Admin@338, also known as Temper Panda, is a China-based cyber threat group. This APT group has been active since at least 2014 and is primarily involved in information theft and espionage 🕵️. They have a history of using newsworthy events as lures to deliver malware 💻. Their targets have largely been organizations involved in financial 💰, economic 📈, and trade policy 🌐. The group has shown a particular interest in political and economic issues in Hong Kong 🇭🇰 and China 🇨🇳, targeting Hong Kong media companies 📰 and pro-democracy movements 🗳️.
The primary motivation of Admin@338 appears to be espionage 📄, with a focus on collecting sensitive information 📊 from targeted organizations 🏢. Their activities suggest an intent to gather intelligence related to financial, economic, and trade policies, as well as political movements 🗳️, especially those related to Hong Kong's pro-democracy activities.
Admin@338 is known by several aliases 🏷️, including Temper Panda 🐼, Team338, and Magnesium. These names have been attributed to the group by various cybersecurity organizations and researchers.
The group is believed to be based in China 🇨🇳.
Admin@338 was first observed in 2014 📆.
The group has been observed targeting sectors such as Defense 🛡️, Financial 💼, Government 🏛️, Media 📺, and Think Tanks 🧠. Geographically, their activities have been primarily focused on Hong Kong 🇭🇰 and the USA 🇺🇸.
Tools Used:
Admin@338 has used a variety of tools in their operations, including but not limited to:
Their use of these tools demonstrates a capability to employ both publicly available RATs and sophisticated, non-public backdoors for their operations.
The Admin@338 APT group, identified in the MITRE ATT&CK framework as G0018, employs a range of sophisticated techniques in their cyber operations. Here's a detailed look at some of the key techniques used by this group:
The Admin@338 APT group, as identified in the MITRE ATT&CK framework, uses a variety of software tools in their cyber operations. Here's a summary of the key software tools and the associated techniques they employ:
In summary, Admin@338 is a sophisticated cyber espionage group, primarily focused on political and economic intelligence gathering, with a strategic emphasis on targets in Hong Kong and the United States. Their operations, marked by a diverse array of cyber tools and techniques, underscore their significant role in the realm of cyber threats and espionage, and their ability to infiltrate, explore, and extract valuable information from their targets.
Ajax Security Team (AST), active since at least 2010, is a cyber threat group believed to be operating out of Iran 🇮🇷. Initially known for website defacement operations, by 2014, AST transitioned to malware-based cyber espionage campaigns 💻. Their primary targets have been the US defense industrial base 🛡️ and Iranian users of anti-censorship technologies 🌐. The group is notably associated with Operation Saffron Rose.
Ajax Security Team's shift from website defacement to cyber espionage indicates a strategic evolution in their objectives 📄. Their focus on the US defense industry 🏢 and anti-censorship users in Iran 🇮🇷 suggests motivations rooted in political and strategic espionage, likely aimed at gaining intelligence 🕵️ and exerting control over information flow 🌐.
Apart from Ajax Security Team, the group is associated with several other names 🏷️, including Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, and Operation Saffron Rose. These aliases reflect the diverse nature of their operations and campaigns.
The group is believed to be based in Iran 🇮🇷, aligning with their targeting patterns and the geopolitical interests reflected in their activities 🌐.
AST's activities date back to at least 2010 📆, marking over a decade of their presence in the cyber threat landscape.
Ajax Security Team has conducted operations against the US defense industry 🛡️ and energy sectors of Middle Eastern countries 🏭, including corporations like Saudi Aramco and Qatar's RasGas. Their shift to more sophisticated cyber espionage tactics marks a significant evolution in their operational capabilities 🌐.
Tools Used:
In summary, the Ajax Security Team employs a combination of custom-developed malware and well-known exploitation tools to conduct their cyber espionage activities. Their techniques range from sophisticated phishing operations to keylogging and exploiting web application vulnerabilities, demonstrating their capability to adapt and employ various methods for intelligence gathering and system compromise.
ALLANITE, also known as Palmetto Fusion, is a cyber espionage group that focuses on accessing business and industrial control system (ICS) networks 🏭. The group conducts reconnaissance 🕵️ and gathers intelligence, particularly in the United States 🇺🇸 and United Kingdom 🇬🇧 electric utility sectors ⚡. ALLANITE's operations are characterized by their focus on understanding operational environments and developing capabilities that could potentially disrupt electric utilities. However, their activities have so far been limited to information gathering without demonstrating any disruptive or damaging capabilities. The group is known for conducting malware-less operations 🦠, relying primarily on legitimate tools already available in the Windows operating system 💻.
The primary motivation of ALLANITE appears to be espionage 📄, with a specific interest in the electric utility sector ⚡. Their activities suggest an intent to understand and potentially develop capabilities to disrupt operations in this sector. The group's focus on maintaining access to ICS networks indicates a strategic interest in the operational aspects of electric utilities.
ALLANITE is also known as Palmetto Fusion 🏷️.
ALLANITE is a suspected Russian 🇷🇺 cyber espionage group.
ALLANITE has been active at least since May 2017 📆, as reported by the industrial cybersecurity firm Dragos.
ALLANITE has primarily targeted the electric utility sector within the United States 🇺🇸 and the United Kingdom 🇬🇧. Their tactics and techniques are reportedly similar to those of the Dragonfly group 🌐.
ALLANITE uses email phishing campaigns and compromised websites, known as watering holes, to steal credentials and gain access to target networks. This includes collecting and distributing screenshots of industrial control systems. The group conducts operations without relying on traditional malware, instead using legitimate tools available in the Windows operating system. There are no specific malware families currently associated with ALLANITE.
Techniques used by ALLANITE:
These techniques demonstrate ALLANITE's sophisticated approach to cyber espionage, focusing on stealth and the effective use of social engineering and legitimate credentials to infiltrate and gather intelligence from critical infrastructure sectors. Their methods underscore the importance of robust cybersecurity measures in protecting against such advanced threat actors.
Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. The group is primarily focused on conducting destructive attacks against South Korean government agencies 🏛️, military organizations ⚔️, and various domestic companies 🏢. Additionally, Andariel has engaged in cyber financial operations targeting ATMs 💰, banks 🏦, and cryptocurrency exchanges 🪙. Their notable activities include Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. Andariel is considered a subset of the Lazarus Group 🕵️‍♂️ and is attributed to North Korea's Reconnaissance General Bureau 🏢. It's important to note that North Korean group definitions often overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking individual clusters or subgroups.
Andariel's operations are motivated by both political and financial objectives. Their attacks against South Korean entities are likely driven by geopolitical tensions between North and South Korea 🌏. The cyber financial operations suggest a motive of financial gain 💸, particularly through attacks on financial institutions and cryptocurrency platforms.
Andariel is primarily known by this name but is also recognized as a subset of the Lazarus Group 🏷️.
Andariel is a North Korean state-sponsored group 🇰🇵.
The group has been active since at least 2009 📆.
Andariel has been observed targeting South Korean government agencies, military organizations, domestic companies, ATMs, banks, and cryptocurrency exchanges 🏛️⚔️🏢💰🏦🪙. Their operations have included both destructive attacks and cyber financial crimes.
Specific tools used by Andariel were not detailed in the provided source. However, given their affiliation with the Lazarus Group and the nature of their operations, it is likely that they use a range of sophisticated cyber tools and techniques for both destructive attacks and financial theft 💻.
In summary, Andariel's cyber operations are characterized by a diverse range of sophisticated techniques and software tools. These include exploiting vulnerabilities, conducting spearphishing campaigns, using steganography for obfuscation, and employing RATs like gh0st RAT and Rifdoor. Their approach demonstrates a high level of sophistication and adaptability in executing cyber espionage and cyber warfare activities.
Aoqin Dragon is a cyber espionage group suspected to be of Chinese origin 🇨🇳. Active since at least 2013, they have primarily targeted government 🏛️, education 🎓, and telecommunication organizations 📡 in Australia 🇦🇺, Cambodia 🇰🇭, Hong Kong 🇭🇰, Singapore 🇸🇬, and Vietnam 🇻🇳. The group is known for its sophisticated cyber operations, focusing on espionage 🕵️‍♂️ and information theft 💼. Aoqin Dragon is noted for its use of document exploits 📄 and fake removable devices, such as USB drives 🖇️, for initial access into target systems.
The primary motivation of Aoqin Dragon appears to be espionage 🕵️‍♂️, with a focus on collecting sensitive information 📰 from targeted organizations. Their activities suggest an intent to gather intelligence related to government, education, and telecommunication sectors 📚📡 in Southeast Asia and Australia.
Aoqin Dragon is also potentially associated with UNC94, based on similarities in malware, infrastructure, and targets 🏷️.
The group is believed to be based in China 🇨🇳.
Aoqin Dragon has been active since at least 2013 📆.
The group has targeted a variety of sectors, with a particular focus on government, education, and telecommunication organizations 🏛️🎓📡 in Southeast Asia and Australia. Their operations are characterized by the use of sophisticated cyber techniques and tools 💻.
Aoqin Dragon employs a range of tools in their operations, including document exploits 📄 and fake removable devices like USB drives 🖇️. These tools are used for initial access and subsequent operations within the target networks 🏢💼.
Aoqin Dragon: Techniques and Software
Techniques Used by Aoqin Dragon:
Software Used by Aoqin Dragon:
Aoqin Dragon's use of these techniques and software tools demonstrates their sophisticated approach to cyber espionage. They leverage a variety of methods to infiltrate, explore, and extract valuable information from their targets, showcasing their adeptness in navigating and exploiting digital environments for espionage purposes.
APT-C-36, also known as Blind Eagle, is an Advanced Persistent Threat (APT) group suspected to originate from South America. Since April 2018, they have been actively targeting Colombian government institutions and significant corporations in the financial sector, petroleum industry, professional manufacturing, and others.
The primary motivation of APT-C-36 appears to be espionage and intelligence gathering, focusing on government and corporate entities. Their consistent targeting of specific sectors suggests a strategic intent to collect sensitive information for political or economic advantage.
The diverse functionality of Imminent Monitor, a remote access trojan used by APT-C-36, enables the group to conduct comprehensive espionage operations, ranging from data theft to surveillance. Its ability to remain undetected and manipulate system processes makes it a potent tool for cyber espionage campaigns.
APT1, also known as Comment Crew or Comment Group, is a cyber espionage group believed to be associated with the Chinese military. This group is known for its sophisticated cyber operations and has been implicated in numerous cyber espionage campaigns targeting a wide range of industries and government entities around the world. 🕵️‍♂️💼🏢🌍
APT1's primary motivation appears to be cyber espionage, with a focus on intellectual property theft and gaining strategic advantages in various industries. Their activities suggest an intent to gather sensitive information for economic and political gain. 💻💰📈📊🏭🏛️
APT1 is also known as Comment Crew or Comment Group. These names have been attributed to the group by various cybersecurity organizations and researchers. 📝👥
The group is believed to be based in China. 🇨🇳
APT1 has been active for several years, but their activities gained significant attention in 2013 following a detailed report by Mandiant, a cybersecurity firm. 📆🔍
APT1 has targeted a broad range of corporations and government entities around the world, with a particular focus on English-speaking countries. Their targets span various industries, including information technology, telecommunications, aerospace, public administration, and others. 🎯🌐🚀📡
In summary, APT1 utilized a wide array of techniques and software tools, ranging from basic command-line utilities to sophisticated malware and credential dumping tools. Their operations demonstrate a high level of sophistication and a broad capability to infiltrate, explore, and exfiltrate data from targeted systems.
APT12, also known as IXESHE, Numbered Panda, and Group 22, is a threat actor primarily targeting organizations in Japan, Taiwan, and other parts of East Asia. Their activities mainly focus on espionage and have been directed towards electronics manufacturers and telecommunications companies. 🏢🌏📡💼
The primary motivation of APT12 is espionage. They have been involved in extensive cyber espionage campaigns, targeting sensitive information from various organizations. 🕵️‍♂️💻🔍
APT12 is known by several aliases:
APT12 is believed to be based in China. 🇨🇳
The group has been active for several years, with notable activities traced back to at least 2013. 📆🔍
APT12 has conducted numerous spear-phishing attacks and has been associated with various malware families, including:
APT12's use of diverse techniques and sophisticated software highlights their capability to conduct complex cyber espionage operations. Their methods include exploiting software vulnerabilities, spearphishing, and utilizing advanced malware, all aimed at infiltrating target networks and exfiltrating sensitive information.
APT16 is a China-based threat group known for spearphishing campaigns targeting organizations primarily in Japan and Taiwan. The group's activities focus on government, financial services, media, and high technology industry sectors. APT16 is believed to be closely aligned with Chinese nation-state activities.
The primary motivation of APT16 appears to be espionage, gathering intelligence from targeted sectors and organizations that align with the interests of the Chinese state.
APT16 is based in China.
APT16 has been responsible for:
APT17, also known as Deputy Dog and Axiom, is a China-based threat actor group. It is sponsored by the Chinese Ministry of State Security and has conducted malicious attacks against government and industry within the United States. APT17 targets various industry sectors, including mining, legal, information technology, and the defense industry. The group is known for using sophisticated techniques, including leveraging Microsoft's TechNet blog for command-and-control operations by creating bogus profiles and posting encoded command-and-control (C2) information within technical forums. This method, known as "hiding in plain sight," helps obfuscate their infrastructure and makes detection less likely.
APT17 primarily engages in espionage activities. They target U.S. government entities, the defense industrial base, law firms, information technology companies, resource extraction companies, and non-governmental organizations. Their operations are believed to be carried out on-demand for the Jinan bureau of the Chinese Ministry of State Security.
These techniques and tools reflect APT17's sophisticated approach to cyber espionage, emphasizing stealth and long-term access to targeted networks.
APT18, also known as Dynamite Panda, Threat Group-0416, Wekby, and Scandium, is a Chinese nation-state-aligned threat group. It has been active since approximately 2009 and is believed to be directly supported by the Chinese People’s Liberation Navy. APT18 has targeted a broad mix of industry sectors, including manufacturing, technology, government, healthcare, defense, telecommunications, and human rights groups, primarily focusing on organizations in North America, especially the United States.
The primary motivation of APT18 appears to be espionage and information theft. They have been involved in medical espionage, exfiltrating patient data from medical device databases, and stealing intellectual property rights, including advanced proprietary designs. Their activities seem to be aimed at advancing China's industries at the expense of U.S. industries.
APT18's techniques and software reflect a sophisticated approach to cyber espionage, leveraging a mix of custom tools and common administrative tools to maintain stealth and effectiveness in their operations.
APT19:
APT19, also known as Deep Panda, KungFu Kittens, and PinkPanther, is a cyber espionage group believed to be operating out of China. The group is known for its sophisticated cyber attacks targeting a variety of sectors, including government, defense, financial, and telecommunications.
APT19's primary motivation appears to be intelligence gathering and espionage, often targeting information that aligns with the Chinese government's interests. This includes sensitive political, economic, and military information.
APT19's operations demonstrate a high level of sophistication and a focus on stealth and persistence. Their use of a variety of techniques and software tools underscores their capability to conduct advanced cyber espionage campaigns.
APT28, also known as Fancy Bear, is a sophisticated and well-resourced cyber espionage group. It is believed to be associated with the Russian military intelligence agency GRU. This group has been active since at least the mid-2000s and is known for its advanced cyber capabilities.
APT28 primarily focuses on collecting intelligence in support of Russian political and military interests. The group has been involved in numerous high-profile cyber espionage campaigns, targeting government, military, security organizations, and other entities perceived as threats or of interest to the Russian government.
APT28's arsenal of techniques and software demonstrates their capability to conduct sophisticated cyber espionage operations. Their methods range from exploiting system vulnerabilities to sophisticated social engineering attacks, underlining the need for robust cybersecurity measures.
APT3, also known as UPS Team, Buckeye, Gothic Panda, and TG-0110, is a sophisticated cyber espionage group believed to be based in China. This group has been active since at least 2009 and is known for its advanced persistent threats (APT) targeting a variety of sectors worldwide, including government, defense, technology, and telecommunications.
APT3's primary motivation appears to be espionage, likely driven by national and economic interests. Their activities suggest an intent to gather intelligence and potentially steal intellectual property or sensitive government and military information.
APT3 is known by various aliases, including UPS Team, Buckeye, Gothic Panda, and TG-0110. These names have been attributed to the group by different cybersecurity organizations and researchers.
APT3 is believed to be operating out of China.
APT3 has been active since at least 2009.
APT3 has targeted a wide range of sectors, including government, defense, technology, and telecommunications, with a global focus. Their operations have been observed in multiple countries, indicating a broad and diverse set of targets.
APT3: Techniques and Software
Below is a detailed overview of the techniques and software used by APT3:
In summary, APT3 is a highly sophisticated group employing a wide range of techniques and custom software to conduct espionage and cyber operations. Their tactics demonstrate advanced capabilities in maintaining persistence, evading detection, and extracting sensitive information.
