This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports.
For the moment, it would be nice to have a PDF of the article that we add to the list, just to be sure we always have a copy.
To contribute, you can either:
- Fork, add the report, and send in a pull request; or
- Open an issue with the data you want to be added.
Adding data:
- Add a link to the public document to README.md page.
- Add the PDF file to the appropriate year. If the document is only available in HTML, print a "clean" version (e.g. with Readability, Clearly, or similar) to PDF and add that.
Thanks to the contributors for helping with the project!
The papers section contains historical documents.
- Aug 10 - Russian Invasion of Georgia Russian Cyberwar on Georgia (OFFLINE)
- Oct 02 - How China will use cyber warfare to leapfrog in military competitiveness
- Nov 04 - China's Electronic Long-Range Reconnaissance
- Nov 19 - Agent.BTZ
- Jan 18 - Impact of Alleged Russian Cyber Attacks
- Mar 29 - Tracking GhostNet
- Jan 12 - Operation Aurora
- Jan 13 - The Command Structure of the Aurora Botnet - Damballa
- Jan 20 - McAfee Labs: Combating Aurora
- Jan 27 - Operation Aurora Detect, Diagnose, Respond (OFFLINE)
- Jan ?? - Case Study: Operation Aurora - Triumfant (OFFLINE)
- Feb 10 - HB Gary Threat Report: Operation Aurora
- Feb 24 - How Can I Tell if I Was Infected By Aurora? (IOCs) (OFFLINE)
- Mar 14 - In-depth Analysis of Hydraq (OFFLINE)
- Apr 06 - Shadows in the cloud: Investigating Cyber Espionage 2.0
- Sep 03 - The "MSUpdater" Trojan And Ongoing Targeted Attacks
- Sep 30 - W32.Stuxnet Dossier
- Dec 09 - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability
- Feb 10 - Global Energy Cyberattacks: Night Dragon
- Feb 18 - Night Dragon Specific Protection Measures for Consideration
- Apr 20 - Stuxnet Under the Microscope
- Aug 04 - Operation Shady RAT
- Aug 02 - Operation Shady rat : Vanity
- Aug 03 - HTran and the Advanced Persistent Threat
- Sep 09 - The RSA Hack
- Sep 11 - SK Hack by an Advanced Persistent Threat
- Sep 22 - The "LURID" Downloader
- Oct 12 - Alleged APT Intrusion Set: "1.php" Group
- Oct 26 - Duqu Trojan Questions and Answers
- Oct 31 - The Nitro Attacks: Stealing Secrets from the Chemical Industry
- Dec 08 - Palebot trojan harvests Palestinian online credentials
- Jan 03 - The HeartBeat APT
- Feb 03 - Command and Control in the Fifth Domain
- Feb 29 - The Sin Digoo Affair
- Mar 12 - Crouching Tiger, Hidden Dragon, Stolen Data
- Mar 13 - Reversing DarkComet RAT's crypto
- Mar 26 - Luckycat Redux
- Apr 10 - Anatomy of a Gh0st RAT
- Apr 16 - OSX.SabPub & Confirmed Mac APT attacks
- May 18 - Analysis of Flamer C&C Server
- May 22 - IXESHE An APT Campaign
- May 31 - sKyWIper (Flame/Flamer)
- Jul 10 - Advanced Social Engineering for the Distribution of LURK Malware
- Jul 11 - Wired article on DarkComet creator
- Jul 27 - The Madi Campaign
- Aug 09 - Gauss: Abnormal Distribution
- Sep 06 - The Elderwood Project
- Sep 07 - IEXPLORE RAT
- Sep 12 - The VOHO Campaign: An in depth analysis
- Sep 18 - The Mirage Campaign
- Oct 08 - Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT
- Oct 27 - Trojan.Taidoor: Targeting Think Tanks
- Nov 01 - RECOVERING FROM SHAMOON
