Admin@338, also known as Temper Panda, is a China-based cyber threat group. This APT group has been active since at least 2014 and is primarily involved in information theft and espionage 🕵️. They have a history of using newsworthy events as lures to deliver malware 💻. Their targets have largely been organizations involved in financial 💰, economic 📈, and trade policy 🌐. The group has shown a particular interest in political and economic issues in Hong Kong 🇭🇰 and China 🇨🇳, targeting Hong Kong media companies 📰 and pro-democracy movements 🗳️.

The primary motivation of Admin@338 appears to be espionage 📄, with a focus on collecting sensitive information 📊 from targeted organizations 🏢. Their activities suggest an intent to gather intelligence related to financial, economic, and trade policies, as well as political movements 🗳️, especially those related to Hong Kong's pro-democracy activities.

Admin@338 is known by several aliases 🏷️, including Temper Panda 🐼, Team338, and Magnesium. These names have been attributed to the group by various cybersecurity organizations and researchers.

The group is believed to be based in China 🇨🇳.

Admin@338 was first observed in 2014 📆.

The group has been observed targeting sectors such as Defense 🛡️, Financial 💼, Government 🏛️, Media 📺, and Think Tanks 🧠. Geographically, their activities have been primarily focused on Hong Kong 🇭🇰 and the USA 🇺🇸.

Tools Used:

Admin@338 has used a variety of tools in their operations, including but not limited to:

• Bozok
• BUBBLEWRAP
• LOWBALL
• Poison Ivy
• Techniques for 'Living off the Land' (utilizing existing software or system tools to conduct malicious activities)

Their use of these tools demonstrates a capability to employ both publicly available RATs and sophisticated, non-public backdoors for their operations.

The Admin@338 APT group, identified on the MITRE ATT&CK framework as G0018, employs a range of sophisticated techniques in their cyber operations. Here's a detailed look at some of the key techniques used by this group:

• Account Discovery (T1087.001): Admin@338 actors have used commands following the exploitation of a machine with LOWBALL malware to enumerate user accounts. This includes commands like net user >> %temp%\download and net user /domain >> %temp%\download, which help them gather information about local and domain accounts on the compromised system.
• Command and Scripting Interpreter: Windows Command Shell (T1059.003): After exploiting a machine with LOWBALL malware, the actors create a file containing a list of commands to be executed on the compromised computer. This technique allows them to perform various actions using the Windows command shell.
• Exploitation for Client Execution (T1203): Admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158. This involves taking advantage of software vulnerabilities to execute arbitrary code.
• File and Directory Discovery (T1083): The group uses commands to obtain information about files and directories after exploiting a machine. This includes commands like dir c:\ >> %temp%\download and similar commands for other directories, which helps them understand the file system layout and locate files of interest.
• Masquerading: Match Legitimate Name or Location (T1036.005): Admin@338 actors have used commands to rename one of their tools to a benign file name, such as ren "%temp%\upload" audiodg.exe. This technique helps them evade detection by making their malicious tools appear legitimate.
• Permission Groups Discovery: Local Groups (T1069.001): They use commands like net localgroup administrator >> %temp%\download following the exploitation of a machine with LOWBALL malware to list local groups. This helps them identify administrative groups and other permission sets on the compromised system.
• Phishing: Spearphishing Attachment (T1566.001): Admin@338 has sent emails with malicious Microsoft Office documents attached. This spearphishing technique is a common method for initial access, tricking users into opening malicious attachments.
• System Information Discovery (T1082): The actors use commands to obtain information about the operating system after exploiting a machine, such as ver >> %temp%\download and systeminfo >> %temp%\download. This provides them with detailed information about the compromised system.
• System Network Configuration Discovery (T1016): They acquire information about local networks using commands like ipconfig /all >> %temp%\download after exploiting a machine.
• System Network Connections Discovery (T1049): Admin@338 uses commands to display network connections, such as netstat -ano >> %temp%\download, which helps them understand the network environment of the compromised system.
• System Service Discovery (T1007): They use commands like net start >> %temp%\download to obtain information about services running on the system.
• User Execution: Malicious File (T1204.002): The group attempts to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails, a tactic that relies on user interaction to execute the malicious payload.

The Admin@338 APT group, as identified in the MITRE ATT&CK framework, uses a variety of software tools in their cyber operations. Here's a summary of the key software tools and the associated techniques they employ:

• BUBBLEWRAP (S0043):
  • Techniques: Application Layer Protocol: Web Protocols, Non-Application Layer Protocol, System Information Discovery.
  • BUBBLEWRAP is a multifunctional tool used for various purposes, including web protocol communication and system information gathering.
• ** 
  • Technique: System Network Configuration Discovery.
  • This common Windows utility is used by Admin@338 to discover network configuration details on compromised systems.
• LOWBALL (S0042):
  • Techniques: Application Layer Protocol: Web Protocols, Ingress Tool Transfer, Web Service: Bidirectional Communication.
  • LOWBALL is a malware tool used for establishing web-based communication channels and transferring tools onto targeted systems.
• Net (S0039):
  • Techniques: Account Discovery (Domain and Local Account), Create Account (Local and Domain Account), Indicator Removal (Network Share Connection Removal), Network Share Discovery, Password Policy Discovery, Permission Groups Discovery (Domain and Local Groups), Remote Services (SMB/Windows Admin Shares), Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services (Service Execution), System Time Discovery.
  • The Net utility is used extensively for a range of activities from account discovery to system service manipulation.
• netstat (S0104):
  • Technique: System Network Connections Discovery.
  • Admin@338 uses netstat to discover network connections on compromised systems, aiding in their reconnaissance efforts.
• PoisonIvy (S0012):
  • Techniques: Application Window Discovery, Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Active Setup), Command and Scripting Interpreter (Windows Command Shell), Create or Modify System Process (Windows Service), Data from Local System, Data Staged (Local Data Staging), Encrypted Channel (Symmetric Cryptography), Ingress Tool Transfer, Input Capture (Keylogging), Modify Registry, Obfuscated Files or Information, Process Injection (Dynamic-link Library Injection), Rootkit.
  • PoisonIvy is a well-known Remote Access Trojan (RAT) used for a wide range of malicious activities, from data theft to system manipulation.
• Systeminfo (S0096):
  • Technique: System Information Discovery.
  • This tool is used to gather detailed information about the operating system and hardware configurations of compromised systems.

In summary, Admin@338 is a sophisticated cyber espionage group, primarily focusing on political and economic intelligence gathering, with a strategic emphasis on targets in Hong Kong and the United States. Their operations, marked by a diverse array of cyber tools and techniques, underscore their significant role in the realm of cyber threats and espionage. Demonstrating a highly sophisticated approach, Admin@338 leverages various methods to infiltrate, explore, and extract valuable information from their targets, showcasing their adeptness in navigating and exploiting digital environments for espionage purposes.

Ajax Security Team (AST), active since at least 2010, is a cyber threat group believed to be operating out of Iran 🇮🇷. Initially known for website defacement operations, by 2014, AST transitioned to malware-based cyber espionage campaigns 💻. Their primary targets have been the US defense industrial base 🛡️ and Iranian users of anti-censorship technologies 🌐. The group is notably associated with Operation Saffron Rose.

Ajax Security Team's shift from website defacement to cyber espionage indicates a strategic evolution in their objectives 📄. Their focus on the US defense industry 🏢 and anti-censorship users in Iran 🇮🇷 suggests motivations rooted in political and strategic espionage, likely aimed at gaining intelligence 🕵️ and exerting control over information flow 🌐.

Apart from Ajax Security Team, the group is associated with several other names 🏷️, including Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, and Operation Saffron Rose. These aliases reflect the diverse nature of their operations and campaigns.

The group is believed to be based in Iran 🇮🇷, aligning with their targeting patterns and the geopolitical interests reflected in their activities 🌐.

AST's activities date back to at least 2010 📆, marking over a decade of their presence in the cyber threat landscape.

Ajax Security Team has conducted operations against the US defense industry 🛡️ and energy sectors of Middle Eastern countries 🏭, including corporations like Saudi Aramco and Qatar's RasGas. Their shift to more sophisticated cyber espionage tactics marks a significant evolution in their operational capabilities 🌐.

