Threat INTel Reports

Archive of publicly available threat/cybercrime INTel reports (mostly APT Reports but not limited to). Useful as a reference when you emulate threat actors on a daily basis. Please create an issue if I'm missing a relevant Report.

Warning: If you are looking for every type of publicly available documents and notes related to APTs have a look at APTnotes and aptnotes. Unfortunately the way they store and sort their data doesn't work for me anymore.

Note: You can also find a page with an attempt to sort these reports by APT group name, based on the ThaiCert Threat Actor Encyclopedia and the Group pages of the MITRE ATT&CK team. This is work in progress and you can find it here: APT-Groups.

Depending on what you are looking for, you may also find this page useful.

2021

Title	Month	Source
The Evolution of the FIN7 JSSLoader	Jan	Morphisec
A wild Kobalos appears: Tricksy Linux malware goes after HPCs	Feb	ESET

2020

Title	Month	Source
Destructive Attack 'DUSTMAN'	Jan	SA NCSC
Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats	Jan	Trend Micro
North American Electric Cyber Threat Perspective	Jan	Dragos
New Destructive Wiper "ZeroCleare" Targets Energy Sector in the Middle East	Jan	IBM
APT10 Threat Analysis Report	Jan	Adeo
Fox Kitten Campaign: Widespread Iranian Espionage-Offensive Campaign	Feb	ClearSky
Crime Without Punishment: In-depth analysis of js-sniffers	Feb	Group IB
International Security and Estonia	Feb	EFIS
And then there were 6: A story of cyberspionage incident response by DART that uncovered five additional threat actors in one environment	Feb	Microsoft
Cloud Snooper attack bypasses firewall security measures	Feb	Sophos
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector	Feb	FSI
The Lazarus Constellation A study on North Korean malware	Feb	Lexfo
Operation Poisoned News: Hong Kong Users Targeted with Mobile Malware via Local News Links	Mar	Trend Micro
Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations	Mar	Booz Allen
Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan	Mar	Trend Micro
Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android	Apr	BlackBerry
Revealing Targets of the Iranian MuddyWater Group, Extracted from their C2	Apr	Clearsky
New dark_nexus IoT Botnet Puts Others to Shame	Apr	Bitdefender
Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests	Apr	RecordedFuture
APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure	Apr	MalwareBytes
Craft for Resilence - APT Group Chimera - APT Operation Skeleton Key Targets Taiwan Semiconductor Vendors	Apr	CyCraft
The 'Spy Cloud' Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection	Apr	ESRC
Threat landscape for industrial automation systems	Apr	Kaspersky
Uncovering DRBControl Inside the Cyberespionage Campaign Targeting Gambling Operations	Apr	Trend Micro
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia	May	Bitdefender
The "Silent Night" Zloader/Zbot	May	Malwarebytes & Hyas
Tactics, Techniques and Procedures Used to Target Australian Networks	May	ACSC
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia	May	BitDefender
Leery Turtle Threat Report	May	CyberStruggle
AWS Shield Threat Landscape Report Q1 2020	May	AWS
Shifts in Underground Markets	May	Trend Micro
From AGENT.BTZ to COMRAT V4. A ten-year journey	May	ESET
Mobile APT Surveillance Campaigns Targeting Uyghurs	Jun	Lookout
The Dark Overlord Cyber Investigation Report	Jul	Data Viper
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan	Jul	Dr.Web
The Hacker Infrastructure and Underground Hosting. An overview of the cybercriminal market	Jul	Trend Micro
Worm War: The Botnet Battle for IoT Territory	Jul	Trend Micro
APT29 targets COVID-19 vaccine development	Jul	NCSC
Card Fraud in a PSD2 World: A Few Examples	Jul	Cyber R&D Lab
THE FAKE CISCO: Hunting for backdoors in Counterfeit Cisco devices	Jul	F-Secure
Cosmic Lynx: The Rise of Russian BEC	Jul	Agari
Chinese state-sponsored group 'reddelta' targets the Vatican and Catholic organizations	Jul	Recorded Future
Operation 'Dream Job'. Widespread North Korean Espionage Campaign	Aug	ClearSky
Pillars of Russia's Desinformation and Propaganda Ecosystem	Aug	U.S. Department of State
Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware	Aug	NSA and FBI
No need to hack when it's leaking: GITHUB HEALTHCARE LEAKS	Aug	GitHub
LAZARUS GROUP: Campaign Targetting The Cryptocurrenct Vertical	Aug	F-Secure
Development of the activity of the TA505 Cybercriminal Group	Aug	ANSSI
The Kittens Are Back in Town 3 Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp	Aug	ClearSky
FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks	Aug	USCYBERCOM
ULTRARANK The unexpected twist of a JS-sniffer triple threat	Aug	Group IB
CERBERUS Banking Trojan Analysis	Aug	Cyberwise
REDCURL The pentest you didn't know about	Aug	Group IB
The French Underground Under a Shroud of Extreme Caution	NA	Trend Micro
Cybercrime in West Africa Poised for an Underground Market	NA	Trend Micro
Lock Like a Pro: How QAKBOT Fuels Enterprise Ransomware Campaigns	Sep	Group IB
SideCopy An insight into Transparent Tribe's sub-division which has been incorrectly attributed for years	Sep	Seqrite
ShadowPad: new activity from the Winnti group	NA	PT
LATAM Financial Cybercrime: Competitors-in-crime sharing TTPs	NA	ESET
Threat landscape for industrial automation systems	Sep	Kaspersky
AT commands, Tor-based communications: meet ATTOR, A fantasy creature and also a Spy platform	NA	ESET
Operation Earth Kitsune Tracking SLUB's Current Operations	Oct	Trend Micro
Study of the ShadowPad APT backdoor and its relation to PlugX	Oct	Dr.Web
North Korean Advanced Persistent Threat Focus: Kimsuky	Oct	CISA/FBI/CNMF
Le Malware-as-a-service EMOTET	Oct	ANSSI
Supply Chain Attacks in the Age of Cloud Computing: Risks, Mitigations, and the Importance of Securing Back Ends	Oct	Trend Micro
Operation Quicksand MuddyWater’s Offensive Attack Against Israeli Organizations	Oct	Clear Sky
Banking Web Injects Are Top Cyber Threat for Financial Sector	Oct	Recorded Future
CHAES: Novel Malware Targeting Latin American E-Commerce	Nov	Cybereason
Threat Profile JUPYTER Infostealer	Nov	Morphisec
Analysis of the Bookcodes RAT C2 framework starting with spear phishing	Nov	KR CERT
Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions	Nov	BitDefender
TTPs 2 Analysis of the Bookcodes RAT C2 framework starting with spear phishing	Nov	KrCERT
TRICKBOT Now Offers 'TRICKBOOT': PERSIST, BRICK, PROFIT	Dec	Eclypsium
MOLERATS in the Cloud: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign	Dec	Cybereason
Adversary Tracking Report When a false flag doesn't work: Exploring the digital-crime underground at campaign preparation stage	Dec	Telsy
EyeD4kRAT/ShirBiter Overview	Dec	Nyotron
Egregor Ransomware: The Legacy of Maze Lives on	Dec	Group IB
Finding APTX: Attributing attacks via MITRE TTPs	Dec	Trend Micro
APT27 Turns to Ransomware	Dec	Profero

