# Threat INTel Reports

Archive of publicly available threat/cybercrime INTel reports (mostly APT reports, but not limited to them). Useful as a reference when you emulate threat actors on a daily basis. Please create an issue if I'm missing a relevant report.

Note: if you are looking for every type of publicly available document and note related to APTs, have a look at APTnotes and aptnotes. Unfortunately, the way they store and sort their data doesn't work for me anymore.

## 2018

| Title | Month | Source |
|---|---|---|
| DRAGONFISH delivers new form of Elise malware | Jan | Accenture |
| Diplomats in Eastern Europe bitten by a Turla mosquito | Jan | ESET |
| Iran's Cyber Threat: Espionage, Sabotage and Revenge | Jan | Carnegie Endowment |
| Turla group update: Neuron malware | Jan | NCSC |
| Dark Caracal: Cyber-espionage at a Global Scale | Jan | Lookout & EFF |
| International Security and Estonia | Feb | Estonian Foreign Intelligence Service |
| APT37 (Reaper): The Overlooked North Korean Actor | Feb | FireEye |
| BAD TRAFFIC: Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads | Mar | The Citizen Lab |
| The Slingshot APT | Mar | Kaspersky |
| Industrial Control System Threats | Mar | Dragos |
| Territorial Dispute: NSA's perspective on APT landscape | Mar | CrySyS Lab |
| Targeted Attacks on South Korean Organizations | Mar | AhnLab |
| GravityRAT | Apr | Talos |
| Hogfish (Redleaves) | Apr | Accenture |
| M-Trends 2018 | May | FireEye |
| Burning Umbrella | May | ProtectWise |
| Andariel Group - KR | May | AhnLab |
| Iran's Hacker Hierarchy Exposed | May | Recorded Future |
| New Bank Attacks | May | Positive Technologies |
| Bank Attacks | May | Positive Technologies |
| Full Disclosure of Andariel, A Subgroup of Lazarus Threat Group | Jun | AhnLab |
| Operation Roman Holiday: Hunting the Russian APT28 group | Jul | CSE ZLab |
| COMMSEC: The Trails of WINDSHIFT APT | Aug | DarkMatter |
| Turla Outlook Backdoor | Aug | ESET |
| Chinese Cyberespionage Originating From Tsinghua University Infrastructure | Aug | Recorded Future |
| APT38: Un-usual Suspects | Oct | FireEye |
| LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group | Oct | ESET |
| GreyEnergy: A successor to BlackEnergy | Oct | ESET |

