APT_CyberCriminal_Campagin_.../README.md
CyberMonitor a0c59e0d23 new
2018-01-17 16:18:09 +08:00

# APT & CyberCriminal Campaign Collection
This is a collection of APT and CyberCriminal campaigns.
Please open an issue if any APT/malware events or campaigns are missing.
## Reference Resources
* [kbandla](https://github.com/kbandla/APTnotes)
* [APTnotes](https://github.com/aptnotes/data)
* [Florian Roth - APT Groups](https://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml)
* [Attack Wiki](https://attack.mitre.org/wiki/Groups)
* [threat-INTel](https://github.com/fdiskyou/threat-INTel)
* [targetedthreats](https://github.com/botherder/targetedthreats/wiki/Reports)
## 2018
* Jan 16 - [[Recorded Future] North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign](https://www.recordedfuture.com/north-korea-cryptocurrency-campaign/) | [Local](../../blob/master/2018/2018.01.16.north-korea-cryptocurrency-campaign)
* Jan 16 - [[CISCO] Korea In The Crosshairs](http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html) | [Local](../../blob/master/2018/2018.01.16.korea-in-crosshairs)
* Jan 15 - [[Trend Micro] New KillDisk Variant Hits Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/) | [Local](../../blob/master/2018/2018.01.15.new-killdisk-variant-hits-financial-organizations-in-latin-america)
* Jan 12 - [[Trend Micro] Update on Pawn Storm: New Targets and Politically Motivated Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/?utm_campaign=shareaholic&utm_medium=twitter&utm_source=socialnetwork) | [Local](../../blob/master/2018/2018.01.12.update-pawn-storm-new-targets-politically)
* Jan 11 - [[McAfee] North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk](https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalists-targeted-using-social-networks-kakaotalk/) | [Local](../../blob/master/2018/2018.01.11.North_Korean_Defectors_and_Journalists_Targeted)
* Jan 09 - [[ESET] Diplomats in Eastern Europe bitten by a Turla mosquito](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) | [Local](../../blob/master/2018/2018.01.09.Turla_Mosquito)
* Jan 06 - [[McAfee] Malicious Document Targets Pyeongchang Olympics](https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/) | [Local](../../blob/master/2018/2018.01.06.malicious-document-targets-pyeongchang-olympics)
* Jan 04 - [[Carnegie] Iran's Cyber Threat: Espionage, Sabotage, and Revenge](http://carnegieendowment.org/files/Iran_Cyber_Final_Full_v2.pdf) | [Local](../../blob/master/2018/2018.01.04.Iran_Cyber_Threat_Carnegie)
## 2017
* Dec 19 - [[Proofpoint] North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group](https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new) | [Local](../../blob/master/2017/2017.12.19.North_Korea_Bitten_by_Bitcoin_Bug)
* Dec 17 - [[McAfee] Operation Dragonfly Analysis Suggests Links to Earlier Attacks](https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/) | [Local](../../blob/master/2017/2017.12.17.operation-dragonfly-analysis-suggests-links-to-earlier-attacks)
* Dec 11 - [[Group-IB] MoneyTaker, revealed after 1.5 years of silent operations.](https://www.group-ib.com/resources/reports/money-taker.html) | [Local](../../blob/master/2017/2017.12.11.MoneyTaker)
* Dec 11 - [[Trend Micro] Untangling the Patchwork Cyberespionage Group](http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-the-patchwork-cyberespionage-group/) | [Local](../../blob/master/2017/2017.12.11.Patchwork_APT)
* Dec 07 - [[FireEye] New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit](https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html) | [Local](../../blob/master/2017/2017.12.07.New_Targeted_Attack_in_the_Middle_East_by_APT34)
* Dec 05 - [[ClearSky] Charming Kitten: Iranian Cyber Espionage Against Human Rights Activists, Academic Researchers and Media Outlets And the HBO Hacker Connection](http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf) | [Local](../../blob/master/2017/2017.12.05.Charming_Kitten)
* Dec 04 - [[RSA] The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion](https://community.rsa.com/community/products/netwitness/blog/2017/12/04/anatomy-of-an-attack-carbanak) | [Local](../../blob/master/2017/2017.12.04.The_Shadows_of_Ghosts)
* Nov 22 - [[REAQTA] A dive into MuddyWater APT targeting Middle-East](https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/) | [Local](../../blob/master/2017/2017.11.22.MuddyWater_APT)
* Nov 14 - [[Palo Alto Networks] Muddying the Water: Targeted Attacks in the Middle East](https://researchcenter.paloaltonetworks.com/2017/11/2017.11.14.Muddying_the_Water) | [Local](../../blob/master/2017/2017.11.14.Muddying_the_Water)
* Nov 10 - [[Palo Alto Networks] New Malware with Ties to SunOrcal Discovered](https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/) | [Local](../../blob/master/2017/2017.11.10.New_Malware_with_Ties_to_SunOrcal_Discovered)
* Nov 07 - [[McAfee] Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack](https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/#sf151634298) | [Local](../../blob/master/2017/2017.11.07.APT28_Slips_Office_Malware)
* Nov 07 - [[Symantec] Sowbug: Cyber espionage group targets South American and Southeast Asian governments](https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments) | [Local](../../blob/master/2017/2017.11.07.sowbug-cyber-espionage-group-targets)
* Nov 06 - [[Trend Micro] ChessMaster's New Strategy: Evolving Tools and Tactics](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) | [Local](../../blob/master/2017/2017.11.06.ChessMaster_New_Strategy)
* Nov 02 - [[PwC] The KeyBoys are back in town](http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html) | [Local](../../blob/master/2017/2017.11.02.KeyBoys_are_back)
* Oct 31 - [[Cybereason] Night of the Devil: Ransomware or wiper? A look into targeted attacks in Japan using MBR-ONI](https://www.cybereason.com/blog/night-of-the-devil-ransomware-or-wiper-a-look-into-targeted-attacks-in-japan) | [Local](../../blob/master/2017/2017.10.31.MBR-ONI.Japan)
* Oct 30 - [[Kaspersky] Gaza Cybergang updated activity in 2017](https://securelist.com/gaza-cybergang-updated-2017-activity/82765/) | [Local](../../blob/master/2017/2017.10.30.Gaza_Cybergang)
* Oct 27 - [[Bellingcat] Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia](https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/) | [Local](../../blob/master/2017/2017.10.27.bahamut-revisited)
* Oct 24 - [[ClearSky] Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies](http://www.clearskysec.com/greenbug/) | [Local](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 16 - [[BAE Systems] Taiwan Heist: Lazarus Tools And Ransomware](https://baesystemsai.blogspot.kr/2017/10/taiwan-heist-lazarus-tools.html) | [Local](../../blob/master/2017/2017.10.16.Taiwan-Heist)
* Oct 16 - [[Kaspersky] BlackOasis APT and new targeted attacks leveraging zero-day exploit](https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/) | [Local](../../blob/master/2017/2017.10.16.BlackOasis_APT)
* Oct 10 - [[Trustwave] Post Soviet Bank Heists](https://www.trustwave.com/Resources/Library/Documents/Post-Soviet-Bank-Heists/) | [Local](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Oct 02 - [[intezer] Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers]() | [Local](../../blob/master/2017/2017.10.02.Aurora_Operation_CCleaner_II)
* Sep 28 - [[Palo Alto Networks] Threat Actors Target Government of Belarus Using CMSTAR Trojan](https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/) | [Local](../../blob/master/2017/2017.09.28.Belarus_CMSTAR_Trojan)
* Sep 20 - [[intezer] Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner](http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/) | [Local](../../blob/master/2017/2017.09.20.Aurora_Operation_CCleaner)
* Sep 20 - [[FireEye] Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware](https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html) | [Local](../../blob/master/2017/2017.09.20.apt33-insights-into-iranian-cyber-espionage)
* Sep 20 - [[CISCO] CCleaner Command and Control Causes Concern](http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) | [Local](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 18 - [[CISCO] CCleanup: A Vast Number of Machines at Risk](http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) | [Local](../../blob/master/2017/2017.09.18.CCleanup)
* Sep 12 - [[FireEye] FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html) | [Local](../../blob/master/2017/2017.09.12.FINSPY_CVE-2017-8759)
* Sep 06 - [[Symantec] Dragonfly: Western energy sector targeted by sophisticated attack group](https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group) | [Local](../../blob/master/2017/2017.09.06.dragonfly-western-energy-sector-targeted-sophisticated-attack-group)
* Sep 06 - [[Treadstone 71] Intelligence Games in the Power Grid](https://treadstone71llc.files.wordpress.com/2017/09/intelligence-games-in-the-power-grid-2016.pdf) | [Local](../../blob/master/2017/2017.09.06.intelligence-games-in-the-power-grid-2016)
* Aug 30 - [[ESET] Gazing at Gazer: Turla's new second stage backdoor](https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/) | [Local](../../blob/master/2017/2017.08.30.Gazing_at_Gazer)
* Aug 30 - [[Kaspersky] Introducing WhiteBear](https://securelist.com/introducing-whitebear/81638/) | [Local](../../blob/master/2017/2017.08.30.Introducing_WhiteBear)
* Aug 25 - [[Proofpoint] Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures](https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures) | [Local](../../blob/master/2017/2017.08.25.operation-rat-cook)
* Aug 18 - [[RSA] Russian Bank Offices Hit with Broad Phishing Wave](https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-bank-offices-hit-with-broad-phishing-wave) | [Local](../../blob/master/2017/2017.08.18.Russian_Bank_Offices_Hit)
* Aug 15 - [[Palo Alto Networks] The Curious Case of Notepad and Chthonic: Exposing a Malicious Infrastructure](https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-notepad-and-chthonic-exposing-a-malicious-infrastructure/) | [Local](../../blob/master/2017/2017.08.15.Notepad_and_Chthonic)
* Aug 11 - [[FireEye] APT28 Targets Hospitality Sector, Presents Threat to Travelers](https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html) | [Local](../../blob/master/2017/2017.08.11.apt28-targets-hospitality-sector)
* Aug 01 - [[Positive Research] Cobalt strikes back: an evolving multinational threat to finance](http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.html) | [Local](../../blob/master/2017/2017.08.01.cobalt-group-2017-cobalt-strikes-back)
* Jul 27 - [[Trend Micro] ChessMaster Makes its Move: A Look into the Campaign's Cyberespionage Arsenal](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) | [Local](../../blob/master/2017/2017.07.27.chessmaster-cyber-espionage-campaign)
* Jul 27 - [[Palo Alto Networks] OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group](https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/) | [Local](../../blob/master/2017/2017.07.27.oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group)
* Jul 27 - [[Clearsky, TrendMicro] Operation Wilted Tulip](http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf) | [Local](../../blob/master/2017/2017.07.27.Operation_Wilted_Tulip)
* Jul 24 - [[Palo Alto Networks] “Tick” Group Continues Attacks](https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/) | [Local](../../blob/master/2017/2017.07.24.Tick_group)
* Jul 18 - [[Clearsky] Recent Winnti Infrastructure and Samples](http://www.clearskysec.com/winnti/) | [Local](../../blob/master/2017/2017.07.18.winnti)
* Jul 18 - [[Bitdefender] Inexsmar: An unusual DarkHotel campaign](https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/) | [Local](../../blob/master/2017/2017.07.18.Inexsmar)
* Jul 11 - [[ProtectWise] Winnti Evolution - Going Open Source](https://www.protectwise.com/blog/winnti-evolution-going-open-source.html) | [Local](../../blob/master/2017/2017.07.11.winnti-evolution-going-open-source)
* Jul 10 - [[Trend Micro] OSX Malware Linked to Operation Emmental Hijacks User Network Traffic](http://blog.trendmicro.com/trendlabs-security-intelligence/osx_dok-mac-malware-emmental-hijacks-user-network-traffic/) | [Local](../../blob/master/2017/2017.07.10.osx_dok-mac-malware-emmental-hijacks-user-network-traffic)
* Jul 06 - [[Malware Party] Operation Desert Eagle](http://mymalwareparty.blogspot.tw/2017/07/operation-desert-eagle.html) | [Local](../../blob/master/2017/2017.07.06.Operation_Desert_Eagle)
* Jul 05 - [[Citizen Lab] Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | [Local](../../blob/master/2017/2017.07.05.insider-information)