2019

Title	Month	Source
New Destructive Wiper "ZeroCleare" Targets Energy Sector in the Middle East	Feb	IBM
Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria	Mar	C4ADS
Legit remote admin tools turn into threat actors tools	Apr	Cyberint
Analysis of the APT Campaign 'Smoke Screen' targeting to Korea and US	Apr	ESRC
Pirates of Brazil: Integrating the Strengths of Russian and Chinese Hacking Communities	Apr	Recorded Future
London Blue	Apr	Agari
Iranian Nation-State APT Groups - "Black Box" Leak	May	ClearSky
Turla LightNeuron: An email too far	May	ESET
Who's who in the Zoo Cyberespionage operation targets Android users in the Middle East	May	Kaspersky
Scattered Canary The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise	Jun	Agari
An APT Blueprint: Gaining New Visibility into Financial Threats	Jun	BitDefender
Threat Group Cards: A Threat Actor Encyclopedia	Jun	ThaiCert
Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers	Jun	Cybereason
The Predator in your Pocket	Jun	Citizen Lab
Iranian APT group MuddyWater Adds Exploits to Their Arsenal Jun	Clearsky
Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations	Jun	Recorded Future
EMOTET: A technical analysis of the destructive, polymorphic malware	Jul	Bromium
Bestsellers in the Underground Economy: Measuring Malware Polularity by Forum	Jul	Recorded Future
Double DragonAPT41, a dual espionage and cyber crime operation	Aug	FireEye
Silence 2.0 Going Global	Aug	Group IB
UPSynergy: Chinese-American Spy vs Spy Story	Sep	CheckPoint
The Kittens are back in town: Charming Kitten Campaign against Academic Researchers	Sep	ClearSky
Simjacker Technical Report	Sep	Simjacker.com
AT commands, TOR-based communications: Meet Attor, a fantasy creature and also a spy platform	Oct	ESET
Operation Ghost The Dukes aren't back - they never left	Oct	ESET
Connecting the dots Exposing the arsenal and methods of the Winnti Group	Oct	ESET
How TURBINE PANDA and China's Top Spies Enabled Beijing to Cut Corners on the C919 Passenger Jet	Oct	CrowdStrike
Turla group exploits Iranian APT to expand coverage of victims	Oct	NCSC
GEOST Botnet. The story of the discovery of a new Android Banking trojan from an OPSEC error	Oct	Garcia et all
Supply Chain Attacks. Threats targeting service providers and design offices	Oct	ANSSI
From tweet to rootkit	Oct	ExaTrack
The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Attack in History (Sandworm)	Oct	Wired
Here's the Evidence That Links Russia's Most Brazen Cyberattacks (Sandworm)	Nov	Wired
Operation Wocao Shining a light on one of China’s hidden hacking groups	Dec	FoxIT
Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs	Dec	RecordedFuture
Drilling DeepA Look at Cyberattacks on the Oil and Gas Industry	Dec	Trend Micro