Tools Used:

• Stealer: Developed by AST, Stealer is a powerful spyware capable of stealing sensitive information, including keystrokes and screenshots. It stores the data on the victim's computer before sending it to a command and control (C2) server.
  
• Havij: An automated SQL injection tool distributed by ITSecTeam, an Iranian security company. Released in 2010, Havij is known for its high success injection rate of over 95%. It offers both free and commercial editions and is considered a forerunner of automated SQL injection tools.

  Techniques Used by Ajax Security Team:

• Credentials from Password Stores: Credentials from Web Browsers (T1555.003):
  • The group has used FireMalv, a custom-developed malware, to collect passwords from the Firefox browser storage. This technique involves accessing and extracting stored credentials from web browsers.
• Ingress Tool Transfer (T1105):
  • Ajax Security Team has utilized Wrapper/Gholee, another custom-developed malware, which is capable of downloading additional malware onto the infected system. This technique is crucial for establishing a foothold and expanding control within the target system.
• Input Capture: Keylogging (T1056.001):
  • The group has deployed CWoolger and MPK, custom-developed malware, to record all keystrokes on an infected system. Keylogging is a common method for capturing sensitive information, including passwords and other confidential data.
• Phishing: Spearphishing Attachment (T1566.001):
  • Personalized spearphishing attachments have been used by Ajax Security Team. This method involves sending targeted emails with malicious attachments to trick victims into compromising their systems.
• Phishing: Spearphishing via Service (T1566.003):
  • The group has employed various social media channels to spearphish victims, using these platforms to deliver targeted phishing messages.
• User Execution: Malicious File (T1204.002):
  • Victims have been lured by Ajax Security Team into executing malicious files. This technique relies on social engineering to convince users to run files that compromise their systems.

    Software Used by Ajax Security Team:

• Havij (S0224):
  • Techniques: Exploit Public-Facing Application.
  • Havij is an automated SQL injection tool known for its high success rate in exploiting vulnerabilities in web applications. It's used to gain unauthorized access to databases through SQL injection.
• sqlmap (S0225):
  • Techniques: Exploit Public-Facing Application.
  • Similar to Havij, sqlmap is another tool for automating the process of detecting and exploiting SQL injection flaws. It's used to compromise databases and extract data from them.

In summary, the Ajax Security Team employs a combination of custom-developed malware and well-known exploitation tools to conduct their cyber espionage activities. Their techniques range from sophisticated phishing operations to keylogging and exploiting web application vulnerabilities, demonstrating their capability to adapt and employ various methods for intelligence gathering and system compromise.

ALLANITE, also known as Palmetto Fusion, is a cyber espionage group that focuses on accessing business and industrial control (ICS) networks 🏭. The group conducts reconnaissance 🕵️ and gathers intelligence, particularly in the United States 🇺🇸 and United Kingdom 🇬🇧 electric utility sectors ⚡. ALLANITE's operations are characterized by their focus on understanding operational environments and developing capabilities that could potentially disrupt electric utilities. However, their activities have so far been limited to information gathering without demonstrating any disruptive or damaging capabilities. The group is known for conducting malware-less operations 🦠, primarily leveraging legitimate and available tools in the Windows operating system 💻.

The primary motivation of ALLANITE appears to be espionage 📄, with a specific interest in the electric utility sector ⚡. Their activities suggest an intent to understand and potentially develop capabilities to disrupt operations in this sector. The group's focus on maintaining access to ICS networks indicates a strategic interest in the operational aspects of electric utilities.

ALLANITE is also known as Palmetto Fusion 🏷️.

ALLANITE is a suspected Russian 🇷🇺 cyber espionage group.

ALLANITE has been active at least since May 2017 📆, as reported by the industrial cybersecurity firm Dragos.

ALLANITE has primarily targeted the electric utility sector within the United States 🇺🇸 and the United Kingdom 🇬🇧. Their tactics and techniques are reportedly similar to those of the Dragonfly group 🌐.

ALLANITE uses email phishing campaigns and compromised websites, known as watering holes, to steal credentials and gain access to target networks. This includes collecting and distributing screenshots of industrial control systems. The group conducts operations without relying on traditional malware, instead using legitimate tools available in the Windows operating system. There are no specific malware families currently associated with ALLANITE.

techniques used by ALLANITE:

• Drive-by Compromise (ICS T0817):
  • ALLANITE leverages watering hole attacks as a method to gain access to electric utilities. In these attacks, the group compromises websites frequently visited by their target audience. When users visit these infected sites, malware is silently downloaded onto their systems, providing ALLANITE with unauthorized access.
• Screen Capture (ICS T0852):
  • The group has been identified collecting and distributing screenshots of ICS systems, such as Human-Machine Interfaces (HMIs). This technique allows them to visually capture and analyze information displayed on screens within the targeted industrial control systems, providing insights into operational details and potentially sensitive data.
• Spearphishing Attachment (ICS T0865):
  • ALLANITE has utilized spearphishing emails to gain access to environments within the energy sector. These emails contain malicious attachments that, when opened, can install malware or provide backdoor access to the attackers. Spearphishing is a targeted approach, often using social engineering to trick specific individuals into compromising their systems.
• Valid Accounts (ICS T0859):
  • The group also uses credentials collected through phishing and watering hole attacks. By obtaining legitimate user credentials, ALLANITE can gain unauthorized access to systems and networks while appearing as a legitimate user. This technique reduces the likelihood of detection and allows for deeper penetration into the targeted infrastructure.

These techniques demonstrate ALLANITE's sophisticated approach to cyber espionage, focusing on stealth and the effective use of social engineering and legitimate credentials to infiltrate and gather intelligence from critical infrastructure sectors. Their methods underscore the importance of robust cybersecurity measures in protecting against such advanced threat actors.

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. The group is primarily focused on conducting destructive attacks against South Korean government agencies 🏛️, military organizations ⚔️, and various domestic companies 🏢. Additionally, Andariel has engaged in cyber financial operations targeting ATMs 💰, banks 🏦, and cryptocurrency exchanges 🪙. Their notable activities include Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. Andariel is considered a subset of the Lazarus Group 🕵️‍♂️ and is attributed to North Korea's Reconnaissance General Bureau 🏢. It's important to note that North Korean group definitions often overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking individual clusters or subgroups.

Andariel's operations are motivated by both political and financial objectives. Their attacks against South Korean entities are likely driven by geopolitical tensions between North and South Korea 🌏. The cyber financial operations suggest a motive of financial gain 💸, particularly through attacks on financial institutions and cryptocurrency platforms.

Andariel is primarily known by this name but is also recognized as a subset of the Lazarus Group 🏷️.

Andariel is a North Korean state-sponsored group 🇰🇵.

The group has been active since at least 2009 📆.

Andariel has been observed targeting South Korean government agencies, military organizations, domestic companies, ATMs, banks, and cryptocurrency exchanges 🏛️⚔️🏢💰🏦🪙. Their operations have included both destructive attacks and cyber financial crimes.

Specific tools used by Andariel were not detailed in the provided source. However, given their affiliation with the Lazarus Group and the nature of their operations, it is likely that they use a range of sophisticated cyber tools and techniques for both destructive attacks and financial theft 💻.

• Data from Local System (T1005): Andariel has been known to collect a large number of files from compromised network systems for later extraction.
  
• Drive-by Compromise (T1189): The group uses watering hole attacks, often with zero-day exploits, to gain initial access to victims within specific IP ranges.
  
• Exploitation for Client Execution (T1203): Andariel exploits numerous ActiveX vulnerabilities, including zero-days, for executing malicious code on victim systems.
  
• Gather Victim Host Information: Software (T1592.002): They insert malicious scripts within compromised websites to collect information such as browser type, system language, Flash Player version, and more.
  
• Gather Victim Network Information: IP Addresses (T1590.005): The group's watering hole attacks are tailored to specific IP address ranges.
  
• Ingress Tool Transfer (T1105): Andariel downloads additional tools and malware onto compromised hosts.
  
• Obfuscated Files or Information: Steganography (T1027.003): The group has hidden malicious executables within PNG files.
  
• Obtain Capabilities: Malware (T1588.001): They use a variety of publicly available remote access Trojans (RATs) for their operations.
  
• Phishing: Spearphishing Attachment (T1566.001): Andariel conducts spearphishing campaigns with malicious Word or Excel attachments.
  
• Process Discovery (T1057): The group uses the tasklist command to enumerate processes and find specific strings.
  