* Jun 30 - [[ESET] TeleBots are back: supply-chain attacks against Ukraine](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/) | [Local](../../blob/master/2017/2017.06.30.telebots-back-supply-chain)
* Jun 30 - [[Kaspersky] From BlackEnergy to ExPetr](https://securelist.com/from-blackenergy-to-expetr/78937/) | [Local](../../blob/master/2017/2017.06.30.From_BlackEnergy_to_ExPetr)
* Jun 26 - [[Dell] Threat Group-4127 Targets Google Accounts](https://www.secureworks.com/research/threat-group-4127-targets-google-accounts) | [Local](../../blob/master/2017/2017.06.26.Threat_Group-4127)
* Jun 22 - [[Palo Alto Networks] The New and Improved macOS Backdoor from OceanLotus]() | [Local](../../blob/master/2017/2017.06.22.new-improved-macos-backdoor-oceanlotus)
* Jun 22 - [[Trend Micro] Following the Trail of BlackTech's Cyber Espionage Campaigns](http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/) | [Local](../../blob/master/2017/2017.06.22.following-trail-blacktech-cyber-espionage-campaigns)
* Jun 19 - [[root9B] SHELLTEA + POSLURP MALWARE: memory resident point-of-sale malware attacks industry](https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf) | [Local](../../blob/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE)
* Jun 15 - [[Recorded Future] North Korea Is Not Crazy](https://www.recordedfuture.com/north-korea-cyber-activity/) | [Local](../../blob/master/2017/2017.06.15.north-korea-cyber-activity)
* Jun 14 - [[ThreatConnect] KASPERAGENT Malware Campaign resurfaces in the run up to May Palestinian Authority Elections](https://www.threatconnect.com/blog/kasperagent-malware-campaign/) | [Local](../../blob/master/2017/2017.06.14.KASPERAGENT)
* Jun 13 - [[US-CERT] HIDDEN COBRA North Korea's DDoS Botnet Infrastructure](https://www.us-cert.gov/ncas/alerts/TA17-164A) | [Local](../../blob/master/2017/2017.06.13.HIDDEN_COBRA)
* Jun 12 - [[Dragos] CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations](https://dragos.com/blog/crashoverride/CrashOverride-01.pdf) | [Local](../../blob/master/2017/2017.06.12.CRASHOVERRIDE)
* Jun 12 - [[ESET] WIN32/INDUSTROYER A new threat for industrial control systems](https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf) | [Local](../../blob/master/2017/2017.06.12.INDUSTROYER)
* May 30 - [[Group-IB] Lazarus Arisen: Architecture, Techniques and Attribution](http://www.group-ib.com/lazarus.html) | [Local](../../blob/master/2017/2017.05.30.Lazarus_Arisen)
* May 03 - [[Palo Alto Networks] Kazuar: Multiplatform Espionage Backdoor with API Access](http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-acces) | [Local](../../blob/master/2017/2017.05.03.kazuar-multiplatform-espionage-backdoor-api-access)
* May 03 - [[CISCO] KONNI: A Malware Under The Radar For Years](http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html) | [Local](../../blob/master/2017/konni-malware-under-radar-for-years)
* Apr 27 - [[Morphisec] Iranian Fileless Attack Infiltrates Israeli Organizations](http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability) | [Local](../../blob/master/2017/2017.04.27.iranian-fileless-cyberattack-on-israel-word-vulnerability)
* Apr 13 - [[F-SECURE] Callisto Group](https://www.f-secure.com/documents/996508/1030745/callisto-group) | [Local](../../blob/master/2017/2017.04.13.callisto-group)
* Mar 06 - [[Kaspersky] From Shamoon to StoneDrill](https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/) | [Local](../../blob/master/2017/2017.03.06.from-shamoon-to-stonedrill)
* Feb 28 - [[IBM] Dridex's Cold War: Enter AtomBombing](https://securityintelligence.com/dridexs-cold-war-enter-atombombing/) | [Local](../../blob/master/2017/2017.02.28.dridexs-cold-war-enter-atombombing)
* Feb 27 - [[Palo Alto Networks] The Gamaredon Group Toolset Evolution](http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/) | [Local](../../blob/master/2017/2017.02.27.gamaredon-group-toolset-evolution/)
* Feb 23 - [[Bitdefender] Dissecting the APT28 Mac OS X Payload](https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf) | [Local](../../blob/master/2017/2017.02.23.APT28_Mac_OS_X_Payload)
* Feb 22 - [[FireEye] Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government](https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html) | [Local](../../blob/master/2017/2017.02.22.Spear_Phishing_Mongolian_Government)
* Feb 21 - [[Arbor] Additional Insights on Shamoon2](https://www.arbornetworks.com/blog/asert/additional-insights-on-shamoon2/) | [Local](../../blob/master/2017/2017.02.21.Additional_Insights_on_Shamoon2)
* Feb 20 - [[BAE Systems] Lazarus' False Flag Malware](http://baesystemsai.blogspot.tw/2017/02/lazarus-false-flag-malware.html) | [Local](../../blob/master/2017/2017.02.20.Lazarus_False_Flag_Malware)
* Feb 17 - [[JPCERT] ChChes - Malware that Communicates with C&C Servers Using Cookie Headers](http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html) | [Local](../../blob/master/2017/2017.02.17.chches-malware)
* Feb 16 - [[BadCyber] Technical analysis of recent attacks against Polish banks](https://badcyber.com/technical-analysis-of-recent-attacks-against-polish-banks/) | [Local](../../blob/master/2017/2017.02.16.Technical_analysis_Polish_banks)
* Feb 15 - [[Morphick] Deep Dive On The DragonOK Rambo Backdoor](http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor) | [Local](../../blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor)
* Feb 15 - [[IBM] The Full Shamoon: How the Devastating Malware Was Inserted Into Networks](https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/) | [Local](../../blob/master/2017/2017.02.15.the-full-shamoon)
* Feb 15 - [[Dell] Iranian PupyRAT Bites Middle Eastern Organizations](https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations) | [Local](../../blob/master/2017/2017.02.15.iranian-pupyrat-bites-middle-eastern-organizations)
* Feb 15 - [[Palo Alto Networks] Magic Hound Campaign Attacks Saudi Targets](http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/) | [Local](../../blob/master/2017/2017.02.15.magic-hound-campaign)
* Feb 14 - [[Medium Corporation] Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal](https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852#.cly4mg1g8) | [Local](../../blob/master/2017/2017.02.14.Operation_Kingphish)
* Feb 12 - [[BAE Systems] Lazarus & Watering-Hole Attacks](https://baesystemsai.blogspot.tw/2017/02/lazarus-watering-hole-attacks.html) | [Local](../../blob/master/2017/2017.02.12.lazarus-watering-hole-attacks)
* Feb 10 - [[Cysinfo] Cyber Attack Targeting Indian Navy's Submarine And Warship Manufacturer](https://cysinfo.com/cyber-attack-targeting-indian-navys-submarine-warship-manufacturer/) | [Local](../../blob/master/2017/2017.02.10.cyber-attack-targeting-indian-navys-submarine-warship-manufacturer)
* Feb 10 - [[DHS] Enhanced Analysis of GRIZZLY STEPPE Activity](https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf) | [Local](../../blob/master/2017/2017.02.10.Enhanced_Analysis_of_GRIZZLY_STEPPE)
* Feb 03 - [[RSA] KingSlayer A Supply chain attack](https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf) | [Local](../../blob/master/2017/2017.02.03.kingslayer-a-supply-chain-attack)
* Feb 03 - [[BadCyber] Several Polish banks hacked, information stolen by unknown attackers](https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/) | [Local](../../blob/master/2017/2017.02.03.several-polish-banks-hacked)
* Feb 02 - [[Proofpoint] Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX](https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx) | [Local](../../blob/master/2017/2017.02.02.APT_Targets_Russia_and_Belarus_with_ZeroT_and_PlugX)
* Jan 30 - [[Palo Alto Networks] Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments](http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/) | [Local](../../blob/master/2017/2017.01.30.downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments)
* Jan 19 - [[Cysinfo] URI Terror Attack & Kashmir Protest Themed Spear Phishing Emails Targeting Indian Embassies And Indian Ministry Of External Affairs](https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embassies-and-indian-mea/) | [Local](../../blob/master/2017/2017.01.19.uri-terror-attack)
* Jan 18 - [[Trustwave] Operation Grand Mars: Defending Against Carbanak Cyber Attacks](https://www.trustwave.com/Resources/Library/Documents/Operation-Grand-Mars--Defending-Against-Carbanak-Cyber-Attacks/) | [Local](../../blob/master/2017/2017.01.18.Operation-Grand-Mars)
* Jan 15 - [[tr1adx] Bear Spotting Vol. 1: Russian Nation State Targeting of Government and Military Interests](https://www.tr1adx.net/intel/TIB-00003.html) | [Local](../../blob/master/2017/2017.01.15.Bear_Spotting_Vol.1)
* Jan 12 - [[Kaspersky] The “EyePyramid” attacks](https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/) | [Local](../../blob/master/2017/2017.01.12.EyePyramid.attacks)
* Jan 11 - [[FireEye] APT28: AT THE CENTER OF THE STORM](https://www.fireeye.com/blog/threat-research/2017/01/apt28_at_the_center.html) | [Local](../../blob/master/2017/2017.01.11.apt28_at_the_center)
* Jan 09 - [[Palo Alto Networks] Second Wave of Shamoon 2 Attacks Identified](http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/) | [Local](../../blob/master/2017/2017.01.09.second-wave-shamoon-2-attacks-identified)
* Jan 05 - [[Clearsky] Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford](http://www.clearskysec.com/oilrig/) | [Local](../../blob/master/2017/2017.01.05.Iranian_Threat_Agent_OilRig)
## 2016
* Dec 15 - [[Microsoft] PROMETHIUM and NEODYMIUM APT groups on Turkish citizens living in Turkey and various other European countries.](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf) | [Local](../../blob/master/2016/2016.12.15.PROMETHIUM_and_NEODYMIUM)
* Dec 13 - [[ESET] The rise of TeleBots: Analyzing disruptive KillDisk attacks](http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/) | [Local](../../blob/master/2016/2016.12.13.rise-telebots-analyzing-disruptive-killdisk-attacks)
* Nov 22 - [[Palo Alto Networks] Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy](http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/) | [Local](../../blob/master/2016/2016.11.22.tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy)
* Nov 09 - [[Fidelis] Down the H-W0rm Hole with Houdini's RAT](https://www.fidelissecurity.com/threatgeek/2016/11/down-h-w0rm-hole-houdinis-rat) | [Local](../../blob/master/2016/2016.11.09_down-the-h-w0rm-hole-with-houdinis-rat)
* Nov 03 - [[Booz Allen] When The Lights Went Out: Ukraine Cybersecurity Threat Briefing](http://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf) | [Local](../../blob/master/2016/2016.11.03.Ukraine_Cybersecurity_Threat_Briefing)
* Oct 31 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [Local](../../blob/master/2016/2016.10.31.Emissary_Trojan_Changelog)
* Oct 27 - [[ESET] En Route with Sednit Part 3: A Mysterious Downloader](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf) | [Local](../../blob/master/2016/2016.10.27.En_Route_Part3)
* Oct 27 - [[Trend Micro] BLACKGEAR Espionage Campaign Evolves, Adds Japan To Target List](http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/) | [Local](../../blob/master/2016/2016.10.27.BLACKGEAR_Espionage_Campaign_Evolves)
* Oct 26 - [[Vectra Networks] Moonlight Targeted attacks in the Middle East](http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks) | [Local](../../blob/master/2016/2016.10.26.Moonlight_Middle_East)
* Oct 25 - [[Palo Alto Networks] Houdini's Magic Reappearance](http://researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance/) | [Local](../../blob/master/2016/2016.10.25.Houdini_Magic_Reappearance)
* Oct 25 - [[ESET] En Route with Sednit Part 2: Lifting the lid on Sednit: A closer look at the software it uses](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf) | [Local](../../blob/master/2016/2016.10.25.Lifting_the_lid_on_Sednit)
* Oct 20 - [[ESET] En Route with Sednit Part 1: Approaching the Target](http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf) | [Local](../../blob/master/2016/2016.10.20.En_Route_with_Sednit)
* Oct 17 - [[ThreatConnect] ThreatConnect identifies Chinese targeting of two companies. Economic espionage or military intelligence?](https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/) | [Local](../../blob/master/2016/2016.10.16.A_Tale_of_Two_Targets)
* Oct 05 - [[Kaspersky] Wave your false flags](https://securelist.com/files/2016/10/Bartholomew-GuerreroSaade-VB2016.pdf) | [Local](../../blob/master/2016/2016.10.05_Wave_Your_False_flag)