2018

Title	Month	Source
DRAGONFISH delivers new form of Elise malware	Jan	Accenture
Diplomats in Eastern Europe bitten by a Turla mosquito	Jan	ESET
Iran's Cyber Threat: Espionage Sabotage and Revenge	Jan	Carnegie Endowment
Turla group update Neuron malware	Jan	NCSC
Dark Caracal: Cyber-espionage at a Global Scale	Jan	Lookout & EFF
International Security and Estonia	Feb	Estonian Foreign Intelligence Service
APT37 Reaper: The Overlooked North Korean Actor	Feb	FireEye
BAD TRAFFIC Sandvines PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads	Mar	The Citizen Lab
The Slingshot APT	Mar	Kaspersky
Industrial Control System Threats	Mar	Dragos
Territorial Dispute - NSA's perspective on APT landscape	Mar	CrySyS Lab
Targeted Attacks on South Korean Organizations	Mar	AhnLab
GravityRAT	Apr	Talos
Hogfish Redleaves	Apr	Accenture
Mtrends 2018	May	FireEye
Burning Umbrella	May	ProtectWise
Andariel Group - KR	May	Ahnlab
Irans Hacker Hierarchy Exposed	May	RecordedFuture
New Bank Attacks	May	Positive Technologies
Bank Attacks	May	Positive Technologies
Full Discloser of Andariel - A Subgroup of Lazarus Threat Group	Jun	AhnLab
Operation Roman Holiday Hunting the Russian APT28 group	Jul	CSE Zlab
COMMSEC: The Trails of WINDSHIFT APT	Aug	DarkMatter
TURLA Outlook Backdoor	Aug	ESET
Chinese Cyberespionage Originating From Tsinghua University Infrastructure	Aug	Recorded Future
The Untold Story of NotPetya, the Most Devastating Cyberattack in History (Sandworm)	Aug	Wired
Silence: Moving into the darkside	Sep	Group IB
APT38: Un-usual Suspects	Oct	FireEye
Thieves and Geeks: Russian and Chinese Hacking Communities	Oct	Recorded Future
LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group	Oct	ESET
GREYENERGY A successor to BlackEnergy	Oct	ESET
Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group	Oct	McAfee
Buyer beware: cyberthreats targeting e-commerce	Nov	Kaspersky
The SpyRATs of OceanLotus	Oct	Cylance
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques	Nov	RecordedFuture
The Hunt for 3ve	Nov	Google
MuddyWater Operationsin Lebanon and Oman	Nov	ClearSky
Operation Shaheen	Nov	Cylance
Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers Leak	Dec	Trend Micro
Operation Sharpshooter	Dec	McAfee
The Dark Side of the ForSSHe: A landscape of OpenSSH backdoors	Dec	ESET

