APT_CyberCriminal_Campagin_.../README.md
cybermonitor 7d77876ac6 fix dupe
APT_CyberCriminal_Campagin_Collections/2016/2016.01.07.Operation_DustySky/Operation DustySky_TLP_WHITE.pdf
APT_CyberCriminal_Campagin_Collections/2018/2018.01.07.Operation_DustySky/Operation DustySky_TLP_WHITE.pdf

APT_CyberCriminal_Campagin_Collections/2016/2016.01.07.Operation_DustySky/DusySky-indicators.xlsx
APT_CyberCriminal_Campagin_Collections/2018/2018.01.07.Operation_DustySky/DusySky-indicators.xlsx
2021-02-01 13:45:46 +08:00


# APT & Cybercriminals Campaign Collection
This is a collection of APT and cybercriminal campaigns.
Please open an issue if any APT/malware events or campaigns are missing.
🤷 The password for malware samples could be 'virus' or 'infected'.
## URL to PDF Tool
* [Print Friendly & PDF](https://www.printfriendly.com/)
## Reference Resources
:small_blue_diamond: [kbandla](https://github.com/kbandla/APTnotes) <br>
:small_blue_diamond: [APTnotes](https://github.com/aptnotes/data) <br>
:small_blue_diamond: [Florian Roth - APT Groups](https://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml) <br>
:small_blue_diamond: [Attack Wiki](https://attack.mitre.org/wiki/Groups) <br>
:small_blue_diamond: [threat-INTel](https://github.com/fdiskyou/threat-INTel) <br>
:small_blue_diamond: [targetedthreats](https://securitywithoutborders.org/resources/targeted-surveillance-reports.html) <br>
:small_blue_diamond: [Raw Threat Intelligence](https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit) <br>
:small_blue_diamond: [APT search](https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc) <br>
:small_blue_diamond: [APT Sample by 0xffff0800](http://0xffff0800.ddns.net/Library/) (https://iec56w4ibovnb4wc.onion.si/) <br>
:small_blue_diamond: [APT Map](https://aptmap.netlify.com/) <br>
:small_blue_diamond: [sapphirex00 - Threat-Hunting](https://github.com/sapphirex00/Threat-Hunting) <br>
:small_blue_diamond: [APTSimulator](https://github.com/NextronSystems/APTSimulator) <br>
:small_blue_diamond: [MITRE ATT&CK: Group](https://attack.mitre.org/groups/) <br>
:small_blue_diamond: [APT_REPORT collected by @blackorbird](https://github.com/blackorbird/APT_REPORT) <br>
:small_blue_diamond: [Analysis of malware and Cyber Threat Intel of APT and cybercriminals groups](https://github.com/StrangerealIntel/CyberThreatIntel) <br>
:small_blue_diamond: [APT_Digital_Weapon](https://github.com/RedDrip7/APT_Digital_Weapon) <br>
:small_blue_diamond: [vx-underground](https://vx-underground.org/apts.html) <br>
## 2021
* Jan 31 - [[JPCERT] A41APT case ~ Analysis of the Stealth APT Campaign Threatening Japan](http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf) | [:closed_book:](../../blob/master/2021/2021.01.31.A41APT)
* Jan 28 - [[ClearSky] “Lebanese Cedar” APT: Global Lebanese Espionage Campaign Leveraging Web Servers](https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf) | [:closed_book:](../../blob/master/2021/2021.01.28.Lebanese_Cedar_APT)
* Jan 20 - [[JPCERT] Commonly Known Tools Used by Lazarus](https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html) | [:closed_book:](../../blob/master/2021/2021.01.20.Commonly_Known_Tools_Lazarus)
* Jan 20 - [[Cyble] A Deep Dive Into Patchwork APT Group](https://cybleinc.com/2021/01/20/a-deep-dive-into-patchwork-apt-group/) | [:closed_book:](../../blob/master/2021/2021.01.20.Deep_Dive_Patchwork)
* Jan 14 - [[Positive] Higaisa or Winnti? APT41 backdoors, old and new](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/) | [:closed_book:](../../blob/master/2021/2021.01.14.Higaisa_or_Winnti_APT41)
* Jan 12 - [[ESET] Operation Spalax: Targeted malware attacks in Colombia](https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/) | [:closed_book:](../../blob/master/2021/2021.01.12.Operation_Spalax)
* Jan 12 - [[Yoroi] Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife](https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/) | [:closed_book:](../../blob/master/2021/2021.01.12.STEELCORGI)
* Jan 12 - [[NCCgroup] Abusing cloud services to fly under the radar](https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/) | [:closed_book:](../../blob/master/2021/2021.01.12.Abusing_cloud_services_Chimera)
* Jan 11 - [[Palo Alto Networks] xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement](https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/) | [:closed_book:](../../blob/master/2021/2021.01.11.xHunt_Campaign)
* Jan 11 - [[CrowdStrike] SUNSPOT: An Implant in the Build Process](https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/) | [:closed_book:](../../blob/master/2021/2021.01.11.SUNSPOT)
* Jan 11 - [[Kaspersky] Sunburst backdoor code overlaps with Kazuar](https://securelist.com/sunburst-backdoor-kazuar/99981/) | [:closed_book:](../../blob/master/2021/2021.01.11.Sunburst_Kazuar)
* Jan 08 - [[Certfa] Charming Kitten's Christmas Gift](https://blog.certfa.com/posts/charming-kitten-christmas-gift/) | [:closed_book:](../../blob/master/2021/2021.01.08.Charming_Kitten_Christmas_Gift)
* Jan 07 - [[Prodaft] Brunhilda DaaS Malware Analysis Report](https://t.co/mzp7NRDIm1?amp=1) | [:closed_book:](../../blob/master/2021/2021.01.07.Brunhilda_DaaS_Malware)
* Jan 06 - [[CISCO] A Deep Dive into Lokibot Infection Chain](https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html) | [:closed_book:](../../blob/master/2021/2021.01.06.Lokibot_Infection_Chain)
* Jan 06 - [[Malwarebytes] Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat](https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/) | [:closed_book:](../../blob/master/2021/2021.01.06.APT37_North_Korean_APT_RokRat)
* Jan 05 - [[QuoIntelligence] ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware](https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/) | [:closed_book:](../../blob/master/2021/2021.01.05.ReconHellcat_APT_BlackSoul_Malware)
* Jan 05 - [[Trend Micro] Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration](https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html) | [:closed_book:](../../blob/master/2021/2021.01.05.Earth_Wendigo_Mailbox_Exfiltration)
* Jan 04 - [[CheckPoint] Stopping Serial Killer: Catching the Next Strike: Dridex](https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/amp/) | [:closed_book:](../../blob/master/2021/2021.01.04.Dridex_Next_Strike)
* Jan 04 - [[Medium] APT27 Turns to Ransomware](https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf) | [:closed_book:](../../blob/master/2021/2021.01.04.APT27_Ransomware)
* Jan 04 - [[Nao-Sec] Royal Road! Re:Dive](https://nao-sec.org/2021/01/royal-road-redive.html) | [:closed_book:](../../blob/master/2021/2021.01.04.Royal_Road_ReDive)
## 2020
* Dec 30 - [[Recorded Future] SolarWinds Attribution: Are We Getting Ahead of Ourselves?](https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf) | [:closed_book:](../../blob/master/2020/2020.12.30.SolarWinds_Attribution)
* Dec 29 - [[Uptycs] Revenge RAT targeting users in South America](https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america) | [:closed_book:](../../blob/master/2020/2020.12.29.Revenge_RAT)
* Dec 23 - [[Kaspersky] Lazarus covets COVID-19-related intelligence](https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/) | [:closed_book:](../../blob/master/2020/2020.12.23.Lazarus_COVID-19)
* Dec 22 - [[Truesec] Collaboration between FIN7 and the RYUK group, a Truesec Investigation](https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/) | [:closed_book:](../../blob/master/2020/2020.12.22.FIN7_RYUK)
* Dec 19 - [[VinCSS] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority](https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1) | [:closed_book:](../../blob/master/2020/2020.12.19.Panda_Vietnam)
* Dec 17 - [[ClearSky] Pay2Kitten](https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf) | [:closed_book:](../../blob/master/2020/2020.12.17.Pay2Kitten)
* Dec 17 - [[ESET] Operation SignSight: Supplychain attack against a certification authority in Southeast Asia](https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/) | [:closed_book:](../../blob/master/2020/2020.12.17.Operation_SignSight)
* Dec 16 - [[Team Cymru] Mapping out AridViper Infrastructure Using Augury's Malware Module](https://team-cymru.com/blog/2020/12/16/mapping-out-aridviper-infrastructure-using-augurys-malware-addon/) | [:closed_book:](../../blob/master/2020/2020.12.16.AridViper_Augury)
* Dec 15 - [[WeiXin] APT-C-47 ClickOnce Operation](https://mp.weixin.qq.com/s/h_MUJfa3QGM9SqT_kzcdHQ) | [:closed_book:](../../blob/master/2020/2020.12.15.APT-C-47_ClickOnce)
* Dec 15 - [[hvs consulting] Greetings from Lazarus Anatomy of a cyber espionage campaign](https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf) | [:closed_book:](../../blob/master/2020/2020.12.15.Lazarus_Campaign)
* Dec 13 - [[Fireeye] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) | [:closed_book:](../../blob/master/2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor)
* Dec 09 - [[Trend Micro] SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks](https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html) | [:closed_book:](../../blob/master/2020/2020.12.09.SideWinder)
* Dec 07 - [[Group-IB] The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer](https://www.group-ib.com/blog/fakesecurity_raccoon) | [:closed_book:](../../blob/master/2020/2020.12.07.FakeSecurity)
* Dec 02 - [[ESET] Turla Crutch: Keeping the “back door” open](https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/) | [:closed_book:](../../blob/master/2020/2020.12.02.Turla_Crutch)
* Dec 03 - [[Telsy] Adversary Tracking Report](https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf) | [:closed_book:](../../blob/master/2020/2020.12.03.Adversary_Tracking_Report)
* Dec 01 - [[CISA] Advanced Persistent Threat Actors Targeting U.S. Think Tanks](https://us-cert.cisa.gov/ncas/alerts/aa20-336a) | [:closed_book:](../../blob/master/2020/2020.12.01.APT_US_Think_Tanks)
* Dec 01 - [[Prevasio] OPERATION RED KANGAROO: INDUSTRY'S FIRST DYNAMIC ANALYSIS OF 4M PUBLIC DOCKER CONTAINER IMAGES](https://blog.prevasio.com/2020/12/operation-red-kangaroo-industrys-first.html) | [:closed_book:](../../blob/master/2020/2020.12.01.Operation_RED_KANGAROO)
* Nov 30 - [[Yoroi] Shadows From the Past Threaten Italian Enterprises](https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/) | [:closed_book:](../../blob/master/2020/2020.11.30.UNC1945)
* Nov 30 - [[Microsoft] Threat actor leverages coin miner techniques to stay under the radar: here's how to spot them](https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/) | [:closed_book:](../../blob/master/2020/2020.11.30.BISMUTH_CoinMiner)
* Nov 27 - [[PTSecurity] Investigation with a twist: an accidental APT attack and averted data destruction](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/) | [:closed_book:](../../blob/master/2020/2020.11.27.Twist_APT27)
* Nov 26 - [[CheckPoint] Bandook: Signed & Delivered](https://research.checkpoint.com/2020/bandook-signed-delivered/) | [:closed_book:](../../blob/master/2020/2020.11.26.Bandook)
* Nov 23 - [[S2W Lab] Analysis of Clop Ransomware suspiciously related to the Recent Incident](https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e) | [:closed_book:](../../blob/master/2020/2020.11.23.Clop_Campaign)
* Nov 19 - [[Cybereason] Cybereason vs. MedusaLocker Ransomware](https://www.cybereason.com/blog/medusalocker-ransomware) | [:closed_book:](../../blob/master/2020/2020.11.19.MedusaLocker_Ransomware)
* Nov 18 - [[KR-CERT] Analysis of the Bookcodes RAT C2 framework starting with spear phishing](https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf) | [:closed_book:](../../blob/master/2020/2020.11.18.Bookcodes_C2)
* Nov 17 - [[Cybereason] CHAES: Novel Malware Targeting Latin American E-Commerce](https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf) | [:closed_book:](../../blob/master/2020/2020.11.17.CHAES)
* Nov 17 - [[Symantec] Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage) | [:closed_book:](../../blob/master/2020/2020.11.17.Cicada_Japan)
* Nov 16 - [[FoxIT] TA505: A Brief History Of Their Time](https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/) | [:closed_book:](../../blob/master/2020/2020.11.16.TA505_History)
* Nov 16 - [[Bitdefender] A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions](https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf) | [:closed_book:](../../blob/master/2020/2020.11.16.Chinese_APT_South_Eastern_Asian)
* Nov 12 - [[CISCO] CRAT wants to plunder your endpoints](https://blog.talosintelligence.com/2020/11/crat-and-plugins.html) | [:closed_book:](../../blob/master/2020/2020.11.12.CRAT_Lazarus)
* Nov 12 - [[BlackBerry] The CostaRicto Campaign: Cyber-Espionage Outsourced](https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced) | [:closed_book:](../../blob/master/2020/2020.11.12.CostaRicto_Campaign)
* Nov 12 - [[ESET] Hungry for data, ModPipe backdoor hits POS software used in hospitality sector](https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/) | [:closed_book:](../../blob/master/2020/2020.11.12.ModPipe_POS_Hospitality-Sector)
* Nov 12 - [[Morphisec] JUPYTER INFOSTEALER](https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction) | [:closed_book:](../../blob/master/2020/2020.11.12.Jupyter_InfoStealer)
* Nov 10 - [[Recorded Future] New APT32 Malware Campaign Targets Cambodian Government](https://www.recordedfuture.com/apt32-malware-campaign/) | [:closed_book:](../../blob/master/2020/2020.11.10.APT32_Cambodian)
* Nov 06 - [[Volexity] OceanLotus: Extending Cyber Espionage Operations Through Fake Websites](https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/) | [:closed_book:](../../blob/master/2020/2020.11.06.OceanLotus_Fake_Websites)
* Nov 04 - [[Sophos] A new APT uses DLL side-loads to “KilllSomeOne”](https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/) | [:closed_book:](../../blob/master/2020/2020.11.04.KilllSomeOne_DLL_APT)
* Nov 02 - [[FireEye] Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945](https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html) | [:closed_book:](../../blob/master/2020/2020.11.02.UNC1945)
* Nov 01 - [[Cyberstanc] A look into APT36's (Transparent Tribe) tradecraft](https://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/) | [:closed_book:](../../blob/master/2020/2020.11.01.Transparent_Tribe_APT)
* Oct 27 - [[US-CERT] North Korean Advanced Persistent Threat Focus: Kimsuky](https://us-cert.cisa.gov/sites/default/files/publications/TLP-WHITE_AA20-301A_North_Korean_APT_Focus_Kimsuky.pdf) | [:closed_book:](../../blob/master/2020/2020.10.27_AA20-301A.North_Korean_APT)
* Oct 26 - [[DrWeb] Study of the ShadowPad APT backdoor and its relation to PlugX](https://news.drweb.com/show/?i=14048&lng=en) | [:closed_book:](../../blob/master/2020/2020.10.26.ShadowPad_APT_backdoor_PlugX)
* Oct 23 - [[360] APT-C-44 NAFox](https://blogs.360.cn/post/APT-C-44.html) | [:closed_book:](../../blob/master/2020/2020.10.23.APT-C-44_NAFox)
* Oct 22 - [[WeiXin] Bitter CHM](https://mp.weixin.qq.com/s/9O4nZV-LNHuBy2ihg2XeIw) | [:closed_book:](../../blob/master/2020/2020.10.22.Bitter_CHM_APT)
* Oct 19 - [[Trend Micro] Operation Earth Kitsune: Tracking SLUB's Current Operations](https://www.trendmicro.com/vinfo/hk-en/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations) | [:closed_book:](../../blob/master/2020/2020.10.19_-_Operation_Earth_Kitsune_-_Tracking_SLUBs_current_operations/2020.10.19_-_Operation_Earth_Kitsune_-_Tracking_SLUBs_current_operations.pdf)
* Oct 15 - [[ClearSky] Operation Quicksand: MuddyWater's Offensive Attack Against Israeli Organizations](https://www.clearskysec.com/operation-quicksand/) | [:closed_book:](../../blob/master/2020/2020.10.15_Operation_Quicksand_MuddyWaters_Offensive_Attack_Against_Israeli/2020.10.15_Operation_Quicksand_MuddyWaters_Offensive_Attack_Against_Israeli.pdf)
* Oct 14 - [[Malwarebytes] Silent Librarian APT right on schedule for 20/21 academic year](https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/) | [:closed_book:](../../blob/master/2020/2020.10.14.Silent_Librarian_APT)
* Oct 13 - [[WeiXin] Operation Rubia cordifolia](https://mp.weixin.qq.com/s/omacDXAdio88a_f0Xwu-kg) | [:closed_book:](../../blob/master/2020/2020.10.13.Operation_Rubia_cordifolia)
* Oct 07 - [[BlackBerry] BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals](https://www.blackberry.com/us/en/company/newsroom/press-releases/2020/blackberry-uncovers-massive-hack-for-hire-group-targeting-governments-businesses-human-rights-groups-and-influential-individuals) | [:closed_book:](../../blob/master/2020/2020.10.07.Massive_Hack-For-Hire_Group)
* Oct 06 - [[Malwarebytes] Release the Kraken: Fileless APT attack abuses Windows Error Reporting service](https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/) | [:closed_book:](../../blob/master/2020/2020.10.06.Kraken_Fileless_APT)
* Oct 05 - [[Kaspersky] MosaicRegressor: Lurking in the Shadows of UEFI](https://securelist.com/mosaicregressor/98849/) | [:closed_book:](../../blob/master/2020/2020.10.05.MosaicRegressor_Lurking_in_the_Shadows_of_UEFI/2020.10.05_-_MosaicRegressor_Lurking_in_the_Shadows_of_UEFI_Securelist_2020.pdf)
* Sep 30 - [[ESET] APTC23 group evolves its Android spyware](https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/) | [:closed_book:](../../blob/master/2020/2020.09.30.APTC23_Android)
* Sep 29 - [[Symantec] Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt) | [:closed_book:](../../blob/master/2020/2020.09.29.Palmerworm)
* Sep 29 - [[PTSecurity] ShadowPad: new activity from the Winnti group](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group/) | [:closed_book:](../../blob/master/2020/2020.09.29_ShadowPad_-_new_activity_from_the_Winnti_group)
* Sep 25 - [[Amnesty] German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed](https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/) | [:closed_book:](../../blob/master/2020/2020.09.25.Finspy_in_Egypt)
* Sep 25 - [[360] APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign](https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/) | [:closed_book:](../../blob/master/2020/2020.09.25.APT-C-43_HpReact_campaign)
* Sep 24 - [[Microsoft] detecting empires in the cloud](https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/) | [:closed_book:](../../blob/master/2020/2020.09.24.Empires_in_the_Cloud)
* Sep 23 - [[Seqrite] Operation SideCopy](https://www.seqrite.com/blog/operation-sidecopy/) | [:closed_book:](../../blob/master/2020/2020.09.23.Operation_SideCopy)
* Sep 22 - [[Quointelligence] APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure](https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/) | [:closed_book:](../../blob/master/2020/2020.09.22.APT28_Zebrocy_Malware_Campaign)
* Sep 21 - [[CISCO] The art and science of detecting Cobalt Strike](https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html) | [:closed_book:](../../blob/master/2020/2020.09.21.coverage-strikes-back-cobalt-strike-paper)
* Sep 17 - [[Qianxin] Operation Tibbar](https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf) | [:closed_book:](../../blob/master/2020/2020.09.17.Operation_Tibbar)
* Sep 16 - [[Intel471] Partners in crime: North Koreans and elite Russian-speaking cybercriminals](https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/) | [:closed_book:](../../blob/master/2020/2020.09.16.Partners_in_crime)
* Sep 08 - [[Microsoft] TeamTNT activity targets Weave Scope deployments](https://techcommunity.microsoft.com/t5/azure-security-center/teamtnt-activity-targets-weave-scope-deployments/ba-p/1645968) | [:closed_book:](../../blob/master/2020/2020.09.08.TeamTNT_Weave-Scope)
* Sep 03 - [[Cybereason] NO REST FOR THE WICKED: EVILNUM UNLEASHES PYVIL RAT](https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat) | [:closed_book:](../../blob/master/2020/2020.09.03.Evilnum_Pyvil)
* Sep 01 - [[proofpoint] Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe](https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic) | [:closed_book:](../../blob/master/2020/2020.09.01.Chinese_APT_TA413)
* Aug 27 - [[ClearSky] The Kittens Are Back in Town 3](https://www.clearskysec.com/the-kittens-are-back-in-town-3/) | [:closed_book:](../../blob/master/2020/2020.08.27.Kittens_Are_Back)
* Aug 28 - [[Kaspersky] Transparent Tribe: Evolution analysis, part 2](https://securelist.com/transparent-tribe-part-2/98233/) | [:closed_book:](../../blob/master/2020/2020.08.28_Transparent_Tribe)
* Aug 24 - [[Kaspersky] Lifting the veil on DeathStalker, a mercenary triumvirate](https://securelist.com/deathstalker-mercenary-triumvirate/98177/) | [:closed_book:](../../blob/master/2020/2020.08.24_DeathStalker)
* Aug 20 - [[CertFR] DEVELOPMENT OF THE ACTIVITY OF THE TA505 CYBERCRIMINAL GROUP](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf) | [:closed_book:](../../blob/master/2020/2020.08.20_DEVELOPMENT_TA505)
* Aug 20 - [[Bitdefender] More Evidence of APT Hackers-for-Hire Used for Industrial Espionage](https://labs.bitdefender.com/2020/08/apt-hackers-for-hire-used-for-industrial-espionage/) | [:closed_book:](../../blob/master/2020/2020.08.20_APT_Hackers_for_Hire)
* Aug 18 - [[F-Secure] LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL](https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf) | [:closed_book:](../../blob/master/2020/2020.08.18.LAZARUS_GROUP)
* Aug 13 - [[Kaspersky] CactusPete APT group's updated Bisonal backdoor](https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/) | [:closed_book:](../../blob/master/2020/2020.08.13.CactusPete_APT)
* Aug 13 - [[ClearSky] Operation Dream Job Widespread North Korean Espionage Campaign](https://www.clearskysec.com/operation-dream-job/) | [:closed_book:](../../blob/master/2020/2020.08.13.Operation_Dream_Job)
* Aug 13 - [[CISA] Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware](https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF) | [:closed_book:](../../blob/master/2020/2020.08.13.Russian_GRU_85th_GTsSS)
* Aug 12 - [[Kaspersky] Internet Explorer and Windows zero-day exploits used in Operation PowerFall](https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/) | [:closed_book:](../../blob/master/2020/2020.08.12.Operation_PowerFall)
* Aug 10 - [[Seqrite] Gorgon APT targeting MSME sector in India](https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/) | [:closed_book:](../../blob/master/2020/2020.08.10.Gorgon_APT)
* Aug 03 - [[CISA] MAR-10292089-1.v2 Chinese Remote Access Trojan: TAIDOOR](https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a) | [:closed_book:](../../blob/master/2020/2020.08.03.TAIDOOR)
* Jul 29 - [[McAfee] Operation North Star: A Job Offer That's Too Good to be True?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/) | [:closed_book:](../../blob/master/2020/2020.07.29.Operation_North_Star)
* Jul 28 - [[Group-IB] JOLLY ROGERS PATRONS](https://www.group-ib.com/resources/threat-research/black-jack.html) | [:closed_book:](../../blob/master/2020/2020.07.28.black-jack)
* Jul 22 - [[Palo Alto Network] OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory](https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/) | [:closed_book:](../../blob/master/2020/2020.07.22.OilRig_Middle_Eastern_Telecommunication)
* Jul 22 - [[Kaspersky] MATA: Multi-platform targeted malware framework](https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/) | [:closed_book:](../../blob/master/2020/2020.07.22_MATA_APT)
* Jul 20 - [[Dr.Web] Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan](https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf) | [:closed_book:](../../blob/master/2020/2020.07.20.APT_attacks_Kazakhstan_Kyrgyzstan)
* Jul 17 - [[CERT-FR] THE MALWARE DRIDEX: ORIGINS AND USES](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf) | [:closed_book:](../../blob/master/2020/2020.07.17.DRIDEX)
* Jul 16 - [[NCSC] Advisory: APT29 targets COVID-19 vaccine development](https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development) | [:closed_book:](../../blob/master/2020/2020.07.16.apt29-targets-covid-19-vaccine-development)
* Jul 15 - [[F-Secure] THE FAKE CISCO: Hunting for backdoors in Counterfeit Cisco devices](https://labs.f-secure.com/assets/BlogFiles/2020-07-the-fake-cisco.pdf) | [:closed_book:](../../blob/master/2020/2020.07.15_the_Fake_CISCO)
* Jul 14 - [[Telsy] TURLA / VENOMOUS BEAR UPDATES ITS ARSENAL: “NEWPASS” APPEARS ON THE APT THREAT SCENE](https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/) | [:closed_book:](../../blob/master/2020/2020.07.14_Turla_VENOMOUS_BEAR)
* Jul 14 - [[ESET] Welcome Chat as a secure messaging app? Nothing could be further from the truth](https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/) | [:closed_book:](../../blob/master/2020/2020.07.14_Molerats_Middle_East_APT)
* Jul 12 - [[WeiXin] SideWinder 2020 H1](https://mp.weixin.qq.com/s/5mBqxf_v6G006EnjECoTHw) | [:closed_book:](../../blob/master/2020/2020.07.12_SideWinder_2020_H1)
* Jul 09 - [[AGARI] Cosmic Lynx: The Rise of Russian BEC](https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf) | [:closed_book:](../../blob/master/2020/2020.07.09_Cosmic_Lynx)
* Jul 09 - [[ESET] More evil: A deep look at Evilnum and its toolset](https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/) | [:closed_book:](../../blob/master/2020/2020.07.09_Evilnum_Toolset)
* Jul 08 - [[Sebdraven] Copy cat of APT Sidewinder ?](https://medium.com/@Sebdraven/copy-cat-of-apt-sidewinder-1893059ca68d) | [:closed_book:](../../blob/master/2020/2020.07.08.Copy_Cat_of_Sidewinder)
* Jul 08 - [[proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new) | [:closed_book:](../../blob/master/2020/2020.07.08.TA410)
* Jul 08 - [[Seqrite] Operation Honey Trap: APT36 Targets Defense Organizations in India](https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/) | [:closed_book:](../../blob/master/2020/2020.07.08_Operation_Honey_Trap)
* Jul 06 - [[Sansec] North Korean hackers are skimming US and European shoppers](https://sansec.io/research/north-korea-magecart) | [:closed_book:](../../blob/master/2020/2020.07.06_North_Korean_Magecart)
* Jul 01 - [[Lookout] Mobile APT Surveillance Campaigns Targeting Uyghurs](https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf) | [:closed_book:](../../blob/master/2020/2020.07.01.Mobile_APT_Uyghurs)
* Jun 30 - [[Bitdefender] StrongPity APT Revealing Trojanized Tools, Working Hours and Infrastructure](https://labs.bitdefender.com/2020/06/strongpity-apt-revealing-trojanized-tools-working-hours-and-infrastructure/) | [:closed_book:](../../blob/master/2020/2020.06.30_StrongPity_APT)
* Jun 29 - [[CISCO] PROMETHIUM extends global reach with StrongPity3 APT](https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html) | [:closed_book:](../../blob/master/2020/2020.06.29.PROMETHIUM_StrongPity3_APT)
* Jun 26 - [[Symantec] WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us) | [:closed_book:](../../blob/master/2020/2020.06.26_WastedLocker_Attack)
* Jun 25 - [[Elastic] A close look at the advanced techniques used in a Malaysian-focused APT campaign](https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign) | [:closed_book:](../../blob/master/2020/2020.06.25.Malaysian-focused-APT_campaign)
* Jun 24 - [[Dell] BRONZE VINEWOOD Targets Supply Chains](https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains) | [:closed_book:](../../blob/master/2020/2020.06.24.BRONZE_VINEWOOD)
* Jun 23 - [[NCCGroup] WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group](https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/) | [:closed_book:](../../blob/master/2020/2020.06.23.WastedLocker_Evil_Corp_Group)
* Jun 19 - [[Zscaler] Targeted Attack Leverages India-China Border Dispute to Lure Victims](https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims) | [:closed_book:](../../blob/master/2020/2020.06.19.India-China_Border_Dispute_APT)
* Jun 18 - [[ESET] Digging up InvisiMole's hidden arsenal](https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/) | [:closed_book:](../../blob/master/2020/2020.06.18.InvisiMole_hidden_arsenal)
* Jun 17 - [[ESET] Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies](https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/) | [:closed_book:](../../blob/master/2020/2020.06.17.Operation_Interception)
* Jun 17 - [[Palo Alto] AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations](https://unit42.paloaltonetworks.com/acidbox-rare-malware/) | [:closed_book:](../../blob/master/2020/2020.06.17.AcidBox)
* Jun 17 - [[Malwarebytes] Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature](https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/) | [:closed_book:](../../blob/master/2020/2020.06.17.malleable-c2-feature_APT)
* Jun 16 - [[PTSecurity] Cobalt: tactics and tools update](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/) | [:closed_book:](../../blob/master/2020/2020.06.16.Cobalt_Update)
* Jun 15 - [[Amnesty] India: Human Rights Defenders Targeted by a Coordinated Spyware Operation](https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/) | [:closed_book:](../../blob/master/2020/2020.06.15.india-human-rights-defenders-targeted)
* Jun 11 - [[Trend Micro] New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa](https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/) | [:closed_book:](../../blob/master/2020/2020.06.11.Earth_Empusa)
* Jun 11 - [[ESET] Gamaredon group grows its game](https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/) | [:closed_book:](../../blob/master/2020/2020.06.11.Gamaredon_group)
* Jun 08 - [[Proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new) | [:closed_book:](../../blob/master/2020/2020.06.08.TA410)
* Jun 08 - [[CheckPoint] GuLoader? No, CloudEyE](https://research.checkpoint.com/2020/guloader-cloudeye/) | [:closed_book:](../../blob/master/2020/2020.06.08.GuLoader_CloudEyE)
* Jun 03 - [[Malwarebytes] New LNK attack tied to Higaisa APT discovered](https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/) | [:closed_book:](../../blob/master/2020/2020.06.03.Higaisa_APT)
* Jun 03 - [[Kaspersky] Cycldek: Bridging the (air) gap](https://securelist.com/cycldek-bridging-the-air-gap/97157/) | [:closed_book:](../../blob/master/2020/2020.06.03.Cycldek)
* May 29 - [[IronNet] Russian Cyber Attack Campaigns and Actors](https://ironnet.com/blog/russian-cyber-attack-campaigns-and-actors/) | [:closed_book:](../../blob/master/2020/2020.05.29_russian-cyber-attack-campaigns-and-actors)
* May 28 - [[Kaspersky] The zero-day exploits of Operation WizardOpium](https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/) | [:closed_book:](../../blob/master/2020/2020.05.28_Operation_WizardOpium)
* May 26 - [[ESET] From Agent.BTZ to ComRAT v4: A ten-year journey](https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/) | [:closed_book:](../../blob/master/2020/2020.05.26_From_Agent.BTZ_to_ComRAT)
* May 21 - [[Intezer] The Evolution of APT15's Codebase 2020](https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/) | [:closed_book:](../../blob/master/2020/2020.05.21.APT15_Codebase_2020)
* May 21 - [[Bitdefender] Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia](https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf) | [:closed_book:](../../blob/master/2020/2020.05.21.Iranian_Chafer_APT)
* May 21 - [[ESET] No “Game over” for the Winnti Group](https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/) | [:closed_book:](../../blob/master/2020/2020.05.21.No_Game_Over_Winnti)
* May 19 - [[Symantec] Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia) | [:closed_book:](../../blob/master/2020/2020.05.19.Greenbug_South_Asia)
* May 18 - [[360] APT-C-23 Middle East](https://blogs.360.cn/post/APT-C-23_target_at_Middle_East.html) | [:closed_book:](../../blob/master/2020/2020.05.18_APT-C-23)
* May 14 - [[Telekom] LOLSnif Tracking Another Ursnif-Based Targeted Campaign](https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062) | [:closed_book:](../../blob/master/2020/2020.05.14.LOLSnif)
* May 14 - [[Sophos] RATicate: an attacker's waves of information-stealing malware](https://news.sophos.com/en-us/2020/05/14/raticate/) | [:closed_book:](../../blob/master/2020/2020.05.14.RATicate)