APT 30, also known as Override Panda, is a cyber espionage group suspected to be associated with the Chinese government. This group has been active since at least 2005 and is known for its decade-long operation focused predominantly on entities in Southeast Asia and India. APT 30 is notable for its sustained activity and regional focus, as well as its success in espionage despite maintaining relatively consistent tools, tactics, and infrastructure over a long period.
The primary objective of APT 30 appears to be data theft, particularly targeting government and commercial entities holding key political, economic, and military information about the region. Unlike many cyber threat groups, APT 30 does not seem to be motivated by financial gain, as they have not been observed targeting data that can be readily monetized, such as credit card data or bank transfer credentials. Instead, their tools are designed to identify and steal documents, showing an interest in documents that may be stored on air-gapped networks.
APT 30 is also known as Override Panda. The group has been identified under different names by various cybersecurity organizations.
APT 30 is suspected to be associated with the Chinese government, indicating that their operations are likely based in China.
APT 30 has been active since at least 2005, engaging in cyber espionage activities for over a decade.
APT 30 has shown a distinct interest in organizations and governments associated with the Association of Southeast Asian Nations (ASEAN), especially around the time of official ASEAN meetings. Their decoy documents often relate to Southeast Asia, India, border areas, and broader security and diplomatic issues. In addition to their focus on Southeast Asia and India, APT 30 has also targeted journalists reporting on issues considered focal points for the Chinese Communist Party, such as corruption, the economy, and human rights.
These techniques and tools demonstrate APT 30's capabilities in conducting targeted cyber espionage operations, particularly focused on information gathering, document theft, and exploiting user interactions to compromise systems.
APT32, also known as the OceanLotus Group, is a Vietnam-based threat group. It was founded in 2014 and has primarily targeted journalists, dissidents, large private enterprises, and government organizations in Southeast Asia. The group's activities have been concentrated within Vietnam, the Philippines, Cambodia, and Laos. APT32's operations often align with Vietnamese state interests, raising questions about potential nation-state sponsorship.
APT32's motivations appear to be closely aligned with Vietnamese state interests. They have targeted foreign corporations in key commercial sectors such as manufacturing, hospitality, and consumer products, which are significant to Vietnam's economy. Additionally, they have targeted network security and technology corporations, as well as dissidents and journalists, indicating a focus on both economic and political espionage.
APT32 is also known as the OceanLotus Group.
APT32 is based in Vietnam.
APT32 was first identified in 2014.
APT32 has been involved in various cyber espionage activities, including:
APT32's use of a wide range of sophisticated techniques and software demonstrates their capability to conduct complex cyber espionage operations. Their methods are diverse, covering everything from initial access and persistence to data exfiltration and covering their tracks.
Description:
APT33, a cyber espionage group, is known for its sophisticated cyber operations targeting a variety of sectors. Their activities primarily focus on espionage and data exfiltration, often targeting organizations in the aviation, energy, and government sectors. APT33 is recognized for its advanced techniques and persistent approach in cyber operations.
Motivation:
The primary motivation of APT33 appears to be espionage, with a strong focus on gathering sensitive information and intellectual property from targeted industries and government entities. Their activities suggest an intent to support national strategic objectives, likely for a state-sponsored purpose.
Names:
APT33 is also known by other monikers such as Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35. These aliases have been used by various cybersecurity organizations to describe the group's activities and operations.
Location:
APT33 is believed to be operating out of Iran.
First Seen:
The group has been active since at least 2013, engaging in numerous sophisticated cyber espionage campaigns.
Observed Activities:
APT33 has been observed targeting a wide range of sectors, including but not limited to aviation, energy, and government organizations. Their activities have been primarily focused on espionage and intellectual property theft.
APT33 Techniques and Software
APT33's techniques and software usage demonstrate a sophisticated and versatile approach to cyber espionage, leveraging a mix of custom tools and publicly available utilities to achieve their objectives.
APT37, also known as Reaper, is a cyber espionage group believed to be operating out of North Korea. It has been active since at least 2012, primarily targeting the public and private sectors in South Korea. By 2017, APT37 expanded its operations to include Japan, Vietnam, and the Middle East, focusing on a range of industries such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare.
APT37's activities are primarily driven by espionage objectives, likely in support of North Korean state interests. Their operations are characterized by a focus on gathering intelligence and potentially disrupting targets that are of strategic importance to North Korea.
APT37 is known by various aliases including Group 123, InkySquid, Operation Daybreak, Operation Erebus, Reaper Group, Red Eyes, Ricochet Chollima, ScarCruft, Venus 121, ATK4, G0067, and Moldy Pisces.
APT37 is believed to be based in North Korea.
The group has likely been active since at least 2012.
APT37 has expanded its targeting beyond the Korean peninsula since 2017, including Japan, Vietnam, and the Middle East.
APT37's diverse range of techniques and software tools highlights their capability to conduct sophisticated cyber espionage operations. Their focus on stealth and persistence, coupled with the use of custom tools, makes them a significant threat to their targets.
APT38 is a North Korean state-sponsored threat actor primarily targeting banks and financial institutions. It is believed to be directed by or part of the North Korean Reconnaissance General Bureau (RGB), an intelligence agency responsible for the state's covert operations. APT38 has targeted financial institutions, cryptocurrency entities, SWIFT system users and endpoints, and ATMs in over 35 countries.
APT38's primary motivation appears to be financial gain, specifically through sophisticated attacks on banks and financial systems worldwide. Their operations include large-scale heists, such as the $81 million theft from the Bank of Bangladesh in 2016.
APT38 is the primary name used to identify this group.
APT38 is associated with North Korea, operating under the guidance or part of the RGB.
The group has been active for several years, with notable attacks dating back to at least 2016.
APT38's activities include a wide range of cyberattacks against financial institutions. They have been responsible for significant financial thefts, including the Bank of Bangladesh heist in 2016 and attacks on Bancomext and Banco de Chile in 2018. Their methods involve sophisticated multi-stage attacks, including initial research, compromising targets through various means (like watering holes and exploiting vulnerabilities), conducting reconnaissance within the network, impacting SWIFT servers, exfiltrating funds, and covering their tracks by wiping disks and destroying logs.
APT38's sophisticated use of these techniques and software tools highlights their capability to conduct complex cyber operations, ranging from data theft and manipulation to system disruption and destruction.
APT39, also known as Chafer, Remix Kitten, Cobalt Hickman, TA454, and ITG07, is a cyber espionage group believed to be connected to the Iranian government. This group has been active since at least 2014 and is known for its focus on information theft and espionage. APT39's activities are primarily concentrated in the Middle East, but its targeting scope is global.
The APT39 designation was created to consolidate previous activities and methods attributed to this actor. Its activities largely align with those publicly referred to as "Chafer." The group leverages backdoors like SEAWEED and CACHEMONEY, along with a specific variant of the POWBAT backdoor. APT39's focus on the telecommunications and travel industries suggests an intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes, and create additional accesses and vectors to facilitate future campaigns. Government entity targeting implies a potential secondary intent to collect geopolitical data beneficial for nation-state decision-making.
The primary mission of APT39 appears to be tracking or monitoring targets of interest, collecting personal information, including travel itineraries, and gathering customer data from telecommunications firms.
APT39 is based in Iran and has been observed targeting various sectors, including Aviation, Engineering, Government, High-Tech, IT, Shipping and Logistics, Telecommunications, and Transportation. The countries targeted include Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, the UAE, the USA, and other parts of the Middle East.
APT39's operations demonstrate a high level of sophistication and a wide range of capabilities in cyber espionage, reflecting their advanced skill set in conducting complex cyber operations.
APT41, a highly sophisticated cyber threat group, is known for its dual espionage and cybercrime operations. This group, active since at least 2012, has been involved in a range of activities from intellectual property theft to financial gain. APT41's operations are characterized by their complexity and precision, often targeting healthcare, high-tech, telecommunications, higher education, video game, and travel industries.
The primary motivation of APT41 appears to be a combination of state-sponsored espionage activities and financially motivated operations. This dual intent is relatively unusual among threat groups: they engage in espionage to collect intelligence beneficial to the Chinese state while simultaneously pursuing personal financial interests.
APT41 is also known by other aliases, including Barium, Winnti, Wicked Panda, and Wicked Spider. These names reflect the diverse nature of their operations and the various sectors they target.
APT41 is believed to be based in China, with its activities aligning with Chinese state interests.
The group has been active since at least 2012, demonstrating a long history of sophisticated cyber operations.
APT41's operations have been observed worldwide, with a focus on industries that align with China's Five-Year economic development plans. They have targeted organizations globally, including those in the United States, United Kingdom, Germany, Japan, South Korea, and more.
Aquatic Panda
Aquatic Panda is a cyber threat group known for its sophisticated cyber operations. The group has been observed using a variety of techniques and tools to infiltrate and compromise target systems, often focusing on vulnerability scanning and data exfiltration.
The primary motivation of Aquatic Panda appears to be espionage, with activities aimed at acquiring sensitive information from targeted organizations. Their operations suggest a focus on intelligence gathering, which is typical of state-sponsored or state-affiliated cyber espionage groups.
Aquatic Panda is the primary name used to identify this group. However, like many cyber threat groups, they may operate under different aliases or be identified differently by various cybersecurity organizations.
The specific location of Aquatic Panda is not clearly stated in the available data. However, many cyber espionage groups operate from countries with significant state-sponsored cyber capabilities.
The exact date when Aquatic Panda was first observed is not provided in the MITRE ATT&CK database.
Aquatic Panda has been observed employing a range of cyber techniques, including active scanning for vulnerabilities, using PowerShell for command execution, and attempting to disable or modify endpoint detection and response (EDR) tools.
The Axiom cyber espionage group, identified in the MITRE ATT&CK framework as G0001, is a sophisticated and long-standing threat actor. Here is a detailed overview based on the information from the MITRE ATT&CK framework:
Axiom is a highly skilled and persistent cyber espionage group. They are known for their advanced techniques and have been involved in numerous high-profile cyber espionage campaigns. The group is adept at using a combination of custom-developed malware and publicly available tools to achieve their objectives.
The primary motivation of Axiom appears to be cyber espionage. Their activities are typically focused on stealing sensitive information from a variety of targets, which often include government, technology, and media sectors. The nature of their operations suggests a strong interest in gathering intelligence and conducting surveillance.
Axiom is tracked under the MITRE ATT&CK identifier G0001. Various cybersecurity organizations have identified and tracked the group under this designation.
The exact location of Axiom is not clearly defined, but they are believed to operate out of China.
The exact date of when Axiom was first observed is not specified in the available data.
Axiom has been involved in a wide range of activities, including acquiring infrastructure like DNS servers and virtual private servers, compressing and encrypting data before exfiltration, and using botnets. They have also been known to collect data from local systems and use steganography for hiding C2 communications.
Description:
BackdoorDiplomacy is a cyber espionage group known for its sophisticated cyber operations targeting diplomatic entities and telecommunication companies. The group is adept at exploiting public-facing applications and leveraging various sophisticated techniques to infiltrate and maintain presence in victim networks.
Motivation:
The primary motivation of BackdoorDiplomacy appears to be espionage, focusing on gathering sensitive information from diplomatic and telecommunication entities. Their activities are characterized by stealth and persistence, indicating a strategic interest in long-term intelligence gathering.
Names:
BackdoorDiplomacy is the primary name associated with this group. However, it's common for such groups to operate under multiple aliases or to be identified differently by various cybersecurity organizations.
Location:
The specific location of BackdoorDiplomacy is not clearly defined, but their targets often include entities in the Middle East and Africa, suggesting a possible regional focus.
First Seen:
The exact date of when BackdoorDiplomacy first emerged is not specified in the provided sources. However, their activities have been observed over several years, indicating a long-term operation.
Observed Activities:
BackdoorDiplomacy has been observed targeting diplomatic entities and telecommunication companies, exploiting vulnerabilities in public-facing applications, and conducting sophisticated cyber espionage operations.
Description:
BITTER is an advanced persistent threat (APT) group known for its targeted cyber espionage campaigns. The group is noted for its sophisticated use of malware and phishing techniques to infiltrate and compromise high-value targets.
Motivation:
The primary motivation of BITTER appears to be espionage, focusing on acquiring sensitive information from targeted organizations and individuals. Their activities suggest an intent to gather intelligence that could be of strategic or political value.
Names:
The group is primarily known as BITTER. However, like many APT groups, it may operate under different aliases or be referred to by different names in cybersecurity reports.
Location:
The specific location of BITTER is not clearly defined in the available information. APT groups often operate across international borders, making it challenging to pinpoint a precise location.
First Seen:
The exact date of when BITTER was first observed is not provided in the available sources. APT groups often operate for some time before being detected.
Observed:
BITTER has been observed using a variety of sophisticated techniques and tools in their operations. They have targeted organizations through spearphishing campaigns and have exploited vulnerabilities in software for initial access and escalation of privileges.
Description:
BlackOasis is a Middle Eastern threat group, believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. BlackOasis is associated with operations of a group known by Microsoft as Neodymium, although it's not confirmed if these names refer to the same group.
Motivation:
The primary motivation of BlackOasis is information theft and espionage.
Names:
BlackOasis is the name given by Kaspersky. There is a possible association with Neodymium, as identified by Microsoft, but it's not confirmed if these are aliases for the same group.
Location:
BlackOasis is based in the Middle East.
First Seen:
The group was first observed in 2015.
Observed Activities:
BlackOasis has targeted sectors including Media, Think Tanks, activists, and the UN. Geographically, their activities span across various countries including Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, Netherlands, Nigeria, Russia, Saudi Arabia, Tunisia, the UK, and others.
Description:
BlackTech is a suspected Chinese cyber espionage group that has been active since at least 2013. They primarily target organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, as well as the United States. BlackTech employs a combination of custom malware, dual-use tools, and 'living off the land' tactics to compromise networks in various sectors, including media, construction, engineering, electronics, and finance.
Motivation:
The group's primary motivation appears to be information theft and espionage. Their activities are focused on stealing technology and sensitive information from their targets.
Names:
Location:
China
First Seen:
2010
Observed:
BlackTech has been observed targeting sectors such as Construction, Financial, Government, Healthcare, Media, and Technology. Geographically, their activities have been focused on China, Hong Kong, Japan, Taiwan, and the USA.
Blue Mockingbird is a cyber threat group known for exploiting public-facing applications to gain initial access to victim networks. They have been observed using various techniques such as access token manipulation, command and scripting interpreter, and exploiting vulnerabilities in web applications.
The primary motivation of Blue Mockingbird appears to be resource hijacking, specifically for cryptocurrency mining. They use tools like XMRIG to mine cryptocurrency on victim systems.
The group is commonly referred to as Blue Mockingbird.
The specific location of Blue Mockingbird is not clearly identified in the available sources.
The exact date of when Blue Mockingbird was first observed is not provided in the available information.
Blue Mockingbird has been observed engaging in various malicious activities, including:
Bouncing Golf
Bouncing Golf, also known as Domestic Kitten, APT-C-50, and by its MITRE ATT&CK designation G0097, is a cyberespionage campaign primarily targeting Middle Eastern countries. This campaign is believed to be state-sponsored and originates from Iran. It has been active since at least 2016 and is known for its focus on information theft and espionage.
Chimera is a suspected China-based threat group 🇨🇳 that has been active since at least 2018 📅. This group is known for targeting the semiconductor industry in Taiwan 🏭 as well as obtaining data from the airline industry ✈️.
While the specific motivations of Chimera are not detailed in the provided text, their targeting of the semiconductor 🧬 and airline industries ✈️ suggests a focus on industrial espionage 🕵️‍♀️ and possibly intellectual property theft 🚨.
The group is primarily known as Chimera 🐉.
Chimera is suspected to be based in China 🇨🇳.
The group has been active since at least 2018 📅.
Chimera has been observed engaging in sophisticated cyber espionage activities 🖥️, particularly targeting the semiconductor industry in Taiwan 🏭 and the airline industry ✈️ for data exfiltration and possibly intellectual property theft 🚨.
