CyberMonitor/APT_CyberCriminal_Campagin_Collections

GitHub: CyberMonitor/APT_CyberCriminal_Campagin_Collections

A collection of technical reports on APT groups and cybercriminal campaigns, organized by year, bringing together threat-intelligence analyses from major security vendors worldwide.

Stars: 4044 | Forks: 973

# APT & CyberCriminal Campaign Collection

This is a collection of APT and cybercriminal campaign reports. If any APT/malware event/campaign is missing, please open an issue.

🤷 The password for malware samples may be 'virus' or 'infected'.

## URL to PDF tools

* [Print Friendly & PDF](https://www.printfriendly.com/)

## Reference resources

:small_blue_diamond: [kbandla](https://github.com/kbandla/APTnotes)
:small_blue_diamond: [APTnotes](https://github.com/aptnotes/data)
:small_blue_diamond: [Florian Roth - APT Groups](https://docs.google.com/spreadsheets/u/0/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml)
:small_blue_diamond: [Attack Wiki](https://attack.mitre.org/wiki/Groups)
:small_blue_diamond: [threat-INTel](https://github.com/fdiskyou/threat-INTel)
:small_blue_diamond: [targetedthreats](https://securitywithoutborders.org/resources/targeted-surveillance-reports.html)
:small_blue_diamond: [Raw Threat Intelligence](https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit)
:small_blue_diamond: [APT search](https://cse.google.com/cse/publicurl?cx=003248445720253387346:turlh5vi4xc)
:small_blue_diamond: [APT Sample by 0xffff0800](http://0xffff0800.ddns.net/Library/) (https://iec56w4ibovnb4wc.onion.si/)
:small_blue_diamond: [APT Map](https://aptmap.netlify.com/)
:small_blue_diamond: [sapphirex00 - Threat-Hunting](https://github.com/sapphirex00/Threat-Hunting)
:small_blue_diamond: [APTSimulator](https://github.com/NextronSystems/APTSimulator)
:small_blue_diamond: [MITRE Att&CK: Group](https://attack.mitre.org/groups/)
:small_blue_diamond: [APT_REPORT collected by @blackorbird](https://github.com/blackorbird/APT_REPORT)
:small_blue_diamond: [Analysis of malware and Cyber Threat Intel of APT and cybercriminals groups](https://github.com/StrangerealIntel/CyberThreatIntel)
:small_blue_diamond: [APT_Digital_Weapon](https://github.com/RedDrip7/APT_Digital_Weapon)
:small_blue_diamond: [vx-underground](https://vx-underground.org/apts.html)
:small_blue_diamond: [StrangerealIntel-EternalLiberty](https://github.com/StrangerealIntel/EternalLiberty/blob/main/EternalLiberty.csv)
## 2024

* July 19 - [[Google] APT41 Has Arisen From the DUST](https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust) | [:closed_book:](../../blob/master/2024/2024.07.19.APT41_Has_Arisen_From_the_DUST)
* July 15 - [[CheckPoint] New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns](https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/) | [:closed_book:](../../blob/master/2024/2024.07.15.New_BugSleep_Backdoor_Deployed_in_Recent_MuddyWater_Campaigns)
* July 10 - [[Zscaler] A deep dive into the updated arsenal of APT41](https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1) | [:closed_book:](../../blob/master/2024/2024.07.10.A_deep_dive_into_the_updated_arsenal_of_APT41)
* Jun 24 - [[Recorded Future] Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation](https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter) | [:closed_book:](../../blob/master/2024/2024.06.24_Chinese_State-Sponsored_Taiwanese)
* Jun 21 - [[CISCO] SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques](https://blog.talosintelligence.com/sneakychef-sugarghost-rat/) | [:closed_book:](../../blob/master/2024/2024.06.21.sneakychef-sugarghost-rat)
* Jun 16 - [[Sygnia] China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence](https://blog.talosintelligence.com/sneakychef-sugarghost-rat/) | [:closed_book:](../../blob/master/2024/2024.06.16.velvet-ant)
* Jun 13 - [[ESET] Arid Viper poisons Android apps with AridSpy](https://www.welivesecurity.com/en/eset-research/arid-viper-poisons-android-apps-with-aridspy/) | [:closed_book:](../../blob/master/2024/2024.06.13.Arid_Viper_poisons_Android_apps_with_AridSpy)
* Jun 10 - [[BlackBerry] Kimsuky is targeting an arms manufacturer in Europe](https://www.linkedin.com/pulse/kimsuky-targeting-arms-manufacturer-europe-dmitry-melikov-dquge/) | [:closed_book:](../../blob/master/2024/2024.06.10.Kimsuky_Europe)
* May 23 - [[Palo Alto Networks] Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia](https://unit42.paloaltonetworks.com/operation-diplomatic-specter/) | [:closed_book:](../../blob/master/2024/2024.05.23_Operation_Diplomatic_Specter)
* May 16 - [[Palo Alto Networks] Payload Trends in Malicious OneNote Samples](https://unit42.paloaltonetworks.com/payloads-in-malicious-onenote-samples/) | [:closed_book:](../../blob/master/2024/2024.05.16_Payload_Trends_in_Malicious_OneNote_Samples)
* Mar 07 - [[ESET] Evasive Panda leverages Monlam Festival to target Tibetans](https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/) | [:closed_book:](../../blob/master/2024/2024.03.07_Evasive_Panda)
* Feb 27 - [[Mandiant] When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors](https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east) | [:closed_book:](../../blob/master/2024/2024.02.27.UNC1549)
* Feb 26 - [[Trend Micro] Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections](https://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html) | [:closed_book:](../../blob/master/2024/2024.02.26.Earth_Lusca_Uses_Geopolitical_Lure_to_Target_Taiwan_Before_Elections)
* Feb 23 - [[Sophos] ConnectWise ScreenConnect attacks deliver malware](https://news.sophos.com/en-us/2024/02/23/connectwise-screenconnect-attacks-deliver-malware/) | [:closed_book:](../../blob/master/2024/2024.02.23.ConnectWise_Malware)
* Feb 23 - [[Palo Alto Networks] Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns](https://unit42.paloaltonetworks.com/i-soon-data-leaks/) | [:closed_book:](../../blob/master/2024/2024.02.23.Data_From_Chinese_Security_Services_Company_i-Soon_Linked_to_Previous)
* Feb 16 - [[---] inside I-Soon APT(Earth Lusca) operation center](https://github.com/I-S00N/I-S00N) | [:closed_book:](../../blob/master/2024/2024.02.16_I-Soon_Earth_Lusca)
* Feb 14 - [[Microsoft] Staying ahead of threat actors in the age of AI](https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/) | [:closed_book:](../../blob/master/2024/2024.02.14_APT_AI)
* Feb 13 - [[Trend Micro] CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day](https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html) | [:closed_book:](../../blob/master/2024/2024.02.13.Water_Hydra)
* Jan 31 - [[Trend Micro] Pawn Storm Uses Brute Force and Stealth Against High-Value Targets](https://www.trendmicro.com/en_us/research/24/a/pawn-storm-uses-brute-force-and-stealth.html) | [:closed_book:](../../blob/master/2024/2024.01.31.Pawn_Storm_Uses_Brute_Force_and_Stealth_Against_High-Value_Targets)
* Jan 25 - [[KrCERT/CC] Lazarus Group’s Large-scale Threats via Watering Hole and Financial Software](https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf) | [:closed_book:](../../blob/master/2024/2024.01.25.Lazarus_Group)
* Jan 24 - [[itochuci] The Endless Struggle Against APT10: Insights from LODEINFO](https://blog-en.itochuci.co.jp/entry/2024/01/24/134100) | [:closed_book:](../../blob/master/2024/2024.01.24.APT10_LODEINFO)
* Jan 10 - [[Volexity] Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN](https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/) | [:closed_book:](../../blob/master/2024/2024.01.10.Active_Exploitation_UTA0178)
* Jan 03 - [[Greg Lesnewich] 100DaysofYARA - SpectralBlur](https://g-les.github.io/yara/2024/01/03/100DaysofYARA_SpectralBlur.html) | [:closed_book:](../../blob/master/2024/2024.01.03_SpectralBlur_North_Korean)

