Interesting APT report collection and some special IOC express
Languages: Python, YARA, PHP
Branch: master. Latest commit da32213 (Nov 12, 2019).

Repository contents:

| Name | Latest commit message | Commit time |
|---|---|---|
| APT-hunting/fn_fuzzy | 11 | Apr 8, 2019 |
| APT28 | Update README.MD | Aug 30, 2019 |
| APT3 | Add files via upload | May 7, 2019 |
| APT34 | Add files via upload | Jun 26, 2019 |
| Blacktech | Update README.MD | Sep 20, 2019 |
| Buhtrap | Update README.MD | Jul 24, 2019 |
| Chafer-APT39 | Rename Chafer-APT29/TREKX.YAR to Chafer-APT39/TREKX.YAR | Jun 18, 2019 |
| Charming Kitten | Update README.MD | Sep 20, 2019 |
| Darkhotel/higaisa | Update README.MD | Nov 4, 2019 |
| DeadlyKiss | Add files via upload | Sep 25, 2019 |
| Donot | Update README.MD | Apr 25, 2019 |
| Exploit | Create Readme.md | May 27, 2019 |
| Gamaredon | Add files via upload | Jun 6, 2019 |
| International Strategic | Update DrillMalware-ioc.MD | Sep 27, 2019 |
| Machete | Add files via upload | Aug 6, 2019 |
| Magecart | Create README.MD | Sep 26, 2019 |
| Oceanlotus | Add files via upload | Sep 12, 2019 |
| Tools/Builder | Update README.MD | Sep 5, 2019 |
| Tortoiseshell | Update README.MD | Sep 19, 2019 |
| Turla | Create IOC.TXT | Jun 20, 2019 |
| WhiteCompany | Add files via upload | Sep 9, 2019 |
| ZooPark | Update README.MD | May 27, 2019 |
| baby-kimsuky | Create babyshark-CVE20188174.php | Apr 27, 2019 |
| bitter | Update and rename README.MD to Inf.MD | Oct 28, 2019 |
| carbanak | Update README.MD | Apr 23, 2019 |
| data | Create mongodb-2.json | Sep 6, 2019 |
| exploit_report | Update README.MD | Jul 23, 2019 |
| group123 | Add files via upload | Nov 12, 2019 |
| kimsuky | Create kimsuky-doc | Jun 10, 2019 |
| konni | Update ReadME.md | Sep 27, 2019 |
| lazarus | | |
| londonblue | Create london-blue-april-2019.pdf | Apr 8, 2019 |
| mobile-APT | Add files via upload | Aug 1, 2019 |
| muddywater | Add files via upload | Jun 25, 2019 |
| phpstudyGhost | Create README.MD | Sep 23, 2019 |
| simjacker | Add files via upload | Oct 9, 2019 |
| tick | Add files via upload | Aug 29, 2019 |
| zhishixingqiu/exploit | Add files via upload | Apr 10, 2019 |
| 0day _In the Wild_.xlsx | Add files via upload | May 17, 2019 |
| README.md | Update README.md | Sep 27, 2019 |
| Threat Group Cards.pdf | Add files via upload | Jun 16, 2019 |

README.md

APT_REPORT collected by @blackorbird https://twitter.com/blackorbird

Interesting apt report collection

APT Group for country

Group123

▶ ScarCruft continues to evolve, introduces Bluetooth harvester https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ (May 13, 2019)

▶ Group123 attempts an APT attack with a 'printing paper' lure disguised as a guide to organizations and conferences https://blog.alyac.co.kr/2287 (May 2, 2019)

▶ Group123 APT attack impersonating the Ministry of Unification spreads malicious code via Google Drive https://blog.alyac.co.kr/2268 (April 22, 2019)

▶ Group123 APT organization, 'Operation High Expert' https://blog.alyac.co.kr/2226 (April 2, 2019)

▶ Rocketman APT campaign returns with 'Operation Holiday Wiper' https://blog.alyac.co.kr/2089 (Jan 23, 2019)

▶ 'Operation Blackbird', the mobile invasion of the ' https://blog.alyac.co.kr/2035 (Dec 13, 2018)

▶ Group123 'Operation Korean Sword' is underway https://blog.alyac.co.kr/1985 (Nov 16, 2018)

▶ Group123's latest APT campaign, 'Operation Rocket Man' https://blog.alyac.co.kr/1853 (Aug 22, 2018)

▶ Group123 Flash Player zero-day (CVE-2018-4878) attack https://blog.alyac.co.kr/1521 (Feb 2, 2018)

▶ Group123 attack using a 'survey on the number of separated families in North and South Korea' lure https://blog.alyac.co.kr/1767 (July 28, 2018)

▶ Rocketman APT campaign, 'Operation Golden Bird' https://blog.alyac.co.kr/2205 (March 20, 2019)

▶ Korea In The Crosshairs https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html (Jan 16, 2018)

▶ FreeMilk: A Highly Targeted Spear Phishing Campaign https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/ (Oct 5, 2017)

BabyShark-related Kimsuky activity

▶ BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat (April 26, 2019) https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

▶ Operation Giant Baby, a giant threat (March 28, 2019) https://blog.alyac.co.kr/2223

▶ Malware installed alongside a cryptocurrency wallet program (Alibaba) (March 15, 2019) https://asec.ahnlab.com/1209

▶ New BabyShark Malware Targets U.S. National Security Think Tanks (Feb 22, 2019) https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/

▶ Korea's latest APT attack, 'Operation Mystery Baby', attention! (Feb 11, 2018) https://blog.alyac.co.kr/1963

▶ The APT attacker behind 'Operation Baby Coin' returns to Korea after overseas targeting in 2010 (Apr 19, 2018) https://blog.alyac.co.kr/1640

kimsuky

▶ Kimsuky, 'Cyber Security Bureau cryptocurrency case' lure (May 28, 2019) https://blog.alyac.co.kr/2338

▶ Kimsuky, APT attack impersonating a Korean cryptocurrency exchange event (May 28, 2019) https://blog.alyac.co.kr/2336

▶ Kimsuky 'Fake Striker' APT campaign aimed at Korea (May 20, 2019) https://blog.alyac.co.kr/2315

▶ Analysis of 'Smoke Screen', an APT campaign aimed at Korea and the United States (April 17, 2019) https://blog.alyac.co.kr/2243

▶ Encrypted APT attack, Kimsuky organization's 'Smoke Screen' part 2 (May 13, 2019) https://blog.alyac.co.kr/2299

▶ Kimsuky organization, 'Operation Stealth Power' silent operation (April 3, 2019) https://blog.alyac.co.kr/2234

▶ Kimsuky organization starts watering-hole campaign 'Operation Low Kick' (March 21, 2019) https://blog.alyac.co.kr/2209

Jaku

▶ SiliVaccine: Inside North Korea’s Anti-Virus (May 1, 2018) https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/

Lazarus

▶ Lazarus APT targets Mac users with poisoned Word document https://www.sentinelone.com/blog/lazarus-apt-targets-mac-users-poisoned-word-document/

Konni

▶ Konni APT group conducts attacks using Russian-North Korean trade and economic investment documents https://blog.alyac.co.kr/2535

▶ APT campaigns 'Konni' and 'Kimsuky' show commonalities between the organizations (June 10, 2019) https://blog.alyac.co.kr/2347

▶ Konni organization uses the Russian 'Amadey' botnet in the 'Blue Sky' APT attack against Korea (May 16, 2019) https://blog.alyac.co.kr/2308

▶ The Konni APT campaign and 'Operation Hunter Adonis' (Jan 1, 2019) https://blog.alyac.co.kr/2061

Oceanlotus

▶ Threat Spotlight: Ratsnif - New Network Vermin from OceanLotus (July 1, 2019) https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html

▶ Analysis report on OceanLotus attacks against mobile devices (May 24, 2019) https://mp.weixin.qq.com/s/L-tCvLPOOMhP0ndgdqhkNQ

▶ OceanLotus attack techniques against China in the first quarter of 2019 (April 24, 2019) https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A

▶ Deobfuscating APT32 Flow Graphs with Cutter and Radare2 (April 24, 2019) https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/

▶ OceanLotus Steganography Malware Analysis White Paper (April 2, 2019) https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html

▶ OceanLotus: macOS malware update (April 9, 2019) https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/

APT28

▶ CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders (April 5, 2019) https://www.carbonblack.com/2019/04/05/cb-threat-intelligence-notification-hunting-apt28-downloaders/

Turla

▶ A dive into Turla PowerShell usage (May 29, 2019) https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

Tick

▶ Tick group's new campaign attacks North Korean and Japanese targets https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?curPage=1&menu_dist=2&seq=28186 (April 1, 2019)

Winnti

▶ Bayer says it has detected and contained a cyber attack (April 5, 2019) https://www.reuters.com/article/us-bayer-cyber/bayer-says-has-detected-contained-cyber-attack-idUSKCN1RG0NN (German coverage: https://www.tagesschau.de/inland/hackerangriff-bayer-101.html)

Middle East / Asia

MuddyWater

▶ Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques (May 20, 2019) https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html

ZooPark

▶ APT-C-38 attack activity revealed (May 27, 2019) http://blogs.360.cn/post/analysis-of-APT-C-38.html

APT Group for finance

CARBANAK

▶ CARBANAK Week Part One: A Rare Occurrence (April 22, 2019) https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html

London Blue (Nigeria)

▶ Evolving Tactics: London Blue Starts Spoofing Target Domains (April 4, 2019; the PDF is in the londonblue folder) https://www.agari.com/email-security-blog/london-blue-evolving-tactics/

FIN6

▶ Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware (April 5, 2019) https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

FIN7

▶ On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation (August 01, 2018) https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
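As an added example (not part of the original README or of the APT_REPORT project), the following Python turns this README's bullet list into structured records so the collection can be loaded into a threat-intel tracker or spreadsheet. It assumes only the layout visible above: plain heading lines, entries that start with ▶, a URL either inline or alone on the next non-blank line, and a publication date in parentheses in one of the loose formats the list uses. The SAMPLE text is constructed for the demo and mirrors a few of the entries.

```python
import re
from datetime import date
from typing import Optional

BULLET = "▶"
URL_RE = re.compile(r"https?://\S+")
# Dates in the list look like "(May 13, 2019)", "(May 2 , 2019)",
# "(Nov. 16, 2018)", "(Jan 1 ,2019)" or "(May 20,2019)"; accept all of them.
DATE_RE = re.compile(r"\(\s*([A-Za-z]+)\.?\s*(\d{1,2})\s*,\s*(\d{4})\s*\)")
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# Constructed sample in the README's own layout (assumption: real input looks like this).
SAMPLE = """\
APT Group for country

Group123

▶ScarCruft continues to evolve, introduces Bluetooth harvester https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ (May 13, 2019)

▶ group123 'Operation Korean Sword' is underway https://blog.alyac.co.kr/1985 (Nov. 16, 2018)

kimsuky

▶Kimsuky 'Fake striker' APT campaign aimed at Korea (May 20 , 2019) https://blog.alyac.co.kr/2315

▶ Analysis of "Smoke Screen" in APT campaign aimed at Korea and America (April 17 , 2019)

https://blog.alyac.co.kr/2243
"""


def parse_date(text: str) -> Optional[date]:
    """Return the first parenthesised date in text, or None if absent/invalid."""
    m = DATE_RE.search(text)
    if not m:
        return None
    month = MONTHS.get(m.group(1).lower()[:3])  # "Nov", "Nov.", "November" all map
    if month is None:
        return None
    try:
        return date(int(m.group(3)), month, int(m.group(2)))
    except ValueError:  # e.g. "Feb 30"
        return None


def parse_readme(text: str) -> list[dict]:
    """Parse ▶ entries into {group, title, url, date}; the nearest heading is the group."""
    records: list[dict] = []
    group: Optional[str] = None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line:
            i += 1
            continue
        if line.startswith(BULLET):
            body = line[len(BULLET):].strip()
            if not URL_RE.search(body):
                # Some entries put the URL alone on the following non-blank line.
                j = i + 1
                while j < len(lines) and not lines[j]:
                    j += 1
                if j < len(lines) and URL_RE.fullmatch(lines[j]):
                    body = f"{body} {lines[j]}"
                    i = j  # consume the URL line
            url_match = URL_RE.search(body)
            title = DATE_RE.sub("", URL_RE.sub("", body))
            records.append({
                "group": group,
                "title": " ".join(title.split()).strip(" -:"),
                "url": url_match.group(0) if url_match else None,
                "date": parse_date(body),
            })
        elif not URL_RE.fullmatch(line):
            group = line  # any other non-empty line is a (category or group) heading
        i += 1
    return records


def undated(records: list[dict]) -> list[str]:
    """Titles whose date could not be parsed, so they can be fixed by hand."""
    return [r["title"] for r in records if r["date"] is None]


if __name__ == "__main__":
    for rec in parse_readme(SAMPLE):
        print(rec["group"], "|", rec["date"], "|", rec["title"], "|", rec["url"])
```

Run it against the real README by replacing SAMPLE with the file contents; entries listed by `undated()` are the ones whose date text deviates from the patterns above.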