• System Network Connections Discovery (T1049): Andariel uses the netstat -naop tcp command to display TCP connections on a victim's machine.
  
• User Execution: Malicious File (T1204.002): They attempt to lure victims into enabling malicious macros within email attachments.

  Software Used by Andariel:

• gh0st RAT (S0032):
  • Techniques: This RAT is used for a range of activities including boot or logon autostart execution, command and scripting interpreter, creating or modifying system processes, data encoding, deobfuscating/decoding information, dynamic resolution, encrypted channels, hijack execution flow, indicator removal, ingress tool transfer, input capture, process discovery, process injection, query registry, screen capture, shared modules, system information discovery, and more.
• Rifdoor (S0433):
  • Techniques: Rifdoor is employed for boot or logon autostart execution, encrypted channels, obfuscated files or information, phishing via spearphishing attachments, system information discovery, system network configuration discovery, system owner/user discovery, and user execution of malicious files.

In summary, Andariel's cyber operations are characterized by a diverse range of sophisticated techniques and software tools. These include exploiting vulnerabilities, conducting spearphishing campaigns, using steganography for obfuscation, and employing RATs like gh0st RAT and Rifdoor. Their approach demonstrates a high level of sophistication and adaptability in executing cyber espionage and cyber warfare activities.

Aoqin Dragon is a cyber espionage group suspected to be of Chinese origin 🇨🇳. Active since at least 2013, they have primarily targeted government 🏛️, education 🎓, and telecommunication organizations 📡 in Australia 🇦🇺, Cambodia 🇰🇭, Hong Kong 🇭🇰, Singapore 🇸🇬, and Vietnam 🇻🇳. The group is known for its sophisticated cyber operations, focusing on espionage 🕵️‍♂️ and information theft 💼. Aoqin Dragon is noted for its use of document exploits 📄 and fake removable devices, such as USB drives 🖇️, for initial access into target systems.

The primary motivation of Aoqin Dragon appears to be espionage 🕵️‍♂️, with a focus on collecting sensitive information 📰 from targeted organizations. Their activities suggest an intent to gather intelligence related to government, education, and telecommunication sectors 📚📡 in Southeast Asia and Australia.

Aoqin Dragon is also potentially associated with UNC94, based on similarities in malware, infrastructure, and targets 🏷️.

The group is believed to be based in China 🇨🇳.

Aoqin Dragon has been active since at least 2013 📆.

The group has targeted a variety of sectors, with a particular focus on government, education, and telecommunication organizations 🏛️🎓📡 in Southeast Asia and Australia. Their operations are characterized by the use of sophisticated cyber techniques and tools 💻.

Aoqin Dragon employs a range of tools in their operations, including document exploits 📄 and fake removable devices like USB drives 🖇️. These tools are used for initial access and subsequent operations within the target networks 🏢💼.

Aoqin Dragon: Techniques and Software

Techniques Used by Aoqin Dragon:

• Develop Capabilities: Malware (T1587.001): Aoqin Dragon has developed custom malware, including Mongall and Heyoka Backdoor, for their cyber operations.
• Exploitation for Client Execution (T1203): The group has exploited vulnerabilities like CVE-2012-0158 and CVE-2010-3333 to execute code on targeted systems.
• File and Directory Discovery (T1083): They have utilized scripts to identify specific file formats, including Microsoft Word documents, within target networks.
• Lateral Tool Transfer (T1570): Aoqin Dragon spreads malware across target networks by copying modules into folders disguised as removable devices.
• Masquerading: Match Legitimate Name or Location (T1036.005): The group has used fake icons, such as antivirus and external drive symbols, to disguise malicious payloads.
• Obfuscated Files or Information: Software Packing (T1027.002): They have employed the Themida packer to obfuscate their malicious payloads, making detection more difficult.
• Obtain Capabilities: Tool (T1588.002): Aoqin Dragon obtained and modified the Heyoka open-source exfiltration tool for their operations.
• Replication Through Removable Media (T1091): The group has used a dropper that employs a worm infection strategy, using removable devices to penetrate secure network environments.
• User Execution: Malicious File (T1204.002): They have tricked victims into opening weaponized documents and fake external drives or antivirus software to execute malicious payloads.

Software Used by Aoqin Dragon:

• Heyoka Backdoor (S1027):
  • Techniques: Application Layer Protocol: DNS, Boot or Logon Autostart Execution, Deobfuscate/Decode Files or Information, File and Directory Discovery, Indicator Removal, Masquerading, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Process Injection, Protocol Tunneling, System Binary Proxy Execution, System Information Discovery, System Service Discovery, User Execution.
  • Heyoka Backdoor is a sophisticated tool used for various malicious activities, including data exfiltration and system information discovery.
• Mongall (S1026):
  • Techniques: Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution, Data Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel, Exfiltration Over C2 Channel, Ingress Tool Transfer, Obfuscated Files or Information, Peripheral Device Discovery, Process Injection, System Binary Proxy Execution, System Information Discovery, User Execution.
  • Mongall is a multifunctional malware used for data theft, system information discovery, and maintaining persistent access in compromised systems.

Aoqin Dragon's use of these techniques and software tools demonstrates their sophisticated approach to cyber espionage. They leverage a variety of methods to infiltrate, explore, and extract valuable information from their targets, showcasing their adeptness in navigating and exploiting digital environments for espionage purposes.

• Command and Scripting Interpreter: Visual Basic (T1059.005): Embedding VBScript within malicious Word documents that execute upon opening.
  
• Ingress Tool Transfer (T1105): Downloading binary data from a specified domain after opening a malicious document.
  
• Masquerading: Masquerade Task or Service (T1036.004): Disguising scheduled tasks as those used by Google.
  
• Non-Standard Port (T1571): Using port 4050 for C2 communications.
  
• Obfuscated Files or Information (T1027): Using ConfuserEx to obfuscate variants of Imminent Monitor, compress payloads, and password-protect email attachments for evasion.
  
• Obtain Capabilities: Tool (T1588.002): Utilizing a modified variant of Imminent Monitor.
  
• Phishing: Spearphishing Attachment (T1566.001): Employing spearphishing emails with password-protected RAR attachments.
  
• Scheduled Task/Job: Scheduled Task (T1053.005): Using macro functions to set scheduled tasks, disguised as those used by Google.
  
• User Execution: Malicious File (T1204.002): Prompting victims to accept macros to execute the payload. Software Used by APT-C-36 (Blind Eagle)

  Imminent Monitor (ID: S0434)

  Imminent Monitor is a sophisticated Remote Access Trojan (RAT) used by APT-C-36 in their cyber operations. This tool exhibits a wide array of capabilities, making it a versatile choice for the group's espionage activities. The key techniques associated with Imminent Monitor include:
  
• Audio Capture: Ability to record audio from the compromised system's microphone.
  
• Command and Scripting Interpreter: Executing commands and scripts for various malicious purposes.
  
• Credentials from Password Stores: Credentials from Web Browsers: Extracting stored credentials from web browsers.
  
• Deobfuscate/Decode Files or Information: Unraveling obfuscated data or files to reveal their true content.
  
• Exfiltration Over C2 Channel: Transmitting stolen data back to the command and control (C2) server.
  
• File and Directory Discovery: Scanning the compromised system to locate files and directories of interest.
  
• Hide Artifacts: Hidden Files and Directories: Concealing files and directories to evade detection.
  
• Impair Defenses: Disable or Modify Tools: Disabling or altering security tools to prevent detection.
  
• Indicator Removal: File Deletion: Deleting files to remove evidence of the intrusion.
  
• Input Capture: Keylogging: Recording keystrokes to capture sensitive information like passwords and other credentials.
  
• Native API: Using native system application programming interfaces for various malicious activities.
  
• Obfuscated Files or Information: Employing techniques to make files or information difficult to analyze.
  
• Process Discovery: Identifying and analyzing running processes on the compromised system.
  
• Remote Services: Remote Desktop Protocol: Utilizing RDP for remote access and control over the compromised system.
  
• Resource Hijacking: Misusing system resources for malicious purposes, such as cryptocurrency mining.
  
• Video Capture: Recording video from the compromised system's camera.
  

Imminent Monitor's diverse functionalities enable APT-C-36 to conduct comprehensive espionage operations, ranging from data theft to surveillance. Its ability to remain undetected and manipulate system processes makes it a potent tool for cyber espionage campaigns.