No. | Technique | Description |
---|---|---|
1 | Account Discovery | Used net user for local and domain account discovery. |
2 | Application Layer Protocol | Utilized HTTPS and DNS for C2 communications. |
3 | Archive Collected Data | Employed gzip and modified RAR software for archiving data. |
4 | Automated Collection | Used custom DLLs for continuous data retrieval. |
5 | Browser Information Discovery | Executed commands for bookmark discovery. |
6 | Brute Force | Engaged in password spraying and credential stuffing attacks. |
7 | Command and Scripting Interpreter | Used PowerShell scripts and Windows Command Shell for execution. |
8 | Data from Information Repositories | Collected documents from SharePoint. |
9 | Data from Network Shared Drive | Retrieved data from network shares. |
10 | Data Staged | Staged stolen data locally and remotely. |
11 | Domain Trust Discovery | Used nltest to identify domain trust relationships. |
12 | Email Collection | Harvested data from local and remote email collections. |
13 | Exfiltration Over C2 Channel | Used Cobalt Strike C2 beacons for data exfiltration. |
14 | Exfiltration Over Web Service | Exfiltrated data to OneDrive accounts. |
15 | External Remote Services | Accessed external VPN, Citrix, SSH, and other services. |
16 | File and Directory Discovery | Identified data of interest in file and directory listings. |
17 | Gather Victim Identity Information | Collected credentials from previous breaches. |
18 | Hijack Execution Flow | Employed DLL side-loading. |
19 | Indicator Removal | Cleared event logs, performed file deletion, and used timestomp. |
20 | Ingress Tool Transfer | Remotely copied tools and malware onto targeted systems. |
21 | Lateral Tool Transfer | Copied tools between compromised hosts using SMB. |
22 | Masquerading | Renamed malware to mimic legitimate applications. |
23 | Modify Authentication Process | Altered NTLM authentication on domain controllers. |
24 | Multi-Factor Authentication Interception | Registered alternate phone numbers for 2FA interception. |
25 | Native API | Used direct Windows system calls. |
No. | Software Used |
---|---|
1 | BloodHound |
2 | Cobalt Strike |
3 | esentutl |
4 | Mimikatz |
5 | Net |
6 | PsExec |
Chimera's use of these software tools demonstrates their capabilities in conducting sophisticated cyber espionage operations, including credential theft, lateral movement, and data exfiltration.
Cleaver is a formidable threat group attributed to Iranian actors, responsible for the activities tracked as Operation Cleaver. The group is known for its sophisticated cyber operations and has been linked to Threat Group 2889 (TG-2889).
While the specific motivations of Cleaver are not detailed in the provided text, their advanced cyber operations suggest objectives aligned with state-sponsored espionage or intelligence gathering.
Cleaver is also associated with Threat Group 2889 (TG-2889).
Cleaver is attributed to Iranian actors.
The specific date when Cleaver was first observed is not provided in the provided text.
Cleaver has been observed employing a range of sophisticated techniques and tools for cyber operations, including ARP cache poisoning, creating customized tools and payloads, and establishing fake social media accounts. 🌐👁️‍🗨️🌐
No. | Tactic/Technique | Description |
---|---|---|
1 | Adversary-in-the-Middle: ARP Cache Poisoning | Cleaver has used custom tools for ARP cache poisoning. |
2 | Develop Capabilities: Malware | Created customized tools and payloads for various functions including encryption, credential dumping, and network interface sniffing. |
3 | Establish Accounts: Social Media Accounts | Created fake LinkedIn profiles with detailed information and connections. |
4 | Obtain Capabilities: Tool | Obtained and used open-source tools like PsExec, Windows Credential Editor, and Mimikatz. |
5 | OS Credential Dumping: LSASS Memory | Known for dumping credentials using Mimikatz and Windows Credential Editor. |
Cleaver's use of these software tools demonstrates their capabilities in conducting complex cyber operations, including credential theft, lateral movement, and maintaining access within targeted networks.
The Cobalt Group 🏦 is a financially motivated threat group that has been primarily targeting financial institutions since at least 2016. The group is known for conducting intrusions to steal money 💰 by targeting ATM systems 🏧, card processing 💳, payment systems 💸, and SWIFT systems 🌐. Cobalt Group has mainly targeted banks 🏛️ in Eastern Europe 🌍, Central Asia 🗺️, and Southeast Asia 🌏.
The primary motivation of the Cobalt Group is financial gain 💲, achieved through sophisticated cyber intrusions into banking systems 🏦 and financial infrastructure 💼.
Cobalt Group is also known as GOLD KINGSWOOD 👑, Cobalt Gang 🕴️, and Cobalt Spider 🕷️.
The specific location of the Cobalt Group is not mentioned 🌐, but they have targeted banks 🏛️ in Eastern Europe 🌍, Central Asia 🗺️, and Southeast Asia 🌏.
Cobalt Group has been active since at least 2016 📆.
The group has been observed conducting sophisticated cyberattacks on financial institutions, including ATM systems 🏧 and SWIFT systems 🌐. Despite the arrest of one of its alleged leaders in Spain 🇪🇸 in early 2018, the group remains active 🔒.
No. | Technique | Description |
---|---|---|
1 | Abuse Elevation Control Mechanism: Bypass User Account Control | Cobalt Group has bypassed UAC. |
2 | Application Layer Protocol: Web Protocols, DNS | Used HTTPS and DNS tunneling for C2. |
3 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Used Registry Run keys and Startup path for persistence. |
4 | Boot or Logon Initialization Scripts: Logon Script (Windows) | Added persistence via HKCU\Environment\UserInitMprLogonScript. |
5 | Command and Scripting Interpreter: PowerShell, Windows Command Shell, Visual Basic, JavaScript | Executed various scripting languages for malicious activities. |
6 | Create or Modify System Process: Windows Service | Created new services for persistence. |
7 | Encrypted Channel: Asymmetric Cryptography | Used Plink utility for SSH tunnels. |
8 | Exploitation for Client Execution | Exploited multiple vulnerabilities for execution. |
9 | Exploitation for Privilege Escalation | Used exploits to increase privileges. |
10 | Indicator Removal: File Deletion | Deleted DLL dropper to cover tracks. |
11 | Ingress Tool Transfer | Used public sites to upload and download files. |
12 | Inter-Process Communication: Dynamic Data Exchange | Sent malicious Word OLE compound documents. |
13 | Network Service Discovery | Leveraged SoftPerfect Network Scanner for scanning. |
14 | Obfuscated Files or Information: Command Obfuscation | Obfuscated scriptlets and code. |
15 | Obtain Capabilities: Tool | Obtained and used tools like Mimikatz, PsExec, Cobalt Strike, and SDelete. |
16 | Phishing: Spearphishing Attachment, Spearphishing Link | Sent spearphishing emails with various attachments and links. |
17 | Process Injection | Injected code into trusted processes. |
18 | Protocol Tunneling | Used Plink utility for SSH tunnels. |
19 | Remote Access Software | Used Ammyy Admin and TeamViewer for remote access. |
20 | Remote Services: Remote Desktop Protocol | Used RDP for lateral movement. |
21 | Scheduled Task/Job: Scheduled Task | Created Windows tasks for persistence. |
22 | Software Discovery: Security Software Discovery | Collected list of security solutions installed. |
23 | Supply Chain Compromise: Compromise Software Supply Chain | Compromised legitimate web browser updates. |
24 | System Binary Proxy Execution: CMSTP, Odbcconf, Regsvr32 | Used various system binaries for proxy execution. |
25 | User Execution: Malicious Link, Malicious File | Sent emails with malicious links and files. |
26 | XSL Script Processing | Used msxsl.exe to bypass AppLocker. |
No. | Tool | Purpose |
---|---|---|
1 | Cobalt Strike | Used for a variety of purposes including network discovery, process injection, and data exfiltration. |
2 | Mimikatz | Utilized for credential dumping and access token manipulation. |
3 | More_eggs | Employed for web protocol communication, command execution, and information discovery. |
4 | PsExec | Used for creating accounts, modifying system processes, and executing system services. |
5 | SDelete | Used for data destruction and file deletion. |
6 | SpicyOmelette | Utilized for command execution, phishing, and software discovery. |
Cobalt Group's use of these software tools demonstrates their focus on financial theft, maintaining access, privilege escalation, and lateral movement within targeted financial networks.
Confucius is a cyber espionage group primarily targeting military personnel 🎖️, high-profile personalities 👤, business persons 🕴️, and government organizations 🏛️ in South Asia 🌏 since at least 2013. The group is known for its custom malware code 💻 and targets, with noted similarities to the Patchwork group 🧩.
The primary motivation of Confucius appears to be espionage 🕵️, focusing on gathering sensitive information 📁 from military 🎖️, governmental 🏛️, and high-profile targets 👤 in South Asia 🌏.
Confucius is also referred to as Confucius APT 🏷️.
Confucius primarily targets entities in South Asia 🌏.
The group has been active since at least 2013 📆.
Confucius has been observed engaging in sophisticated cyber espionage activities, utilizing custom malware 💻 and various techniques 🛠️ to infiltrate and extract information 📜 from its targets 🎯.
No. | Technique | Description |
---|---|---|
1 | Acquire Infrastructure: Web Services | Obtained cloud storage service accounts to host stolen data. |
2 | Application Layer Protocol: Web Protocols | Used HTTP for C2 communications. |
3 | Automated Collection | Employed a file stealer to steal documents and images. |
4 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Dropped malicious files into the startup folder for persistence. |
5 | Command and Scripting Interpreter: PowerShell, Visual Basic | Executed PowerShell and VBScript for malicious activities. |
6 | Exfiltration Over C2 Channel | Exfiltrated stolen files to its C2 server. |
7 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfiltrated data to cloud storage service accounts. |
8 | Exploitation for Client Execution | Exploited Microsoft Office vulnerabilities for execution. |
9 | File and Directory Discovery | Used a file stealer to check specific folders for documents and images. |
10 | Ingress Tool Transfer | Downloaded additional files and payloads onto compromised hosts. |
11 | Phishing: Spearphishing Attachment, Spearphishing Link | Crafted and sent malicious attachments and links to gain initial access. |
12 | Scheduled Task/Job: Scheduled Task | Created scheduled tasks for persistence. |
13 | System Binary Proxy Execution: Mshta | Used mshta.exe to execute malicious VBScript. |
14 | System Information Discovery | Examined system drives for information. |
15 | Template Injection | Used weaponized Microsoft Word documents with embedded RTF exploits. |
16 | User Execution: Malicious Link, Malicious File | Lured victims to click on malicious links or execute malicious attachments. |
No. | Software | Purpose |
---|---|---|
1 | Hornbill | Used for various purposes including audio capture, data exfiltration, and screen capture. |
2 | Sunbird | Employed for audio capture, data exfiltration, and location tracking. |
3 | WarzoneRAT | Utilized for command execution, credential theft, and process injection. |
Confucius's use of these software tools demonstrates their capabilities in conducting targeted cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.
CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. The group has targeted various countries, including Israel 🇮🇱, Saudi Arabia 🇸🇦, Turkey 🇹🇷, the U.S. 🇺🇸, Jordan 🇯🇴, and Germany 🇩🇪. It is responsible for the campaign known as Operation Wilted Tulip 🌷.
The primary motivation of CopyKittens appears to be espionage 🕵️, focusing on gathering sensitive information 📄 from a range of international targets 🌍.
CopyKittens is the primary name used to identify this group 🏷️.
CopyKittens is an Iranian group 🇮🇷, targeting entities in countries such as Israel 🇮🇱, Saudi Arabia 🇸🇦, Turkey 🇹🇷, the U.S. 🇺🇸, Jordan 🇯🇴, and Germany 🇩🇪.
The group has been active since at least 2013 📆.
CopyKittens has been observed conducting cyber espionage activities 🌐, utilizing various techniques 🛠️ and tools 🖥️ to infiltrate and extract information 📜 from its targets 🎯.
No. | Technique | Description |
---|---|---|
1 | Archive Collected Data: Archive via Utility, Archive via Custom Method | Used ZPP to compress files with ZIP and encrypted data with a substitute cipher. |
2 | Command and Scripting Interpreter: PowerShell | Utilized PowerShell Empire for execution. |
3 | Hide Artifacts: Hidden Window | Concealed PowerShell windows using hidden flags. |
4 | Obtain Capabilities: Tool | Used tools such as Metasploit, Empire, and AirVPN. |
5 | Proxy | Employed the AirVPN service for operational activity. |
6 | Subvert Trust Controls: Code Signing | Digitally signed an executable with a stolen certificate. |
7 | System Binary Proxy Execution: Rundll32 | Used rundll32 to load various tools, including lateral movement tools and Cobalt Strike. |
No. | Software | Purpose |
---|---|---|
1 | Cobalt Strike | Employed for a variety of purposes including network discovery, process injection, and data exfiltration. |
2 | Empire | Utilized for command execution, credential dumping, and lateral movement. |
3 | Matryoshka | Used for DNS communication, keylogging, and screen capture. |
4 | TDTESS | Employed for command execution, process creation, and indicator removal. |
CopyKittens' use of these software tools demonstrates their capabilities in conducting targeted cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.
CURIUM is an Iranian threat group first reported in November 2021. The group is known for its unique approach of investing time to build relationships with potential targets via social media 📱 over several months. This method is used to establish trust and confidence before sending malware 💻. CURIUM demonstrates great patience and persistence, engaging in daily chats 💬 with potential targets and sending benign files 📁 to lower their security consciousness.
While the specific motivations of CURIUM are not detailed in the provided text, their methodical approach to targeting individuals suggests objectives aligned with espionage 🕵️ or intelligence gathering 📡.
CURIUM is the primary name used to identify this group 🏷️.
CURIUM is identified as an Iranian threat group 🇮🇷.
The group was first reported in November 2021 📆.
CURIUM has been observed using social engineering tactics 🎭, particularly through social media 📱, to engage with and eventually compromise targets. Their approach indicates a focus on individual targets rather than broad, indiscriminate campaigns 🎯.
No. | Tactic/Technique | Description |
---|---|---|
1 | Data from Local System | CURIUM has exfiltrated data from compromised machines. |
2 | Establish Accounts: Social Media Accounts | Established fictitious social media accounts, including on Facebook and LinkedIn, to build relationships with victims, often posing as an attractive woman. |
3 | Phishing: Spearphishing via Service | Used social media to deliver malicious files to victims. |
4 | User Execution: Malicious File | Lured users into opening malicious files delivered via social media. |
The specific software tools used by CURIUM are not detailed in the provided text. However, their tactics suggest the use of custom malware and social engineering tools designed to engage targets and deliver malicious payloads through social media platforms.
CURIUM's approach, focusing on establishing trust through social media interactions before deploying malicious payloads, highlights their methodical and patient strategy in cyber espionage operations.
Dark Caracal is a threat group attributed to the Lebanese General Directorate of General Security (GDGS). It has been operational since at least 2012 and is known for its global cyber-espionage campaigns 🌐.
While the specific motivations of Dark Caracal are not detailed in the provided text, the group's activities suggest a focus on espionage 🕵️, likely driven by national security 🛡️ or political interests 🗳️.
Dark Caracal is the primary name used to identify this group 🏷️.
Dark Caracal is attributed to the Lebanese General Directorate of General Security (GDGS) 🇱🇧.
The group has been active since at least 2012 📆.
Dark Caracal has been observed conducting cyber-espionage activities 🌐, utilizing various techniques 🛠️ to infiltrate systems, collect data 📈, and maintain persistence 🔒.
No. | Technique | Description |
---|---|---|
1 | Application Layer Protocol: Web Protocols | Used HTTP for C2 communications with Base64 encoded payloads. |
2 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Added a registry key for persistence. |
3 | Command and Scripting Interpreter: Windows Command Shell | Used macros in Word documents to download a second stage. |
4 | Data from Local System | Collected contents of the 'Pictures' folder from compromised Windows systems. |
5 | Drive-by Compromise | Leveraged a watering hole to serve up malicious code. |
6 | File and Directory Discovery | Collected file listings of all default Windows directories. |
7 | Obfuscated Files or Information | Obfuscated strings in Bandook. |
8 | Phishing: Spearphishing via Service | Spearphished victims via Facebook and WhatsApp. |
9 | Screen Capture | Took screenshots using their Windows malware. |
10 | System Binary Proxy Execution: Compiled HTML File | Leveraged a compiled HTML file to download and run an executable. |
11 | User Execution: Malicious File | Made malware appear like common file types to entice user interaction. |
No. | Software | Purpose |
---|---|---|
1 | Bandook | Used for various purposes including audio capture, data exfiltration, and screen capture. |
2 | CrossRAT | Employed for file and directory discovery and screen capture. |
3 | FinFisher | Utilized for privilege escalation, file discovery, and input capture. |
4 | Pallas | Used for audio capture, location tracking, and data exfiltration. |
Dark Caracal's use of these software tools demonstrates their capabilities in conducting sophisticated cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.
Darkhotel is a suspected South Korean threat group that has been active since at least 2004. The group is known for its cyber espionage operations 🌐 conducted via hotel Internet networks 🏨 against traveling executives 👨‍💼 and other select guests 🌐. Darkhotel has also engaged in spearphishing campaigns 🎣 and infected victims through peer-to-peer and file-sharing networks 📂.
While the specific motivations of Darkhotel are not detailed in the provided text, their targeting of executives 👔 and use of espionage tactics 🕵️ suggest motivations related to intelligence gathering 📡, possibly for economic 💰 or political 🗳️ advantage.