* May 14 - [[360] Vendetta-new threat actor from Europe](https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/) | [:closed_book:](../../blob/master/2020/2020.05.14.Vendetta_APT)
* May 14 - [[ESET] Mikroceen: Spying backdoor leveraged in high-profile networks in Central Asia](https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/) | [:closed_book:](../../blob/master/2020/2020.05.14.Mikroceen)
* May 14 - [[Avast] APT Group Planted Backdoors Targeting High Profile Networks in Central Asia](https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/?utm_source=rss&utm_medium=rss&utm_campaign=apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia) | [:closed_book:](../../blob/master/2020/2020.05.14.Central_Asia_APT)
* May 14 - [[Kaspersky] COMpfun authors spoof visa application with HTTP status-based Trojan](https://securelist.com/compfun-http-status-based-trojan/96874/) | [:closed_book:](../../blob/master/2020/2020.05.14.COMpfun)
* May 13 - [[ESET] Ramsay: A cyber-espionage toolkit tailored for air-gapped networks](https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/) | [:closed_book:](../../blob/master/2020/2020.05.13.Ramsay)
* May 12 - [[Trend Micro] Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/?utm_source=trendmicroresearch&utm_medium=smk&utm_campaign=0520_tropic-trooper) | [:closed_book:](../../blob/master/2020/2020.05.12.Tropic_Trooper_Back)
* May 11 - [[Zscaler] Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT](https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat) | [:closed_book:](../../blob/master/2020/2020.05.11.JsOutProx_RAT_Targeted_Attacks)
* May 11 - [[Palo Alto] Updated BackConfig Malware Targeting Government and Military Organizations in South Asia](https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/) | [:closed_book:](../../blob/master/2020/2020.05.11_BackConfig_South_Asia)
* May 07 - [[RedCanary] Introducing Blue Mockingbird](https://redcanary.com/blog/blue-mockingbird-cryptominer/) | [:closed_book:](../../blob/master/2020/2020.05.07_Blue_Mockingbird)
* May 07 - [[CheckPoint] Naikon APT: Cyber Espionage Reloaded](https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/) | [:closed_book:](../../blob/master/2020/2020.05.07_Naikon_APT_Reloaded)
* May 06 - [[Prevailion] Phantom in the Command Shell](https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html) | [:closed_book:](../../blob/master/2020/2020.05.06_Phantom_EVILNUM)
* May 06 - [[CyberStruggle] Leery Turtle Threat Report](https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf) | [:closed_book:](../../blob/master/2020/2020.05.06_Leery_Turtle)
* May 05 - [[CheckPoint] Nazar: Spirits of the Past](https://research.checkpoint.com/2020/nazar-spirits-of-the-past/) | [:closed_book:](../../blob/master/2020/2020.05.05.Nazar_APT)
* Apr 29 - [[Recorded Future] Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests](https://go.recordedfuture.com/hubfs/reports/cta-2020-0429.pdf) | [:closed_book:](../../blob/master/2020/2020.04.29.Chinese_Influence_Operations_Taiwanese_Elections_Hong_Kong_Protests)
* Apr 28 - [[Yoroi] Outlaw is Back, a New Crypto-Botnet Targets European Organizations](https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/) | [:closed_book:](../../blob/master/2020/2020.04.28_Outlaw_is_Back)
* Apr 28 - [[ESET] Grandoreiro: How engorged can an EXE get?](https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/) | [:closed_book:](../../blob/master/2020/2020.04.28.Grandoreiro)
* Apr 24 - [[LAC JP] PoshC2](https://www.lac.co.jp/lacwatch/people/20200424_002177.html) | [:closed_book:](../../blob/master/2020/2020.04.24_PoshC2_APT)
* Apr 21 - [[Volexity] Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant](https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/) | [:closed_book:](../../blob/master/2020/2020.04.21.evil-eye-threat-actor)
* Apr 20 - [[QuoIntelligence] WINNTI GROUP: Insights From the Past](https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/) | [:closed_book:](../../blob/master/2020/2020.04.20_Winnti_from_the_past)
* Apr 17 - [[Trend Micro] Gamaredon APT Group Use Covid-19 Lure in Campaigns](https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns) | [:closed_book:](../../blob/master/2020/2020.04.17_Gamaredon_APT_Covid-19)
* Apr 16 - [[Trend Micro] Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems](https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/) | [:closed_book:](../../blob/master/2020/2020.04.16_Exposing_Modular_Adware)
* Apr 16 - [[White Ops] Giving Fraudsters the Cold Shoulder: Inside the Largest Connected TV Bot Attack](https://www.whiteops.com/blog/giving-fraudsters-the-cold-shoulder-inside-the-largest-connected-tv-bot-attack) | [:closed_book:](../../blob/master/2020/2020.04.16_ICEBUCKET_TV_Bot_Attack)
* Apr 16 - [[CyCraft] Taiwan High-Tech Ecosystem Targeted by Foreign APT Group](https://cycraft.com/download/%5BTLP-Green%5D20200415%20Chimera_V4.1.pdf) | [:closed_book:](../../blob/master/2020/2020.04.16_Taiwan_High-Tech_APT)
* Apr 15 - [[Lookout] Nation-state Mobile Malware Targets Syrians with COVID-19 Lures](https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures) | [:closed_book:](../../blob/master/2020/2020.04.15_COVID-19_Lures_Syrians)
* Apr 15 - [[Cycraft] Craft for Resilience: APT Group Chimera](https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf) | [:closed_book:](../../blob/master/2020/2020.04.15_Chimera_APT)
* Apr 07 - [[MalwareBytes] APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure](https://resources.malwarebytes.com/files/2020/04/200407-MWB-COVID-White-Paper_Final.pdf) | [:closed_book:](../../blob/master/2020/2020.04.07_APTs_COVID-19)
* Apr 07 - [[Zscaler] New Ursnif Campaign: A Shift from PowerShell to Mshta](https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta) | [:closed_book:](../../blob/master/2020/2020.04.07_New_Ursnif_Campaign)
* Apr 07 - [[BlackBerry] Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android](https://blogs.blackberry.com/en/2020/04/decade-of-the-rats) | [:closed_book:](../../blob/master/2020/2020.04.07_Decade_of_the_RATs)
* Mar 30 - [[Alyac] The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection](https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf) | [:closed_book:](../../blob/master/2020/2020.03.30_Spy_Cloud_Operation)
* Mar 26 - [[Kaspersky] iOS exploit chain deploys LightSpy feature-rich malware](https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/) | [:closed_book:](../../blob/master/2020/2020.03.26_LightSpy_TwoSail_Junk_APT)
* Mar 25 - [[FireEye] This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html) | [:closed_book:](../../blob/master/2020/2020.03.25_APT41-initiates-global-intrusion-campaign)
* Mar 24 - [[Kaspersky] WildPressure targets industrial-related entities in the Middle East](https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/) | [:closed_book:](../../blob/master/2020/2020.03.24_WildPressure)
* Mar 24 - [[Trend Micro] Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/) | [:closed_book:](../../blob/master/2020/2020.03.24_Operation_Poisoned_News)
* Mar 19 - [[Trend Micro] Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/probing-pawn-storm-cyberespionage-campaign-through-scanning-credential-phishing-and-more) | [:closed_book:](../../blob/master/2020/2020.03.19_Probing_Pawn_Storm)
* Mar 15 - [[MalwareBytes] APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT](https://blog.malwarebytes.com/threat-analysis/2020/03/apt36-jumps-on-the-coronavirus-bandwagon-delivers-crimson-rat/) | [:closed_book:](../../blob/master/2020/2020.03.15_APT36_Crimson_RAT)
* Mar 12 - [[Checkpoint] Vicious Panda: The COVID Campaign](https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/) | [:closed_book:](../../blob/master/2020/2020.03.12_Vicious_Panda)
* Mar 12 - [[SecPulse] Two-tailed scorpion APT-C-23](https://www.secpulse.com/archives/125292.html) | [:closed_book:](../../blob/master/2020/2020.03.12_Two-tailed_scorpion)
* Mar 12 - [[ESET] Tracking Turla: New backdoor delivered via Armenian watering holes](https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes) | [:closed_book:](../../blob/master/2020/2020.03.12_Tracking_Turla)
* Mar 11 - [[Trend Micro] Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/) | [:closed_book:](../../blob/master/2020/2020.03.11.Operation_Overtrap)
* Mar 10 - [[Cybereason] WHO'S HACKING THE HACKERS: NO HONOR AMONG THIEVES](https://www.cybereason.com/blog/whos-hacking-the-hackers-no-honor-among-thieves) | [:closed_book:](../../blob/master/2020/2020.03.10.WHO_HACKING_THE_HACKERS)
* Mar 05 - [[Trend Micro] Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks](https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/) | [:closed_book:](../../blob/master/2020/2020.03.05_Dissecting_Geost)
* Mar 05 - [[ESET] Guildma: The Devil drives electric](https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/) | [:closed_book:](../../blob/master/2020/2020.03.05_Guildma)
* Mar 03 - [[F5] New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution](https://www.f5.com/labs/articles/threat-intelligence/new-perl-botnet--tuyul--found-with-possible-indonesian-attributi) | [:closed_book:](../../blob/master/2020/2020.03.03_Tuyul_Botnet_Indonesian)
* Mar 03 - [[Yoroi] The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs](https://blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/) | [:closed_book:](../../blob/master/2020/2020.03.03_Kimsuky_APT)
* Mar 02 - [[Telsy] APT34 (AKA OILRIG, AKA HELIX KITTEN) ATTACKS LEBANON GOVERNMENT ENTITIES WITH MAILDROPPER IMPLANTS](https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/) | [:closed_book:](../../blob/master/2020/2020.03.02_APT34_MAILDROPPER)
* Feb 28 - [[Qianxin] Nortrom_Lion_APT](https://ti.qianxin.com/blog/articles/who-is-the-next-silent-lamb-nuo-chong-lions-apt-organization-revealed/) | [:closed_book:](../../blob/master/2020/2020.02.28_Nortrom_Lion_APT)
* Feb 25 - [[Sophos] Cloud Snooper Attack Bypasses Firewall Security Measures](https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/) | [:closed_book:](../../blob/master/2020/2020.02.25_Cloud_Snooper)
* Feb 22 - [[Objective-See] Weaponizing a Lazarus Group Implant](https://objective-see.com/blog/blog_0x54.html) | [:closed_book:](../../blob/master/2020/2020.02.22_Lazarus_Group_Weaponizing)
* Feb 21 - [[AhnLab] MyKings Botnet](http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf) | [:closed_book:](../../blob/master/2020/2020.02.21_MyKings_Botnet)
* Feb 19 - [[Lexfo] The Lazarus Constellation](https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf) | [:closed_book:](../../blob/master/2020/2020.02.19_The_Lazarus_Constellation)
* Feb 18 - [[Trend Micro] Operation DRBControl](https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf) | [:closed_book:](../../blob/master/2020/2020.02.18_Operation_DRBControl)
* Feb 17 - [[Yoroi] Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign](https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/) | [:closed_book:](../../blob/master/2020/2020.02.17.Cyberwarfare_Gamaredon_Campaign)
* Feb 17 - [[Talent-Jump] CLAMBLING - A New Backdoor Base On Dropbox (EN)](http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/) | [:closed_book:](../../blob/master/2020/2020.02.17_CLAMBLING_Dropbox_Backdoor)
* Feb 17 - [[ClearSky] Fox Kitten Campaign](https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf) | [:closed_book:](../../blob/master/2020/2020.02.17_Fox_Kitten_Campaign)
* Feb 13 - [[Cybereason] NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS - PART 2: THE DISCOVERY OF THE NEW, MYSTERIOUS PIEROGI BACKDOOR](https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor?utm_content=116986912&utm_medium=social&utm_source=twitter&hss_channel=tw-835463838) | [:closed_book:](../../blob/master/2020/2020.02.13.PIEROGI_BACKDOOR_APT)
* Feb 10 - [[Trend Micro] Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems](https://blog.trendmicro.com/trendlabs-security-intelligence/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems/) | [:closed_book:](../../blob/master/2020/2020.02.10_Outlaw_Updates)
* Feb 03 - [[PaloAlto Networks] Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations](https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/) | [:closed_book:](../../blob/master/2020/2020.02.03.SharePoint_Vulnerability_Middle_East)
* Jan XX - [[IBM] New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East](https://www.ibm.com/downloads/cas/OAJ4VZNJ) | [:closed_book:](../../blob/master/2020/2020.01.xx.ZeroCleare_Wiper)
* Jan 31 - [[ESET] Winnti Group targeting universities in Hong Kong](https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/) | [:closed_book:](../../blob/master/2020/2020.01.31.Winnti_universities_in_HK)
* Jan 16 - [[CISCO] JhoneRAT: Cloud based python RAT targeting Middle Eastern countries](https://blog.talosintelligence.com/2020/01/jhonerat.html) | [:closed_book:](../../blob/master/2020/2020.01.16.JhoneRAT)
* Jan 13 - [[ShellsSystems] Reviving MuddyC3 Used by MuddyWater (IRAN) APT](https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/) | [:closed_book:](../../blob/master/2020/2020.01.13.muddyc3.Revived)
* Jan 13 - [[Lab52] APT27 ZxShell RootKit module updates](https://lab52.io/blog/apt27-rootkit-updates/) | [:closed_book:](../../blob/master/2020/2020.01.13.APT27_ZxShell_RootKit)
* Jan 09 - [[Dragos] The State of Threats to Electric Entities in North America](https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf) | [:closed_book:](../../blob/master/2020/2020.01.09.NA-EL-Threat-Perspective)
* Jan 08 - [[Kaspersky] Operation AppleJeus Sequel](https://securelist.com/operation-applejeus-sequel/95596/) | [:closed_book:](../../blob/master/2020/2020.01.08_Operation_AppleJeus_Sequel)
* Jan 07 - [[Recorded Future] Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access](https://www.recordedfuture.com/iranian-cyber-response/?utm_content=111464182) | [:closed_book:](../../blob/master/2020/2020.01.07_Iranian_Cyber_Response)
* Jan 07 - [[NCA] Destructive Attack: DUSTMAN](https://github.com/blackorbird/APT_REPORT/blob/master/International%20Strategic/Iran/Saudi-Arabia-CNA-report.pdf) | [:closed_book:](../../blob/master/2020/2020.01.07_Destructive_Attack_DUSTMAN)
* Jan 06 - [[Trend Micro] First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group](https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/) | [:closed_book:](../../blob/master/2020/2020.01.06.SideWinder_Google_Play)
* Jan 01 - [[WeiXin] Pakistan Sidewinder APT Attack](https://mp.weixin.qq.com/s/CZrdslzEs4iwlaTzJH7Ubg) | [:closed_book:](../../blob/master/2020/2020.01.01.SideWinder_APT)
## 2019
* Dec 29 - [[Dell] BRONZE PRESIDENT Targets NGOs](https://www.secureworks.com/research/bronze-president-targets-ngos) | [:closed_book:](../../blob/master/2019/2019.12.29_BRONZE_PRESIDENT_NGO)
* Dec 26 - [[Pedro Tavares] Targeting Portugal: A new trojan Lampion has spread using template emails from the Portuguese Government Finance & Tax](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/) | [:closed_book:](../../blob/master/2019/2019.12.26.Trojan-Lampion)
* Dec 19 - [[FoxIT] Operation Wocao](https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wacao.pdf) | [:closed_book:](../../blob/master/2019/2019.12.19.Operation_Wocao)
* Dec 17 - [[PaloAlto] Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia](https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/) | [:closed_book:](../../blob/master/2019/2019.12.17.Rancor)
* Dec 17 - [[360] Dacls, the Dual platform RAT](https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/) | [:closed_book:](../../blob/master/2019/2019.12.17.Dacls_RAT)
* Dec 16 - [[Sophos] MyKings: The Slow But Steady Growth of a Relentless Botnet](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-uncut-mykings-report.pdf) | [:closed_book:](../../blob/master/2019/2019.12.16.MyKings)
* Dec 12 - [[Trend Micro] Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry](https://documents.trendmicro.com/assets/white_papers/wp-drilling-deep-a-look-at-cyberattacks-on-the-oil-and-gas-industry.pdf) | [:closed_book:](../../blob/master/2019/2019.12.12.Drilling_Deep)
* Dec 12 - [[Microsoft] GALLIUM: Targeting global telecom](https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/) | [:closed_book:](../../blob/master/2019/2019.12.12.GALLIUM)
* Dec 12 - [[Recorded Future] Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs](https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf) | [:closed_book:](../../blob/master/2019/2019.12.12.Operation_Gamework)
* Dec 11 - [[Trend Micro] Waterbear is Back, Uses API Hooking to Evade Security Product Detection](https://blog.trendmicro.com/trendlabs-security-intelligence/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection/) | [:closed_book:](../../blob/master/2019/2019.12.11.Waterbear_Back)
* Dec 11 - [[Cybereason] DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE](https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware) | [:closed_book:](../../blob/master/2019/2019.12.11_DROPPING_ANCHOR)
* Dec 10 - [[Sentinel] Anchor Project: The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT](https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/#report) | [:closed_book:](../../blob/master/2019/2019.12.10_TrickBot_Planeswalker)
* Dec 06 - [[SCILabs] Cosmic Banker campaign is still active revealing link with Banload malware](https://blog.scilabs.mx/cosmic-banker-campaign-is-still-active-revealing-link-with-banload-malware/) | [:closed_book:](../../blob/master/2019/2019.12.06.Cosmic_Banker_campaign)
* Dec 04 - [[IBM] New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East](https://www.ibm.com/downloads/cas/OAJ4VZNJ) | [:closed_book:](../../blob/master/2019/2019.12.04.ZeroCleare)
* Dec 04 - [[Trend Micro] Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign](https://blog.trendmicro.com/trendlabs-security-intelligence/obfuscation-tools-found-in-the-capesand-exploit-kit-possibly-used-in-kurdishcoder-campaign/) | [:closed_book:](../../blob/master/2019/2019.12.04.KurdishCoder_Campaign)
* Dec 03 - [[NSHC] Threat Actor Targeting Hong Kong Pro-Democracy Figures](https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/) | [:closed_book:](../../blob/master/2019/2019.12.03.Hong_Kong_Pro-Democracy)
* Nov 29 - [[Trend Micro] Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick) | [:closed_book:](../../blob/master/2019/2019.11.29.Operation_ENDTRADE)
* Nov 28 - [[Kaspersky] RevengeHotels: cybercrime targeting hotel front desks worldwide](https://securelist.com/revengehotels/95229/) | [:closed_book:](../../blob/master/2019/2019.11.28.RevengeHotels)
* Nov 26 - [[Microsoft] Insights from one year of tracking a polymorphic threat: Dexphot](https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/) | [:closed_book:](../../blob/master/2019/2019.11.26.Dexphot)
* Nov 25 - [[Positive] Studying Donot Team](http://blog.ptsecurity.com/2019/11/studying-donot-team.html) | [:closed_book:](../../blob/master/2019/2019.11.25_Donot_Team)
* Nov 21 - [[ESET] Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon](https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/) | [:closed_book:](../../blob/master/2019/2019.11.21.DePriMon)
* Nov 20 - [[360] Golden Eagle (APT-C-34)](http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html) | [:closed_book:](../../blob/master/2019/2019.11.20.Golden_Eagle_APT-C-34)
* Nov 20 - [[Trend Micro] Mac Backdoor Linked to Lazarus Targets Korean Users](https://blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/) | [:closed_book:](../../blob/master/2019/2019.11.20.Mac_Lazarus)
* Nov 13 - [[Trend Micro] More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting](https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/) | [:closed_book:](../../blob/master/2019/2019.11.13.APT33_Extreme_Narrow_Targeting)
* Nov 12 - [[Marco Ramilli] TA-505 Cybercrime on System Integrator Companies](https://marcoramilli.com/2019/11/12/ta-505-cybercrime-on-system-integrator-companies/) | [:closed_book:](../../blob/master/2019/2019.11.12_TA-505_On_SI)
* Nov 08 - [[Group-IB] Massive malicious campaign by FakeSecurity JS-sniffer](https://www.group-ib.com/blog/fakesecurity) | [:closed_book:](../../blob/master/2019/2019.11.08_FakeSecurity_JS-sniffer)
* Nov 08 - [[Kaspersky] Titanium: the Platinum group strikes again](https://securelist.com/titanium-the-platinum-group-strikes-again/94961/) | [:closed_book:](../../blob/master/2019/2019.11.08_Titanium_Action_Platinum_group)
* Nov 05 - [[Telsy] THE LAZARUS GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE ?](https://blog.telsy.com/the-lazarus-gaze-to-the-world-what-is-behind-the-first-stone/) | [:closed_book:](../../blob/master/2019/2019.11.05.LAZARUS_GAZE)
* Nov 04 - [[Tencent] Higaisa APT](https://s.tencent.com/research/report/836.html) | [:closed_book:](../../blob/master/2019/2019.11.04.Higaisa_APT)
* Nov 04 - [[Marcoramilli] Is Lazarus/APT38 Targeting Critical Infrastructures](https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures) | [:closed_book:](../../blob/master/2019/2019.11.04.Lazarus_APT38)
* Nov 01 - [[Kaspersky] Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium](https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/) | [:closed_book:](../../blob/master/2019/2019.11.1.Operation_WizardOpium)
* Oct 31 - [[PTsecurity] Calypso APT: new group attacking state institutions](https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/) | [:closed_book:](../../blob/master/2019/2019.10.31.Calypso_APT)
* Oct 31 - [[Fireeye] MESSAGETAP: Who's Reading Your Text Messages?](https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html) | [:closed_book:](../../blob/master/2019/2019.10.31.MESSAGETAP)
* Oct 28 - [[Marco Ramilli] SWEED Targeting Precision Engineering Companies in Italy](https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/) | [:closed_book:](../../blob/master/2019/2019.10.28_SWEED_Italy)
* Oct 21 - [[ESET] Winnti Group's skip-2.0: A Microsoft SQL Server backdoor](https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/) | [:closed_book:](../../blob/master/2019/2019.10.21.Winnti_skip_2.0)
* Oct 21 - [[VB] Geost botnet. The story of the discovery of a new Android banking trojan from an OpSec error](https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Garcia-etal.pdf) | [:closed_book:](../../blob/master/2019/2019.10.21_Geost_botnet)
* Oct 17 - [[ESET] Operation Ghost: The Dukes aren't back - they never left](https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/) | [:closed_book:](../../blob/master/2019/2019.10.17.Operation_Ghost)
* Oct 15 - [[Fireeye] LOWKEY: Hunting for the Missing Volume Serial ID](https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html) | [:closed_book:](../../blob/master/2019/2019.10.15.LOWKEY)
* Oct 14 - [[Marco Ramilli] Is Emotet gang targeting companies with external SOC?](https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/) | [:closed_book:](../../blob/master/2019/2019.10.14.Emotet_external_SOC)
* Oct 14 - [[Exatrack] From tweet to rootkit](https://exatrack.com/public/winnti_EN.pdf) | [:closed_book:](../../blob/master/2019/2019.10.14.From_tweet_to_rootkit)
* Oct 14 - [[Crowdstrike] HUGE FAN OF YOUR WORK: TURBINE PANDA](https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf) | [:closed_book:](../../blob/master/2019/2019.10.14.TURBINE_PANDA)
* Oct 10 - [[Fireeye] Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques](https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html) | [:closed_book:](../../blob/master/2019/2019.10.10.Fin7)
* Oct 10 - [[ESET] CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group](https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf) | [:closed_book:](../../blob/master/2019/2019.10.10.Winnti_Group)
* Oct 10 - [[ESET] Attor, a spy platform with curious GSM fingerprinting](https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/) | [:closed_book:](../../blob/master/2019/2019.10.10.Attor_GSM_fingerprinting_spy_platform)
* Oct 09 - [[Trend Micro] FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops](https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/) | [:closed_book:](../../blob/master/2019/2019.10.09_FIN6_Magecart)
* Oct 07 - [[CERT-FR] Supply chain attacks: threats targeting service providers and design offices](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-CTI-005.pdf) | [:closed_book:](../../blob/master/2019/2019.10.07.Supply_Chain_Attacks)
* Oct 07 - [[Clearsky] The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods](https://www.clearskysec.com/the-kittens-are-back-in-town-2/) | [:closed_book:](../../blob/master/2019/2019.10.07.Charming_Kitten_Back_in_Town_2)
* Oct 07 - [[Anomali] China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations](https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations) | [:closed_book:](../../blob/master/2019/2019.10.07.Panda_minority-groups)
* Oct 04 - [[Avast] GEOST BOTNET. THE STORY OF THE DISCOVERY OF A NEW ANDROID BANKING TROJAN FROM AN OPSEC ERROR](http://public.avast.com/research/VB2019-Garcia-etal.pdf) | [:closed_book:](../../blob/master/2019/2019.10.04.GEOST_BOTNET)
* Oct 03 - [[Palo Alto Networks] PKPLUG: Chinese Cyber Espionage Group Attacking Asia](https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/) | [:closed_book:](../../blob/master/2019/2019.10.03.PKPLUG)
* Oct 01 - [[Netskope] New Adwind Campaign targets US Petroleum Industry](https://www.netskope.com/blog/new-adwind-campaign-targets-us-petroleum-industry-2) | [:closed_book:](../../blob/master/2019/2019.10.01.Adwind_Campaign_US_Petroleum_Industry)
* Oct 01 - [[Trend Micro] New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign](https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/) | [:closed_book:](../../blob/master/2019/2019.10.01.kovcoreg-malvertising-campaign)
* Sep 30 - [[Lastline] HELO Winnti: Attack or Scan?](https://www.lastline.com/labsblog/helo-winnti-attack-scan/) | [:closed_book:](../../blob/master/2019/2019.09.30_HELO_Winnti)
* Sep 26 - [[GBHackers] Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor](https://gbhackers.com/fakenarrator-malware/) | [:closed_book:](../../blob/master/2019/2019.09.26_China_APT_FakeNarrator_To_PcShare)
* Sep 24 - [[Telsy] DeadlyKiss APT](https://blog.telsy.com/wp-content/uploads/2019/09/DeadlyKiss_TAAR.pdf) | [:closed_book:](../../blob/master/2019/2019.09.24.DeadlyKiss_APT)
* Sep 24 - [[CISCO] How Tortoiseshell created a fake veteran hiring website to host malware](https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html) | [:closed_book:](../../blob/master/2019/2019.09.24_New_Tortoiseshell)
* Sep 24 - [[CheckPoint] Mapping the connections inside Russia's APT Ecosystem](https://research.checkpoint.com/russianaptecosystem/) | [:closed_book:](../../blob/master/2019/2019.09.24_Russia_APT_Ecosystem)
* Sep 18 - [[Symantec] Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks](https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain) | [:closed_book:](../../blob/master/2019/2019.09.18.Tortoiseshell-APT)
* Sep 18 - [[Trend Micro] Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites](https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/) | [:closed_book:](../../blob/master/2019/2019.09.18.Magecart_Hotel_Chain_Booking)
* Sep 15 - [[Clearsky] The Kittens Are Back in Town - Charming Kitten Campaign Against Academic Researchers](https://www.clearskysec.com/wp-content/uploads/2019/09/The-Kittens-Are-Back-in-Town-Charming-Kitten-2019.pdf) | [:closed_book:](../../blob/master/2019/2019.09.15_Kittens_back)
* Sep 11 - [[MeltX0R Security] RANCOR APT: Suspected targeted attacks against South East Asia](https://meltx0r.github.io/tech/2019/09/11/rancor-apt.html) | [:closed_book:](../../blob/master/2019/2019.09.11.RANCOR_APT)
* Sep 09 - [[Symantec] Thrip: Ambitious Attacks Against High Level Targets Continue](https://www.symantec.com/blogs/threat-intelligence/thrip-apt-south-east-asia) | [:closed_book:](../../blob/master/2019/2019.09.09.Thrip)
* Sep 06 - [[MeltX0R Security] BITTER APT: Not So Sweet](https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html) | [:closed_book:](../../blob/master/2019/2019.09.06.BITTER_APT_Not_So_Sweet)
* Sep 05 - [[CheckPoint] UPSynergy: Chinese-American Spy vs. Spy Story](https://research.checkpoint.com/upsynergy/) | [:closed_book:](../../blob/master/2019/2019.09.05.UPSynergy)
* Sep 04 - [[Trend Micro] Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions](https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/) | [:closed_book:](../../blob/master/2019/2019.09.04.Glupteba_Campaign)
* Aug 31 - [[StrangerealIntel] Malware analysis on Bitter APT campaign](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/Bitter/27-08-19/Malware%20analysis%2031-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.31.Bitter_APT_Malware_analysis)
* Aug 29 - [[AhnLab] Tick Tock - Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years](https://gsec.hitb.org/materials/sg2019/D1%20COMMSEC%20-%20Tick%20Group%20-%20Activities%20Of%20The%20Tick%20Cyber%20Espionage%20Group%20In%20East%20Asia%20Over%20The%20Last%2010%20Years%20-%20Cha%20Minseok.pdf) | [:closed_book:](../../blob/master/2019/2019.08.29_Tick_Tock)
* Aug 29 - [[Trend Micro] Heatstroke Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information](https://blog.trendmicro.com/trendlabs-security-intelligence/heatstroke-campaign-uses-multistage-phishing-attack-to-steal-paypal-and-credit-card-information/) | [:closed_book:](../../blob/master/2019/2019.08.29.Heatstroke_Campaign)
* Aug 29 - [[IBM] More_eggs, Anyone? Threat Actor ITG08 Strikes Again](https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/) | [:closed_book:](../../blob/master/2019/2019.08.29.FIN6_ITG08)
* Aug 29 - [[NSHC] SectorJ04 Group's Increased Activity in 2019](https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/) | [:closed_book:](../../blob/master/2019/2019.08.29.SectorJ04_2019)
* Aug 27 - [[StrangerealIntel] Malware analysis about sample of APT Patchwork](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Indian/APT/Patchwork/27-08-19/Malware%20analysis%2027-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.27.Patchwork_Malware_Analysis)
* Aug 27 - [[Dell] LYCEUM Takes Center Stage in Middle East Campaign](https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign) | [:closed_book:](../../blob/master/2019/2019.08.27.LYCEUM_threat_group)
* Aug 27 - [[CISCO] China Chopper still active 9 years later](https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html) | [:closed_book:](../../blob/master/2019/2019.08.27.China_Chopper)
* Aug 27 - [[Trend Micro] TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy](https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/) | [:closed_book:](../../blob/master/2019/2019.08.27.TA505_Again)
* Aug 26 - [[QianXin] APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan](https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/) | [:closed_book:](../../blob/master/2019/2019.08.26.APT-C-09)
* Aug 22 - [[PTsecurity] Operation TaskMasters: Cyberespionage in the digital economy age](https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/) | [:closed_book:](../../blob/master/2019/2019.08.22.Operation_TaskMasters)
* Aug 21 - [[Fortinet] The Gamaredon Group: A TTP Profile Analysis](https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html) | [:closed_book:](../../blob/master/2019/2019.08.21.Gamaredon_Group)
* Aug 21 - [[Group-IB] Silence 2.0](https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf) | [:closed_book:](../../blob/master/2019/2019.08.21.Silence_2.0)
* Aug 20 - [[StrangerealIntel] Malware analysis about unknown Chinese APT campaign](https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md) | [:closed_book:](../../blob/master/2019/2019.08.20.unknown_Chinese_APT)
* Aug 14 - [[ESET] In the Balkans, businesses are under fire from a double-barreled weapon](https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/) | [:closed_book:](../../blob/master/2019/2019.08.14.Balkans_Campaign)
* Aug 12 - [[Kaspersky] Recent Cloud Atlas activity](https://securelist.com/recent-cloud-atlas-activity/92016/) | [:closed_book:](../../blob/master/2019/2019.08.12.Cloud_Atlas_activity)
