.TR-12_PlugX_malware)
* Mar 21 - [[Fidelis] Darkseoul/Jokra Analysis And Recovery](https://old.fidelissecurity.com/sites/default/files/FTA%201008%20-%20Darkseoul-Jokra%20Analysis%20and%20Recovery.pdf) | [:closed_book:](../../blob/master/2013/2013.03.21.Darkseoul)
* Mar 20 - [[Kaspersky] The TeamSpy Crew Attacks](http://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/) | [:closed_book:](../../blob/master/2013/2013.03.20.TeamSpy_Crew)
* Mar 20 - [[McAfee] Dissecting Operation Troy](http://www.mcafee.com/sg/resources/white-papers/wp-dissecting-operation-troy.pdf) | [:closed_book:](../../blob/master/2013/2013.03.20.Operation_Troy)
* Mar 17 - [[Trend Micro] Safe: A Targeted Threat](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf) | [:closed_book:](../../blob/master/2013/2013.03.17.Targeted_Threat)
* Mar 13 - [[Citizen lab] You Only Click Twice: FinFisher’s Global Proliferation](https://citizenlab.org/wp-content/uploads/2013/07/15-2013-youonlyclicktwice.pdf) | [:closed_book:](../../blob/master/2013/2013.03.13.FinFisher)
* Feb 27 - [[Kaspersky] The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor](https://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf) | [:closed_book:](../../blob/master/2013/2013.02.27.MiniDuke_Mystery)
* Feb 26 - [[Symantec] Stuxnet 0.5: The Missing Link](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf) | [:closed_book:](../../blob/master/2013/2013.02.26.Stuxnet_0.5)
* Feb 22 - [[Symantec] Comment Crew: Indicators of Compromise](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf) | [:closed_book:](../../blob/master/2013/2013.02.22.Comment_Crew)
* Feb 18 - [[FireEye] Mandiant APT1 Report](http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) | [:closed_book:](../../blob/master/2013/2013.02.18.APT1)
* Feb 12 - [[AIT] Targeted cyber attacks: examples and challenges ahead](http://www.ait.ac.at/uploads/media/Presentation_Targeted-Attacks_EN.pdf) | [:closed_book:](../../blob/master/2013/2013.02.12.Targeted-Attacks)
* Jan 18 - [[McAfee] Operation Red October](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24250/en_US/McAfee_Labs_Threat_Advisory_Exploit_Operation_Red_Oct.pdf) | [:closed_book:](../../blob/master/2013/2013.01.18.Operation_Red_Oct)
* Jan 14 - [[Kaspersky] The Red October Campaign](https://securelist.com/blog/incidents/57647/the-red-october-campaign) | [:closed_book:](../../blob/master/2013/2013.01.14.Red_October_Campaign)
* Nov ?? - [[KrebsonSecurity] "Wicked Rose" and the NCPH Hacking Group](https://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf) | [:closed_book:](../../blob/master/2012/2012.11.00_Wicked_Rose)
* Nov 03 - [[CyberPeace] Systematic cyber attacks against Israeli and Palestinian targets going on for a year](http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf) | [:closed_book:](../../blob/master/2012/2012.11.03.Israeli_and_Palestinian_Attack)
* Nov 01 - [[Fidelis] RECOVERING FROM SHAMOON](http://www.fidelissecurity.com/sites/default/files/FTA%201007%20-%20Shamoon.pdf) | [:closed_book:](../../blob/master/2012/2012.11.01.RECOVERING_FROM_SHAMOON)
* Oct 31 - [[DEA] CYBER ESPIONAGE Against Georgian Government (Georbot Botnet)](http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf) | [:closed_book:](../../blob/master/2012/2012.10.31.CYBER_ESPIONAGE_Georbot_Botnet)
* Oct 08 - [[Matasano] pest control: taming the rats](http://matasano.com/research/PEST-CONTROL.pdf) | [:closed_book:](../../blob/master/2012/2012.10.08.Pest_Control)
* Sep 18 - [[Dell] The Mirage Campaign](http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/) | [:closed_book:](../../blob/master/2012/2012.09.18.Mirage_Campaign)
* Sep 12 - [[RSA] The VOHO Campaign: An in depth analysis](http://blogsdev.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf) | [:closed_book:](../../blob/master/2012/2012.09.12.VOHO_Campaign)
* Sep 06 - [[Symantec] The Elderwood Project](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf) | [:closed_book:](../../blob/master/2012/2012.09.06.Elderwood)
* Aug 18 - [[Trend Micro] The Taidoor Campaign AN IN-DEPTH ANALYSIS ](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf) | [:closed_book:](../../blob/master/2012/2012.08.18.Taidoor_Campaign)
* Jul 10 - [[Citizenlab] Advanced Social Engineering for the Distribution of LURK Malware](https://citizenlab.org/wp-content/uploads/2012/07/10-2012-recentobservationsintibet.pdf) | [:closed_book:](../../blob/master/2012/2012.07.10.SE_LURK_Malware)
* May 31 - [[Crysys] sKyWIper (Flame/Flamer)](http://www.crysys.hu/skywiper/skywiper.pdf) | [:closed_book:](../../blob/master/2012/2012.05.31.Flame_sKyWIper)
* May 22 - [[Trend Micro] IXESHE An APT Campaign](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf) | [:closed_book:](../../blob/master/2012/2012.05.22.IXESHE)
* May 18 - [[Symantec] Analysis of Flamer C&C Server](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf) | [:closed_book:](../../blob/master/2012/2012.05.18.Flamer_CnC)