Darkhotel is also associated with the name DUBNIUM 🏷️.
Darkhotel is suspected to be based in South Korea 🇰🇷 and primarily targets victims in East Asia 🌏.
The group has been operational since at least 2004 📆.
Darkhotel has been observed conducting sophisticated cyber espionage activities 🌐, utilizing various techniques 🛠️ to infiltrate systems, collect data 📊, and maintain persistence 🔒.
No. | Technique | Description |
---|---|---|
1 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Established persistence by adding programs to the Run Registry key. |
2 | Command and Scripting Interpreter: Windows Command Shell | Dropped a shell script to download and execute files. |
3 | Deobfuscate/Decode Files or Information | Decrypted strings and imports using RC4, XOR, and RSA. |
4 | Drive-by Compromise | Used embedded iframes on hotel login portals for malware distribution. |
5 | Encrypted Channel: Symmetric Cryptography | Used AES-256 and 3DES for C2 communications. |
6 | Exploitation for Client Execution | Exploited Adobe Flash vulnerability for execution. |
7 | File and Directory Discovery | Searched for files with specific patterns. |
8 | Ingress Tool Transfer | Downloaded additional malware from C2 servers. |
9 | Input Capture: Keylogging | Employed keyloggers. |
10 | Masquerading: Match Legitimate Name or Location | Disguised malware as an SSH tool. |
11 | Obfuscated Files or Information | Obfuscated code using RC4, XOR, and RSA. |
12 | Phishing: Spearphishing Attachment | Sent spearphishing emails with malicious attachments. |
13 | Process Discovery | Collected a list of running processes. |
14 | Replication Through Removable Media | Modified executables on removable media for spreading. |
15 | Software Discovery: Security Software Discovery | Searched for anti-malware strings and processes. |
16 | Subvert Trust Controls: Code Signing | Used stolen or forged code-signing certificates. |
17 | System Information Discovery | Collected system information from compromised hosts. |
18 | System Network Configuration Discovery | Gathered IP address and network adapter information. |
19 | System Time Discovery | Obtained system time from compromised hosts. |
20 | Taint Shared Content | Propagated by infecting executables on shared drives. |
21 | User Execution: Malicious File | Lured users into clicking on malicious attachments. |
22 | Virtualization/Sandbox Evasion | Employed just-in-time decryption and system checks to evade detection. |
No. | Software | Purpose |
---|---|---|
1 | Bandook | Used for various purposes including audio capture, data exfiltration, and screen capture. |
2 | CrossRAT | Employed for file and directory discovery and screen capture. |
3 | FinFisher | Utilized for privilege escalation, file discovery, and input capture. |
4 | Pallas | Used for audio capture, location tracking, and data exfiltration. |
Darkhotel's use of these software tools demonstrates their capabilities in conducting targeted cyber espionage operations, including data theft, surveillance, and maintaining access within targeted networks.
DarkHydrus is a threat group that has been actively targeting government agencies 🏛️ and educational institutions 🎓 in the Middle East 🌍 since at least 2016. The group is known for heavily leveraging open-source tools 🛠️ and custom payloads 💾 to carry out its attacks.
While the specific motivations of DarkHydrus are not detailed in the provided text, their targeting of government 🏛️ and educational institutions 🎓 suggests objectives related to espionage 🕵️ or intelligence gathering 📡, possibly for political 🗳️ or strategic 🌐 purposes.
DarkHydrus is the primary name used to identify this group 🏷️.
DarkHydrus primarily targets entities in the Middle East 🌍.
The group has been active since at least 2016 📆.
DarkHydrus has been observed using a variety of techniques 🛠️ to infiltrate systems 💻, execute commands ⌨️, and exfiltrate data 📤, focusing on government agencies 🏛️ and educational institutions 🎓.
No. | Technique | Description |
---|---|---|
1 | Command and Scripting Interpreter: PowerShell | Leveraged PowerShell to download and execute additional scripts. |
2 | Forced Authentication | Used Template Injection to launch an authentication window for credential harvesting. |
3 | Hide Artifacts: Hidden Window | Concealed PowerShell windows. |
4 | Obtain Capabilities: Tool | Obtained and used tools like Mimikatz, Empire, and Cobalt Strike. |
5 | Phishing: Spearphishing Attachment | Sent spearphishing emails with malicious attachments, including password-protected RAR archives and Microsoft Office documents. |
6 | Template Injection | Used Phishery to inject malicious remote template URLs into Word documents. |
7 | User Execution: Malicious File | Required users to enable execution in Microsoft Excel for .iqy file download. |
No. | Software | Purpose |
---|---|---|
1 | Cobalt Strike | Used for various purposes including command execution, data encoding, and process injection. |
2 | Mimikatz | Employed for credential dumping and access token manipulation. |
3 | RogueRobin | Utilized for command execution, data encoding, and screen capture. |
DarkHydrus's use of these software tools demonstrates their capabilities in conducting sophisticated cyber espionage operations, including credential theft, surveillance, and maintaining access within targeted networks.
DarkVishnya is a financially motivated threat actor known for targeting financial institutions 🏦 in Eastern Europe 🌍. The group has been active in conducting sophisticated cyberattacks 🌐 against at least eight banks 🏛️ in the region during 2017-2018.
The primary motivation of DarkVishnya appears to be financial gain 💰, as evidenced by their focus on attacking financial institutions 🏦.
The group is known as DarkVishnya 🏷️.
DarkVishnya has primarily targeted financial institutions 🏦 in Eastern Europe 🌍.
The group's activities were first reported in 2017 📆.
DarkVishnya has been observed using a variety of techniques 🛠️ to infiltrate financial institutions 🏦, execute commands ⌨️, and potentially exfiltrate sensitive financial data 📈.
No. | Technique | Description |
---|---|---|
1 | Brute Force (T1110) | DarkVishnya used brute-force attacks to obtain login data. |
2 | Command and Scripting Interpreter: PowerShell (T1059.001) | Utilized PowerShell to create shellcode loaders. |
3 | Create or Modify System Process: Windows Service (T1543.003) | Created new services for distributing shellcode loaders. |
4 | Hardware Additions (T1200) | Employed devices like Bash Bunny, Raspberry Pi, netbooks, or inexpensive laptops to connect to local networks. |
5 | Network Service Discovery (T1046) | Performed port scanning to identify active services. |
6 | Network Share Discovery (T1135) | Scanned for public shared folders on the network. |
7 | Network Sniffing (T1040) | Used network sniffing techniques to obtain login data. |
8 | Non-Standard Port (T1571) | Utilized ports 5190, 7900, 4444, 4445, and 31337 for shellcode listeners and C2 communications. |
9 | Obtain Capabilities: Tool (T1588.002) | Acquired and used tools like Impacket, Winexe, and PsExec. |
10 | Remote Access Software (T1219) | Employed DameWare Mini Remote Control for lateral movement within networks. |
No. | Software | Purpose |
---|---|---|
1 | PsExec | Used for creating accounts, modifying system processes, lateral tool transfer, and executing system services. |
2 | Winexe | Utilized for executing system services. |
DarkVishnya's tactics and tools indicate a high level of sophistication in conducting targeted attacks against financial institutions, with a clear focus on gaining unauthorized access, conducting surveillance, and potentially facilitating financial fraud or theft.
Deep Panda is a sophisticated and suspected Chinese threat group 🇨🇳 known for targeting a wide range of industries, including government 🏛️, defense 🛡️, financial 💰, and telecommunications 📡 sectors. The group has been active for several years 📆 and is known for its advanced cyber espionage tactics 🌐.
Deep Panda's primary motivation appears to be cyber espionage 🕵️, gathering intelligence 📊 and sensitive information 📄 from targeted organizations 🎯 and government entities 🏛️.
Deep Panda is also known by several other names 🏷️, including Shell Crew 🐚, WebMasters 🌐, KungFu Kittens 🥋, PinkPanther 🐾, and Black Vine 🍇.
While the specific location of Deep Panda is not explicitly mentioned 🌏, it is suspected to be based in China 🇨🇳.
Deep Panda's activities have been observed for several years 📆, with significant operations noted as early as 2014.
Deep Panda has been observed targeting a variety of sectors 🏢 with sophisticated cyber espionage campaigns 🌐. The group's intrusion into the healthcare company Anthem 🏥 is one of its most notable operations.
No. | Technique | Description |
---|---|---|
1 | Command and Scripting Interpreter: PowerShell (T1059.001) | Used PowerShell scripts for downloading and executing programs in memory. |
2 | Event Triggered Execution: Accessibility Features (T1546.008) | Utilized the sticky-keys technique to bypass RDP login screens. |
3 | Hide Artifacts: Hidden Window (T1564.003) | Concealed PowerShell windows using the -w hidden parameter. |
4 | Obfuscated Files or Information: Indicator Removal from Tools (T1027.005) | Updated and modified malware to evade detection. |
5 | Process Discovery (T1057) | Employed Microsoft Tasklist utility for listing running processes. |
6 | Remote Services: SMB/Windows Admin Shares (T1021.002) | Used net.exe for connecting to network shares. |
7 | Remote System Discovery (T1018) | Utilized ping for identifying other machines of interest. |
8 | Server Software Component: Web Shell (T1505.003) | Deployed Web shells on public web servers. |
9 | System Binary Proxy Execution: Regsvr32 (T1218.010) | Executed server variant of Derusbi using regsvr32.exe. |
10 | Windows Management Instrumentation (T1047) | Used WMI for lateral movement. |
No. | Software | Purpose |
---|---|---|
1 | Derusbi | A multifunctional malware toolkit used for various malicious activities. |
2 | Mivast | Employed for autostart execution and credential dumping. |
3 | Net | Utilized for account discovery, network share discovery, and remote services. |
4 | Ping | Used for remote system discovery. |
5 | Sakula | A backdoor used for gaining persistent access and executing malicious activities. |
6 | StreamEx | Employed for command execution, registry modification, and information gathering. |
7 | Tasklist | Used for process and software discovery. |
Deep Panda's operations demonstrate a high level of sophistication and focus on long-term intelligence gathering. The group's use of advanced techniques and custom malware indicates a well-resourced and skilled adversary capable of conducting significant cyber espionage campaigns.
Dragonfly is a cyber espionage group attributed to Russia's Federal Security Service (FSB) Center 16 🇷🇺. Active since at least 2010, Dragonfly has targeted defense 🛡️ and aviation ✈️ companies, government entities 🏛️, companies related to industrial control systems 🏭, and critical infrastructure sectors 🏭🌐 worldwide. The group employs supply chain attacks ⛓️, spearphishing 🎣, and drive-by compromise attacks 🖥️ in its operations.
Dragonfly's primary motivation appears to be cyber espionage 🕵️, focusing on gathering intelligence 📈 and compromising critical infrastructure 🏭 for strategic advantage 🌍.
Dragonfly is also known by various aliases 🏷️, including TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, and Energetic Bear.
Dragonfly is believed to be operating out of Russia 🇷🇺.
The group has been active since at least 2010 📆.
Dragonfly has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors 🏢, particularly those related to national security 🛡️ and critical infrastructure 🏭.
No. | Technique | Description |
---|---|---|
1 | Account Discovery (T1087.002) | Used batch scripts for user enumeration on domain controllers. |
2 | Account Manipulation (T1098) | Added new accounts to administrators group for elevated access. |
3 | Acquire Infrastructure (T1583.001 & .003) | Registered domains and acquired VPS infrastructure for campaigns. |
4 | Active Scanning (T1595.002) | Scanned systems for vulnerable services. |
5 | Application Layer Protocol (T1071.002) | Used SMB for command and control (C2) communications. |
6 | Archive Collected Data (T1560) | Compressed data into .zip files for exfiltration. |
7 | Boot or Logon Autostart Execution (T1547.001) | Established persistence via Registry Run keys. |
8 | Brute Force (T1110 & .002) | Attempted to brute force credentials and used password cracking tools. |
9 | Command and Scripting Interpreter (T1059 & sub-techniques) | Utilized various scripting methods, including PowerShell, batch scripts, and Python for execution. |
10 | Compromise Infrastructure (T1584.004) | Compromised legitimate websites for C2 and malware hosting. |
11 | Create Account (T1136.001) | Created local accounts on victims. |
12 | Data from Local System (T1005) | Collected data from local systems. |
13 | Data Staged (T1074.001) | Staged data in specific directories for exfiltration. |
14 | Drive-by Compromise (T1189) | Used strategic web compromise with exploit kits. |
15 | Email Collection (T1114.002) | Accessed email accounts using Outlook Web Access. |
16 | Exploit Public-Facing Application (T1190) | Exploited vulnerabilities in public-facing applications. |
17 | Exploitation for Client Execution (T1203) | Exploited Adobe Flash Player vulnerability for execution. |
18 | Exploitation of Remote Services (T1210) | Exploited Windows Netlogon vulnerability. |
19 | External Remote Services (T1133) | Used VPNs and OWA for persistent access. |
20 | File and Directory Discovery (T1083) | Gathered file and folder names from hosts. |
21 | Forced Authentication (T1187) | Collected hashed credentials via spearphishing and .LNK file modifications. |
22 | Gather Victim Org Information (T1591.002) | Collected open-source information for targeting. |
23 | Hide Artifacts (T1564.002) | Modified Registry to hide user accounts. |
24 | Impair Defenses (T1562.004) | Disabled host-based firewalls and opened specific ports. |
25 | Indicator Removal (T1070.001 & .004) | Cleared event logs and deleted files used in operations. |
26 | Ingress Tool Transfer (T1105) | Transferred tools for operations within victim environments. |
27 | Masquerading (T1036) | Created accounts disguised as legitimate service accounts. |
28 | Modify Registry (T1112) | Used Reg for various techniques. |
29 | Network Share Discovery (T1135) | Identified and browsed file servers in victim networks. |
30 | Obtain Capabilities (T1588.002) | Used tools like Mimikatz, CrackMapExec, and PsExec. |
31 | OS Credential Dumping (T1003 & sub-techniques) | Used tools to dump password hashes and credentials. |
No. | Software | Purpose |
---|---|---|
1 | Backdoor.Oldrea | A multifunctional backdoor used for various malicious activities. |
2 | CrackMapExec | A tool used for network reconnaissance and credential dumping. |
3 | Impacket | A collection of Python classes for working with network protocols. |
4 | MCMD | A malware used for command execution and data exfiltration. |
5 | Mimikatz | A tool used for credential dumping and lateral movement. |
6 | Net | A Windows command-line tool used for network reconnaissance and remote access. |
7 | netsh | A command-line scripting utility used to modify network configurations. |
8 | PsExec | A tool for executing processes on remote systems. |
9 | Reg | A command-line tool for modifying the Windows Registry. |
DragonOK is a cyber threat group known for targeting Japanese organizations 🇯🇵 through phishing emails 📧. The group's activities are characterized by the use of a variety of malware 💻 and sophisticated techniques 🌐.
The primary motivation of DragonOK appears to be cyber espionage 🕵️, focusing on obtaining sensitive information 📄 from Japanese entities 🏢.
DragonOK is the primary name used to identify this group 🏷️. It is also thought to have a direct or indirect relationship with the threat group Moafee 🕊️.
The specific location of DragonOK is not clearly identified 🌏, but its targeting of Japanese organizations suggests a focus in East Asia 🌐.
The group was first identified in reports dating back to at least 2014 📆.
DragonOK has been observed conducting targeted phishing campaigns 🎣 and deploying a range of custom malware 💻 against Japanese targets 🇯🇵.
DragonOK employs various techniques across different tactics, including but not limited to:
No. | Technique | Description |
---|---|---|
1 | Application Layer Protocol | Utilizes web protocols and DNS for communication. |
2 | Boot or Logon Autostart Execution | Adds programs to the Registry Run keys and Startup folder for persistence. |
3 | Command and Scripting Interpreter | Uses Windows Command Shell for execution. |
4 | Create or Modify System Process | Creates Windows services for its malicious processes. |
5 | Deobfuscate/Decode Files or Information | Employs techniques to decode or deobfuscate files. |
6 | Encrypted Channel | Uses symmetric cryptography for secure communication. |
7 | File and Directory Discovery | Searches for files and directories of interest on the victim's machine. |
8 | Hide Artifacts | Hides files and directories to evade detection. |
9 | Hijack Execution Flow | Employs DLL side-loading and DLL search order hijacking. |
10 | Ingress Tool Transfer | Transfers additional tools or payloads into the victim’s environment. |
11 | Input Capture | Uses keylogging to capture user input. |
12 | Masquerading | Disguises tasks or services and matches legitimate names or locations to blend in. |
13 | Modify Registry | Alters the Windows Registry for various purposes. |
14 | Native API | Uses native API calls for various malicious activities. |
15 | Network Share Discovery | Searches for network shares in the victim environment. |
16 | Non-Application Layer Protocol | Utilizes non-standard protocols for communication. |
17 | Obfuscated Files or Information | Obfuscates files to evade detection. |
18 | Process Discovery | Identifies processes running on the victim’s system. |
19 | Query Registry | Queries the Windows Registry to gather information. |
20 | Screen Capture | Captures screenshots of the victim’s screen. |
21 | System Network Connections Discovery | Discovers network connections and related information. |
22 | Trusted Developer Utilities Proxy Execution | Uses MSBuild for proxy execution. |
23 | Virtualization/Sandbox Evasion | Employs checks to evade detection in virtualized or sandboxed environments. |
24 | Web Service | Uses dead drop resolvers for communication. |
No. | Software | Purpose |
---|---|---|
1 | PlugX (S0013) | A multifunctional backdoor used for remote control and data exfiltration. |
2 | PoisonIvy (S0012) | A well-known remote access tool with capabilities like keylogging, screen capture, and process injection. |
Earth Lusca is a suspected China-based cyber espionage group 🇨🇳, active since at least April 2019 📆. The group is known for targeting a wide range of organizations globally 🌐, including government institutions 🏛️, news media 📰, gambling companies 🎰, educational institutions 🏫, COVID-19 research organizations 🦠, telecommunications 📡, religious movements banned in China 🚫, and cryptocurrency trading platforms 💱. Some of Earth Lusca's operations appear to be financially motivated 💰.