- Nov 03 - Systematic cyber attacks against Israeli and Palestinian targets going on for a year
- Jan 14 - The Red October Campaign
- Jan 14 - Red October Diplomatic Cyber Attacks Investigation
- Jan 18 - Operation Red October
- Feb 12 - Targeted cyber attacks: examples and challenges ahead
- Feb 18 - Mandiant APT1 Report
- Feb 22 - Comment Crew: Indicators of Compromise
- Feb 26 - Stuxnet 0.5: The Missing Link
- Feb 27 - The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
- Feb 27 - Miniduke: Indicators v1
- Mar 13 - You Only Click Twice: FinFisher’s Global Proliferation
- Mar 17 - Safe: A Targeted Threat
- Mar 20 - Dissecting Operation Troy
- Mar 20 - The TeamSpy Crew Attacks
- Mar 21 - Darkseoul/Jokra Analysis And Recovery
- Mar 27 - APT1: technical backstage (Terminator/Fakem RAT)
- Mar 28 - TR-12 - Analysis of a PlugX malware variant used for targeted attacks
- Apr 01 - Trojan.APT.BaneChant
- Apr 13 - "Winnti" More than just a game
- Apr 24 - Operation Hangover
- May ?? - Operation Hangover
- May 30 - TR-14 - Analysis of a stage 3 Miniduke malware sample
- Jun ?? - The Chinese Malware Complexes: The Maudi Surveillance Operation
- Jun 01 - Crude Faux: An analysis of cyber conflict within the oil & gas industries
- Jun 04 - The NetTraveller (aka 'Travnet')
- Jun 07 - KeyBoy, Targeted Attacks against Vietnam and India
- Jun 18 - Trojan.APT.Seinup Hitting ASEAN
- Jun 21 - A Call to Harm: New Malware Attacks Target the Syrian Opposition
- Jun 28 - njRAT Uncovered
- Jul 09 - Dark Seoul Cyber Attack: Could it be worse?
- Jul 15 - PlugX revisited: "Smoaler"
- Jul 31 - Secrets of the Comfoo Masters
- Jul 31 - Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio,Elirks), video
- Aug ?? - Operation Hangover - Unveiling an Indian Cyberattack Infrastructure
- Aug ?? - APT Attacks on Indian Cyber Space
- Aug 02 - Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
- Aug 02 - Surtr: Malware Family Targeting the Tibetan Community
- Aug 19 - ByeBye Shell and the targeting of Pakistan
- Aug 21 - POISON IVY: Assessing Damage and Extracting Intelligence
- Aug 23 - Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
- Sep ?? - Feature: EvilGrab Campaign Targets Diplomatic Agencies
- Sep 11 - The "Kimsuky" Operation
- Sep 13 - Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
- Sep 17 - Hidden Lynx - Professional Hackers for Hire
- Sep 25 - The 'ICEFROG' APT: A Tale of cloak and three daggers
- Sep 30 - World War C: State of affairs in the APT world
- Oct 24 - Terminator RAT or FakeM RAT
- Nov 10 - Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
- Nov 11 - Supply Chain Analysis
- Dev 02 - njRAT, The Saga Continues
- Dec 11 - Operation "Ke3chang"
- Dec 20 - ETSO APT Attacks Analysis
- ??? ?? - Deep Panda (OFFLINE)
- ??? ?? - Detecting and Defeating the China Chopper Web Shell
- Jan 06 - PlugX: some uncovered points
- Jan 13 - Targeted attacks against the Energy Sector
- Jan 14 - The Icefog APT Hits US Targets With Java Backdoor
- Jan 15 - “New'CDTO:'A'Sneakernet'Trojan'Solution
- Jan 21 - Shell_Crew (Deep Panda)
- Jan 31 - Intruder File Report- Sneakernet Trojan
- Feb 11 - Unveiling "Careto" - The Masked APT
- Feb 13 - Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
- Feb 19 - The Monju Incident
- Feb 19 - XtremeRAT: Nuisance or Threat?