2017

Title	Month	Source
APT28: A Window into Russias Cyber Espionage Operations	Jan	FireEye
APT28: At the center of the storm. Russia strategically evolves its cyber operations	Jan	FireEeye
APT28 Under the Scope A Journey into Exfiltrating Intelligence and Government Information	Feb	BitDefender
KingSlayer A Supply chain attack	Feb	RSA
Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society	Feb	The Citizen Lab
Bitter Sweet: Supporters of Mexico's Soda Tax Targeted With NSO Exploit Links	Feb	The Citizen Lab
Enhanced Analysis of GRIZZLY STEPPE Activity	Feb	US-CERT
Dissecting the APT28 Mac OS X Payload	Feb	Bitdefender
Read The Manual A guide to the RTM Banking Trojan	Feb	ESET
Trends in Android Ransomware	Feb	ESET
From Shamoon to StoneDrill	Mar	Kaspersky
Carbon Paper: Peering into Turlas second stage backdoor	Mar	ESET
Lazarus Under the Hood	Apr	Kaspersky
Appendix B: Moonlight Maze Technical Report	Apr	Kaspersky
Callisto Group	Apr	F-Secure
McAfee Labs Threats Report	Apr	McAfee
Intrusions Affecting Multiple Victims Across Multiple Sectors	Apr	US-CERT
Two Years of Pawn Storm Examining an Increasingly Relevant Threat	May	Trend Micro
Sednit adds two zero-day exploits using Trumps attack on Syria as a decoy	May	ESET
Evolution of the GOLD EVERGREEN Threat Group	May	SecureWorks
Bachosens: Highly-skilled petty cyber criminal with lofty ambitions targeting large organizations	May	Symantec
Lazarus: History of mysterious group behind infamous cyber attacks	May	Symantec
Operation Bachosens: A detailed look into a long-running cyber crime campaign	May	Symantec
Tainted Leaks: Disinformation and Phishing With a Russian Nexus	May	The Citizen Lab
Lazarus Arisen - Architecture / Tools /Attribution	May	Group IB
Lazarus Arisen - article	May	Group IB
Operation Cobalt Kitty	May	Cybereason
CrashOverride: Analysis of the Threat to Electric Grid Operations	Jun	Dragos
WIN32/INDUSTROYER A new threat for industrial control systems	Jun	ESET
How an Entire Nation Became Russia's Test Lab for Cyberwar (Sandworm)	Jun	Wired
Behind the CARBANAK Backdoor	Jun	FireEye
Bahamut Pursuing a Cyber Espionage Actor in the Middle East	Jun	Collin and Claudio
FIN10 Anatomy of a Cyber Extortion Operation	Jun	FireEye
Detecting Lateral Movement through Tracking Event Logs	Jun	JPCERT
Bronze Buttler	Jun	SecureWorks
OceanLotus Blossoms: Mass Digital Surveillance andAttacks Targeting ASEAN, Asian Nations, the Media, HumanRights Groups, and Civil Society	Jun	Volexity
ChessMasters New Strategy: Evolving Tools and Tactics	Jun	Trend Micro
Everything we know about GoldenEye	Jul	BitDefender
CYBERATTACKS AGAINST UKRAINIAN ICS	Jul	Sentryo
Living off the land and fileless attack techniques	Jul	Symantec
State of Cybersecurity in Asia-Pacific	Jul	PaloAlto
Operation Wilted Tulip	Jul	ClearSky & Trend Micro
OilRig Deploys ALMA Communicator - DNS TunnelingTrojan	Aug	Palo Alto
Intelligence Games in the Power Grid	Sep	Treadstone 71
APT3 Adversary Emulation Plan	Sep	MITRE
Hack ATM with an anti-hacking feature and walk away with $1M in 2 minutes	Oct	Embedi
Remote Control Interloper: Analyzing New Chinese htpRAT Malware Attacks Against ASEAN	Oct	RISKIQ
Investigation: WannaCry cyber attack and the NHS	Oct	National Audit Office
Tracking Subaat: Targeted Phishing Attack Leads toThreat Actors Repository	Oct	Palo Alto
The CARBANAK/FIN7 Syndicate a historical overview of an evolving threat	Nov	RSA
The Shadows of Ghosts Inside the Response of a Unique CARBANAK Intrusion	Nov	RSA
Turla group using Neuron and Nautilus tools alongside Snake malware	Nov	UK NCSC
Charming Kitten	Dec	ClearSky
TRISIS Malware Analysis of Safety System Targeted Malware	Dec	Dragos
North Korea Bitten by Bitcoin Bug	Dec	Proofpoint
Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure	Dec	FireEye
MoneyTaker 1.5 Years of Silent Operations	Dec	Group IB