The primary motivation of Earth Lusca seems to be cyber espionage 🕵️, with a focus on gathering sensitive information 📄. The group's targeting of a diverse set of sectors indicates a broad set of interests, possibly extending beyond traditional espionage to include financial gains 💹.
Earth Lusca is the primary name for the group 🏷️. It is also associated with TAG-22.
While the group is suspected to be based in China 🇨🇳, its operations are global 🌏, affecting countries across multiple continents 🌐.
Earth Lusca's activities were first observed in April 2019 📆.
The group has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors worldwide 🏢.
Earth Lusca employs a variety of techniques, including but not limited to:
No. | Technique | Description |
---|---|---|
1 | Abuse Elevation Control Mechanism | Utilizes the Fodhelper UAC bypass technique. |
2 | Account Manipulation | Drops SSH-authorized keys for server access. |
3 | Acquire Infrastructure | Registers domains and acquires servers and web services for operations. |
4 | Active Scanning | Scans for vulnerabilities in public-facing servers. |
5 | Archive Collected Data | Uses WinRAR for data compression before exfiltration. |
6 | Boot or Logon Autostart Execution | Adds keys to the Registry for persistence. |
7 | Command and Scripting Interpreter | Employs PowerShell, Visual Basic, Python, and JavaScript for various tasks. |
8 | Compromise Infrastructure | Compromises web servers and web services. |
9 | Create or Modify System Process | Creates Windows services for persistence. |
10 | Deobfuscate/Decode Files or Information | Uses certutil for decoding. |
11 | Domain Trust Discovery | Utilizes Nltest for domain controller information. |
12 | Drive-by Compromise | Conducts watering hole attacks. |
13 | Exfiltration Over Web Service | Utilizes cloud storage for data exfiltration. |
14 | Exploit Public-Facing Application | Exploits vulnerabilities in servers like Microsoft Exchange and Oracle GlassFish. |
15 | Exploitation of Remote Services | Uses Mimikatz for exploiting domain controllers. |
16 | Hijack Execution Flow | Employs DLL side-loading techniques. |
17 | Masquerading | Matches legitimate names or locations for disguising activities. |
18 | Modify Registry | Alters the Registry for various purposes. |
19 | Obfuscated Files or Information | Uses Base64 encoding and steganography. |
20 | Obtain Capabilities | Acquires malware and tools for operations. |
21 | OS Credential Dumping | Uses tools like ProcDump and Mimikatz for credential dumping. |
22 | Phishing | Sends spearphishing emails with malicious links. |
23 | Process Discovery | Utilizes Tasklist for process information. |
24 | Proxy | Adopts Cloudflare for proxying compromised servers. |
25 | Remote System Discovery | Uses PowerShell and scanning tools for system discovery. |
26 | Scheduled Task/Job | Creates scheduled tasks for persistence. |
27 | Stage Capabilities | Stages malware on compromised servers and web services. |
28 | System Binary Proxy Execution | Uses mshta.exe for executing scripts. |
29 | System Network Configuration Discovery | Employs ipconfig for network information. |
30 | System Network Connections Discovery | Uses scripts and netstat for network connection info. |
31 | System Owner/User Discovery | Collects user account information. |
No. | Software | Description |
---|---|---|
1 | certutil (S0160) | Used for data archiving and decoding. |
2 | Cobalt Strike (S0154) | A sophisticated exploitation tool used for network reconnaissance and data exfiltration. |
3 | Mimikatz (S0002) | A well-known tool used for credential dumping. |
4 | NBTscan (S0590) | Utilized for network service discovery. |
5 | Nltest (S0359) | Employed for domain trust discovery. |
6 | PowerSploit (S0194) | A collection of Microsoft PowerShell modules used for various tasks in a network attack. |
7 | ShadowPad (S0596) | Malware used for network infiltration and data extraction. |
8 | Tasklist (S0057) | Used for process discovery. |
9 | Winnti for Linux (S0430) | A Linux variant of the Winnti malware, used for persistent access and data exfiltration. |
Elderwood is a cyber espionage group, suspected to be based in China 🇨🇳, known for its involvement in the 2009 Google intrusion, dubbed Operation Aurora. The group has targeted a diverse array of entities 🌐, including defense organizations 🛡️, supply chain manufacturers 🏭, human rights and nongovernmental organizations (NGOs) 🕊️, and IT service providers 💼.
Elderwood's primary motivation appears to be espionage 🕵️, with a focus on stealing sensitive information 📄 from a variety of high-value targets that align with strategic interests 🌍.
The group is known as Elderwood 🏷️, and it has been associated with other names 🏷️ including Elderwood Gang, Beijing Group, and Sneaky Panda.
Elderwood is suspected to be operating out of China 🇨🇳.
The group's activities were notably recognized during Operation Aurora in 2009 📆.
Elderwood has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors globally 🏢.
Elderwood employs various techniques, including:
Technique | Description |
---|---|
Drive-by Compromise | Injecting malicious code into public web pages visited by targets. |
Exploitation for Client Execution | Using endpoint software vulnerabilities and zero-day exploits. |
Ingress Tool Transfer | Utilizing the Ritsol backdoor trojan to download files onto compromised hosts. |
Obfuscated Files or Information | Encrypting documents and executables. |
Software Packing | Packing malware payloads before delivery. |
Phishing | Spearphishing with attachments and links to deliver exploits and malware. |
User Execution | Leveraging spearphishing to get users to open links and attachments. |
Elderwood has used a range of software tools, including:
Software | Description |
---|---|
Briba (S0204) | Utilizes various techniques for execution and persistence. |
Hydraq (S0203) | A sophisticated backdoor with data exfiltration and process discovery capabilities. |
Linfo (S0211) | Capable of command execution, data collection, and scheduled data transfer. |
Naid (S0205) | Used for service creation and network information gathering. |
Nerex (S0210) | Employs code signing to subvert trust controls. |
Pasam (S0208) | Collects data from local systems and performs file and directory discovery. |
PoisonIvy (S0012) | A well-known backdoor with keylogging and data exfiltration capabilities. |
Vasport (S0207) | Used for proxying and data ingress. |
Wiarp (S0206) | Executes commands and injects processes. |
Ember Bear is a cyber espionage group suspected to be sponsored by the Russian state 🇷🇺. Active since at least March 2021 📆, the group has primarily focused on operations against Ukraine 🇺🇦 and Georgia 🇬🇪. They have also targeted Western European 🌍 and North American 🌎 foreign ministries 🏛️, pharmaceutical companies 💊, and financial sector organizations 💰. Ember Bear is believed to have conducted the WhisperGate destructive wiper attacks 🌪️ against Ukraine in early 2022.
The primary motivation of Ember Bear appears to be state-sponsored espionage 🕵️, with a focus on geopolitical intelligence gathering 🌍 and potentially causing disruption in targeted regions 🌐.
Ember Bear is also known as Saint Bear 🐻, UNC2589, UAC-0056, Lorec53, Lorec Bear, and Bleeding Bear 🏷️.
The group is suspected to be based in Russia 🇷🇺.
Ember Bear's activities were first identified in March 2021 📆.
The group has been observed targeting a range of entities in Ukraine 🇺🇦, Georgia 🇬🇪, Western Europe 🌍, North America 🌎, and other regions 🌐, with a focus on government 🏛️, pharmaceutical 💊, and financial sectors 💰.
Ember Bear employs various techniques, including:
Technique | Description |
---|---|
Command and Scripting Interpreter | Using PowerShell, Windows Command Shell, and JavaScript for execution. |
Exploitation for Client Execution | Exploiting Microsoft Office vulnerabilities. |
Impair Defenses | Disabling Windows Defender and other security tools. |
Ingress Tool Transfer | Downloading malicious code. |
Modify Registry | Altering registry keys for persistence and evasion. |
Obfuscated Files or Information | Employing binary padding, software packing, and command obfuscation. |
Phishing | Spearphishing with attachments and links. |
Subvert Trust Controls | Using stolen certificates for payload signing. |
System Binary Proxy Execution | Leveraging control panel files for execution. |
User Execution | Luring users to click on malicious links or files. |
Web Service | Using Discord's CDN for malware delivery. |
Ember Bear utilizes various software tools, including:
Equation is a highly sophisticated cyber threat group known for its advanced techniques and capabilities 🔒. The group is particularly notable for its use of zero-day exploits 🛡️ and its unique ability to overwrite the firmware of hard disk drives 💾, making their attacks extremely stealthy and persistent 🕵️.
While the specific motivations of Equation are not explicitly detailed in the available information 🤐, their advanced capabilities and the nature of their operations suggest a focus on cyber espionage 📄 and intelligence gathering 🌍.
The group is primarily known as Equation 🏷️.
The specific location of Equation is not publicly disclosed or identified in the available sources 🌐.
Equation's activities were first identified and reported by Kaspersky Lab's Global Research and Analysis Team in February 2015 📆.
Equation has been observed employing sophisticated techniques and tools 🛠️, targeting a range of systems and devices with advanced malware 🦠.
Equation employs a variety of advanced techniques, including:
While specific software tools used by Equation are not detailed in the provided information, their known capabilities suggest the use of highly sophisticated malware, including:
EXOTIC LILY is a financially motivated cyber threat group, closely associated with Wizard Spider. The group is known for deploying ransomware, including Conti and Diavol. EXOTIC LILY is believed to act as an initial access broker for other malicious actors. Since at least September 2021, they have targeted various industries, including IT, cybersecurity, and healthcare.
The primary motivation of EXOTIC LILY appears to be financial gain. Their activities suggest a focus on ransomware deployment and possibly selling access to compromised systems to other threat actors.
The group is primarily known as EXOTIC LILY.
EXOTIC LILY's specific location is not mentioned, but they have targeted organizations globally.
Their activities were first observed in September 2021.
EXOTIC LILY has been observed using sophisticated phishing techniques, exploiting vulnerabilities, and leveraging various tools for initial access and payload delivery.
EXOTIC LILY employs a range of techniques, including:
EXOTIC LILY is known to use several software tools, including:
Ferocious Kitten is a cyber threat group known for its covert surveillance activities targeting Persian-speaking individuals in Iran. The group has been active since at least 2015 and is noted for its use of sophisticated cyber espionage tactics.
The primary motivation of Ferocious Kitten appears to be intelligence gathering and surveillance, particularly focusing on individuals within Iran.
The group is primarily known as Ferocious Kitten.
While the specific location of Ferocious Kitten is not detailed, their primary target region is Iran.
Their activities were first observed in 2015.
Ferocious Kitten has been observed employing various cyber espionage techniques, including spearphishing, domain masquerading, and the use of open-source tools for malicious purposes.
Ferocious Kitten employs a range of techniques, including:
update.exe and placing them in common folders.
Ferocious Kitten is known to use several software tools, including:
FIN10 is a financially motivated threat group that has been active since at least 2013, primarily targeting organizations in North America. The group is known for using stolen data exfiltrated from victims to extort organizations.
FIN10's primary motivation appears to be financial gain, achieved through cyber extortion and other financially motivated cybercrimes.
The group is commonly referred to as FIN10.
While specific details about the group's location are not provided, their primary targets have been organizations in North America.
FIN10's activities were first observed in 2013.
FIN10 has been observed employing a variety of techniques for extortion, data theft, and maintaining access to victim networks.
FIN13 is a financially motivated cyber threat group that has been active since at least 2016. The group primarily targets the financial, retail, and hospitality industries in Mexico and Latin America. FIN13 is known for stealing intellectual property, financial data, mergers and acquisition information, or personally identifiable information (PII).
The primary motivation of FIN13 is financial gain, achieved through intellectual property theft, financial data exfiltration, and potentially other forms of cybercrime.
FIN13 is also associated with the name Elephant Beetle.
While specific details about the group's location are not provided, their primary targets have been organizations in Mexico and Latin America.
FIN13's activities were first observed in 2016.
FIN13 has been observed employing a variety of techniques for data theft, maintaining access to victim networks, and conducting financial theft.
FIN4 is a financially motivated threat group known for targeting confidential information related to the public financial market. Active since at least 2013, its primary focus has been on healthcare and pharmaceutical companies. Unlike many cyber threat groups, FIN4 does not typically use persistent malware; instead, it concentrates on capturing credentials authorized to access email and other non-public correspondence.
FIN4's primary motivation appears to be financial gain, achieved through the acquisition of sensitive information related to the stock market, particularly in the healthcare and pharmaceutical sectors.
FIN4 is the primary name associated with this threat group.
The specific location of FIN4 is not detailed in the available information.
FIN4's activities have been observed since at least 2013.
FIN4 has been observed employing various techniques to capture sensitive information and credentials, often focusing on email hijacking and credential theft rather than deploying traditional malware.
FIN4 primarily uses custom tools and techniques tailored to their specific method of operation, focusing on credential theft and email hijacking. Specific software names are not mentioned in the provided information, but their tactics involve the use of VBA macros, .NET-based keyloggers, and possibly other custom-developed tools for credential capture and email manipulation.
FIN5 is a financially motivated threat group known for targeting personally identifiable information (PII) and payment card information. Active since at least 2008, FIN5 has primarily targeted industries such as restaurants, gaming, and hotels. The group consists of actors who likely speak Russian.
FIN5's primary motivation is financial gain, achieved through the theft of sensitive personal and financial data.
FIN5 is the primary name associated with this threat group.
The specific location of FIN5 is not detailed in the available information, but the group is believed to comprise Russian-speaking actors.
FIN5's activities have been observed since at least 2008.
FIN5 has been observed employing various techniques to capture sensitive information, focusing on automated collection, brute force attacks, and the use of external remote services.
FIN6 is a cybercrime group known for stealing payment card data and selling it on underground marketplaces. They have aggressively targeted and compromised Point of Sale (PoS) systems, predominantly in the hospitality and retail sectors.
FIN6 is financially motivated, focusing on the theft and sale of payment card data for profit.
The specific location of FIN6 is not detailed in the available information.
FIN6's activities have been observed since at least 2016.
FIN6 has been noted for its aggressive tactics in compromising PoS systems and its sophisticated methods of data exfiltration and sale.
FIN7 is a financially motivated threat group that has been active since 2013. Known for targeting a wide range of industries including retail, restaurant, hospitality, and more, FIN7 is notorious for its use of point-of-sale malware and sophisticated cyber attacks. The group has been linked to the use of REvil ransomware and to its own Ransomware-as-a-Service (RaaS) operation, Darkside.
FIN7's primary motivation is financial gain, achieved through cyber attacks targeting sensitive financial data.
The specific location of FIN7 is not detailed in the available information.
FIN7's activities have been observed since at least 2013.
FIN7 has been noted for its diverse targeting across various industries and its shift to big game hunting (BGH) tactics, including the use of ransomware.
FIN8 is a financially motivated threat group, active since at least January 2016. They are known for targeting various sectors including hospitality, retail, entertainment, insurance, technology, chemical, and financial. Notably, in June 2021, FIN8 shifted focus from targeting point-of-sale (POS) devices to distributing ransomware variants.
FIN8's primary motivation is financial gain, achieved through sophisticated cyber attacks targeting sensitive financial data and systems.
The specific location of FIN8 is not detailed in the available information.
FIN8's activities have been observed since at least January 2016.
FIN8 has been noted for its diverse targeting across various industries and its shift from POS device targeting to ransomware distribution.
Fox Kitten is a threat actor with suspected ties to the Iranian government, active since at least 2017. They have targeted a wide range of entities across the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten's operations span multiple industrial verticals, including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.