## 2023

* Dec 27 - [[Kaspersky] Operation Triangulation: The last (hardware) mystery](https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/) | [:closed_book:](../../blob/master/2023/2023.12.27.Operation_Triangulation)
* Dec 21 - [[CISCO] Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware](https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/) | [:closed_book:](../../blob/master/2023/2023.12.21.Intellexa_Cytrox)
* Dec 19 - [[Symantec] Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/iran-apt-seedworm-africa-telecoms) | [:closed_book:](../../blob/master/2023/2023.12.19.Seedworm)
* Nov 30 - [[CISCO] New SugarGh0st RAT targets Uzbekistan government and South Korea](https://blog.talosintelligence.com/new-sugargh0st-rat/) | [:closed_book:](../../blob/master/2023/2023.11.30.New_SugarGh0st_RAT)
* Nov 27 - [[Intezer] WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel](https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/) | [:closed_book:](../../blob/master/2023/2023.11.27.WildCard_SysJoker_Israel)
* Nov 23 - [[CheckPoint] ISRAEL-HAMAS WAR SPOTLIGHT: SHAKING THE RUST OFF SYSJOKER](https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/) | [:closed_book:](../../blob/master/2023/2023.11.23.israel-hamas-sysjoker)
* Nov 14 - [[NSDC Ukraine] APT29 attacks Embassies using CVE-2023-38831](https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf) | [:closed_book:](../../blob/master/2023/2023.11.14.APT29_CVE-2023-38831)
* Nov 09 - [[Kaspersky] Modern Asian APT groups’ tactics, techniques and procedures (TTPs)](https://securelist.com/modern-asia-apt-groups-ttp/111009/) | [:closed_book:](../../blob/master/2023/2023.11.09.Modern_Asian_APT_TTPs)
* Nov 07 - [[Palo Alto Networks] Chinese APT Targeting Cambodian Government](https://unit42.paloaltonetworks.com/chinese-apt-linked-to-cambodia-government-attacks/) | [:closed_book:](../../blob/master/2023/2023.11.07.Chinese_APT_Cambodian)
* Nov 06 - [[Palo Alto Networks] Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors](https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/) | [:closed_book:](../../blob/master/2023/2023.11.06.Agrius_Israeli)
* Oct 31 - [[CheckPoint] FROM ALBANIA TO THE MIDDLE EAST: THE SCARRED MANTICORE IS LISTENING](https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/) | [:closed_book:](../../blob/master/2023/2023.10.31.Scarred_Manticore)
* Oct 26 - [[Kaspersky] StripedFly: Perennially flying under the radar](https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/) | [:closed_book:](../../blob/master/2023/2023.10.26.StripedFly)
* Oct 13 - [[Trend Micro] Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant](https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html) | [:closed_book:](../../blob/master/2023/2023.10.13.Void_Rabisu)
* Sep 19 - [[CISCO] New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants](https://blog.talosintelligence.com/introducing-shrouded-snooper/)
* Aug 24 - [[Microsoft] Flax Typhoon using legitimate software to quietly access Taiwanese organizations](https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/) | [:closed_book:](../../blob/master/2023/2023.08.24_Flax_Typhoon)
* Jul 27 - [[Recorded Future] BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware](https://www.recordedfuture.com/bluebravo-adapts-to-target-diplomatic-entities-with-graphicalproton-malware) | [:closed_book:](../../blob/master/2023/2023.07.27.BlueBravo)
* May 24 - [[Microsoft] Volt Typhoon targets US critical infrastructure with living-off-the-land techniques](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/) | [:closed_book:](../../blob/master/2023/2023.05.24.Volt_Typhoon)
* Jan 26 - [[Mandiant] Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations](https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations) | [:closed_book:](../../blob/master/2023/2023.01.26.GOOTLOADER_Operations)
* Jan 11 - [[GROUP-IB] Dark Pink](https://www.group-ib.com/blog/dark-pink-apt/) | [:closed_book:](../../blob/master/2023/2023.01.11.Dark_Pink_APT)
* Jan 09 - [[Intrinsec] Emotet returns and deploys loaders](https://www.intrinsec.com/emotet-returns-and-deploys-loaders/) | [:closed_book:](../../blob/master/2023/2023.01.09.Emotet_return)

## 2022

* Dec 07 - [[Google] Internet Explorer 0-day exploited by North Korean actor APT37](https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/) | [:closed_book:](../../blob/master/2022/2022.12.07.APT37_0Day)
* Dec 06 - [[BlackBerry] Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets](https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets) | [:closed_book:](../../blob/master/2022/2022.12.06.Mustang_Panda)
* Dec 05 - [[Recorded Future] Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations](https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations) | [:closed_book:](../../blob/master/2022/2022.12.05.TAG-53_Russia)
* Dec 02 - [[Palo Alto Networks] Blowing Cobalt Strike Out of the Water With Memory Analysis](https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/) | [:closed_book:](../../blob/master/2022/2022.12.02.Cobalt_Strike_Out_of_the_Water)
* Nov 03 - [[Zscaler] APT-36 Uses New TTPs and New Tools to Target Indian Governmental Organizations](https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations) | [:closed_book:](../../blob/master/2022/2022.11.03.APT-36)
* Nov 02 - [[BlackBerry] RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom](https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass) | [:closed_book:](../../blob/master/2022/2022.11.02.RomCom_Ukraine_UK)
* Oct 06 - [[BlackBerry] Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims](https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims) | [:closed_book:](../../blob/master/2022/2022.10.06.Mustang_Panda_Myanmar)
* Oct 04 - [[Trend Micro] The Rise of Earth Aughisky](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/connecting-taidoors-dots-earth-aughisky-over-the-last-10-years) | [:closed_book:](../../blob/master/2022/2022.10.04.Rise_Earth_Aughisky)
* Sep 28 - [[Virus Bulletin] Exploit archaeology: a forensic history of in-the-wild NSO Group exploits](https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Exploit-archaeology-a-forensic-history-of-in-the-wild-NSO-Group-exploits.pdf) | [:closed_book:](../../blob/master/2022/2022.09.28.EXPLOIT_ARCHAEOLOGY)
* Sep 28 - [[Recorded Future] The Chinese Communist Party’s Strategy for Targeted Propaganda](https://go.recordedfuture.com/hubfs/reports/ta-2022-0928.pdf) | [:closed_book:](../../blob/master/2022/2022.09.28.Chinese_Communist_Party)
* Sep 08 - [[Secureworks] BRONZE PRESIDENT Targets Government Officials](https://www.secureworks.com/blog/bronze-president-targets-government-officials) | [:closed_book:](../../blob/master/2022/2022.09.08.BRONZE_PRESIDENT)
* Aug 12 - [[SEKOIA.IO] LuckyMouse uses a backdoored Electron app to target MacOS](https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/) | [:closed_book:](../../blob/master/2022/2022.08.12.LuckyMouse)
* Aug 12 - [[Trend Micro] Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users](https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html) | [:closed_book:](../../blob/master/2022/2022.08.12.Iron_Tiger_Mimi)
* Jul 26 - [[PWC] Old cat, new tricks, bad habits: An analysis of Charming Kitten’s new tools and OPSEC errors](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html) | [:closed_book:](../../blob/master/2022/2022.07.26.Charming_Kitten_APT)
* Jul 25 - [[Kaspersky] CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit](https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/) | [:closed_book:](../../blob/master/2022/2022.07.25.CosmicStrand)
* Jun 27 - [[Kaspersky] Attacks on industrial control systems using ShadowPad](https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/) | [:closed_book:](../../blob/master/2022/2022.06.27.ShadowPad_ICS)
* Jun 21 - [[Kaspersky] APT ToddyCat](https://securelist.com/toddycat/106799/) | [:closed_book:](../../blob/master/2022/2022.06.21.ToddyCat_APT)
* Jun 02 - [[Kaspersky] WinDealer malware shows extremely sophisticated network abilities](https://securelist.com/windealer-dealing-on-the-side/105946/) | [:closed_book:](../../blob/master/2022/2022.06.02.WinDealer)
* May 19 - [[CheckPoint] Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes](https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/) | [:closed_book:](../../blob/master/2022/2022.05.19.Twisted_Panda)
* May 12 - [[BlackBerry] Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure](https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure) | [:closed_book:](../../blob/master/2022/2022.05.12.Industroyer2_Ukraine)
* May 11 - [[CISCO] Bitter APT adds Bangladesh to their targets](https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html) | [:closed_book:](../../blob/master/2022/2022.05.11.Bitter_APT_Bangladesh)
* May 05 - [[CISCO] Mustang Panda deploys a new wave of malware targeting Europe](https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html) | [:closed_book:](../../blob/master/2022/2022.05.05.Mustang_Panda_Europe)
* May 02 - [[Mandiant] UNC3524: Eye Spy on Your Email](https://www.mandiant.com/resources/unc3524-eye-spy-email) | [:closed_book:](../../blob/master/2022/2022.05.02.UNC3524)
* Apr 06 - [[Recorded Future] Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group](https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/) | [:closed_book:](../../blob/master/2022/2022.04.06.Targeting_of_Indian_Power_Grid)
* Mar 30 - [[Fortinet] New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits](https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits) | [:closed_book:](../../blob/master/2022/2022.03.30.Deep_Panda_New_Milestones)
* Mar 23 - [[Dr.Web] Study of an APT attack on a telecommunications company in Kazakhstan](https://st.drweb.com/static/new-www/news/2022/march/telecom_research_en.pdf) | [:closed_book:](../../blob/master/2022/2022.03.23.Kazakhstan_APT)
* Mar 23 - [[ESET] Mustang Panda’s Hodur: Old tricks, new Korplug variant](https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/) | [:closed_book:](../../blob/master/2022/2022.03.23.Mustang_Panda)
* Mar 17 - [[Trend Micro] Cyclops Blink Sets Sights on Asus Routers](https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html) | [:closed_book:](../../blob/master/2022/2022.03.17.Cyclops_Blink_Voodoo_Bear)
* Mar 08 - [[Trend Micro] New RURansom Wiper Targets Russia](https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html) | [:closed_book:](../../blob/master/2022/2022.03.08.RURansom_Wiper)
* Mar 07 - [[proofpoint] The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates](https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european) | [:closed_book:](../../blob/master/2022/2022.03.07.TA416)
* Mar 01 - [[proofpoint] Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement](https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails) | [:closed_book:](../../blob/master/2022/2022.03.01.Asylum_Ambuscade)
* Feb 23 - [[Pangulab] Bvp47: Top-tier Backdoor of US NSA Equation Group](https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf) | [:closed_book:](../../blob/master/2022/2022.02.23.Bvp47)
* Feb 23 - [[Mandiant] (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware](https://www.mandiant.com/resources/unc2596-cuba-ransomware) | [:closed_book:](../../blob/master/2022/2022.02.23.UNC2596)
* Feb 15 - [[Dell] ShadowPad Malware Analysis](https://www.secureworks.com/research/shadowpad-malware-analysis) | [:closed_book:](../../blob/master/2022/2022.02.15_ShadowPad)
* Feb 03 - [[Symantec] Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks) | [:closed_book:](