2016

Title	Month	Source
Analyzing a New Variant of BlackEnergy 3 Likely Insider-Based Execution	Jan	SentinelOne
Operation Dusty Sky	Jan	ClearSky
Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups	Feb	ICIT
Operation Duststorm	Feb	Cylance
Operation Blockbuster	Feb	Novetta
From Seoul to Sony	Feb	Blue Coat
Prologue: Global Criminal Kingpin, Long Held in Secret U.S. Custody, Makes First Court Appearance (The Mastermind)	Mar	Atvist
Episode 1: A journey to understand how a real-estate agent in the Philippines became the target of a criminal mastermind (The Mastermind)	Mar	Atvist
Update to Episode 1: New revelations about Catherine Lee's accused killers (The Mastermind)	Mar	Atvist
Full text of the prosecution’s letter (The Mastermind)	Mar	Atvist
Episode 2: When you doin't know who your boss really is, a dream job can turn into a nightmare (The Mastermind)	Mar	Atvist
Episode 3: How dida usenet troll and encryption genius become a criminal mastermind? (The Mastermind)	Mar	Atvist
Episode 4: How the programmer became an insatiable tyrant (The Mastermind)	Mar	Atvist
Episode 5: A Yatch called "I Dream" washes up in Tonga with some drugs and grisly cargo (The Mastermind)	Mar	Atvist
Episode 6: How a retired american soldier became a brutal enforcer for an international cartel (The Mastermind)	Mar	Atvist
Episode 7: A shroud of secrecy, a legal gambit, and a mistery solved (The Mastermind)	Mar	Atvist
Update: Joseph Rambo Hunter, Paul Le Roux's former enforcer, sentenced to 20 years in prison (The Mastermind)	Mar	Atvist
The Four-Element Sword Engagement: Ongoing APT Targeting of Tibetan, Hong Kong, and Taiwanese Interests	Mar	Arbor Networks
The Four Element Sword Engagement	Apr	Arbor Networks
Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns	Apr	The Citizen Lab
PLATINUM Targeted attacks in South and Southeast Asia	Apr	Microsoft
Follow the money: Dissecting the operations of the cyber crime group FIN6	Apr	FireEye
Mofang: A politically motivated information stealing adversary	May	FoxIT
Operation Groundbait:Analysis of a surveillance toolkit	May	ESET
APT Case RUAG Technical Report	May	Melani GovCERT
Keep Calm and (Dont) Enable Macros: A New Threat Actor Targets UAE Dissidents	May	The Citizen Lab
Operation DustySky Part 2	Jun	ClearSky
Visiting The Bear Den A Journey in the Land of Cyber-Espionage	Jun	ESET
Vawtrak v2	Jun	Sophos
REDLINE DRAWN China recalculates its use of cyber espionage	Jun	FireEye
Pacifier APT	Jul	Bitdefender
Unveiling Patchwork the Copy Paste APT	Jul	Cymmetria
Operation Manul	Aug	EFF
Monsoon - Analysis of an APT Campaign	Aug	Forcepoint
Group5: Syria and the Iranian Connection	Aug	The Citizen Lab
The ProjectSauron APT	Aug	Kaspersky
Carbanak Oracle Breach	Aug	VISA
The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender	Aug	The Citizen Lab
Visa Alert and Update on the Oracle Breach	Aug	VISA
Ego Market When Greed for Fame Benefits Large-Scale Botnets	Sep	GoSecure
Hunting Libyan Scorpions	Sep	Cyberkov
En Route with Sednit Part 1: Approaching the Target	Oct	ESET
En Route with Sednit Part 2: Observing the Comings and Goings	Oct	ESET
En Route with Sednit Part 3: A Mysterious Downloader	Oct	ESET
Rootkit analysis Use case on HideDRV	Oct	Sekoia
Wave your false flags! Deception tactics muddying attribution in targeted attacks	Oct	Kaspersky
When The Lights Went Out: Ukraine Cybersecurity Threat Briefing	Nov	BAH
Cobalt Logical Attacks on ATMs	Nov	Group IB
PROMETHIUM and NEODYMIUM: Parallel zero-day attacks targeting individuals in Europe	Dec	Microsoft
Use of Fancy Bear Android Malware tracking of Ukrainian Artillery Units	Dec	Crowdstrike
GRIZZLY STEPPE - Russian Malicious Cyber Activity	Dec	FBI