Fox Kitten's primary motivation appears to be espionage and intelligence gathering, likely in support of national interests aligned with the Iranian government.
While specific operational locations are not detailed, Fox Kitten is believed to have a nexus to the Iranian government.
Fox Kitten's activities have been observed since at least 2017.
Fox Kitten has been noted for its broad targeting scope and sophisticated cyber operations across various industries and geographical regions.
GALLIUM is a cyberespionage group active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities. Their activities have been observed in various countries including Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. GALLIUM is identified as a likely Chinese state-sponsored group, based on their tools and tactics, techniques, and procedures (TTPs) commonly associated with Chinese threat actors.
GALLIUM's primary motivation appears to be espionage, likely driven by state-sponsored objectives to gather intelligence from targeted countries and industries.
While specific operational locations are not detailed, GALLIUM is believed to be based in China.
GALLIUM's activities have been observed since at least 2012.
GALLIUM has been noted for its sophisticated cyber operations targeting a range of sectors and geographical regions, indicative of a broad intelligence-gathering mission.
Gallmaker is a cyberespionage group known for targeting entities in the Middle East, particularly in the defense, military, and government sectors. Active since at least December 2017, Gallmaker is noted for its use of 'living off the land' tactics, relying on tools that are already present on the victim's system rather than deploying their own malware.
The primary motivation of Gallmaker appears to be espionage, with a focus on gathering intelligence from defense, military, and government sectors.
While specific operational locations are not detailed, Gallmaker's activities have predominantly targeted entities in the Middle East.
Gallmaker's activities have been observed since at least December 2017.
Gallmaker has been noted for its sophisticated cyber operations targeting specific sectors, indicative of a targeted intelligence-gathering mission.
Gallmaker's approach of 'living off the land' suggests a reliance on pre-existing software and system tools rather than deploying custom malware. This strategy involves the use of legitimate system tools for malicious purposes, making detection more challenging. Specific software or tools used by Gallmaker, as per the provided information, include:
Gamaredon Group is a cyber espionage threat group suspected to be linked to Russia's Federal Security Service (FSB). Active since at least 2013, the group primarily targets military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine. The group's name, "Gamaredon," is derived from a misspelling of "Armageddon," found in their early campaigns.
The group's activities suggest a focus on intelligence gathering, likely for geopolitical purposes, given its targeting of Ukrainian entities and attribution to Russian state interests.
While the group's exact location is not specified, it is attributed to Russia's FSB, indicating a potential base of operations in Russia.
Gamaredon Group's activities have been documented since at least 2013.
The group has been observed conducting sophisticated cyber espionage operations, primarily targeting Ukrainian entities across various sectors.
GCMAN is a cyber threat group known for targeting banks with the primary goal of transferring money to e-currency services. The group's activities involve sophisticated cyber attacks against financial institutions.
GCMAN's primary motivation appears to be financial gain, achieved through unauthorized bank transfers to e-currency services.
The specific location of GCMAN is not detailed in the available information.
The group's activities were first reported in 2016.
GCMAN has been observed conducting targeted attacks against banks, focusing on the illicit transfer of funds.
GOLD SOUTHFIELD is a financially motivated threat group known for operating the REvil Ransomware-as-a-Service (RaaS). Active since at least 2018, the group provides backend infrastructure for affiliates recruited on underground forums to carry out high-value ransomware deployments. In early 2020, GOLD SOUTHFIELD began stealing data and extorting victims by threatening to publicly leak the stolen data unless they paid.
The primary motivation of GOLD SOUTHFIELD is financial gain, achieved through ransomware attacks and data extortion.
The specific location of GOLD SOUTHFIELD is not detailed in the available information.
The group's activities were first reported in 2018.
GOLD SOUTHFIELD has been observed targeting a wide range of sectors, using techniques that include exploiting public-facing applications and conducting phishing campaigns.
Gorgon Group is a threat actor suspected to have connections to Pakistan. The group has engaged in a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.
The Gorgon Group's activities suggest a combination of criminal financial motives and targeted attacks, possibly for espionage.
The group is suspected to be Pakistan-based or have connections to Pakistan.
The specific date of the group's first activities is not provided in the available information.
Gorgon Group has been observed targeting a variety of sectors, including government organizations in several countries.
Group5 is a threat group with suspected ties to Iran, although this attribution is not definitive. The group has primarily targeted individuals connected to the Syrian opposition, employing spearphishing and watering hole attacks. Their campaigns often revolve around Syrian and Iranian themes.
The group's activities suggest a focus on espionage, particularly targeting opposition groups and individuals, likely for political intelligence gathering.
The group is suspected to have an Iranian nexus.
The specific date of the group's first activities is not detailed in the provided information.
Group5 has been observed targeting individuals connected to the Syrian opposition, using themes relevant to Syrian and Iranian interests.
HAFNIUM is a cyber espionage group believed to be state-sponsored and operating out of China. Active since at least January 2021, HAFNIUM primarily targets a wide range of entities in the United States, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
The group's activities suggest a focus on intelligence gathering, likely for strategic national interests.
HAFNIUM is believed to operate out of China.
The group has been active since at least January 2021.
HAFNIUM has been observed targeting a diverse set of sectors in the United States, indicating a broad intelligence collection mandate.
HEXANE is a cyber espionage threat group that has been active since at least 2017. The group primarily targets organizations in the oil & gas, telecommunications, aviation, and internet service provider sectors. Their activities have predominantly focused on entities located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's tactics, techniques, and procedures (TTPs) bear similarities to APT33 and OilRig, but due to differences in victims and tools, it is tracked as a separate entity.
The group's activities suggest a focus on espionage, likely aimed at gathering strategic intelligence in the energy and telecommunications sectors.
HEXANE's operations have primarily targeted the Middle East and Africa.
The group has been active since at least 2017.
HEXANE has been observed targeting a variety of sectors, with a focus on oil & gas, telecommunications, aviation, and internet service providers.
Higaisa is a cyber threat group suspected to have origins in South Korea. The group has been active in targeting government, public, and trade organizations primarily in North Korea, but their activities have also extended to China, Japan, Russia, Poland, and other nations. Higaisa's operations include a mix of cyber espionage and targeted attacks, and the group has been active since at least 2009, with its activities first disclosed in early 2019.
Higaisa's activities suggest a focus on espionage and intelligence gathering, particularly targeting entities related to government and trade.
The group has targeted entities primarily in North Korea, with additional activities in China, Japan, Russia, Poland, and other countries.
Higaisa has been operational since at least 2009, with public disclosure of its activities occurring in early 2019.
Higaisa has been observed targeting a variety of sectors, with a particular focus on government, public, and trade organizations.
Inception is a sophisticated cyber espionage group that has been active since at least 2014. This group is known for its complex and multifaceted attacks, targeting multiple industries and governmental entities primarily in Russia. However, their activities have also spanned the United States, Europe, Asia, Africa, and the Middle East.
The primary motivation of Inception appears to be espionage, with a focus on gathering intelligence from a wide range of global targets.
Inception has targeted entities primarily in Russia but has also been active in the United States, Europe, Asia, Africa, and the Middle East.
The group has been operational since at least 2014.
Inception has been observed targeting a variety of sectors, including government organizations, across multiple regions.
IndigoZebra is a cyber espionage group suspected to have Chinese origins. Active since at least 2014, the group primarily targets Central Asian governments, employing sophisticated cyber espionage tactics.
The primary motivation of IndigoZebra appears to be espionage, focusing on gathering sensitive information from government entities in Central Asia.
The group primarily targets Central Asian governments.
IndigoZebra has been active since at least 2014.
The group has been observed conducting cyber espionage activities against Central Asian governments.
Indrik Spider is a Russia-based cybercriminal group, active since at least 2014. Initially known for deploying the Dridex banking Trojan, the group shifted to ransomware operations around 2017, using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider diversified their tactics and toolset.
The primary motivation of Indrik Spider appears to be financial gain, primarily through banking Trojans and ransomware operations.
Based in Russia, with global targets.
Active since at least 2014.
Observed conducting banking fraud and ransomware operations globally.
Ke3chang, attributed to actors operating out of China, is a threat group known for targeting a variety of sectors including oil, government, diplomatic, military, and NGOs. Their activities have been observed in Central and South America, the Caribbean, Europe, and North America since at least 2010.
Ke3chang's primary motivation appears to be cyber espionage, targeting a wide range of international governmental and diplomatic entities.
Based in China, with global targeting scope.
Active since at least 2010.
Observed conducting espionage activities against a variety of international targets.
Ke3chang has used net localgroup administrators for account discovery.
Kimsuky is a North Korea-based cyber espionage group, active since at least 2012. The group has primarily targeted South Korean government entities, think tanks, and individuals identified as experts in various fields. Over time, Kimsuky expanded its operations to include the United States, Russia, Europe, and the UN, focusing on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.
Kimsuky's primary motivation appears to be gathering intelligence on foreign policy and national security issues, particularly those related to North Korea's geopolitical interests.
Based in North Korea, with global targeting scope.
Active since at least 2012.
Notable campaigns include the 2014 Korea Hydro & Nuclear Power Co. compromise, Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).
Kimsuky has used the net localgroup and net user commands.
LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. The group is known for its large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. LAPSUS$ has targeted a wide range of sectors globally, including government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media.
The primary motivation of LAPSUS$ appears to be financial gain through extortion and possibly disruption.
Not specified, but the group has targeted organizations globally.
Active since at least mid-2021.
LAPSUS$ has been involved in various high-profile attacks and extortion campaigns against major organizations across different sectors.
Lazarus Group is a North Korean state-sponsored cyber threat group, attributed to the Reconnaissance General Bureau. Active since at least 2009, it has been involved in high-profile cyber attacks, including the 2014 destructive wiper attack against Sony Pictures Entertainment as part of Operation Blockbuster. The group's malware has been linked to various campaigns like Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.
The primary motivations of the Lazarus Group include espionage, data theft, financial gain, and disruption of targeted organizations.
North Korea
Active since at least 2009.
Lazarus Group has been involved in numerous cyber espionage and sabotage operations, targeting a wide range of industries and organizations worldwide.
LazyScripter is a threat group that has been actively targeting the airline industry since at least 2018. This group primarily utilizes open-source toolsets in its operations.
The specific motivations of LazyScripter are not detailed in the provided text. However, given their targeted attacks on the airline industry, it can be inferred that their motivations could be related to espionage, data theft, or disruption of industry operations.
LazyScripter
The location of LazyScripter is not explicitly mentioned in the provided text.
LazyScripter has been active since at least 2018.
LazyScripter has been observed using a variety of techniques and software, mainly focusing on open-source tools for executing their attacks.
LazyScripter has used mshta.exe and rundll32.exe to execute Koadic stagers.
Leafminer is an Iranian threat group known for targeting government organizations and business entities in the Middle East. The group has been active since at least early 2017 and is known for its sophisticated cyber espionage campaigns.
While the specific motivations of Leafminer are not detailed in the provided text, their targeting of government and business entities suggests motivations likely include espionage, intelligence gathering, and possibly disruption of governmental and business operations.
Iran
Leafminer has been active since at least early 2017.
Leafminer has been observed using a variety of cyber attack techniques and tools, focusing on espionage and data exfiltration.
Leviathan is a Chinese state-sponsored cyber espionage group. It has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted a wide range of sectors including academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across various regions including the US, Canada, Europe, the Middle East, and Southeast Asia.
The primary motivation of Leviathan appears to be espionage, given its state-sponsored nature and the wide range of high-value sectors it targets.
China
The group has been active since at least 2009.
Leviathan has been observed employing a variety of sophisticated cyber espionage techniques and tools.
Lotus Blossom is a threat group known for targeting government and military organizations in Southeast Asia. The group is noted for its focused attacks on high-value targets within this region.
While the specific motivations of Lotus Blossom are not detailed in the provided text, the targeting of government and military organizations suggests motivations likely include espionage, intelligence gathering, and possibly influencing political or military decisions.
The group primarily targets entities in Southeast Asia.
The first recorded activities of Lotus Blossom date back to at least 2015.
Lotus Blossom has been observed employing a variety of cyber attack techniques and tools, focusing on espionage and data exfiltration.
The specific techniques used by Lotus Blossom are not detailed in the provided text. However, given their targeting of government and military organizations, it can be inferred that they likely employ advanced persistent threat tactics including spearphishing, exploitation of vulnerabilities, and use of custom malware.
Machete is a cyber espionage group suspected to be Spanish-speaking, active since at least 2010. The group has primarily focused its operations within Latin America, particularly in Venezuela, but also has a presence in the US, Europe, Russia, and parts of Asia. Machete typically targets high-profile organizations such as government institutions, intelligence services, military units, telecommunications, and power companies.
While the specific motivations of Machete are not detailed in the provided text, their targeting of government, military, and critical infrastructure suggests motivations likely include espionage, intelligence gathering, political influence, and possibly disruption of critical services.
Machete primarily operates in Latin America, with significant activities in Venezuela and additional operations in the US, Europe, Russia, and parts of Asia.
The group has been active since at least 2010.
Machete has been observed employing a variety of sophisticated cyber espionage techniques and tools, focusing on espionage and data exfiltration.
Magic Hound is an Iranian-sponsored threat group known for conducting long-term, resource-intensive cyber espionage operations. This group is likely operating on behalf of the Islamic Revolutionary Guard Corps. Since at least 2014, Magic Hound has targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), using complex social engineering campaigns.
The primary motivation of Magic Hound appears to be espionage, likely driven by geopolitical interests, given its focus on government, military, and international organizations.
Magic Hound primarily targets entities in Europe, the United States, and the Middle East.
The group has been active since at least 2014.
Magic Hound has been observed employing a variety of sophisticated cyber espionage techniques and tools, focusing on espionage and data exfiltration.
menuPass, also known as APT10, is a threat group that has been active since at least 2006. This group is known for its association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and has worked for the Huaying Haitai Science and Technology Development Company. menuPass has targeted a wide range of sectors globally, including healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government, with a particular emphasis on Japanese organizations. The group has also targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.
The primary motivation of menuPass appears to be espionage, likely driven by geopolitical and economic interests, given its focus on a wide range of critical sectors and global targets.
menuPass primarily targets global entities, with a significant focus on Japanese organizations.
The group has been active since at least 2006.
menuPass has been observed employing a variety of sophisticated cyber espionage techniques and tools, focusing on espionage and data exfiltration.
Metador is a suspected cyber espionage group that emerged in September 2022. The group has primarily targeted telecommunications companies, internet service providers, and universities in the Middle East and Africa. The name "Metador" is derived from the string "I am meta" found in one of the group's malware samples and the anticipated Spanish-language responses from their command and control (C2) servers.
While the specific motivations of Metador are not explicitly stated, the nature of their targets suggests interests in intelligence gathering and espionage, particularly in the telecommunications and academic sectors.
Metador's activities have been focused on entities in the Middle East and Africa.
The group was first reported in September 2022.
Metador has been observed using sophisticated techniques and unique malware in their operations, indicating a high level of skill and specific targeting objectives.
Software associated with Metador includes Mafalda and metaMain.
Moafee is a cyber threat group believed to be operating out of the Guangdong Province in China. This group is known for its sophisticated cyber attacks and is thought to have connections with another threat group, DragonOK, due to similarities in tactics, techniques, and procedures (TTPs), including the use of custom tools.
While specific motivations for Moafee's activities are not detailed, the group's sophisticated nature and the overlap with other known threat groups suggest a focus on cyber espionage and intelligence gathering.
Moafee is believed to be operating from the Guangdong Province of China.
The group was first identified and reported in cybersecurity literature in 2014.
Moafee has been observed employing advanced cyber techniques and using custom tools in its operations, indicating a high level of technical proficiency and strategic planning in its cyber espionage activities.
Mofang is a cyber espionage group, likely based in China, known for its sophisticated cyber operations. The group has been active since at least May 2012 and is characterized by its strategy of imitating the infrastructure of its victims. Mofang primarily targets government entities and critical infrastructure sectors in Myanmar and other countries, including military, automobile, and weapons industries.
Mofang's activities suggest a focus on espionage, likely driven by political and strategic interests. The group's targeting of government and critical infrastructure sectors indicates an intent to gather sensitive information and possibly disrupt operations in these areas.
Mofang is believed to be based in China.
The group was first identified and reported in cybersecurity literature in May 2012.
Mofang has been observed conducting focused attacks against a variety of targets, employing sophisticated techniques to evade detection and successfully infiltrate target networks.
Software associated with Mofang includes ShimRat and ShimRatReporter.
Molerats, an Arabic-speaking, politically-motivated threat group, has been active since 2012. The group primarily targets entities in the Middle East, Europe, and the United States. Their operations are characterized by sophisticated cyber espionage tactics.
Molerats' activities suggest a focus on gathering intelligence and possibly influencing political scenarios in the targeted regions. Their consistent targeting of specific geographic areas indicates a strategic intent behind their operations.
