APT Notes

This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports

Contributing

For the moment, it would be nice to have a PDF of the article that we add to the list, just to be sure we always have a copy.

To contribute, you can either:

• Fork, add and send me a pull request
• Open a ticket with the data you want to be added

Adding data:

• Add a link to the public document to Documents.md page
• Add the PDF file to the appropriate year

Thanks to the contributors for helping with the project!

 

传送门：http://git.oschina.net/superme/APTnotes

Papers

The papers section contains historical documents.

2006

• “Wicked Rose” and the NCPH Hacking Group

2008

• Aug 10 – Russian Invasion of Georgia Russian Cyberwar on Georgia
• Oct ?? – How China will use cyber warfare to leapfrog in military competitiveness
• Nov 19 – Agent.BTZ
• ??? ?? – China’s Electronic Long-Range Reconnaissance

2009

• Jan 18 – Impact of Alleged Russian Cyber Attacks
• Mar 29 – Tracking GhostNet

2010

• Jan 12 – Operation Aurora
• Jan 13 – The Command Structure of the Aurora Botnet – Damballa
• Jan 27 – Operation Aurora Detect, Diagnose, Respond
• Jan ?? – Case Study: Operation Aurora – Triumfant
• Jan ?? – McAfee Labs: Combating Aurora
• Feb 24 – How Can I Tell if I Was Infected By Aurora? (IOCs)
• Mar 14 – In-depth Analysis of Hydraq
• Apr 06 – Shadows in the cloud: Investigating Cyber Espionage 2.0
• Sep 03 – The “MSUpdater” Trojan And Ongoing Targeted Attacks
• Dec 09 – The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability

2011

• Feb ?? – W32.Stuxnet Dossier
• Feb 10 – Global Energy Cyberattacks: Night Dragon
• Feb 18 – Night Dragon Specific Protection Measures for Consideration
• Apr 20 – Stuxnet Under the Microscope
• Aug ?? – Shady RAT
• Aug 04 – Operation Shady RAT
• Aug ?? – Operation Shady rat : Vanity
• Aug 03 – HTran and the Advanced Persistent Threat
• Sep 11 – SK Hack by an Advanced Persistent Threat
• Sep 22 – The “LURID” Downloader
• Oct 12 – Alleged APT Intrusion Set: “1.php” Group
• Oct 26 – Duqu Trojan Questions and Answers
• Oct 31 – The Nitro Attacks: Stealing Secrets from the Chemical Industry

2012

• Jan 03 – The HeartBeat APT
• Feb ?? – Command and Control in the Fifth Domain
• Feb 29 – The Sin Digoo Affair
• Mar 12 – Crouching Tiger, Hidden Dragon, Stolen Data
• Mar 13 – Reversing DarkComet RAT’s crypto
• Mar 26 – Luckycat Redux
• Apr 10 – Anatomy of a Gh0st RAT
• May 18 – Analysis of Flamer C&C Server
• May 22 – IXESHEA An APT Campaign
• May 31 – sKyWIper (Flame/Flamer)
• Jul 10 – Advanced Social Engineering for the Distribution of LURK Malware
• Jul 11 – Wired article on DarkComet creator
• Jul 27 – The Madi Campaign
• Aug 09 – Gauss: Abnormal Distribution
• Sep 06 – The Elderwood Project
• Sep 07 – IEXPLORE RAT
• Sep 12 – The VOHO Campaign: An in depth analysis
• Sep 18 – The Mirage Campaign
• Oct 08 – Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT
• Oct 27 – Trojan.Taidoor: Targeting Think Tanks
• Nov 03 – Systematic cyber attacks against Israeli and Palestinian targets going on for a year

2013

• Jan 18 – Ooperation Red October
• Feb 12 – Targeted cyber attacks: examples and challenges ahead
• Feb 13 – Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
• Feb 18 – Mandiant APT1 Report
• Feb 22 – Comment Crew: Indicators of Compromise
• Feb 26 – Stuxnet 0.5: The Missing Link
• Feb 27 – The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
• Feb 27 – Miniduke: Indicators v1
• Mar 13 – You Only Click Twice: FinFisher’s Global Proliferation
• Mar 17 – Safe: A Targeted Threat
• Mar 20 – Dissecting Operation Troy
• Mar 27 – APT1: technical backstage (Terminator/Fakem RAT)
• Apr 01 – Trojan.APT.BaneChant
• Apr 13 – “Winnti” More than just a game
• Apr 24 – Operation Hangover
• May ?? – Operation Hangover
• May 13 – Operation Saffron Rose
• Jun ?? – The Chinese Malware Complexes: The Maudi Surveillance Operation
• Jun 01 – Crude Faux: An analysis of cyber conflict within the oil & gas industries
• Jun 04 – The NetTraveller (aka ‘Travnet’)
• Jun 18 – Trojan.APT.Seinup Hitting ASEAN
• Jun 21 – A Call to Harm: New Malware Attacks Target the Syrian Opposition
• Jun 28 – njRAT Uncovered
• Jul ?? – Dark Seoul Cyber Attack: Could it be worse?
• Jul 15 – PlugX revisited: “Smoaler”
• Jul 31 – Secrets of the Comfoo Masters
• Jul 31 – Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio,Elirks), video
• Aug ?? – Operation Hangover – Unveiling an Indian Cyberattack Infrastructure
• Aug ?? – APT Attacks on Indian Cyber Space
• Aug 02 – Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
• Aug 02 – Surtr: Malware Family Targeting the Tibetan Community
• Aug 19 – ByeBye Shell and the targeting of Pakistan
• Aug 21 – POISON IVY: Assessing Damage and Extracting Intelligence
• Aug 23 – Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
• Sep ?? – Feature: EvilGrab Campaign Targets Diplomatic Agencies
• Sep 11 – The “Kimsuky” Operation
• Sep 13 – Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
• Sep 17 – Hidden Lynx – Professional Hackers for Hire
• Sep 25 – The ‘ICEFROG’ APT: A Tale of cloak and three daggers
• Sep 30 – World War C: State of affairs in the APT world
• Oct 24 – Terminator RAT or FakeM RAT
• Nov 10 – Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
• Nov 11 – Supply Chain Analysis
• Dev 02 – njRAT, The Saga Continues
• Dec 11 – Operation “Ke3chang”
• Dec 20 – ETSO APT Attacks Analysis
• ??? ?? – Deep Panda
• ??? ?? – Detecting and Defeating the China Chopper Web Shell