* Oct 03 - [[Kaspersky] On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users](https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/) | [Local](../../blob/master/2016/2016.10.03.StrongPity)
* Sep 29 - [[NATO CCD COE] China and Cyber: Attitudes, Strategies, Organisation](https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_CHINA_092016.pdf) | [Local](../../blob/master/2016/2016.09.29.China_and_Cyber_Attitudes_Strategies_Organisation)
* Sep 28 - [[ThreatConnect] Belling the BEAR: russia-hacks-bellingcat-mh17-investigation](https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/) | [Local](../../blob/master/2016/2016.09.28.russia-hacks-bellingcat-mh17-investigation)
* Sep 26 - [[Palo Alto Networks] Sofacy's Komplex OS X Trojan](http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/) | [Local](../../blob/master/2016/2016.09.26_Sofacy_Komplex_OSX_Trojan)
* Sep 18 - [[Cyberkov] Hunting Libyan Scorpions](https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf) | [Local](../../blob/master/2016/2016.09.18.Hunting-Libyan-Scorpions)
* Sep 14 - [[Palo Alto Networks] MILE TEA: Cyber Espionage Campaign Targets Asia Pacific Businesses and Government Agencies](http://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/) | [Local](../../blob/master/2016/2016.09.14.MILE_TEA)
* Sep 06 - [[Symantec] Buckeye cyberespionage group shifts gaze from US to Hong Kong](http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong) | [Local](../../blob/master/2016/2016.09.06.buckeye-cyberespionage-group-shifts-gaze-us-hong-kong)
* Sep 01 - [[IRAN THREATS] MALWARE POSING AS HUMAN RIGHTS ORGANIZATIONS AND COMMERCIAL SOFTWARE TARGETING IRANIANS, FOREIGN POLICY INSTITUTIONS AND MIDDLE EASTERN COUNTRIES](https://iranthreats.github.io/resources/human-rights-impersonation-malware/) | [Local](../../blob/master/2016/2016.09.01.human-rights-impersonation-malware)
* Aug 25 - [[Lookout] Technical Analysis of Pegasus Spyware](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf) | [Local](../../blob/master/2016/2016.08.25.lookout-pegasus-technical-analysis)
* Aug 24 - [[Citizen Lab] The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/) | [Local](../../blob/master/2016/2016.08.24.million-dollar-dissident-iphone-zero-day-nso-group-uae)
* Aug 19 - [[ThreatConnect] Russian Cyber Operations on Steroids](https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/) | [Local](../../blob/master/2016/2016.08.19.fancy-bear-anti-doping-agency-phishing)
* Aug 17 - [[Kaspersky] Operation Ghoul: targeted attacks on industrial and engineering organizations](https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/) | [Local](../../blob/master/2016/2016.08.17_operation-ghoul)
* Aug 16 - [[Palo Alto Networks] Aveo Malware Family Targets Japanese Speaking Users](http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/) | [Local](../../blob/master/2016/2016.08.16.aveo-malware-family-targets-japanese)
* Aug 11 - [[IRAN THREATS] Iran and the Soft War for Internet Dominance](https://iranthreats.github.io/us-16-Guarnieri-Anderson-Iran-And-The-Soft-War-For-Internet-Dominance-paper.pdf) | [Local](../../blob/master/2016/2016.08.11.Iran-And-The-Soft-War-For-Internet-Dominance)
* Aug 08 - [[Forcepoint] MONSOON](https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign) | [Local](../../blob/master/2016/2016.08.08.monsoon-analysis-apt-campaign)
* Aug 08 - [[Kaspersky] ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms](https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/) | [Local](../../blob/master/2016/2016.08.08.ProjectSauron)
* Aug 07 - [[Symantec] Strider: Cyberespionage group turns eye of Sauron on targets](http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets) | [Local](../../blob/master/2016/2016.08.07.Strider_Cyberespionage_group_turns_eye_of_Sauron_on_targets)
* Aug 04 - [[Recorded Future] Running for Office: Russian APT Toolkits Revealed](https://www.recordedfuture.com/russian-apt-toolkits/) | [Local](../../blob/master/2016/2016.08.04.russian-apt-toolkits)
* Aug 03 - [[EFF] Operation Manul: I Got a Letter From the Government the Other Day...Unveiling a Campaign of Intimidation, Kidnapping, and Malware in Kazakhstan](https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf) | [Local](../../blob/master/2016/2016.08.03.i-got-a-letter-from-the-government)
* Aug 02 - [[Citizen Lab] Group5: Syria and the Iranian Connection](https://citizenlab.org/2016/08/group5-syria/) | [Local](../../blob/master/2016/2016.08.02.group5-syria)
* Jul 28 - [[ICIT] China's Espionage Dynasty](http://icitech.org/wp-content/uploads/2016/07/ICIT-Brief-China-Espionage-Dynasty.pdf) | [Local](../../blob/master/2016/2016.07.28.China_Espionage_Dynasty)
* Jul 26 - [[Palo Alto Networks] Attack Delivers 9002 Trojan Through Google Drive](http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/) | [Local](../../blob/master/2016/2016.07.26.Attack_Delivers_9002_Trojan_Through_Google_Drive)
* Jul 21 - [[360] Sphinx (APT-C-15) Targeted cyber-attack in the Middle East](https://ti.360.com/upload/report/file/rmsxden20160721.pdf) | [Local](../../blob/master/2016/2016.07.21.Sphinx_Targeted_cyber-attack_in_the_Middle_East)
* Jul 21 - [[RSA] Hide and Seek: How Threat Actors Respond in the Face of Public Exposure](https://www.rsaconference.com/writable/presentations/file_upload/tta1-f04_hide-and-seek-how-threat-actors-respond-in-the-face-of-public-exposure.pdf) | [Local](../../blob/master/2016/2016.07.21.Hide_and_Seek)
* Jul 13 - [[SentinelOne] State-Sponsored SCADA Malware targeting European Energy Companies](https://sentinelone.com/blogs/sfg-furtims-parent/) | [Local](../../blob/master/2016/2016.07.13.State-Sponsored_SCADA_Malware_targeting_European_Energy_Companies)
* Jul 12 - [[F-SECURE] NanHaiShu: RATing the South China Sea](https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf) | [Local](../../blob/master/2016/2016.07.12.NanHaiShu_RATing_the_South_China_Sea)
* Jul 08 - [[Kaspersky] The Dropping Elephant - aggressive cyber-espionage in the Asian region](https://securelist.com/blog/research/75328/the-dropping-elephant-actor/) | [Local](../../blob/master/2016/2016.07.08.The_Dropping_Elephant)
* Jul 07 - [[Proofpoint] NetTraveler APT Targets Russian, European Interests](https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests) | [Local](../../blob/master/2016/2016.07.07.nettraveler-apt-targets-russian-european-interests)
* Jul 07 - [[Cymmetria] UNVEILING PATCHWORK: THE COPY-PASTE APT](https://www.cymmetria.com/wp-content/uploads/2016/07/Unveiling-Patchwork.pdf) | [Local](../../blob/master/2016/2016.07.07.UNVEILING_PATCHWORK)
* Jul 03 - [[Check Point] From HummingBad to Worse](http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf) | [Local](../../blob/master/2016/2016.07.03_From_HummingBad_to_Worse)
* Jul 01 - [[Bitdefender] Pacifier APT](http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf) | [Local](../../blob/master/2016/2016.07.01.Bitdefender_Pacifier_APT)
* Jul 01 - [[ESET] Espionage toolkit targeting Central and Eastern Europe uncovered](http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eastern-europe-uncovered/) | [Local](../../blob/master/2016/2016.07.01.SBDH_toolkit_targeting_Central_and_Eastern_Europe)
* Jun 30 - [[JPCERT] Asruex: Malware Infecting through Shortcut Files](http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html) | [Local](../../blob/master/2016/2016.06.30.Asruex)
* Jun 29 - [[Proofpoint] MONSOON ANALYSIS OF AN APT CAMPAIGN](https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf) | [Local](../../blob/master/2016/2016.06.29.MonSoon)
* Jun 28 - [[Palo Alto Networks] Prince of Persia Game Over](http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/) | [Local](../../blob/master/2016/2016.06.28.prince-of-persia-game-over)
* Jun 28 - [[JPCERT] (Japan) Attack Tool Investigation](https://www.jpcert.or.jp/research/20160628ac-ir_research.pdf) | [Local](../../blob/master/2016/2016.06.28.Attack_Tool_Investigation)
* Jun 26 - [[Trend Micro] The State of the ESILE/Lotus Blossom Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the-esilelotus-blossom-campaign/) | [Local](../../blob/master/2016/2016.06.26.The_State_of_the_ESILE_Lotus_Blossom_Campaign)
* Jun 26 - [[Cylance] Nigerian Cybercriminals Target High-Impact Industries in India via Pony](https://blog.cylance.com/threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony) | [Local](../../blob/master/2016/2016.06.26.Nigerian_Cybercriminals_Target_High_Impact_Industries_in_India)
* Jun 23 - [[Palo Alto Networks] Tracking Elirks Variants in Japan: Similarities to Previous Attacks](http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/) | [Local](../../blob/master/2016/2016.06.23.Tracking_Elirks_Variants_in_Japan)
* Jun 21 - [[Fortinet] The Curious Case of an Unknown Trojan Targeting German-Speaking Users](https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users) | [Local](../../blob/master/2016/2016.06.21.Unknown_Trojan_Targeting_German_Speaking_Users)
* Jun 21 - [[FireEye] Redline Drawn: China Recalculates Its Use of Cyber Espionage](https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-china-espionage.pdf) | [Local](../../blob/master/2016/2016.06.21.Redline_Drawn_China_Recalculates_Its_Use_of_Cyber_Espionage)
* Jun 21 - [[ESET] Visiting The Bear Den](http://www.welivesecurity.com/wp-content/uploads/2016/06/visiting_the_bear_den_recon_2016_calvet_campos_dupuy-1.pdf) | [Local](../../blob/master/2016/2016.06.21.visiting_the_bear_den_recon_2016_calvet_campos_dupuy)
* Jun 16 - [[Dell] Threat Group-4127 Targets Hillary Clinton Presidential Campaign](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) | [Local](../../blob/master/2016/2016.06.16.DNC)
* Jun 15 - [[CrowdStrike] Bears in the Midst: Intrusion into the Democratic National Committee](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) | [Local](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 09 - [[Clearsky] Operation DustySky Part 2](http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf) | [Local](../../blob/master/2016/2016.06.09.Operation_DustySky_II/)
* Jun 02 - [[Trend Micro] FastPOS: Quick and Easy Credit Card Theft](http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf) | [Local](../../blob/master/2016/2016.06.02.fastpos-quick-and-easy-credit-card-theft/)
* May 27 - [[Trend Micro] IXESHE Derivative IHEATE Targets Users in America](http://blog.trendmicro.com/trendlabs-security-intelligence/ixeshe-derivative-iheate-targets-users-america/) | [Local](../../blob/master/2016/2016.05.27.IXESHE_Derivative_IHEATE_Targets_Users_in_America/)
* May 26 - [[Palo Alto Networks] The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) | [Local](../../blob/master/2016/2016.05.26.OilRig_Campaign/)
* May 25 - [[Kaspersky] CVE-2015-2545: overview of current threats](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/) | [Local](../../blob/master/2016/2016.05.25.CVE-2015-2545/)
* May 24 - [[Palo Alto Networks] New Wekby Attacks Use DNS Requests As Command and Control Mechanism](http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/) | [Local](../../blob/master/2016/2016.05.24.New_Wekby_Attacks)
* May 23 - [[MELANI:GovCERT] APT Case RUAG Technical Report](https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf) | [Local](../../blob/master/2016/2016.05.23.APT_Case_RUAG)
* May 22 - [[FireEye] TARGETED ATTACKS AGAINST BANKS IN THE MIDDLE EAST](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) | [Local](../../blob/master/2016/2016.05.22.Targeted_Attacks_Against_Banks_in_Middle_East)
* May 22 - [[Palo Alto Networks] Operation Ke3chang Resurfaces With New TidePool Malware](http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/) | [Local](../../blob/master/2016/2016.05.22.Operation_Ke3chang_Resurfaces_With_New_TidePool_Malware/)
* May 18 - [[ESET] Operation Groundbait: Analysis of a surveillance toolkit](http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf) | [Local](../../blob/master/2016/2016.05.18.Operation_Groundbait/)
* May 17 - [[FOX-IT] Mofang: A politically motivated information stealing adversary](https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf) | [Local](../../blob/master/2016/2016.05.17.Mofang)
* May 17 - [[Symantec] Indian organizations targeted in Suckfly attacks](http://www.symantec.com/connect/ko/blogs/indian-organizations-targeted-suckfly-attacks) | [Local](../../blob/master/2016/2016.05.17.Indian_organizations_targeted_in_Suckfly_attacks/)
* May 10 - [[Trend Micro] Backdoor as a Software Suite: How TinyLoader Distributes and Upgrades PoS Threats](http://blog.trendmicro.com/trendlabs-security-intelligence/how-tinyloader-distributes-and-upgrades-pos-threats/) | [paper](http://documents.trendmicro.com/assets/tinypos-abaddonpos-ties-to-tinyloader.pdf) | [Local](../../blob/master/2016/2016.05.10.tinyPOS_tinyloader/)