The group is believed to operate from an undisclosed location, with a focus on the Middle East, Europe, and the United States.
Molerats was first identified in 2012.
The group has been observed conducting cyber espionage campaigns, employing a range of sophisticated techniques to infiltrate and extract information from target networks.
Moses Staff is a suspected Iranian threat group that has been active since at least September 2021. The group is known for its targeted cyber attacks against Israeli companies, aiming to cause damage by leaking sensitive data and encrypting networks without demanding a ransom.
Moses Staff's operations are politically motivated, with a clear focus on causing disruption and extracting sensitive information from Israeli entities. Their activities also extend to government, finance, travel, energy, manufacturing, and utility sectors in various countries, including Italy, India, Germany, Chile, Turkey, the UAE, and the US.
While the exact location is undisclosed, the group is suspected to be operating from Iran.
Moses Staff was first reported in September 2021.
The group has been observed targeting a range of sectors with sophisticated cyber espionage tactics, primarily focusing on Israeli companies but also extending their operations globally.
MuddyWater is a cyber espionage group, believed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Active since at least 2017, MuddyWater has been involved in numerous cyber operations targeting a wide range of sectors, including telecommunications, local government, defense, and oil and natural gas organizations. Their activities span across the Middle East, Asia, Africa, Europe, and North America.
MuddyWater's operations are primarily driven by espionage motives, focusing on gathering sensitive information from government and private organizations. Their activities suggest a state-sponsored agenda, likely aimed at advancing Iran's national interests.
The group is also known by various aliases, including Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.
MuddyWater is assessed to operate from Iran.
The group's activities were first identified in 2017.
MuddyWater has been observed employing a range of sophisticated cyber tactics and techniques. They have targeted various entities across multiple regions, indicating a broad and persistent threat landscape.
MuddyWater has used makecab.exe for compressing stolen data, and CMSTP.exe, Mshta.exe, and Rundll32.exe for execution.
Mustang Panda is a China-based cyber espionage threat actor, first observed in 2017, but potentially active since 2014. The group has targeted a diverse set of entities including government organizations, nonprofits, religious groups, and other non-governmental organizations across various countries such as the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam.
The primary motivation of Mustang Panda appears to be espionage, with a focus on gathering sensitive information from a wide range of international targets.
Mustang Panda is also known by other names including TA416, RedDelta, and BRONZE PRESIDENT.
The group is believed to be operating out of China.
Mustang Panda's activities were first identified in 2017.
The group has been observed conducting cyber espionage operations against a variety of targets worldwide, indicating a broad and persistent campaign.
Naikon is a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). Active since at least 2010, Naikon has primarily targeted government, military, and civil organizations in Southeast Asia, as well as international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).
Naikon's primary motivation appears to be gathering intelligence and conducting espionage activities in line with state-sponsored objectives.
Naikon is also known by other identifiers, including its Military Unit Cover Designator 78020.
The group is believed to be operating out of China, specifically linked to the Chinese PLA's Chengdu Military Region.
Naikon's activities date back to at least 2010.
The group has been observed conducting espionage operations against a range of targets in Southeast Asia and international organizations.
NEODYMIUM is an activity group known for its cyber campaign in May 2016, primarily targeting Turkish victims. The group displays similarities to another activity group, PROMETHIUM, due to overlapping victim profiles and campaign characteristics. NEODYMIUM is also reportedly associated with BlackOasis operations, although there is no conclusive evidence to suggest that these group names are aliases.
NEODYMIUM's specific motivations are not detailed in the provided information, but their targeted attacks suggest a focus on intelligence gathering, possibly for political or strategic purposes.
NEODYMIUM is the primary name used to identify this group. There are indications of a possible association with BlackOasis, but this remains unconfirmed.
The exact location of NEODYMIUM is not specified, but their targeting of Turkish victims suggests a possible interest in the region or connections to it.
NEODYMIUM's activities were first observed in May 2016.
The group has been notably active in targeting individuals and entities in Europe, with a heavy focus on Turkish victims. Their operations are characterized by the use of specific malware and tactics.
Nomadic Octopus is a Russian-speaking cyber espionage threat group. Active since at least 2014, they have primarily targeted Central Asia, focusing on local governments, diplomatic missions, and individuals. The group is known for its campaigns involving both Android and Windows malware, predominantly developed using the Delphi programming language. They have been observed creating custom variants for their operations.
While specific motivations are not detailed, the targeting of government and diplomatic entities suggests a focus on intelligence gathering, possibly for political or strategic purposes.
The group primarily targets Central Asia, indicating a regional focus in their operations.
Nomadic Octopus has been active since at least 2014.
The group has been observed conducting espionage campaigns involving sophisticated malware targeting various entities in Central Asia.
OilRig is a suspected Iranian threat group that has been active since at least 2014. The group has targeted a diverse range of sectors, including financial, government, energy, chemical, and telecommunications. Notably, OilRig is known for carrying out supply chain attacks, exploiting the trust relationship between organizations to reach their primary targets. The group's activities are believed to be conducted on behalf of the Iranian government, as suggested by infrastructure details referencing Iran, the use of Iranian infrastructure, and targeting that aligns with nation-state interests.
OilRig's operations are primarily driven by espionage, with a focus on collecting sensitive information from targeted sectors. Their activities align with the strategic interests of the Iranian state, indicating a nation-state backed cyber espionage motive.
OilRig primarily targets entities in the Middle East and has international reach.
The group has been active since at least 2014.
OilRig has been observed targeting a variety of sectors with sophisticated cyber espionage tactics.
OilRig has used built-in Windows utilities: net user for account listings, certutil for decoding files, tasklist for active process information, hostname, ipconfig /all for network configuration, netstat -an for network connections, whoami for user information, and sc query for service information.
OilRig's sophisticated and diverse set of tactics, techniques, and procedures (TTPs) highlights its capability as a significant player in state-sponsored cyber espionage. The group's focus on Middle Eastern and international targets, along with its advanced attack methods, demonstrates a high level of expertise and resources likely backed by a nation-state.
Orangeworm is a cyber threat group that has been actively targeting organizations in the healthcare sector across the United States, Europe, and Asia since at least 2015. The group's primary focus appears to be corporate espionage, gathering sensitive information from healthcare-related organizations.
The main motive of Orangeworm seems to be corporate espionage. Their consistent targeting of healthcare organizations indicates a specific interest in acquiring confidential and proprietary information related to this sector.
Orangeworm has targeted organizations in the United States, Europe, and Asia, indicating a broad geographical focus.
The group has been active since at least 2015.
Orangeworm has been observed conducting targeted attacks against the healthcare sector, likely for espionage purposes.
Orangeworm's targeted approach, focusing on the healthcare sector, demonstrates a clear intent and capability to infiltrate and extract valuable information from this industry. The use of specific tools like Kwampirs further indicates a sophisticated level of technical expertise and a focused operational objective.
Patchwork, also known as Hangover Group, Dropping Elephant, Chinastrats, MONSOON, and Operation Hangover, is a cyber espionage group first observed in December 2015. While definitive attribution is unclear, circumstantial evidence suggests it may be a pro-Indian or Indian entity. The group has targeted diplomatic and government agencies, and has been known for its spearphishing campaigns targeting U.S. think tanks.
Patchwork's activities suggest a focus on espionage, likely driven by political and strategic interests, particularly in gathering intelligence from government and diplomatic entities.
Patchwork has targeted entities globally, with a focus on the Indian subcontinent and U.S. think tanks.
The group was first observed in December 2015.
Patchwork has been active in conducting cyber espionage campaigns, primarily targeting diplomatic and government sectors. The group is known for its use of copied and pasted code from online forums and spearphishing techniques.
Patchwork's operations demonstrate a significant focus on espionage through a variety of sophisticated techniques and tools, indicating a well-resourced and technically capable actor with specific intelligence-gathering objectives.
PittyTiger is a cyber threat group believed to be operating out of China. This group is known for using a variety of malware types to establish and maintain command and control over compromised systems.
While specific motivations are not detailed, the typical behavior of PittyTiger suggests objectives aligned with espionage, likely driven by political, economic, or strategic interests.
The primary name for this group is PittyTiger.
PittyTiger is believed to operate out of China, based on the nature of its attacks and tools used.
The exact date of PittyTiger's first observed activities is not specified in the provided information.
PittyTiger has been observed engaging in cyber espionage activities, utilizing various types of malware for command and control operations.
PittyTiger's use of a diverse set of tools and techniques indicates a focus on gaining access to systems and exfiltrating sensitive information, consistent with the objectives of a sophisticated cyber espionage group.
PLATINUM is a sophisticated cyber espionage group known for its advanced techniques and focus on targets in South and Southeast Asia. Active since at least 2009, the group has primarily targeted government entities and related organizations.
While specific motivations are not detailed, the group's activities suggest a focus on intelligence gathering and surveillance, likely driven by geopolitical interests.
The group is predominantly known as PLATINUM.
PLATINUM's operations primarily target regions in South and Southeast Asia.
The group has been active since at least 2009.
PLATINUM has been observed conducting cyber espionage campaigns against government and related organizations in South and Southeast Asia.
PLATINUM's sophisticated use of a variety of techniques and custom software indicates a high level of expertise in conducting cyber espionage operations, with a clear focus on maintaining stealth and gathering intelligence from high-value targets in specific geographic regions.
POLONIUM is a Lebanon-based cyber espionage group known for targeting Israeli organizations, including those in critical manufacturing, information technology, and defense industries. Active since at least February 2022, the group is noted for its sophisticated operations and coordination with entities affiliated with Iran's Ministry of Intelligence and Security (MOIS).
POLONIUM's activities suggest a focus on gathering intelligence and possibly disrupting operations in Israeli organizations. The group's alignment with Iranian interests indicates a geopolitical motivation, likely driven by regional tensions and strategic objectives.
The group is primarily known as POLONIUM.
POLONIUM is based in Lebanon and has primarily targeted Israeli entities.
POLONIUM's activities were first observed in February 2022.
The group has been observed conducting espionage campaigns against Israeli organizations, leveraging sophisticated techniques and tools.
POLONIUM's operations reflect a high level of sophistication and strategic focus, aligning with broader geopolitical objectives and showcasing advanced capabilities in cyber espionage. The group's use of legitimate web services for exfiltration and C2, along with its ability to exploit trusted relationships, indicates a nuanced understanding of digital environments and operational security.
Poseidon Group is a Portuguese-speaking threat group known for its unique approach to cyber-espionage. Active since at least 2005, this group is distinctive for using information exfiltrated from victims to blackmail them into contracting the Poseidon Group as a security firm.
The primary motivation of the Poseidon Group appears to be financial gain through a combination of cyber-espionage and blackmail. By exfiltrating sensitive information, they coerce victim companies into hiring them under the guise of a security firm, thus monetizing their cyber-espionage activities.
The group is predominantly known as the Poseidon Group.
The Poseidon Group is a Portuguese-speaking entity, but specific geographic location details are not provided.
The group's activities date back to at least 2005.
Poseidon Group has been observed engaging in targeted cyber-espionage campaigns, primarily focusing on information theft and subsequent blackmail.
Poseidon Group's operations are marked by a blend of technical sophistication and unconventional tactics, including leveraging the stolen data for blackmail. Their focus on credential and service discovery, along with masquerading techniques, indicates a methodical approach to maintaining persistence and avoiding detection in targeted environments.
PROMETHIUM is an espionage-focused activity group that has been active since at least 2012. The group is known for its global operations, with a significant emphasis on targeting Turkish entities. PROMETHIUM is characterized by its use of sophisticated techniques and overlaps in victim and campaign characteristics with another activity group, NEODYMIUM.
The primary motivation of PROMETHIUM appears to be espionage. Their activities suggest a focus on gathering intelligence and compromising information from targeted entities, particularly in Turkey.
PROMETHIUM is also associated with the name StrongPity.
While specific geographic origins are not detailed, PROMETHIUM's targeted campaigns have a global reach, with a notable focus on Turkish targets.
The group's activities date back to at least 2012.
PROMETHIUM has been observed conducting global espionage campaigns, with a particular focus on Turkish targets. Their operations are marked by the use of sophisticated techniques and tools.
PROMETHIUM's operations demonstrate a high level of technical sophistication and strategic planning. Their focus on creating and using self-signed certificates, masquerading techniques, and leveraging legitimate software installers for malicious purposes indicates a methodical approach to infiltrating and maintaining persistence in targeted environments.
Putter Panda is a Chinese threat group known for its cyber espionage activities. It has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD), indicating state-sponsored operations.
The primary motivation of Putter Panda is likely espionage, gathering intelligence, and possibly conducting cyber warfare activities, consistent with the objectives of a state-sponsored group.
Putter Panda is also known as APT2 and MSUpdater.
The group is believed to be based in China, given its attribution to a unit of the People's Liberation Army.
The specific date of the group's first observed activity is not mentioned, but it has been active for several years, at least since the early 2010s.
Putter Panda has been observed conducting cyber espionage campaigns, primarily targeting information related to satellite and aerospace sectors.
Putter Panda's activities demonstrate a focus on stealth and persistence, employing techniques to maintain long-term access to compromised systems and networks. The use of RATs and other custom malware indicates a high level of sophistication and the ability to adapt tools to specific targets or objectives.
Rancor is a cyber threat group known for its targeted campaigns primarily against the South East Asia region. The group is notable for using politically-motivated lures to entice victims into opening malicious documents.
The primary motivation of Rancor appears to be espionage, likely driven by political interests, as indicated by their use of politically-themed lures.
The group is primarily known as Rancor.
While the specific location of Rancor is not detailed, their primary target region is South East Asia.
The exact date of Rancor's first observed activity is not provided, but they have been active at least since the report's creation date in 2018.
Rancor has been observed conducting targeted cyber espionage campaigns, using spearphishing and other tactics to compromise victims in the South East Asia region.
Rancor's activities demonstrate a focus on targeted espionage using socially engineered lures and a variety of custom tools and techniques to infiltrate and maintain presence within victim networks. The group's use of scheduled tasks for persistence and system binary proxy execution methods indicates a sophisticated understanding of Windows environments and evasion techniques.
Rocke is an alleged Chinese-speaking cyber threat group primarily engaged in cryptojacking, which involves the unauthorized use of victim system resources for mining cryptocurrency. The group's name, "Rocke," originates from the email address "[email protected]," associated with the cryptocurrency wallet they use.
Rocke's primary objective appears to be financial gain through cryptojacking, exploiting system resources of compromised networks to mine cryptocurrency.
The group is known as Rocke, derived from their associated email address. There are also detected overlaps with the Iron Cybercrime Group, though this attribution is not definitively confirmed.
The specific location of Rocke is not detailed, but they are described as a Chinese-speaking group.
The exact date of Rocke's inception is not provided, but they have been active at least since the report's creation date in 2020.
Rocke has been observed conducting cryptojacking operations, exploiting vulnerabilities in public-facing applications, and using various techniques for persistence, defense evasion, and command and control.
Rocke's operations demonstrate a focus on financial gain through the exploitation of network resources for cryptocurrency mining. Their use of various evasion techniques, exploitation of public-facing applications, and persistence mechanisms indicate a sophisticated understanding of network environments and security evasion.
RTM is a cybercriminal group active since at least 2015, primarily targeting users of remote banking systems in Russia and neighboring countries. The group is known for its use of a Trojan, also named RTM, to conduct its operations.
RTM's primary motivation appears to be financial, focusing on the theft of funds and financial information from users of remote banking systems.
The group is known as RTM, which is also the name of the Trojan they use for their cybercriminal activities.
RTM primarily targets Russia and neighboring countries, suggesting a focus on this geographical region.
The group has been active since at least 2015.
RTM has been observed using various techniques for initial access, execution, persistence, and command and control. Their operations are characterized by the use of spearphishing, exploit kits, and remote access tools.
RTM's activities demonstrate a sophisticated understanding of banking systems and the financial sector, employing a range of techniques to evade detection, maintain persistence, and achieve their financial objectives. Their focus on remote banking systems in Russia and neighboring countries highlights a regional specialization in their operations.
Sandworm Team is a destructive cyber threat group attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), military unit 74455. Active since at least 2009, Sandworm Team is known for its high-profile cyber operations against various international targets.
The primary motivation of Sandworm Team appears to be geopolitical, conducting cyber operations that align with Russian state interests. Their activities often target governmental, energy, and infrastructural sectors in various countries.
Sandworm Team is associated with several aliases, including ELECTRUM, Telebots, IRON VIKING, BlackEnergy Group, Quedagh, Voodoo Bear, and IRIDIUM.
While the group is attributed to Russia, their operations have a global impact, targeting entities worldwide.
The group has been active since at least 2009.