## 2017

| Title | Month | Source |
|---|---|---|
| APT28: A Window into Russia's Cyber Espionage Operations | Jan | FireEye |
| APT28: At the Center of the Storm. Russia Strategically Evolves Its Cyber Operations | Jan | FireEye |
| APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information | Feb | Bitdefender |
| KingSlayer: A Supply Chain Attack | Feb | RSA |
| Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society | Feb | The Citizen Lab |
| Bitter Sweet: Supporters of Mexico's Soda Tax Targeted With NSO Exploit Links | Feb | The Citizen Lab |
| Enhanced Analysis of GRIZZLY STEPPE Activity | Feb | US-CERT |
| Dissecting the APT28 Mac OS X Payload | Feb | Bitdefender |
| Read The Manual: A Guide to the RTM Banking Trojan | Feb | ESET |
| Trends in Android Ransomware | Feb | ESET |
| From Shamoon to StoneDrill | Mar | Kaspersky |
| Carbon Paper: Peering into Turla's Second Stage Backdoor | Mar | ESET |
| Lazarus Under the Hood | Apr | Kaspersky |
| Appendix B: Moonlight Maze Technical Report | Apr | Kaspersky |
| Callisto Group | Apr | F-Secure |
| McAfee Labs Threats Report | Apr | McAfee |
| Intrusions Affecting Multiple Victims Across Multiple Sectors | Apr | US-CERT |
| Two Years of Pawn Storm: Examining an Increasingly Relevant Threat | May | Trend Micro |
| Sednit adds two zero-day exploits using Trump's attack on Syria as a decoy | May | ESET |
| Evolution of the GOLD EVERGREEN Threat Group | May | SecureWorks |
| Bachosens: Highly-skilled petty cyber criminal with lofty ambitions targeting large organizations | May | Symantec |
| Lazarus: History of mysterious group behind infamous cyber attacks | May | Symantec |
| Operation Bachosens: A detailed look into a long-running cyber crime campaign | May | Symantec |
| Tainted Leaks: Disinformation and Phishing With a Russian Nexus | May | The Citizen Lab |
| Lazarus Arisen (full report) | May | Group-IB |
| Lazarus Arisen (article) | May | Group-IB |
| CrashOverride: Analysis of the Threat to Electric Grid Operations | Jun | Dragos |
| Behind the CARBANAK Backdoor | Jun | FireEye |
| Bahamut: Pursuing a Cyber Espionage Actor in the Middle East | Jun | Collin Anderson and Claudio Guarnieri |
| Win32/Industroyer: A New Threat for Industrial Control Systems | Jun | ESET |
| FIN10: Anatomy of a Cyber Extortion Operation | Jun | FireEye |
| Detecting Lateral Movement through Tracking Event Logs | Jun | JPCERT |
| Bronze Butler | Jun | SecureWorks |
| OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society | Jun | Volexity |
| ChessMaster's New Strategy: Evolving Tools and Tactics | Jun | Trend Micro |
| Everything we know about GoldenEye | Jul | Bitdefender |
| Cyberattacks Against Ukrainian ICS | Jul | Sentryo |
| Living off the land and fileless attack techniques | Jul | Symantec |
| State of Cybersecurity in Asia-Pacific | Jul | Palo Alto |
| Operation Wilted Tulip | Jul | ClearSky & Trend Micro |
| OilRig Deploys ALMA Communicator: DNS Tunneling Trojan | Aug | Palo Alto |
| Intelligence Games in the Power Grid | Sep | Treadstone 71 |
| Hack ATM with an anti-hacking feature and walk away with $1M in 2 minutes | Oct | Embedi |
| Remote Control Interloper: Analyzing New Chinese htpRAT Malware Attacks Against ASEAN | Oct | RiskIQ |
| Investigation: WannaCry cyber attack and the NHS | Oct | National Audit Office |
| Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository | Oct | Palo Alto |
| The CARBANAK/FIN7 Syndicate: A Historical Overview of an Evolving Threat | Nov | RSA |
| The Shadows of Ghosts: Inside the Response of a Unique CARBANAK Intrusion | Nov | RSA |
| Turla group using Neuron and Nautilus tools alongside Snake malware | Nov | UK NCSC |
| Charming Kitten | Dec | ClearSky |
| TRISIS Malware: Analysis of Safety System Targeted Malware | Dec | Dragos |
| North Korea Bitten by Bitcoin Bug | Dec | Proofpoint |
| Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure | Dec | FireEye |

## 2016

| Title | Month | Source |
|---|---|---|
| Analyzing a New Variant of BlackEnergy 3: Likely Insider-Based Execution | Jan | SentinelOne |
| Operation DustySky | Jan | ClearSky |
| Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups | Feb | ICIT |
| Operation Dust Storm | Feb | Cylance |
| Operation Blockbuster | Feb | Novetta |
| From Seoul to Sony | Feb | Blue Coat |
| The Four-Element Sword Engagement: Ongoing APT Targeting of Tibetan, Hong Kong, and Taiwanese Interests | Mar | Arbor Networks |
| The Four Element Sword Engagement | Apr | Arbor Networks |
| Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns | Apr | The Citizen Lab |
| PLATINUM: Targeted attacks in South and Southeast Asia | Apr | Microsoft |
| Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6 | Apr | FireEye |
| Mofang: A politically motivated information stealing adversary | May | Fox-IT |
| Operation Groundbait: Analysis of a surveillance toolkit | May | ESET |
| APT Case RUAG: Technical Report | May | MELANI GovCERT |
| Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents | May | The Citizen Lab |
| Operation DustySky Part 2 | Jun | ClearSky |
| Visiting The Bear Den: A Journey in the Land of Cyber-Espionage | Jun | ESET |
| Redline Drawn: China Recalculates Its Use of Cyber Espionage | Jun | FireEye |
| ...in the Middle East (entry truncated in the source; title and publisher missing) | | |
| Pacifier APT | Jul | Bitdefender |
| Unveiling Patchwork: The Copy-Paste APT | Jul | Cymmetria |
| Operation Manul | Aug | EFF |
| Monsoon: Analysis of an APT Campaign | Aug | Forcepoint |
| Group5: Syria and the Iranian Connection | Aug | The Citizen Lab |
| The ProjectSauron APT | Aug | Kaspersky |
| Carbanak Oracle Breach | Aug | VISA |
| The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender | Aug | The Citizen Lab |
| Visa Alert and Update on the Oracle Breach | Aug | VISA |
| Ego Market: When Greed for Fame Benefits Large-Scale Botnets | Sep | GoSecure |
| Hunting Libyan Scorpions | Sep | Cyberkov |
| En Route with Sednit Part 1: Approaching the Target | Oct | ESET |
| En Route with Sednit Part 2: Observing the Comings and Goings | Oct | ESET |
| En Route with Sednit Part 3: A Mysterious Downloader | Oct | ESET |
| Rootkit Analysis: Use Case on HideDRV | Oct | Sekoia |
| Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks | Oct | Kaspersky |
| When The Lights Went Out: Ukraine Cybersecurity Threat Briefing | Nov | Booz Allen Hamilton |
| PROMETHIUM and NEODYMIUM: Parallel zero-day attacks targeting individuals in Europe | Dec | Microsoft |
| Use of Fancy Bear Android Malware in Tracking of Ukrainian Artillery Units | Dec | CrowdStrike |
| GRIZZLY STEPPE: Russian Malicious Cyber Activity | Dec | FBI |