* Aug 08 - [[Anomali] Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations](https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations) | [:closed_book:](../../blob/master/2019/2019.08.08.BITTER_APT)
* Aug 07 - [[FireEye] APT41: A Dual Espionage and Cyber Crime Operation](https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html) | [:closed_book:](../../blob/master/2019/2019.08.07.APT41)
* Aug 05 - [[Trend Micro] Latest Trickbot Campaign Delivered via Highly Obfuscated JS File](https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/) | [:closed_book:](../../blob/master/2019/2019.08.05.Trickbot_Obfuscated_JS)
* Aug 05 - [[ESET] Sharpening the Machete](https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/) | [:closed_book:](../../blob/master/2019/2019.08.05.Sharpening_the_Machete)
* Aug 01 - [[Antiy] Analysis of the Attack of Mobile Devices by OceanLotus](https://www.antiy.net/p/analysis-of-the-attack-of-mobile-devices-by-oceanlotus/) | [:closed_book:](../../blob/master/2019/2019.08.01.Mobile_OceanLotus)
* Jul 24 - [[Dell] Resurgent Iron Liberty Targeting Energy Sector](https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector) | [:closed_book:](../../blob/master/2019/2019.07.24.Resurgent_Iron_Liberty)
* Jul 24 - [[] Attacking the Heart of the German Industry](https://web.br.de/interaktiv/winnti/english/) | [:closed_book:](../../blob/master/2019/2019.07.24.Winnti_German)
* Jul 24 - [[Proofpoint] Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia](https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology) | [:closed_book:](../../blob/master/2019/2019.07.24.Operation_LagTime_IT)
* Jul 18 - [[FireEye] Hard Pass: Declining APT34's Invite to Join Their Professional Network](https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html) | [:closed_book:](../../blob/master/2019/2019.07.18.APT34_Hard_Pass)
* Jul 18 - [[Trend Micro] Spam Campaign Targets Colombian Entities with Custom-made Proyecto RAT, Uses Email Service YOPmail for C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/) | [:closed_book:](../../blob/master/2019/2019.07.18.Proyecto_RAT_Colombian)
* Jul 18 - [[ESET] OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY](https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/) | [:closed_book:](../../blob/master/2019/2019.07.18.Okrum)
* Jul 17 - [[AT&T] Newly identified StrongPity operations](https://cybersecurity.att.com/blogs/labs-research/newly-identified-strongpity-operations) | [:closed_book:](../../blob/master/2019/2019.07.17.StrongPity_operations)
* Jul 17 - [[Intezer] EvilGnome: Rare Malware Spying on Linux Desktop Users](https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/) | [:closed_book:](../../blob/master/2019/2019.07.17.EvilGnome)
* Jul 16 - [[Trend Micro] SLUB Gets Rid of GitHub, Intensifies Slack Use](https://blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use/) | [:closed_book:](../../blob/master/2019/2019.07.16.SLUB)
* Jul 15 - [[CISCO] SWEED: Exposing years of Agent Tesla campaigns](https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html) | [:closed_book:](../../blob/master/2019/2019.07.15.SWEED)
* Jul 11 - [[ESET] Buhtrap group uses zero-day in latest espionage campaigns](https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/) | [:closed_book:](../../blob/master/2019/2019.07.11.Buhtrap_Group)
* Jul 09 - [[CISCO] Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques](https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html) | [:closed_book:](../../blob/master/2019/2019.07.09.SeaTurtle_swimming)
* Jul 04 - [[Kaspersky] 'Twas the night before](https://securelist.com/twas-the-night-before/91599/) | [:closed_book:](../../blob/master/2019/2019.07.04.NewsBeef_APT)
* Jul 04 - [[Trend Micro] Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi](https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/) | [:closed_book:](../../blob/master/2019/2019.07.04.TA505_Gelup_FlowerPippi)
* Jul 03 - [[Anomali] Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018](https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018) | [:closed_book:](../../blob/master/2019/2019.07.03.Chinese_APT_CVE-2018-0798)
* Jul 01 - [[Check Point] Operation Tripoli](https://research.checkpoint.com/operation-tripoli/) | [:closed_book:](../../blob/master/2019/2019.07.01.Operation_Tripoli)
* Jul 01 - [[Cylance] Threat Spotlight: Ratsnif - New Network Vermin from OceanLotus](https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html) | [:closed_book:](../../blob/master/2019/2019.07.01.OceanLotus_Ratsnif)
* Jun 27 - [[Trend Micro] ShadowGate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit](https://blog.trendmicro.com/trendlabs-security-intelligence/shadowgate-returns-to-worldwide-operations-with-evolved-greenflash-sundown-exploit-kit/) | [:closed_book:](../../blob/master/2019/2019.06.27.ShadowGate_Returns)
* Jun 26 - [[Recorded Future] Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations](https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf) | [:closed_book:](../../blob/master/2019/2019.06.26.Iranian_to_Saudi)
* Jun 25 - [[QianXin] Analysis of MuddyC3, a New Weapon Used by MuddyWater](https://ti.qianxin.com/blog/articles/analysis-of-muddyc3-a-new-weapon-used-by-muddywater/) | [:closed_book:](../../blob/master/2019/2019.06.25.MuddyC3)
* Jun 25 - [[Cybereason] OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) | [:closed_book:](../../blob/master/2019/2019.06.25.Operation_Soft_Cell)
* Jun 21 - [[Symantec] Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments](https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments) | [:closed_book:](../../blob/master/2019/2019.06.21.Waterbug)
* Jun 20 - [[QianXin] New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam](https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/) | [:closed_book:](../../blob/master/2019/2019.06.20.OceanLotus_New_Approaches)
* Jun 12 - [[ThaiCERT] Threat Group Cards: A Threat Actor Encyclopedia](https://www.dropbox.com/s/ds0ra0c8odwsv3m/Threat%20Group%20Cards.pdf?dl) | [:closed_book:](../../blob/master/2019/2019.06.12.Threat_Group_Cards)
* Jun 11 - [[Recorded Future] The Discovery of Fishwrap: A New Social Media Information Operation Methodology](https://www.recordedfuture.com/fishwrap-influence-operation/) | [:closed_book:](../../blob/master/2019/2019.06.11.Fishwrap_Group)
* Jun 10 - [[BlackBerry] Threat Spotlight: MenuPass/QuasarRAT Backdoor](https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor) | [:closed_book:](../../blob/master/2019/2019.06.10.MenuPass_QuasarRAT_Backdoor)
* Jun 10 - [[Trend Micro] MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools](https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/) | [:closed_book:](../../blob/master/2019/2019.06.10.MuddyWater_Resurfaces)
* Jun 05 - [[Agari] Scattered Canary: The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise](https://www.agari.com/cyber-intelligence-research/whitepapers/scattered-canary.pdf) | [:closed_book:](../../blob/master/2019/2019.06.05.Scattered_Canary)
* Jun 04 - [[Bitdefender] An APT Blueprint: Gaining New Visibility into Financial Threats](https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf) | [:closed_book:](../../blob/master/2019/2019.06.04.APT_Blueprint)
* Jun 03 - [[Kaspersky] Zebrocy's Multilanguage Malware Salad](https://securelist.com/zebrocys-multilanguage-malware-salad/90680/) | [:closed_book:](../../blob/master/2019/2019.06.03.Zebrocy)
* May 30 - [[CISCO] 10 years of virtual dynamite: A high-level retrospective of ATM malware](https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html) | [:closed_book:](../../blob/master/2019/2019.05.30.10_Years_ATM_Malware)
* May 29 - [[ESET] A dive into Turla PowerShell usage](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/) | [:closed_book:](../../blob/master/2019/2019.05.29.Turla_PowerShell)
* May 29 - [[Yoroi] TA505 is Expanding its Operations](https://blog.yoroi.company/research/ta505-is-expanding-its-operations/) | [:closed_book:](../../blob/master/2019/2019.05.29.TA505)
* May 28 - [[Palo Alto Networks] Emissary Panda Attacks Middle East Government Sharepoint Servers](https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/) | [:closed_book:](../../blob/master/2019/2019.05.28.Emissary_Panda)
* May 27 - [[360] APT-C-38](http://blogs.360.cn/post/analysis-of-APT-C-38.html) | [:closed_book:](../../blob/master/2019/2019.05.27.APT-C-38)
* May 24 - [[ENSILO] UNCOVERING NEW ACTIVITY BY APT10](https://blog.ensilo.com/uncovering-new-activity-by-apt10) | [:closed_book:](../../blob/master/2019/2019.05.24_APT10_New_Activity)
* May 22 - [[ESET] A journey to Zebrocy land](https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/) | [:closed_book:](../../blob/master/2019/2019.05.22.Zebrocy_Land)
* May 19 - [[Intezer] HiddenWasp Malware Stings Targeted Linux Systems](https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/) | [:closed_book:](../../blob/master/2019/2019.05.19.HiddenWasp_Linux)
* May 18 - [[ADLab] Operation_BlackLion](https://www.secrss.com/articles/10745) | [:closed_book:](../../blob/master/2019/2019.05.18.Operation_BlackLion)
* May 15 - [[Chronicle] Winnti: More than just Windows and Gates](https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a) | [:closed_book:](../../blob/master/2019/2019.05.15.Winnti_More)
* May 13 - [[Kaspersky] ScarCruft continues to evolve, introduces Bluetooth harvester](https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/) | [:closed_book:](../../blob/master/2019/2019.05.13.ScarCruft_Bluetooth)
* May 11 - [[Sebdraven] Chinese Actor APT target Ministry of Justice Vietnamese](https://medium.com/@Sebdraven/chineses-actor-apt-target-ministry-of-justice-vietnamese-14f13cc1c906) | [:closed_book:](../../blob/master/2019/2019.05.11.Chinese_APT_Vietnamese)
* May 09 - [[Clearsky] Iranian Nation-State APT Groups “Black Box” Leak](https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf) | [:closed_book:](../../blob/master/2019/2019.05.09.Iranian_APT_Leak)
* May 08 - [[Kaspersky] FIN7.5: the infamous cybercrime rig “FIN7” continues its activities](https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/) | [:closed_book:](../../blob/master/2019/2019.05.08.Fin7.5)
* May 08 - [[QianXin] OceanLotus Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure](https://ti.qianxin.com/blog/articles/oceanlotus-attacks-to-indochinese-peninsula-evolution-of-targets-techniques-and-procedure/) | [:closed_book:](../../blob/master/2019/2019.05.08.OceanLotus)
* May 07 - [[Yoroi] ATMitch: New Evidence Spotted In The Wild](https://blog.yoroi.company/research/atmitch-new-evidence-spotted-in-the-wild/) | [:closed_book:](../../blob/master/2019/2019.05.07.ATMitch)
* May 07 - [[ESET] Turla LightNeuron: An email too far](https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf) | [:closed_book:](../../blob/master/2019/2019.05.07.Turla_LightNeuron)
* May 07 - [[Symantec] Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak](https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit) | [:closed_book:](../../blob/master/2019/2019.05.07.Buckeye)
* May 03 - [[Kaspersky] Who's who in the Zoo Cyberespionage operation targets Android users in the Middle East](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf) | [:closed_book:](../../blob/master/2019/2019.05.03.ZooPark)
* Apr 30 - [[ThreatRecon] SectorB06 using Mongolian language in lure document](https://threatrecon.nshc.net/2019/04/30/sectorb06-using-mongolian-language-in-lure-document/) | [:closed_book:](../../blob/master/2019/2019.04.30.SectorB06_Mongolian)
* Apr 24 - [[CyberInt] legit remote admin tools turn into threat actors' tools](https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%27%20Tools_Report.pdf) | [:closed_book:](../../blob/master/2019/2019.04.24.TA505_Abusing_Legit_Remote_Admin_Tool)
* Apr 23 - [[Kaspersky] Operation ShadowHammer: a high-profile supply chain attack](https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/) | [:closed_book:](../../blob/master/2019/2019.04.23.Operation_ShadowHammer)
* Apr 22 - [[CheckPoint] FINTEAM: Trojanized TeamViewer Against Government Targets](https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/) | [:closed_book:](../../blob/master/2019/2019.04.22.FINTEAM)
* Apr 19 - [[MalwareBytes] “Funky malware format” found in Ocean Lotus sample](https://blog.malwarebytes.com/threat-analysis/2019/04/funky-malware-format-found-in-ocean-lotus-sample/) | [:closed_book:](../../blob/master/2019/2019.04.19.Funky_malware_format)
* Apr 17 - [[Palo Alto Networks] Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign](https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/) | [:closed_book:](../../blob/master/2019/2019.04.17.Aggah_Campaign)
* Apr 17 - [[CISCO] DNS Hijacking Abuses Trust In Core Internet Service](https://blog.talosintelligence.com/2019/04/seaturtle.html) | [:closed_book:](../../blob/master/2019/2019.04.17.Operation_Sea_Turtle)
* Apr 10 - [[CheckPoint] The Muddy Waters of APT Attacks](https://research.checkpoint.com/the-muddy-waters-of-apt-attacks/) | [:closed_book:](../../blob/master/2019/2019.04.10.Muddy_Waters)
* Apr 10 - [[Kaspersky] Project TajMahal - a sophisticated new APT framework](https://securelist.com/project-tajmahal/90240/) | [:closed_book:](../../blob/master/2019/2019.04.10.Project_TajMahal)
* Apr 10 - [[Kaspersky] Gaza Cybergang Group1, operation SneakyPastes](https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/) | [:closed_book:](../../blob/master/2019/2019.04.10.Operation_SneakyPastes)
* Apr 02 - [[Cylance] OceanLotus Steganography](https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html) | [:closed_book:](../../blob/master/2019/2019.04.02.OceanLotus_Steganography)
* Mar 28 - [[Trend Micro] Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole](https://blog.trendmicro.com/trendlabs-security-intelligence/desktop-mobile-phishing-campaign-targets-south-korean-websites-steals-credentials-via-watering-hole/) | [:closed_book:](../../blob/master/2019/2019.03.28.Desktop_Mobile_Phishing_Campaign)
* Mar 28 - [[C4ADS] Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria](https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5c99488beb39314c45e782da/1553549492554/Above+Us+Only+Stars.pdf) | [:closed_book:](../../blob/master/2019/2019.03.28.Exposing_GPS_Spoofing_in_Russia_and_Syria)
* Mar 28 - [[ThreatRecon] Threat Actor Group using UAC Bypass Module to run BAT File](https://threatrecon.nshc.net/2019/03/28/threat-actor-group-using-uac-bypass-module-to-run-bat-file/) | [:closed_book:](../../blob/master/2019/2019.03.28.UAC_Bypass_BAT_APT)
* Mar 27 - [[Symantec] Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.](https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage) | [:closed_book:](../../blob/master/2019/2019.03.27.Elfin)
* Mar 25 - [[Kaspersky] Operation ShadowHammer](https://securelist.com/operation-shadowhammer/89992/) | [:closed_book:](../../blob/master/2019/2019.03.25.Operation_ShadowHammer)
* Mar 22 - [[Netscout] LUCKY ELEPHANT CAMPAIGN MASQUERADING](https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading) | [:closed_book:](../../blob/master/2019/2019.03.22.LUCKY_ELEPHANT)
* Mar 13 - [[CISCO] GlitchPOS: New PoS malware for sale](https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html) | [:closed_book:](../../blob/master/2019/2019.03.13.GlitchPOS_POS_Malware)
* Mar 13 - [[FlashPoint] DMSniff POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses](https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/) | [:closed_book:](../../blob/master/2019/2019.03.13.DMSniff_POS_Malware)
* Mar 13 - [[CheckPoint] Operation Sheep: Pilfer-Analytics SDK in Action](https://research.checkpoint.com/operation-sheep-pilfer-analytics-sdk-in-action/) | [:closed_book:](../../blob/master/2019/2019.03.13.Operation_Sheep)
* Mar 12 - [[Palo Alto Networks] Operation Comando: How to Run a Cheap and Effective Credit Card Business](https://unit42.paloaltonetworks.com/operation-comando-or-how-to-run-a-cheap-and-effective-credit-card-business/) | [:closed_book:](../../blob/master/2019/2019.03.12.Operation_Comando)
* Mar 11 - [[ESET] Gaming industry still in the scope of attackers in Asia](https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/) | [:closed_book:](../../blob/master/2019/2019.03.11.Gaming-Industry.Asia)
* Mar 08 - [[Resecurity] Supply Chain - The Major Target of Cyberespionage Groups](https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/) | [:closed_book:](../../blob/master/2019/2019.03.08.Supply_Chain_Groups)
* Mar 07 - [[Trend Micro] New SLUB Backdoor Uses GitHub, Communicates via Slack](https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/) | [:closed_book:](../../blob/master/2019/2019.03.07.SLUB_Backdoor)
* Mar 06 - [[Cybaze-Yoroi Z-LAB] Operation Pistacchietto](https://blog.yoroi.company/research/op-pistacchietto-an-italian-job/) | [:closed_book:](../../blob/master/2019/2019.03.06.Operation_Pistacchietto)
* Mar 06 - [[NTT] Targeted attack using Taidoor Analysis report](https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1) | [:closed_book:](../../blob/master/2019/2019.03.06_Taidoor_Analysis)
* Mar 06 - [[Symantec] Whitefly: Espionage Group has Singapore in Its Sights](https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore) | [:closed_book:](../../blob/master/2019/2019.03.06.Whitefly)
* Mar 04 - [[FireEye] APT40: Examining a China-Nexus Espionage Actor](https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html) | [:closed_book:](../../blob/master/2019/2019.03.04.APT40)
* Feb 28 - [[Marco Ramilli] Ransomware, Trojan and Miner together against “PIK-Group”](https://marcoramilli.com/2019/02/28/ransomware-trojan-and-miner-together-against-pik-group/) | [:closed_book:](../../blob/master/2019/2019.02.28_RIK_Group)
* Feb 27 - [[Dell] A Peek into BRONZE UNION's Toolbox](https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox) | [:closed_book:](../../blob/master/2019/2019.02.27.BRONZE_UNION_Toolbox)
* Feb 26 - [[Cybaze-Yoroi Z-LAB] The Arsenal Behind the Australian Parliament Hack](https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/) | [:closed_book:](../../blob/master/2019/2019.02.26.Australian_Parliament_Hack)
* Feb 25 - [[CarbonBlack] Defeating Compiler Level Obfuscations Used in APT10 Malware](https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/) | [:closed_book:](../../blob/master/2019/2019.02.25.APT10_Defeating_Compiler_Level)
* Feb 20 - [[SecureSoft] ATTACKS OF THE CYBERCRIMINAL LAZARUS GROUP DIRECTED AT ORGANIZATIONS IN RUSSIA IDENTIFIED](http://securitysummitperu.com/articulos/se-identifico-ataques-del-grupo-cibercriminal-lazarus-dirigidos-a-organizaciones-en-rusia/) | [:closed_book:](../../blob/master/2019/2019.02.20.LAZARUS_to_RUSSIA)
* Feb 18 - [[360] APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations](https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/) | [:closed_book:](../../blob/master/2019/2019.02.18.APT-C-36.Colombian)
* Feb 14 - [[360] Suspected Molerats' New Attack in the Middle East](https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/) | [:closed_book:](../../blob/master/2019/2019.02.14.Molerats_APT)
* Feb 06 - [[Recorded Future] APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign](https://www.recordedfuture.com/apt10-cyberespionage-campaign/) | [:closed_book:](../../blob/master/2019/2019.02.06.APT10_Sustained_Campaign)
* Feb 05 - [[Anomali] Analyzing Digital Quartermasters in Asia - Do Chinese and Indian APTs Have a Shared Supply Chain?](https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain) | [:closed_book:](../../blob/master/2019/2019.02.05.China_India_APT_shared)
* Feb 01 - [[Palo Alto Networks] Tracking OceanLotus new Downloader, KerrDown](https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/) | [:closed_book:](../../blob/master/2019/2019.02.01.OceanLotus_KerrDown)
* Jan 30 - [[Kaspersky] Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities](https://securelist.com/chafer-used-remexi-malware/89538/) | [:closed_book:](../../blob/master/2019/2019.01.30.Chafer_APT_Spy_Iran)
* Jan 30 - [[NSHC] The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing)](https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing) | [:closed_book:](../../blob/master/2019/2019.01.30.Operation_Kitty_Phishing)
* Jan 30 - [[Morphisec] NEW CAMPAIGN DELIVERS ORCUS RAT](http://blog.morphisec.com/new-campaign-delivering-orcus-rat) | [:closed_book:](../../blob/master/2019/2019.01.30.ORCUS_RAT)
* Jan 25 - [[LAB52] WIRTE Group attacking the Middle East](https://www.securityartwork.es/2019/01/25/wirte-group-attacking-the-middle-east/) | [:closed_book:](../../blob/master/2019/2019.01.18.WIRTE_Group_attacking_the_Middle_East)
* Jan 24 - [[Carbon Black] GandCrab and Ursnif Campaign](https://www.carbonblack.com/2019/01/24/carbon-black-tau-threatsight-analysis-gandcrab-and-ursnif-campaign/) | [:closed_book:](../../blob/master/2019/2019.01.24.GandCrab_and_Ursnif)
* Jan 18 - [[Palo Alto Networks] DarkHydrus delivers new Trojan that can use Google Drive for C2 communications](https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/) | [:closed_book:](../../blob/master/2019/2019.01.18.DarkHydrus)
* Jan 17 - [[Palo Alto Networks] Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products](https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/) | [:closed_book:](../../blob/master/2019/2019.01.17.Rocke_Group)
* Jan 16 - [[360] Latest Target Attack of DarkHydruns Group Against Middle East](https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/) | [:closed_book:](../../blob/master/2019/2019.01.16.DarkHydruns)
## 2018
* Dec 28 - [[Medium] Goblin Panda changes the dropper and reuses the old infrastructure](https://medium.com/@Sebdraven/goblin-panda-changes-the-dropper-and-reused-the-old-infrastructure-a35915f3e37a) | [:closed_book:](../../blob/master/2018/2018.12.28.Goblin_Panda)
* Dec 27 - [[Cybaze-Yoroi Z-LAB] The Enigmatic “Roma225” Campaign](https://blog.yoroi.company/research/the-enigmatic-roma225-campaign/) | [:closed_book:](../../blob/master/2018/2018.12.27.Roma225_Campaign)
* Dec 20 - [[Objective-See] Middle East Cyber-Espionage: analyzing WindShift's implant: OSX.WindTail](https://objective-see.com/blog/blog_0x3B.html) | [:closed_book:](../../blob/master/2018/2018.12.20.WindShift_Middle_East)
* Dec 18 - [[Trend Micro] URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader](https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/) | [:closed_book:](../../blob/master/2018/2018.12.18.ursnif-emotet-dridex-and-bitpaymer-gangs)
* Dec 13 - [[Certfa] The Return of The Charming Kitten](https://blog.certfa.com/posts/the-return-of-the-charming-kitten/) | [:closed_book:](../../blob/master/2018/2018.12.13.Charming_Kitten_Return)
* Dec 13 - [[Trend Micro] Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers Leak](https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf) | [:closed_book:](../../blob/master/2018/2018.12.13.Tildeb_Shadow_Brokers)
* Dec 13 - [[Palo Alto Networks] Shamoon 3 Targets Oil and Gas Organization](https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/) | [:closed_book:](../../blob/master/2018/2018.12.13.Shamoon_3)
* Dec 12 - [[McAfee] Operation Sharpshooter Targets Global Defense, Critical Infrastructure](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf) | [:closed_book:](../../blob/master/2018/2018.12.12.Operation_Sharpshooter)
* Dec 12 - [[360] Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China](https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/) | [:closed_book:](../../blob/master/2018/2018.12.12.Donot_Group)
* Dec 11 - [[Cylance] Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure](https://threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html) | [:closed_book:](../../blob/master/2018/2018.12.11.Poking_the_Bear)
* Nov ?? - [[Google] The Hunt for 3ve](https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf) | [:closed_book:](../../blob/master/2018/2018.11.The_Hunt_for_3ve)
* Nov 30 - [[Trend Micro] New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools](https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/) | [:closed_book:](../../blob/master/2018/2018.11.30.MuddyWater_Turkey)
* Nov 29 - [[360] Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/) | [:closed_book:](../../blob/master/2018/2018.11.29.Attack_Pakistan_By_Exploiting_InPage)
* Nov 28 - [[Microsoft] Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/) | [:closed_book:](../../blob/master/2018/2018.11.28.Tropic_Trooper_microsoft)
* Nov 28 - [[Clearsky] MuddyWater Operations in Lebanon and Oman](https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf) | [:closed_book:](../../blob/master/2018/2018.11.28.MuddyWater-Operations-in-Lebanon-and-Oman)
* Nov 27 - [[CISCO] DNSpionage Campaign Targets Middle East](https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html) | [:closed_book:](../../blob/master/2018/2018.11.27.dnspionage-campaign-targets-middle-east)
* Nov 20 - [[Trend Micro] Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/) | [:closed_book:](../../blob/master/2018/2018.11.20.lazarus-in-latin-america)
* Nov 19 - [[FireEye] Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html) | [:closed_book:](../../blob/master/2018/2018.11.19.APT29_Phishing)
* Nov 13 - [[Recorded Future] Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques](https://go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf) | [:closed_book:](../../blob/master/2018/2018.11.13.China.TEMP.Periscope.Using.Russian_APT)
* Nov 08 - [[Symantec] FASTCash: How the Lazarus Group is Emptying Millions from ATMs](https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware) | [:closed_book:](../../blob/master/2018/2018.11.08.FASTCash)
* Nov 05 - [[Palo Alto Networks] Inception Attackers Target Europe with Year-old Office Vulnerability](https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/) | [:closed_book:](../../blob/master/2018/2018.11.05.Inception_Attackers_Target_Europe)
* Nov 01 - [[Trend Micro] Outlaw group: Perl-Based Shellbot Looks to Target Organizations via C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/perl-based-shellbot-looks-to-target-organizations-via-cc/) | [:closed_book:](../../blob/master/2018/2018.11.01_Outlaw_group)
* Oct 19 - [[Kaspersky] DarkPulsar](https://securelist.com/darkpulsar/88199/) | [:closed_book:](../../blob/master/2018/2018.10.19.DarkPulsar)
* Oct 18 - [[Medium] APT Sidewinder changes theirs TTPs to install their backdoor](https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739) | [:closed_book:](../../blob/master/2018/2018.10.18.APT_Sidewinder_changes)
* Oct 18 - [[CISCO] Tracking Tick Through Recent Campaigns Targeting East Asia](https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html) | [:closed_book:](../../blob/master/2018/2018.10.18.Datper_Bronze_Butler)
* Oct 18 - [[McAfee] Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf) | [:closed_book:](../../blob/master/2018/2018.10.18.Operation_Oceansalt)
* Oct 17 - [[Marco Ramilli] MartyMcFly Malware: Targeting Naval Industry](https://marcoramilli.com/2018/10/17/martymcfly-malware-targeting-naval-industry/) | [:closed_book:](../../blob/master/2018/2018.10.17_MartyMcFly_Targeting_Naval_Industry)
* Oct 17 - [[Cylance] The SpyRATs of OceanLotus: Malware Analysis White Paper](https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf) | [:closed_book:](../../blob/master/2018/2018.10.17.OceanLotus_SpyRATs)
* Oct 17 - [[ESET] GreyEnergy: Updated arsenal of one of the most dangerous threat actors](https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/) | [:closed_book:](../../blob/master/2018/2018.10.17.GreyEnergy)
* Oct 17 - [[Yoroi] Cyber-Espionage Campaign Targeting the Naval Industry (“MartyMcFly”)](https://blog.yoroi.company/?p=1829) | [:closed_book:](../../blob/master/2018/2018.10.17.Targeting_the_Naval_Industry)
* Oct 15 - [[Kaspersky] Octopus-infested seas of Central Asia](https://securelist.com/octopus-infested-seas-of-central-asia/88200/) | [:closed_book:](../../blob/master/2018/2018.10.15.Octopus_Central_Asia)
* Oct 11 - [[Symantec] Gallmaker: New Attack Group Eschews Malware to Live off the Land](https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group) | [:closed_book:](../../blob/master/2018/2018.10.11.Gallmaker)
* Oct 10 - [[Kaspersky] MuddyWater expands operations](https://securelist.com/muddywater/88059/) | [:closed_book:](../../blob/master/2018/2018.10.10.MuddyWater_expands)
* Oct 03 - [[FireEye] APT38: Details on New North Korean Regime-Backed Threat Group](https://content.fireeye.com/apt/rpt-apt38) | [:closed_book:](../../blob/master/2018/2018.10.03.APT38)
* Sep 27 - [[ESET] LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group](https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf) | [:closed_book:](../../blob/master/2018/2018.09.27.LoJax)
* Sep 20 - [[360] (Non-English) (CN) PoisonVine](https://ti.360.net/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf) | [:closed_book:](../../blob/master/2018/2018.09.20.Poison_Trumpet_Vine_Operation)
* Sep 19 - [[Antiy] (Non-English) (CN) Green Spot APT](https://www.antiy.cn/report-download/20180919.pdf) | [:closed_book:](../../blob/master/2018/2018.09.19.Green_Spot_APT)
* Sep 13 - [[FireEye] APT10 Targeting Japanese Corporations Using Updated TTPs](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) | [:closed_book:](../../blob/master/2018/2018.09.13.APT10_Targeting_Japanese)
* Sep 10 - [[Kaspersky] LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company](https://securelist.com/luckymouse-ndisproxy-driver/87914) | [:closed_book:](../../blob/master/2018/2018.09.07.Goblin_Panda_targets_Cambodia)
* Sep 07 - [[Volon] Targeted Attack on Indian Ministry of External Affairs using Crimson RAT](https://volon.io/2018/09/07/targeted-attack-on-indian-ministry-of-external-affairs-using-crimson-rat/) | [:closed_book:](../../blob/master/2018/2018.09.07.indian-ministry_crimson-rat)
* Sep 07 - [[CheckPoint] Domestic Kitten: An Iranian Surveillance Operation](https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/) | [:closed_book:](../../blob/master/2018/2018.09.07.Domestic_Kitten)
* Sep 07 - [[Medium] Goblin Panda targets Cambodia sharing capacities with another Chinese group hackers Temp Periscope](https://medium.com/@Sebdraven/goblin-panda-targets-cambodia-sharing-capacities-with-another-chinese-group-hackers-temp-periscope-7871382ffcc0) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Sep 04 - [[Palo Alto Networks] OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE](https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/) | [:closed_book:](../../blob/master/2018/2018.09.04.OilRig_Targets_Middle_Eastern)
* Sep 04 - [[Group-IB] Silence: Moving into the darkside](https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf) | [:closed_book:](../../blob/master/2018/2018.09.04.Silence)
* Aug 30 - [[MalwareBytes] Reversing malware in a custom format: Hidden Bee elements](https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/) | [:closed_book:](../../blob/master/2018/2018.08.30.Hidden_Bee_Custom_format)
* Aug 30 - [[CrowdStrike] Two Birds, One STONE PANDA](https://www.crowdstrike.com/blog/two-birds-one-stone-panda/) | [:closed_book:](../../blob/master/2018/2018.08.30.Stone_Panda)
* Aug 30 - [[Arbor] Double the Infection, Double the Fun](https://asert.arbornetworks.com/double-the-infection-double-the-fun/) | [:closed_book:](../../blob/master/2018/2018.08.30.Cobalt_Group_Fun)
* Aug 30 - [[Dark Matter] COMMSEC: The Trails of WINDSHIFT APT](https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf) | [:closed_book:](../../blob/master/2018/2018.08.30.WINDSHIFT_APT)
* Aug 29 - [[Trend Micro] The Urpage Connection to Bahamut, Confucius and Patchwork](https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/) | [:closed_book:](../../blob/master/2018/2018.08.29.Bahamut_Confucius_Patchwork)
* Aug 28 - [[CheckPoint] CeidPageLock: A Chinese RootKit](https://research.checkpoint.com/ceidpagelock-a-chinese-rootkit/) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Aug 23 - [[Kaspersky] Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware](https://securelist.com/operation-applejeus/87553/) | [:closed_book:](../../blob/master/2018/2018.08.23.Operation_AppleJeus)