## 2020

* Jul 28 - [[Recorded Future] Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations](https://www.recordedfuture.com/reddelta-targets-catholic-organizations/) | [:closed_book:](../../blob/master/2020/2020.07.28.RedDelta_APT)
* Jul 22 - [[Palo Alto Network] OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory](https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/) | [:closed_book:](../../blob/master/2020/2020.07.22.OilRig_Middle_Eastern_Telecommunication)
* Jul 22 - [[Kaspersky] MATA: Multi-platform targeted malware framework](https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/) | [:closed_book:](../../blob/master/2020/2020.07.22_MATA_APT)
* Jul 20 - [[Dr.Web] Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan](https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf) | [:closed_book:](../../blob/master/2020/2020.07.20.APT_attacks_Kazakhstan_Kyrgyzstan)
* Jul 17 - [[CERT-FR] Malware DRIDEX: Origins and Uses](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf) | [:closed_book:](../../blob/master/2020/2020.07.17.DRIDEX)
* Jul 16 - [[NCSC] Advisory: APT29 targets COVID-19 vaccine development](https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development) | [:closed_book:](../../blob/master/2020/2020.07.16.apt29-targets-covid-19-vaccine-development)
* Jul 15 - [[F-Secure] The Fake Cisco: Hunting for backdoors in counterfeit Cisco devices](https://labs.f-secure.com/assets/BlogFiles/2020-07-the-fake-cisco.pdf) | [:closed_book:](../../blob/master/2020/2020.07.15_the_Fake_CISCO)
* Jul 14 - [[Telsy] TURLA / VENOMOUS BEAR updates its arsenal: “NEWPASS” appears on the APT threat scene](https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/) | [:closed_book:](../../blob/master/2020/2020.07.14_Turla_VENOMOUS_BEAR)
* Jul 14 - [[ESET] Welcome Chat as a secure messaging app? Nothing could be further from the truth](https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/) | [:closed_book:](../../blob/master/2020/2020.07.14_Molerats_Middle_East_APT)
* Jul 12 - [[WeiXin] SideWinder activity in the first half of 2020](https://mp.weixin.qq.com/s/5mBqxf_v6G006EnjECoTHw) | [:closed_book:](../../blob/master/2020/2020.07.12_SideWinder_2020_H1)
* Jul 09 - [[AGARI] Cosmic Lynx: The Rise of Russian BEC](https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf) | [:closed_book:](../../blob/master/2020/2020.07.09_Cosmic_Lynx)
* Jul 09 - [[ESET] More evil: A deep look at Evilnum and its toolset](https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/) | [:closed_book:](../../blob/master/2020/2020.07.09_Evilnum_Toolset)
* Jul 08 - [[Sebdraven] Copy cat of APT Sidewinder?](https://medium.com/@Sebdraven/copy-cat-of-apt-sidewinder-1893059ca68d) | [:closed_book:](../../blob/master/2020/2020.07.08.Copy_Cat_of_Sidewinder)
* Jul 08 - [[proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new) | [:closed_book:](../../blob/master/2020/2020.07.08.TA410)
* Jul 08 - [[Seqrite] Operation “Honey Trap”: APT36 Targets Defense Organizations in India](https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/) | [:closed_book:](../../blob/master/2020/2020.07.08_Operation_Honey_Trap)
* Jul 06 - [[Sansec] North Korean hackers are skimming US and European shoppers](https://sansec.io/research/north-korea-magecart) | [:closed_book:](../../blob/master/2020/2020.07.06_North_Korean_Magecart)
* Jul 01 - [[Lookout] Mobile APT surveillance campaigns targeting Uyghurs](https://www.lookout.com