## 2015

| Title | Month | Source |
|---|---|---|
| Insight into a Strategic Web Compromise and Attack Campaign Against Hong Kong Infrastructure | Jan | Dragon Threat Labs |
| The Waterbug Attack Group | Jan | Symantec |
| Carbanak APT: The Great Bank Robbery | Feb | Kaspersky |
| Behind the Syrian Conflict's Digital Front Lines | Feb | FireEye |
| The Desert Falcons Targeted Attacks | Feb | Kaspersky |
| Southeast Asia: An Evolving Cyber Threat Landscape | Feb | FireEye |
| Operation Arid Viper: Bypassing the Iron Dome | Feb | Trend Micro |
| PlugX Goes to the Registry (and India) | Feb | Sophos |
| ScanBox II | Feb | PwC |
| CrowdStrike Global Threat Intel Report | Feb | CrowdStrike |
| Equation Group: Questions and Answers | Feb | Kaspersky |
| Shooting Elephants | Feb | CIRCL Luxembourg |
| Tibetan Uprising Day Malware Attacks | Mar | The Citizen Lab |
| Operation Woolen-Goldfish: When Kittens Go Phishing | Mar | Trend Micro |
| Volatile Cedar: Threat Intelligence and Research | Mar | Check Point |
| Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware | Mar | The Citizen Lab |
| Hacking the Street? FIN4 Likely Playing the Market | Apr | FireEye |
| APT30 and the Mechanics of a Long-Running Cyber Espionage Operation | Apr | FireEye |
| Sofacy II: Same Sofacy, Different Day | Apr | PwC |
| China's Great Cannon | Apr | The Citizen Lab |
| CozyDuke | Apr | F-Secure |
| Dissecting Linux/Moose: The Analysis of a Linux Router-based Worm Hungry for Social Networks | May | ESET |
| Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers | May | Trend Micro |
| OceanLotus (APT-C-00) | May | SkyEye |
| APT28 Targets Financial Markets: Zero Day Hashes Released | May | root9B |
| Analysis on APT-to-be Attack That Focusing on China's Government Agency | May | Antiy CERT |
| The MsnMM Campaigns: The Earliest Naikon APT Campaigns | May | Kaspersky |
| Operation Oil Tanker: The Phantom Menace | May | PandaLabs |
| Thamar Reservoir: An Iranian Cyber-Attack Campaign Against Targets in the Middle East | Jun | ClearSky |
| Duqu 2.0: A Comparison to Duqu | Jun | CrySyS Lab |
| Operation Lotus Blossom | Jun | Palo Alto |
| An Iranian Cyber-Attack Campaign Against Targets in the Middle East | Jun | ClearSky |
| The Duqu 2.0 Technical Details | Jun | Kaspersky |
| Insight into advances of adversary tactics, techniques and procedures through analysis of an attack against an organisation in the Asia Pacific region | Jun | Dragon Threat Labs |
| Targeted Attacks Against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114 | Jun | The Citizen Lab |
| Operation Potao Express: Analysis of a Cyber-Espionage Toolkit | Jul | ESET |
| The Black Vine Cyberespionage Group | Jul | Symantec |
| HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group | Jul | FireEye |
| Butterfly: Corporate Spies Out for Financial Gain | Jul | Symantec |
| Terracotta VPN: Enabler of Advanced Threat Anonymity | Aug | RSA Research |
| What We Know About the South Korea NIS's Use of Hacking Team's RCS | Aug | The Citizen Lab |
| London Calling: Two-Factor Authentication Phishing From Iran | Aug | The Citizen Lab |
| The Dukes: 7 Years of Russian Cyberespionage | Sep | F-Secure |
| The Spy Kittens Are Back: Rocket Kitten 2 | Sep | Trend Micro |
| Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy | Sep | Recorded Future |
| Pay No Attention to the Server Behind the Proxy: Mapping FinFisher's Continuing Proliferation | Oct | The Citizen Lab |
| Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites | Oct | The Citizen Lab |
| Russian Financial Cybercrime: How It Works | Nov | Kaspersky |
| CopyKittens Attack Group | Nov | ClearSky |
| Rocket Kitten: A Campaign with 9 Lives | Nov | Check Point |
| Operation Iron Tiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors | Dec | Trend Micro |