* Aug 21 - [[ESET] TURLA OUTLOOK BACKDOOR](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 21 - [[Trend Micro] Supply Chain Attack Operation Red Signature Targets South Korean Organizations](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 16 - [[Recorded Future] Chinese Cyberespionage Originating From Tsinghua University Infrastructure](https://go.recordedfuture.com/hubfs/reports/cta-2018-0816.pdf) | [:closed_book:](../../blob/master/2018/2018.08.16.Chinese_Cyberespionage_Tsinghua_University)
* Aug 09 - [[McAfee] Examining Code Reuse Reveals Undiscovered Links Among North Korea's Malware Families](https://securingtomorrow.mcafee.com/mcafee-labs/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-malware-families/) | [:closed_book:](../../blob/master/2018/2018.08.09.north-koreas-malware-families)
* Aug 02 - [[Accenture] Goldfin Security Alert](https://www.accenture.com/us-en/blogs/blogs-goldfin-security-alert) | [:closed_book:](../../blob/master/2018/2018.08.02.Goldfin_Security_Alert)
* Aug 02 - [[Palo Alto Networks] The Gorgon Group: Slithering Between Nation State and Cybercrime](https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/) | [:closed_book:](../../blob/master/2018/2018.08.02.Gorgon_Group)
* Aug 02 - [[Medium] Goblin Panda against the Bears](https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4) | [:closed_book:](../../blob/master/2018/2018.08.02.Goblin_Panda)
* Aug 01 - [[Medium] Malicious document targets Vietnamese officials](https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a) | [:closed_book:](../../blob/master/2018/2018.08.01.Vietnamese_officials_Targets)
* Jul 31 - [[Palo Alto Networks] Bisonal Malware Used in Attacks Against Russia and South Korea](https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/) | [:closed_book:](../../blob/master/2018/2018.07.31.bisonal-malware-used-attacks-russia-south-korea)
* Jul 31 - [[Medium] Malicious document targets Vietnamese officials](https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a) | [:closed_book:](../../blob/master/2018/2018.07.31.APT_SideWinder_Malicious_Doc)
* Jul 27 - [[Palo Alto Networks] New Threat Actor Group DarkHydrus Targets Middle East Government](https://unit42.paloaltonetworks.com/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/) | [:closed_book:](../../blob/master/2018/2018.07.27.DarkHydrus)
* Jul 23 - [[CSE] APT27: A long-term espionage campaign in Syria](http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf) | [:closed_book:](../../blob/master/2018/2018.07.23_APT27_Syria)
* Jul 16 - [[Trend Micro] New Andariel Reconnaissance Tactics Hint At Next Targets](https://blog.trendmicro.com/trendlabs-security-intelligence/new-andariel-reconnaissance-tactics-hint-at-next-targets/) | [:closed_book:](../../blob/master/2018/2018.07.16.new-andariel)
* Jul 13 - [[CSE] Operation Roman Holiday - Hunting the Russian APT28 group](http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf) | [:closed_book:](../../blob/master/2018/2018.07.13.Operation_Roman_Holiday)
* Jul 12 - [[CISCO] Advanced Mobile Malware Campaign in India uses Malicious MDM](https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html) | [:closed_book:](../../blob/master/2018/2018.07.12.Advanced_Mobile_Malware_Campaign_in_India)
* Jul 09 - [[ESET] Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign](https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/) | [:closed_book:](../../blob/master/2018/2018.07.09.certificates-stolen-taiwanese-tech-companies-plead-malware-campaign)
* Jul 08 - [[CheckPoint] APT Attack In the Middle East: The Big Bang](https://research.checkpoint.com/apt-attack-middle-east-big-bang/) | [:closed_book:](../../blob/master/2018/2018.07.08.Big_Bang)
* Jul 08 - [[Fortinet] Hussarini - Targeted Cyber Attack in the Philippines](https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html) | [:closed_book:](../../blob/master/2018/2018.07.08.Hussarini)
* Jun XX - [[Ahnlab] Operation Red Gambler](http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf) | [:closed_book:](../../blob/master/2018/2018.06.xx.Operation_Red_Gambler)
* Jun 26 - [[Palo Alto Networks] RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families](https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/) | [:closed_book:](../../blob/master/2018/2018.06.26.RANCOR)
* Jun 23 - [[Ahnlab] Full Discloser of Andariel, A Subgroup of Lazarus Threat Group](https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf) | [:closed_book:](../../blob/master/2018/2018.06.23.Andariel_Group)
* Jun 22 - [[Palo Alto Networks] Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems](https://unit42.paloaltonetworks.com/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/) | [:closed_book:](../../blob/master/2018/2018.06.22.Iick.Group-weaponized-secure-usb)
* Jun 20 - [[Symantec] Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies](https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets) | [:closed_book:](../../blob/master/2018/2018.06.20.thrip-hits-satellite-telecoms-defense-targets)
* Jun 19 - [[Kaspersky] Olympic Destroyer is still alive](https://securelist.com/olympic-destroyer-is-still-alive/86169/) | [:closed_book:](../../blob/master/2018/2017.06.19.olympic-destroyer-is-still-alive)
* Jun 14 - [[Trend Micro] Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor](https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/) | [:closed_book:](../../blob/master/2018/2018.06.14.another-potential-muddywater-campaign)
* Jun 14 - [[intezer] MirageFox: APT15 Resurfaces With New Tools Based On Old Ones](https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/) | [:closed_book:](../../blob/master/2018/2018.06.14.MirageFox_APT15)
* Jun 13 - [[Kaspersky] LuckyMouse hits national data center to organize country-level waterholing campaign](https://securelist.com/luckymouse-hits-national-data-center/86083/) | [:closed_book:](../../blob/master/2018/2018.06.13.LuckyMouse)
* Jun 07 - [[Volexity] Patchwork APT Group Targets US Think Tanks](https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/) | [:closed_book:](../../blob/master/2018/2018.06.07.patchwork-apt-group-targets-us-think-tanks)
* Jun 07 - [[ICEBRG] ADOBE FLASH ZERO-DAY LEVERAGED FOR TARGETED ATTACK IN MIDDLE EAST](https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack) | [:closed_book:](../../blob/master/2018/2018.06.07.dobe-flash-zero-day-targeted-attack)
* Jun 07 - [[FireEye] A Totally Tubular Treatise on TRITON and TriStation](https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html) | [:closed_book:](../../blob/master/2018/2018.06.07.Totally_Tubular_Treatise_on_TRITON_TriStation)
* Jun 06 - [[CISCO] VPNFilter Update - VPNFilter exploits endpoints, targets new devices](https://blog.talosintelligence.com/2018/06/vpnfilter-update.html) | [:closed_book:](../../blob/master/2018/2018.06.06.vpnfilter-update)
* Jun 06 - [[GuardiCore] OPERATION PROWLI: MONETIZING 40,000 VICTIM MACHINES](https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/) | [:closed_book:](../../blob/master/2018/2018.06.06.OPERATION_PROWLI)
* Jun 06 - [[Palo Alto Networks] Sofacy Group's Parallel Attacks](https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/) | [:closed_book:](../../blob/master/2018/2018.06.06.sofacy-groups-parallel-attacks)
* May 31 - [[CISCO] NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea](https://blog.talosintelligence.com/2018/05/navrat.html) | [:closed_book:](../../blob/master/2018/2018.03.31.NavRAT_Uses_US-North_Korea_Summit_As_Decoy)
* May 29 - [[intezer] Iron Cybercrime Group Under The Scope](https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/) | [:closed_book:](../../blob/master/2018/2018.05.29.iron-cybercrime-group)
* May 23 - [[CISCO] New VPNFilter malware targets at least 500K networking devices worldwide](https://blog.talosintelligence.com/2018/05/VPNFilter.html) | [:closed_book:](../../blob/master/2018/2018.05.23.New_VPNFilter)
* May 23 - [[Ahnlab] Andariel Group Trend Report](http://download.ahnlab.com/kr/site/library/[Report]Andariel_Threat_Group.pdf) | [:closed_book:](../../blob/master/2018/2018.05.23.Andariel_Group)
* May 23 - [[Trend Micro] Confucius Update: New Tools and Techniques, Further Connections with Patchwork](https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/) | [:closed_book:](../../blob/master/2018/2018.05.23.Confucius_Update)
* May 22 - [[Intrusiontruth] The destruction of APT3](https://intrusiontruth.wordpress.com/2018/05/22/the-destruction-of-apt3/) | [:closed_book:](../../blob/master/2018/2018.05.22.The_destruction_of_APT3)
* May 22 - [[ESET] Turla Mosquito: A shift towards more generic tools](https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/) | [:closed_book:](../../blob/master/2018/2018.05.22.Turla_Mosquito)
* May 09 - [[Recorded Future] Iran's Hacker Hierarchy Exposed](https://go.recordedfuture.com/hubfs/reports/cta-2018-0509.pdf) | [:closed_book:](../../blob/master/2018/2018.05.09.Iran_Hacker_Hierarchy_Exposed)
* May 09 - [[360] Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack](http://blogs.360.cn/blog/cve-2018-8174-en/) | [:closed_book:](../../blob/master/2018/2018.05.09.APT-C-06_CVE-2018-8174)
* May 03 - [[ProtectWise] Burning Umbrella](https://github.com/401trg/detections/raw/master/pdfs/20180503_Burning_Umbrella.pdf) | [:closed_book:](../../blob/master/2018/2018.05.03.Burning_Umbrella)
* May 03 - [[Kaspersky] Who's who in the Zoo: Cyberespionage operation targets Android users in the Middle East](https://securelist.com/whos-who-in-the-zoo/85394/) | [:closed_book:](../../blob/master/2018/2018.05.03.whos-who-in-the-zoo)
* May 03 - [[Ahnlab] Detailed Analysis of Red Eyes Hacking Group](https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]%20Red_Eyes_Hacking_Group_Report%20(1).pdf) | [:closed_book:](../../blob/master/2018/2018.05.03.Red_Eyes_Hacking_Group)
* Apr 27 - [[Tencent] OceanLotus new malware analysis](https://s.tencent.com/research/report/471.html) | [:closed_book:](../../blob/master/2018/2018.04.27.OceanLotus_new_malware)
* Apr 26 - [[CISCO] GravityRAT - The Two-Year Evolution Of An APT Targeting India](https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html) | [:closed_book:](../../blob/master/2018/2018.04.26.GravityRAT)
* Apr 24 - [[FireEye] Metamorfo Campaigns Targeting Brazilian Users](https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html) | [:closed_book:](../../blob/master/2018/2018.04.24.metamorfo-campaign)
* Apr 24 - [[McAfee] Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide](https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/) | [:closed_book:](../../blob/master/2018/2018.04.24.Operation_GhostSecret)
* Apr 24 - [[ESET] Sednit update: Analysis of Zebrocy](https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/) | [:closed_book:](../../blob/master/2018/2018.04.24.sednit-update-analysis-zebrocy)
* Apr 23 - [[Accenture] HOGFISH REDLEAVES CAMPAIGN](https://www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf) | [:closed_book:](../../blob/master/2018/2018.04.23.HOGFISH_REDLEAVES_CAMPAIGN)
* Apr 23 - [[Symantec] New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia](https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia) | [:closed_book:](../../blob/master/2018/2018.04.23.New_Orangeworm)
* Apr 23 - [[Kaspersky] Energetic Bear/Crouching Yeti: attacks on servers](https://securelist.com/energetic-bear-crouching-yeti/85345/) | [:closed_book:](../../blob/master/2018/2018.04.23.energetic-bear-crouching-yeti)
* Apr 17 - [[NCCGroup] Decoding network data from a Gh0st RAT variant](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant) | [:closed_book:](../../blob/master/2018.04.17.Iron_Tiger_Gh0st_RAT_variant)
* Apr 12 - [[Kaspersky] Operation Parliament, who is doing what?](https://securelist.com/operation-parliament-who-is-doing-what/85237/) | [:closed_book:](../../blob/master/2018/2018.04.12.operation-parliament)
* Apr 04 - [[Trend Micro] New MacOS Backdoor Linked to OceanLotus Found](https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/) | [:closed_book:](../../blob/master/2018/2018.04.04.MacOS_Backdoor_OceanLotus)
* Mar 29 - [[Trend Micro] ChessMaster Adds Updated Tools to Its Arsenal](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/) | [:closed_book:](../../blob/master/2018/2018.03.29.ChessMaster_Adds_Updated_Tools)
* Mar 27 - [[Arbor] Panda Banker Zeros in on Japanese Targets](https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/) | [:closed_book:](../../blob/master/2018/2018.03.27.panda-banker-zeros-in-on-japanese-targets)
* Mar 23 - [[Ahnlab] Targeted Attacks on South Korean Organizations](http://global.ahnlab.com/global/upload/download/techreport/Tech_Report_Malicious_Hancom.pdf) | [:closed_book:](../../blob/master/2018/2018.03.23.Targeted_Attacks_on_South_Korean_Organizations)
* Mar 15 - [[US-CERT] Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors](https://www.us-cert.gov/ncas/alerts/TA18-074A) | [:closed_book:](../../blob/master/2018/2018.03.15.Russian_Government_Cyber_Activity_TA18-074A)
* Mar 14 - [[Symantec] Inception Framework: Alive and Well, and Hiding Behind Proxies](https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies) | [:closed_book:](../../blob/master/2018/2018.03.14.Inception_Framework)
* Mar 14 - [[Trend Micro] Tropic Trooper's New Strategy](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/) | [:closed_book:](../../blob/master/2018/2018.03.14.tropic-trooper-new-strategy)
* Mar 13 - [[FireEye] Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html) | [:closed_book:](../../blob/master/2018/2018.03.13.Iranian-threat-group)
* Mar 13 - [[Kaspersky] Time of death? A therapeutic postmortem of connected medicine](https://securelist.com/time-of-death-connected-medicine/84315/) | [:closed_book:](../../blob/master/2018/2018.03.13.A_therapeutic_postmortem_of_connected_medicine)
* Mar 13 - [[Proofpoint] Drive-by as a service: BlackTDS](https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds) | [:closed_book:](../../blob/master/2018/2018.03.13.BlackTDS)
* Mar 13 - [[ESET] OceanLotus: Old techniques, new backdoor](https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf) | [:closed_book:](../../blob/master/2018/2018.03.13.OceanLotus_Old_techniques_new_backdoor)
* Mar 12 - [[Trend Micro] Campaign Possibly Connected to “MuddyWater” Surfaces in the Middle East and Central Asia](https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/) | [:closed_book:](../../blob/master/2018/2018.03.12.MuddyWater_Middle_East_and_Central_Asia)
* Mar 09 - [[CitizenLab] BAD TRAFFIC Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/) | [:closed_book:](../../blob/master/2018/2018.03.09.Sandvine_PacketLogic_Devices_APT)
* Mar 09 - [[Kaspersky] Masha and these Bears 2018 Sofacy Activity](https://securelist.com/masha-and-these-bears/84311/) | [:closed_book:](../../blob/master/2018/2018.03.09.masha-and-these-bears)
* Mar 09 - [[NCC] APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/?Year=2018&Month=3) | [:closed_book:](../../blob/master/2018/2018.03.09.APT15_is_alive_and_strong)
* Mar 09 - [[ESET] New traces of Hacking Team in the wild](https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/) | [:closed_book:](../../blob/master/2018/2018.03.09.new-traces-hacking-team-wild)
* Mar 08 - [[McAfee] Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant](https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/) | [:closed_book:](../../blob/master/2018/2018.03.08.hidden-cobra-targets-turkish-financial)
* Mar 08 - [[Kaspersky] OlympicDestroyer is here to trick the industry](https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/) | [:closed_book:](../../blob/master/2018/2018.03.08.olympicdestroyer-is-here-to-trick-the-industry)
* Mar 08 - [[Arbor] Donot Team Leverages New Modular Malware Framework in South Asia](https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/) | [:closed_book:](../../blob/master/2018/2018.03.08.donot-team-leverages-new-modular)
* Mar 08 - [[Crysys] Territorial Dispute NSA's perspective on APT landscape](https://www.crysys.hu/files/tedi/ukatemicrysys_territorialdispute.pdf) | [:closed_book:](../../blob/master/2018/2018.03.08.Territorial_Dispute)
* Mar 07 - [[Palo Alto Networks] Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent](https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/) | [:closed_book:](../../blob/master/2018/2018.03.07.patchwork-continues-deliver-badnews-indian-subcontinent)
* Mar 06 - [[Kaspersky] The Slingshot APT](https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf) | [:closed_book:](../../blob/master/2018/2018.03.06.The-Slingshot-APT)
* Mar 05 - [[Palo Alto Networks] Sure, I'll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency](https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/) | [:closed_book:](../../blob/master/2018/2018.03.05.New_ComboJack_Malware)
* Mar 02 - [[McAfee] McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups](https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/) | [:closed_book:](../../blob/master/2018/2018.03.02.Operation_Honeybee)
* Mar 01 - [[Security 0wnage] A Quick Dip into MuddyWater's Recent Activity](https://sec0wn.blogspot.tw/2018/03/a-quick-dip-into-muddywaters-recent.html) | [:closed_book:](../../blob/master/2018/2018.03.01.a-quick-dip-into-muddywaters-recent)
* Feb 28 - [[Palo Alto Networks] Sofacy Attacks Multiple Government Entities](https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/) | [:closed_book:](../../blob/master/2018/2018.02.28.sofacy-attacks-multiple-government-entities)
* Feb 28 - [[Symantec] Chafer: Latest Attacks Reveal Heightened Ambitions](https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions) | [:closed_book:](../../blob/master/2018/2018.02.28.Chafer_Latest_Attacks_Reveal)
* Feb 21 - [[Avast] Avast tracks down Tempting Cedar Spyware](https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware) | [:closed_book:](../../blob/master/2018/2018.02.21.Tempting_Cedar)
* Feb 20 - [[Arbor] Musical Chairs Playing Tetris](https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/) | [:closed_book:](../../blob/master/2018/2018.02.20.musical-chairs-playing-tetris)
* Feb 20 - [[Kaspersky] A Slice of 2017 Sofacy Activity](https://securelist.com/a-slice-of-2017-sofacy-activity/83930/) | [:closed_book:](../../blob/master/2018/2018.02.20.a-slice-of-2017-sofacy-activity)
* Feb 20 - [[FireEye] APT37 (Reaper): The Overlooked North Korean Actor](https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf) | [:closed_book:](../../blob/master/2018/2018.02.20.APT37)
* Feb 13 - [[Trend Micro] Deciphering Confucius Cyberespionage Operations](https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/) | [:closed_book:](../../blob/master/2018/2018.02.13.deciphering-confucius)
* Feb 13 - [[RSA] Lotus Blossom Continues ASEAN Targeting](https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting) | [:closed_book:](../../blob/master/2018/2018.02.13.Lotus-Blossom-Continues)
* Feb 07 - [[CISCO] Targeted Attacks In The Middle East](http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html) | [:closed_book:](../../blob/master/2018/2018.02.07.targeted-attacks-in-middle-east_VBS_CAMPAIGN)
* Feb 02 - [[McAfee] Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems](https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/) | [:closed_book:](../../blob/master/2018/2018.02.02.gold-dragon-widens-olympics-malware)
* Feb 01 - [[Bitdefender] Operation PZChao: a possible return of the Iron Tiger APT](https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/) | [:closed_book:](../../blob/master/2018/2018.02.01.operation-pzchao)
* Jan 30 - [[Palo Alto Networks] Comnie Continues to Target Organizations in East Asia](https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/) | [:closed_book:](../../blob/master/2018/2018.01.31.Comnie_Continues_to_Target_Organizations_in_East_Asia)
* Jan 30 - [[RSA] APT32 Continues ASEAN Targeting](https://community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting) | [:closed_book:](../../blob/master/2018/2018.01.30.APT32_Continues_ASEAN_Targeting)
* Jan 29 - [[Trend Micro] Hacking Group Spies on Android Users in India Using PoriewSpy](https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-group-spies-android-users-india-using-poriewspy/) | [:closed_book:](../../blob/master/2018/2018.01.29.PoriewSpy.India)
* Jan 29 - [[Palo Alto Networks] VERMIN: Quasar RAT and Custom Malware Used In Ukraine](https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/) | [:closed_book:](../../blob/master/2018/2018.01.29.VERMIN_Quasar_RAT_and_Custom_Malware_Used_In_Ukraine)
* Jan 27 - [[Accenture] DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS MEETING AND ASSOCIATES](https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf) | [:closed_book:](../../blob/master/2018/2018.01.27.DRAGONFISH)
* Jan 26 - [[Palo Alto Networks] The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services](https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/) | [:closed_book:](../../blob/master/2018/2018.01.26.TopHat_Campaign)
* Jan 25 - [[Palo Alto Networks] OilRig uses RGDoor IIS Backdoor on Targets in the Middle East](https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/) | [:closed_book:](../../blob/master/2018/2018.01.25.oilrig_Middle_East)
* Jan 24 - [[Trend Micro] Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/) | [:closed_book:](../../blob/master/2018/2018.01.24.lazarus-campaign-targeting-cryptocurrencies)
* Jan 18 - [[NCSC] Turla group update Neuron malware](https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20Neuron%20Malware%20Update.pdf) | [:closed_book:](../../blob/master/2018/2018.01.18.Turla_group_update_Neuron_malware)
* Jan 17 - [[Lookout] Dark Caracal](https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf) | [:closed_book:](../../blob/master/2018/2018.01.18.Dark_Caracal)
* Jan 16 - [[Kaspersky] Skygofree: Following in the footsteps of HackingTeam](https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/) | [:closed_book:](../../blob/master/2018/2018.01.16.skygofree)
* Jan 16 - [[Recorded Future] North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign](https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/) | [:closed_book:](../../blob/master/2018/2018.01.16.north-korea-cryptocurrency-campaign)
* Jan 16 - [[CISCO] Korea In The Crosshairs](http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html) | [:closed_book:](../../blob/master/2018/2018.01.16.korea-in-crosshairs)
* Jan 15 - [[Trend Micro] New KillDisk Variant Hits Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/) | [:closed_book:](../../blob/master/2018/2018.01.15.new-killdisk-variant-hits-financial-organizations-in-latin-america)
* Jan 12 - [[Trend Micro] Update on Pawn Storm: New Targets and Politically Motivated Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork) | [:closed_book:](../../blob/master/2018/2018.01.12.update-pawn-storm-new-targets-politically)
* Jan 11 - [[McAfee] North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk](https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalists-targeted-using-social-networks-kakaotalk/) | [:closed_book:](../../blob/master/2018/2018.01.11.North_Korean_Defectors_and_Journalists_Targeted)
* Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [:closed_book:](../../blob/master/2018/2018.01.09.Turla_Mosquito)
* Jan 06 - [[McAfee] Malicious Document Targets Pyeongchang Olympics](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) | [:closed_book:](../../blob/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics)
* Jan 04 - [[Carnegie] Iran's Cyber Threat: Espionage, Sabotage, and Revenge](http://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf) | [:closed_book:](../../blob/master/2018/2018.01.04.Iran_Cyber_Threat_Carnegie)
## 2017
* Dec 19 - [[Proofpoint] North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group](https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new) | [:closed_book:](../../blob/master/2017/2017.12.19.North_Korea_Bitten_by_Bitcoin_Bug)
* Dec 17 - [[McAfee] Operation Dragonfly Analysis Suggests Links to Earlier Attacks](https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/) | [:closed_book:](../../blob/master/2017/2017.12.17.operation-dragonfly-analysis-suggests-links-to-earlier-attacks)
* Dec 14 - [[FireEye] Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure](https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html) | [:closed_book:](../../blob/master/2017/2017.12.14.attackers-deploy-new-ics-attack-framework-triton)
* Dec 11 - [[Group-IB] MoneyTaker, revealed after 1.5 years of silent operations.](https://www.group-ib.com/resources/reports/money-taker.html) | [:closed_book:](../../blob/master/2017/2017.12.11.MoneyTaker)
* Dec 11 - [[Trend Micro] Untangling the Patchwork Cyberespionage Group](http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/) | [:closed_book:](../../blob/master/2017/2017.12.11.Patchwork_APT)
* Dec 07 - [[FireEye] New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit](https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html) | [:closed_book:](../../blob/master/2017/2017.12.07.New_Targeted_Attack_in_the_Middle_East_by_APT34)
* Dec 05 - [[ClearSky] Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets And the HBO Hacker Connection](http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf) | [:closed_book:](../../blob/master/2017/2017.12.05.Charming_Kitten)
* Dec 04 - [[RSA] The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion](https://community.rsa.com/community/products/netwitness/blog/2017/12/04/anatomy-of-an-attack-carbanak) | [:closed_book:](../../blob/master/2017/2017.12.04.The_Shadows_of_Ghosts)
* Nov 22 - [[REAQTA] A dive into MuddyWater APT targeting Middle-East](https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/) | [:closed_book:](../../blob/master/2017/2017.11.22.MuddyWater_APT)
* Nov 14 - [[Palo Alto Networks] Muddying the Water: Targeted Attacks in the Middle East](https://researchcenter.paloaltonetworks.com/2017/11/2017.11.14.Muddying_the_Water) | [:closed_book:](../../blob/master/2017/2017.11.14.Muddying_the_Water)
* Nov 10 - [[Palo Alto Networks] New Malware with Ties to SunOrcal Discovered](https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/) | [:closed_book:](../../blob/master/2017/2017.11.10.New_Malware_with_Ties_to_SunOrcal_Discovered)
* Nov 07 - [[McAfee] Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack](https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/#sf151634298) | [:closed_book:](../../blob/master/2017/2017.11.07.APT28_Slips_Office_Malware)
* Nov 07 - [[Symantec] Sowbug: Cyber espionage group targets South American and Southeast Asian governments](https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments) | [:closed_book:](../../blob/master/2017/2017.11.07.sowbug-cyber-espionage-group-targets)
* Nov 06 - [[Trend Micro] ChessMaster's New Strategy: Evolving Tools and Tactics](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) | [:closed_book:](../../blob/master/2017/2017.11.06.ChessMaster_New_Strategy)
* Nov 06 - [[Volexity] OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/) | [:closed_book:](../../blob/master/2017/2017.11.06.oceanlotus-blossomsk)
* Nov 02 - [[Palo Alto Networks] Recent InPage Exploits Lead to Multiple Malware Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/) | [:closed_book:](../../blob/master/2017/2017.11.02.InPage_Exploits)
* Nov 02 - [[PwC] The KeyBoys are back in town](http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html) | [:closed_book:](../../blob/master/2017/2017.11.02.KeyBoys_are_back)
* Nov 02 - [[Clearsky] LeetMX a Yearlong Cyber-Attack Campaign Against Targets in Latin America](http://www.clearskysec.com/leetmx/) | [:closed_book:](../../blob/master/2017/2017.11.02.LeetMX)
* Nov 02 - [[RISKIQ] New Insights into Energetic Bear's Watering Hole Attacks on Turkish Critical Infrastructure](https://www.riskiq.com/blog/labs/energetic-bear/) | [:closed_book:](../../blob/master/2017/2017.11.02.Energetic_Bear_on_Turkish_Critical_Infrastructure)
* Oct 31 - [[Cybereason] Night of the Devil: Ransomware or wiper? A look into targeted attacks in Japan using MBR-ONI](https://www.cybereason.com/blog/night-of-the-devil-ransomware-or-wiper-a-look-into-targeted-attacks-in-japan) | [:closed_book:](../../blob/master/2017/2017.10.31.MBR-ONI.Japan)
* Oct 30 - [[Kaspersky] Gaza Cybergang updated activity in 2017](https://securelist.com/gaza-cybergang-updated-2017-activity/82765/) | [:closed_book:](../../blob/master/2017/2017.10.30.Gaza_Cybergang)
* Oct 27 - [[Bellingcat] Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia](https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/) | [:closed_book:](../../blob/master/2017/2017.10.27.bahamut-revisited)
* Oct 24 - [[ClearSky] Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies](http://www.clearskysec.com/greenbug/) | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 19 - [[Bitdefender] Operation PZCHAO](https://download.bitdefender.com/resources/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf) | [:closed_book:](../../blob/master/2017/2017.10.19.Operation_PZCHAO)
* Oct 16 - [[BAE Systems] Taiwan Heist: Lazarus Tools And Ransomware](https://baesystemsai.blogspot.kr/2017/10/taiwan-heist-lazarus-tools.html) | [:closed_book:](../../blob/master/2017/2017.10.16.Taiwan-Heist)
* Oct 16 - [[Kaspersky] BlackOasis APT and new targeted attacks leveraging zero-day exploit](https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/) | [:closed_book:](../../blob/master/2017/2017.10.16.BlackOasis_APT)
* Oct 16 - [[Proofpoint] Leviathan: Espionage actor spearphishes maritime and defense targets](https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets) | [:closed_book:](../../blob/master/2017/2017.10.16.Leviathan)
* Oct 12 - [[Dell] BRONZE BUTLER Targets Japanese Enterprises](https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses) | [:closed_book:](../../blob/master/2017/2017.10.12.BRONZE_BUTLER)
* Oct 10 - [[Trustwave] Post Soviet Bank Heists](https://www.trustwave.com/Resources/Library/Documents/Post-Soviet-Bank-Heists/) | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 02 - [[intezer] Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers]() | [:closed_book:](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Sep XX - [[MITRE] APT3 Adversary Emulation Plan](https://attack.mitre.org/w/img_auth.php/6/6c/APT3_Adversary_Emulation_Plan.pdf) | [:closed_book:](../../blob/master/2017/2017.09.XX.APT3_Adversary_Emulation_Plan)
* Sep 28 - [[Palo Alto Networks] Threat Actors Target Government of Belarus Using CMSTAR Trojan](https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/) | [:closed_book:](../../blob/master/2017/2017.09.28.Belarus_CMSTAR_Trojan)
* Sep 20 - [[intezer] Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner](http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/) | [:closed_book:](../../blob/master/2017/2017.09.20.Aurora_Operation_CCleaner)
* Sep 20 - [[FireEye] Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware](https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html) | [:closed_book:](../../blob/master/2017/2017.09.20.apt33-insights-into-iranian-cyber-espionage)
* Sep 20 - [[CISCO] CCleaner Command and Control Causes Concern](http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) | [:closed_book:](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[CISCO] CCleanup: A Vast Number of Machines at Risk](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | [:closed_book:](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[Kaspersky] An (un)documented Word feature abused by attackers](https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/) | [:closed_book:](../../blob/master/2017/2017.09.18.Windows_branch_of_the_Cloud_Atlas)
* Sep 12 - [[FireEye] FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html) | [:closed_book:](../../blob/master/2017/2017.09.12.FINSPY_CVE-2017-8759)