## 2018

* Nov 30 - [[Trend Micro] New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools](https://blog.trendmicro.com/trendlabs-security-intelligence/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools/) | [:closed_book:](../../blob/master/2018/2018.11.30.MuddyWater_Turkey)
* Nov 29 - [[360] Analysis of targeted attack against Pakistan by exploiting InPage vulnerability and related APT groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/) | [:closed_book:](../../blob/master/2018/2018.11.29.Attack_Pakistan_By_Exploiting_InPage)
* Nov 28 - [[Microsoft] Windows Defender ATP device risk score exposes new cyberattack, drives Conditional Access to protect networks](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/) | [:closed_book:](../../blob/master/2018/2018.11.28.Tropic_Trooper_microsoft)
* Nov 28 - [[Clearsky] MuddyWater Operations in Lebanon and Oman](https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf) | [:closed_book:](../../blob/master/2018/2018.11.28.MuddyWater-Operations-in-Lebanon-and-Oman)
* Nov 27 - [[CISCO] DNSpionage Campaign Targets Middle East](https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html) | [:closed_book:](../../blob/master/2018/2018.11.27.dnspionage-campaign-targets-middle-east)
* Nov 20 - [[Trend Micro] Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America](https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/) | [:closed_book:](../../blob/master/2018/2018.11.20.lazarus-in-latin-america)
* Nov 19 - [[FireEye] Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign](https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html) | [:closed_book:](../../blob/master/2018/2018.11.19.APT29_Phishing)
* Nov 13 - [[Recorded Future] Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques](https://go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf) | [:closed_book:](../../blob/master/2018/2018.11.13.China.TEMP.Periscope.Using.Russian_APT)
* Nov 08 - [[Symantec] FASTCash: How the Lazarus Group is Emptying Millions from ATMs](https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware) | [:closed_book:](../../blob/master/2018/2018.11.08.FASTCash)
* Nov 05 - [[Palo Alto Networks] Inception Attackers Target Europe with Year-old Office Vulnerability](https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/) | [:closed_book:](../../blob/master/2018/2018.11.05.Inception_Attackers_Target_Europe)
* Nov 01 - [[Trend Micro] Outlaw group: Perl-Based Shellbot Looks to Target Organizations via C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/perl-based-shellbot-looks-to-target-organizations-via-cc/) | [:closed_book:](../../blob/master/2018/2018.11.01_Outlaw_group)
* Oct 19 - [[Kaspersky] DarkPulsar](https://securelist.com/darkpulsar/88199/) | [:closed_book:](../../blob/master/2018/2018.10.19.DarkPulsar)
* Oct 18 - [[Medium] APT Sidewinder changes their TTPs to install their backdoor](https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739) | [:closed_book:](../../blob/master/2018/2018.10.18.APT_Sidewinder_changes)
* Oct 18 - [[CISCO] Tracking Tick Through Recent Campaigns Targeting East Asia](https://blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html) | [:closed_book:](../../blob/master/2018/2018.10.18.Datper_Bronze_Butler)
* Oct 18 - [[McAfee] Operation Oceansalt Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group](https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf) | [:closed_book:](../../blob/master/2018/2018.10.18.Operation_Oceansalt)
* Oct 17 - [[Marco Ramilli] MartyMcFly Malware: Targeting Naval Industry](https://marcoramilli.com/2018/10/17/martymcfly-malware-targeting-naval-industry/) | [:closed_book:](../../blob/master/2018/2018.10.17_MartyMcFly_Targeting_Naval_Industry)
* Oct 17 - [[Cylance] The SpyRATs of OceanLotus: Malware Analysis White Paper](https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf) | [:closed_book:](../../blob/master/2018/2018.10.17.OceanLotus_SpyRATs)
* Oct 17 - [[ESET] GreyEnergy: Updated arsenal of one of the most dangerous threat actors](https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/) | [:closed_book:](../../blob/master/2018/2018.10.17.GreyEnergy)
* Oct 17 - [[Yoroi] Cyber-espionage campaign targeting the “Naval Industry” (“MartyMcFly”)](https://blog.yoroi.company/?p=1829) | [:closed_book:](../../blob/master/2018/2018.10.17.Targeting_the_Naval_Industry)
* Oct 15 - [[Kaspersky] Octopus-infested seas of Central Asia](https://securelist.com/octopus-infested-seas-of-central-asia/88200/) | [:closed_book:](../../blob/master/2018/2018.10.15.Octopus_Central_Asia)
* Oct 11 - [[Symantec] Gallmaker: New Attack Group Eschews Malware to Live off the Land](https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group) | [:closed_book:](../../blob/master/2018/2018.10.11.Gallmaker)
* Oct 10 - [[Kaspersky] MuddyWater expands operations](https://securelist.com/muddywater/88059/) | [:closed_book:](../../blob/master/2018/2018.10.10.MuddyWater_expands)
* Oct 03 - [[FireEye] APT38: Details on New North Korean Regime-Backed Threat Group](https://content.fireeye.com/apt/rpt-apt38) | [:closed_book:](../../blob/master/2018/2018.10.03.APT38)
* Sep 27 - [[ESET] LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group](https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf) | [:closed_book:](../../blob/master/2018/2018.09.27.LoJax)
* Sep 20 - [[360] (Non-English) (Chinese) PoisonVine](https://ti.360.net/uploads/2018/09/20/6f8ad451646c9eda1f75c5d31f39f668.pdf) | [:closed_book:](../../blob/master/2018/2018.09.20.Poison_Trumpet_Vine_Operation)
* Sep 19 - [[Antiy] (Non-English) (Chinese) Green Spot APT](https://www.antiy.cn/report-download/20180919.pdf) | [:closed_book:](../../blob/master/2018/2018.09.19.Green_Spot_APT)
* Sep 13 - [[FireEye] APT10 Targeting Japanese Corporations Using Updated TTPs](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) | [:closed_book:](../../blob/master/2018/2018.09.13.APT10_Targeting_Japanese)
* Sep 10 - [[Kaspersky] LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company](https://securelist.com/luckymouse-ndisproxy-driver/87914) | [:closed_book:](../../blob/master/2018/2018.09.07.Goblin_Panda_targets_Cambodia)
* Sep 07 - [[Volon] Targeted Attack on Indian Ministry of External Affairs using Crimson RAT](https://volon.io/2018/09/07/targeted-attack-on-indian-ministry-of-external-affairs-using-crimson-rat/) | [:closed_book:](../../blob/master/2018/2018.09.07.indian-ministry_crimson-rat)
* Sep 07 - [[CheckPoint] Domestic Kitten: An Iranian Surveillance Operation](https://research.checkpoint.com/domestic-kitten-an-iranian-surveillance-operation/) | [:closed_book:](../../blob/master/2018/2018.09.07.Domestic_Kitten)
* Sep 07 - [[Medium] Goblin Panda targets Cambodia, sharing capacities with another Chinese hacker group: TEMP.Periscope](https://medium.com/@Sebdraven/goblin-panda-targets-cambodia-sharing-capacities-with-another-chinese-group-hackers-temp-periscope-7871382ffcc0) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Sep 04 - [[Palo Alto Networks] OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE](https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/) | [:closed_book:](../../blob/master/2018/2018.09.04.OilRig_Targets_Middle_Eastern)
* Sep 04 - [[Group-IB] Silence: Moving into the darkside](https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf) | [:closed_book:](../../blob/master/2018/2018.09.04.Silence)
* Aug 30 - [[MalwareBytes] Reversing malware in a custom format: Hidden Bee elements](https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/) | [:closed_book:](../../blob/master/2018/2018.08.30.Hidden_Bee_Custom_format)
* Aug 30 - [[CrowdStrike] Two Birds, One STONE PANDA](https://www.crowdstrike.com/blog/two-birds-one-stone-panda/) | [:closed_book:](../../blob/master/2018/2018.08.30.Stone_Panda)
* Aug 30 - [[Arbor] Double the Infection, Double the Fun](https://asert.arbornetworks.com/double-the-infection-double-the-fun/) | [:closed_book:](../../blob/master/2018/2018.08.30.Cobalt_Group_Fun)
* Aug 30 - [[Dark Matter] COMMSEC: In the Trails of WINDSHIFT APT](https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf) | [:closed_book:](../../blob/master/2018/2018.08.30.WINDSHIFT_APT)
* Aug 29 - [[Trend Micro] The Urpage Connection to Bahamut, Confucius and Patchwork](https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/) | [:closed_book:](../../blob/master/2018/2018.08.29.Bahamut_Confucius_Patchwork)
* Aug 28 - [[CheckPoint] CeidPageLock: A Chinese RootKit](https://research.checkpoint.com/ceidpagelock-a-chinese-rootkit/) | [:closed_book:](../../blob/master/2018/2018.08.28.CeidPageLock)
* Aug 23 - [[Kaspersky] Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware](https://securelist.com/operation-applejeus/87553/) | [:closed_book:](../../blob/master/2018/2018.08.23.Operation_AppleJeus)
* Aug 21 - [[ESET] TURLA OUTLOOK BACKDOOR](https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 21 - [[Trend Micro] Supply Chain Attack Operation Red Signature Targets South Korean Organizations](https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations) | [:closed_book:](../../blob/master/2018/2018.08.21.Operation_Red_Signature)
* Aug 16 - [[Recorded Future] Chinese Cyberespionage Originating From Tsinghua University Infrastructure](https://go