## 2014

| Title | Month | Source |
|---|---|---|
| Targeted Attacks Against the Energy Sector | Jan | Symantec |
| Emerging Threat Profile: Shell_Crew | Jan | RSA |
| New CDTO: A Sneakernet Trojan Solution | Jan | Fidelis |
| Intruder File Report: Sneakernet Trojan | Jan | Fidelis |
| Uroburos: Highly Complex Espionage Software with Russian Roots | Feb | GDATA |
| Unveiling Careto: The Masked APT | Feb | Kaspersky |
| Mapping Hacking Team's "Untraceable" Spyware | Feb | The Citizen Lab |
| Gathering in the Middle East, Operation STTEAM | Feb | Fidelis |
| The Monju Incident | Feb | Context |
| Hacking Team and the Targeting of Ethiopian Journalists | Feb | The Citizen Lab |
| Hacking Team's US Nexus | Mar | The Citizen Lab |
| Snake Campaign & Cyber Espionage Toolkit | Mar | BAE |
| Maliciously Repackaged Psiphon Found | Mar | The Citizen Lab |
| Deep Panda | May | CrowdStrike |
| Operation Saffron Rose | May | FireEye |
| RAT in a Jar: A Phishing Campaign Using Unrecom | May | Fidelis |
| Illuminating the Etumbot APT Backdoor | Jun | Arbor |
| Putter Panda | Jun | CrowdStrike |
| Anatomy of the Attack: Zombie Zero | Jun | TrapX |
| Dragonfly: Cyberespionage Attacks Against Energy Suppliers | Jun | Symantec |
| Police Story: Hacking Team's Government Surveillance Malware | Jun | The Citizen Lab |
| Energetic Bear / Crouching Yeti | Jul | Kaspersky |
| The Eye of the Tiger (Pitty Tiger) | Jul | Airbus |
| Crouching Yeti: Appendixes | Jul | Kaspersky |
| Operation Arachnophobia: Caught in the Spider's Web | Aug | ThreatConnect |
| Sidewinder Targeted Attack Against Android in the Golden Age of Ad Libraries | Aug | FireEye |
| Profiling an Enigma: The Mystery of North Korea's Cyber Threat Landscape | Aug | HP |
| The Epic Turla Operation: Solving Some of the Mysteries of Snake/Uroboros | Aug | Kaspersky |
| Syrian Malware, the Ever-Evolving Threat | Aug | Kaspersky |
| CosmicDuke: Cosmu with a Twist of MiniDuke | Sep | F-Secure |
| Operation Quantum Entanglement | Sep | FireEye |
| BlackEnergy & Quedagh: The Convergence of Crimeware and APT Attacks | Oct | F-Secure |
| Sofacy Phishing | Oct | PwC |
| Operation Pawn Storm: Using Decoys to Evade Detection | Oct | Trend Micro |
| Hikit Analysis | Oct | Novetta |
| APT28: A Window into Russia's Cyber Espionage Operations | Oct | FireEye |
| Micro-Targeted Malvertising via Real-Time Ad Bidding | Oct | Invincea |
| The Rotten Tomato Campaign | Oct | Sophos |
| ZoxPNG Analysis | Oct | Novetta |
| Operation TooHash: How Targeted Attacks Work | Oct | GDATA |
| The Darkhotel APT: A Story of Unusual Hospitality | Nov | Kaspersky |
| Darkhotel Indicators of Compromise | Nov | Kaspersky |
| Derusbi (Server Variant) Analysis | Nov | Novetta |
| Evil Bunny: Suspect #4 | Nov | Marion Marschalek |
| The Regin Platform: Nation-State Ownership of GSM Networks | Nov | Kaspersky |
| Regin: Top-Tier Espionage Tool Enables Stealthy Surveillance | Nov | Symantec |
| Anunak: APT Against Financial Institutions | Dec | Fox-IT |
| The Inception Framework: Cloud-Hosted APT | Dec | Blue Coat |
| Operation Cleaver | Dec | Cylance |
| Bots, Machines, and the Matrix | Dec | Fidelis |
| Hacking the Street? FIN4 Likely Playing the Market | Dec | FireEye |
| W32/Regin, Stage #1 | Dec | F-Secure |
| W64/Regin, Stage #1 | Dec | F-Secure |
| Malware Attacks Targeting Syrian ISIS Critics | Dec | The Citizen Lab |