APT3, also known as UPS Team, Buckeye, Gothic Panda, and TG-0110, is a sophisticated cyber espionage group believed to be based in China. This group has been active since at least 2009 and is known for its advanced persistent threats (APT) targeting a variety of sectors worldwide, including government, defense, technology, and telecommunications.

APT3's primary motivation appears to be espionage, likely driven by national and economic interests. Their activities suggest an intent to gather intelligence and potentially steal intellectual property or sensitive government and military information.

APT3 is known by various aliases, including UPS Team, Buckeye, Gothic Panda, and TG-0110. These names have been attributed to the group by different cybersecurity organizations and researchers.

APT3 is believed to be operating out of China.

APT3 has been active since at least 2009.

APT3 has targeted a wide range of sectors, including government, defense, technology, and telecommunications, with a global focus. Their operations have been observed in multiple countries, indicating a broad and diverse set of targets.

APT3: Techniques and Software

Below is a detailed overview of the techniques and software used by APT3:

APT 30, also known as Override Panda, is a cyber espionage group suspected to be associated with the Chinese government. This group has been active since at least 2005 and is known for its decade-long operation focused predominantly on entities in Southeast Asia and India. APT 30 is notable for its sustained activity and regional focus, as well as its success in espionage despite maintaining relatively consistent tools, tactics, and infrastructure over a long period.

The primary objective of APT 30 appears to be data theft, particularly targeting government and commercial entities holding key political, economic, and military information about the region. Unlike many cyber threat groups, APT 30 does not seem to be motivated by financial gain, as they have not been observed targeting data that can be readily monetized, such as credit card data or bank transfer credentials. Instead, their tools are designed to identify and steal documents, showing an interest in documents that may be stored on air-gapped networks.

APT 30 is also known as Override Panda. The group has been identified under different names by various cybersecurity organizations.

APT 30 is suspected to be associated with the Chinese government, indicating that their operations are likely based in China.

APT 30 has been active since at least 2005, engaging in cyber espionage activities for over a decade.

APT 30 has shown a distinct interest in organizations and governments associated with the Association of Southeast Asian Nations (ASEAN), especially around the time of official ASEAN meetings. Their decoy documents often relate to Southeast Asia, India, border areas, and broader security and diplomatic issues. In addition to their focus on Southeast Asia and India, APT 30 has also targeted journalists reporting on issues considered focal points for the Chinese Communist Party, such as corruption, the economy, and human rights.

• Phishing: Spearphishing Attachment (T1566.001): APT30 has utilized spearphishing emails with malicious DOC attachments. This technique involves sending targeted emails that contain malicious attachments to trick recipients into opening them, thereby compromising their systems.
  
• User Execution: Malicious File (T1204.002): The group relies on users executing malicious file attachments delivered via spearphishing emails. This tactic depends on user interaction to initiate the execution of the malicious payload.

  Software Tools Used by APT 30

• BACKSPACE (S0031):
  • Techniques: Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Shortcut Modification), Command and Scripting Interpreter (Windows Command Shell), Data Encoding (Non-Standard Encoding), Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses (Disable or Modify System Firewall), Modify Registry, Multi-Stage Channels, Process Discovery, Proxy (Internal Proxy), Query Registry, System Information Discovery.
  • Usage: BACKSPACE is a multifunctional tool used for various purposes, including communication over web protocols, data encoding, and exfiltration.
• FLASHFLOOD (S0036):
  • Techniques: Archive Collected Data (Archive via Custom Method), Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder), Data from Local System, Data from Removable Media, Data Staged (Local Data Staging), File and Directory Discovery.
  • Usage: FLASHFLOOD is employed for data collection and staging, including archiving data using custom methods and extracting data from local and removable media.
• NETEAGLE (S0034):
  • Techniques: Application Layer Protocol, Web Protocols, Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder), Command and Scripting Interpreter (Windows Command Shell), Dynamic Resolution, Encrypted Channel (Symmetric Cryptography), Exfiltration Over C2 Channel, Fallback Channels, File and Directory Discovery, Non-Application Layer Protocol, Process Discovery.
  • Usage: NETEAGLE is a sophisticated tool used for encrypted communication, dynamic resolution, and data exfiltration.
• SHIPSHAPE (S0028):
  • Techniques: Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Shortcut Modification), Replication Through Removable Media.
  • Usage: SHIPSHAPE is used for persistence and replication, particularly through the use of removable media.
• SPACESHIP (S0035):
  • Techniques: Archive Collected Data (Archive via Custom Method), Boot or Logon Autostart Execution (Registry Run Keys / Startup Folder, Shortcut Modification), Data Staged (Local Data Staging), Exfiltration Over Physical Medium (Exfiltration over USB), File and Directory Discovery.
  • Usage: SPACESHIP focuses on data archiving, staging, and exfiltration, particularly over physical mediums like USB.

These techniques and tools demonstrate APT 30's capabilities in conducting targeted cyber espionage operations, particularly focused on information gathering, document theft, and exploiting user interactions to compromise systems.

APT32, also known as the OceanLotus Group, is a Vietnam-based threat group. It was founded in 2014 and has primarily targeted journalists, dissidents, large private enterprises, and government organizations in Southeast Asia. The group's activities have been concentrated within Vietnam, the Philippines, Cambodia, and Laos. APT32's operations often align with Vietnamese state interests, raising questions about potential nation-state sponsorship.

APT32's motivations appear to be closely aligned with Vietnamese state interests. They have targeted foreign corporations in key commercial sectors such as manufacturing, hospitality, and consumer products, which are significant to Vietnam's economy. Additionally, they have targeted network security and technology corporations, as well as dissidents and journalists, indicating a focus on both economic and political espionage.

APT32 is also known as the OceanLotus Group.

APT32 is based in Vietnam.

APT32 was first identified in 2014.

APT32 has been involved in various cyber espionage activities, including:

• Targeting and compromising a European corporation involved in building manufacturing facilities in Vietnam (2014).
  
• Compromising Vietnamese and foreign corporations in network security, technology infrastructure, media, and banking (2016).
  
• Targeting a large hospitality industry company expanding operations into Vietnam (2016).
  
• Targeting U.S. and Philippine consumer products corporations with operations in Vietnam for spyware and data exfiltration activities.
  
• Conducting spyware attacks on Vietnam-based and non-profit human rights organizations.

  Techniques Used by APT32

• Account Discovery: Local Account (T1087.001): APT32 used commands like net localgroup administrators to enumerate administrative users.
  
• Acquire Infrastructure: Domains (T1583.001) and Web Services (T1583.006): APT32 set up websites for information gathering and malware delivery, and used services like Dropbox, Amazon S3, and Google Drive for hosting malicious downloads.
  
• Application Layer Protocol (T1071): They used JavaScript for communication over HTTP/HTTPS to attacker-controlled domains and downloaded encrypted payloads.
  
• Archive Collected Data (T1560): APT32's backdoor utilized LZMA compression and RC4 encryption before data exfiltration.
  
• Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): They established persistence using Registry Run keys for executing scripts and their backdoor.
  
• Command and Scripting Interpreter (T1059): APT32 used various scripting methods including PowerShell, cmd.exe, Visual Basic, and JavaScript for execution and C2 communications.
  
• Create or Modify System Process: Windows Service (T1543.003): They modified Windows Services for loading scripts and establishing persistence.
  
• Drive-by Compromise (T1189): Victims were infected by visiting compromised websites.
  
• Exploitation for Client Execution (T1203) and Privilege Escalation (T1068): APT32 exploited vulnerabilities like CVE-2017-11882 and CVE-2016-7255.
  
• File and Directory Discovery (T1083): Their backdoor could list files and directories on infected machines.
  
• Gather Victim Identity Information (T1589): APT32 targeted activists and bloggers for surveillance.
  
• Hide Artifacts (T1564): They used various methods to hide their activities, including hidden files, windows, and NTFS file attributes.
  
• Hijack Execution Flow: DLL Side-Loading (T1574.002): APT32 used legitimately-signed executables to load malicious DLLs.
  
• Indicator Removal (T1070): They cleared event logs, deleted files, and used timestomping to hide their tracks.
  
• Ingress Tool Transfer (T1105): APT32 added JavaScript to websites for downloading additional frameworks.
  