## 2016

* Jul 8 - [[Kaspersky] The Dropping Elephant – aggressive cyber-espionage in the Asian region](https://securelist.com/blog/research/75328/the-dropping-elephant-actor/) | [:closed_book:](../../blob/master/2016/2016.07.08.The_Dropping_Elephant)
* Jul 7 - [[Proofpoint] NetTraveler APT Targets Russian, European Interests](https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests) | [:closed_book:](../../blob/master/2016/2016.07.07.nettraveler-apt-targets-russian-european-interests)
* Jul 7 - [[Cymmetria] Unveiling Patchwork: The Copy-Paste APT](https://www.cymmetria.com/wp-content/uploads/2016/07/Unveiling-Patchwork.pdf) | [:closed_book:](../../blob/master/2016/2016.07.07.UNVEILING_PATCHWORK)
* Jul 3 - [[Check Point] From HummingBad to Worse](http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf) | [:closed_book:](../../blob/master/2016/2016.07.03_From_HummingBad_to_Worse)
* Jul 1 - [[Bitdefender] Pacifier APT](http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf) | [:closed_book:](../../blob/master/2016/2016.07.01.Bitdefender_Pacifier_APT)
* Jul 1 - [[ESET] Espionage toolkit targeting Central and Eastern Europe uncovered](http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eastern-europe-uncovered/) | [:closed_book:](../../blob/master/2016/2016.07.01.SBDH_toolkit_targeting_Central_and_Eastern_Europe)
* Jun 30 - [[JPCERT] Asruex: Malware Infecting through Shortcut Files](http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html) | [:closed_book:](../../blob/master/2016/2016.06.30.Asruex)
* Jun 28 - [[Palo Alto Networks] Prince of Persia – Game Over](http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/) | [:closed_book:](../../blob/master/2016/2016.06.28.prince-of-persia-game-over)
* Jun 28 - [[JPCERT] (Japanese) Attack Tool Investigation](https://www.jpcert.or.jp/research/20160628ac-ir_research.pdf) | [:closed_book:](../../blob/master/2016/2016.06.28.Attack_Tool_Investigation)
* Jun 26 - [[Trend Micro] The State of the ESILE/Lotus Blossom Campaign](http://blog.trendmicro.com/trendlabs-security-intelligence/the-state-of-the-esilelotus-blossom-campaign/) | [:closed_book:](../../blob/master/2016/2016.06.26.The_State_of_the_ESILE_Lotus_Blossom_Campaign)
* Jun 26 - [[Cylance] Nigerian cybercriminals via Pony
针对印度的高影响力行业](https://blog.cylance.com/threat-update-nigerian-cybercriminals-target-high-impact-indian-industries-via-pony) | [:closed_book:](../../blob/master/2016/2016.06.26.Nigerian_Cybercriminals_Target_High_Impact_Industries_in_India) * 6月23日 - [[Palo Alto Networks] 追踪日本的 Elirks 变种:与以往攻击的相似之处](http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/) | [:closed_book:](../../blob/master/2016/2016.06.23.Tracking_Elirks_Variants_in_Japan) * 6月21日 - [[Fortinet] 未知木马针对德语用户的离奇案件](https://blog.fortinet.com/2016/06/21/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users) | [:closed_book:](../../blob/master/2016/2016.06.21.Unknown_Trojan_Targeting_German_Speaking_Users) * 6月21日 - [[FireEye] 划定红线:中国重新计算其对网络间谍的使用]( https://www.fireeye.com/content/dam/FireEye-www/current-threats/pdfs/rpt-china-espionage.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.Redline_Drawn_China_Recalculates_Its_Use_of_Cyber_Espionage) * 6月21日 - [[ESET] 探访熊穴](http://www.welivesecurity.com/wp-content/uploads/2016/06/visiting_the_bear_den_recon_2016_calvet_campos_dupuy-1.pdf) | [:closed_book:](../../blob/master/2016/2016.06.21.visiting_the_bear_den_recon_2016_calvet_campos_dupuy) * 6月17日 - [[Kaspersky] Operation Daybreak](https://securelist.com/operation-daybreak/75100/) | [:closed_book:](../../blob/master/2016/2016.06.17.Operation_Daybreak) * 6月16日 - [[Dell] Threat Group-4127 针对希拉里·克林顿总统竞选活动](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) | [:closed_book:](../../blob/master/2016/2016.06.16.DNC) * 6月15日 - [[CrowdStrike] 熊出没:入侵美国民主党全国委员会](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) | [:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/) * 6月9日 - [[Clearsky] Operation DustySky 第二部分](http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf) | 
[:closed_book:](../../blob/master/2016/2016.06.09.Operation_DustySky_II/) * 6月2日 - [[Trend Micro] FastPOS:快速简便的信用卡盗窃](http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf) | [:closed_book:](../../blob/master/2016/2016.06.02.fastpos-quick-and-easy-credit-card-theft/) * 5月27日 - [[Trend Micro] IXESHE 衍生变种 IHEATE 针对美国用户](http://blog.trendmicro.com/trendlabs-security-intelligence/ixeshe-derivative-iheate-targets-users-america/) | [:closed_book:](../../blob/master/2016/2016.05.27.IXESHE_Derivative_IHEATE_Targets_Users_in_America/) * 5月26日 - [[Palo Alto Networks] The OilRig Campaign:针对沙特阿拉伯组织的攻击投递 Helminth 后门](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) | [:closed_book:](../../blob/master/2016/2016.05.26.OilRig_Campaign/) * 5月25日 - [[Kaspersky] CVE-2015-2545:当前威胁概览](https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/) | [:closed_book:](../../blob/master/2016/2016.05.25.CVE-2015-2545/) * 5月24日 - [[Palo Alto Networks] 新的 Wekby 攻击使用 DNS 请求作为命令与控制机制](http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/) | [:closed_book:](../../blob/master/2016/2016.05.24.New_Wekby_Attacks) * 5月23日 - [[MELANI:GovCERT] APT 案例 RUAG 技术报告](https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf) | [:closed_book:](../../blob/master/2016/2016.05.23.APT_Case_RUAG) * 5月22日 - [[FireEye] 针对中东银行的定向攻击](https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html) | [:closed_book:](../../blob/master/2016/2016.05.22.Targeted_Attacks_Against_Banks_in_Middle_East) * 5月22日 - [[Palo Alto Networks] Operation Ke3chang 携带新的 TidePool 恶意软件卷土重来](http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/) | 
[:closed_book:](../../blob/master/2016/2016.05.22.Operation_Ke3chang_Resurfaces_With_New_TidePool_Malware/) * 5月18日 - [[ESET] Operation Groundbait:监控工具包分析](http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf) | [:closed_book:](../../blob/master/2016/2016.05.18.Operation_Groundbait/) * 5月17日 - [[FOX-IT] Mofang:出于政治动机的信息窃取对手](https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf) | [:closed_book:](../../blob/master/2016/2016.05.17.Mofang) * 5月17日 - [[Symantec] 印度组织成为 Suckfly 攻击目标](http://www.symantec.com/connect/ko/blogs/indian-organizations-targeted-suckfly-attacks) | [:closed_book:](../../blob/master/2016/2016.05.17.Indian_organizations_targeted_in_Suckfly_attacks/) * 5月10日 - [[Trend Micro] 后门即软件套件:TinyLoader 如何分发和升级 PoS 威胁](http://blog.trendmicro.com/trendlabs-security-intelligence/how-tinyloader-distributes-and-upgrades-pos-threats/) | [论文](http://documents.trendmicro.com/assets/tinypos-abaddonpos-ties-to-tinyloader.pdf) | [:closed_book:](../../blob/master/2016/2016.05.10.tinyPOS_tinyloader/) * 5月9日 - [[CMU SEI] 使用蜜网和钻石模型进行 ICS 威胁分析](http://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454247.pdf) | [:closed_book:](../../blob/master/2016/2016.05.09_ICS_Threat_Analysis/) * 5月6日 - [[PwC] 探索 CVE-2015-2545 及其使用者](http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-its-users.html) | [:closed_book:](../../blob/master/2016/2016.05.06_Exploring_CVE-2015-2545/) * 5月5日 - [[Forcepoint] Jaku:正在进行的僵尸网络活动](https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf) | [:closed_book:](../../blob/master/2016/2016.05.05_Jaku_botnet_campaign/) * 5月2日 - [[Team Cymru] GOZNYM MALWARE 针对美国、奥地利、德国](https://blog.team-cymru.org/2016/05/goznym-malware/) | [:closed_book:](../../blob/master/2016/2016.05.02.GOZNYM_MALWARE) * 5月2日 - [[Palo Alto Networks] 波斯王子:Infy 
恶意软件在十年的定向攻击中活跃](http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/) | [:closed_book:](../../blob/master/2016/2016.05.02.Prince_of_Persia_Infy_Malware/) * 4月27日 - [[Kaspersky] 重新包装开源 BeEF 进行追踪及其他](https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/) | [:closed_book:](../../blob/master/2016/2016.04.27.Repackaging_Open_Source_BeEF) * 4月26日 - [[Financial Times] 网络战:伊朗开辟新战线](http://www.ft.com/intl/cms/s/0/15e1acf0-0a47-11e6-b0f1-61f222853ff3.html#axzz478cZz3ao) | [:closed_book:](../../blob/master/2016/2016.04.26.Iran_Opens_a_New_Front/) * 4月26日 - [[Arbor] 新的 Poison Ivy 活动针对缅甸和亚洲国家](https://www.arbornetworks.com/blog/asert/recent-poison-iv/) | [:closed_book:](../../blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/) * 4月22日 - [[Cylance] The Ghost Dragon](https://blog.cylance.com/the-ghost-dragon) | [:closed_book:](../../blob/master/2016/2016.04.22.the-ghost-dragon) * 4月21日 - [[SentinelOne] 教老 RAT 新技巧](https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/) | [:closed_book:](../../blob/master/2016/2016.04.21.Teaching_an_old_RAT_new_tricks/) * 4月21日 - [[Palo Alto Networks] 新的 Poison Ivy RAT 变种针对香港亲民主活动人士](http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/) | [:closed_book:](../../blob/master/2016/2016.04.21.New_Poison_Ivy_RAT_Variant_Targets_Hong_Kong/) * 4月18日 - [[Citizen Lab] 在香港与缅甸之间:追踪 UP007 和 SLServer 间谍活动](https://citizenlab.org/2016/04/between-hong-kong-and-burma/) | [:closed_book:](../../blob/master/2016/2016.04.18.UP007/) * 4月15日 - [[SANS] 检测与响应熊猫和熊](http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf) | [:closed_book:](../../blob/master/2016/2016.04.15.pandas_and_bears/* 4月12日 - [[Microsoft] 