* May 09 - [[CMU SEI] Using Honeynets and the Diamond Model for ICS Threat Analysis](http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454247.pdf) | [Local](../../blob/master/2016/2016.05.09_ICS_Threat_Analysis/)
* May 06 - [[PwC] Exploring CVE-2015-2545 and its users](http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html) | [Local](../../blob/master/2016/2016.05.06_Exploring_CVE-2015-2545/)
* May 05 - [[Forcepoint] Jaku: an on-going botnet campaign](https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf) | [Local](../../blob/master/2016/2016.05.05_Jaku_botnet_campaign/)
* May 02 - [[Team Cymru] GOZNYM MALWARE target US, AT, DE](https://blog.team-cymru.org/2016/05/goznym-malware/) | [Local](../../blob/master/2016/2016.05.02.GOZNYM_MALWARE)
* May 02 - [[Palo Alto Networks] Prince of Persia: Infy Malware Active In Decade of Targeted Attacks](http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/) | [Local](../../blob/master/2016/2016.05.02.Prince_of_Persia_Infy_Malware/)
* Apr 27 - [[Kaspersky] Repackaging Open Source BeEF for Tracking and More](https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/) | [Local](../../blob/master/2016/2016.04.27.Repackaging_Open_Source_BeEF)
* Apr 26 - [[Financial Times] Cyber warfare: Iran opens a new front](http://www.ft.com/intl/cms/s/0/15e1acf0-0a47-11e6-b0f1-61f222853ff3.html#axzz478cZz3ao) | [Local](../../blob/master/2016/2016.04.26.Iran_Opens_a_New_Front/)
* Apr 26 - [[Arbor] New Poison Ivy Activity Targeting Myanmar, Asian Countries](https://www.arbornetworks.com/blog/asert/recent-poison-iv/) | [Local](../../blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/)
* Apr 22 - [[Cylance] The Ghost Dragon](https://blog.cylance.com/the-ghost-dragon) | [Local](../../blob/master/2016/2016.04.22.the-ghost-dragon)
* Apr 21 - [[SentinelOne] Teaching an old RAT new tricks](https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/) | [Local](../../blob/master/2016/2016.04.21.Teaching_an_old_RAT_new_tricks/)
* Apr 21 - [[Palo Alto Networks] New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists](http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/) | [Local](../../blob/master/2016/2016.04.21.New_Poison_Ivy_RAT_Variant_Targets_Hong_Kong/)
* Apr 18 - [[Citizen Lab] Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns](https://citizenlab.org/2016/04/between-hong-kong-and-burma/) | [Local](../../blob/master/2016/2016.04.18.UP007/)
* Apr 15 - [[SANS] Detecting and Responding to Pandas and Bears](http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf) | [Local](../../blob/master/2016/2016.04.15.pandas_and_bears/)
* Apr 12 - [[Microsoft] PLATINUM: Targeted attacks in South and Southeast Asia](http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf) | [Local](../../blob/master/2016/2016.04.12.PLATINUM_Targeted_attacks_in_South_and_Southeast_Asia/)
* Mar 25 - [[Palo Alto Networks] ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe](http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/?utm_medium=email&utm_source=Adobe%20Campaign&utm_campaign=Unit%2042%20Blog%20Updates%2031Mar16) | [Local](../../blob/master/2016/2016.03.25.ProjectM/)
* Mar 23 - [[Trend Micro] Operation C-Major: Information Theft Campaign Targets Military Personnel in India](http://blog.trendmicro.com/trendlabs-security-intelligence/indian-military-personnel-targeted-by-information-theft-campaign/) | [Local](../../blob/master/2016/2016.03.23.Operation_C_Major/)
* Mar 18 - [[SANS] Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf) | [Local](../../blob/master/2016/2016.03.18.Analysis_of_the_Cyber_Attack_on_the_Ukrainian_Power_Grid/)
* Mar 17 - [[PwC] Taiwan Presidential Election: A Case Study on Thematic Targeting](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html) | [Local](../../blob/master/2016/2016.03.17.Taiwan-election-targetting/)
* Mar 15 - [[Symantec] Suckfly: Revealing the secret life of your code signing certificates](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates) | [Local](../../blob/master/2016/2016.03.15.Suckfly)
* Mar 14 - [[Proofpoint] Bank robbery in progress: New attacks from Carbanak group target banks in Middle East and US](https://www.proofpoint.com/us/threat-insight/post/carbanak-cybercrime-group-targets-executives-of-financial-organizations-in-middle-east) | [Local](../../blob/master/2016/2016.03.14.Carbanak_cybercrime_group)
* Mar 10 - [[Citizen Lab] Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans](https://citizenlab.org/2016/03/shifting-tactics/) | [Local](../../blob/master/2016/2016.03.10.shifting-tactics)
* Mar 09 - [[FireEye] LESSONS FROM OPERATION RUSSIANDOLL](https://www.fireeye.com/blog/threat-research/2016/03/lessons-from-operation-russian-doll.html) | [Local](../../blob/master/2016/2016.03.09.Operation_RussianDoll)
* Mar 08 - [[360] Operation OnionDog: A 3 Year Old APT Focused On the Energy and Transportation Industries in Korean-language Countries](http://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html) | [Local](../../blob/master/2016/2016.03.08.OnionDog)
* Mar 03 - [[Recorded Future] Shedding Light on BlackEnergy With Open Source Intelligence](https://www.recordedfuture.com/blackenergy-malware-analysis/) | [Local](../../blob/master/2016/2016.03.03.Shedding_Light_BlackEnergy)
* Mar 01 - [[Proofpoint] Operation Transparent Tribe - APT Targeting Indian Diplomatic and Military Interests](https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe) | [Local](../../blob/master/2016/2016.03.01.Operation_Transparent_Tribe/)
* Feb 29 - [[Fidelis] The Turbo Campaign, Featuring Derusbi for 64-bit Linux](https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602_0.pdf) | [Local](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 24 - [[NOVETTA] Operation Blockbuster](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) | [Local](../../blob/master/2016/2016.02.24.Operation_Blockbuster)
* Feb 23 - [[Cylance] OPERATION DUST STORM](https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456355696065) | [Local](../../blob/master/2016/2016.02.23.Operation_Dust_Storm)
* Feb 12 - [[Palo Alto Networks] A Look Into Fysbis: Sofacy's Linux Backdoor](http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/) | [Local](../../blob/master/2016/2016.02.12.Fysbis_Sofacy_Linux_Backdoor)
* Feb 11 - [[Recorded Future] Hacktivism: India vs. Pakistan](https://www.recordedfuture.com/india-pakistan-cyber-rivalry/) | [Local](../../blob/master/2016/2016.02.11.Hacktivism_India_vs_Pakistan)
* Feb 09 - [[Kaspersky] Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage](https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/) | [Local](../../blob/master/2016/2016.02.09_Poseidon_APT_Boutique)
* Feb 08 - [[ICIT] Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups](http://icitech.org/know-your-enemies-2-0/) | [Local](../../blob/master/2016/2016.02.08.Know_Your_Enemies_2.0)
* Feb 04 - [[Palo Alto Networks] T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques](http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/) | [Local](../../blob/master/2016/2016.02.04_PaloAlto_T9000-Advanced-Modular-Backdoor)
* Feb 03 - [[Palo Alto Networks] Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [Local](../../blob/master/2016.02.03.Emissary_Trojan_Changelog)
* Feb 01 - [[Sucuri] Massive Admedia/Adverting iFrame Infection](https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html) | [Local](../../blob/master/2016/2016.02.01.Massive_Admedia_Adverting_iFrame_Infection)
* Feb 01 - [[IBM] Organized Cybercrime Big in Japan: URLZone Now on the Scene](https://securityintelligence.com/organized-cybercrime-big-in-japan-urlzone-now-on-the-scene/) | [Local](../../blob/master/2016/2016.02.01.URLzone_Team)
* Jan 29 - [[F5] Tinbapore: Millions of Dollars at Risk](https://devcentral.f5.com/d/tinbapore-millions-of-dollars-at-risk?download=true) | [Local](../../blob/master/2016/2016.01.29.Tinbapore_Attack)
* Jan 29 - [[Zscaler] Malicious Office files dropping Kasidet and Dridex](http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html) | [Local](../../blob/master/2016/2016.01.29.Malicious_Office_files_dropping_Kasidet_and_Dridex)
* Jan 28 - [[Kaspersky] BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents](https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/) | [Local](../../blob/master/2016/2016.01.28.BlackEnergy_APT)
* Jan 27 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [Local](../../blob/master/2016/2016.01.27.Hi-Zor.RAT)
* Jan 26 - [[SentinelOne] Analyzing a New Variant of BlackEnergy 3](https://www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf) | [Local](../../blob/master/2016/2016.01.26.BlackEnergy3)
* Jan 24 - [[Palo Alto Networks] Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists](http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/) | [Local](../../blob/master/2016/2016.01.24_Scarlet_Minic)
* Jan 21 - [[Palo Alto Networks] NetTraveler Spear-Phishing Email Targets Diplomat of Uzbekistan](http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/) | [Local](../../blob/master/2016/2016.01.21.NetTraveler_Uzbekistan)
* Jan 19 - [[360] 2015 APT Annual Report](https://ti.360.com/upload/report/file/2015.APT.Annual_Report.pdf) | [Local](../../blob/master/2016/2016.01.19.360_APT_Report)
* Jan 14 - [[CISCO] RESEARCH SPOTLIGHT: NEEDLES IN A HAYSTACK](http://blog.talosintel.com/2016/01/haystack.html#more) | [Local](../../blob/master/2016/2016.01.14_Cisco_Needles_in_a_Haystack)
* Jan 14 - [[Symantec] The Waterbug attack group](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [Local](../../blob/master/2016/2016.01.14.The.Waterbug.Attack.Group/)
* Jan 07 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf) | [Local](../../blob/master/2016/2016.01.07.Operation_DustySky)
* Jan 07 - [[CISCO] RIGGING COMPROMISE - RIG EXPLOIT KIT](http://blog.talosintel.com/2016/01/rigging-compromise.html) | [Local](../../blob/master/2016/2016.01.07.rigging-compromise)
* Jan 03 - [[ESET] BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) | [Local](../../blob/master/2016/2016.01.03.BlackEnergy_Ukrainian)
## 2015
* Dec 23 - [[PwC] ELISE: Security Through Obesity](http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html) | [Local](../../blob/master/2015/2015.12.13.ELISE)
* Dec 22 - [[Palo Alto Networks] BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger](http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/) | [Local](../../blob/master/2015/2015.12.22.BBSRAT_Roaming_Tiger)
* Dec 20 - [[FireEye] The EPS Awakens - Part 2](https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html) | [Local](../../blob/master/2015/2015.12.20.EPS_Awakens_Part_II)
* Dec 18 - [[Palo Alto Networks] Attack on French Diplomat Linked to Operation Lotus Blossom](http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/) | [Local](../../blob/master/2015/2015.12.18.Attack_on_Frence_Diplomat_Linked_To_Operation_Lotus_Blossom)
* Dec 16 - [[Bitdefender] APT28 Under the Scope - A Journey into Exfiltrating Intelligence and Government Information](http://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf) | [Local](../../blob/master/2015/2015.12.17.APT28_Under_The_Scope)
* Dec 16 - [[Trend Micro] Operation Black Atlas, Part 2: Tools and Malware Used and How to Detect Them](http://documents.trendmicro.com/assets/Operation_Black%20Atlas_Technical_Brief.pdf) | [Local](../../blob/master/2015/2015.12.16.INOCNATION.Campaign) <a style="background-color: #207de5; color: #fff;">Financial</a>
* Dec 16 - [[Fidelis] Dissecting the Malware Involved in the INOCNATION Campaign](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [Local](../../blob/master/2015/2015.12.16.INOCNATION.Campaign)
* Dec 15 - [[AirBus] Newcomers in the Derusbi family](http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family) | [Local](../../blob/master/2015/2015.12.15.Newcomers_in_the_Derusbi_family)
* Dec 08 - [[Citizen Lab] Packrat: Seven Years of a South American Threat Actor](https://citizenlab.org/2015/12/packrat-report/) | [Local](../../blob/master/2015/2015.12.08.Packrat)
* Dec 07 - [[FireEye] Financial Threat Group Targets Volume Boot Record](https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html) | [Local](../../blob/master/2015/2015.12.07.Thriving_Beyond_The_Operating_System)
* Dec 07 - [[Symantec] Iran-based attackers use back door threats to spy on Middle Eastern targets](http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) | [Local](../../blob/master/2015/2015.12.07.Iran-based)