• Input Capture: Keylogging (T1056.001): They monitored and captured account password changes.
  
• Lateral Tool Transfer (T1570): Tools were deployed using administrative accounts after moving laterally.
  
• Masquerading (T1036): APT32 disguised their tools and activities, including renaming utilities and using hidden characters.
  
• Modify Registry (T1112): Their backdoor modified the Windows Registry for storing configuration.
  
• Network Service Discovery (T1046) and Network Share Discovery (T1135): APT32 performed network scanning and discovered network shares.
  
• Non-Standard Port (T1571): Their backdoor used HTTP over non-standard TCP ports.
  
• Obfuscated Files or Information (T1027): APT32 used various obfuscation techniques including Base64 encoding and code obfuscation frameworks.
  
• Obtain Capabilities: Tool (T1588.002): They obtained and used tools like Mimikatz and Cobalt Strike.
  
• Office Application Startup (T1137): APT32 replaced Microsoft Outlook's VbaProject.OTM file for installing a backdoor.
  
• OS Credential Dumping (T1003): They used tools like Mimikatz for harvesting credentials.
  
• Phishing: Spearphishing Attachment (T1566.001) and Link (T1566.002): APT32 sent spearphishing emails with malicious attachments and links.
  
• Process Injection (T1055): Their malware injected a Cobalt Strike beacon into Rundll32.exe.
  
• Query Registry (T1012): The backdoor queried the Windows Registry for system information.
  
• Remote Services: SMB/Windows Admin Shares (T1021.002): APT32 used hidden network shares for copying tools to remote machines.
  
• Remote System Discovery (T1018): They enumerated domain controllers and used the ping command for discovery.
  
• Scheduled Task/Job: Scheduled Task (T1053.005): APT32 used scheduled tasks for persistence.
  
• Server Software Component: Web Shell (T1505.003): They used Web shells for maintaining access to victim websites.
  
• Software Deployment Tools (T1072): APT32 compromised software deployment tools for lateral movement.
  
• Stage Capabilities (T1608): They hosted malicious payloads in cloud storage services.
  
• System Binary Proxy Execution (T1218): APT32 used various system binaries like mshta.exe and regsvr32.exe for execution.
  
• System Information Discovery (T1082): They collected information about the OS version, computer name, and other system details.
  
• System Network Configuration Discovery (T1016): APT32 used the ipconfig command for gathering IP addresses.
  
• System Network Connections Discovery (T1049): They used netstat to display TCP connections.
  
• System Owner/User Discovery (T1033): APT32 collected usernames and executed the whoami command.
  
• System Script Proxy Execution: PubPrn (T1216.001): They used PubPrn.vbs within execution scripts.
  
• System Services: Service Execution (T1569.002): Their backdoor used Windows services for executing payloads.
  
• Unsecured Credentials: Credentials in Registry (T1552.002): APT32 harvested credentials stored in the Windows registry.
  
• Use Alternate Authentication Material: Pass the Hash (T1550.002) and Pass the Ticket (T1550.003): They used techniques like pass the hash and pass the ticket for lateral movement.
  
• User Execution: Malicious Link (T1204.001) and File (T1204.002): APT32 lured targets to download malicious payloads through spearphishing.
  
• Valid Accounts: Local Accounts (T1078.003): They used legitimate local admin account credentials.
  
• Web Service (T1102): APT32 used cloud storage services for hosting malicious downloads.
  
• Windows Management Instrumentation (T1047): They used WMI for deploying tools and gathering information.

  Software Used by APT32

• Arp (S0099): Used for remote system discovery and network configuration discovery.
  
• Cobalt Strike (S0154): A versatile tool used for a wide range of activities including command execution, data exfiltration, and credential dumping.
  
• Denis (S0354): Used for various purposes including command execution, data encoding, and obfuscation.
  
• Goopy (S0477): Employed for DNS communication, data exfiltration, and DLL side-loading.
  
• ipconfig (S0100): Used for system network configuration discovery.
  
• Kerrdown (S0585): Utilized for command execution, data obfuscation, and phishing.
  
• KOMPROGO (S0156): Used for command execution and system information discovery.
  
• Mimikatz (S0002): A well-known tool for credential dumping and manipulation.
  
• Net (S0039): Used for account discovery, remote services, and system discovery.
  
• netsh (S0108): Employed for event-triggered execution and impairing defenses.
  
• OSX_OCEANLOTUS.D (S0352): A macOS backdoor used for data exfiltration and system process modification.
  
• PHOREAL (S0158): Used for command execution and registry modification.
  
• RotaJakiro (S1078): A tool for automated collection and boot or logon autostart execution.
  
• SOUNDBITE (S0157): Employed for DNS communication and system information discovery.
  
• WINDSHIELD (S0155): Used for indicator removal, query registry, and system information discovery.
  

APT32's use of a wide range of sophisticated techniques and software demonstrates their capability to conduct complex cyber espionage operations. Their methods are diverse, covering everything from initial access and persistence to data exfiltration and covering their tracks.

Description:

APT33, a cyber espionage group, is known for its sophisticated cyber operations targeting a variety of sectors. Their activities primarily focus on espionage and data exfiltration, often targeting organizations in the aviation, energy, and government sectors. APT33 is recognized for its advanced techniques and persistent approach in cyber operations.

Motivation:

The primary motivation of APT33 appears to be espionage, with a strong focus on gathering sensitive information and intellectual property from targeted industries and government entities. Their activities suggest an intent to support national strategic objectives, likely for a state-sponsored purpose.

Names:

APT33 is also known by other monikers such as Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35. These aliases have been used by various cybersecurity organizations to describe the group's activities and operations.

Location:

APT33 is believed to be operating out of Iran.

First Seen:

The group has been active since at least 2013, engaging in numerous sophisticated cyber espionage campaigns.

Observed Activities:

APT33 has been observed targeting a wide range of sectors, including but not limited to aviation, energy, and government organizations. Their activities have been primarily focused on espionage and intellectual property theft.

APT33 Techniques and Software

• Abuse Elevation Control Mechanism (T1548.002): APT37 uses methods to bypass Windows User Account Control (UAC), allowing the execution of payloads with higher privileges.
  
• Application Layer Protocol (T1071.001): The group uses HTTPS to conceal command and control (C2) communications, making detection more challenging.
  
• Audio Capture (T1123): APT37 employs SOUNDWAVE, an audio capturing utility, to record microphone input, likely for surveillance purposes.
  
• Boot or Logon Autostart Execution (T1547.001): They achieve persistence by adding entries in the Registry key HKCU\Software\Microsoft\CurrentVersion\Run.
  
• Command and Scripting Interpreter (T1059): The group uses various scripting languages like Ruby, Python, and Visual Basic to execute payloads and perform malicious activities.
  
• Credentials from Password Stores (T1555.003): APT37 uses ZUMKONG, a credential stealer, to harvest usernames and passwords from web browsers.
  
• Data from Local System (T1005): The group collects sensitive data from victims' local systems.
  
• Disk Wipe (T1561.002): They have access to destructive malware capable of overwriting the Master Boot Record (MBR), potentially rendering the infected systems inoperable.
  
• Drive-by Compromise (T1189): APT37 uses compromised websites, especially South Korean sites, and torrent file-sharing sites to distribute malware.
  
• Exploitation for Client Execution (T1203): The group exploits vulnerabilities in popular software like Flash Player, Word, Internet Explorer, and Microsoft Edge for execution.
  
• Ingress Tool Transfer (T1105): APT37 downloads second-stage malware from compromised websites.
  
• Inter-Process Communication (T1559.002): The group uses Windows DDE for command execution and malicious scripting.
  
• Masquerading (T1036.001): They sign their malware with invalid digital certificates to appear legitimate.
  
• Native API (T1106): APT37 leverages Windows API calls for process injection.
  
• Obfuscated Files or Information (T1027): The group obfuscates strings and payloads to evade detection.
  
• Peripheral Device Discovery (T1120): APT37 uses a Bluetooth device harvester to find information on connected Bluetooth devices.
  
• Phishing (T1566.001): They deliver malware using spearphishing emails with malicious attachments.
  
• Process Discovery (T1057): The group's Freenki malware lists running processes using the Windows API.
  
• Process Injection (T1055): APT37 injects its ROKRAT malware into the cmd.exe process for stealthy execution.
  