PLATINUM:南亚和东南亚的定向攻击](http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf) | [:closed_book:](../../blob/master/2016/2016.04.12.PLATINUM_Targeted_attacks_in_South_and_Southeast_Asia/) * 3月25日 - [[Palo Alto Networks] ProjectM:发现巴基斯坦行动者与 Operation Transparent Tribe 之间的联系](http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/?utm_medium=email&utm_source=Adobe%20Campaign&utm_campaign=Unit%2042%20Blog%20Updates%2031Mar16) | [:closed_book:](../../blob/master/2016/2016.03.25.ProjectM/) * 3月23日 - [[Trend Micro] Operation C-Major:针对印度军事人员的信息窃取活动](http://blog.trendmicro.com/trendlabs-security-intelligence/indian-military-personnel-targeted-by-information-theft-campaign/) | [:closed_book:](../../blob/master/2016/2016.03.23.Operation_C_Major/) * 3月18日 - [[SANS] 乌克兰电网网络攻击分析:防御用例](https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf) | [:closed_book:](../../blob/master/2016/2016.03.18.Analysis_of_the_Cyber_Attack_on_the_Ukrainian_Power_Grid/) * 3月17日 - [[PwC] 台湾地区领导人选举:主题性定向攻击案例研究](http://pwc.blogs.com/cyber_security_updates/2016/03/taiwant-election-targetting.html) | [:closed_book:](../../blob/master/2016/2016.03.17.Taiwan-election-targetting/) * 3月15日 - [[Symantec] Suckfly:揭示代码签名证书的秘密生活](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates) | [:closed_book:](../../blob/master/2016/2016.03.15.Suckfly) * 3月14日 - [[Proofpoint] 银行抢劫进行中:Carbanak 组织的新攻击针对中东和美国的银行](https://www.proofpoint.com/us/threat-insight/post/carbanak-cybercrime-group-targets-executives-of-financial-organizations-in-middle-east) | [:closed_book:](../../blob/master/2016/2016.03.14.Carbanak_cybercrime_group) * 3月10日 - [[Citizen Lab] 变换战术:追踪针对藏人长达数年的间谍活动变化](https://citizenlab.org/2016/03/shifting-tactics/) | 
[:closed_book:](../../blob/master/2016/2016.03.10.shifting-tactics) * 3月9日 - [[FireEye] 来自 Operation RUSSIANDOLL 的教训](https://www.fireeye.com/blog/threat-research/2016/03/lessons-from-operation-russian-doll.html) | [:closed_book:](../../blob/master/2016/2016.03.09.Operation_RussianDoll) * 3月8日 - [[360] Operation OnionDog:一个专注于韩语国家能源和交通运输行业三年的 APT](http://www.prnewswire.com/news-releases/onion-dog-a-3-year-old-apt-focused-on-the-energy-and-transportation-industries-in-korean-language-countries-is-exposed-by-360-300232441.html) | [:closed_book:](../../blob/master/2016/2016.03.08.OnionDog) * 3月3日 - [[Recorded Future] 利用开源情报解析 BlackEnergy](https://www.recordedfuture.com/blackenergy-malware-analysis/) | [:closed_book:](../../blob/master/2016/2016.03.03.Shedding_Light_BlackEnergy) * 3月1日 - [[Proofpoint] Operation Transparent Tribe - APT 针对印度外交和军事利益](https://www.proofpoint.com/us/threat-insight/post/Operation-Transparent-Tribe) | [:closed_book:](../../blob/master/2016/2016.03.01.Operation_Transparent_Tribe/) * 2月29日 - [[Fidelis] The Turbo Campaign, featuring Derusbi for 64-bit Linux](https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602_0.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster) * 2月24日 - [[NOVETTA] Operation Blockbuster](https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) | [:closed_book:](../../blob/master/2016/2016.02.24.Operation_Blockbuster) * 2月23日 - [[Cylance] OPERATION DUST STORM](https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456355696065) | [:closed_book:](../../blob/master/2016/2016.02.23.Operation_Dust_Storm) * 2月12日 - [[Palo Alto Networks] 深入了解 Fysbis:Sofacy 的 Linux 后门](http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/) | [:closed_book:](../../blob/master/2016/2016.02.12.Fysbis_Sofacy_Linux_Backdoor) * 2月11日 - [[Recorded Future] 
黑客行动主义:印度对阵巴基斯坦](https://www.recordedfuture.com/india-pakistan-cyber-rivalry/) | [:closed_book:](../../blob/master/2016/2016.02.11.Hacktivism_India_vs_Pakistan) * 2月9日 - [[Kaspersky] Poseidon Group:一家专门从事全球网络间谍活动的定向攻击精品店](https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/) | [:closed_book:](../../blob/master/2016/2016.02.09_Poseidon_APT_Boutique) * 2月8日 - [[ICIT] 了解你的敌人 2.0:高级持续性威胁组织入门](http://icitech.org/know-your-enemies-2-0/) | [:closed_book:](../../blob/master/2016/2016.02.08.Know_Your_Enemies_2.0) * 2月4日 - [[Palo Alto Networks] T9000:高级模块化后门使用复杂的反分析技术](http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/) | [:closed_book:](../../blob/master/2016/2016.02.04_PaloAlto_T9000-Advanced-Modular-Backdoor) * 2月3日 - [[Palo Alto Networks] Emissary Trojan 更新日志:Operation Lotus Blossom 是否促使其进化?](http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/) | [:closed_book:](../../blob/master/2016.02.03.Emissary_Trojan_Changelog) * 2月1日 - [[Sucuri] 大规模 Admedia/Adverting iFrame 感染](https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html) | [:closed_book:](../../blob/master/2016/2016.02.01.Massive_Admedia_Adverting_iFrame_Infection) * 2月1日 - [[IBM] 日本的有组织网络犯罪:URLZone 现身](https://securityintelligence.com/organized-cybercrime-big-in-japan-urlzone-now-on-the-scene/) | [:closed_book:](../../blob/master/2016/2016.02.01.URLzone_Team) * 1月29日 - [[F5] Tinbapore:数百万美元面临风险](https://devcentral.f5.com/d/tinbapore-millions-of-dollars-at-risk?download=true) | [:closed_book:](../../blob/master/2016/2016.01.29.Tinbapore_Attack) * 1月29日 - [[Zscaler] 恶意 Office 文件投放 Kasidet 和 Dridex](http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html) | [:closed_book:](../../blob/master/2016/2016.01.29.Malicious_Office_files_dropping_Kasidet_and_Dridex) * 
1月28日 - [[Kaspersky] 乌克兰的 BlackEnergy APT 攻击使用带有 Word 文档的鱼叉式网络钓鱼](https://securelist.com/blog/research/73440/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/) | [:closed_book:](../../blob/master/2016/2016.01.28.BlackEnergy_APT) * 1月27日 - [[Fidelis] 剖析 INOCNATION 活动中涉及的恶意软件](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2016/2016.01.27.Hi-Zor.RAT) * 1月26日 - [[SentinelOne] 分析 BlackEnergy 3 的新变种](https://www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf) | [:closed_book:](../../blob/master/2016/2016.01.26.BlackEnergy3) * 1月24日 - [[Palo Alto Networks] Scarlet Mimic:长达数年的间谍活动针对少数群体活动人士](http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/) | [:closed_book:](../../blob/master/2016/2016.01.24_Scarlet_Minic) * 1月21日 - [[Palo Alto Networks] NetTraveler 鱼叉式网络钓鱼邮件针对乌兹别克斯坦外交官](http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/) | [:closed_book:](../../blob/master/2016/2016.01.21.NetTraveler_Uzbekistan) * 1月19日 - [[360] 2015 APT 年度报告](https://ti.360.com/upload/report/file/2015.APT.Annual_Report.pdf) | [:closed_book:](../../blob/master/2016/2016.01.19.360_APT_Report) * 1月14日 - [[CISCO] 研究聚焦:大海捞针](http://blog.talosintel.com/2016/01/haystack.html#more) | [:closed_book:](../../blob/master/2016/2016.01.14_Cisco_Needles_in_a_Haystack) * 1月14日 - [[Symantec] The Waterbug attack group](https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf) | [:closed_book:](../../blob/master/2016/2016.01.14.The.Waterbug.Attack.Group/) * 1月7日 - [[Clearsky] Operation DustySky](http://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf) | [:closed_book:](../../blob/master/2016/2016.01.07.Operation_DustySky) * 1月7日 - [[CISCO] 操纵入侵 - RIG EXPLOIT 
KIT](http://blog.talosintel.com/2016/01/rigging-compromise.html) | [:closed_book:](../../blob/master/2016/2016.01.07.rigging-compromise) * 1月3日 - [[ESET] BlackEnergy by the SSHBearDoor:针对乌克兰新闻媒体和电力行业的攻击](http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/) | [:closed_book:](../../blob/master/2016/2016.01.03.BlackEnergy_Ukrainian) ## 2015 年 * 12月23日 - [[PwC] ELISE:通过臃肿实现安全](http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html) | [:closed_book:](../../blob/master/2015/2015.12.13.ELISE) * 12月22日 - [[Palo Alto Networks] 针对俄罗斯组织的 BBSRAT 攻击与 Roaming Tiger 有关](http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/) | [:closed_book:](../../blob/master/2015/2015.12.22.BBSRAT_Roaming_Tiger) * 12月20日 - [[FireEye] EPS 觉醒 - 第二部分](https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html) | [:closed_book:](../../blob/master/2015/2015.12.20.EPS_Awakens_Part_II) * 12月18日 - [[Palo Alto Networks] 针对外交官的攻击与 Operation Lotus Blossom 有关](http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/) | [:closed_book:](../../blob/master/2015/2015.12.18.Attack_on_Frence_Diplomat_Linked_To_Operation_Lotus_Blossom) * 12月16日 - [[Bitdefender] APT28 聚焦 - 窃取情报和政府信息的旅程](http://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf) | [:closed_book:](../../blob/master/2015/2015.12.17.APT28_Under_The_Scope) * 12月16日 - [[Trend Micro] Operation Black Atlas,第二部分:使用的工具和恶意软件及检测方法](http://documents.trendmicro.com/assets/Operation_Black%20Atlas_Technical_Brief.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign) * 12月16日 - [[Fidelis] 剖析 INOCNATION 