* Dec 04 - [[Kaspersky] Sofacy APT hits high profile targets with updated toolset](https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/) | [Local](../../blob/master/2015/2015.12.04.Sofacy_APT)
* Dec 01 - [[FireEye] China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html) | [Local](../../blob/master/2015/2015.12.01.China-based_Cyber_Threat_Group_Uses_Dropbox_for_Malware_Communications_and_Targets_Hong_Kong_Media_Outlets)
* Nov 30 - [[FOX-IT] Ponmocup - A giant hiding in the shadows](https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf) | [Local](../../blob/master/2015/2015.11.30.Ponmocup)
* Nov 24 - [[Palo Alto Networks] Attack Campaign on the Government of Thailand Delivers Bookworm Trojan](http://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/) | [Local](../../blob/master/2015/2015.11.24.Attack_Campaign_on_the_Government_of_Thailand_Delivers_Bookworm_Trojan)
* Nov 23 - [[Minerva Labs, ClearSky] CopyKittens Attack Group](https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf) | [Local](../../blob/master/2015/2015.11.23.CopyKittens_Attack_Group)
* Nov 23 - [[RSA] PEERING INTO GLASSRAT](https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf) | [Local](../../blob/master/2015/2015.11.23.PEERING_INTO_GLASSRAT)
* Nov 23 - [[Trend Micro] Prototype Nation: The Chinese Cybercriminal Underground in 2015](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/prototype-nation-the-chinese-cybercriminal-underground-in-2015/?utm_source=siblog&utm_medium=referral&amp;utm_campaign=2015-cn-ug) | [Local](../../blob/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015)
* Nov 19 - [[Kaspersky] Russian financial cybercrime: how it works](https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/) | [Local](../../blob/master/2015/2015.11.18.Russian_financial_cybercrime_how_it_works)
* Nov 19 - [[JPCERT] Decrypting Strings in Emdivi](http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html) | [Local](../../blob/master/2015/2015.11.19.decrypting-strings-in-emdivi)
* Nov 18 - [[Palo Alto Networks] TDrop2 Attacks Suggest Dark Seoul Attackers Return](http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/) | [Local](../../blob/master/2015/2015.11.18.tdrop2)
* Nov 18 - [[CrowdStrike] Sakula Reloaded](http://blog.crowdstrike.com/sakula-reloaded/) | [Local](../../blob/master/2015/2015.11.18.Sakula_Reloaded)
* Nov 18 - [[Damballa] Damballa discovers new toolset linked to Destover Attacker's arsenal helps them to broaden attack surface](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.18.Destover/amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface.pdf) | [Local](../../blob/master/2015/2015.11.18.Destover)
* Nov 16 - [[FireEye] WitchCoven: Exploiting Web Analytics to Ensnare Victims](https://www2.fireeye.com/threat-intel-report-WITCHCOVEN.html) | [Local](../../blob/master/2015/2015.11.17.Pinpointing_Targets_Exploiting_Web_Analytics_to_Ensnare_Victims)
* Nov 10 - [[Palo Alto Networks] Bookworm Trojan: A Model of Modular Architecture](http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/) | [Local](../../blob/master/2015/2015.11.10.bookworm-trojan-a-model-of-modular-architecture)
* Nov 09 - [[Check Point] Rocket Kitten: A Campaign With 9 Lives](http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf) | [Local](../../blob/master/2015/2015.11.09.Rocket_Kitten_A_Campaign_With_9_Lives)
* Nov 04 - [[RSA] Evolving Threats: dissection of a CyberEspionage attack](http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf) | [Local](../../blob/master/2015/2015.11.04_Evolving_Threats)
* Oct 16 - [[Citizen Lab] Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/) | [IOC](https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36/) | [Local](../../blob/master/2015/2015.10.targeted-attacks-ngo-burma.pdf)
* Oct 15 - [[Citizen Lab] Pay No Attention to the Server Behind the Proxy: Mapping FinFisher's Continuing Proliferation](https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/) | [Local](../../blob/master/2015/Mapping%20FinFisher%E2%80%99s%20Continuing%20Proliferation.pdf)
* Oct 05 - [[Recorded Future] Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy](http://go.recordedfuture.com/hubfs/reports/threat-identification.pdf) | [Local](../../blob/master/2015/2015.10.05.Proactive_Threat_Identification)
* Oct 03 - [[Cybereason] Webmail Server APT: A New Persistent Attack Methodology Targeting Microsoft Outlook Web Application (OWA)](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf) | [Local](../../blob/master/2015/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf)
* Sep 23 - [[ThreatConnect] PROJECT CAMERASHY: CLOSING THE APERTURE ON CHINA'S UNIT 78020](https://www.threatconnect.com/camerashy-intro/) | [PDF](https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) | [Local](../../blob/master/2015/2015.09.23.CAMERASHY_ThreatConnect)
* Sep 17 - [[F-SECURE] The Dukes: 7 Years of Russian Cyber Espionage](https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/) | [PDF](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf) | [Local](../../blob/master/2015/2015.09.17.duke_russian)
* Sep 16 - [[Proofpoint] The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK](https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows) | [Local](../../blob/master/2015/2015.09.16.The-Shadow-Knows)
* Sep 16 - [[Trend Micro] Operation Iron Tiger: How China-Based Actors Shifted Attacks from APAC to US Targets](http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states) | [IOC](https://otx.alienvault.com/pulse/55f9910967db8c6fb35179bd/) | [Local](../../blob/master/2015/2015.09.17.Operation_Iron_Tiger)
* Sep 15 - [[Proofpoint] In Pursuit of Optical Fibers and Troop Intel: Targeted Attack Distributes PlugX in Russia](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) | [Local](../../blob/master/2015/2015.09.15.PlugX_in_Russia)
* Sep 09 - [[Kaspersky] Satellite Turla: APT Command and Control in the Sky](https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/) | [Local](../../blob/master/2015/2015.09.09.satellite-turla-apt)
* Sep 08 - [[Palo Alto Networks] Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware](http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/) | [Local](../../blob/master/2015/2015.09.08.Musical_Chairs_Gh0st_Malware)
* Sep 01 - [[Trend Micro, Clearsky] The Spy Kittens Are Back: Rocket Kitten 2](http://www.trendmicro.tw/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) | [PDF](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf) | [Local](../../blob/master/2015/2015.09.01.Rocket_Kitten_2)
* Aug 20 - [[Arbor] PlugX Threat Activity in Myanmar](http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf) | [Local](../../blob/master/2015/Sep.01.PlugX_Threat_Activity_in_Myanmar)
* Aug 20 - [[Kaspersky] New activity of the Blue Termite APT](https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/) | [Local](../../blob/master/2015/2015.08.20.new-activity-of-the-blue-termite-apt)
* Aug 19 - [[Symantec] New Internet Explorer zero-day exploited in Hong Kong attacks](http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks) | [Local](../../blob/master/2015/2015.08.19.new-internet-explorer-zero-day-exploited-hong-kong-attacks)
* Aug 10 - [[ShadowServer] The Italian Connection: An analysis of exploit supply chains and digital quartermasters](http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exploit-supply-chains-and-digital-quartermasters/) | [Local](../../blob/master/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters)
* Aug 08 - [[cyint.dude] Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign](http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended-plugx-campaign/) | [Local](../../blob/master/2015/Aug.08.Threat_Analysis\:Poison_Ivy_and_Links_to_an_Extended_PlugX_Campaign)
* Aug 05 - [[Dell] Threat Group-3390 Targets Organizations for Cyberespionage](http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/) | [Local](../../blob/master/2015/Aug.05.Threat_Group-3390_Targets_Organizations_for_Cyberespionage)
* Aug 04 - [[RSA] Terracotta VPN: Enabler of Advanced Threat Anonymity](https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/) | [Local](../../blob/master/2015/2015.08.04.Terracotta_VPN)
* Jul 30 - [[ESET] Operation Potao Express](http://www.welivesecurity.com/2015/07/30/operation-potao-express/) | [IOC](https://github.com/eset/malware-ioc/tree/master/potao) | [Local](../../blob/master/2015/2015.07.30.Operation-Potao-Express)
* Jul 28 - [[Symantec] Black Vine: Formidable cyberespionage group targeted aerospace, healthcare since 2012](http://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012) | [Local](../../blob/master/2015/2015.07.28.Black_Vine)
* Jul 27 - [[FireEye] HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group](https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html) | [Local](../../blob/master/2015/2015.07.27.HAMMERTOSS)
* Jul 22 - [[F-SECURE] Duke APT group's latest tools: cloud services and Linux support](https://www.f-secure.com/weblog/archives/00002822.html) | [Local](../../blob/master/2015/2015.07.22.Duke_APT_groups_latest_tools)
* Jul 20 - [[ThreatConnect] China Hacks the Peace Palace: All Your EEZs Are Belong to Us](http://www.threatconnect.com/news/china-hacks-the-peace-palace-all-your-eezs-are-belong-to-us/) | [Local](../../blob/master/2015/2015.07.20.China_Peace_Palace)
* Jul 20 - [[Palo Alto Networks] Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor](http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/) | [Local](../../blob/master/2015/2015.07.20.IsSpace_Backdoor)
* Jul 14 - [[Palo Alto Networks] Tracking MiniDionis: CozyCar's New Ride Is Related to Seaduke](http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/) | [Local](../../blob/master/2015/2015.07.14.tracking-minidionis-cozycars)
* Jul 14 - [[Trend Micro] An In-Depth Look at How Pawn Storm's Java Zero-Day Was Used](http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/) | [Local](../../blob/master/2015/2015.07.14.How_Pawn_Storm_Java_Zero-Day_Was_Used)
* Jul 13 - [[Symantec] "Forkmeiamfamous": Seaduke, latest weapon in the Duke armory](http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest-weapon-duke-armory) | [Local](../../blob/master/2015/2015.07.13.Forkmeiamfamous)
* Jul 13 - [[FireEye] Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability CVE-2015-5119 Following Hacking Team Leak](https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html) | [Local](../../blob/master/2015/2015.07.13.Demonstrating_Hustle)
* Jul 10 - [[Palo Alto Networks] APT Group UPS Targets US Government with Hacking Team Flash Exploit](http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team-flash-exploit/) | [Local](../../blob/master/2015/2015.07.10.APT_Group_UPS_Targets_US_Government)
* Jul 09 - [[Symantec] Butterfly: Corporate spies out for financial gain](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf) | [Local](../../blob/master/2015/2015.07.09.Butterfly)
* Jul 08 - [[Kaspersky] Wild Neutron - Economic espionage threat actor returns with new tricks](https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/) | [Local](../../blob/master/2015/2015.07.08.Wild_Neutron)
* Jul 08 - [[Volexity] APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)](http://www.volexity.com/blog/?p=158) | [Local](../../blob/master/2015/2015.07.08.APT_CVE-2015-5119)
* Jun 30 - [[ESET] Dino - the latest spying malware from an allegedly French espionage group analyzed](http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed) | [Local](../../blob/master/2015/2015.06.30.dino-spying-malware-analyzed)
* Jun 28 - [[Dragon Threat Labs] APT on Taiwan - insight into advances of adversary TTPs](http://blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html) | [Local](../../blob/master/2015/2015.06.28.APT_on_Taiwan)
* Jun 26 - [[FireEye] Operation Clandestine Wolf - Adobe Flash Zero-Day in APT3 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) | [Local](../../blob/master/2015/2015.06.26.operation-clandestine-wolf)
* Jun 24 - [[PwC] UnFIN4ished Business (FIN4)](http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html) | [Local](../../blob/master/2015/2015.06.24.unfin4ished-business)
* Jun 22 - [[Kaspersky] Winnti targeting pharmaceutical companies](https://securelist.com/blog/research/70991/games-are-over/) | [Local](../../blob/master/2015/2015.06.22.Winnti_targeting_pharmaceutical_companies)
* Jun 16 - [[Palo Alto Networks] Operation Lotus Blossom](https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html) | [Local](../../blob/master/2015/2015.06.16.operation-lotus-blossom)
* Jun 15 - [Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114](https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/)