• Scheduled Task/Job (T1053.005): They create scheduled tasks to run malicious scripts on compromised hosts.
  
• System Information Discovery (T1082): APT37 collects detailed system information like computer name and BIOS model.
  
• System Owner/User Discovery (T1033): The group identifies the victim's username.
  
• System Shutdown/Reboot (T1529): APT37 uses malware that can reboot a system after wiping its MBR.
  
• User Execution (T1204.002): The group sends spearphishing attachments to trick users into executing malicious files.
  
• Web Service (T1102.002): APT37 uses social networking sites and cloud platforms for C2 communications.

  Software Used by APT37

• BLUELIGHT: A multifunctional malware tool used for data exfiltration, screen capture, and information gathering.
  
• Cobalt Strike: A commercial penetration testing tool repurposed for malicious activities, including command and control.
  
• CORALDECK: A tool used for data exfiltration and file discovery.
  
• DOGCALL: A multifunctional tool capable of audio capture, keylogging, screen capture, and bidirectional communication.
  
• Final1stspy: A tool used for information gathering and obfuscation.
  
• HAPPYWORK: A tool for system information discovery and data transfer.
  
• KARAE: Used in drive-by compromises and for system information discovery.
  
• NavRAT: A tool for command execution, keylogging, and data staging.
  
• POORAIM: Used for screen capture, information gathering, and web service communication.
  
• ROKRAT: A sophisticated malware variant used for a wide range of activities including audio capture, data exfiltration, and process injection.
  
• SHUTTERSPEED: A tool primarily used for screen capture and system information gathering.
  
• SLOWDRIFT: A tool for system information discovery and web service communication.
  
• WINERACK: A tool used for command execution and system information discovery.
  

APT37's diverse range of techniques and software tools highlights their capability to conduct sophisticated cyber espionage operations. Their focus on stealth and persistence, coupled with the use of custom tools, makes them a significant threat to their targets.

• Application Layer Protocol (T1071.001): APT38 used QUICKRIDE backdoor for C2 communication over HTTP and HTTPS.
  
• Browser Information Discovery (T1217): They collected browser bookmarks to learn about compromised hosts and users.
  
• Brute Force (T1110): Employed brute force techniques for account access.
  
• Clipboard Data (T1115): Used KEYLIME Trojan to collect clipboard data.
  
• Command and Scripting Interpreter (T1059): Utilized PowerShell, VBScript, and a command-line tunneler, NACHOCHEESE, for various operational tasks.
  
• Create or Modify System Process (T1543.003): Installed new Windows services for persistence.
  
• Data Destruction (T1485): Implemented custom secure delete functions.
  
• Data Encrypted for Impact (T1486): Used Hermes ransomware for file encryption.
  
• Data Manipulation (T1565): Employed DYEPACK for manipulating SWIFT transactions and data.
  
• Disk Wipe (T1561.002): Used BOOTWRECK to render systems inoperable.
  
• Drive-by Compromise (T1189): Conducted watering hole schemes for initial access.
  
• File and Directory Discovery (T1083): Enumerated files and directories on compromised hosts.
  
• Impair Defenses (T1562): Disabled or modified system firewalls and command history logging.
  
• Indicator Removal (T1070): Cleared Windows Event logs and used CLOSESHAVE for file deletion.
  
• Ingress Tool Transfer (T1105): Used NESTEGG backdoor for file transfers.
  
• Input Capture (T1056.001): Captured keystrokes using KEYLIME Trojan.
  
• Modify Registry (T1112): Utilized CLEANTOAD tool for registry modifications.
  
• Native API (T1106): Executed code using Windows API.
  
• Network Share Discovery (T1135): Enumerated network shares.
  
• Obfuscated Files or Information (T1027.002): Used various code packing methods.
  
• Obtain Capabilities (T1588.002): Acquired and used tools like Mimikatz.
  
• Phishing (T1566.001): Spearphishing campaigns with malicious attachments.
  
• Process Discovery (T1057): Leveraged Sysmon for process and service discovery.
  
• Scheduled Task/Job (T1053): Used cron and Task Scheduler for persistence.
  
• Server Software Component (T1505.003): Employed web shells for access and persistence.
  
• Software Discovery (T1518.001): Identified security software on compromised systems.
  
• System Binary Proxy Execution (T1218): Used CHM files and rundll32.exe for concealed payload execution.
  
• System Information Discovery (T1082): Gathered detailed information about compromised hosts.
  
• System Network Connections Discovery (T1049): Installed MAPMAKER for monitoring TCP connections.
  
• System Owner/User Discovery (T1033): Identified primary and current users.
  
• System Services (T1569.002): Created or modified services for execution.
  
• System Shutdown/Reboot (T1529): Used BOOTWRECK for system reboots.
  
• User Execution (T1204.002): Lured victims to enable malicious macros.

  Software Used by APT38

• DarkComet (S0334): A multifunctional tool used for various purposes including data collection and system manipulation.
  
• ECCENTRICBANDWAGON (S0593): Employed for command execution, data staging, and information removal.
  
• HOPLIGHT (S0376): A versatile tool used for data encoding, firewall impairment, and system information discovery.
  
• KillDisk (S0607): Used for data destruction and system disruption.
  
• Mimikatz (S0002): A well-known tool for credential dumping and authentication manipulation.
  
• Net (S0039): Utilized for account discovery, network share discovery, and remote system discovery.
  

APT38's sophisticated use of these techniques and software tools highlights their capability to conduct complex cyber operations, ranging from data theft and manipulation to system disruption and destruction.

APT39, also known as Chafer, Remix Kitten, Cobalt Hickman, TA454, and ITG07, is a cyber espionage group believed to be connected to the Iranian government. This group has been active since at least 2014 and is known for its focus on information theft and espionage. APT39's activities are primarily concentrated in the Middle East, but its targeting scope is global.

Aquatic Panda is a cyber threat group known for its sophisticated cyber operations. The group has been observed using a variety of techniques and tools to infiltrate and compromise target systems, often focusing on vulnerability scanning and data exfiltration.

The primary motivation of Aquatic Panda appears to be espionage, with activities aimed at acquiring sensitive information from targeted organizations. Their operations suggest a focus on intelligence gathering, which is typical of state-sponsored or state-affiliated cyber espionage groups.

Aquatic Panda is the primary name used to identify this group. However, like many cyber threat groups, they may operate under different aliases or be identified differently by various cybersecurity organizations.

The specific location of Aquatic Panda is not clearly stated in the available data. However, many cyber espionage groups operate from countries with significant state-sponsored cyber capabilities.

The exact date when Aquatic Panda was first observed is not provided in the MITRE ATT&CK database.

Aquatic Panda has been observed employing a range of cyber techniques, including active scanning for vulnerabilities, using PowerShell for command execution, and attempting to disable or modify endpoint detection and response (EDR) tools.

The Axiom cyber espionage group, also known as Group G0001, is a sophisticated and long-standing threat actor. Here is a detailed overview based on the information from the MITRE ATT&CK framework:

Axiom is a highly skilled and persistent cyber espionage group. They are known for their advanced techniques and have been involved in numerous high-profile cyber espionage campaigns. The group is adept at using a combination of custom-developed malware and publicly available tools to achieve their objectives.

The primary motivation of Axiom appears to be cyber espionage. Their activities are typically focused on stealing sensitive information from a variety of targets, which often include government, technology, and media sectors. The nature of their operations suggests a strong interest in gathering intelligence and conducting surveillance.

Axiom is known by several aliases, including Group G0001. They have been identified and tracked under this designation by various cybersecurity organizations.

The exact location of Axiom is not clearly defined, but they are believed to operate out of China.

The exact date of when Axiom was first observed is not specified in the available data.

Axiom has been involved in a wide range of activities, including acquiring infrastructure like DNS servers and virtual private servers, compressing and encrypting data before exfiltration, and using botnets. They have also been known to collect data from local systems and use steganography for hiding C2 communications.

Description:

BackdoorDiplomacy is a cyber espionage group known for its sophisticated cyber operations targeting diplomatic entities and telecommunication companies. The group is adept at exploiting public-facing applications and leveraging various sophisticated techniques to infiltrate and maintain presence in victim networks.

Motivation:

The primary motivation of BackdoorDiplomacy appears to be espionage, focusing on gathering sensitive information from diplomatic and telecommunication entities. Their activities are characterized by stealth and persistence, indicating a strategic interest in long-term intelligence gathering.