2014

• Jan 06 – PlugX: some uncovered points
• Jan 13 – Targeted attacks against the Energy Sector
• Jan 14 – The Icefog APT Hits US Targets With Java Backdoor
• Jan 21 – Shell_Crew (Deep Panda)
• Feb 11 – Unveiling “Careto” – The Masked APT
• Feb 13 – Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
• Feb 19 – The Monju Incident
• Feb 19 – XtremeRAT: Nuisance or Threat?
• Feb 20 – Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit
• Feb 20 – Mo’ Shells Mo’ Problems – Deep Panda Web Shells
• Feb 28 – Uroburos: Highly complex espionage software with Russian roots
• Mar 06 – The Siesta Campaign
• Mar 07 – Snake Campaign & Cyber Espionage Toolkit
• Mar 08 – Russian spyware Turla
• Apr 26 – CVE-2014-1776: Operation Clandestine Fox
• May 21 – RAT in jar: A phishing campaign using Unrecom
• Jun 06 – Illuminating The Etumbot APT Backdoor (APT12)
• Jun 09 – Putter Panda
• Jun 30 – Dragonfly: Cyberespionage Attacks Against Energy Suppliers
• Jun 10 – Anatomy of the Attack: Zombie Zero
• Jul 11 – Pitty Tiger
• Jul 31 – Energetic Bear/Crouching Yeti
• Jul 31 – Energetic Bear/Crouching Yeti Appendix
• Aug 04 – Sidewinder Targeted Attack Against Android
• Aug 05 – Operation Arachnophobia
• Aug 06 – Operation Poisoned Hurricane
• Aug 07 – The Epic Turla Operation Appendix
• Aug 12 – New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12)
• Aug 13 – A Look at Targeted Attacks Through the Lense of an NGO
• Aug 18 – The Syrian Malware House of Cards
• Aug 20 – El Machete
• Aug 25 – Vietnam APT Campaign
• Aug 27 – NetTraveler APT Gets a Makeover for 10th Birthday
• Aug 27 – North Korea’s cyber threat landscape
• Aug 28 – Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
• Aug 29 – Syrian Malware Team Uses BlackWorm for Attacks
• Sep 03 – Darwin’s Favorite APT Group (APT12)
• Sep 04 – Forced to Adapt: XSLCmd Backdoor Now on OS X
• Sep 08 – Targeted Threat Index: Characterizingand Quantifying Politically-MotivatedTargeted Malware video
• Sep 08 – When Governments Hack Opponents: A Look at Actors and Technology video
• Sep 10 – Operation Quantum Entanglement
• Sep 17 – Chinese intrusions into key defense contractors
• Sep 18 – COSMICDUKE: Cosmu with a twist of MiniDuke
• Sep 19 – Watering Hole Attacks using Poison Ivy by “th3bug” group
• Sep 23 – Ukraine and Poland Targeted by BlackEnergy (video)
• Sep 26 – Aided Frame, Aided Direction (Sunshop Digital Quartermaster)
• Sep 26 – BlackEnergy & Quedagh
• Oct 03 – New indicators for APT group Nitro
• Oct 09 – Democracy in Hong Kong Under Attack
• Oct 14 – ZoxPNG Preliminary Analysis
• Oct 14 – Hikit Preliminary Analysis
• Oct 14 – Derusbi Preliminary Analysis
• Oct 14 – Group 72 (Axiom)
• Oct 14 – Sandworm – CVE-2104-4114
• Oct 20 – OrcaRAT – A whale of a tale
• Oct 22 – Operation Pawn Storm: The Red in SEDNIT
• Oct 22 – Sofacy Phishing by PWC
• Oct 23 – Modified Tor Binaries
• Oct 24 – LeoUncia and OrcaRat
• Oct 27 – Full Disclosure of Havex Trojans – ICS Havex backdoors
• Oct 27 – ScanBox framework – who’s affected, and who’s using it?
• Oct 28 – APT28 – A Window Into Russia’s Cyber Espionage Operations
• Oct 28 – Group 72, Opening the ZxShell
• Oct 30 – The Rotten Tomato Campaign
• Oct 31 – Operation TooHash
• Nov 03 – New observations on BlackEnergy2 APT activity
• Nov 03 – Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement
• Nov 10 – The Darkhotel APT – A Story of Unusual Hospitality
• Nov 11 – The Uroburos case- Agent.BTZ’s successor, ComRAT
• Nov 12 – Korplug military targeted attacks: Afghanistan & Tajikistan
• Nov 13 – Operation CloudyOmega: Ichitaro 0-day targeting Japan
• Nov 14 – OnionDuke: APT Attacks Via the Tor Network