* Sep 06 - [[Symantec] Dragonfly: Western energy sector targeted by sophisticated attack group](https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group) | [:closed_book:](../../blob/master/2017/2017.09.06.dragonfly-western-energy-sector-targeted-sophisticated-attack-group)
* Sep 06 - [[Treadstone 71] Intelligence Games in the Power Grid](https://treadstone71llc.files.wordpress.com/2017/09/intelligence-games-in-the-power-grid-2016.pdf) | [:closed_book:](../../blob/master/2017/2017.09.06.intelligence-games-in-the-power-grid-2016)
* Aug 30 - [[ESET] Gazing at Gazer: Turla's new second stage backdoor](https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/) | [:closed_book:](../../blob/master/2017/2017.08.30.Gazing_at_Gazer)
* Aug 30 - [[Kaspersky] Introducing WhiteBear](https://securelist.com/introducing-whitebear/81638/) | [:closed_book:](../../blob/master/2017/2017.08.30.Introducing_WhiteBear)
* Aug 25 - [[Proofpoint] Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures](https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures) | [:closed_book:](../../blob/master/2017/2017.08.25.operation-rat-cook)
* Aug 18 - [[RSA] Russian Bank Offices Hit with Broad Phishing Wave](https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-bank-offices-hit-with-broad-phishing-wave) | [:closed_book:](../../blob/master/2017/2017.08.18.Russian_Bank_Offices_Hit)
* Aug 17 - [[Proofpoint] Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack](https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack) | [:closed_book:](../../blob/master/2017/2017.08.17.turla-apt-actor-refreshes-kopiluwak-javascript-backdoor)
* Aug 15 - [[Palo Alto Networks] The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure](https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/) | [:closed_book:](../../blob/master/2017/2017.08.15.Notepad_and_Chthonic)
* Aug 11 - [[FireEye] APT28 Targets Hospitality Sector, Presents Threat to Travelers](https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html) | [:closed_book:](../../blob/master/2017/2017.08.11.apt28-targets-hospitality-sector)
* Aug 08 - [[Kaspersky] APT Trends report Q2 2017](https://securelist.com/apt-trends-report-q2-2017/79332/) | [:closed_book:](../../blob/master/2017/2017.08.08.APT_Trends_Report_2017Q2)
* Aug 01 - [[Positive Research] Cobalt strikes back: an evolving multinational threat to finance](http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.html) | [:closed_book:](../../blob/master/2017/2017.08.01.cobalt-group-2017-cobalt-strikes-back)
* Jul 27 - [[Trend Micro] ChessMaster Makes its Move: A Look into the Campaign's Cyberespionage Arsenal](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) | [:closed_book:](../../blob/master/2017/2017.07.27.chessmaster-cyber-espionage-campaign)
* Jul 27 - [[Palo Alto Networks] OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group](https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/) | [:closed_book:](../../blob/master/2017/2017.07.27.oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group)
* Jul 27 - [[Clearsky, Trend Micro] Operation Wilted Tulip](http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf) | [:closed_book:](../../blob/master/2017/2017.07.27.Operation_Wilted_Tulip)
* Jul 24 - [[Palo Alto Networks] “Tick” Group Continues Attacks](https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/) | [:closed_book:](../../blob/master/2017/2017.07.24.Tick_group)
* Jul 18 - [[Clearsky] Recent Winnti Infrastructure and Samples](http://www.clearskysec.com/winnti/) | [:closed_book:](../../blob/master/2017/2017.07.18.winnti)
* Jul 18 - [[Bitdefender] Inexsmar: An unusual DarkHotel campaign](https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/) | [:closed_book:](../../blob/master/2017/2017.07.18.Inexsmar)
* Jul 11 - [[ProtectWise] Winnti Evolution - Going Open Source](https://www.protectwise.com/blog/winnti-evolution-going-open-source.html) | [:closed_book:](../../blob/master/2017/2017.07.11.winnti-evolution-going-open-source)
* Jul 10 - [[Trend Micro] OSX Malware Linked to Operation Emmental Hijacks User Network Traffic](http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/) | [:closed_book:](../../blob/master/2017/2017.07.10.osx_dok-mac-malware-emmental-hijacks-user-network-traffic)
* Jul 06 - [[Malware Party] Operation Desert Eagle](http://mymalwareparty.blogspot.tw/2017/07/operation-desert-eagle.html) | [:closed_book:](../../blob/master/2017/2017.07.06.Operation_Desert_Eagle)
* Jul 05 - [[Citizen Lab] Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | [:closed_book:](../../blob/master/2017/2017.07.05.insider-information)
* Jun 30 - [[ESET] TeleBots are back: supply-chain attacks against Ukraine](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/) | [:closed_book:](../../blob/master/2017/2017.06.30.telebots-back-supply-chain)
* Jun 30 - [[Kaspersky] From BlackEnergy to ExPetr](https://securelist.com/from-blackenergy-to-expetr/78937/) | [:closed_book:](../../blob/master/2017/2017.06.30.From_BlackEnergy_to_ExPetr)
* Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [:closed_book:](../../blob/master/2017/2017.06.26.Threat_Group-4127)
* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [:closed_book:](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)
* Jun 22 - [[Trend Micro] Following the Trail of BlackTech's Cyber Espionage Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/) | [:closed_book:](../../blob/master/2017/2017.06.22.following-trail-blacktech-cyber-espionage-campaigns)
* Jun 19 - [[root9B] SHELLTEA + POSLURP MALWARE: memory resident point-of-sale malware attacks industry](https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf) | [:closed_book:](../../blob/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE)
* Jun 18 - [[Palo Alto Networks] APT3 Uncovered: The code evolution of Pirpi](https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf) | [:closed_book:](../../blob/master/2017/2017.06.18.APT3_Uncovered_The_code_evolution_of_Pirpi)
* Jun 15 - [[Recorded Future] North Korea Is Not Crazy](https://www.recordedfuture.com/north-korea-cyber-activity/) | [:closed_book:](../../blob/master/2017/2017.06.15.north-korea-cyber-activity)
* Jun 14 - [[ThreatConnect] KASPERAGENT Malware Campaign resurfaces in the run up to May Palestinian Authority Elections](https://www.threatconnect.com/blog/kasperagent-malware-campaign/) | [:closed_book:](../../blob/master/2017/2017.06.14.KASPERAGENT)
* Jun 13 - [[US-CERT] HIDDEN COBRA North Korea's DDoS Botnet Infrastructure](https://www.us-cert.gov/ncas/alerts/TA17-164A) | [:closed_book:](../../blob/master/2017/2017.06.13.HIDDEN_COBRA)
* Jun 12 - [[Dragos] CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations](https://dragos.com/blog/crashoverride/CrashOverride-01.pdf) | [:closed_book:](../../blob/master/2017/2017.06.12.CRASHOVERRIDE)
* Jun 12 - [[ESET] WIN32/INDUSTROYER A new threat for industrial control systems](https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf) | [:closed_book:](../../blob/master/2017/2017.06.12.INDUSTROYER)
* May 30 - [[Group-IB] Lazarus Arisen: Architecture, Techniques and Attribution](http://www.group-ib.com/lazarus.html) | [:closed_book:](../../blob/master/2017/2017.05.30.Lazarus_Arisen)
* May 24 - [[Cybereason] OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP](https://www.cybereason.com/blog/operation-cobalt-kitty-apt) | [:closed_book:](../../blob/master/2017/2017.05.24.OPERATION_COBALT_KITTY)
* May 14 - [[FireEye] Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations](https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html) | [:closed_book:](../../blob/master/2017/2017.05.14.cyber-espionage-apt32)
* May 03 - [[Palo Alto Networks] Kazuar: Multiplatform Espionage Backdoor with API Access](http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-acces) | [:closed_book:](../../blob/master/2017/2017.05.03.kazuar-multiplatform-espionage-backdoor-api-access)
* May 03 - [[CISCO] KONNI: A Malware Under The Radar For Years](http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html) | [:closed_book:](../../blob/master/2017/konni-malware-under-radar-for-years)
* Apr 27 - [[Morphisec] Iranian Fileless Attack Infiltrates Israeli Organizations](http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability) | [:closed_book:](../../blob/master/2017/2017.04.27.iranian-fileless-cyberattack-on-israel-word-vulnerability)
* Apr 13 - [[F-SECURE] Callisto Group](https://www.f-secure.com/documents/996508/1030745/callisto-group) | [:closed_book:](../../blob/master/2017/2017.04.13.callisto-group)
* Apr 11 - [[Kaspersky] Unraveling the Lamberts Toolkit](https://securelist.com/unraveling-the-lamberts-toolkit/77990/) | [:closed_book:](../../blob/master/2017/2017.04.11.Lamberts_Toolkit)
* Apr 10 - [[Symantec] Longhorn: Tools used by cyberespionage group linked to Vault 7](https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7) | [:closed_book:](../../blob/master/2017/2017.04.10_Longhorn)
* Apr 06 - [[PwC] Operation Cloud Hopper](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) | [:closed_book:](../../blob/master/2017/2017.04.06.Operation_Cloud_Hopper)
* Apr 05 - [[Palo Alto Networks, Clearsky] Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA](https://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/) | [:closed_book:](../../blob/master/2017/2017.04.05.KASPERAGENT_and_MICROPSIA)
* Mar 15 - [[JPCERT] FHAPPI Campaign](http://blog.0day.jp/p/english-report-of-fhappi-freehosting.html) | [:closed_book:](../../blob/master/2017/2017.03.15.FHAPPI_Campaign)
* Mar 14 - [[Clearsky] Operation Electric Powder - Who is targeting Israel Electric Company?](http://www.clearskysec.com/iec/) | [:closed_book:](../../blob/master/2017/2017.03.14.Operation_Electric_Powder)
* Mar 08 - [[Netskope] Targeted Attack Campaigns with Multi-Variate Malware Observed in the Cloud](https://www.netskope.com/blog/targeted-attack-campaigns-multi-variate-malware-observed-cloud) | [:closed_book:](../../blob/master/2017/2017.03.08.Targeted_Attack_Campaigns)
* Mar 06 - [[Kaspersky] From Shamoon to StoneDrill](https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/) | [:closed_book:](../../blob/master/2017/2017.03.06.from-shamoon-to-stonedrill)
* Feb 28 - [[IBM] Dridex's Cold War: Enter AtomBombing](https://securityintelligence.com/dridexs-cold-war-enter-atombombing/) | [:closed_book:](../../blob/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing)
* Feb 27 - [[Palo Alto Networks] The Gamaredon Group Toolset Evolution](http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/) | [:closed_book:](../../blob/master/2017/2017.02.27.gamaredon-group-toolset-evolution/)
* Feb 23 - [[Bitdefender] Dissecting the APT28 Mac OS X Payload](https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf) | [:closed_book:](../../blob/master/2017/2017.02.23.APT28_Mac_OS_X_Payload)
* Feb 22 - [[FireEye] Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government](https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html) | [:closed_book:](../../blob/master/2017/2017.02.22.Spear_Phishing_Mongolian_Government)
* Feb 21 - [[Arbor] Additional Insights on Shamoon2](https://www.arbornetworks.com/blog/asert/additional-insights-on-shamoon2/) | [:closed_book:](../../blob/master/2017/2017.02.21.Additional_Insights_on_Shamoon2)
* Feb 20 - [[BAE Systems] Lazarus' False Flag Malware](http://baesystemsai.blogspot.tw/2017/02/lazarus-false-flag-malware.html) | [:closed_book:](../../blob/master/2017/2017.02.20.Lazarus_False_Flag_Malware)
* Feb 17 - [[JPCERT] ChChes - Malware that Communicates with C&C Servers Using Cookie Headers](http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html) | [:closed_book:](../../blob/master/2017/2017.02.17.chches-malware)
* Feb 16 - [[BadCyber] Technical analysis of recent attacks against Polish banks](https://badcyber.com/technical-analysis-of-recent-attacks-against-polish-banks/) | [:closed_book:](../../blob/master/2017/2017.02.16.Technical_analysis_Polish_banks)
* Feb 15 - [[Morphick] Deep Dive On The DragonOK Rambo Backdoor](http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor) | [:closed_book:](../../blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor)
* Feb 15 - [[IBM] The Full Shamoon: How the Devastating Malware Was Inserted Into Networks](https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/) | [:closed_book:](../../blob/master/2017/2017.02.15.the-full-shamoon)
* Feb 15 - [[Dell] Iranian PupyRAT Bites Middle Eastern Organizations](https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations) | [:closed_book:](../../blob/master/2017/2017.02.15.iranian-pupyrat-bites-middle-eastern-organizations)
* Feb 15 - [[Palo Alto Networks] Magic Hound Campaign Attacks Saudi Targets](http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/) | [:closed_book:](../../blob/master/2017/2017.02.15.magic-hound-campaign)
* Feb 14 - [[Medium] Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal](https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852#.cly4mg1g8) | [:closed_book:](../../blob/master/2017/2017.02.14.Operation_Kingphish)
* Feb 12 - [[BAE Systems] Lazarus & Watering-Hole Attacks](https://baesystemsai.blogspot.tw/2017/02/lazarus-watering-hole-attacks.html) | [:closed_book:](../../blob/master/2017/2017.02.12.lazarus-watering-hole-attacks)
* Feb 10 - [[Cysinfo] Cyber Attack Targeting Indian Navy's Submarine And Warship Manufacturer](https://cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/) | [:closed_book:](../../blob/master/2017/2017.02.10.cyber-attack-targeting-indian-navys-submarine-warship-manufacturer)
* Feb 10 - [[DHS] Enhanced Analysis of GRIZZLY STEPPE Activity](https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf) | [:closed_book:](../../blob/master/2017/2017.02.10.Enhanced_Analysis_of_GRIZZLY_STEPPE)
* Feb 03 - [[RSA] KingSlayer A Supply chain attack](https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf) | [:closed_book:](../../blob/master/2017/2017.02.03.kingslayer-a-supply-chain-attack)
* Feb 03 - [[BadCyber] Several Polish banks hacked, information stolen by unknown attackers](https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/) | [:closed_book:](../../blob/master/2017/2017.02.03.several-polish-banks-hacked)
* Feb 02 - [[Proofpoint] Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx) | [:closed_book:](../../blob/master/2017/2017.02.02.APT_Targets_Russia_and_Belarus_with_ZeroT_and_PlugX)
* Jan 30 - [[Palo Alto Networks] Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments](http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/) | [:closed_book:](../../blob/master/2017/2017.01.30.downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments)
* Jan 25 - [[Microsoft] Detecting threat actors in recent German industrial attacks with Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/?source=mmpc) | [:closed_book:](../../blob/master/2017/2017.01.25.german-industrial-attacks)
* Jan 19 - [[Cysinfo] URI Terror Attack & Kashmir Protest Themed Spear Phishing Emails Targeting Indian Embassies And Indian Ministry Of External Affairs](https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/) | [:closed_book:](../../blob/master/2017/2017.01.19.uri-terror-attack)
* Jan 18 - [[Trustwave] Operation Grand Mars: Defending Against Carbanak Cyber Attacks](https://www.trustwave.com/Resources/Library/Documents/Operation-Grand-Mars--Defending-Against-Carbanak-Cyber-Attacks/) | [:closed_book:](../../blob/master/2017/2017.01.18.Operation-Grand-Mars)
* Jan 15 - [[tr1adx] Bear Spotting Vol. 1: Russian Nation State Targeting of Government and Military Interests](https://www.tr1adx.net/intel/TIB-00003.html) | [:closed_book:](../../blob/master/2017/2017.01.15.Bear_Spotting_Vol.1)
* Jan 12 - [[Kaspersky] The “EyePyramid” attacks](https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/) | [:closed_book:](../../blob/master/2017/2017.01.12.EyePyramid.attacks)
* Jan 11 - [[FireEye] APT28: AT THE CENTER OF THE STORM](https://www.fireeye.com/blog/threat-research/2017/01/apt28_at_the_center.html) | [:closed_book:](../../blob/master/2017/2017.01.11.apt28_at_the_center)
* Jan 09 - [[Palo Alto Networks] Second Wave of Shamoon 2 Attacks Identified](http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/) | [:closed_book:](../../blob/master/2017/2017.01.09.second-wave-shamoon-2-attacks-identified)
* Jan 05 - [[Clearsky] Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford](http://www.clearskysec.com/oilrig/) | [:closed_book:](../../blob/master/2017/2017.01.05.Iranian_Threat_Agent_OilRig)
## 2016
* Dec 15 - [[Microsoft] PROMETHIUM and NEODYMIUM APT groups on Turkish citizens living in Turkey and various other European countries.](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf) | [:closed_book:](../../blob/master/2016/2016.12.15.PROMETHIUM_and_NEODYMIUM)
* Dec 13 - [[ESET] The rise of TeleBots: Analyzing disruptive KillDisk attacks](http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/) | [:closed_book:](../../blob/master/2016/2016.12.13.rise-telebots-analyzing-disruptive-killdisk-attacks)
* Nov 30 - [[Cysinfo] MALWARE ACTORS USING NIC CYBER SECURITY THEMED SPEAR PHISHING TO TARGET INDIAN GOVERNMENT ORGANIZATIONS](https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/) | [:closed_book:](../../blob/master/2016/2016.11.30.nic-cyber-security-themed)
* Nov 22 - [[Palo Alto Networks] Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy](http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/) | [:closed_book:](../../blob/master/2016/2016.11.22.tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy)
* Nov 09 - [[Fidelis] Down the H-W0rm Hole with Houdini's RAT](https://www.fidelissecurity.com/threatgeek/2016/11/down-h-w0rm-hole-houdinis-rat) | [:closed_book:](../../blob/master/2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat)
* Nov 03 - [[Booz Allen] When The Lights Went Out: Ukraine Cybersecurity Threat Briefing](http://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf) | [:closed_book:](../../blob/master/2016/2016.11.03.Ukraine_Cybersecurity_Threat_Briefing)
* Oct 31 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [:closed_book:](../../blob/master/2016/2016.10.31.Emissary_Trojan_Changelog)
* Oct 27 - [[ESET] En Route with Sednit Part 3: A Mysterious Downloader](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf) | [:closed_book:](../../blob/master/2016/2016.10.27.En_Route_Part3)
* Oct 27 - [[Trend Micro] BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List](http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/) | [:closed_book:](../../blob/master/2016/2016.10.27.BLACKGEAR_Espionage_Campaign_Evolves)
* Oct 26 - [[Vectra Networks] Moonlight - Targeted attacks in the Middle East](http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks) | [:closed_book:](../../blob/master/2016/2016.10.26.Moonlight_Middle_East)
* Oct 25 - [[Palo Alto Networks] Houdini's Magic Reappearance](http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/) | [:closed_book:](../../blob/master/2016/2016.10.25.Houdini_Magic_Reappearance)
* Oct 25 - [[ESET] En Route with Sednit Part 2: Lifting the lid on Sednit: A closer look at the software it uses](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf) | [:closed_book:](../../blob/master/2016/2016.10.25.Lifting_the_lid_on_Sednit)
* Oct 20 - [[ESET] En Route with Sednit Part 1: Approaching the Target](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf) | [:closed_book:](../../blob/master/2016/2016.10.20.En_Route_with_Sednit)
* Oct 17 - [[ThreatConnect] ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence?](https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/) | [:closed_book:](../../blob/master/2016/2016.10.16.A_Tale_of_Two_Targets)
* Oct 05 - [[Kaspersky] Wave your false flags](https://securelist.com/files/2016/10/Bartholomew-GuerreroSaade-VB2016.pdf) | [:closed_book:](../../blob/master/2016/2016.10.05_Wave_Your_False_flag)
* Oct 03 - [[Kaspersky] On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users](https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/) | [:closed_book:](../../blob/master/2016/2016.10.03.StrongPity)
* Sep 29 - [[NATO CCD COE] China and Cyber: Attitudes, Strategies, Organisation](https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_CHINA_092016.pdf) | [:closed_book:](../../blob/master/2016/2016.09.29.China_and_Cyber_Attitudes_Strategies_Organisation)
* Sep 28 - [[Palo Alto Networks] Confucius Says…Malware Families Get Further By Abusing Legitimate Websites](https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/) | [:closed_book:](../../blob/master/2016/2016.09.28.Confucius_Says)
* Sep 28 - [[ThreatConnect] Belling the BEAR: russia-hacks-bellingcat-mh17-investigation](https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/) | [:closed_book:](../../blob/master/2016/2016.09.28.russia-hacks-bellingcat-mh17-investigation)
* Sep 26 - [[Palo Alto Networks] Sofacy's Komplex OS X Trojan](http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/) | [:closed_book:](../../blob/master/2016/2016.09.26_Sofacy_Komplex_OSX_Trojan)
* Sep 18 - [[Cyberkov] Hunting Libyan Scorpions](https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf) | [:closed_book:](../../blob/master/2016/2016.09.18.Hunting-Libyan-Scorpions)
* Sep 14 - [[Palo Alto Networks] MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies](http://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/) | [:closed_book:](../../blob/master/2016/2016.09.14.MILE_TEA)
* Sep 06 - [[Symantec] Buckeye cyberespionage group shifts gaze from US to Hong Kong](http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong) | [:closed_book:](../../blob/master/2016/2016.09.06.buckeye-cyberespionage-group-shifts-gaze-us-hong-kong)
* Sep 01 - [[IRAN THREATS] MALWARE POSING AS HUMAN RIGHTS ORGANIZATIONS AND COMMERCIAL SOFTWARE TARGETING IRANIANS, FOREIGN POLICY INSTITUTIONS AND MIDDLE EASTERN COUNTRIES](https://iranthreats.github.io/resources/human-rights-impersonation-malware/) | [:closed_book:](../../blob/master/2016/2016.09.01.human-rights-impersonation-malware)
* Aug 25 - [[Lookout] Technical Analysis of Pegasus Spyware](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf) | [:closed_book:](../../blob/master/2016/2016.08.25.lookout-pegasus-technical-analysis)
* Aug 24 - [[Citizen Lab] The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/) | [:closed_book:](../../blob/master/2016/2016.08.24.million-dollar-dissident-iphone-zero-day-nso-group-uae)
* Aug 19 - [[ThreatConnect] Russian Cyber Operations on Steroids](https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/) | [:closed_book:](../../blob/master/2016/2016.08.19.fancy-bear-anti-doping-agency-phishing)
* Aug 17 - [[Kaspersky] Operation Ghoul: targeted attacks on industrial and engineering organizations](https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/) | [:closed_book:](../../blob/master/2016/2016.08.17_operation-ghoul)
* Aug 16 - [[Palo Alto Networks] Aveo Malware Family Targets Japanese Speaking Users](http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/) | [:closed_book:](../../blob/master/2016/2016.08.16.aveo-malware-family-targets-japanese)
* Aug 11 - [[IRAN THREATS] Iran and the Soft War for Internet Dominance](https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf) | [:closed_book:](../../blob/master/2016/2016.08.11.Iran-And-The-Soft-War-For-Internet-Dominance)
* Aug 08 - [[Forcepoint] MONSOON](https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign) | [:closed_book:](../../blob/master/2016/2016.08.08.monsoon-analysis-apt-campaign)
* Aug 08 - [[Kaspersky] ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms](https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/) | [:closed_book:](../../blob/master/2016/2016.08.08.ProjectSauron)
* Aug 07 - [[Symantec] Strider: Cyberespionage group turns eye of Sauron on targets](http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets) | [:closed_book:](../../blob/master/2016/2016.08.07.Strider_Cyberespionage_group_turns_eye_of_Sauron_on_targets)
* Aug 06 - [[360] APT-C-09](http://www.nsoad.com/Article/Network-security/20160806/269.html) | [:closed_book:](../../blob/master/2016/2016.08.06.APT-C-09)
* Aug 04 - [[Recorded Future] Running for Office: Russian APT Toolkits Revealed](https://www.recordedfuture.com/russian-apt-toolkits/) | [:closed_book:](../../blob/master/2016/2016.08.04.russian-apt-toolkits)
* Aug 03 - [[EFF] Operation Manul: I Got a Letter From the Government the Other Day...Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan](https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf) | [:closed_book:](../../blob/master/2016/2016.08.03.i-got-a-letter-from-the-government)
* Aug 02 - [[Citizen Lab] Group5: Syria and the Iranian Connection](https://citizenlab.org/2016/08/group5-syria/) | [:closed_book:](../../blob/master/2016/2016.08.02.group5-syria)
* Jul 28 - [[ICIT] China's Espionage Dynasty](http://icitech.org/wp-content/uploads/2016/07/ICIT-Brief-China-Espionage-Dynasty.pdf) | [:closed_book:](../../blob/master/2016/2016.07.28.China_Espionage_Dynasty)
* Jul 26 - [[Palo Alto Networks] Attack Delivers 9002 Trojan Through Google Drive](http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/) | [:closed_book:](../../blob/master/2016/2016.07.26.Attack_Delivers_9002_Trojan_Through_Google_Drive)
* Jul 21 - [[360] Sphinx (APT-C-15) Targeted cyber-attack in the Middle East](https://ti.360.com/upload/report/file/rmsxden20160721.pdf) | [:closed_book:](../../blob/master/2016/2016.07.21.Sphinx_Targeted_cyber-attack_in_the_Middle_East)
* Jul 21 - [[RSA] Hide and Seek: How Threat Actors Respond in the Face of Public Exposure](https://www.rsaconference.com/writable/presentations/file_upload/tta1-f04_hide-and-seek-how-threat-actors-respond-in-the-face-of-public-exposure.pdf) | [:closed_book:](../../blob/master/2016/2016.07.21.Hide_and_Seek)
* Jul 13 - [[SentinelOne] State-Sponsored SCADA Malware targeting European Energy Companies](https://sentinelone.com/blogs/sfg-furtims-parent/) | [:closed_book:](../../blob/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies)
* Jul 12 - [[F-SECURE] NanHaiShu: RATing the South China Sea](https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf) | [:closed_book:](../../blob/master/2016/2016.07.12.NanHaiShu_RATing_the_South_China_Sea)
* Jul 08 - [[Kaspersky] The Dropping Elephant - aggressive cyber-espionage in the Asian region](https://securelist.com/blog/research/75328/the-dropping-elephant-actor/) | [:closed_book:](../../blob/master/2016/2016.07.08.The_Dropping_Elephant)
* Jul 07 - [[Proofpoint] NetTraveler APT Targets Russian, European Interests](https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests) | [:closed_book:](../../blob/master/2016/2016.07.07.nettraveler-apt-targets-russian-european-interests)
* Jul 07 - [[Cymmetria] UNVEILING PATCHWORK: THE COPY-PASTE APT](https://www.cymmetria.com/wp-content/uploads/2016/07/Unveiling-Patchwork.pdf) | [:closed_book:](../../blob/master/2016/2016.07.07.UNVEILING_PATCHWORK)
* Jul 03 - [[Check Point] From HummingBad to Worse](http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf) | [:closed_book:](../../blob/master/2016/2016.07.03_From_HummingBad_to_Worse)
* Jul 01 - [[Bitdefender] Pacifier APT](http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf) | [:closed_book:](../../blob/master/2016/2016.07.01.Bitdefender_Pacifier_APT)
* Jul 01 - [[ESET] Espionage toolkit targeting Central and Eastern Europe uncovered](http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eastern-europe-uncovered/) | [:closed_book:](../../blob/master/2016/2016.07.01.SBDH_toolkit_targeting_Central_and_Eastern_Europe)
* Jun 30 - [[JPCERT] Asruex: Malware Infecting through Shortcut Files](http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html) | [:closed_book:](../../blob/master/2016/2016.06.30.Asruex)
* Jun 28 - [[Palo Alto Networks] Prince of Persia - Game Over](http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/) | [:closed_book:](../../blob/master/2016/2016.06.28.prince-of-persia-game-over)
* Jun 28 - [[JPCERT] (Japan)Attack Tool Investigation](https://www.jpcert.or.jp/research/20160628ac-ir_research.pdf) | [:closed_book:](../../blob/master/2016/2016.06.28.Attack_Tool_Investigation)
* Jun 26 - [[Trend Micro] The State of the ESILE/Lotus Blossom Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the-esilelotus-blossom-campaign/) | [:closed_book:](../../blob/master/2016/2016.06.26.The_State_of_the_ESILE_Lotus_Blossom_Campaign)
* Jun 26 - [[Cylance] Nigerian Cybercriminals Target High-Impact Industries in India via Pony](https://blog.cylance.com/threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony) | [:closed_book:](../../blob/master/2016/2016.06.26.Nigerian_Cybercriminals_Target_High_Impact_Industries_in_India)
* Jun 23 - [[Palo Alto Networks] Tracking Elirks Variants in Japan: Similarities to Previous Attacks](http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/) | [:closed_book:](../../blob/master/2016/2016.06.23.Tracking_Elirks_Variants_in_Japan)
* Jun 21 - [[Fortinet] The Curious Case of an Unknown Trojan Targeting German-Speaking Users](https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users) | [:closed_book:](../../blob/master/2016/2016.06.21.Unknown_Trojan_Targeting_German_Speaking_Users)
* Jun 21 - [[FireEye] Redline Drawn: China Recalculates Its Use of Cyber Espionage](https://www.fireeye.com/content/dam/FireEye-www/current-threats/pdfs/rpt-china-espionage.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.Redline_Drawn_China_Recalculates_Its_Use_of_Cyber_Espionage)
* Jun 21 - [[ESET] Visiting The Bear Den](http://www.welivesecurity.com/wp-content/uploads/2016/06/visiting_the_bear_den_recon_2016_calvet_campos_dupuy-1.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.visiting_the_bear_den_recon_2016_calvet_campos_dupuy)
* Jun 17 - [[Kaspersky] Operation Daybreak](https://securelist.com/operation-daybreak/75100/) | [:closed_book:](../../blob/master/2016/2016.06.17.Operation_Daybreak)
* Jun 16 - [[Dell] Threat Group-4127 Targets Hillary Clinton Presidential Campaign](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) | [:closed_book:](../../blob/master/2016/2016.06.16.DNC)
* Jun 15 - [[CrowdStrike] Bears in the Midst: Intrusion into the Democratic National Committee](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) | [:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 09 - [[Clearsky] Operation DustySky Part 2](http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf) | [:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 02 - [[Trend Micro] FastPOS: Quick and Easy Credit Card Theft](http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf) | [:closed_book:](../../blob/master/2016/2016.06.02.fastpos-quick-and-easy-credit-card-theft/)
* May 27 - [[Trend Micro] IXESHE Derivative IHEATE Targets Users in America](http://blog.trendmicro.com/trendlabs-security-intelligence/ixeshe-derivative-iheate-targets-users-america/) | [:closed_book:](../../blob/master/2016/2016.05.27.IXESHE_Derivative_IHEATE_Targets_Users_in_America/)
* May 26 - [[Palo Alto Networks] The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) | [:closed_book:](../../blob/master/2016/2016.05.26.OilRig_Campaign/)
* May 25 - [[Kaspersky] CVE-2015-2545: overview of current threats](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/) | [:closed_book:](../../blob/master/2016/2016.05.25.CVE-2015-2545/)
* May 24 - [[Palo Alto Networks] New Wekby Attacks Use DNS Requests As Command and Control Mechanism](http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/) | [:closed_book:](../../blob/master/2016/2016.05.24.New_Wekby_Attacks)
* May 23 - [[MELANI:GovCERT] APT Case RUAG Technical Report](https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf) | [:closed_book:](../../blob/master/2016/2016.05.23.APT_Case_RUAG)
* May 22 - [[FireEye] TARGETED ATTACKS AGAINST BANKS IN THE MIDDLE EAST](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) | [:closed_book:](../../blob/master/2016/2016.05.22.Targeted_Attacks_Against_Banks_in_Middle_East)