Names:

BackdoorDiplomacy is the primary name associated with this group. However, it's common for such groups to operate under multiple aliases or to be identified differently by various cybersecurity organizations.

Location:

The specific location of BackdoorDiplomacy is not clearly defined, but their targets often include entities in the Middle East and Africa, suggesting a possible regional focus.

First Seen:

The exact date of when BackdoorDiplomacy first emerged is not specified in the provided sources. However, their activities have been observed over several years, indicating a long-term operation.

Observed Activities:

BackdoorDiplomacy has been observed targeting diplomatic entities and telecommunication companies, exploiting vulnerabilities in public-facing applications, and conducting sophisticated cyber espionage operations.

Description:

BITTER is an advanced persistent threat (APT) group known for its targeted cyber espionage campaigns. The group is noted for its sophisticated use of malware and phishing techniques to infiltrate and compromise high-value targets.

Motivation:

The primary motivation of BITTER appears to be espionage, focusing on acquiring sensitive information from targeted organizations and individuals. Their activities suggest an intent to gather intelligence that could be of strategic or political value.

Names:

The group is primarily known as BITTER. However, like many APT groups, it may operate under different aliases or be referred to by different names in cybersecurity reports.

Location:

The specific location of BITTER is not clearly defined in the available information. APT groups often operate across international borders, making it challenging to pinpoint a precise location.

First Seen:

The exact date of when BITTER was first observed is not provided in the available sources. APT groups often operate for some time before being detected.

Observed:

BITTER has been observed using a variety of sophisticated techniques and tools in their operations. They have targeted organizations through spearphishing campaigns and have exploited vulnerabilities in software for initial access and escalation of privileges.

Description:

BlackOasis is a Middle Eastern threat group, believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. BlackOasis is associated with operations of a group known by Microsoft as Neodymium, although it's not confirmed if these names refer to the same group.

Motivation:

The primary motivation of BlackOasis is information theft and espionage.

Names:

BlackOasis is the name given by Kaspersky. There is a possible association with Neodymium, as identified by Microsoft, but it's not confirmed if these are aliases for the same group.

Location:

BlackOasis is based in the Middle East.

First Seen:

The group was first observed in 2015.

Observed Activities:

BlackOasis has targeted sectors including Media, Think Tanks, activists, and the UN. Geographically, their activities span across various countries including Afghanistan, Angola, Bahrain, Iran, Iraq, Jordan, Libya, Netherlands, Nigeria, Russia, Saudi Arabia, Tunisia, the UK, and others.

Description:

BlackTech is a suspected Chinese cyber espionage group that has been active since at least 2013. They primarily target organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, as well as the United States. BlackTech employs a combination of custom malware, dual-use tools, and 'living off the land' tactics to compromise networks in various sectors, including media, construction, engineering, electronics, and finance.

Motivation:

The group's primary motivation appears to be information theft and espionage. Their activities are focused on stealing technology and sensitive information from their targets.

Names:

• BlackTech (Trend Micro)
• Circuit Panda (CrowdStrike)
• Radio Panda (CrowdStrike)
• Palmerworm (Symantec)
• TEMP.Overboard (FireEye)
• T-APT-03 (Tencent)

Location:

China

First Seen:

2010

Observed:

BlackTech has been observed targeting sectors such as Construction, Financial, Government, Healthcare, Media, and Technology. Geographically, their activities have been focused on China, Hong Kong, Japan, Taiwan, and the USA.

• Bouncing Golf/Domestic Kitten: This campaign is notable for its use of mobile applications loaded with spyware to collect sensitive information. The attackers use fake decoy content to entice victims to download these applications, which then enable the collection of a wide range of data, including contact lists, call records, SMS messages, browser history, geo-location, photos, voice recordings, and more.

  Motivation

• Information Theft and Espionage: The primary motivation behind Bouncing Golf is to gather sensitive information, particularly from Kurdish and Turkish natives, ISIS supporters, and Iranian citizens. This data is likely used for further actions against these groups.

  Names

• Aliases: Domestic Kitten (Check Point), APT-C-50 (Check Point), Bouncing Golf (Trend Micro).

  Location

• Country: Iran.

  First Seen

• Initial Activity: The campaign was first observed in 2016.

  Observed Activities

• Target Regions: Afghanistan, Iran, Iraq, Pakistan, Turkey, the UK, the USA, and Uzbekistan.
  
• Notable Operations:
  • June 2019: Mobile Campaign ‘Bouncing Golf’ Affects the Middle East.
  • November 2020: Over 1,200 individuals targeted, with more than 600 successful infections across 10 unique campaigns.
  • October 2022: Domestic Kitten campaign using new FurBall malware to spy on Iranian citizens.

Cleaver is a formidable threat group attributed to Iranian actors, responsible for the activities tracked as Operation Cleaver. The group is known for its sophisticated cyber operations and has been linked to Threat Group 2889 (TG-2889).

While the specific motivations of Cleaver are not detailed in the provided text, their advanced cyber operations suggest objectives aligned with state-sponsored espionage or intelligence gathering.

Cleaver is also associated with Threat Group 2889 (TG-2889).

Cleaver is attributed to Iranian actors.

Unfortunately, the specific date of their inaugural activity remains shrouded in mystery within the provided text.

Cleaver has been keenly observed employing a range of sophisticated techniques and tools for cyber operations, including ARP cache poisoning, creating customized tools and payloads, and establishing fake social media accounts. 🌐👁️‍🗨️🌐

The Cobalt Group 🏦 is a financially motivated threat group that has been primarily targeting financial institutions since at least 2016. The group is known for conducting intrusions to steal money 💰 by targeting ATM systems 🏧, card processing 💳, payment systems 💸, and SWIFT systems 🌐. Cobalt Group has mainly targeted banks 🏛️ in Eastern Europe 🌍, Central Asia 🗺️, and Southeast Asia 🌏.

The primary motivation of the Cobalt Group is financial gain 💲, achieved through sophisticated cyber intrusions into banking systems 🏦 and financial infrastructure 💼.

Cobalt Group is also known as GOLD KINGSWOOD 👑, Cobalt Gang 🕴️, and Cobalt Spider 🕷️.

The specific location of the Cobalt Group is not mentioned 🌐, but they have targeted banks 🏛️ in Eastern Europe 🌍, Central Asia 🗺️, and Southeast Asia 🌏.

Cobalt Group has been active since at least 2016 📆.

The group has been observed conducting sophisticated cyberattacks on financial institutions, including ATM systems 🏧 and SWIFT systems 🌐. Despite the arrest of one of its alleged leaders in Spain 🇪🇸 in early 2018, the group remains active 🔒.

Confucius is a cyber espionage group primarily targeting military personnel 🎖️, high-profile personalities 👤, business persons 🕴️, and government organizations 🏛️ in South Asia 🌏 since at least 2013. The group is known for its custom malware code 💻 and targets, with noted similarities to the Patchwork group 🧩.

The primary motivation of Confucius appears to be espionage 🕵️, focusing on gathering sensitive information 📁 from military 🎖️, governmental 🏛️, and high-profile targets 👤 in South Asia 🌏.

Confucius is also referred to as Confucius APT 🏷️.

Confucius primarily targets entities in South Asia 🌏.

The group has been active since at least 2013 📆.

Confucius has been observed engaging in sophisticated cyber espionage activities, utilizing custom malware 💻 and various techniques 🛠️ to infiltrate and extract information 📜 from its targets 🎯.

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. The group has targeted various countries, including Israel 🇮🇱, Saudi Arabia 🇸🇦, Turkey 🇹🇷, the U.S. 🇺🇸, Jordan 🇯🇴, and Germany 🇩🇪. It is responsible for the campaign known as Operation Wilted Tulip 🌷.

The primary motivation of CopyKittens appears to be espionage 🕵️, focusing on gathering sensitive information 📄 from a range of international targets 🌍.

CopyKittens is the primary name used to identify this group 🏷️.

CopyKittens is an Iranian group 🇮🇷, targeting entities in countries such as Israel 🇮🇱, Saudi Arabia 🇸🇦, Turkey 🇹🇷, the U.S. 🇺🇸, Jordan 🇯🇴, and Germany 🇩🇪.