2015

Title	Month	Source
Insight In To A Strategic Web Compromise And Attack Campaign Against Hong Kong Infrastructure	Jan	Dragon Threat Labs
The Waterbug Attack Group	Jan	Symantec
CARBANAK APT THE GREAT BANK ROBBERY	Feb	Kaspersky
MEDJACK.4 Medical Device Hijacking	Feb	TrapX
Behind The Syrian Conflict's Digital Front Lines	Feb	FireEye
The Desert Falcons Targeted Attacks	Feb	Kaspersky
Southeast Asia: An Evolving Cyber Threat Landscape	Feb	FireEye
Operation Arid Viper: Bypassing The Iron Dome	Feb	Trend Micro
Plugx Goes To The Registry And India	Feb	Sophos
ScanBox II	Feb	PWC
Crowdstrike Global Threat Intel Report	Feb	Crowdstrike
Equation Group: Questions And Answers	Feb	Kaspersky
Shooting Elephants	Feb	CIRCL Luxembourg
Tibetan Uprising Day Malware Attacks	Mar	The Citizen Lab
Operation Woolen-Goldfish When Kittens Go Phishing	Mar	Trend Micro
Volatile Cedar Threat Intelligence And Research	Mar	Check Point
Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware	Mar	The Citizen Lab
HACKING THE STREET? FIN4 LIKELY PLAYING THE MARKET	Apr	FireEye
APT30 And The Mechanics Of A Long-Running Cyber Espionage Operation	Apr	FireEye
Sofacy II Same Sofacy, Different Day	Apr	PWC
China's Great Cannon	Apr	The Citizen Lab
CozyDuke	Apr	F-Secure
Dissecting Linux/Moose The Analysis of a Linux Router-based Worm Hungry for Social Networks	May	ESET
Operation Tropic Trooper: Relying On Tried-And-Tested Flaws To Infiltrate Secret Keepers	May	Trend Micro
Oceanlotus APT-C-00	May	SkyEye
APT28 Targets Financial Markets: Zero Day Hashes Released	May	Root9b
Analysis On APT-To-Be Attack That Focusing On China's Government Agency	May	Antiy CERT
The Msnmm Campaigns: The Earliest Naikon APT Campaigns	May	Kaspersky
Operation Oil Tanker: The Phantom Menace	May	PandaLabs
Thamar Reservoir An Iranian cyber - attack campaign against targets in the Middle East	Jun	ClearSky
Duqu 2.0: A Comparison To Duqu	Jun	CrySyS Lab
Operation Lotusblossom	Jun	PaloAlto
An Iranian Cyber-Attack Campaign Against Targets In The Middle East	Jun	ClearSky
The Duqu 2.0 Technical Details	Jun	Kaspersky
Insight in to advances of adversary tactics, techniques and procedures through analysis of an attack against an organisation in the Asia Pacific region	Jun	Dragon Threat Labs
Target Attacks Against Tibetan And Hong Kong Groups Exploiting CVE-2014-4114	Jun	The Citizen Lab
Operation Potao Express: Analysis Of A Cyber-Espionage Toolkit	Jul	ESET
The Black Vine Cyberespionage Group	Jul	Symantec
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group	Jul	FireEye
Butterfly: Corporate Spies Out For Financial Gain	Jul	Symantec
RSA Research Terracotta VPN: Enabler Of Advanced Threat Anonymity	Aug	RSA
What we know about the South Korea NIS's use of Hacking Team's RCS	Aug	The Citizen Lab
London Calling: Two-Factor Authentication Phishing From Iran	Aug	The Citizen Lab
THE DUKES: 7 years of Russian cyberespionage	Sep	F-Secure
The Spy Kittens Are Back: Rocket Kitten 2	Sep	Trend Micro
Proactive Threat Identification Neutralizes Remote Access Trojan Efficacy	Sep	Recorded Future
Pay No Attention to the Server Behind the Proxy: Mapping FinFisher's Continuing Proliferation	Oct	The Citizen Lab
Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites	Oct	The Citizen Lab
RUSSIAN FINANCIAL CYBERCRIME: HOW IT WORKS	Nov	Kaspersky
CopyKittens Attack Group	Nov	ClearSky
ROCKET KITTEN: A Campaign with 9 lives	Nov	Check Point
Operation Iron Tiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors	Dec	Trend Micro
The Dukes: 7 years of Russian cyberespionage	Dec	F-Secure

2014

Title	Month	Source
Targeted Attacks Against The Energy Sector	Jan	Symantec
Emerging Threat Profile Shell_Crew	Jan	RSA
New Cdto: A Sneakernet Trojan Solution	Jan	Fidelis
Intruder File Report- Sneakernet Trojan	Jan	Fidelis
Uroburos Highly Complex Espionage Software With Russian Roots	Feb	GDATA
Unveiling Careto - The Masked Apt	Feb	Kaspersky
Mapping Hacking Teams Untraceable Spyware	Feb	The Citizen Lab
Gathering In The Middle East, Operation Stteam	Feb	Fidelis
The Monju Incident	Feb	Context
Hacking Team and the Targeting of Ethiopian Journalists	Feb	The Citizen Lab
Hacking Team's US Nexus	Mar	The Citizen Lab
Snake Campaign & Cyber Espionage Toolkit	Mar	BAE
Maliciously Repackaged Psiphon Found	Mar	The Citizen Lab
Deep Panda	May	Crowdstrike
Operation Saffron Rose	May	FireEye
Rat In A Jar: A Phishing Campaign Using Unrecom	May	Fidelis
Illuminating The Etumbot Apt Backdoor	Jun	Arbor
Putter Panda	Jun	Crowdstrike
Anatomy Of The Attack: Zombie Zero	Jun	Trapx
Dragonfly: Cyberespionage Attacks Against Energy Suppliers	Jun	Symantec
Police Story: Hacking Team Government Surveillance Malware	Jun	The Citizen Lab
Energetic Bear _ Crouching Yeti	Jul	Kaspersky
The Eye Of The Tiger (Pitty Tiger)	Jul	Airbus
Crouching Yeti: Appendixes	Jul	Kaspersky
Operation Arachnophobia Caught In The Spider's Web	Aug	Threat Connect
Sidewinder Targeted Attack Against Android In The Golden Age Of Ad Libraries	Aug	FireEye
Profiling An Enigma: The Mystery Of North Korea's Cyber Threat Landscape	Aug	HP
The Epic Turla Operation: Solving Some Of The Mysteries Of Snake/Uroboros	Aug	Kaspersky
Syrian Malware, The Ever-Evolving Threat	Aug	Kaspersky
Cosmicduke Cosmu With A Twist Of Miniduke	Sep	F-Secure
Operation Quantum Entanglement	Sep	FireEye
BLACKENERGY & QUEDAGH The convergence of crimeware and APT attacks	Oct	F-Secure
Sofacy Phishing	Oct	PWC
Operation Pawn Storm Using Decoys to Evade Detection	Oct	Trend Micro
Hikit Analysis	Oct	Novetta
Apt28: A Window Into Russia's Cyber Espionage Operations	Oct	FireEye
Micro-Targeted Malvertising Via Real-Time Ad Bidding	Oct	Invincea
The Rotten Tomato Campaign	Oct	Sophos
Zoxpng Analysis	Oct	Novetta
Operation Toohash How Targeted Attacks Work	Oct	GDATA
The Darkhotel Apt A Story Of Unusual Hospitality	Nov	Kaspersky
Darkhotel Indicators Of Compromise	Nov	Kaspersky
Derusbi (Server Variant) Analysis	Nov	Novetta
Evil Bunny: Suspect #4	Nov	Marion
The Regin Platform Nation-State Ownership Of Gsm Networks	Nov	Kaspersky
Regin: Top-Tier Espionage Tool Enables Stealthy Surveillance	Nov	Symantec
Anunak: Apt Against Financial Institutions	Dec	FoxIT
The Inception Framework: Cloud-Hosted Apt	Dec	Blue Coat
Operation Cleaver	Dec	Cylance
Bots, Machines, And The Matrix	Dec	Fidelis
Hacking The Street? Fin4 Likely Playing The Market	Dec	FireEye
W32/Regin, Stage #1	Dec	F-Secure
W64/Regin, Stage #1	Dec	F-Secure
Malware Attacks Targeting Syrian ISIS Critics	Dec	The Citizen Lab