* Jun 12 - [Afghan Government Compromise: Browser Beware](http://www.volexity.com/blog/?p=134)
* Jun 10 - [The Mystery of Duqu 2.0](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf) | [IOC](https://securelist.com/files/2015/06/7c6ce6b6-fee1-4b7b-b5b5-adaff0d8022f.ioc) | [Yara](https://securelist.com/files/2015/06/Duqu_2_Yara_rules.pdf)
* Jun 10 - [Crysys Lab - Duqu 2.0](http://blog.crysys.hu/2015/06/duqu-2-0/)
* Jun 09 - [Duqu 2.0 Win32k Exploit Analysis](https://www.virusbtn.com/pdf/conference_slides/2015/OhFlorio-VB2015.pdf)
* Jun 04 - [Blue Termite targeting Japan (CloudyOmega)](http://internet.watch.impress.co.jp/docs/news/20150604_705541.html)
* Jun 03 - [Thamar Reservoir](http://www.clearskysec.com/thamar-reservoir/)
* May 29 - [OceanLotusReport](http://blogs.360.cn/blog/oceanlotus-apt/)
* May 28 - [Grabit and the RATs](https://securelist.com/blog/research/70087/grabit-and-the-rats/)
* May 27 - [Analysis On Apt-To-Be Attack That Focusing On China's Government Agency](http://www.antiy.net/p/analysis-on-apt-to-be-attack-that-focusing-on-chinas-government-agency/)
* May 27 - [BlackEnergy 3 Exfiltration of Data in ICS Networks](http://cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf) | [Local](../../blob/master/2015/2015.05.27.BlackEnergy3)
* May 26 - [Dissecting Linux/Moose](http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf)
* May 21 - [The Naikon APT and the MsnMM Campaigns](https://securelist.com/blog/research/70029/the-naikon-apt-and-the-msnmm-campaigns/)
* May 19 - [Operation 'Oil Tanker'](http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf)
* May 18 - [Cmstar Downloader: Lurid and Enfal's New Cousin](http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/)
* May 14 - [Operation Tropic Trooper](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-tropic-trooper-old-vulnerabilities-still-pack-a-punch/)
* May 14 - [The Naikon APT](https://securelist.com/analysis/publications/69953/the-naikon-apt/)
* May 13 - [SPEAR: A Threat Actor Resurfaces](http://blog.cylance.com/spear-a-threat-actor-resurfaces)
* May 12 - [root9B Uncovers Planned Sofacy Cyber Attack Targeting Several International and Domestic Financial Institutions](http://www.prnewswire.com/news-releases/root9b-uncovers-planned-sofacy-cyber-attack-targeting-several-international-and-domestic-financial-institutions-300081634.html)
* May 07 - [Dissecting the Kraken](https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html)
* May 05 - [Targeted attack on France's TV5Monde](http://global.ahnlab.com/global/upload/download/documents/1506306551185339.pdf) | [Local](../../blob/master/2015/2015.05.05.Targeted_attack_on_France_TV5Monde)
* Apr 27 - [Attacks against Israeli & Palestinian interests](http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html)
* Apr 22 - [CozyDuke](https://www.f-secure.com/documents/996508/1030745/CozyDuke)
* Apr 21 - [The CozyDuke APT](http://securelist.com/blog/69731/the-cozyduke-apt)
* Apr 20 - [Sofacy II - Same Sofacy, Different Day](http://pwc.blogs.com/cyber_security_updates/2015/04/the-sofacy-plot-thickens.html)
* Apr 18 - [Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack](https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html)
* Apr 16 - [Operation Pawn Storm Ramps Up its Activities; Targets NATO, White House](http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-ramps-up-its-activities-targets-nato-white-house)
* Apr 15 - [The Chronicles of the Hellsing APT: the Empire Strikes Back](http://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/)
* Apr 12 - [APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation](https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html)
* Mar 31 - [Volatile Cedar - Analysis of a Global Cyber Espionage Campaign](http://blog.checkpoint.com/2015/03/31/volatilecedar/)
* Mar 19 - [Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing)
* Mar 11 - [Inside the EquationDrug Espionage Platform](http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/)
* Mar 10 - [Tibetan Uprising Day Malware Attacks](https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/)
* Mar 06 - [Is Babar a Bunny?](https://www.f-secure.com/weblog/archives/00002794.html)
* Mar 06 - [Animals in the APT Farm](http://securelist.com/blog/research/69114/animals-in-the-apt-farm/)
* Mar 05 - [Casper Malware: After Babar and Bunny, Another Espionage Cartoon](http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon)
* Feb 24 - [A deeper look into Scanbox](http://pwc.blogs.com/cyber_security_updates/2015/02/a-deeper-look-into-scanbox.html)
* Feb 27 - [The Anthem Hack: All Roads Lead to China](http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/) | [Local](../../blob/master/2015/2015.02.27.The_Anthem_Hack_All_Roads_Lead_to_China)
* Feb 25 - [Southeast Asia: An Evolving Cyber Threat Landscape](https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf)
* Feb 25 - [PlugX goes to the registry (and India)](http://blogs.sophos.com/2015/02/25/sophoslabs-research-uncovers-new-developments-in-plugx-apt-malware/)
* Feb 18 - [[G DATA] Babar: espionage software finally found and put under the microscope](https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html) | [Local](../../blob/master/2015/2015.02.18.Babar)
* Feb 18 - [[CIRCL Luxembourg] Shooting Elephants](https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view) | [Local](../../blob/master/2015/2015.02.18.Shooting_Elephants)
* Feb 17 - [[Kaspersky] Desert Falcons APT](https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/) | [Local](../../blob/master/2015/2015.02.17.Desert_Falcons_APT)
* Feb 17 - [[Kaspersky] A Fanny Equation: "I am your father, Stuxnet"](http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/) | [Local](../../blob/master/2015/2015.02.17.A_Fanny_Equation)
* Feb 16 - [[Trend Micro] Operation Arid Viper](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-arid-viper-bypassing-the-iron-dome) | [Local](../../blob/master/2015/2015.02.16.Operation_Arid_Viper)
* Feb 16 - [[Kaspersky] The Carbanak APT](https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/) | [Local](../../blob/master/2015/2015.02.16.Carbanak.APT)
* Feb 16 - [[Kaspersky] Equation: The Death Star of Malware Galaxy](https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/) | [Local](../../blob/master/2015/2015.02.16.equation-the-death-star)
* Feb 10 - [[CrowdStrike] CrowdStrike Global Threat Intel Report for 2014](http://go.crowdstrike.com/rs/crowdstrike/images/GlobalThreatIntelReport.pdf) | [Local](../../blob/master/2015/2015.02.10.CrowdStrike_GlobalThreatIntelReport_2014)
* Feb 04 - [[Trend Micro] Pawn Storm Update: iOS Espionage App Found](http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/) | [Local](../../blob/master/2015/2015.02.04.Pawn_Storm_Update_iOS_Espionage)
* Feb 02 - [[FireEye] Behind the Syrian Conflict's Digital Frontlines](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf) | [Local](../../blob/master/2015/2015.02.02.behind-the-syria-conflict)
* Jan 29 - [[JPCERT] Analysis of PlugX Variant - P2P PlugX](http://blog.jpcert.or.jp/.s/2015/01/analysis-of-a-r-ff05.html) | [Local](../../blob/master/2015/2015.01.29.P2P_PlugX)
* Jan 29 - [[Symantec] Backdoor.Winnti attackers and Trojan.Skelky](http://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-their-closet) | [Local](../../blob/master/2015/2015.01.29.Backdoor.Winnti_attackers)
* Jan 27 - [[Kaspersky] Comparing the Regin module 50251 and the "Qwerty" keylogger](http://securelist.com/blog/research/68525/comparing-the-regin-module-50251-and-the-qwerty-keylogger/) | [Local](../../blob/master/2015/2015.01.27.QWERTY_keylog_Regin_compare)
* Jan 22 - [[Kaspersky] Regin's Hopscotch and Legspin](http://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/) | [Local](../../blob/master/2015/2015.01.22.Regin_Hopscotch_and_Legspin)
* Jan 22 - [[Symantec] Scarab attackers Russian targets](http://www.symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012) | [IOCs](http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Scarab_IOCs_January_2015.txt) | [Local](../../blob/master/2015/2015.01.22.Scarab_attackers_Russian_targets)
* Jan 22 - [[Symantec] The Waterbug attack group](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [Local](../../blob/master/2015/2015.01.22.Waterbug.group)
* Jan 20 - [[BlueCoat] Reversing the Inception APT malware](https://www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware) | [Local](../../blob/master/2015/2015.01.20.Reversing_the_Inception_APT_malware)
* Jan 20 - [[G DATA] Analysis of Project Cobra](https://blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html) | [Local](../../blob/master/2015/2015.01.20.Project_Cobra)
* Jan 15 - [[G DATA] Evolution of Agent.BTZ to ComRAT](https://blog.gdatasoftware.com/blog/article/evolution-of-sophisticated-spyware-from-agentbtz-to-comrat.html) | [Local](../../blob/master/2015/2015.01.15.Evolution_of_Agent.BTZ_to_ComRAT)
* Jan 12 - [[Dell] Skeleton Key Malware Analysis](http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/) | [Local](../../blob/master/2015/2015.01.12.skeleton-key-malware-analysis)
* Jan 11 - [[Dragon Threat Labs] Hong Kong SWC attack](http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html) | [Local](../../blob/master/2015/2015.01.11.Hong_Kong_SWC_Attack)
## 2014
* Dec 22 - [Anunak: APT against financial institutions](http://www.group-ib.com/files/Anunak_APT_against_financial_institutions.pdf)
* Dec 21 - [Operation Poisoned Helmand](http://www.threatconnect.com/news/operation-poisoned-helmand/)
* Dec 19 - [TA14-353A: Targeted Destructive Malware (wiper)](https://www.us-cert.gov/ncas/alerts/TA14-353A)
* Dec 18 - [Malware Attack Targeting Syrian ISIS Critics](https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/)
* Dec 17 - [Wiper Malware - A Detection Deep Dive](http://blogs.cisco.com/security/talos/wiper-malware)
* Dec 12 - [Bots, Machines, and the Matrix](http://www.fidelissecurity.com/sites/default/files/FTA_1014_Bots_Machines_and_the_Matrix.pdf)
* Dec 12 - [Vinself now with steganography](http://blog.cybersecurity-airbusds.com/post/2014/12/Vinself)
* Dec 10 - [South Korea MBR Wiper](http://asec.ahnlab.com/1015)
* Dec 10 - [W64/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w64_regin_stage_1.pdf)
* Dec 10 - [W32/Regin, Stage #1](https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf)
* Dec 10 - [Cloud Atlas: RedOctober APT](http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/)
* Dec 09 - [The Inception Framework](https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware)
* Dec 08 - [The 'Penquin' Turla](http://securelist.com/blog/research/67962/the-penquin-turla-2/)
* Dec 03 - [Operation Cleaver: The Notepad Files](http://blog.cylance.com/operation-cleaver-the-notepad-files) | [Local](../../blob/master//2014/2014.12.03_operation-cleaver-the-notepad-files)
* Dec 02 - [Operation Cleaver](http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf) | [IOCs](http://www.cylance.com/assets/Cleaver/cleaver.yar) | [Local](../../blob/master//2014/2014.12.02.Operation_Cleaver)
* Nov 30 - [FIN4: Stealing Insider Information for an Advantage in Stock Trading?](https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html)
* Nov 24 - [Deep Panda Uses Sakula Malware](http://blog.crowdstrike.com/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/) | [Local](../../blob/master//2014/2014.11.24.Ironman)
* Nov 24 - [TheIntercept's report on The Regin Platform](https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/)
* Nov 24 - [Kaspersky's report on The Regin Platform](http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/)
* Nov 23 - [Symantec's report on Regin](http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance)
* Nov 21 - [Operation Double Tap](https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html) | [IOCs](https://github.com/fireeye/iocs/tree/master/APT3)
* Nov 20 - [EvilBunny: Suspect #4](http://0x1338.blogspot.co.uk/2014/11/hunting-bunnies.html)
* Nov 14 - [Roaming Tiger (Slides)](http://2014.zeronights.ru/assets/files/slides/roaming_tiger_zeronights_2014.pdf)
* Nov 14 - [OnionDuke: APT Attacks Via the Tor Network](http://www.f-secure.com/weblog/archives/00002764.html)
* Nov 13 - [Operation CloudyOmega: Ichitaro 0-day targeting Japan](http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan)
* Nov 12 - [Korplug military targeted attacks: Afghanistan & Tajikistan](http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/)
* Nov 11 - [The Uroburos case - Agent.BTZ's successor, ComRAT](http://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html)