- Feb 20 - Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
- Feb 20 - Mo' Shells Mo' Problems - Deep Panda Web Shells
- Feb 23 - Gathering in the Middle East, Operation STTEAM
- Feb 28 - Uroburos: Highly complex espionage software with Russian roots
- Mar 06 - The Siesta Campaign
- Mar 07 - Snake Campaign & Cyber Espionage Toolkit
- Mar 08 - Russian spyware Turla
- Apr 26 - CVE-2014-1776: Operation Clandestine Fox
- May 13 - Operation Saffron Rose (aka Flying Kitten)
- May 13 - CrowdStrike's report on Flying Kitten
- May 20 - Miniduke Twitter C&C
- May 21 - RAT in jar: A phishing campaign using Unrecom
- Jun 06 - Illuminating The Etumbot APT Backdoor (APT12)
- Jun 09 - Putter Panda
- Jun 20 - Embassy of Greece Beijing
- Jun 30 - Dragonfly: Cyberespionage Attacks Against Energy Suppliers
- Jun 10 - Anatomy of the Attack: Zombie Zero
- Jul 07 - Deep Pandas
- Jul 10 - TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos
- Jul 11 - Pitty Tiger
- Jul 20 - Sayad (Flying Kitten) Analysis & IOCs
- Jul 31 - Energetic Bear/Crouching Yeti
- Jul 31 - Energetic Bear/Crouching Yeti Appendix
- Aug 04 - Sidewinder Targeted Attack Against Android
- Aug 05 - Operation Arachnophobia
- Aug 06 - Operation Poisoned Hurricane
- Aug 07 - The Epic Turla Operation Appendix
- Aug 12 - New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)
- Aug 13 - A Look at Targeted Attacks Through the Lense of an NGO
- Aug 18 - The Syrian Malware House of Cards
- Aug 20 - El Machete
- Aug 25 - Vietnam APT Campaign
- Aug 27 - NetTraveler APT Gets a Makeover for 10th Birthday
- Aug 27 - North Korea’s cyber threat landscape
- Aug 28 - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
- Aug 29 - Syrian Malware Team Uses BlackWorm for Attacks
- Sep 03 - Darwin’s Favorite APT Group (APT12)
- Sep 04 - Forced to Adapt: XSLCmd Backdoor Now on OS X
- Sep 04 - Gholee – a “Protective Edge” themed spear phishing campaign
- Sep 08 - Targeted Threat Index: Characterizingand Quantifying Politically-MotivatedTargeted Malware video
- Sep 08 - When Governments Hack Opponents: A Look at Actors and Technology video
- Sep 10 - Operation Quantum Entanglement
- Sep 17 - Chinese intrusions into key defense contractors
- Sep 18 - COSMICDUKE: Cosmu with a twist of MiniDuke
- Sep 19 - Watering Hole Attacks using Poison Ivy by "th3bug" group
- Sep 23 - Ukraine and Poland Targeted by BlackEnergy (video)
- Sep 26 - Aided Frame, Aided Direction (Sunshop Digital Quartermaster)
- Sep 26 - BlackEnergy & Quedagh
- Oct 03 - New indicators for APT group Nitro
- Oct 09 - Democracy in Hong Kong Under Attack
- Oct 14 - ZoxPNG Preliminary Analysis
- Oct 14 - Hikit Preliminary Analysis
- Oct 14 - Derusbi Preliminary Analysis
- Oct 14 - Group 72 (Axiom)
- Oct 14 - Sandworm - CVE-2104-4114
- Oct 20 - OrcaRAT - A whale of a tale
- Oct 22 - Operation Pawn Storm: The Red in SEDNIT
- Oct 22 - Sofacy Phishing by PWC
- Oct 23 - Modified Tor Binaries
- Oct 24 - LeoUncia and OrcaRat
- Oct 27 - Full Disclosure of Havex Trojans - ICS Havex backdoors
- Oct 27 - ScanBox framework – who’s affected, and who’s using it?