2013

Title	Month	Source
"Red October" Diplomatic Cyber Attacks Investigation	Jan	Kaspersky
The Icefog Apt: A Tale Of Cloak And Three Daggers	Jan	Kaspersky
A closer look at MiniDuke	Feb	BitDefender
Stuxnet 0.5: The Missing Link	Feb	Symantec
The Miniduke Mystery: Pdf 0-Day Government Spy Assembler 0X29A Micro Backdoor	Feb	Kaspersky
Miniduke: Indicators	Feb	CrySyS Lab
Apt1 Exposing One Of China's Cyber Espionage Units	Feb	Mandiant
Command And Control In The Fifth Domain	Feb	Command Five Pty Ltd
Comment Crew: Indicators Of Compromise	Feb	Symantec
APT1s GLASSES: Watching a Human Rights Organization	Feb	The Citizen Lab
Dissecting Operation Troy: Cyberespionage In South Korea	Mar	McAfee
The Teamspy Story - Abusing Teamviewer In Cyberespionage Campaigns	Mar	Kaspersky
Analysis Of A Plugx Variant (Plugx Version 7.0)	Mar	CIRCL
You Only Click Twice: Finfisher's Global Proliferation	Mar	The Citizen Lab
Apt1: Technical Backstage	Mar	itrust
Safe A Targeted Threat	Mar	Trend Micro
Winnti: More Than Just A Game	Apr	Kaspersky
For Their Eyes Only: The Commercialization of Digital Spying	Apr	The Citizen Lab
Permission to Spy: An Analysis of Android Malware Targeting Tibetans	Apr	The Citizen Lab
Analysis Of A Stage 3 Miniduke Sample	May	CIRCL
Operation Hangover - Unveiling An Indian Cyberattack Infrastructure	May	Norman
The Chinese Malware Complexes: The Maudi Surveillance Operation	Jun	Norman
A Call To Harm: New Malware Attacks Target The Syrian Opposition	Jun	The Citizen Lab
Crude Faux: An Analysis Of Cyber Conflict Within The Oil & Gas Industries	Jun	Cerias
Njrat Uncovered	Jun	Fidelis
The Nettraveler (Aka Travnet)	Jun	Kaspersky
The Plugx Malware Revisited: Introducing Smoaler	Jul	Sophos
Operation Hangover - Unveiling An Indian Cyberattack Infrastructure (Appendix)	Aug	FIXME
The Little Malware That Could: Detecting And Defeating The China Chopper Web Shell	Aug	FireEye
Inside Report _ Apt Attacks On Indian Cyber Space	Aug	Infosec Consorcium
Surtr: Malware Family Targeting the Tibetan Community	Aug	The Citizen Lab
Poison Ivy: Assessing Damage And Extracting Intelligence	Aug	FireEye
2Q Report On Targeted Attack Campaigns	Sep	Trend Micro
Hidden Lynx: Professional Hackers For Hire	Sep	Symantec
World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks	Sep	FireEye
Fakem Rat: Malware Disguised As Windows Messenger And Yahoo! Messenger	Oct	Trend Micro
Targeted Threats Index	Oct	The Citizen Lab
Supply Chain Analysis: From Quartermaster To Sunshopfireeye	Nov	FireEye
Energy At Risk: A Study Of It Security In The Energy And Natural Resources Industry	Dec	KPMG
Etso Apt Attacks Analysis	Dec	AHNLAB
Operation Ke3Chang Targeted Attacks Against Ministries Of Foreign Affairs	Dec	FireEye
"Njrat" The Saga Continues	Dec	Fidelis
Quantum of Surveillance: Familiar Actors and Possible False Flags in Syrian Malware Campaigns	Dec	The Citizen Lab