* Feb 29 - [[Dell] The Sin Digoo Affair](http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/) | [:closed_book:](../../blob/master/2012/2012.02.29.Sin_Digoo_Affair)
* Feb 03 - [[CommandFive] Command and Control in the Fifth Domain](http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf) | [:closed_book:](../../blob/master/2012/2012.02.03.Fifth_Domain_CnC)
* Jan 03 - [[Trend Micro] The HeartBeat APT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf) | [:closed_book:](../../blob/master/2012/2012.01.03.HeartBeat_APT)
* Nov 15 - [[Norman] The many faces of Gh0st Rat](http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf) | [:closed_book:](../../blob/master/2011/2011.11.15.Many_Faces_Gh0st_Rat)
* Oct 31 - [[Symantec] The Nitro Attacks: Stealing Secrets from the Chemical Industry](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf) | [:closed_book:](../../blob/master/2011/2011.10.31.Nitro)
* Oct 26 - [[Dell] Duqu Trojan Questions and Answers](http://www.secureworks.com/cyber-threat-intelligence/threats/duqu/) | [:closed_book:](../../blob/master/2011/2011.10.26.Duqu)
* Sep 11 - [[CommandFive] SK Hack by an Advanced Persistent Threat](http://www.commandfive.com/papers/C5_APT_SKHack.pdf) | [:closed_book:](../../blob/master/2011/2011.09.11.SK_Hack)
* Sep 09 - [[Fidelis] The RSA Hack](http://www.fidelissecurity.com/sites/default/files/FTA1001-The_RSA_Hack.pdf) | [:closed_book:](../../blob/master/2011/2011.09.09.RSA_Hack)
* Aug 04 - [[McAfee] Operation Shady RAT](http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf) | [:closed_book:](../../blob/master/2011/2011.08.04.Operation_Shady_RAT)
* Aug 03 - [[Dell] HTran and the Advanced Persistent Threat](http://www.secureworks.com/cyber-threat-intelligence/threats/htran/) | [:closed_book:](../../blob/master/2011/2011.08.03.HTran)
* Aug 02 - [[vanityfair] Operation Shady rat : Vanity](http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109) | [:closed_book:](../../blob/master/2011/2011.08.02.Operation_Shady_RAT_Vanity)
* Jun ?? - [[CommandFive] Advanced Persistent Threats:A Decade in Review]() | [:closed_book:](../../blob/master/2011/2011.06.APT)
* Apr 20 - [[ESET] Stuxnet Under the Microscope](http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf) | [:closed_book:](../../blob/master/2011/2011.04.20.Stuxnet)
* Feb 18 - [[NERC] Night Dragon Specific Protection Measures for Consideration](http://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/2011%20Alerts/A-2011-02-18-01%20Night%20Dragon%20Attachment%201.pdf) | [:closed_book:](../../blob/master/2011/2011.02.18.Night_Dragon.Specific)
* Feb 10 - [[McAfee] Global Energy Cyberattacks: Night Dragon](http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf) | [:closed_book:](../../blob/master/2011/2011.02.10.Night_Dragon)
* Dec 09 - [[CRS] The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability ](http://www.fas.org/sgp/crs/natsec/R41524.pdf) | [:closed_book:](../../blob/master/2010/2010.12.09.Stuxnet_Worm)
* Jan 26 - [[McAfee] How Can I Tell if I Was Infected By Aurora? (IOCs)]() | [:closed_book:](../../blob/master/2010/2010.01.26.Operation_Aurora_IoC)
* Jan 20 - [[McAfee] Combating Aurora](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/67000/KB67957/en_US/Combating%20Threats%20-%20Operation%20Aurora.pdf)| [:closed_book:](../../blob/master/2010/2010.01.20.Combating_Aurora)
* Jan 13 - [[Damballa] The Command Structure of the Aurora Botnet](https://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf) | [:closed_book:](../../blob/master/2010/2010.01.13.Aurora_Botnet)
* Jan 12 - [[Google] Operation Aurora](http://en.wikipedia.org/wiki/Operation_Aurora) | [:closed_book:](../../blob/master/2010/2010.01.12.Operation_Aurora)
* Oct 19 - [[Northrop Grumman] Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation ](https://nsarchive2.gwu.edu//NSAEBB/NSAEBB424/docs/Cyber-030.pdf) | [:closed_book:](../../blob/master/2009/2009.10.19.Capability_China_Cyber_Warfare)
* ??? - [[Culture Mandala] HOW CHINA WILL USE CYBER WARFARE TO LEAPFROG IN MILITARY COMPETITIVENESS ](http://www.international-relations.com/CM8-1/Cyberwar.pdf) | [:closed_book:](../../blob/master/2008/2008.HOW_CHINA_WILL_USE_CYBER_WARFARE)
* Oct 02 - [[Culture Mandala] How China will use cyber warfare to leapfrog in military competitiveness](http://www.international-relations.com/CM8-1/Cyberwar.pdf) | [:closed_book:](../../blob/master/2008/2008.10.02.China_Cyber_Warfare)
* Aug 10 - [[Georgia] Russian Invasion of Georgia Russian Cyberwar on Georgia](http://georgiaupdate.gov.ge/doc/10006922/CYBERWAR-%20fd_2_.pdf) | [:closed_book:](../../blob/master/2008/2008.08.10.Russian_Cyberwar_on_Georgia)
* [[Krebs on Security] "Wicked Rose" and the NCPH Hacking Group](http://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf) | [:closed_book:](../../blob/master/2006/2006.Wicked_Rose)
:small_orange_diamond: Jan 15 2019 - [[Hackmageddon] 2018: A Year of Cyber Attacks](https://www.hackmageddon.com/2019/01/15/2018-a-year-of-cyber-attacks/) | [:closed_book:](../../blob/master/Report/2019.01.15.2018-a-year-of-cyber-attacks) <br>