* May 22 - [[Palo Alto Networks] Operation Ke3chang Resurfaces With New TidePool Malware](http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/) | [:closed_book:](../../blob/master/2016/2016.05.22.Operation_Ke3chang_Resurfaces_With_New_TidePool_Malware/)
* May 18 - [[ESET] Operation Groundbait: Analysis of a surveillance toolkit](http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf) | [:closed_book:](../../blob/master/2016/2016.05.18.Operation_Groundbait/)
* May 17 - [[FOX-IT] Mofang: A politically motivated information stealing adversary](https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf) | [:closed_book:](../../blob/master/2016/2016.05.17.Mofang)
* May 17 - [[Symantec] Indian organizations targeted in Suckfly attacks](http://www.symantec.com/connect/ko/blogs/indian-organizations-targeted-suckfly-attacks) | [:closed_book:](../../blob/master/2016/2016.05.17.Indian_organizations_targeted_in_Suckfly_attacks/)
* May 10 - [[Trend Micro] Backdoor as a Software Suite: How TinyLoader Distributes and Upgrades PoS Threats](http://blog.trendmicro.com/trendlabs-security-intelligence/how-tinyloader-distributes-and-upgrades-pos-threats/) | [paper](http://documents.trendmicro.com/assets/tinypos-abaddonpos-ties-to-tinyloader.pdf) | [:closed_book:](../../blob/master/2016/2016.05.10.tinyPOS_tinyloader/)
* May 09 - [[CMU SEI] Using Honeynets and the Diamond Model for ICS Threat Analysis](http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454247.pdf) | [:closed_book:](../../blob/master/2016/2016.05.09_ICS_Threat_Analysis/)
* May 06 - [[PwC] Exploring CVE-2015-2545 and its users](http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html) | [:closed_book:](../../blob/master/2016/2016.05.06_Exploring_CVE-2015-2545/)
* May 05 - [[Forcepoint] Jaku: an on-going botnet campaign](https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf) | [:closed_book:](../../blob/master/2016/2016.05.05_Jaku_botnet_campaign/)
* May 02 - [[Team Cymru] GOZNYM MALWARE target US, AT, DE](https://blog.team-cymru.org/2016/05/goznym-malware/) | [:closed_book:](../../blob/master/2016/2016.05.02.GOZNYM_MALWARE)
* May 02 - [[Palo Alto Networks] Prince of Persia: Infy Malware Active In Decade of Targeted Attacks](http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/) | [:closed_book:](../../blob/master/2016/2016.05.02.Prince_of_Persia_Infy_Malware/)
* Apr 27 - [[Kaspersky] Repackaging Open Source BeEF for Tracking and More](https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/) | [:closed_book:](../../blob/master/2016/2016.04.27.Repackaging_Open_Source_BeEF)
* Apr 26 - [[Financial Times] Cyber warfare: Iran opens a new front](http://www.ft.com/intl/cms/s/0/15e1acf0-0a47-11e6-b0f1-61f222853ff3.html#axzz478cZz3ao) | [:closed_book:](../../blob/master/2016/2016.04.26.Iran_Opens_a_New_Front/)
* Apr 26 - [[Arbor] New Poison Ivy Activity Targeting Myanmar, Asian Countries](https://www.arbornetworks.com/blog/asert/recent-poison-iv/) | [:closed_book:](../../blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/)
* Apr 22 - [[Cylance] The Ghost Dragon](https://blog.cylance.com/the-ghost-dragon) | [:closed_book:](../../blob/master/2016/2016.04.22.the-ghost-dragon)
* Apr 21 - [[SentinelOne] Teaching an old RAT new tricks](https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/) | [:closed_book:](../../blob/master/2016/2016.04.21.Teaching_an_old_RAT_new_tricks/)
* Apr 21 - [[Palo Alto Networks] New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists](http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/) | [:closed_book:](../../blob/master/2016/2016.04.21.New_Poison_Ivy_RAT_Variant_Targets_Hong_Kong/)
* Apr 18 - [[Citizen Lab] Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns](https://citizenlab.org/2016/04/between-hong-kong-and-burma/) | [:closed_book:](../../blob/master/2016/2016.04.18.UP007/)
* Apr 15 - [[SANS] Detecting and Responding to Pandas and Bears](http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf) | [:closed_book:](../../blob/master/2016/2016.04.15.pandas_and_bears/)
* Apr 12 - [[Microsoft] PLATINUM: Targeted attacks in South and Southeast Asia](http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf) | [:closed_book:](../../blob/master/2016/2016.04.12.PLATINUM_Targeted_attacks_in_South_and_Southeast_Asia/)
* Mar 25 - [[Palo Alto Networks] ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe](http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/?utm_medium=email&utm_source=Adobe%20Campaign&utm_campaign=Unit%2042%20Blog%20Updates%2031Mar16) | [:closed_book:](../../blob/master/2016/2016.03.25.ProjectM/)
* Mar 23 - [[Trend Micro] Operation C-Major: Information Theft Campaign Targets Military Personnel in India](http://blog.trendmicro.com/trendlabs-security-intelligence/indian-military-personnel-targeted-by-information-theft-campaign/) | [:closed_book:](../../blob/master/2016/2016.03.23.Operation_C_Major/)
* Mar 18 - [[SANS] Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf) | [:closed_book:](../../blob/master/2016/2016.03.18.Analysis_of_the_Cyber_Attack_on_the_Ukrainian_Power_Grid/)
* Mar 17 - [[PwC] Taiwan Presidential Election: A Case Study on Thematic Targeting](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html) | [:closed_book:](../../blob/master/2016/2016.03.17.Taiwan-election-targetting/)
* Mar 15 - [[Symantec] Suckfly: Revealing the secret life of your code signing certificates](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates) | [:closed_book:](../../blob/master/2016/2016.03.15.Suckfly)
* Mar 14 - [[Proofpoint] Bank robbery in progress: New attacks from Carbanak group target banks in Middle East and US](https://www.proofpoint.com/us/threat-insight/post/carbanak-cybercrime-group-targets-executives-of-financial-organizations-in-middle-east) | [:closed_book:](../../blob/master/2016/2016.03.14.Carbanak_cybercrime_group)
* Mar 10 - [[Citizen Lab] Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans](https://citizenlab.org/2016/03/shifting-tactics/) | [:closed_book:](../../blob/master/2016/2016.03.10.shifting-tactics)
* Mar 09 - [[FireEye] LESSONS FROM OPERATION RUSSIANDOLL](https://www.fireeye.com/blog/threat-research/2016/03/lessons-from-operation-russian-doll.html) | [:closed_book:](../../blob/master/2016/2016.03.09.Operation_RussianDoll)
* Mar 08 - [[360] Operation OnionDog: A 3 Year Old APT Focused On the Energy and Transportation Industries in Korean-language Countries](http://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html) | [:closed_book:](../../blob/master/2016/2016.03.08.OnionDog)
* Mar 03 - [[Recorded Future] Shedding Light on BlackEnergy With Open Source Intelligence](https://www.recordedfuture.com/blackenergy-malware-analysis/) | [:closed_book:](../../blob/master/2016/2016.03.03.Shedding_Light_BlackEnergy)
* Mar 01 - [[Proofpoint] Operation Transparent Tribe - APT Targeting Indian Diplomatic and Military Interests](https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe) | [:closed_book:](../../blob/master/2016/2016.03.01.Operation_Transparent_Tribe/)
* Feb 29 - [[Fidelis] The Turbo Campaign, Featuring Derusbi for 64-bit Linux](https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602_0.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 24 - [[NOVETTA] Operation Blockbuster](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 23 - [[Cylance] OPERATION DUST STORM](https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456355696065) | [:closed_book:](../../blob/master/2016/2016.02.23.Operation_Dust_Storm)
* Feb 12 - [[Palo Alto Networks] A Look Into Fysbis: Sofacy's Linux Backdoor](http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/) | [:closed_book:](../../blob/master/2016/2016.02.12.Fysbis_Sofacy_Linux_Backdoor)
* Feb 11 - [[Recorded Future] Hacktivism: India vs. Pakistan](https://www.recordedfuture.com/india-pakistan-cyber-rivalry/) | [:closed_book:](../../blob/master/2016/2016.02.11.Hacktivism_India_vs_Pakistan)
* Feb 09 - [[Kaspersky] Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage](https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/) | [:closed_book:](../../blob/master/2016/2016.02.09_Poseidon_APT_Boutique)
* Feb 08 - [[ICIT] Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups](http://icitech.org/know-your-enemies-2-0/) | [:closed_book:](../../blob/master/2016/2016.02.08.Know_Your_Enemies_2.0)
* Feb 04 - [[Palo Alto Networks] T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques](http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/) | [:closed_book:](../../blob/master/2016/2016.02.04_PaloAlto_T9000-Advanced-Modular-Backdoor)
* Feb 03 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [:closed_book:](../../blob/master/2016.02.03.Emissary_Trojan_Changelog)
* Feb 01 - [[Sucuri] Massive Admedia/Adverting iFrame Infection](https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html) | [:closed_book:](../../blob/master/2016/2016.02.01.Massive_Admedia_Adverting_iFrame_Infection)
* Feb 01 - [[IBM] Organized Cybercrime Big in Japan: URLZone Now on the Scene](https://securityintelligence.com/organized-cybercrime-big-in-japan-urlzone-now-on-the-scene/) | [:closed_book:](../../blob/master/2016/2016.02.01.URLzone_Team)
* Jan 29 - [[F5] Tinbapore: Millions of Dollars at Risk](https://devcentral.f5.com/d/tinbapore-millions-of-dollars-at-risk?download=true) | [:closed_book:](../../blob/master/2016/2016.01.29.Tinbapore_Attack)
* Jan 29 - [[Zscaler] Malicious Office files dropping Kasidet and Dridex](http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html) | [:closed_book:](../../blob/master/2016/2016.01.29.Malicious_Office_files_dropping_Kasidet_and_Dridex)
* Jan 28 - [[Kaspersky] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents](https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/) | [:closed_book:](../../blob/master/2016/2016.01.28.BlackEnergy_APT)
* Jan 27 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2016/2016.01.27.Hi-Zor.RAT)
* Jan 26 - [[SentinelOne] Analyzing a New Variant of BlackEnergy 3](https://www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf) | [:closed_book:](../../blob/master/2016/2016.01.26.BlackEnergy3)
* Jan 24 - [[Palo Alto Networks] Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists](http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/) | [:closed_book:](../../blob/master/2016/2016.01.24_Scarlet_Minic)
* Jan 21 - [[Palo Alto Networks] NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan](http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/) | [:closed_book:](../../blob/master/2016/2016.01.21.NetTraveler_Uzbekistan)
* Jan 19 - [[360] 2015 APT Annual Report](https://ti.360.com/upload/report/file/2015.APT.Annual_Report.pdf) | [:closed_book:](../../blob/master/2016/2016.01.19.360_APT_Report)
* Jan 14 - [[CISCO] RESEARCH SPOTLIGHT: NEEDLES IN A HAYSTACK](http://blog.talosintel.com/2016/01/haystack.html#more) | [:closed_book:](../../blob/master/2016/2016.01.14_Cisco_Needles_in_a_Haystack)
* Jan 14 - [[Symantec] The Waterbug attack group](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [:closed_book:](../../blob/master/2016/2016.01.14.The.Waterbug.Attack.Group/)
* Jan 07 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf) | [:closed_book:](../../blob/master/2016/2016.01.07.Operation_DustySky)
* Jan 07 - [[CISCO] RIGGING COMPROMISE - RIG EXPLOIT KIT](http://blog.talosintel.com/2016/01/rigging-compromise.html) | [:closed_book:](../../blob/master/2016/2016.01.07.rigging-compromise)
* Jan 03 - [[ESET] BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) | [:closed_book:](../../blob/master/2016/2016.01.03.BlackEnergy_Ukrainian)
## 2015
* Dec 23 - [[PwC] ELISE: Security Through Obesity](http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html) | [:closed_book:](../../blob/master/2015/2015.12.13.ELISE)
* Dec 22 - [[Palo Alto Networks] BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger](http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/) | [:closed_book:](../../blob/master/2015/2015.12.22.BBSRAT_Roaming_Tiger)
* Dec 20 - [[FireEye] The EPS Awakens - Part 2](https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html) | [:closed_book:](../../blob/master/2015/2015.12.20.EPS_Awakens_Part_II)
* Dec 18 - [[Palo Alto Networks] Attack on French Diplomat Linked to Operation Lotus Blossom](http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/) | [:closed_book:](../../blob/master/2015/2015.12.18.Attack_on_Frence_Diplomat_Linked_To_Operation_Lotus_Blossom)
* Dec 16 - [[Bitdefender] APT28 Under the Scope - A Journey into Exfiltrating Intelligence and Government Information](http://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf) | [:closed_book:](../../blob/master/2015/2015.12.17.APT28_Under_The_Scope)
* Dec 16 - [[Trend Micro] Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them](http://documents.trendmicro.com/assets/Operation_Black%20Atlas_Technical_Brief.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign)
* Dec 16 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign)
* Dec 15 - [[AirBus] Newcomers in the Derusbi family](http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family) | [:closed_book:](../../blob/master/2015/2015.12.15.Newcomers_in_the_Derusbi_family)
* Dec 08 - [[Citizen Lab] Packrat: Seven Years of a South American Threat Actor](https://citizenlab.org/2015/12/packrat-report/) | [:closed_book:](../../blob/master/2015/2015.12.08.Packrat)
* Dec 07 - [[FireEye] Financial Threat Group Targets Volume Boot Record](https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html) | [:closed_book:](../../blob/master/2015/2015.12.07.Thriving_Beyond_The_Operating_System)
* Dec 07 - [[Symantec] Iran-based attackers use back door threats to spy on Middle Eastern targets](http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) | [:closed_book:](../../blob/master/2015/2015.12.07.Iran-based)
* Dec 04 - [[Kaspersky] Sofacy APT hits high profile targets with updated toolset](https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/) | [:closed_book:](../../blob/master/2015/2015.12.04.Sofacy_APT)
* Dec 01 - [[FireEye] China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html) | [:closed_book:](../../blob/master/2015/2015.12.01.China-based_Cyber_Threat_Group_Uses_Dropbox_for_Malware_Communications_and_Targets_Hong_Kong_Media_Outlets)
* Nov 30 - [[FOX-IT] Ponmocup - A giant hiding in the shadows](https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf) | [:closed_book:](../../blob/master/2015/2015.11.30.Ponmocup)
* Nov 24 - [[Palo Alto Networks] Attack Campaign on the Government of Thailand Delivers Bookworm Trojan](http://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/) | [:closed_book:](../../blob/master/2015/2015.11.24.Attack_Campaign_on_the_Government_of_Thailand_Delivers_Bookworm_Trojan)
* Nov 23 - [[Minerva Labs, ClearSky] CopyKittens Attack Group](https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf) | [:closed_book:](../../blob/master/2015/2015.11.23.CopyKittens_Attack_Group)
* Nov 23 - [[RSA] PEERING INTO GLASSRAT](https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf) | [:closed_book:](../../blob/master/2015/2015.11.23.PEERING_INTO_GLASSRAT)
* Nov 23 - [[Trend Micro] Prototype Nation: The Chinese Cybercriminal Underground in 2015](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/prototype-nation-the-chinese-cybercriminal-underground-in-2015/?utm_source=siblog&utm_medium=referral&amp;utm_campaign=2015-cn-ug) | [:closed_book:](../../blob/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015)
* Nov 19 - [[Kaspersky] Russian financial cybercrime: how it works](https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/) | [:closed_book:](../../blob/master/2015/2015.11.18.Russian_financial_cybercrime_how_it_works)
* Nov 19 - [[JPCERT] Decrypting Strings in Emdivi](http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html) | [:closed_book:](../../blob/master/2015/2015.11.19.decrypting-strings-in-emdivi)
* Nov 18 - [[Palo Alto Networks] TDrop2 Attacks Suggest Dark Seoul Attackers Return](http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/) | [:closed_book:](../../blob/master/2015/2015.11.18.tdrop2)
* Nov 18 - [[CrowdStrike] Sakula Reloaded](http://blog.crowdstrike.com/sakula-reloaded/) | [:closed_book:](../../blob/master/2015/2015.11.18.Sakula_Reloaded)
* Nov 18 - [[Damballa] Damballa discovers new toolset linked to Destover Attackers arsenal helps them to broaden attack surface](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.18.Destover/amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface.pdf) | [:closed_book:](../../blob/master/2015/2015.11.18.Destover)
* Nov 16 - [[FireEye] WitchCoven: Exploiting Web Analytics to Ensnare Victims](https://www2.fireeye.com/threat-intel-report-WITCHCOVEN.html) | [:closed_book:](../../blob/master/2015/2015.11.17.Pinpointing_Targets_Exploiting_Web_Analytics_to_Ensnare_Victims)
* Nov 10 - [[Palo Alto Networks] Bookworm Trojan: A Model of Modular Architecture](http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/) | [:closed_book:](../../blob/master/2015/2015.11.10.bookworm-trojan-a-model-of-modular-architecture)
* Nov 09 - [[Check Point] Rocket Kitten: A Campaign With 9 Lives](http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf) | [:closed_book:](../../blob/master/2015/2015.11.09.Rocket_Kitten_A_Campaign_With_9_Lives)
* Nov 04 - [[RSA] Evolving Threats: dissection of a CyberEspionage attack](http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf) | [:closed_book:](../../blob/master/2015/2015.11.04_Evolving_Threats)
* Oct 16 - [[Citizen Lab] Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/) | [IOC](https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36/) | [:closed_book:](../../blob/master/2015/2015.10.16.NGO_Burmese_Government)
* Oct 15 - [[Citizen Lab] Pay No Attention to the Server Behind the Proxy: Mapping FinFisher's Continuing Proliferation](https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/) | [:closed_book:](../../blob/master/2015/2015.10.15.FinFisher_Continuing)
* Oct 05 - [[Recorded Future] Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy](http://go.recordedfuture.com/hubfs/reports/threat-identification.pdf) | [:closed_book:](../../blob/master/2015/2015.10.05.Proactive_Threat_Identification)
* Oct 03 - [[Cybereason] Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf) | [:closed_book:](../../blob/master/2015/2015.10.03.Webmail_Server_APT)
* Sep 23 - [[ThreatConnect] PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA'S UNIT 78020](https://www.threatconnect.com/camerashy-intro/) | [PDF](https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) | [:closed_book:](../../blob/master/2015/2015.09.23.CAMERASHY_ThreatConnect)
* Sep 17 - [[F-SECURE] The Dukes: 7 Years of Russian Cyber Espionage](https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/) | [PDF](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf) | [:closed_book:](../../blob/master/2015/2015.09.17.duke_russian)
* Sep 16 - [[Proofpoint] The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK](https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows) | [:closed_book:](../../blob/master/2015/2015.09.16.The-Shadow-Knows)
* Sep 16 - [[Trend Micro] Operation Iron Tiger: How China-Based Actors Shifted Attacks from APAC to US Targets](http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states) | [IOC](https://otx.alienvault.com/pulse/55f9910967db8c6fb35179bd/) | [:closed_book:](../../blob/master/2015/2015.09.17.Operation_Iron_Tiger)
* Sep 15 - [[Proofpoint] In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) | [:closed_book:](../../blob/master/2015/2015.09.15.PlugX_in_Russia)
* Sep 09 - [[Trend Micro] Shadow Force Uses DLL Hijacking, Targets South Korean Company](https://blog.trendmicro.com/trendlabs-security-intelligence/shadow-force-uses-dll-hijacking-targets-south-korean-company/) | [:closed_book:](../../blob/master/2015/2015.09.09.Shadow_Force)
* Sep 09 - [[Kaspersky] Satellite Turla: APT Command and Control in the Sky](https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/) | [:closed_book:](../../blob/master/2015/2015.09.09.satellite-turla-apt)
* Sep 08 - [[Palo Alto Networks] Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware](http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/) | [:closed_book:](../../blob/master/2015/2015.09.08.Musical_Chairs_Gh0st_Malware)
* Sep 01 - [[Trend Micro, Clearsky] The Spy Kittens Are Back: Rocket Kitten 2](http://www.trendmicro.tw/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) | [PDF](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf) | [:closed_book:](../../blob/master/2015/2015.09.01.Rocket_Kitten_2)
* Aug 20 - [[Arbor] PlugX Threat Activity in Myanmar](http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf) | [:closed_book:](../../blob/master/2015/2015.08.20.PlugX_Threat_Activity_in_Myanmar)
* Aug 20 - [[Kaspersky] New activity of the Blue Termite APT](https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/) | [:closed_book:](../../blob/master/2015/2015.08.20.new-activity-of-the-blue-termite-apt)
* Aug 19 - [[Symantec] New Internet Explorer zero-day exploited in Hong Kong attacks](http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks) | [:closed_book:](../../blob/master/2015/2015.08.19.new-internet-explorer-zero-day-exploited-hong-kong-attacks)
* Aug 10 - [[ShadowServer] The Italian Connection: An analysis of exploit supply chains and digital quartermasters](http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exploit-supply-chains-and-digital-quartermasters/) | [:closed_book:](../../blob/master/2015/2015.08.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters)
* Aug 08 - [[Cyint] Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign](http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended-plugx-campaign/) | [:closed_book:](../../blob/master/2015/2015.08.08.Poison_Ivy_and_Links_to_an_Extended_PlugX_Campaign)
* Aug 05 - [[Dell] Threat Group-3390 Targets Organizations for Cyberespionage](http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/) | [:closed_book:](../../blob/master/2015/2015.08.05.Threat_Group-3390)
* Aug 04 - [[RSA] Terracotta VPN: Enabler of Advanced Threat Anonymity](https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/) | [:closed_book:](../../blob/master/2015/2015.08.04.Terracotta_VPN)
* Jul 30 - [[ESET] Operation Potao Express](http://www.welivesecurity.com/2015/07/30/operation-potao-express/) | [IOC](https://github.com/eset/malware-ioc/tree/master/potao) | [:closed_book:](../../blob/master/2015/2015.07.30.Operation-Potao-Express)
* Jul 28 - [[Symantec] Black Vine: Formidable cyberespionage group targeted aerospace, healthcare since 2012](http://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012) | [:closed_book:](../../blob/master/2015/2015.07.28.Black_Vine)
* Jul 27 - [[FireEye] HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group](https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html) | [:closed_book:](../../blob/master/2015/2015.07.27.HAMMERTOSS)
* Jul 22 - [[F-SECURE] Duke APT group's latest tools: cloud services and Linux support](https://www.f-secure.com/weblog/archives/00002822.html) | [:closed_book:](../../blob/master/2015/2015.07.22.Duke_APT_groups_latest_tools)
* Jul 20 - [[ThreatConnect] China Hacks the Peace Palace: All Your EEZs Are Belong to Us](http://www.threatconnect.com/news/china-hacks-the-peace-palace-all-your-eezs-are-belong-to-us/) | [:closed_book:](../../blob/master/2015/2015.07.20.China_Peace_Palace)
* Jul 20 - [[Palo Alto Networks] Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor](http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/) | [:closed_book:](../../blob/master/2015/2015.07.20.IsSpace_Backdoor)
* Jul 14 - [[Palo Alto Networks] Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke](http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/) | [:closed_book:](../../blob/master/2015/2015.07.14.tracking-minidionis-cozycars)
* Jul 14 - [[Trend Micro] An In-Depth Look at How Pawn Storm's Java Zero-Day Was Used](http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/) | [:closed_book:](../../blob/master/2015/2015.07.14.How_Pawn_Storm_Java_Zero-Day_Was_Used)
* Jul 13 - [[Symantec] "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory](http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory) | [:closed_book:](../../blob/master/2015/2015.07.13.Forkmeiamfamous)
* Jul 13 - [[FireEye] Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability CVE-2015-5119 Following Hacking Team Leak](https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html) | [:closed_book:](../../blob/master/2015/2015.07.13.Demonstrating_Hustle)
* Jul 10 - [[Palo Alto Networks] APT Group UPS Targets US Government with Hacking Team Flash Exploit](http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team-flash-exploit/) | [:closed_book:](../../blob/master/2015/2015.07.10.APT_Group_UPS_Targets_US_Government)
* Jul 09 - [[Symantec] Butterfly: Corporate spies out for financial gain](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf) | [:closed_book:](../../blob/master/2015/2015.07.09.Butterfly)
* Jul 08 - [[Kaspersky] Wild Neutron - Economic espionage threat actor returns with new tricks](https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/) | [:closed_book:](../../blob/master/2015/2015.07.08.Wild_Neutron)
* Jul 08 - [[Volexity] APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)](http://www.volexity.com/blog/?p=158) | [:closed_book:](../../blob/master/2015/2015.07.08.APT_CVE-2015-5119)
* Jun 30 - [[ESET] Dino - the latest spying malware from an allegedly French espionage group analyzed](http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed) | [:closed_book:](../../blob/master/2015/2015.06.30.dino-spying-malware-analyzed)
* Jun 28 - [[Dragon Threat Labs] APT on Taiwan - insight into advances of adversary TTPs](http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html) | [:closed_book:](../../blob/master/2015/2015.06.28.APT_on_Taiwan)
* Jun 26 - [[FireEye] Operation Clandestine Wolf - Adobe Flash Zero-Day in APT3 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) | [:closed_book:](../../blob/master/2015/2015.06.26.operation-clandestine-wolf)
* Jun 24 - [[PwC] UnFIN4ished Business (FIN4)](http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html) | [:closed_book:](../../blob/master/2015/2015.06.24.unfin4ished-business)
* Jun 22 - [[Kaspersky] Winnti targeting pharmaceutical companies](https://securelist.com/blog/research/70991/games-are-over/) | [:closed_book:](../../blob/master/2015/2015.06.22.Winnti_targeting_pharmaceutical_companies)
* Jun 16 - [[Palo Alto Networks] Operation Lotus Blossom](https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html) | [:closed_book:](../../blob/master/2015/2015.06.16.operation-lotus-blossom)
* Jun 15 - [[Citizen Lab] Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114](https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/) | [:closed_book:](../../blob/master/2015/2015.06.15.Targeted-Attacks-against-Tibetan-and-Hong-Kong-Groups)
* Jun 12 - [[Volexity] Afghan Government Compromise: Browser Beware](http://www.volexity.com/blog/?p=134) | [:closed_book:](../../blob/master/2015/2015.06.12.Afghan_Government_Compromise)
* Jun 10 - [[Kaspersky] The Mystery of Duqu 2.0](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) | [IOC](https://securelist.com/files/2015/06/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc) | [Yara](https://securelist.com/files/2015/06/Duqu_2_Yara_rules.pdf) | [:closed_book:](../../blob/master/2015/2015.06.10.The_Mystery_of_Duqu_2_0)
* Jun 10 - [[Crysys] Duqu 2.0](http://blog.crysys.hu/2015/06/duqu-2-0/) | [:closed_book:](../../blob/master/2015/2015.06.10.Duqu_2.0)
* Jun 09 - [[Microsoft] Duqu 2.0 Win32k Exploit Analysis](https://www.virusbtn.com/pdf/conference_slides/2015/OhFlorio-VB2015.pdf) | [:closed_book:](../../blob/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis)
* Jun 04 - [[JP Internet Watch] Blue Termite targeting Japan (CloudyOmega)](http://internet.watch.impress.co.jp/docs/news/20150604_705541.html) | [:closed_book:](../../blob/master/2015/2015.06.09.Duqu_2.0_Win32k_Exploit_Analysis)
* Jun 03 - [[ClearSky] Thamar Reservoir](http://www.clearskysec.com/thamar-reservoir/) | [:closed_book:](../../blob/master/2015/2015.06.03.thamar-reservoir)
* May 29 - [[360] OceanLotus Report](http://blogs.360.cn/blog/oceanlotus-apt/) | [:closed_book:](../../blob/master/2015/2015.05.29.OceanLotus)
* May 28 - [[Kaspersky] Grabit and the RATs](https://securelist.com/blog/research/70087/grabit-and-the-rats/) | [:closed_book:](../../blob/master/2015/2015.05.28.grabit-and-the-rats)
* May 27 - [[Antiy Labs] Analysis On Apt-To-Be Attack That Focusing On China's Government Agency](http://www.antiy.net/p/analysis-on-apt-to-be-attack-that-focusing-on-chinas-government-agency/) | [:closed_book:](../../blob/master/2015/2015.05.27.APT_to_be)
* May 27 - [[CyberX] BlackEnergy 3 Exfiltration of Data in ICS Networks](http://cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf) | [:closed_book:](../../blob/master/2015/2015.05.27.BlackEnergy3)
* May 26 - [[ESET] Dissecting Linux/Moose](http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf) | [:closed_book:](../../blob/master/2015/2015.05.26.LinuxMoose)
* May 21 - [[Kaspersky] The Naikon APT and the MsnMM Campaigns](https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/) | [:closed_book:](../../blob/master/2015/2015.05.21.Naikon_APT)
* May 19 - [[Panda] Operation 'Oil Tanker'](http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf) | [:closed_book:](../../blob/master/2015/2015.05.19.Operation_Oil_Tanker)
* May 18 - [[Palo Alto Networks] Cmstar Downloader: Lurid and Enfal's New Cousin](http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/) | [:closed_book:](../../blob/master/2015/2015.05.18.Cmstar)
* May 14 - [[Trend Micro] Operation Tropic Trooper](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-tropic-trooper-old-vulnerabilities-still-pack-a-punch/) | [:closed_book:](../../blob/master/2015/2015.05.14.Operation_Tropic_Trooper)
* May 14 - [[Kaspersky] The Naikon APT](https://securelist.com/analysis/publications/69953/the-naikon-apt/) | [:closed_book:](../../blob/master/2015/2015.05.14.Naikon_APT)
* May 13 - [[Cylance] SPEAR: A Threat Actor Resurfaces](http://blog.cylance.com/spear-a-threat-actor-resurfaces) | [:closed_book:](../../blob/master/2015/2015.05.13.Spear_Threat)
* May 12 - [[PR Newswire] root9B Uncovers Planned Sofacy Cyber Attack Targeting Several International and Domestic Financial Institutions](http://www.prnewswire.com/news-releases/root9b-uncovers-planned-sofacy-cyber-attack-targeting-several-international-and-domestic-financial-institutions-300081634.html) | [:closed_book:](../../blob/master/2015/2015.05.12.Sofacy_root9B)
* May 07 - [[G DATA] Dissecting the Kraken](https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html) | [:closed_book:](../../blob/master/2015/2015.05.07.Kraken)
* May 05 - [[Ahnlab] Targeted attack on France's TV5Monde](http://global.ahnlab.com/global/upload/download/documents/1506306551185339.pdf) | [:closed_book:](../../blob/master/2015/2015.05.05.Targeted_attack_on_France_TV5Monde)
* Apr 27 - [[PWC] Attacks against Israeli & Palestinian interests](http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html) | [:closed_book:](../../blob/master/2015/2015.04.27.Attacks_Israeli_Palestinian)
* Apr 22 - [[F-SECURE] CozyDuke](https://www.f-secure.com/documents/996508/1030745/CozyDuke) | [:closed_book:](../../blob/master/2015/2015.04.22.CozyDuke)
* Apr 21 - [[Kaspersky] The CozyDuke APT](http://securelist.com/blog/69731/the-cozyduke-apt) | [:closed_book:](../../blob/master/2015/2015.04.21.CozyDuke_APT)
* Apr 20 - [[PWC] Sofacy II - Same Sofacy, Different Day](http://pwc.blogs.com/cyber_security_updates/2015/04/the-sofacy-plot-thickens.html) | [:closed_book:](../../blob/master/2015/2015.04.20.Sofacy_II)
* Apr 18 - [[FireEye] Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack](https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html) | [:closed_book:](../../blob/master/2015/2015.04.18.Operation_RussianDoll)