## 2013

| Title | Month | Source |
|---|---|---|
| "Red October" Diplomatic Cyber Attacks Investigation | Jan | Kaspersky |
| The Icefog APT: A Tale of Cloak and Three Daggers | Jan | Kaspersky |
| A Closer Look at MiniDuke | Feb | Bitdefender |
| Stuxnet 0.5: The Missing Link | Feb | Symantec |
| The MiniDuke Mystery: PDF 0-Day Government Spy Assembler 0x29A Micro Backdoor | Feb | Kaspersky |
| MiniDuke: Indicators | Feb | CrySyS Lab |
| APT1: Exposing One of China's Cyber Espionage Units | Feb | Mandiant |
| Command and Control in the Fifth Domain | Feb | Command Five Pty Ltd |
| Comment Crew: Indicators of Compromise | Feb | Symantec |
| APT1's GLASSES: Watching a Human Rights Organization | Feb | The Citizen Lab |
| Dissecting Operation Troy: Cyberespionage in South Korea | Mar | McAfee |
| The TeamSpy Story: Abusing TeamViewer in Cyberespionage Campaigns | Mar | Kaspersky |
| Analysis of a PlugX Variant (PlugX Version 7.0) | Mar | CIRCL |
| You Only Click Twice: FinFisher's Global Proliferation | Mar | The Citizen Lab |
| APT1: Technical Backstage | Mar | itrust |
| Safe: A Targeted Threat | Mar | Trend Micro |
| Winnti: More Than Just a Game | Apr | Kaspersky |
| For Their Eyes Only: The Commercialization of Digital Spying | Apr | The Citizen Lab |
| Permission to Spy: An Analysis of Android Malware Targeting Tibetans | Apr | The Citizen Lab |
| Analysis of a Stage 3 MiniDuke Sample | May | CIRCL |
| Operation Hangover: Unveiling an Indian Cyberattack Infrastructure | May | Norman |
| The Chinese Malware Complexes: The Maudi Surveillance Operation | Jun | Norman |
| A Call to Harm: New Malware Attacks Target the Syrian Opposition | Jun | The Citizen Lab |
| Crude Faux: An Analysis of Cyber Conflict Within the Oil & Gas Industries | Jun | CERIAS |
| njRAT Uncovered | Jun | Fidelis |
| The NetTraveler (aka Travnet) | Jun | Kaspersky |
| The PlugX Malware Revisited: Introducing Smoaler | Jul | Sophos |
| Operation Hangover: Unveiling an Indian Cyberattack Infrastructure (Appendix) | Aug | FIXME |
| The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell | Aug | FireEye |
| Inside Report: APT Attacks on Indian Cyber Space | Aug | Infosec Consortium |
| Surtr: Malware Family Targeting the Tibetan Community | Aug | The Citizen Lab |
| Poison Ivy: Assessing Damage and Extracting Intelligence | Aug | FireEye |
| 2Q Report on Targeted Attack Campaigns | Sep | Trend Micro |
| Hidden Lynx: Professional Hackers for Hire | Sep | Symantec |
| World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks | Sep | FireEye |
| FAKEM RAT: Malware Disguised as Windows Messenger and Yahoo! Messenger | Oct | Trend Micro |
| Targeted Threats Index | Oct | The Citizen Lab |
| Supply Chain Analysis: From Quartermaster to Sunshop | Nov | FireEye |
| Energy at Risk: A Study of IT Security in the Energy and Natural Resources Industry | Dec | KPMG |
| ETSO APT Attacks Analysis | Dec | AhnLab |
| Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs | Dec | FireEye |
| "njRAT": The Saga Continues | Dec | Fidelis |
| Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns | Dec | The Citizen Lab |