* Nov 10 - [The Darkhotel APT - A Story of Unusual Hospitality](https://securelist.com/blog/research/66779/the-darkhotel-apt/)
* Nov 03 - [Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement](http://www.fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html)
* Nov 03 - [New observations on BlackEnergy2 APT activity](https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/)
* Oct 31 - [Operation TooHash](https://blog.gdatasoftware.com/blog/article/operation-toohash-how-targeted-attacks-work.html)
* Oct 30 - [The Rotten Tomato Campaign](http://blogs.sophos.com/2014/10/30/the-rotten-tomato-campaign-new-sophoslabs-research-on-apts/)
* Oct 28 - [Group 72, Opening the ZxShell](http://blogs.cisco.com/talos/opening-zxshell/)
* Oct 28 - [APT28 - A Window Into Russia's Cyber Espionage Operations](https://www.fireeye.com/resources/pdfs/apt28.pdf)
* Oct 27 - [Micro-Targeted Malvertising via Real-time Ad Bidding](http://www.invincea.com/wp-content/uploads/2014/10/Micro-Targeted-Malvertising-WP-10-27-14-1.pdf)
* Oct 27 - [ScanBox framework - who's affected, and who's using it?](http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html)
* Oct 27 - [Full Disclosure of Havex Trojans - ICS Havex backdoors](http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans)
* Oct 24 - [LeoUncia and OrcaRat](http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat)
* Oct 23 - [Modified Tor Binaries](http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/)
* Oct 22 - [Sofacy Phishing by PWC](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf)
* Oct 22 - [Operation Pawn Storm: The Red in SEDNIT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf)
* Oct 20 - [OrcaRAT - A whale of a tale](http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html)
* Oct 14 - [Sandworm - CVE-2014-4114](http://www.isightpartners.com/2014/10/cve-2014-4114/)
* Oct 14 - [Group 72 (Axiom)](http://blogs.cisco.com/security/talos/threat-spotlight-group-72/)
* Oct 14 - [Derusbi Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf)
* Oct 14 - [Hikit Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf)
* Oct 14 - [ZoxPNG Preliminary Analysis](http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf)
* Oct 09 - [Democracy in Hong Kong Under Attack](http://www.volexity.com/blog/?p=33)
* Oct 03 - [New indicators for APT group Nitro](http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/)
* Sep 26 - [BlackEnergy & Quedagh](https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf)
* Sep 26 - [Aided Frame, Aided Direction (Sunshop Digital Quartermaster)](http://www.fireeye.com/blog/technical/2014/09/aided-frame-aided-direction-because-its-a-redirect.html)
* Sep 23 - [Ukraine and Poland Targeted by BlackEnergy (video)](https://www.youtube.com/watch?v=I77CGqQvPE4)
* Sep 19 - [Watering Hole Attacks using Poison Ivy by "th3bug" group](http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/)
* Sep 18 - [COSMICDUKE: Cosmu with a twist of MiniDuke](http://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf)
* Sep 17 - [Chinese intrusions into key defense contractors](http://www.armed-services.senate.gov/press-releases/sasc-investigation-finds-chinese-intrusions-into-key-defense-contractors)
* Sep 10 - [Operation Quantum Entanglement](http://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-entanglement.pdf)
* Sep 08 - [When Governments Hack Opponents: A Look at Actors and Technology](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-marczak.pdf) [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/marczak)
* Sep 08 - [Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf) [video](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/hardy)
* Sep 04 - [Gholee a “Protective Edge” themed spear phishing campaign](http://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/) | [Local](../../blob/master//2014/2014.09.04.Gholee)
* Sep 04 - [Forced to Adapt: XSLCmd Backdoor Now on OS X](http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html)
* Sep 03 - [Darwin's Favorite APT Group (APT12)](http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html)
* Aug 29 - [Syrian Malware Team Uses BlackWorm for Attacks](http://www.fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html)
* Aug 28 - [Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks](https://www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks)
* Aug 27 - [North Korea's cyber threat landscape](http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/388/2/HPSR%20SecurityBriefing_Episode16_NorthKorea.pdf)
* Aug 27 - [NetTraveler APT Gets a Makeover for 10th Birthday](https://securelist.com/blog/research/66272/nettraveler-apt-gets-a-makeover-for-10th-birthday/)
* Aug 25 - [Vietnam APT Campaign](http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html)
* Aug 20 - [El Machete](https://securelist.com/blog/research/66108/el-machete/)
* Aug 18 - [The Syrian Malware House of Cards](https://securelist.com/blog/research/66051/the-syrian-malware-house-of-cards/) | [Local](../../blob/master//2014/2014.08.18.Syrian_Malware_House_of_Cards)
* Aug 13 - [A Look at Targeted Attacks Through the Lense of an NGO](http://www.mpi-sws.org/~stevens/pubs/sec14.pdf) | [Local](../../blob/master//2014/2014.08.13.TargetAttack.NGO)
* Aug 12 - [New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)](http://www.fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html)
* Aug 07 - [The Epic Turla Operation Appendix](https://securelist.com/files/2014/08/KL_Epic_Turla_Technical_Appendix_20140806.pdf)
* Aug 06 - [Operation Poisoned Hurricane](http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html)
* Aug 05 - [Operation Arachnophobia](http://threatc.s3-website-us-east-1.amazonaws.com/?/arachnophobia)
* Aug 04 - [Sidewinder Targeted Attack Against Android](http://www.fireeye.com/resources/pdfs/fireeye-sidewinder-targeted-attack.pdf)
* Jul 31 - [Energetic Bear/Crouching Yeti Appendix](http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf)
* Jul 31 - [Energetic Bear/Crouching Yeti](https://kasperskycontenthub.com/securelist/files/2014/07/EB-YetiJuly2014-Public.pdf)
* Jul 20 - [Sayad (Flying Kitten) Analysis & IOCs](http://vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/)
* Jul 11 - [Pitty Tiger](https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf) | [Local](../../blob/master/2014/2014.07.11.Pitty_Tiger)
* Jul 10 - [TR-25 Analysis - Turla / Pfinet / Snake / Uroburos](http://www.circl.lu/pub/tr-25/)
* Jul 07 - [Deep Pandas, Deep in Thought: Chinese Targeting of National Security Think Tanks](http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/) | [Local](../../blob/master/2014/2014.07.07.Deep_in_Thought)
* Jun 10 - [Anatomy of the Attack: Zombie Zero](http://www.trapx.com/wp-content/uploads/2014/07/TrapX_ZOMBIE_Report_Final.pdf)
* Jun 30 - [Dragonfly: Cyberespionage Attacks Against Energy Suppliers](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf)
* Jun 20 - [Embassy of Greece Beijing](http://thegoldenmessenger.blogspot.de/2014/06/blitzanalysis-embassy-of-greece-beijing.html)
* Jun 09 - [Putter Panda](http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf)
* Jun 06 - [Illuminating The Etumbot APT Backdoor (APT12)](http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf)
* May 28 - [NewsCaster: An Iranian Threat Within Social Networks](https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/) | [Local](../../blob/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks)
* May 21 - [RAT in jar: A phishing campaign using Unrecom](http://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf)
* May 20 - [Miniduke Twitter C&C](http://www.welivesecurity.com/2014/05/20/miniduke-still-duking/)
* May 13 - [CrowdStrike's report on Flying Kitten](http://blog.crowdstrike.com/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/)
* May 13 - [Operation Saffron Rose (aka Flying Kitten)](http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf)
* Apr 26 - [CVE-2014-1776: Operation Clandestine Fox](https://www.fireeye.com/blog/threat-research/2014/05/operation-clandestine-fox-now-attacking-windows-xp-using-recently-discovered-ie-vulnerability.html)
* Mar 08 - [Russian spyware Turla](http://www.reuters.com/article/2014/03/07/us-russia-cyberespionage-insight-idUSBREA260YI20140307)
* Mar 07 - [Snake Campaign & Cyber Espionage Toolkit](http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf)
* Mar 06 - [The Siesta Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/)
* Feb 28 - [Uroburos: Highly complex espionage software with Russian roots](https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf)
* Feb 25 - [The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity](http://blog.crowdstrike.com/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/) | [Local](../../blob/master/2014/2014.02.25.The_French_Connection)
* Feb 23 - [Gathering in the Middle East, Operation STTEAM](http://www.fidelissecurity.com/sites/default/files/FTA%201012%20STTEAM%20Final.pdf)
* Feb 20 - [Mo' Shells Mo' Problems - Deep Panda Web Shells](http://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/) | [Local](../../blob/master/2014/2014.02.20.deep-panda-webshells)
* Feb 20 - [Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit](http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html)
* Feb 19 - [XtremeRAT: Nuisance or Threat?](http://www.fireeye.com/blog/technical/2014/02/xtremerat-nuisance-or-threat.html)
* Feb 19 - [The Monju Incident](http://contextis.com/resources/blog/context-threat-intelligence-monju-incident/)
* Feb 13 - [Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website](http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html)
* Feb 11 - [Unveiling "Careto" - The Masked APT](http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf)
* Jan 31 - [Intruder File Report- Sneakernet Trojan](http://www.fidelissecurity.com/sites/default/files/FTA%201011%20Follow%20UP.pdf)
* Jan 21 - [[RSA] Shell_Crew (Deep Panda)](http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf) | [Local](../../blob/master/2014/2014.01.21.Shell_Crew)
* Jan 15 - [New CDTO: A Sneakernet Trojan Solution](http://www.fidelissecurity.com/sites/default/files/FTA%201001%20FINAL%201.15.14.pdf)
* Jan 14 - [The Icefog APT Hits US Targets With Java Backdoor](https://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor)
* Jan 13 - [Targeted attacks against the Energy Sector](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf)
* Jan 06 - [PlugX: some uncovered points](http://blog.cassidiancybersecurity.com/2014/01/plugx-some-uncovered-points.html)
## 2013
* ??? ?? - [THE LITTLE MALWARE THAT COULD: Detecting and Defeating the China Chopper Web Shell](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf) | [Local](../../blob/master/2013/2013.China_Chopper_Web_Shell)
* ??? ?? - [Deep Panda](http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf) (OFFLINE) | [Local](../../blob/master//2013/2013.Deep.Panda)
* Dec 20 - [ETSO APT Attacks Analysis](http://image.ahnlab.com/global/upload/download/documents/1401223631603288.pdf) | [Local](../../blob/master//2013/2013.12.20.ETSO)
* Dec 11 - [Operation "Ke3chang"](http://www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf)
* Dec 02 - [njRAT, The Saga Continues](http://www.fidelissecurity.com/files/files/FTA%201010%20-%20njRAT%20The%20Saga%20Continues.pdf)
* Nov 11 - [Supply Chain Analysis](http://www.fireeye.com/resources/pdfs/fireeye-malware-supply-chain.pdf)
* Nov 10 - [Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method](http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html)
* Oct 24 - [Terminator RAT](https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-rat.html) or [FakeM RAT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf) | [Local](../../blob/master//2013/2013.10.24)
* Sep 30 - [World War C: State of affairs in the APT world](https://www.fireeye.com/blog/threat-research/2013/09/new-fireeye-report-world-war-c.html)
* Sep 25 - [The 'ICEFOG' APT: A Tale of cloak and three daggers](http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf)
* Sep 17 - [Hidden Lynx - Professional Hackers for Hire](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf)
* Sep 13 - [Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets](http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html)
* Sep 11 - [The "Kimsuky" Operation](https://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/)
* Sep 06 - [Evasive Tactics: Taidoor](https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html) | [Local](../../blob/master//2013/2013.09.06.EvasiveTactics_Taidoor)