* Apr 16 - [[Trend Micro] Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house) | [:closed_book:](../../blob/master/2015/2015.04.16.Operation_Pawn_Storm)
* Apr 15 - [[Kaspersky] The Chronicles of the Hellsing APT: the Empire Strikes Back](http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/) | [:closed_book:](../../blob/master/2015/2015.04.15.Hellsing_APT)
* Apr 12 - [[FireEye] APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation](https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html) | [:closed_book:](../../blob/master/2015/2015.04.12.APT30)
* Mar 31 - [[CheckPoint] Volatile Cedar - Analysis of a Global Cyber Espionage Campaign](http://blog.checkpoint.com/2015/03/31/volatilecedar/) | [:closed_book:](../../blob/master/2015/2015.03.31.Volatile_Cedar)
* Mar 30 - [[CrowdStrike] Chopping packets: Decoding China Chopper Web shell traffic over SSL]() | [:closed_book:](../../blob/master/2015/2015.03.30.Decoding_China_Chopper)
* Mar 19 - [[Trend Micro] Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing) | [:closed_book:](../../blob/master/2015/2015.03.19.Goldfish_Phishing)
* Mar 11 - [[Kaspersky] Inside the EquationDrug Espionage Platform](http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/) | [:closed_book:](../../blob/master/2015/2015.03.11.EquationDrug)
* Mar 10 - [[Citizen Lab] Tibetan Uprising Day Malware Attacks](https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/) | [:closed_book:](../../blob/master/2015/2015.03.10.Tibetan_Uprising)
* Mar 06 - [[F-SECURE] Is Babar a Bunny?](https://www.f-secure.com/weblog/archives/00002794.html) | [:closed_book:](../../blob/master/2015/2015.03.06.Babar_or_Bunny)
* Mar 06 - [[Kaspersky] Animals in the APT Farm](https://securelist.com/animals-in-the-apt-farm/69114/) | [:closed_book:](../../blob/master/2015/2015.03.06.Animals_APT_Farm)
* Mar 05 - [[ESET] Casper Malware: After Babar and Bunny, Another Espionage Cartoon](http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon) | [:closed_book:](../../blob/master/2015/2015.03.05.Casper_Malware)
* Feb 24 - [[PWC] A deeper look into Scanbox](http://pwc.blogs.com/cyber_security_updates/2015/02/a-deeper-look-into-scanbox.html) | [:closed_book:](../../blob/master/2015/2015.02.24.Deeper_Scanbox)
* Feb 27 - [[ThreatConnect] The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [:closed_book:](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
* Feb 25 - [[FireEye] Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/FireEye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf) | [:closed_book:](../../blob/master/2015/2015.02.25.Southeast_Asia_Threat_Landscape)
* Feb 25 - [[Sophos] PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/) | [:closed_book:](../../blob/master/2015/2015.02.25.PlugX_to_registry)
* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [:closed_book:](../../blob/master/2015/2015.02.18.Babar)
* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [:closed_book:](../../blob/master/2015/2015.02.18.Shooting_Elephants)
* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [:closed_book:](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [:closed_book:](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
* Feb 16 - [[Trend Micro] Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome) | [:closed_book:](../../blob/master/2015/2015.02.16.Operation_Arid_Viper)
* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [:closed_book:](../../blob/master/2015/2015.02.16.Carbanak.APT)
* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [:closed_book:](../../blob/master/2015/2015.02.16.equation-the-death-star)
* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [:closed_book:](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
* Feb 04 - [[Trend Micro] Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/) | [:closed_book:](../../blob/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage)
* Feb 02 - [[FireEye] Behind the Syrian Conflict's Digital Frontlines](https://www.fireeye.com/content/dam/FireEye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [:closed_book:](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [:closed_book:](../../blob/master/2015/2015.01.29.P2P_PlugX)
* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [:closed_book:](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [:closed_book:](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
* Jan 22 - [[Kaspersky] Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [:closed_book:](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
* Jan 22 - [[Symantec] Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt) | [:closed_book:](../../blob/master/2015/2015.01.22.Scarab_attackers_Russian_targets)
* Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [:closed_book:](../../blob/master/2015/2015.01.22.Waterbug.group)
* Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [:closed_book:](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
* Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [:closed_book:](../../blob/master/2015/2015.01.20.Project_Cobra)
* Jan 15 - [[G DATA] Evolution of Agent.BTZ to ComRAT](https://blog.gdatasoftware.com/blog/article/evolution-of-sophisticated-spyware-from-agentbtz-to-comrat.html) | [:closed_book:](../../blob/master/2015/2015.01.15.Evolution_of_Agent.BTZ_to_ComRAT)
* Jan 12 - [[Dell] Skeleton Key Malware Analysis](http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/) | [:closed_book:](../../blob/master/2015/2015.01.12.skeleton-key-malware-analysis)
* Jan 11 - [[Dragon Threat Labs] Hong Kong SWC attack](http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html) | [:closed_book:](../../blob/master/2015/2015.01.11.Hong_Kong_SWC_Attack)
## 2014
* Dec 22 - [[Group-IB] Anunak: APT against financial institutions](http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf) | [:closed_book:](../../blob/master/2014/2014.12.22.Anunak_APT)
* Dec 21 - [[ThreatConnect] Operation Poisoned Helmand](http://www.threatconnect.com/news/operation-poisoned-helmand/) | [:closed_book:](../../blob/master/2014/2014.12.21.Operation_Poisoned_Helmand)
* Dec 19 - [[US-CERT] TA14-353A: Targeted Destructive Malware (wiper)](https://www.us-cert.gov/ncas/alerts/TA14-353A) | [:closed_book:](../../blob/master/2014/2014.12.19.Targeted_Destructive_Malware)
* Dec 18 - [[Citizen Lab] Malware Attack Targeting Syrian ISIS Critics](https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/) | [:closed_book:](../../blob/master/2014/2014.12.18.Syrian_ISIS_Critics)
* Dec 17 - [[CISCO] Wiper Malware - A Detection Deep Dive](http://blogs.cisco.com/security/talos/wiper-malware) | [:closed_book:](../../blob/master/2014/2014.12.17.Wiper_Malware_Deep_Dive)
* Dec 12 - [[Fidelis] Bots, Machines, and the Matrix](http://www.fidelissecurity.com/sites/default/files/FTA_1014_Bots_Machines_and_the_Matrix.pdf) | [:closed_book:](../../blob/master/2014/2014.12.12.Bots_Machines_and_the_Matrix)
* Dec 12 - [[AirBus] Vinself now with steganography](http://blog.cybersecurity-airbusds.com/post/2014/12/Vinself) | [:closed_book:](../../blob/master/2014/2014.12.12.Vinself)
* Dec 10 - [[Ahnlab] South Korea MBR Wiper](http://asec.ahnlab.com/1015) | [:closed_book:](../../blob/master/2014/2014.12.10_South_Korea_MBR_Wiper)
* Dec 10 - [[F-Secure] W64/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w64_regin_stage_1.pdf) | [:closed_book:](../../blob/master/2014/2014.12.10.W64_Regin)
* Dec 10 - [[F-Secure] W32/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf) | [:closed_book:](../../blob/master/2014/2014.12.10_W32_Regin)
* Dec 10 - [[Kaspersky] Cloud Atlas: RedOctober APT](http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/) | [:closed_book:](../../blob/master/2014/2014.12.10.RedOctober_APT)
* Dec 09 - [[BlueCoat] The Inception Framework](https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware) | [:closed_book:](../../blob/master/2014/2014.12.09_The_Inception_Framework)
* Dec 08 - [[Kaspersky] The 'Penquin' Turla](http://securelist.com/blog/research/67962/the-penquin-turla-2/) | [:closed_book:](../../blob/master/2014/2014.12.08.Penquin_Turla)
* Dec 05 - [[Cylance] Operation Cleaver: The Notepad Files](http://blog.cylance.com/operation-cleaver-the-notepad-files) | [:closed_book:](../../blob/master/2014/2014.12.05.Operation_Cleaver)
* Dec 02 - [[Cylance] Operation Cleaver](http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf) | [IOCs](http://www.cylance.com/assets/Cleaver/cleaver.yar) | [:closed_book:](../../blob/master//2014/2014.12.02.Operation_Cleaver)
* Nov 30 - [[FireEye] FIN4: Stealing Insider Information for an Advantage in Stock Trading?](https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html) | [:closed_book:](../../blob/master/2014/2014.11.30.FIN4)
* Nov 24 - [[CrowdStrike] Deep Panda Uses Sakula Malware](http://blog.crowdstrike.com/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/) | [:closed_book:](../../blob/master/2014/2014.11.24.Ironman)
* Nov 24 - [[TheIntercept] Regin: SECRET MALWARE IN EUROPEAN UNION ATTACK LINKED TO U.S. AND BRITISH INTELLIGENCE](https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/) | [:closed_book:](../../blob/master/2014/2014.11.24.Regin_TheIntercept)
* Nov 24 - [[Kaspersky] Kaspersky's report on The Regin Platform](http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/) | [:closed_book:](../../blob/master/2014/2014.11.24.Regin_Platform)
* Nov 24 - [[Symantec] Regin: Top-tier espionage tool enables stealthy surveillance](http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance) | [:closed_book:](../../blob/master/2014/2014.11.24.Regin_Top-tier_espionage)
* Nov 21 - [[FireEye] Operation Double Tap](https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html) | [IOCs](https://github.com/FireEye/iocs/tree/master/APT3) | [:closed_book:](../../blob/master//2014/2014.11.21.Operation_Double_Tap)
* Nov 20 - [[0x1338] EvilBunny: Suspect #4](http://0x1338.blogspot.co.uk/2014/11/hunting-bunnies.html) | [:closed_book:](../../blob/master//2014/2014.11.20.EvilBunny)
* Nov 14 - [[ESET] Roaming Tiger (Slides)](http://2014.zeronights.ru/assets/files/slides/roaming_tiger_zeronights_2014.pdf) | [:closed_book:](../../blob/master/2014/2014.11.14.Roaming_Tiger)
* Nov 14 - [[F-Secure] OnionDuke: APT Attacks Via the Tor Network](http://www.f-secure.com/weblog/archives/00002764.html) | [:closed_book:](../../blob/master/2014/2014.11.14.OnionDuke)
* Nov 13 - [[Symantec] Operation CloudyOmega: Ichitaro 0-day targeting Japan](http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan) | [:closed_book:](../../blob/master/2014/2014.11.13.Operation_CloudyOmega)
* Nov 12 - [[ESET] Korplug military targeted attacks: Afghanistan & Tajikistan](http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/) | [:closed_book:](../../blob/master/2014/2014.11.12.Korplug)
* Nov 11 - [[GDATA] The Uroburos case - Agent.BTZ's successor, ComRAT](http://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html) | [:closed_book:](../../blob/master/2014/2014.11.11.ComRAT)
* Nov 10 - [[Kaspersky] The Darkhotel APT - A Story of Unusual Hospitality](https://securelist.com/blog/research/66779/the-darkhotel-apt/) | [:closed_book:](../../blob/master/2014/2014.11.10.Darkhotel)
* Nov 03 - [[FireEye] Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement](http://www.fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html) | [:closed_book:](../../blob/master/2014/2014.11.03.Operation_Poisoned_Handover)
* Nov 03 - [[Kaspersky] New observations on BlackEnergy2 APT activity](https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/) | [:closed_book:](../../blob/master/2014/2014.11.03.BlackEnergy2_APT)
* Oct 31 - [[GData] Operation TooHash](https://blog.gdatasoftware.com/blog/article/operation-toohash-how-targeted-attacks-work.html) | [:closed_book:](../../blob/master/2014/2014.10.31.Operation_TooHash)
* Oct 30 - [[Sophos] The Rotten Tomato Campaign](http://blogs.sophos.com/2014/10/30/the-rotten-tomato-campaign-new-sophoslabs-research-on-apts/) | [:closed_book:](../../blob/master/2014/2014.10.30.Rotten_Tomato_Campaign)
* Oct 28 - [[CISCO] Group 72, Opening the ZxShell](http://blogs.cisco.com/talos/opening-zxshell/) | [:closed_book:](../../blob/master/2014/2014.10.28.Group_72_ZxShell)
* Oct 28 - [[FireEye] APT28 - A Window Into Russia's Cyber Espionage Operations](https://www.fireeye.com/resources/pdfs/apt28.pdf) | [:closed_book:](../../blob/master/2014/2014.10.28.APT28)
* Oct 27 - [[Invincea] Micro-Targeted Malvertising via Real-time Ad Bidding](http://www.invincea.com/wp-content/uploads/2014/10/Micro-Targeted-Malvertising-WP-10-27-14-1.pdf) | [:closed_book:](../../blob/master/2014/2014.10.27.Micro-Targeted_Malvertising)
* Oct 27 - [[PWC] ScanBox framework - who's affected, and who's using it?](http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html) | [:closed_book:](../../blob/master/2014/2014.10.27.ScanBox_framework)
* Oct 27 - [[Netresec] Full Disclosure of Havex Trojans - ICS Havex backdoors](http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans) | [:closed_book:](../../blob/master/2014/2014.10.27.Havex_Trojans)
* Oct 24 - [[AirBus] LeoUncia and OrcaRat](http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat) | [:closed_book:](../../blob/master/2014/2014.10.24.LeoUncia_and_OrcaRat)
* Oct 23 - [[LEVIATHAN] THE CASE OF THE MODIFIED BINARIES](http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/) | [:closed_book:](../../blob/master/2014/2014.10.23.Modified_Binaries)
* Oct 22 - [[PWC] Sofacy Phishing by PWC](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf) | [:closed_book:](../../blob/master/2014/2014.10.22.Sofacy_Phishing)
* Oct 22 - [[Trend Micro] Operation Pawn Storm: The Red in SEDNIT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf) | [:closed_book:](../../blob/master/2014/2014.10.22.Operation_Pawn_Storm)
* Oct 20 - [[PWC] OrcaRAT - A whale of a tale](http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html) | [:closed_book:](../../blob/master/2014/2014.10.20.OrcaRAT_tale)
* Oct 14 - [[iSightPartners] Sandworm - CVE-2014-4114](http://www.isightpartners.com/2014/10/cve-2014-4114/) | [:closed_book:](../../blob/master/2014/2014.10.14.Sandworm)
* Oct 14 - [[CISCO] Group 72](http://blogs.cisco.com/security/talos/threat-spotlight-group-72/) | [:closed_book:](../../blob/master/2014/2014.10.14.Group_72)
* Oct 14 - [[Novetta] Derusbi Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf) | [:closed_book:](../../blob/master/2014/2014.10.14.Derusbi_Analysis)
* Oct 14 - [[Novetta] Hikit Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf) | [:closed_book:](../../blob/master/2014/2014.10.14.Hikit_Preliminary_Analysis)
* Oct 14 - [[Novetta] ZoxPNG Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf) | [:closed_book:](../../blob/master/2014/2014.10.14.ZoxPNG)
* Oct 09 - [[Volexity] Democracy in Hong Kong Under Attack](http://www.volexity.com/blog/?p=33) | [:closed_book:](../../blob/master/2014/2014.10.09.Democracy_Hong_Kong_Under_Attack)
* Oct 03 - [[Palo Alto Networks] New indicators for APT group Nitro](http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/) | [:closed_book:](../../blob/master/2014/2014.10.03.Nitro_APT)
* Sep 26 - [[F-Secure] BlackEnergy & Quedagh](https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf) | [:closed_book:](../../blob/master/2014/2014.09.26.BlackEnergy_Quedagh)
* Sep 26 - [[FireEye] Aided Frame, Aided Direction (Sunshop Digital Quartermaster)](http://www.fireeye.com/blog/technical/2014/09/aided-frame-aided-direction-because-its-a-redirect.html) | [:closed_book:](../../blob/master/2014/2014.09.26.Aided_Frame_Aided_Direction)
* Sep 23 - [[Kaspersky] Ukraine and Poland Targeted by BlackEnergy (video)](https://www.youtube.com/watch?v=I77CGqQvPE4)
* Sep 19 - [[Palo Alto Networks] Watering Hole Attacks using Poison Ivy by "th3bug" group](http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/) | [:closed_book:](../../blob/master/2014/2014.09.19.th3bug_Poison_Ivy)
* Sep 18 - [[F-Secure] COSMICDUKE: Cosmu with a twist of MiniDuke](http://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf) | [:closed_book:](../../blob/master/2014/2014.09.18.COSMICDUKE)
* Sep 17 - [[U.S. Senate Committee] Chinese intrusions into key defense contractors](http://www.armed-services.senate.gov/press-releases/sasc-investigation-finds-chinese-intrusions-into-key-defense-contractors) | [:closed_book:](../../blob/master/2014/2014.09.17.Chinese_APT_defense_contractors)
* Sep 10 - [[FireEye] Operation Quantum Entanglement](http://www.fireeye.com/resources/pdfs/white-papers/FireEye-operation-quantum-entanglement.pdf) | [:closed_book:](../../blob/master/2014/2014.09.10.Operation_Quantum_Entanglement)
* Sep 08 - [[Usenix] When Governments Hack Opponents: A Look at Actors and Technology](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-marczak.pdf) [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/marczak) | [:closed_book:](../../blob/master/2014/2014.09.08.When_Governments_Hack_Opponents)
* Sep 08 - [[Usenix] Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf) [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/hardy) | [:closed_book:](../../blob/master/2014/2014.09.08.Targeted_Threat_Index)
* Sep 04 - [[ClearSky] Gholee - a “Protective Edge” themed spear phishing campaign](http://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/) | [:closed_book:](../../blob/master/2014/2014.09.04.Gholee)
* Sep 04 - [[FireEye] Forced to Adapt: XSLCmd Backdoor Now on OS X](http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html) | [:closed_book:](../../blob/master/2014/2014.09.04.XSLCmd_OSX)
* Sep 04 - [[Netresec] Analysis of Chinese MITM on Google](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Chinese_MITM_Google.pdf) | [:closed_book:](../../blob/master/2014/2014.09.04.Analysis_of_Chinese_MITM_on_Google)
* Sep 03 - [[FireEye] Darwin's Favorite APT Group (APT12)](http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html) | [:closed_book:](../../blob/master/2014/2014.09.03.Darwin_APT)
* Aug 29 - [[FireEye] Syrian Malware Team Uses BlackWorm for Attacks](http://www.fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html) | [:closed_book:](../../blob/master/2014/2014.08.29.BlackWorm_Syrian)
* Aug 28 - [[AlienVault] Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks](https://www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks) | [:closed_book:](../../blob/master/2014/2014.08.28.Scanbox_Framework_Watering_Hole_Attack)
* Aug 27 - [[Kaspersky] NetTraveler APT Gets a Makeover for 10th Birthday](https://securelist.com/blog/research/66272/nettraveler-apt-gets-a-makeover-for-10th-birthday/) | [:closed_book:](../../blob/master/2014/2014.08.27.NetTraveler)
* Aug 25 - [[Malware Must Die] Vietnam APT Campaign](http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html) | [:closed_book:](../../blob/master/2014/2014.08.25.Vietnam_APT)
* Aug 20 - [[Kaspersky] El Machete](https://securelist.com/blog/research/66108/el-machete/) | [:closed_book:](../../blob/master/2014/2014.08.20.El_Machete)
* Aug 18 - [[Kaspersky] The Syrian Malware House of Cards](https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/) | [:closed_book:](../../blob/master/2014/2014.08.18.Syrian_Malware_House_of_Cards)
* Aug 16 - [[HP] Profiling an enigma: The mystery of North Korea's cyber threat landscape](https://time.com/wp-content/uploads/2014/12/hpsr_securitybriefing_episode16_northkorea.pdf) | [:closed_book:](../../blob/master/2014/2014.08.16.North_Korea_cyber_threat_landscape)
* Aug 13 - [[USENIX] A Look at Targeted Attacks Through the Lense of an NGO](http://www.mpi-sws.org/~stevens/pubs/sec14.pdf) | [:closed_book:](../../blob/master/2014/2014.08.13.TargetAttack.NGO)
* Aug 12 - [[FireEye] New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)](http://www.fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html) | [:closed_book:](../../blob/master/2014/2014.08.12.New_York_Times_Attackers)
* Aug 07 - [[Kaspersky] The Epic Turla Operation Appendix](https://securelist.com/files/2014/08/KL_Epic_Turla_Technical_Appendix_20140806.pdf) | [:closed_book:](../../blob/master/2014/2014.08.07.Epic_Turla_Operation_Appendix)
* Aug 06 - [[FireEye] Operation Poisoned Hurricane](http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html) | [:closed_book:](../../blob/master/2014/2014.08.06.Operation_Poisoned_Hurricane)
* Aug 05 - [[ThreatConnect] Operation Arachnophobia](http://threatc.s3-website-us-east-1.amazonaws.com/?/arachnophobia) | [:closed_book:](../../blob/master/2014/2014.08.05.Operation_Arachnophobia)
* Aug 04 - [[FireEye] SIDEWINDER TARGETED ATTACK AGAINST ANDROID IN THE GOLDEN AGE OF AD LIBRARIES](http://www.fireeye.com/resources/pdfs/FireEye-sidewinder-targeted-attack.pdf) | [:closed_book:](../../blob/master/2014/2014.08.04.Sidewinder_GoldenAge)
* Jul 31 - [[Kaspersky] Energetic Bear/Crouching Yeti](https://kasperskycontenthub.com/securelist/files/2014/07/EB-YetiJuly2014-Public.pdf) | [:closed_book:](../../blob/master/2014/2014.07.31.Energetic_Bear)
* Jul 29 - [[Dell] Threat Group-3279 Targets the Video Game Industry](https://www.secureworks.com/research/threat-group-3279-targets-the-video-game-industry) | [:closed_book:](../../blob/master/2014/2014.07.29.Threat_Group-3279_Targets_the_Video_Game_Industry)
* Jul 20 - [[Vinsula] Sayad (Flying Kitten) Analysis & IOCs](http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/) | [:closed_book:](../../blob/master/2014/2014.07.20.Flying_Kitten)
* Jul 11 - [[AirBus] Pitty Tiger](https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf) | [:closed_book:](../../blob/master/2014/2014.07.11.Pitty_Tiger)
* Jul 10 - [[CIRCL] TR-25 Analysis - Turla / Pfinet / Snake / Uroburos](http://www.circl.lu/pub/tr-25/) | [:closed_book:](../../blob/master/2014/2014.07.10.Turla_Pfinet_Snake_Uroburos)
* Jul 07 - [[CrowdStrike] Deep Pandas, Deep in Thought: Chinese Targeting of National Security Think Tanks](http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/) | [:closed_book:](../../blob/master/2014/2014.07.07.Deep_in_Thought)
* Jul 10 - [[TrapX] Anatomy of the Attack: Zombie Zero](http://www.trapx.com/wp-content/uploads/2014/07/TrapX_ZOMBIE_Report_Final.pdf) | [:closed_book:](../../blob/master/2014/2014.07.10.Zombie_Zero)
* Jun 30 - [[Symantec] Dragonfly: Cyberespionage Attacks Against Energy Suppliers](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf) | [:closed_book:](../../blob/master/2014/2014.06.30.Dragonfly)
* Jun 20 - [[Blitzanalysis] Embassy of Greece Beijing](http://thegoldenmessenger.blogspot.de/2014/06/blitzanalysis-embassy-of-greece-beijing.html) | [:closed_book:](../../blob/master/2014/2014.06.20.Embassy_of_Greece_Beijing)
* Jun 09 - [[CrowdStrike] Putter Panda](http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf) | [:closed_book:](../../blob/master/2014/2014.06.09.Putter_Panda)
* Jun 06 - [[Arbor] Illuminating The Etumbot APT Backdoor (APT12)](http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf) | [:closed_book:](../../blob/master/2014/2014.06.06.Etumbot_APT_Backdoor)
* May 28 - [[iSightPartners] NewsCaster_An_Iranian_Threat_Within_Social_Networks](https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/) | [:closed_book:](../../blob/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks)
* May 21 - [[Fidelis] RAT in jar: A phishing campaign using Unrecom](http://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf) | [:closed_book:](../../blob/master/2014/2014.05.21.Unrecom_Rat)
* May 20 - [[ESET] Miniduke Twitter C&C](http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/) | [:closed_book:](../../blob/master/2014/2014.05.20.Miniduke_Twitter_CnC)
* May 13 - [[CrowdStrike] Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN](http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/) | [:closed_book:](../../blob/master/2014/2014.05.13.Flying.Kitten)
* May 13 - [[FireEye] Operation Saffron Rose (aka Flying Kitten)](http://www.fireeye.com/resources/pdfs/FireEye-operation-saffron-rose.pdf) | [:closed_book:](../../blob/master/2014/2014.05.13.Operation_Saffron_Rose)
* Apr 26 - [[FireEye] CVE-2014-1776: Operation Clandestine Fox](https://www.fireeye.com/blog/threat-research/2014/05/operation-clandestine-fox-now-attacking-windows-xp-using-recently-discovered-ie-vulnerability.html) | [:closed_book:](../../blob/master/2014/2014.04.26.Operation_Clandestine_Fox)
* Mar 12 - [[FireEye] A Detailed Examination of the Siesta Campaign](https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html) | [:closed_book:](../../blob/master/2014/2014.03.12.Detailed_Siesta_Campaign)
* Mar 08 - [[Reuters] Russian spyware Turla](http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307) | [:closed_book:](../../blob/master/2014/2014.03.08.Russian_spyware_Turla)
* Mar 07 - [[BAE] Snake Campaign & Cyber Espionage Toolkit](http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf) | [:closed_book:](../../blob/master/2014/2014.03.07.Snake_Campaign)
* Mar 06 - [[Trend Micro] The Siesta Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/) | [:closed_book:](../../blob/master/2014/2014.03.06.The_Siesta_Campaign)
* Feb 28 - [[GData] Uroburos: Highly complex espionage software with Russian roots](https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf) | [:closed_book:](../../blob/master/2014/2014.02.28.Uroburos)
* Feb 25 - [[CrowdStrike] The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity](http://blog.crowdstrike.com/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/) | [:closed_book:](../../blob/master/2014/2014.02.25.The_French_Connection)
* Feb 23 - [[Fidelis] Gathering in the Middle East, Operation STTEAM](http://www.fidelissecurity.com/sites/default/files/FTA%201012%20STTEAM%20Final.pdf) | [:closed_book:](../../blob/master/2014/2014.02.23.Operation_STTEAM)
* Feb 20 - [[CrowdStrike] Mo' Shells Mo' Problems - Deep Panda Web Shells](http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/) | [:closed_book:](../../blob/master/2014/2014.02.20.deep-panda-webshells)
* Feb 20 - [[FireEye] Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit](http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html) | [:closed_book:](../../blob/master/2014/2014.02.20.Operation_GreedyWonk)
* Feb 19 - [[FireEye] XtremeRAT: Nuisance or Threat?](http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html) | [:closed_book:](../../blob/master/2014/2014.02.19.XtremeRAT)
* Feb 19 - [[Context Information Security] The Monju Incident](http://contextis.com/resources/blog/context-threat-intelligence-monju-incident/) | [:closed_book:](../../blob/master/2014/2014.02.19.Monju_Incident)
* Feb 13 - [[FireEye] Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website](http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html) | [:closed_book:](../../blob/master/2014/2014.02.13_Operation_SnowMan)
* Feb 11 - [[Kaspersky] Unveiling "Careto" - The Masked APT](http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf) | [:closed_book:](../../blob/master/2014/2014.02.11_Careto_APT)
* Jan 31 - [[Fidelis] Intruder File Report - Sneakernet Trojan](http://www.fidelissecurity.com/sites/default/files/FTA%201011%20Follow%20UP.pdf) | [:closed_book:](../../blob/master/2014/2014.01.31.Sneakernet_Trojan)
* Jan 21 - [[RSA] Shell_Crew (Deep Panda)](http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf) | [:closed_book:](../../blob/master/2014/2014.01.21.Shell_Crew)
* Jan 15 - [[Fidelis] New CDTO: A Sneakernet Trojan Solution](http://www.fidelissecurity.com/sites/default/files/FTA%201001%20FINAL%201.15.14.pdf) | [:closed_book:](../../blob/master/2014/2014.01.15.Sneakernet_Trojan)
* Jan 14 - [[Kaspersky] The Icefog APT Hits US Targets With Java Backdoor](https://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor) | [:closed_book:](../../blob/master/2014/2014.01.14.Icefog_APT)
* Jan 13 - [[Symantec] Targeted attacks against the Energy Sector](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf) | [:closed_book:](../../blob/master/2014/2014.01.13.Targeted_Attacks_Energy_Sector)
* Jan 06 - [[AirBus] PlugX: some uncovered points](https://airbus-cyber-security.com/plugx-some-uncovered-points/) | [:closed_book:](../../blob/master/2014/2014.01.06.PlugX)
## 2013
* XXX XX - [[CERT-ISAC] Inside Report APT Attacks on Indian Cyber Space]() | [:closed_book:](../../blob/master/2013/2013.00.00.APT_Attacks_on_Indian_Cyber_Space)
* XXX XX - [[KPMG] Energy at Risk: A Study of IT Security in the Energy and Natural Resources Industry]() | [:closed_book:](../../blob/master/2013/2013.00.00.Energy_at_Risk)
* XXX XX - [[FireEye] THE LITTLE MALWARE THAT COULD: Detecting and Defeating the China Chopper Web Shell](https://www.fireeye.com/content/dam/FireEye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf) | [:closed_book:](../../blob/master/2013/2013.00.00.China_Chopper_Web_Shell)
* XXX XX - [[CrowdStrike] Deep Panda](http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf) | [:closed_book:](../../blob/master/2013/2013.00.00.Deep.Panda)
* XXX XX - [[CISAK] Dark Seoul Cyber Attack: Could it be worse?](http://cisak.perpika.kr/2013/wp-content/uploads/2013/06/Accepted-Papers.xlsx) | [:closed_book:](../../blob/master/2013/2013.00.00.Dark_Seoul_Cyber_Attack)
* XXX XX - [[FireEye] OPERATION SAFFRON ROSE](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf) | [:closed_book:](../../blob/master/2013/2013.00.00.OPERATION_SAFFRON_ROSE)
* Dec 20 - [[Ahnlab] ETSO APT Attacks Analysis](http://image.ahnlab.com/global/upload/download/documents/1401223631603288.pdf) | [:closed_book:](../../blob/master/2013/2013.12.20.ETSO)
* Dec 12 - [[FireEye] Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs](https://www.fireeye.com/blog/executive-perspective/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html) | [:closed_book:](../../blob/master/2013/2013.12.12.Operation_Ke3chang)
* Dec 02 - [[Fidelis] njRAT, The Saga Continues](http://www.fidelissecurity.com/files/files/FTA%201010%20-%20njRAT%20The%20Saga%20Continues.pdf) | [:closed_book:](../../blob/master/2013/2013.12.02.njRAT_Saga_Continues)
* Nov 10 - [[FireEye] Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method](http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html) | [:closed_book:](../../blob/master/2013/2013.11.10.Operation_Ephemeral_Hydra)
* Oct 25 - [[FireEye] Evasive Tactics: Terminator RAT](https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-rat.html) | [:closed_book:](../../blob/master/2013/2013.10.25.Terminator_RAT)
* Oct 24 - [[Trend Micro] FakeM RAT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf) | [:closed_book:](../../blob/master/2013/2013.10.24.FakeM_RAT)
* Sep 25 - [[Kaspersky] The 'ICEFOG' APT: A Tale of cloak and three daggers](http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf) | [:closed_book:](../../blob/master/2013/2013.09.25.ICEFROG_APT)
* Sep 21 - [[FireEye] Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets](https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html) | [:closed_book:](../../blob/master/2013/2013.09.21.Operation_DeputyDog)
* Sep 19 - [[Trend Micro] 2Q 2013 Report on Targeted Attack Campaigns: A Look Into EvilGrab](https://www.trendmicro.tw/vinfo/hk/security/news/cyber-attacks/2q-2013-report-on-targeted-attack-campaigns-a-look-into-evilgrab) | [:closed_book:](../../blob/master/2013/2013.09.19.EvilGrab)
* Sep 17 - [[Symantec] Hidden Lynx - Professional Hackers for Hire](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf) | [:closed_book:](../../blob/master/2013/2013.09.17.Hidden_Lynx)
* Sep 11 - [[Kaspersky] The "Kimsuky" Operation](https://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/) | [:closed_book:](../../blob/master/2013/2013.09.11.Kimsuky_Operation)
* Sep 06 - [[FireEye] Evasive Tactics: Taidoor](https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html) | [:closed_book:](../../blob/master/2013/2013.09.06.EvasiveTactics_Taidoor)
* Aug 23 - [[FireEye] Operation Molerats: Middle East Cyber Attacks Using Poison Ivy](http://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html) | [:closed_book:](../../blob/master/2013/2013.08.23.Operation_Molerats)