The group has been active since at least 2013 📆.

CopyKittens has been observed conducting cyber espionage activities 🌐, utilizing various techniques 🛠️ and tools 🖥️ to infiltrate and extract information 📜 from its targets 🎯.

CURIUM is an Iranian threat group first reported in November 2021. The group is known for its unique approach of investing time to build relationships with potential targets via social media 📱 over several months. This method is used to establish trust and confidence before sending malware 💻. CURIUM demonstrates great patience and persistence, engaging in daily chats 💬 with potential targets and sending benign files 📁 to lower their security consciousness.

While the specific motivations of CURIUM are not detailed in the provided text, their methodical approach to targeting individuals suggests objectives aligned with espionage 🕵️ or intelligence gathering 📡.

CURIUM is the primary name used to identify this group 🏷️.

CURIUM is identified as an Iranian threat group 🇮🇷.

The group was first reported in November 2021 📆.

CURIUM has been observed using social engineering tactics 🎭, particularly through social media 📱, to engage with and eventually compromise targets. Their approach indicates a focus on individual targets rather than broad, indiscriminate campaigns 🎯.

Dark Caracal is a threat group attributed to the Lebanese General Directorate of General Security (GDGS). It has been operational since at least 2012 and is known for its global cyber-espionage campaigns 🌐.

While the specific motivations of Dark Caracal are not detailed in the provided text, the group's activities suggest a focus on espionage 🕵️, likely driven by national security 🛡️ or political interests 🗳️.

Dark Caracal is the primary name used to identify this group 🏷️.

Dark Caracal is attributed to the Lebanese General Directorate of General Security (GDGS) 🇱🇧.

The group has been active since at least 2012 📆.

Dark Caracal has been observed conducting cyber-espionage activities 🌐, utilizing various techniques 🛠️ to infiltrate systems, collect data 📈, and maintain persistence 🔒.

Darkhotel is a suspected South Korean threat group that has been active since at least 2004. The group is known for its cyber espionage operations 🌐 conducted via hotel Internet networks 🏨 against traveling executives 👨‍💼 and other select guests 🌐. Darkhotel has also engaged in spearphishing campaigns 🎣 and infected victims through peer-to-peer and file-sharing networks 📂.

While the specific motivations of Darkhotel are not detailed in the provided text, their targeting of executives 👔 and use of espionage tactics 🕵️ suggest motivations related to intelligence gathering 📡, possibly for economic 💰 or political 🗳️ advantage.

Darkhotel is also associated with the name DUBNIUM 🏷️.

Darkhotel is suspected to be based in South Korea 🇰🇷 and primarily targets victims in East Asia 🌏.

The group has been operational since at least 2004 📆.

Darkhotel has been observed conducting sophisticated cyber espionage activities 🌐, utilizing various techniques 🛠️ to infiltrate systems, collect data 📊, and maintain persistence 🔒.

DarkHydrus is a threat group that has been actively targeting government agencies 🏛️ and educational institutions 🎓 in the Middle East 🌍 since at least 2016. The group is known for heavily leveraging open-source tools 🛠️ and custom payloads 💾 to carry out its attacks.

While the specific motivations of DarkHydrus are not detailed in the provided text, their targeting of government 🏛️ and educational institutions 🎓 suggests objectives related to espionage 🕵️ or intelligence gathering 📡, possibly for political 🗳️ or strategic 🌐 purposes.

DarkHydrus is the primary name used to identify this group 🏷️.

DarkHydrus primarily targets entities in the Middle East 🌍.

The group has been active since at least 2016 📆.

DarkHydrus has been observed using a variety of techniques 🛠️ to infiltrate systems 💻, execute commands ⌨️, and exfiltrate data 📤, focusing on government agencies 🏛️ and educational institutions 🎓.

DarkVishnya is a financially motivated threat actor known for targeting financial institutions 🏦 in Eastern Europe 🌍. The group has been active in conducting sophisticated cyberattacks 🌐 against at least eight banks 🏛️ in the region during 2017-2018.

The primary motivation of DarkVishnya appears to be financial gain 💰, as evidenced by their focus on attacking financial institutions 🏦.

The group is known as DarkVishnya 🏷️.

DarkVishnya has primarily targeted financial institutions 🏦 in Eastern Europe 🌍.

The group's activities were first reported in 2017 📆.

DarkVishnya has been observed using a variety of techniques 🛠️ to infiltrate financial institutions 🏦, execute commands ⌨️, and potentially exfiltrate sensitive financial data 📈.

Deep Panda is a sophisticated and suspected Chinese threat group 🇨🇳 known for targeting a wide range of industries, including government 🏛️, defense 🛡️, financial 💰, and telecommunications 📡 sectors. The group has been active for several years 📆 and is known for its advanced cyber espionage tactics 🌐.

Deep Panda's primary motivation appears to be cyber espionage 🕵️, gathering intelligence 📊 and sensitive information 📄 from targeted organizations 🎯 and government entities 🏛️.

Deep Panda is also known by several other names 🏷️, including Shell Crew 🐚, WebMasters 🌐, KungFu Kittens 🥋, PinkPanther 🐾, and Black Vine 🍇.

While the specific location of Deep Panda is not explicitly mentioned 🌏, it is suspected to be based in China 🇨🇳.

Deep Panda's activities have been observed for several years 📆, with significant operations noted as early as 2014.

Deep Panda has been observed targeting a variety of sectors 🏢 with sophisticated cyber espionage campaigns 🌐. The group's intrusion into the healthcare company Anthem 🏥 is one of its most notable operations.

Dragonfly is a cyber espionage group attributed to Russia's Federal Security Service (FSB) Center 16 🇷🇺. Active since at least 2010, Dragonfly has targeted defense 🛡️ and aviation ✈️ companies, government entities 🏛️, companies related to industrial control systems 🏭, and critical infrastructure sectors 🏭🌐 worldwide. The group employs supply chain attacks ⛓️, spearphishing 🎣, and drive-by compromise attacks 🖥️ in its operations.

Dragonfly's primary motivation appears to be cyber espionage 🕵️, focusing on gathering intelligence 📈 and compromising critical infrastructure 🏭 for strategic advantage 🌍.

Dragonfly is also known by various aliases 🏷️, including TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, and Energetic Bear.

Dragonfly is believed to be operating out of Russia 🇷🇺.

The group has been active since at least 2010 📆.

Dragonfly has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors 🏢, particularly those related to national security 🛡️ and critical infrastructure 🏭.

DragonOK is a cyber threat group known for targeting Japanese organizations 🇯🇵 through phishing emails 📧. The group's activities are characterized by the use of a variety of malware 💻 and sophisticated techniques 🌐.

The primary motivation of DragonOK appears to be cyber espionage 🕵️, focusing on obtaining sensitive information 📄 from Japanese entities 🏢.

DragonOK is the primary name used to identify this group 🏷️. It is also thought to have a direct or indirect relationship with the threat group Moafee 🕊️.

The specific location of DragonOK is not clearly identified 🌏, but its targeting of Japanese organizations suggests a focus in East Asia 🌐.

The group was first identified in reports dating back to at least 2014 📆.

DragonOK has been observed conducting targeted phishing campaigns 🎣 and deploying a range of custom malware 💻 against Japanese targets 🇯🇵.

Earth Lusca is a suspected China-based cyber espionage group 🇨🇳, active since at least April 2019 📆. The group is known for targeting a wide range of organizations globally 🌐, including government institutions 🏛️, news media 📰, gambling companies 🎰, educational institutions 🏫, COVID-19 research organizations 🦠, telecommunications 📡, religious movements banned in China 🚫, and cryptocurrency trading platforms 💱. Some of Earth Lusca's operations appear to be financially motivated 💰.

The primary motivation of Earth Lusca seems to be cyber espionage 🕵️, with a focus on gathering sensitive information 📄. The group's targeting of a diverse set of sectors indicates a broad set of interests, possibly extending beyond traditional espionage to include financial gains 💹.

Earth Lusca is the primary name for the group 🏷️. It is also associated with TAG-22.

While the group is suspected to be based in China 🇨🇳, its operations are global 🌏, affecting countries across multiple continents 🌐.

Earth Lusca's activities were first observed in April 2019 📆.

The group has been observed conducting sophisticated cyber espionage campaigns 🌐 targeting a wide range of sectors worldwide 🏢.