- Oct 27 - Micro-Targeted Malvertising via Real-time Ad Bidding
- Oct 28 - APT28 - A Window Into Russia's Cyber Espionage Operations
- Oct 28 - Group 72, Opening the ZxShell
- Oct 30 - The Rotten Tomato Campaign
- Oct 31 - Operation TooHash
- Nov 03 - New observations on BlackEnergy2 APT activity
- Nov 03 - Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement
- Nov 10 - The Darkhotel APT - A Story of Unusual Hospitality
- Nov 11 - The Uroburos case- Agent.BTZ’s successor, ComRAT
- Nov 12 - Korplug military targeted attacks: Afghanistan & Tajikistan
- Nov 13 - Operation CloudyOmega: Ichitaro 0-day targeting Japan
- Nov 14 - OnionDuke: APT Attacks Via the Tor Network
- Nov 14 - Roaming Tiger (Slides)
- Nov 20 - EvilBunny: Suspect #4
- Nov 21 - Operation Double Tap | IOCs
- Nov 23 - Symantec's report on Regin
- Nov 24 - Kaspersky's report on The Regin Platform
- Nov 24 - [TheIntercept's report on The Regin Platform] (https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/)
- Nov 24 - Deep Panda Uses Sakula Malware
- Nov 30 - FIN4: Stealing Insider Information for an Advantage in Stock Trading?
- Dec 02 - Operation Cleaver | IOCs
- Dec 03 - Operation Cleaver: The Notepad Files
- Dec 08 - The 'Penquin' Turla
- Dec 09 - The Inception Framework
- Dec 10 - Cloud Atlas: RedOctober APT
- Dec 10 - W32/Regin, Stage #1
- Dec 10 - W64/Regin, Stage #1
- Dec 10 - South Korea MBR Wiper
- Dec 12 - Vinself now with steganography
- Dec 12 - Bots, Machines, and the Matrix
- Dec 17 - Wiper Malware – A Detection Deep Dive
- Dec 18 - Malware Attack Targeting Syrian ISIS Critics
- Dec 19 - TA14-353A: Targeted Destructive Malware (wiper)
- Dec 21 - Operation Poisoned Helmand
- Dec 22 - Anunak: APT against financial institutions
- Jan 11 - Hong Kong SWC attack
- Jan 12 - Skeleton Key Malware Analysis
- Jan 15 - Evolution of Agent.BTZ to ComRAT
- Jan 20 - Analysis of Project Cobra
- Jan 20 - Reversing the Inception APT malware
- Jan 22 - The Waterbug attack group
- Jan 22 - Scarab attackers Russian targets | IOCs
- Jan 22 - Regin's Hopscotch and Legspin
- Jan 27 - Comparing the Regin module 50251 and the "Qwerty" keylogger
- Jan 29 - Backdoor.Winnti attackers and Trojan.Skelky
- Jan 29 - Analysis of PlugX Variant - P2P PlugX
- Feb 02 - Behind the Syrian Conflict’s Digital Frontlines
- Feb 04 - Pawn Storm Update: iOS Espionage App Found
- Feb 10 - CrowdStrike Global Threat Intel Report for 2014
- Feb 16 - Equation: The Death Star of Malware Galaxy
- Feb 16 - The Carbanak APT
- Feb 16 - Operation Arid Viper
- Feb 17 - A Fanny Equation: "I am your father, Stuxnet"
- Feb 17 - Desert Falcons APT
- Feb 18 - Shooting Elephants
- Feb 18 - Babar: espionage software finally found and put under the microscope
- Feb 25 - PlugX goes to the registry (and India)
- Feb 25 - Southeast Asia: An Evolving Cyber Threat Landscape
- Feb 27 - The Anthem Hack: All Roads Lead to China
- Feb 24 - A deeper look into Scanbox
- Mar 05 - Casper Malware: After Babar and Bunny, Another Espionage Cartoon
- Mar 06 - Animals in the APT Farm
- Mar 06 - Is Babar a Bunny?
- Mar 10 - Tibetan Uprising Day Malware Attacks
- Mar 11 - Inside the EquationDrug Espionage Platform
- Mar 19 - Rocket Kitten Showing Its Claws: Operation Woolen-GoldFish and the GHOLE campaign
- Mar 31 - Volatile Cedar – Analysis of a Global Cyber Espionage Campaign