* Aug 21 - [[FireEye] POISON IVY: Assessing Damage and Extracting Intelligence](http://www.fireeye.com/resources/pdfs/FireEye-poison-ivy-report.pdf) | [:closed_book:](../../blob/master/2013/2013.08.21.POISON_IVY)
* Aug 19 - [[Rapid7] ByeBye Shell and the targeting of Pakistan](https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan) | [:closed_book:](../../blob/master/2013/2013.08.19.ByeBye_Shell)
* Aug 02 - [[CitizenLab] Surtr: Malware Family Targeting the Tibetan Community](https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/) | [:closed_book:](../../blob/master/2013/2013.08.02.Surtr_Targeting_Tibetan)
* Aug 02 - [[ThreatConnect] Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up](http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/) | [:closed_book:](../../blob/master/2013/2013.08.02.Smoke_Fire_South_Asian_Cyber_Espionage)
* Jul 31 - [[BlackHat] Hunting the Shadows: In Depth Analysis of Escalated APT Attacks](https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf) | [:closed_book:](../../blob/master/2013/2013.07.31.Hunting_the_Shadows)
* Jul 31 - [[Dell] Secrets of the Comfoo Masters](http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/) | [:closed_book:](../../blob/master/2013/2013.07.31.ecrets_of_the_Comfoo_Masters)
* Jul 15 - [[Sophos] The PlugX malware revisited: introducing "Smoaler"](http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf) | [:closed_book:](../../blob/master/2013/2013.07.15.PlugX_Smoaler)
* Jul 01 - [[McAfee] Targeted Campaign Steals Credentials in Gulf States and Caribbean](https://www.kashifali.ca/2013/07/01/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean/) | [:closed_book:](../../blob/master/2013/2013.07.01.Gulf_States_APT)
* Jun 28 - [[ThreatGeek] njRAT Uncovered](http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf) | [:closed_book:](../../blob/master//2013/2013.06.28.njRAT_Uncovered)
* Jun 21 - [[Citizen Lab] A Call to Harm: New Malware Attacks Target the Syrian Opposition](https://citizenlab.org/wp-content/uploads/2013/07/19-2013-acalltoharm.pdf) | [:closed_book:](../../blob/master/2013/2013.06.21.Syrian_Attack)
* Jun 18 - [[FireEye] Trojan.APT.Seinup Hitting ASEAN](http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html) | [:closed_book:](../../blob/master/2013/2013.06.18.APT_Seinup)
* Jun 07 - [[Rapid7] KeyBoy, Targeted Attacks against Vietnam and India](https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india) | [:closed_book:](../../blob/master/2013/2013.06.07.KeyBoy_APT)
* Jun 04 - [[Kaspersky] The NetTraveler (aka 'Travnet')](http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf) | [:closed_book:](../../blob/master/2013/2013.06.04.NetTraveller)
* Jun 01 - [[Purdue] Crude Faux: An analysis of cyber conflict within the oil & gas industries](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-9.pdf) | [:closed_book:](../../blob/master/2013/2013.06.01.cyber_conflict_Oil_Gas)
* Jun XX - [[BlueCoat] The Chinese Malware Complexes: The Maudi Surveillance Operation](https://bluecoat.com/documents/download/2c832f0f-45d2-4145-bdb7-70fc78c22b0f&ei=ZGP-VMCbMsuxggSThYDgDg&usg=AFQjCNFjXSkn_AIiXge1X9oWZHzQOiNDJw&sig2=B6e2is0sCnGEbLPL9q0eZg&bvm=bv.87611401,d.eXY) | [:closed_book:](../../blob/master/2013/2013.06.00.Maudi_Surveillance_Operation)
* May 30 - [[CIRCL] TR-14 - Analysis of a stage 3 Miniduke malware sample](http://www.circl.lu/pub/tr-14/) | [:closed_book:](../../blob/master/2013/2013.05.20.Miniduke.Analysis)
* May 20 - [[Norman] OPERATION HANGOVER: Unveiling an Indian Cyberattack Infrastructure](http://www.thecre.com/fnews/wp-content/uploads/2013/05/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf) | [:closed_book:](../../blob/master/2013/2013.05.20.Operation_Hangover)
* May 16 - [[ESET] Targeted information stealing attacks in South Asia use email, signed binaries](https://www.welivesecurity.com/2013/05/16/targeted-threat-pakistan-india/) | [:closed_book:](../../blob/master/2013/2013.05.16.targeted-threat-pakistan-india)
* Apr 21 - [[Bitdefender] MiniDuke - The Final Cut](http://labs.bitdefender.com/2013/04/miniduke-the-final-cut) | [:closed_book:](../../blob/master/2013/2013.04.21.MiniDuke)
* Apr 13 - [[Kaspersky] "Winnti" More than just a game](http://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf) | [:closed_book:](../../blob/master/2013/2013.04.13.Winnti)
* Apr 07 - [[FireEye] WORLD WAR C](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-wwc-report.pdf) | [:closed_book:](../../blob/master/2013/2013.04.07_WORLD_WAR_C)
* Apr 01 - [[FireEye] Trojan.APT.BaneChant](http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html) | [:closed_book:](../../blob/master/2013/2013.04.01.APT_BaneChant)
* Mar 28 - [[Circl] TR-12 - Analysis of a PlugX malware variant used for targeted attacks](http://www.circl.lu/pub/tr-12/) | [:closed_book:](../../blob/master/2013/2013.03.28.TR-12_PlugX_malware)
* Mar 27 - [[malware.lu] APT1: technical backstage (Terminator/Fakem RAT)](http://www.malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf) | [:closed_book:](../../blob/master/2013/2013.03.27.APT1_technical_backstage)
* Mar 21 - [[Fidelis] Darkseoul/Jokra Analysis And Recovery](https://old.fidelissecurity.com/sites/default/files/FTA%201008%20-%20Darkseoul-Jokra%20Analysis%20and%20Recovery.pdf) | [:closed_book:](../../blob/master/2013/2013.03.21.Darkseoul)
* Mar 20 - [[Kaspersky] The TeamSpy Crew Attacks](http://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/) | [:closed_book:](../../blob/master/2013/2013.03.20.TeamSpy_Crew)
* Mar 20 - [[McAfee] Dissecting Operation Troy](http://www.mcafee.com/sg/resources/white-papers/wp-dissecting-operation-troy.pdf) | [:closed_book:](../../blob/master/2013/2013.03.20.Operation_Troy)
* Mar 17 - [[Trend Micro] Safe: A Targeted Threat](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf) | [:closed_book:](../../blob/master/2013/2013.03.17.Targeted_Threat)
* Mar 13 - [[Citizen Lab] You Only Click Twice: FinFisher's Global Proliferation](https://citizenlab.org/wp-content/uploads/2013/07/15-2013-youonlyclicktwice.pdf) | [:closed_book:](../../blob/master/2013/2013.03.13.FinFisher)
* Feb 27 - [[Crysys] Miniduke: Indicators v1](http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf) | [:closed_book:](../../blob/master/2013/2013.02.27.MiniDuke_Indicators)
* Feb 27 - [[Kaspersky] The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor](https://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf) | [:closed_book:](../../blob/master/2013/2013.02.27.MiniDuke_Mystery)
* Feb 26 - [[Symantec] Stuxnet 0.5: The Missing Link](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf) | [:closed_book:](../../blob/master/2013/2013.02.26.Stuxnet_0.5)
* Feb 22 - [[Symantec] Comment Crew: Indicators of Compromise](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf) | [:closed_book:](../../blob/master/2013/2013.02.22.Comment_Crew)
* Feb 18 - [[FireEye] Mandiant APT1 Report](http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf) | [:closed_book:](../../blob/master/2013/2013.02.18.APT1)
* Feb 12 - [[AIT] Targeted cyber attacks: examples and challenges ahead](http://www.ait.ac.at/uploads/media/Presentation_Targeted-Attacks_EN.pdf) | [:closed_book:](../../blob/master/2013/2013.02.12.Targeted-Attacks)
* Jan 18 - [[McAfee] Operation Red October](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24250/en_US/McAfee_Labs_Threat_Advisory_Exploit_Operation_Red_Oct.pdf) | [:closed_book:](../../blob/master/2013/2013.01.18.Operation_Red_Oct)
* Jan 14 - [[Kaspersky] The Red October Campaign](https://securelist.com/blog/incidents/57647/the-red-october-campaign) | [:closed_book:](../../blob/master/2013/2013.01.14.Red_October_Campaign)
* Jan 02 - [[FireEye] SUPPLY CHAIN ANALYSIS: From Quartermaster to Sunshop](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-malware-supply-chain.pdf) | [:closed_book:](../../blob/master/2013/2013.01.02.SUPPLY_CHAIN_ANALYSIS)
## 2012
* Nov ?? - [[KrebsonSecurity] "Wicked Rose" and the NCPH Hacking Group](https://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf) | [:closed_book:](../../blob/master/2012/2012.11.00_Wicked_Rose)
* Nov 13 - [[FireEye] Poison Ivy Malware Analysis](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf) | [:closed_book:](../../blob/master/2012/2012.11.13.Poison_Ivy)
* Nov 03 - [[CyberPeace] Systematic cyber attacks against Israeli and Palestinian targets going on for a year](http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf) | [:closed_book:](../../blob/master/2012/2012.11.03.Israeli_and_Palestinian_Attack)
* Nov 01 - [[Fidelis] RECOVERING FROM SHAMOON](http://www.fidelissecurity.com/sites/default/files/FTA%201007%20-%20Shamoon.pdf) | [:closed_book:](../../blob/master/2012/2012.11.01.RECOVERING_FROM_SHAMOON)
* Oct 31 - [[DEA] CYBER ESPIONAGE Against Georgian Government (Georbot Botnet)](http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf) | [:closed_book:](../../blob/master/2012/2012.10.31.CYBER_ESPIONAGE_Georbot_Botnet)
* Oct 27 - [[Symantec] Trojan.Taidoor: Targeting Think Tanks](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf) | [:closed_book:](../../blob/master/2012/2012.10.27.Taidoor)
* Oct 08 - [[Matasano] pest control: taming the rats](http://matasano.com/research/PEST-CONTROL.pdf) | [:closed_book:](../../blob/master/2012/2012.10.08.Pest_Control)
* Sep 18 - [[Dell] The Mirage Campaign](http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/) | [:closed_book:](../../blob/master/2012/2012.09.18.Mirage_Campaign)
* Sep 12 - [[RSA] The VOHO Campaign: An in depth analysis](http://blogsdev.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf) | [:closed_book:](../../blob/master/2012/2012.09.12.VOHO_Campaign)
* Sep 07 - [[Citizen Lab] IEXPLORE RAT](https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf) | [:closed_book:](../../blob/master/2012/2012.09.07.IEXPLORE_RAT)
* Sep 06 - [[Symantec] The Elderwood Project](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf) | [:closed_book:](../../blob/master/2012/2012.09.06.Elderwood)
* Aug 19 - [[Rapid7] ByeBye Shell and the targeting of Pakistan](https://blog.rapid7.com/2013/08/19/byebye-and-the-targeting-of-pakistan/) | [:closed_book:](../../blob/master/2012/2012.08.19.ByeBye_Shell)
* Aug 18 - [[Trend Micro] The Taidoor Campaign: An In-Depth Analysis](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf) | [:closed_book:](../../blob/master/2012/2012.08.18.Taidoor_Campaign)
* Aug 09 - [[Kaspersky] Gauss: Abnormal Distribution](http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-lab-gauss.pdf) | [:closed_book:](../../blob/master/2012/2012.08.09.Gauss)
* Jul 27 - [[Kaspersky] The Madi Campaign](https://securelist.com/analysis/36609/the-madi-infostealers-a-detailed-analysis/) | [:closed_book:](../../blob/master/2012/2012.07.27.Madi_Campaign)
* Jul 25 - [[Citizen Lab] From Bahrain With Love: FinFisher's Spy Kit Exposed?](https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/) | [:closed_book:](../../blob/master/2012/2012.07.25.FinFisher_Spy_Kit)
* Jul 11 - [[Wired] Wired article on DarkComet creator](http://www.wired.com/2012/07/dark-comet-syrian-spy-tool/) | [:closed_book:](../../blob/master/2012/2012.07.11.DarkComet_Creator)
* Jul 10 - [[Citizenlab] Advanced Social Engineering for the Distribution of LURK Malware](https://citizenlab.org/wp-content/uploads/2012/07/10-2012-recentobservationsintibet.pdf) | [:closed_book:](../../blob/master/2012/2012.07.10.SE_LURK_Malware)
* May 31 - [[Crysys] sKyWIper (Flame/Flamer)](http://www.crysys.hu/skywiper/skywiper.pdf) | [:closed_book:](../../blob/master/2012/2012.05.31.Flame_sKyWIper)
* May 22 - [[Trend Micro] IXESHE: An APT Campaign](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf) | [:closed_book:](../../blob/master/2012/2012.05.22.IXESHE)
* May 18 - [[Symantec] Analysis of Flamer C&C Server](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf) | [:closed_book:](../../blob/master/2012/2012.05.18.Flamer_CnC)
* Apr 16 - [[Kaspersky] OSX.SabPub & Confirmed Mac APT attacks](http://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/) | [:closed_book:](../../blob/master/2012/2012.04.16.OSX.SabPub)
* Apr 10 - [[McAfee] Anatomy of a Gh0st RAT](http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf) | [:closed_book:](../../blob/master/2012/2012.04.10.Gh0st_RAT)
* Mar 26 - [[Trend Micro] Luckycat Redux](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf) | [:closed_book:](../../blob/master/2012/2012.03.26.Luckycat_Redux)
* Mar 13 - [[Arbor] Reversing DarkComet RAT's crypto](http://www.arbornetworks.com/asert/wp-content/uploads/2012/07/Crypto-DarkComet-Report.pdf) | [:closed_book:](../../blob/master/2012/2012.03.13.DarkComet_RAT)
* Mar 12 - [[contextis] Crouching Tiger, Hidden Dragon, Stolen Data](http://www.contextis.com/services/research/white-papers/crouching-tiger-hidden-dragon-stolen-data/) | [:closed_book:](../../blob/master/2012/2012.03.12.Crouching_Tiger)
* Feb 29 - [[Dell] The Sin Digoo Affair](http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/) | [:closed_book:](../../blob/master/2012/2012.02.29.Sin_Digoo_Affair)
* Feb 03 - [[CommandFive] Command and Control in the Fifth Domain](http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf) | [:closed_book:](../../blob/master/2012/2012.02.03.Fifth_Domain_CnC)
* Jan 03 - [[Trend Micro] The HeartBeat APT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf) | [:closed_book:](../../blob/master/2012/2012.01.03.HeartBeat_APT)
## 2011
* Dec 08 - [[Norman] Palebot trojan harvests Palestinian online credentials](https://web.archive.org/web/20130308090454/http://blogs.norman.com/2011/malware-detection-team/palebot-trojan-harvests-palestinian-online-credentials) | [:closed_book:](../../blob/master/2011/2011.12.08.Palebot_Trojan)
* Nov 15 - [[Norman] The many faces of Gh0st Rat](http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf) | [:closed_book:](../../blob/master/2011/2011.11.15.Many_Faces_Gh0st_Rat)
* Oct 31 - [[Symantec] The Nitro Attacks: Stealing Secrets from the Chemical Industry](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf) | [:closed_book:](../../blob/master/2011/2011.10.31.Nitro)
* Oct 26 - [[Dell] Duqu Trojan Questions and Answers](http://www.secureworks.com/cyber-threat-intelligence/threats/duqu/) | [:closed_book:](../../blob/master/2011/2011.10.26.Duqu)
* Oct 12 - [[Zscaler] Alleged APT Intrusion Set: "1.php" Group](http://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf) | [:closed_book:](../../blob/master/2011/2011.10.12.1.php.group)
* Sep 22 - [[Trend Micro] The "LURID" Downloader](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf) | [:closed_book:](../../blob/master/2011/2011.09.22.LURID_Downloader)
* Sep 11 - [[CommandFive] SK Hack by an Advanced Persistent Threat](http://www.commandfive.com/papers/C5_APT_SKHack.pdf) | [:closed_book:](../../blob/master/2011/2011.09.11.SK_Hack)
* Sep 09 - [[Fidelis] The RSA Hack](http://www.fidelissecurity.com/sites/default/files/FTA1001-The_RSA_Hack.pdf) | [:closed_book:](../../blob/master/2011/2011.09.09.RSA_Hack)
* Aug 04 - [[McAfee] Operation Shady RAT](http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf) | [:closed_book:](../../blob/master/2011/2011.08.04.Operation_Shady_RAT)
* Aug 03 - [[Dell] HTran and the Advanced Persistent Threat](http://www.secureworks.com/cyber-threat-intelligence/threats/htran/) | [:closed_book:](../../blob/master/2011/2011.08.03.HTran)
* Aug 02 - [[vanityfair] Operation Shady RAT: Vanity](http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109) | [:closed_book:](../../blob/master/2011/2011.08.02.Operation_Shady_RAT_Vanity)
* Jun ?? - [[CommandFive] Advanced Persistent Threats: A Decade in Review]() | [:closed_book:](../../blob/master/2011/2011.06.APT)
* Apr 20 - [[ESET] Stuxnet Under the Microscope](http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf) | [:closed_book:](../../blob/master/2011/2011.04.20.Stuxnet)
* Feb 18 - [[NERC] Night Dragon Specific Protection Measures for Consideration](http://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/2011%20Alerts/A-2011-02-18-01%20Night%20Dragon%20Attachment%201.pdf) | [:closed_book:](../../blob/master/2011/2011.02.18.Night_Dragon.Specific)
* Feb 10 - [[McAfee] Global Energy Cyberattacks: Night Dragon](http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf) | [:closed_book:](../../blob/master/2011/2011.02.10.Night_Dragon)
## 2010
* Dec 09 - [[CRS] The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability](http://www.fas.org/sgp/crs/natsec/R41524.pdf) | [:closed_book:](../../blob/master/2010/2010.12.09.Stuxnet_Worm)
* Sep 30 - [[Symantec] W32.Stuxnet Dossier](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf) | [:closed_book:](../../blob/master/2010/2010.09.30.W32.Stuxnet_Dossier)
* Sep 03 - [[Seculert] The "MSUpdater" Trojan And Ongoing Targeted Attacks](http://www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf) | [:closed_book:](../../blob/master/2010/2010.09.03.MSUpdater.Trojan)
* Apr 06 - [[ShadowServer] Shadows in the cloud: Investigating Cyber Espionage 2.0](http://www.nartv.org/mirror/shadows-in-the-cloud.pdf) | [:closed_book:](../../blob/master/2010/2010.04.06.Shadows_in_the_cloud)
* Mar 14 - [[CA] In-depth Analysis of Hydraq](http://www.totaldefense.com/Core/DownloadDoc.aspx?documentID=1052) | [:closed_book:](../../blob/master/2010/2010.03.14.Hydraq)
* Feb 10 - [[HB Gary] Threat Report: Operation Aurora](http://hbgary.com/sites/default/files/publications/WhitePaper%20HBGary%20Threat%20Report,%20Operation%20Aurora.pdf) | [:closed_book:](../../blob/master/2010/2010.02.10.Threat_Report_Operation_Aurora)
* Jan ?? - [[Triumfant] Case Study: Operation Aurora](http://www.triumfant.com/pdfs/Case_Study_Operation_Aurora_V11.pdf) | [:closed_book:](../../blob/master/2010/2010.01.Case_Study_Operation_Aurora)
* Jan 27 - [[Alberts] Operation Aurora Detect, Diagnose, Respond](http://albertsblog.stickypatch.org/files/3/5/1/4/7/282874-274153/Aurora_HBGARY_DRAFT.pdf) | [:closed_book:](../../blob/master/2010/2010.01.27.Operation_Aurora_Detect_Diagnose_Respond)
* Jan 26 - [[McAfee] How Can I Tell if I Was Infected By Aurora? (IOCs)]() | [:closed_book:](../../blob/master/2010/2010.01.26.Operation_Aurora_IoC)
* Jan 20 - [[McAfee] Combating Aurora](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/67000/KB67957/en_US/Combating%20Threats%20-%20Operation%20Aurora.pdf) | [:closed_book:](../../blob/master/2010/2010.01.20.Combating_Aurora)
* Jan 13 - [[Damballa] The Command Structure of the Aurora Botnet](https://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf) | [:closed_book:](../../blob/master/2010/2010.01.13.Aurora_Botnet)
* Jan 12 - [[Google] Operation Aurora](http://en.wikipedia.org/wiki/Operation_Aurora) | [:closed_book:](../../blob/master/2010/2010.01.12.Operation_Aurora)
## 2009
* Oct 19 - [[Northrop Grumman] Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation](https://nsarchive2.gwu.edu//NSAEBB/NSAEBB424/docs/Cyber-030.pdf) | [:closed_book:](../../blob/master/2009/2009.10.19.Capability_China_Cyber_Warfare)
* Mar 29 - [[TheSecDevGroup] Tracking GhostNet](http://www.nartv.org/mirror/ghostnet.pdf) | [:closed_book:](../../blob/master/2009/2009.03.29.GhostNet)
* Jan 18 - [[Baltic] Impact of Alleged Russian Cyber Attacks](https://www.baltdefcol.org/files/files/documents/Research/BSDR2009/1_%20Ashmore%20-%20Impact%20of%20Alleged%20Russian%20Cyber%20Attacks%20.pdf) | [:closed_book:](../../blob/master/2009/2009.01.18.Russian_Cyber_Attacks)
## 2008
* Nov XX - [[Military Review] CHINA_CHINA_CYBER_WARFARE](https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20081231_art009.pdf) | [:closed_book:](../../blob/master/2008/2008.CHINA_CHINA_CYBER_WARFARE)
* Nov 19 - [[Wired] Agent.BTZ](http://www.wired.com/dangerroom/2008/11/army-bans-usb-d/) | [:closed_book:](../../blob/master/2008/2008.11.19.UNDER_WORM_ASSAULT)
* Nov 04 - [[DTIC] China's Electronic Long-Range Reconnaissance](http://www.dtic.mil/dtic/tr/fulltext/u2/a492659.pdf) | [:closed_book:](../../blob/master/2008/2008.11.04.China_Electornic_Long_Range_Reconnaissance)
* Oct XX - [[Culture Mandala] HOW CHINA WILL USE CYBER WARFARE TO LEAPFROG IN MILITARY COMPETITIVENESS](http://www.international-relations.com/CM8-1/Cyberwar.pdf) | [:closed_book:](../../blob/master/2008/2008.HOW_CHINA_WILL_USE_CYBER_WARFARE)
* Oct 02 - [[Culture Mandala] How China will use cyber warfare to leapfrog in military competitiveness](http://www.international-relations.com/CM8-1/Cyberwar.pdf) | [:closed_book:](../../blob/master/2008/2008.10.02.China_Cyber_Warfare)
* Aug 10 - [[Georgia] Russian Invasion of Georgia Russian Cyberwar on Georgia](http://georgiaupdate.gov.ge/doc/10006922/CYBERWAR-%20fd_2_.pdf) | [:closed_book:](../../blob/master/2008/2008.08.10.Russian_Cyberwar_on_Georgia)
## 2006
* [[Krebs on Security] "Wicked Rose" and the NCPH Hacking Group](http://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf) | [:closed_book:](../../blob/master/2006/2006.Wicked_Rose)
## Report
### NSA
:small_orange_diamond: Jan 08 2021 - [[NSA] 2020 Cybersecurity Year in Review report](https://media.defense.gov/2021/Jan/08/2002561651/-1/-1/0/NSA%20CYBERSECURITY%202020%20YEAR%20IN%20REVIEW.PDF/NSA%20CYBERSECURITY%202020%20YEAR%20IN%20REVIEW.PDF) | [:closed_book:](../../blob/master/Report/NSA/NSA_CYBERSECURITY_2020_YEAR_IN_REVIEW.PDF)<br>
### Objective-See
:small_orange_diamond: Jan 04 2021 - [[Objective-See] The Mac Malware of 2020](https://objective-see.com/downloads/MacMalware_2020.pdf/) | [:closed_book:](../../blob/master/Report/Objective-See/MacMalware_2020.pdf)<br>
### ESET
:small_orange_diamond: Oct 18 2020 - [[ESET] 2020 Q3 Threat Report](https://www.welivesecurity.com/2020/10/28/eset-threat-report-q32020/) | [:closed_book:](../../blob/master/Report/ESET/ESET_Threat_Report_Q32020.pdf)<br>
:small_orange_diamond: Jul 29 2020 - [[ESET] 2020 Q2 Threat Report](https://www.welivesecurity.com/2020/07/29/eset-threat-report-q22020/) | [:closed_book:](../../blob/master/Report/ESET/ESET_Threat_Report_Q22020.pdf) <br>
:small_orange_diamond: Apr 2020 - [[ESET] 2020 Q1 Threat Report](https://www.welivesecurity.com/wp-content/uploads/2020/04/ESET_Threat_Report_Q12020.pdf) | [:closed_book:](../../blob/master/Report/ESET/ESET_Threat_Report_Q12020.pdf) <br>
### Kaspersky
:small_orange_diamond: Nov 04 2020 - [[Kaspersky] APT trends report Q3 2020](https://securelist.com/apt-trends-report-q3-2020/99204/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q3_2020_Securelist.pdf) <br>
:small_orange_diamond: Jul 29 2020 - [[Kaspersky] APT trends report Q2 2020](https://securelist.com/apt-trends-report-q2-2020/97937/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q2_2020_Securelist.pdf) <br>
:small_orange_diamond: Aug 01 2019 - [[Kaspersky] APT trends report Q2 2019](https://securelist.com/apt-trends-report-q2-2019/91897/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q2_2019_Securelist.pdf) <br>
:small_orange_diamond: Apr 30 2019 - [[Kaspersky] APT trends report Q1 2019](https://securelist.com/apt-trends-report-q1-2019/90643/) | [:closed_book:](../../blob/master/Report/Kaspersky/APT_trends_report_Q1_2019_Securelist.pdf) <br>
### FireEye
:small_orange_diamond: Feb 20 2020 - [[FireEye] M-Trends 2020](https://content.fireeye.com/m-trends/rpt-m-trends-2020) | [:closed_book:](../../blob/master/Report/FireEye/mtrends-2020.pdf) <br>
:small_orange_diamond: Mar 04 2019 - [[FireEye] M-Trends 2019](https://content.fireeye.com/m-trends/rpt-m-trends-2019) | [:closed_book:](../../blob/master/Report/FireEye/rpt-mtrends-2019.pdf) <br>
### AhnLab
:small_orange_diamond: Q3 2020 - [[AhnLab] ASEC Report Q3 2020](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.100_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.100_ENG.pdf) <br>
:small_orange_diamond: Q2 2020 - [[AhnLab] ASEC Report Q2 2020](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.99_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.99_ENG.pdf) <br>
:small_orange_diamond: Q1 2020 - [[AhnLab] ASEC Report Q1 2020](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.98_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.98_ENG.pdf) <br>
:small_orange_diamond: Q4 2019 - [[AhnLab] ASEC Report Q4 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.97_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.97_ENG.pdf) <br>
:small_orange_diamond: Q3 2019 - [[AhnLab] ASEC Report Q3 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.96_ENG.pdf) <br>
:small_orange_diamond: Q2 2019 - [[AhnLab] ASEC Report Q2 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.95_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.95_ENG.pdf) <br>
:small_orange_diamond: Q1 2019 - [[AhnLab] ASEC Report Q1 2019](https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.94_ENG.pdf) | [:closed_book:](../../blob/master/Report/AhnLab/ASEC_REPORT_vol.94_ENG.pdf) <br>
### Group-IB
:small_orange_diamond: Nov 24 2020 - [[Group-IB] Hi-Tech Crime Trends 2020-2021](https://www.group-ib.com/resources/threat-research/2020-report.html) | [:closed_book:](../../blob/master/Report/Group-IB/Group-IB_Hi-Tech_Crime_Trends_2019-2020_en.pdf) <br>
:small_orange_diamond: Nov 29 2019 - [[Group-IB] Hi-Tech Crime Trends 2019-2020](https://www.group-ib.com/resources/threat-research/2019-report.html) | [:closed_book:](../../blob/master/Report/Group-IB/Group-IB_Hi-Tech_Crime_Trends_2020-2021_en.pdf) <br>
### PTSecurity
:small_orange_diamond: Q2 2020 - [[PTSecurity] Cybersecurity threatscape Q2 2020](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2020-q2-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2020-q2-eng.pdf) <br>
:small_orange_diamond: Q1 2020 - [[PTSecurity] Cybersecurity threatscape Q1 2020](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2020-q1-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2020-q1-eng.pdf) <br>
:small_orange_diamond: Q4 2019 - [[PTSecurity] Cybersecurity threatscape Q4 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2019-q4-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2019-q4-eng.pdf) <br>
:small_orange_diamond: Q3 2019 - [[PTSecurity] Cybersecurity threatscape Q3 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/cybersecurity-threatscape-2019-q3-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/cybersecurity-threatscape-2019-q3-eng.pdf) <br>
:small_orange_diamond: Q2 2019 - [[PTSecurity] Cybersecurity threatscape Q2 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cybersecurity-threatscape-2019-Q2-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/Cybersecurity-threatscape-2019-Q2-eng.pdf) <br>
:small_orange_diamond: Q1 2019 - [[PTSecurity] Cybersecurity threatscape Q1 2019](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cybersecurity-threatscape-2019-Q1-eng.pdf) | [:closed_book:](../../blob/master/Report/PTSecurity/Cybersecurity-threatscape-2019-Q1-eng.pdf) <br>
### ENISA
:small_orange_diamond: Oct 20 2020 - [[ENISA] ENISA Threat Landscape 2020 - Main Incidents](https://www.enisa.europa.eu/publications/enisa-threat-landscape-2020-main-incidents) | [:closed_book:](../../blob/master/Report/ENISA/ETL2020_Incidents_A4.pdf) <br>
:small_orange_diamond: Jan 28 2019 - [[ENISA] ENISA Threat Landscape Report 2018](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018) | [:closed_book:](../../blob/master/Report/ENISA/ENISA_Threat_Landscape_2018.pdf) <br>
### CrowdStrike
:small_orange_diamond: Mar 03 2020 - [[CrowdStrike] 2020 GLOBAL THREAT REPORT](https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf) | [:closed_book:](../../blob/master/Report/CrowdStrike/Report2020CrowdStrikeGlobalThreatReport.pdf) <br>
:small_orange_diamond: Feb 19 2019 - [[CrowdStrike] 2019 GLOBAL THREAT REPORT](https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf?lb_email=&utm_source=Marketo&utm_medium=Web&utm_campaign=Threat_Report_2019) | [:closed_book:](../../blob/master/Report/CrowdStrike/Report2019GlobalThreatReport.pdf) <br>
### QianXin
:small_orange_diamond: Jun 29 2020 - [[QianXin] APT threat report 2020 1H CN version](https://ti.qianxin.com/uploads/2020/06/29/e4663b4f11f01e5ec8a1a5d91a71dc72.pdf) | [:closed_book:](../../blob/master/Report/QianXin/2020.06.29_APT_threat_report_2020_1H_CN_version.pdf) <br>
:small_orange_diamond: Feb 02 2019 - [[QianXin] APT threat report 2019 CN version](https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf) | [:closed_book:](../../blob/master/Report/QianXin/2020.02.22_APT_threat_report_2019_CN_version.pdf) <br>
### Tencent
:small_orange_diamond: Mar 05 2020 - [[Tencent] [CN] 2019 APT Summary Report](http://pc1.gtimg.com/softmgr/files/apt_report_2019.pdf) | [:closed_book:](../../blob/master/Report/Tencent/apt_report_2019.CN_Version.pdf) <br>
:small_orange_diamond: Jan 03 2019 - [[Tencent] [CN] 2018 APT Summary Report](https://www.freebuf.com/articles/network/193420.html) | [:closed_book:](../../blob/master/Report/Tencent/2019.01.03.Tencent_APT_Summary_report_2018_CN_Version.pdf) <br>
### Verizon
:small_orange_diamond: Nov 16 2020 - [[Verizon] Cyber-Espionage Report 2020-2021](https://www.infopoint-security.de/media/2020-2021-cyber-espionage-report.pdf) | [:closed_book:](../../blob/master/Report/Verizon/2020-2021-cyber-espionage-report.pdf) <br>
### Sophos
:small_orange_diamond: Nov 18 2020 - [[Sophos] SOPHOS 2021 THREAT REPORT](https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf) | [:closed_book:](../../blob/master/Report/Sophos/sophos-2021-threat-report.pdf) <br>
:small_orange_diamond: Dec 02 2019 - [[Sophos] SOPHOS 2020 THREAT REPORT](https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-uncut-2020-threat-report.pdf) | [:closed_book:](../../blob/master/Report/Sophos/sophoslabs-uncut-2020-threat-report.pdf) <br>
### Other
:small_orange_diamond: Nov 18 2020 - [[KELA] Zooming into Darknet Threats Targeting Japanese Organizations](https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/) | [:closed_book:](../../blob/master/Report/2020.11.18_Zooming_into_Darknet_Threats_Targeting_Japanese_Organizations/) <br>
:small_orange_diamond: Nov 04 2020 - [[WEF] Partnership against Cybercrime](http://www3.weforum.org/docs/WEF_Partnership_against_Cybercrime_report_2020.pdf) | [:closed_book:](../../blob/master/Report/2020.11.04_-_WorldEconomicForum_-_Partnership_against_Cybercrime/) <br>
:small_orange_diamond: May 01 2020 - [[Macnica Networks, TeamT5] 2019 H2 APT Report](https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf) | [:closed_book:](../../blob/master/Report/2019.H2_macnica_TeamT5) <br>
:small_orange_diamond: Feb 02 2019 - [[threatintel] Threat Intel Reads January 2019](https://threatintel.eu/2019/02/02/threat-intel-reads-january-2019/) | [:closed_book:](../../blob/master/Report/2019.02.02.Threat_Intel_Reads_January_2019) <br>
:small_orange_diamond: Feb 2019 - [[SWISSCOM] Targeted Attacks: Cyber Security Report 2019](https://www.swisscom.ch/content/dam/swisscom/en/about/company/portrait/network/security/documents/security-report-2019.pdf) | [:closed_book:](../../blob/master/Report/2019.02.Targeted_Attacks) <br>
:small_orange_diamond: Jan 30 2019 - [[Dragos] Webinar Summary: Uncovering ICS Threat Activity Groups](https://dragos.com/blog/industry-news/webinar-summary-uncovering-ics-threat-activity-groups/) | [:closed_book:](../../blob/master/Report/2019.01.30.Uncovering_ICS_Threat_Activity_Groups) <br>
:small_orange_diamond: Jan 15 2019 - [[Hackmageddon] 2018: A Year of Cyber Attacks](https://www.hackmageddon.com/2019/01/15/2018-a-year-of-cyber-attacks/) | [:closed_book:](../../blob/master/Report/2019.01.15.2018-a-year-of-cyber-attacks) <br>
:small_orange_diamond: Jan 09 2019 - [[360] [CN] 2018 APT Summary Report](https://www.freebuf.com/articles/paper/193553.html) | [:closed_book:](../../blob/master/Report/2019.01.09.360_APT_Summary_report_2018_CN_Version) <br>
:small_orange_diamond: Jan 07 2019 - [[Medium] APT_chronicles_december_2018_edition](https://medium.com/@z3roTrust/the-apt-chronicles-december-2018-edition-e3e5125ffcd2) | [:closed_book:](../../blob/master/Report/2019.01.07.APT_chronicles_december_2018_edition) <br>
:small_orange_diamond: Sep 07 2020 - [[SWIFT & BAE] Follow the Money](https://www.swift.com/sites/default/files/files/swift_bae_report_Follow-The%20Money.pdf) | [:closed_book:](../../blob/master/Report/2020.09.07_Follow_the_Money) <br>