Sandworm Team has been implicated in numerous high-profile cyber operations, including attacks on Ukrainian electrical companies, the worldwide NotPetya attack, targeting the 2017 French presidential campaign, the 2018 Olympic Destroyer attack, operations against the Organisation for the Prohibition of Chemical Weapons, and attacks in Georgia.
Sandworm Team's operations demonstrate a sophisticated and broad range of capabilities, from destructive attacks to espionage, impacting critical infrastructure and geopolitical landscapes. Their activities are characterized by a combination of technical sophistication and strategic targeting, aligning with Russian state interests.
Scarlet Mimic is a cyber threat group known for targeting minority rights activists. The group's activities have not been conclusively linked to a government source, but their motivations appear to overlap with those of the Chinese government. The group employs sophisticated cyber espionage tactics and has been active in its campaigns for several years.
While direct government affiliation is not established, Scarlet Mimic's operations align closely with the interests of the Chinese government, particularly in monitoring and potentially disrupting minority rights movements.
The group is primarily known as Scarlet Mimic. There is some overlap in IP addresses used by this group and Putter Panda, another known threat group, but it is unclear if they are the same entity.
The specific location of Scarlet Mimic is not disclosed, but their activities suggest an alignment with Chinese government interests.
Scarlet Mimic has been active since at least the early 2010s, with documented activities dating back several years.
The group has been observed conducting cyber espionage campaigns targeting minority rights activists. Their operations are characterized by the use of sophisticated malware and spearphishing techniques.
CallMe (S0077):
FakeM (S0076):
MobileOrder (S0079):
Psylo (S0078):
Scattered Spider is a cybercriminal group that has been active since at least 2022. They primarily target customer relationship management (CRM) and business-process outsourcing (BPO) firms, as well as telecommunications and technology companies. The group is known for leveraging targeted social-engineering techniques and attempting to bypass popular endpoint security tools.
The primary motivation of Scattered Spider appears to be gaining unauthorized access to sensitive information and systems within targeted organizations. Their focus on CRM and BPO firms, as well as telecommunications and technology companies, suggests a motive aligned with economic or industrial espionage.
Scattered Spider is the primary name of the group. They are also associated with the name Roasted 0ktapus.
The specific location of Scattered Spider is not disclosed in the provided information.
The group has been active since at least June 2022.
Scattered Spider has been observed conducting campaigns targeting specific industries with sophisticated social engineering and technical intrusion techniques.
SideCopy is a Pakistani threat group that has been active since at least 2019. The group primarily targets South Asian countries, focusing on Indian and Afghani government personnel. SideCopy is known for its infection chain that mimics the tactics of Sidewinder, a suspected Indian threat group.
The primary motivation of SideCopy appears to be espionage, particularly targeting government entities in South Asia. This aligns with geopolitical interests in the region, suggesting a focus on gathering intelligence and possibly influencing regional affairs.
The group is primarily known as SideCopy.
SideCopy is believed to be based in Pakistan.
The group has been active since at least 2019.
SideCopy has been observed engaging in sophisticated cyber espionage activities targeting government personnel in South Asia, particularly in India and Afghanistan.
Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. The group is known for targeting government, military, and business entities across Asia, with a primary focus on Pakistan, China, Nepal, and Afghanistan.
Sidewinder's activities suggest a motivation centered around espionage and intelligence gathering, particularly in regions and countries of strategic interest to India.
The group is suspected to be based in India.
Sidewinder has been active since at least 2012.
The group has been observed conducting sophisticated cyber espionage campaigns targeting a range of entities in Asia, including government and military organizations.
Silence is a financially motivated threat actor primarily targeting financial institutions in various countries. The group has been active since June 2016, with their main targets located in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan. They are known for compromising banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing systems.
Silence's primary motivation appears to be financial gain through the compromise of banking systems and financial institutions.
The specific location of Silence is not clearly identified, but their targets are primarily in Eastern Europe and Central Asia.
The group was first observed in June 2016.
Silence has been noted for its sophisticated attacks on financial institutions, compromising various banking systems and conducting operations that lead to financial theft.
Silent Librarian is a cyber threat group known for targeting research and proprietary data at universities, government agencies, and private sector companies worldwide. Active since at least 2013, the group is affiliated with the Iran-based Mabna Institute, which conducts cyber intrusions on behalf of the Iranian government, specifically the Islamic Revolutionary Guard Corps (IRGC).
The primary motivation of Silent Librarian appears to be intelligence gathering and accessing sensitive research and data, aligning with the strategic interests of the Iranian government.
While the exact location of Silent Librarian is not specified, their affiliation with the Iran-based Mabna Institute suggests an Iranian origin.
The group has been active since at least 2013.
Silent Librarian has been observed conducting extensive cyber espionage campaigns, primarily targeting academic institutions and research organizations globally.
SilverTerrier is a Nigerian threat group, active since 2014, known for its cybercriminal activities. The group primarily targets organizations in high technology, higher education, and manufacturing sectors.
SilverTerrier's primary motivation appears to be financial gain, primarily through business email compromise (BEC) campaigns.
SilverTerrier is based in Nigeria.
The group has been active since at least 2014.
SilverTerrier has been observed engaging in sophisticated cybercriminal activities, targeting various organizations for financial theft.
Sowbug is a threat group known for conducting targeted cyberattacks against organizations in South America and Southeast Asia, with a particular focus on government entities. The group has been active since at least 2015.
Sowbug's motivations appear to be centered around cyber espionage, with a focus on collecting sensitive information from government organizations.
Sowbug primarily targets organizations in South America and Southeast Asia.
Sowbug's activities have been observed since at least 2015.
Sowbug has been observed conducting cyber espionage operations, extracting sensitive documents, and engaging in various tactics to achieve its objectives.
Stealth Falcon is a threat group known for conducting targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. While there is circumstantial evidence suggesting a link between the group and the United Arab Emirates (UAE) government, this connection has not been officially confirmed.
Stealth Falcon's primary motivation is to conduct cyber espionage activities against individuals and entities it targets, including Emirati journalists, activists, and dissidents.
Stealth Falcon's operations are primarily targeted against individuals and organizations within the United Arab Emirates (UAE).
Stealth Falcon's activities have been observed since at least 2012.
Stealth Falcon has been observed employing various techniques and tactics to conduct cyber espionage, gather sensitive information, and maintain persistence within victim systems.
Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. It is associated with ProjectSauron, which refers both to the threat group (G0041) and the malware platform (S0125) used by Strider.
The primary motivation of Strider is cyber espionage, and it targets victims in multiple countries, particularly those of strategic interest.
Strider's activities have been observed in various countries, including Russia, China, Sweden, Belgium, Iran, and Rwanda.
Strider's activities have been observed since at least 2011.
Strider has been involved in various cyber espionage activities, targeting victims in different geographic regions and employing sophisticated techniques and tools.
Suckfly is a China-based threat group that has been active since at least 2014. This group is known for its cyber espionage activities and has been observed conducting targeted attacks.
The primary motivation of Suckfly is cyber espionage, and it is known for conducting attacks to gather intelligence and steal sensitive information.
Suckfly is believed to operate from China.
Suckfly's activities have been observed since at least 2014.
Suckfly has been involved in various cyber espionage campaigns, targeting organizations and individuals to gather valuable information.
APT - Group Overview: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. Known for their high-volume campaigns, TA2541 employs various techniques and tools in their cybercriminal activities.
TA2541's primary motivation is financial gain through cybercriminal activities. They target industries where valuable intellectual property and sensitive information can be monetized.
The exact location of TA2541 is not disclosed, but their cybercriminal activities are known to target organizations globally.
TA2541's activities have been observed since at least 2017.
TA2541 is known for conducting cybercriminal campaigns, particularly in the aviation, aerospace, transportation, manufacturing, and defense sectors. Their campaigns often involve the use of commodity remote access tools and various evasion techniques.
TA459 is a threat group believed to operate out of China, and it has been associated with cyber-espionage activities targeting countries such as Russia, Belarus, Mongolia, and others. Their operations have involved various techniques and tools to achieve their objectives.
TA459's primary motivation appears to be conducting cyber-espionage activities for political, economic, or strategic gains. They focus on infiltrating and gathering sensitive information from their targeted regions.
TA459 is believed to operate from China, although their activities extend beyond their home country to various international targets.
The activities of TA459 have been observed since at least April 18, 2018.
TA459 is known for conducting cyber-espionage operations, primarily through spearphishing campaigns and exploiting vulnerabilities in Microsoft Word. They have also employed various techniques and tools to gain access to and gather information from their targets.
TA505 - Group Overview
Description: TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.
Motivation: TA505 primarily engages in cybercriminal activities for financial gain. They have been associated with a wide range of cyberattacks, including phishing campaigns, ransomware attacks, and the distribution of various malware families.
Names: TA505, also associated with Hive0065.
Location: The exact location of TA505's operations is unclear, but they are known to operate on a global scale, targeting victims worldwide.
First Seen: TA505 was first observed in cyber threat landscapes in 2014.
Observed: TA505 has been actively observed and analyzed by cybersecurity researchers and organizations, with various campaigns and attacks attributed to the group.
TA505 has also used net group /domain.
Description: Matrices is a financially-motivated threat group that has been active since at least 2018. The group primarily targets English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.
Motivation: Matrices is primarily motivated by financial gain and conducts cyberattacks to achieve their monetary objectives.
Names: Matrices is also associated with the aliases "GOLD CABIN" and "Shathak."
Location: The exact location of Matrices' operations is not specified, but they target victims globally, with a focus on specific language groups.
First Seen: Matrices has been observed in the threat landscape since at least 2018.
Observed: Matrices' activities have been observed and analyzed by cybersecurity researchers and organizations. They are known for their use of various techniques and software in their campaigns.
Description: TeamTNT is a threat group that has been active since at least October 2019, primarily targeting cloud and containerized environments. Their main objective is to leverage cloud and container resources to deploy cryptocurrency miners in victim environments.
Motivation: The group's motivation appears to be financial gain through cryptocurrency mining activities.
Names: TeamTNT
Location: Global
First Seen: October 2019
Observed: Ongoing
These tools and techniques provide TeamTNT with the means to infiltrate, maintain persistence, and execute cryptocurrency mining operations in cloud and containerized environments.
Description: TEMP.Veles is a Russia-based threat group known for targeting critical infrastructure. They have been observed utilizing TRITON, a sophisticated malware framework designed to manipulate industrial safety systems.
Motivation: TEMP.Veles' primary motivation appears to be conducting cyber-espionage and potentially disrupting critical infrastructure operations.
Names: TEMP.Veles
Location: Russia
First Seen: April 16, 2019
Observed: Ongoing
These techniques and tools enable TEMP.Veles to conduct cyber-espionage and potentially disrupt critical infrastructure by manipulating industrial safety systems, making them a significant threat to national security.
Description: The White Company is a likely state-sponsored threat actor known for its advanced capabilities. From 2017 through 2018, the group conducted an espionage campaign called Operation Shaheen, primarily targeting government and military organizations in Pakistan.
Motivation: The White Company's primary motivation appears to be conducting state-sponsored cyber-espionage.
Names: The White Company
Location: Unknown
First Seen: May 2, 2019
Observed: Activities are known to have occurred until at least March 30, 2020.
The White Company's use of advanced techniques and software indicates their involvement in state-sponsored cyber-espionage, and their campaigns have primarily targeted government and military organizations in Pakistan.
Description: Threat Group-1314 is an unattributed threat group known for using compromised credentials to log into a victim's remote access infrastructure.
Motivation: The specific motivations and objectives of Threat Group-1314 are not detailed in the provided information.
Names: Threat Group-1314 (also associated with the abbreviation TG-1314)
Location: Unknown
First Seen: May 31, 2017
Observed: Activities are known to have occurred until at least March 19, 2020.
Threat Group-1314's tactics primarily involve using compromised credentials and various techniques to gain unauthorized access to remote systems and network shares, facilitating lateral movement within a victim's network. Their motivations and specific targeting information are not provided in the available data.
Description: Thrip is an espionage group known for its activities targeting satellite communications, telecoms, and defense contractor companies in the United States and Southeast Asia. The group employs custom malware and "living off the land" techniques for its operations.
Motivation: Thrip's specific motivations and objectives are not provided in the available information.
Names: Thrip
Location: Not specified, but the group has targeted organizations in the U.S. and Southeast Asia.
First Seen: October 17, 2018
Observed: Thrip's activities have been observed until at least October 12, 2021.
Thrip's tactics involve using a combination of custom malware, PowerShell, legitimate tools, and cloud-based remote access software to carry out espionage activities. Their motivations and specific targeting information remain undisclosed in the provided data.
Description: Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group known for conducting cyberattacks primarily targeting South Korea, Japan, Taiwan, and the United States since at least 2009. By 2020, the group expanded its operations to include other Asian and Eastern European countries. Tonto Team has a wide range of targets, including government, military, energy, mining, financial, education, healthcare, and technology organizations. Notable campaigns associated with Tonto Team include the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).
Motivation: Tonto Team's specific motivations and objectives are not provided in the available information.
Names: Tonto Team
Location: Suspected to be associated with China
First Seen: 2009
Observed: Tonto Team's activities have been observed until at least January 27, 2022.
Tonto Team employs a diverse set of techniques and software tools to conduct cyber espionage activities, with a particular focus on exploiting vulnerabilities and conducting spearphishing campaigns. Their motivations and specific targeting information remain undisclosed in the provided data.
Description: Transparent Tribe is a suspected Pakistan-based threat group known for its activities since at least 2013. The group primarily targets diplomatic, defense, and research organizations in India and Afghanistan. Transparent Tribe has been associated with various campaigns and has a history of using phishing attacks, malicious links, and weaponized documents to compromise its targets.
Motivation: Transparent Tribe's specific motivations and objectives are not provided in the available information.
Names: Transparent Tribe
Location: Suspected to be based in Pakistan
First Seen: Since at least 2013
Observed: Transparent Tribe's activities have been observed until at least July 2022.
Transparent Tribe employs a wide range of techniques and uses multiple software tools to conduct its cyber espionage activities, with a focus on compromising targets in India and Afghanistan. Their motivations and specific targeting information remain undisclosed in the provided data.
Description: Tropic Trooper is an unaffiliated threat group known for conducting targeted campaigns against entities in Taiwan, the Philippines, and Hong Kong. The group has a history of focusing on government, healthcare, transportation, and high-tech industries as its primary targets. Tropic Trooper's activities have been ongoing since 2011.
Motivation: The specific motivations and objectives of Tropic Trooper are not provided in the available information.
Names: Tropic Trooper
Location: Unknown
First Seen: Since 2011
Observed: Tropic Trooper's activities have been observed as of the last available data.
Tropic Trooper utilizes a wide array of techniques and software tools for its targeted campaigns, with a focus on various industries and regions. However, the group's specific motivations and goals are not provided in the available data.
Description: Turla is a sophisticated cyber espionage threat group associated with Russia's Federal Security Service (FSB). This group has been active since at least 2004 and is known for targeting various industries, including government, embassies, military, education, research, and pharmaceutical companies. Turla conducts watering hole and spearphishing campaigns and utilizes in-house tools and malware, such as Uroburos.
Motivation: Turla primarily focuses on conducting cyber espionage activities, collecting sensitive information, and advancing Russian interests on the global stage.
Names: Turla is also associated with the following groups: IRON HUNTER, Group 88, Belugasturgeon, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear.
Location: Turla's operations have been detected in over 50 countries worldwide.
First Seen: Turla was first identified and documented in 2004.
Observed: Turla's activities have been observed and documented up to August 2023.
Description: Volatile Cedar is a Lebanese threat group that has been active since 2012, targeting individuals, companies, and institutions worldwide. This group is primarily motivated by political and ideological interests.
Motivation: Volatile Cedar is motivated by political and ideological objectives, which drive its cyber activities.
Names: Volatile Cedar is also associated with the group "Lebanese Cedar."
Location: Beyond its Lebanese origin, Volatile Cedar's exact location is not publicly disclosed, but it is known to operate globally.
First Seen: Volatile Cedar was first detected in cyber activities in 2012.
Observed: Volatile Cedar's activities have been observed up to April 20, 2022.
Description: Volt Typhoon is a state-sponsored threat actor based in the People's Republic of China (PRC), known to have been active since at least 2021. This group primarily engages in espionage and information gathering activities, with a particular focus on critical infrastructure organizations in the United States, including Guam. Volt Typhoon is characterized by its emphasis on stealth in operations, employing web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials in its cyber operations.
Motivation: Volt Typhoon's primary motivation is to engage in espionage and gather sensitive information. The group's activities align with state-sponsored interests.
Names: Volt Typhoon is also associated with the group "BRONZE SILHOUETTE."
Location: Volt Typhoon is believed to operate from the People's Republic of China (PRC).
First Seen: Volt Typhoon has been active since at least 2021.
Observed: Volt Typhoon's activities have been observed as of October 3, 2023.