活动中涉及的恶意软件](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) | [:closed_book:](../../blob/master/2015/2015.12.16.INOCNATION.Campaign) * 12月15 - [[AirBus] Derusbi 家族的新成员](http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family) | [:closed_book:](../../blob/master/2015/2015.12.15.Newcomers_in_the_Derusbi_family) * 12月8日 - [[Citizen Lab] Packrat:一个南美威胁行动者的七年](https://citizenlab.org/2015/12/packrat-report/) | [:closed_book:](../../blob/master/2015/2015.12.08.Packrat) * 12月7日 - [[FireEye] 金融威胁组织针对卷引导记录](https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html) | [:closed_book:](../../blob/master/2015/2015.12.07.Thriving_Beyond_The_Operating_System) * 12月7日 - [[Symantec] 位于伊朗的攻击者使用后门威胁监视中东目标](http://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) | [:closed_book:](../../blob/master/2015/2015.12.07.Iran-based) * 12月4日 - [[Kaspersky] Sofacy APT 使用更新的工具集攻击高调目标](https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/) | [:closed_book:](../../blob/master/2015/2015.12.04.Sofacy_APT) * 12月1日 - [[FireEye] 位于中国的网络威胁组织使用 Dropbox 进行恶意软件通信并针对香港媒体机构](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html) | [:closed_book:](../../blob/master/2015/2015.12.01.China-based_Cyber_Threat_Group_Uses_Dropbox_for_Malware_Communications_and_Targets_Hong_Kong_Media_Outlets) * 11月30日 - [[FOX-IT] Ponmocup 隐藏在阴影中的巨人](https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf) | [:closed_book:](../../blob/master/2015/2015.11.30.Ponmocup) * 11月24日 - [[Palo Alto Networks] 针对泰国政府的攻击活动投放 Bookworm Trojan](http://researchcenter.paloaltonetworks.com/2015/11/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/) | [:closed_book:](../../blob/master/2015/2015.11.24.Attack_Campaign_on_the_Government_of_Thailand_Delivers_Bookworm_Trojan) * 11月23日 - [[Minerva 
Labs, ClearSky] CopyKittens 攻击组织](https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf) | [:closed_book:](../../blob/master/2015/2015.11.23.CopyKittens_Attack_Group) * 11月23日 - [[RSA] 窥探 GLASSRAT](https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf) | [:closed_book:](../../blob/master/2015/2015.11.23.PEERING_INTO_GLASSRAT) * 11月23日 - [[Trend Micro] 原型国度:2015 年中国网络犯罪地下市场](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/prototype-nation-the-chinese-cybercriminal-underground-in-2015/?utm_source=siblog&utm_medium=referral&utm_campaign=2015-cn-ug) | [:closed_book:](../../blob/master/2015/2015.11.23.Prototype_Nation_The_Chinese_Cybercriminal_Underground_in_2015) * 11月19日 - [[Kaspersky] 俄罗斯金融网络犯罪:运作方式](https://securelist.com/analysis/publications/72782/russian-financial-cybercrime-how-it-works/) | [:closed_book:](../../blob/master/2015/2015.11.18.Russian_financial_cybercrime_how_it_works) * 11月19日 - [[JPCERT] 解密 Emdivi 中的字符串](http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html) | [:closed_book:](../../blob/master/2015/2015.11.19.decrypting-strings-in-emdivi) * 11月18日 - [[Palo Alto Networks] TDrop2 攻击暗示 Dark Seoul 攻击者回归](http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-seoul-attackers-return/) | [:closed_book:](../../blob/master/2015/2015.11.18.tdrop2) * 11月18日 - [[CrowdStrike] Sakula 重装上阵](http://blog.crowdstrike.com/sakula-reloaded/) | [:closed_book:](../../blob/master/2015/2015.11.18.Sakula_Reloaded) * 11月18日 - [[Damballa] Damballa 发现与 Destover 攻击者相关的新工具集,帮助他们扩大攻击面](https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.11.18.Destover/amballa-discovers-new-toolset-linked-to-destover-attackers-arsenal-helps-them-to-broaden-attack-surface.pdf) | [:closed_book:](../../blob/master/2015/2015.11.18.Destover) * 11月16日 - [[FireEye] WitchCoven:利用网络分析诱捕受害者](https://www2.fireeye.com/threat-intel-report-WITCHCOVEN.html) | 
[:closed_book:](../../blob/master/2015/2015.11.17.Pinpointing_Targets_Exploiting_Web_Analytics_to_Ensnare_Victims) * 11月10日 - [[Palo Alto Networks] Bookworm Trojan:模块化架构的典范](http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/) | [:closed_book:](../../blob/master/2015/2015.11.10.bookworm-trojan-a-model-of-modular-architecture) * 11月9日 - [[Check Point] Rocket Kitten:拥有 9 条命的攻击活动](http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf) | [:closed_book:](../../blob/master/2015/2015.11.09.Rocket_Kitten_A_Campaign_With_9_Lives) * 11月4日 - [[RSA] 不断演变的威胁:网络间谍攻击剖析](http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf) | [:closed_book:](../../blob/master/2015/2015.11.04_Evolving_Threats) * 10月16日 - [[Citizen Lab] 针对 NGO 的定向恶意软件攻击与针对缅甸政府网站的攻击有关](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/)(https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36/) | [:closed_book:](../../blob/master/2015/2015.10.16.NGO_Burmese_Government) * 10月15日 - [[Citizen Lab] 不要理会代理背后的服务器:绘制 FinFisher 的持续扩散图](https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/) | [:closed_book:](../../blob/master/2015/2015.10.15.FinFisher_Continuing) * 10月5日 - [[Recorded Future] 主动威胁识别中和远程访问木马 efficacy](http://go.recordedfuture.com/hubfs/reports/threat-identification.pdf) | [:closed_book:](../../blob/master/2015/2015.10.05.Proactive_Threat_Identification) * 10月3日 - [[Cybereason] Webmail Server APT:一种针对 Microsoft Outlook Web Application (OWA) 的新型持久攻击方法](http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Labs-Analysis-Webmail-Sever-APT.pdf) | [:closed_book:](../../blob/master/2015/2015.10.03.Webmail_Server_APT) * 9月23日 - [[ThreatConnect] PROJECT CAMERASHY:缩小中国 Unit 78020 的光圈](https://www.threatconnect.com/camerashy-intro/) | [PDF](https://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) | 
[:closed_book:](../../blob/master/2015/2015.09.23.CAMERASHY_ThreatConnect) * 9月17日 - [[F-SECURE] The Dukes 7 年的俄罗斯网络间谍活动](https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/) - [PDF](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf) | [:closed_book:](../../blob/master/2015/2015.09.17.duke_russian) * 9月16日 - [[Proofpoint] 影子知道:恶意广告活动使用域名影子技术引入 Angler EK](https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows) | [:closed_book:](../../blob/master/2015/2015.09.16.The-Shadow-Knows) * 9月16日 - [[Trend Micro] Operation Iron Tiger:位于中国的攻击者如何将攻击从亚太地区转移到美国目标](http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states) | [IOC](https://otx.alienvault.com/pulse/55f9910967db8c6fb35179bd/) | [:closed_book:](../../blob/master/2015/2015.09.17.Operation_Iron_Tiger) * 9月15日 - [[Proofpoint] 追寻光纤和部队情报:定向攻击在俄罗斯分发 PlugX](https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia) | [:closed_book:](../../blob/master/2015/2015.09.15.PlugX_in_Russia) * 9月9日 - [[Trend Micro] Shadow Force 使用 DLL 劫持,针对韩国公司](https://blog.trendmicro.com/trendlabs-security-intelligence/shadow-force-uses-dll-hijacking-targets-south-korean-company/) | [:closed_book:](../../blob/master/2015/2015.09.09.Shadow_Force) * 9月9日 - [[Kaspersky] Satellite Turla:空中的 APT 命令与控制](https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/) | [:closed_book:](../../blob/master/2015/2015.09.09.satellite-turla-apt) * 9月8日 - [[Palo Alto Networks] 抢椅子游戏:涉及 Gh0st Malware 新变种的多年活动](http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/) | [:closed_book:](../../blob/master/2015/2015.09.08.Musical_Chairs_Gh0st_Malware) * 9月1日 - [[Trend Micro, Clearsky] Spy Kittens 回归:Rocket Kitten 2](http://www.trendmicro.tw/vinfo/us/security/news/cyber-attacks/rocket-kitten-continues-attacks-on-middle-east-targets) | 