## 2012

| Title | Month | Source |
|---|---|---|
| The HeartBeat APT Campaign | Jan | Trend Micro |
| Crouching Tiger, Hidden Dragon, Stolen Data | Mar | Context |
| sKyWIper (a.k.a. Flame a.k.a. Flamer): A Complex Malware for Targeted Attacks | Mar | CrySyS Lab |
| Luckycat Redux: Inside an APT Campaign with Multiple Targets in India and Japan | Mar | Trend Micro |
| Have I Got NewsForYou: Analysis of Flamer C&C Server | May | Symantec |
| IXESHE: An APT Campaign | May | Trend Micro |
| Pest Control: Taming the RATs | Jun | Matasano |
| Spoofing the European Parliament: Analysis of the Repurposing of Legitimate Content in Targeted Malware Attacks | Jun | The Citizen Lab |
| Syrian Activists Targeted with BlackShades Spy Software | Jun | The Citizen Lab |
| From Bahrain With Love: FinFisher Spy Kit Exposed? | Jul | The Citizen Lab |
| Recent Observations in Tibet-Related Information Operations: Advanced Social Engineering for the Distribution of LURK Malware | Jul | The Citizen Lab |
| IEXPL0RE RAT | Aug | The Citizen Lab |
| Gauss: Abnormal Distribution | Aug | Kaspersky |
| The SmartPhone Who Loved Me: FinFisher Goes Mobile | Aug | The Citizen Lab |
| The VOHO Campaign: An In-Depth Analysis | Aug | RSA |
| The Elderwood Project | Sep | Symantec |
| Backdoors are Forever: Hacking Team and the Targeting of Dissent | Oct | The Citizen Lab |
| Trojan.Taidoor: Targeting Think Tanks | Oct | Symantec |
| Recovering from Shamoon | Nov | Fidelis |
| Systematic Cyber Attacks Against Israeli and Palestinian Targets Going On for a Year | Nov | Norman |
| The Many Faces of Gh0st RAT: Plotting the Connections Between Malware Attacks | Nov | Norman |

## 2011

| Title | Month | Source |
|---|---|---|
| W32.Stuxnet Dossier | Feb | Symantec |
| Global Energy Cyberattacks: Night Dragon | Feb | McAfee |
| Stuxnet Under the Microscope | Apr | ESET |
| Advanced Persistent Threats: A Decade in Review | Jun | Command Five Pty Ltd |
| The Lurid Downloader | Aug | Trend Micro |
| Revealed: Operation Shady RAT | Aug | McAfee |
| Enter the Cyber-dragon | Sep | Vanity Fair |
| SK Hack by an Advanced Persistent Threat | Sep | Command Five Pty Ltd |
| Alleged APT Intrusion Set: "1.php" Group | Oct | Zscaler |
| The Nitro Attacks: Stealing Secrets from the Chemical Industry | Oct | Symantec |

## 2010

| Title | Month | Source |
|---|---|---|
| The Command Structure of the Aurora Botnet | Jan | Damballa |
| Operation Aurora: Detect, Diagnose, Respond | Jan | HBGary |
| Combating Aurora | Jan | McAfee |
| Operation Aurora | Feb | HBGary |
| In-Depth Analysis of Hydraq: The Face of Cyberwar Enemies Unfolds | Mar | CA |
| Shadows in the Cloud: Investigating Cyber Espionage 2.0 | Apr | Shadowserver |
| The MSUpdater Trojan and Ongoing Targeted Attacks | Sep | Zscaler |

## 2009

| Title | Month | Source |
|---|---|---|
| Tracking GhostNet: Investigating a Cyber Espionage Network | Mar | The SecDev Group |
| Declawing the Dragon: Why the U.S. Must Counter Chinese Cyber-Warriors | Jun | NA |
| Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation | Oct | Northrop Grumman |
| Russian Cyberwar on Georgia | Nov | georgiaupdate.gov.ge |