* Sep ?? - [Feature: EvilGrab Campaign Targets Diplomatic Agencies](http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/2q-report-on-targeted-attack-campaigns.pdf)
* Aug 23 - [Operation Molerats: Middle East Cyber Attacks Using Poison Ivy](http://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html)
* Aug 21 - [POISON IVY: Assessing Damage and Extracting Intelligence](http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf)
* Aug 19 - [ByeBye Shell and the targeting of Pakistan](https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan)
* Aug 02 - [Surtr: Malware Family Targeting the Tibetan Community](https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/)
* Aug 02 - [Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up](http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/)
* Aug ?? - [APT Attacks on Indian Cyber Space](http://g0s.org/wp-content/uploads/2013/downloads/Inside_Report_by_Infosec_Consortium.pdf)
* Aug ?? - [Operation Hangover - Unveiling an Indian Cyberattack Infrastructure](http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf)
* Jul 31 - [Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio, Elirks)](https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf), [video](https://www.youtube.com/watch?v=SoFVRsvh8s0)
* Jul 31 - [Secrets of the Comfoo Masters](http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/)
* Jul 15 - [PlugX revisited: "Smoaler"](http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf)
* Jul 09 - [Dark Seoul Cyber Attack: Could it be worse?](http://cisak.perpika.kr/wp-content/uploads/2013/07/2013-08.pdf)
* Jun 30 - [Targeted Campaign Steals Credentials in Gulf States and Caribbean](https://blogs.mcafee.com/mcafee-labs/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean)
* Jun 28 - [njRAT Uncovered](http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf)
* Jun 21 - [A Call to Harm: New Malware Attacks Target the Syrian Opposition](https://citizenlab.org/wp-content/uploads/2013/07/19-2013-acalltoharm.pdf)
* Jun 18 - [Trojan.APT.Seinup Hitting ASEAN](http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html)
* Jun 07 - [KeyBoy, Targeted Attacks against Vietnam and India](https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india)
* Jun 04 - [The NetTraveler (aka 'Travnet')](http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf)
* Jun 01 - [Crude Faux: An analysis of cyber conflict within the oil & gas industries](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-9.pdf)
* Jun ?? - [The Chinese Malware Complexes: The Maudi Surveillance Operation](https://bluecoat.com/documents/download/2c832f0f-45d2-4145-bdb7-70fc78c22b0f&ei=ZGP-VMCbMsuxggSThYDgDg&usg=AFQjCNFjXSkn_AIiXge1X9oWZHzQOiNDJw&sig2=B6e2is0sCnGEbLPL9q0eZg&bvm=bv.87611401,d.eXY)
* May 30 - [TR-14 - Analysis of a stage 3 Miniduke malware sample](http://www.circl.lu/pub/tr-14/)
* May ?? - [Operation Hangover](https://www.bluecoat.com/security-blog/2013-05-20/hangover-report)
* Apr 24 - [Operation Hangover](http://normanshark.com/pdf/Norman_HangOver%20report_Executive%20Summary_042513.pdf)
* Apr 21 - [MiniDuke - The Final Cut](http://labs.bitdefender.com/2013/04/miniduke-the-final-cut)
* Apr 13 - ["Winnti" More than just a game](http://www.securelist.com/en/downloads/vlpdfs/winnti-more-than-just-a-game-130410.pdf)
* Apr 01 - [Trojan.APT.BaneChant](http://www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html)
* Mar 28 - [TR-12 - Analysis of a PlugX malware variant used for targeted attacks](http://www.circl.lu/pub/tr-12/)
* Mar 27 - [APT1: technical backstage (Terminator/Fakem RAT)](http://www.malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf)
* Mar 21 - [Darkseoul/Jokra Analysis And Recovery](http://www.fidelissecurity.com/sites/default/files/FTA%201008%20-%20Darkseoul-Jokra%20Analysis%20and%20Recovery.pdf)
* Mar 20 - [The TeamSpy Crew Attacks](http://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/)
* Mar 20 - [Dissecting Operation Troy](http://www.mcafee.com/sg/resources/white-papers/wp-dissecting-operation-troy.pdf)
* Mar 17 - [Safe: A Targeted Threat](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf)
* Mar 13 - [You Only Click Twice: FinFisher's Global Proliferation](https://citizenlab.org/wp-content/uploads/2013/07/15-2013-youonlyclicktwice.pdf)
* Feb 27 - [Miniduke: Indicators v1](http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf)
* Feb 27 - [The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor](https://www.securelist.com/en/downloads/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf)
* Feb 26 - [Stuxnet 0.5: The Missing Link](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf)
* Feb 22 - [Comment Crew: Indicators of Compromise](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/comment_crew_indicators_of_compromise.pdf)
* Feb 18 - [Mandiant APT1 Report](http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf)
* Feb 12 - [Targeted cyber attacks: examples and challenges ahead](http://www.ait.ac.at/uploads/media/Presentation_Targeted-Attacks_EN.pdf)
* Jan 18 - [Operation Red October](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24250/en_US/McAfee_Labs_Threat_Advisory_Exploit_Operation_Red_Oct.pdf)
* Jan 14 - [Red October Diplomatic Cyber Attacks Investigation](http://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation)
* Jan 14 - [The Red October Campaign](https://securelist.com/blog/incidents/57647/the-red-october-campaign)
## 2012
* Nov 03 - [Systematic cyber attacks against Israeli and Palestinian targets going on for a year](http://cyber-peace.org/wp-content/uploads/2014/01/Cyberattack_against_Israeli_and_Palestinian_targets.pdf)
* Nov 01 - [RECOVERING FROM SHAMOON](http://www.fidelissecurity.com/sites/default/files/FTA%201007%20-%20Shamoon.pdf)
* Oct 31 - [CYBER ESPIONAGE Against Georgian Government (Georbot Botnet)](http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf)
* Oct 27 - [Trojan.Taidoor: Targeting Think Tanks](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_taidoor-targeting_think_tanks.pdf)
* Oct 08 - [Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT](http://matasano.com/research/PEST-CONTROL.pdf)
* Sep 18 - [The Mirage Campaign](http://www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign/)
* Sep 12 - [The VOHO Campaign: An in depth analysis](http://blogsdev.rsa.com/wp-content/uploads/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf)
* Sep 07 - [IEXPLORE RAT](https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf)
* Sep 06 - [The Elderwood Project](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf)
* Aug 18 - [The Taidoor Campaign: An In-Depth Analysis](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf) | [Local](../../blob/master//2012/2012.08.18.Taidoor_Campaign)
* Aug 09 - [Gauss: Abnormal Distribution](http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-lab-gauss.pdf)
* Jul 27 - [The Madi Campaign](https://securelist.com/analysis/36609/the-madi-infostealers-a-detailed-analysis/)
* Jul 25 - [From Bahrain With Love: FinFisher's Spy Kit Exposed?](https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/)
* Jul 11 - [Wired article on DarkComet creator](http://www.wired.com/2012/07/dark-comet-syrian-spy-tool/)
* Jul 10 - [Advanced Social Engineering for the Distribution of LURK Malware](https://citizenlab.org/wp-content/uploads/2012/07/10-2012-recentobservationsintibet.pdf)
* May 31 - [sKyWIper (Flame/Flamer)](http://www.crysys.hu/skywiper/skywiper.pdf)
* May 22 - [IXESHE An APT Campaign](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf)
* May 18 - [Analysis of Flamer C&C Server](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_flamer_newsforyou.pdf)
* Apr 16 - [OSX.SabPub & Confirmed Mac APT attacks](http://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-mac-apt-attacks-19/)
* Apr 10 - [Anatomy of a Gh0st RAT](http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf)
* Mar 26 - [Luckycat Redux](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf)
* Mar 13 - [Reversing DarkComet RAT's crypto](http://www.arbornetworks.com/asert/wp-content/uploads/2012/07/Crypto-DarkComet-Report.pdf)
* Mar 12 - [Crouching Tiger, Hidden Dragon, Stolen Data](http://www.contextis.com/services/research/white-papers/crouching-tiger-hidden-dragon-stolen-data/)
* Feb 29 - [The Sin Digoo Affair](http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/)
* Feb 03 - [Command and Control in the Fifth Domain](http://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf)
* Jan 03 - [The HeartBeat APT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf)
## 2011
* Dec 08 - [Palebot trojan harvests Palestinian online credentials](https://web.archive.org/web/20130308090454/http://blogs.norman.com/2011/malware-detection-team/palebot-trojan-harvests-palestinian-online-credentials)
* Oct 31 - [The Nitro Attacks: Stealing Secrets from the Chemical Industry](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf)
* Oct 26 - [Duqu Trojan Questions and Answers](http://www.secureworks.com/cyber-threat-intelligence/threats/duqu/)
* Oct 12 - [Alleged APT Intrusion Set: "1.php" Group](http://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf)
* Sep 22 - [The "LURID" Downloader](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf)
* Sep 11 - [SK Hack by an Advanced Persistent Threat](http://www.commandfive.com/papers/C5_APT_SKHack.pdf)
* Sep 09 - [The RSA Hack](http://www.fidelissecurity.com/sites/default/files/FTA1001-The_RSA_Hack.pdf)
* Aug 03 - [HTran and the Advanced Persistent Threat](http://www.secureworks.com/cyber-threat-intelligence/threats/htran/)
* Aug 02 - [Operation Shady RAT: Vanity Fair](http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109)
* Aug 04 - [Operation Shady RAT](http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf)
* Apr 20 - [Stuxnet Under the Microscope](http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf)
* Feb 18 - [Night Dragon Specific Protection Measures for Consideration](http://www.nerc.com/pa/rrm/bpsa/Alerts%20DL/2011%20Alerts/A-2011-02-18-01%20Night%20Dragon%20Attachment%201.pdf)
* Feb 10 - [Global Energy Cyberattacks: Night Dragon](http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf)
## 2010
* Dec 09 - [The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability](http://www.fas.org/sgp/crs/natsec/R41524.pdf)
* Sep 30 - [W32.Stuxnet Dossier](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf)
* Sep 03 - [The "MSUpdater" Trojan And Ongoing Targeted Attacks](http://www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf)
* Apr 06 - [Shadows in the cloud: Investigating Cyber Espionage 2.0](http://www.nartv.org/mirror/shadows-in-the-cloud.pdf)
* Mar 14 - [In-depth Analysis of Hydraq](http://www.totaldefense.com/Core/DownloadDoc.aspx?documentID=1052) (OFFLINE)
* Feb 24 - [How Can I Tell if I Was Infected By Aurora? (IOCs)](http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf) (OFFLINE)
* Feb 10 - [HB Gary Threat Report: Operation Aurora](http://hbgary.com/sites/default/files/publications/WhitePaper%20HBGary%20Threat%20Report,%20Operation%20Aurora.pdf)
* Jan ?? - [Case Study: Operation Aurora - Triumfant](http://www.triumfant.com/pdfs/Case_Study_Operation_Aurora_V11.pdf) (OFFLINE)
* Jan 27 - [Operation Aurora Detect, Diagnose, Respond](http://albertsblog.stickypatch.org/files/3/5/1/4/7/282874-274153/Aurora_HBGARY_DRAFT.pdf) (OFFLINE)
* Jan 20 - [McAfee Labs: Combating Aurora](https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/67000/KB67957/en_US/Combating%20Threats%20-%20Operation%20Aurora.pdf)
* Jan 13 - [The Command Structure of the Aurora Botnet - Damballa](https://www.damballa.com/downloads/r_pubs/Aurora_Botnet_Command_Structure.pdf)
* Jan 12 - [Operation Aurora](http://en.wikipedia.org/wiki/Operation_Aurora)
## 2009
* Mar 29 - [Tracking GhostNet](http://www.nartv.org/mirror/ghostnet.pdf)
* Jan 18 - [Impact of Alleged Russian Cyber Attacks](https://www.baltdefcol.org/files/files/documents/Research/BSDR2009/1_%20Ashmore%20-%20Impact%20of%20Alleged%20Russian%20Cyber%20Attacks%20.pdf)
## 2008
* Nov 19 - [Agent.BTZ](http://www.wired.com/dangerroom/2008/11/army-bans-usb-d/)
* Nov 04 - [China's Electronic Long-Range Reconnaissance](http://fmso.leavenworth.army.mil/documents/chinas-electronic.pdf)
* Oct 02 - [How China will use cyber warfare to leapfrog in military competitiveness](http://www.international-relations.com/CM8-1/Cyberwar.pdf)
* Aug 10 - [Russian Invasion of Georgia Russian Cyberwar on Georgia](http://www.mfa.gov.ge/files/556_10535_798405_Annex87_CyberAttacks.pdf) (OFFLINE)
## 2006
* ["Wicked Rose" and the NCPH Hacking Group](http://krebsonsecurity.com/wp-content/uploads/2012/11/WickedRose_andNCPH.pdf)