[PDF](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf) | [:closed_book:](../../blob/master/2015/2015.09.01.Rocket_Kitten_2) * 8月20日 - [[Arbor] 缅甸的 PlugX 威胁活动](http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf) | [:closed_book:](../../blob/master/2015/2015.08.20.PlugX_Threat_Activity_in_Myanmar) * 8月20日 - [[Kaspersky] Blue Termite APT 的新活动](https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/) | [:closed_book:](../../blob/master/2015/2015.08.20.new-activity-of-the-blue-termite-apt) * 8月19日 - [[Symantec] 新的 Internet Explorer 零日漏洞在香港攻击中被利用](http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hong-kong-attacks) | [:closed_book:](../../blob/master/2015/2015.08.19.new-internet-explorer-zero-day-exploited-hong-kong-attacks) * 8月10日 - [[ShadowServer] 意大利连接:分析漏洞供应链和数字军需官](http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exploit-supply-chains-and-digital-quartermasters/) | [:closed_book:](../../blob/master/2015/2015.08.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters) * 8月8日 - [[Cyint] 威胁分析:Poison Ivy 与扩展 PlugX 活动的联系](http://www.cyintanalysis.com/threat-analysis-poison-ivy-and-links-to-an-extended-plugx-campaign/) | [:closed_book:](../../blob/master/2015/2015.08.08.Poison_Ivy_and_Links_to_an_Extended_PlugX_Campaign) * 8月5日 - [[Dell] Threat Group-3390 针对组织进行网络间谍活动](http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/) | [:closed_book:](../../blob/master/2015/2015.08.05.Threat_Group-3390) * 8月4日 - [[RSA] Terracotta VPN:高级威胁匿名性的推动者](https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/) | [:closed_book:](../../blob/master/2015/2015.08.04.Terracotta_VPN) * 7月30日 - [[ESET] Operation Potao 
Express](http://www.welivesecurity.com/2015/07/30/operation-potao-express/) | [IOC](https://github.com/eset/malware-ioc/tree/master/potao) | [:closed_book:](../../blob/master/2015/2015.07.30.Operation-Potao-Express)
* Jul 28 - [[Symantec] Black Vine: a formidable cyberespionage group targeting aerospace and healthcare since 2012](http://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group-targeted-aerospace-healthcare-2012) | [:closed_book:](../../blob/master/2015/2015.07.28.Black_Vine)
* Jul 27 - [[FireEye] HAMMERTOSS: stealthy tactics define a Russian cyber threat group](https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html) | [:closed_book:](../../blob/master/2015/2015.07.27.HAMMERTOSS)
* Jul 22 - [[F-SECURE] The Duke APT group's latest tools: cloud services and Linux support](https://www.f-secure.com/weblog/archives/00002822.html) | [:closed_book:](../../blob/master/2015/2015.07.22.Duke_APT_groups_latest_tools)
* Jul 20 - [[ThreatConnect] China hacks the Peace Palace: all your exclusive economic zones are
* XXX XX - [[CISAK] Seoul cyber attack: could it be worse?](http://cisak.perpika.kr/2013/wp-content/uploads/2013/06/Accepted-Papers.xlsx) | [:closed_book:](../../blob/master/2013/2013.00.00.Dark_Seoul_Cyber_Attack)
* XXX XX - [[Fireeye] Operation Saffron Rose](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf) | [:closed_book:](../../blob/master/2013/2013.00.00.OPERATION_SAFFRON_ROSE)
* Dec 20 - [[Ahnlab] ETSO APT attack analysis](http://image.ahnlab.com/global/upload/download/documents/1401223631603288.pdf) | [:closed_book:](../../blob/master/2013/2013.12.20.ETSO)
* Dec 12 - [[FireEye] Operation Ke3chang: targeted attacks against ministries of foreign affairs](https://www.fireeye.com/blog/executive-perspective/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html) | [:closed_book:](../../blob/master/2013/2013.12.12.Operation_Ke3chang)
* Dec 02 - [[Fidelis] njRAT, the saga continues](http://www.fidelissecurity.com/files/files/FTA%201010%20-%20njRAT%20The%20Saga%20Continues.pdf) | [:closed_book:](../../blob/master/2013/2013.12.02.njRAT_Saga_Continues)
* Nov 10 - [[FireEye] Operation Ephemeral Hydra: IE zero-day linked to DeputyDog uses a diskless method](http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html) | [:closed_book:](../../blob/master/2013/2013.11.10.Operation_Ephemeral_Hydra)
* Oct 25 - [[FireEye] Evasive tactics: Terminator RAT](https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-rat.html) | [:closed_book:](../../blob/master/2013/2013.10.25.Terminator_RAT)
* Oct 24 - [[Trend Micro] FakeM RAT](http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf) | [:closed_book:](../../blob/master/2013/2013.10.24.FakeM_RAT)
* Sep 25 - [[Kaspersky] The "ICEFROG" APT: a tale of cloak and three daggers](http://www.securelist.com/en/downloads/vlpdfs/icefog.pdf) | [:closed_book:](../../blob/master/2013/2013.09.25.ICEFROG_APT)
* Sep 21 - [[FireEye] Operation DeputyDog: zero-day (CVE-2013-3893) attack against Japanese targets](https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html) | [:closed_book:](../../blob/master/2013/2013.09.21.Operation_DeputyDog)
* Sep 19 - [[Trend Micro] 2Q 2013 report on targeted attack campaigns: a look into EvilGrab](https://www.trendmicro.tw/vinfo/hk/security/news/cyber-attacks/2q-2013-report-on-targeted-attack-campaigns-a-look-into-evilgrab) | [:closed_book:](../../blob/master/2013/2013.09.19.EvilGrab)
* Sep 17 - [[Symantec] Hidden Lynx - professional hackers for hire](http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf) | [:closed_book:](../../blob/master/2013/2013.09.17.Hidden_Lynx)
* Sep 11 - [[Kaspersky] The "Kimsuky" operation](https://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/) | [:closed_book:](../../blob/master/2013/2013.09.11.Kimsuky_Operation)
* Sep 06 - [[FireEye] Evasive tactics: Taidoor](https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html) | [:closed_book:](../../blob/master/2013/2013.09.06.EvasiveTactics_Taidoor)
* Aug 23 - [[FireEye] Operation Molerats: Middle East cyber attacks using Poison Ivy](http://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html) | [:closed_book:](../../blob/master/2013/2013.08.23.Operation_Molerats)
* Aug 21 - [[FireEye] POISON IVY: assessing damage and extracting intelligence](http://www.fireeye.com/resources/pdfs/FireEye-poison-ivy-report.pdf) | [:closed_book:](../../blob/master/2013/2013.08.21.POISON_IVY)
* Aug 19 - [[Rapid7] ByeBye Shell and the targeting of Pakistan](https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-targeting-of-pakistan) | [:closed_book:](../../blob/master/2013/2013.08.19.ByeBye_Shell)
* Aug 02 - [[CitizenLab] Surtr: a malware family targeting the Tibetan community](https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-community/) | [:closed_book:](../../blob/master/2013/2013.08.02.Surtr_Targeting_Tibetan)
* Aug 02 - [[ThreatConnect] Where there is smoke, there is fire: South Asian cyber espionage heats up](http://www.threatconnect.com/news/where-there-is-smoke-there-is-fire-south-asian-cyber-espionage-heats-up/) | [:closed_book:](../../blob/master/2013/2013.08.02.Smoke_Fire_South_Asian_Cyber_Espionage)
* Jul 31 - [[BlackHat] Hunting the shadows: in-depth analysis of escalated APT attacks](https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf) | [:closed_book:](../../blob/master/2013/2013.07.31.Hunting_the_Shadows)
* Jul 31 - [[Dell] Secrets of the Comfoo masters](http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/) | [:closed_book:](../../blob/master/2013/2013.07.31.ecrets_of_the_Comfoo_Masters)
* Jul 15 - [[Sophos] PlugX malware revisited: introducing "Smoaler"](http://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf) | [:closed_book:](../../blob/master/2013/2013.07.15.PlugX_Smoaler)
* Jul 01 - [[McAfee] Targeted campaign steals credentials in Gulf states and the Caribbean](https://www.kashifali.ca/2013/07/01/targeted-campaign-steals-credentials-in-gulf-states-and-caribbean/) | [:closed_book:](../../blob/master/2013/2013.07.01.Gulf_States_APT)
* Jun 28 - [[ThreatGeek] njRAT uncovered](http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf) | [:closed_book:](../../blob/master//2013/2013.06.28.njRAT_Uncovered)
* Jun 21 - [[Citizen Lab] A call to harm: new malware attacks target the Syrian opposition](https://citizenlab.org/wp-content/uploads/2013/07/19-2013-acalltoharm.pdf) | [:closed_book:](../../blob/master/2013/2013.06.21.Syrian_Attack)
* Jun 18 - [[FireEye] Trojan.APT.Seinup hitting ASEAN](http://www.fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html) | [:closed_book:](../../blob/master/2013/2013.06.18.APT_Seinup)
* Jun 07 - [[Rapid7] KeyBoy, targeted attacks against Vietnam and India](https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india) | [:closed_book:](../../blob/master/2013/2013.06.07.KeyBoy_APT)
* Jun 04 - [[Kaspersky] NetTraveller (aka 'Travnet')](http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf) | [:closed_book:](../../blob/master/2013/2013.06.04.NetTraveller)
* Jun 01 - [[Purdue] Crude Faux: an analysis of cyber conflict within the oil and gas industries](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2013-9.pdf) | [:closed_book:](../../blob/master/2013/2013.06.01.cyber_conflict_Oil_Gas)
* Jun XX - [[BlueCoat] The Chinese malware complex: Maudi surveillance