2012

Title	Month	Source
The Heartbeat Apt Campaign	Jan	Trend Micro
Crouching Tiger, Hidden Dragon, Stolen Data	Mar	Context
Skywiper (A.K.A. Flame A.K.A. Flamer): A Complex Malware For Targeted Attacks	Mar	CrySyS Lab
Luckycat Redux: Inside An Apt Campaign With Multiple Targets In India And Japan	Mar	Trend Micro
Have I Got Newsforyou: Analysis Of Flamer C&C Server	May	Symantec
Ixeshe An Apt Campaign	May	Trend Micro
Pest Control: Taming The Rats	Jun	Matasano
Spoofing the European Parliament: Analysis of the Repurposing of Legitimate Content in Targeted Malware Attacks	Jun	The Citizen Lab
Syrian Activists Targeted with BlackShades Spy Software	Jun	The Citizen Lab
From Bahrain With Love: Finfisher Spy Kit Exposed?	Jul	The Citizen Lab
Recent Observations In Tibet-Related Information Operations: Advanced Social Engineering For The Distribution Of Lurk Malware	Jul	The Citizen Lab
Iexpl0Re Rat	Aug	The Citizen Lab
Gauss: Abnormal Distribution	Aug	Kaspersky
The SmartPhone Who Loved Me: FinFisher Goes Mobile	Aug	The Citizen Lab
The Voho Campaign: An In Depth Analysis	Aug	RSA
The Elderwood Project	Sep	Symantec
Backdoors are Forever: Hacking Team and the Targeting of Dissent	Oct	The Citizen Lab
Trojan.Taidoor: Targeting Think Tanks	Oct	Symantec
Recovering From Shamoon	Nov	Fidelis
Systematic Cyber Attacks Against Israeli And Palestinian Targets Going On For A Year	Nov	Norman
The Many Faces Of Gh0St Rat: Plotting The Connections Between Malware Attacks	Nov	Norman

2011

Title	Month	Source
W32.Stuxnet Dossier	Feb	Symantec
Global Energy Cyberattacks: Night Dragon	Feb	McAfee
Stuxnet Under the Microscope	Apr	ESET
Advanced Persistent Threats: A Decade in Review	Jun	Command Five Pty Ltd
The Lurid Downloader	Aug	Trend Micro
Revealed: Operation Shady Rat	Aug	McAfee
Enter the Cyber-dragon	Sep	Vanity Fair
SK Hack by an Advanced Persistent Threat	Sep	Command Five Pty Ltd
Alleged APT Intrusion Set: "1.php" Group	Oct	Zscaler
The Nitro Attacks: Stealing Secrets From The Chemical Industry	Oct	Symantec

2010

Title	Month	Source
The Command Structure Of The Aurora Botnet	Jan	Damballa
Operation Aurora: Detect, Diagnose, Respond	Jan	HBGary
Operation Aurora	Feb	HBGary
Combating Aurora	Jan	McAfee
In-Depth Analysis Of Hydraq: The Face Of Cyberwar Enemies Unfolds	Mar	CA
Shadows In The Cloud: Investigating Cyber Espionage 2.0	Apr	Shadowserver
The Msupdater Trojan And Ongoing Targeted Attacks	Sep	Zscaler

2009

Title	Month	Source
Tracking GhostNet: Investigating a Cyber Espionage Network	Mar	TheSecDevGroup
DECLAWING THE DRAGON: WHY THE U.S. MUST COUNTER CHINESE CYBER-WARRIORS	Jun	NA
Capability of the People\92s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation	Oct	Northrop Grumman
Russian Cyberwar on Georgia	Nov	georgiaupdate.gov.ge

References

• APT Groups
• Mitre Attack Wiki Groups
• Threat Group Cards: A Threat Actor Encyclopedia
• APT CyberCriminal Campaign Collections