Most Dangerous APT Hacker Groups' Deadly Cyber Attacks of the Year 2021 - Complete Collection
Advanced persistent threat (APT) groups are known for launching sophisticated attacks to steal sensitive and financial information while staying undetected inside the victim's infrastructure. This article collects the APT attacks reported from 2019 to 2021.
These groups primarily target enterprises regardless of industry; their victims include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more.
An APT group is made up of experienced operators who can bypass security controls and cause as much damage and disruption as possible. Each group selects a specific target, spends time studying it, and then exploits its weaknesses to gain access.
Most APT groups use custom malware to fly under the radar. An APT attack can be divided into phases: planning the attack, mapping company data, avoiding detection and compromising the network.
Dangerous APT Hacker Group Attacks 2019

January
Jan 16 – Latest Target Attack of DarkHydruns Group Against Middle East
Jan 17 – Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products
Jan 18 – DarkHydrus delivers new Trojan that can use Google Drive for C2 communications
Jan 24 – GandCrab and Ursnif Campaign
Jan 30 – Targeted Campaign delivers Orcus Remote Access Trojan
Jan 30 – Double Life of SectorA05 Nesting in Agora
Jan 30 – Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

February
Feb 01 – Tracking OceanLotus’ new Downloader, KerrDown
Feb 05 – Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain
Feb 06 – APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Feb 14 – Suspected Molerats’ New Attack in the Middle East
Feb 18 – APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations
Feb 20 – IT IS IDENTIFIED ATTACKS OF THE CIBERCRIMINAL LAZARUS GROUP DIRECTED TO ORGANIZATIONS IN RUSSIA
Feb 25 – Defeating Compiler Level Obfuscations Used in APT10 Malware
Feb 26 – The Arsenal Behind the Australian Parliament Hack
Feb 27 – A Peek into BRONZE UNION’s Toolbox

March
Mar 04 – APT40: Examining a China-Nexus Espionage Actor
Mar 06 – Whitefly: Espionage Group has Singapore in Its Sights
Mar 06 – Targeted attack using Taidoor Analysis report
Mar 06 – Operation Pistacchietto
Mar 07 – New SLUB Backdoor Uses GitHub, Communicates via Slack
Mar 08 – Supply Chain – The Major Target of Cyberespionage Groups
Mar 11 – Gaming industry still in the scope of attackers in Asia
Mar 12 – Operation Comando: How to Run a Cheap and Effective Credit Card Business
Mar 13 – Operation Sheep: Pilfer-Analytics SDK in Action
Mar 13 – ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses
Mar 13 – GlitchPOS: New PoS malware for sale
Mar 13 – LUCKY ELEPHANT CAMPAIGN MASQUERADING
Mar 22 – Operation ShadowHammer
Mar 25 – Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
Mar 27 – Threat Actor Group using UAC Bypass Module to run BAT File
Mar 28 – Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria
Mar 28 – Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole

April
Apr 02 – OceanLotus Steganography
Apr 10 – Gaza Cybergang Group1, operation SneakyPastes
Apr 10 – Project TajMahal – a sophisticated new APT framework
Apr 10 – The Muddy Waters of APT Attacks
Apr 17 – DNS Hijacking Abuses Trust In Core Internet Service
Apr 17 – Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign
Apr 19 – “Funky malware format” found in Ocean Lotus sample
Apr 22 – FINTEAM: Trojanized TeamViewer Against Government Targets
Apr 23 – Operation ShadowHammer: a high-profile supply chain attack
Apr 24 – Legit remote admin tools turn into threat actors’ tools
Apr 30 – SectorB06 using Mongolian language in lure document

May
May 03 – Who’s who in the Zoo: Cyberespionage operation targets Android users in the Middle East
May 07 – Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
May 07 – Turla LightNeuron: An email too far
May 07 – ATMitch: New Evidence Spotted In The Wild
May 08 – OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure
May 08 – FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
May 09 – Iranian Nation-State APT Groups – “Black Box” Leak
May 11 – Chinese Actor APT target Ministry of Justice Vietnamese
May 13 – ScarCruft continues to evolve, introduces Bluetooth harvester
May 15 – Winnti: More than just Windows and Gates
May 18 – Operation_BlackLion
May 19 – HiddenWasp Malware Stings Targeted Linux Systems
May 22 – A journey to Zebrocy land
May 24 – UNCOVERING NEW ACTIVITY BY APT10
May 27 – APT-C-38
May 28 – Emissary Panda Attacks Middle East Government Sharepoint Servers
May 29 – TA505 is Expanding its Operations
May 29 – A dive into Turla PowerShell usage
May 30 – 10 years of virtual dynamite: A high-level retrospective of ATM malware

June
Jun 03 – Zebrocy’s Multilanguage Malware Salad
Jun 04 – An APT Blueprint: Gaining New Visibility into Financial Threats
Jun 05 – Scattered Canary: The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise
Jun 10 – MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
Jun 11 – The Discovery of Fishwrap: A New Social Media Information Operation Methodology
Jun 12 – Threat Group Cards: A Threat Actor Encyclopedia
Jun 20 – New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam
Jun 21 – Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
Jun 25 – OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
Jun 25 – Analysis of MuddyC3, a New Weapon Used by MuddyWater
Jun 26 – Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations

July
Jul 01 – Threat Spotlight: Ratsnif – New Network Vermin from OceanLotus
Jul 03 – Operation Tripoli
Jul 04 – Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018
Jul 04 – Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
Jul 09 – Twas the night before
Jul 11 – Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
Jul 15 – Buhtrap group uses zero‑day in latest espionage campaigns
Jul 16 – SWEED: Exposing years of Agent Tesla campaigns
Jul 17 – SLUB Gets Rid of GitHub, Intensifies Slack Use
Jul 18 – EvilGnome: Rare Malware Spying on Linux Desktop Users
Jul 18 – OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY
Jul 18 – Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C
Jul 20 – Hard Pass: Declining APT34’s Invite to Join Their Professional Network
Jul 24 – Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
Jul 24 – Attacking the Heart of the German Industry

August
Aug 01 – Analysis of the Attack of Mobile Devices by OceanLotus
Aug 05 – Sharpening the Machete
Aug 05 – Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
Aug 07 – APT41: A Dual Espionage and Cyber Crime Operation
Aug 08 – Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations
Aug 12 – Recent Cloud Atlas activity
Aug 14 – In the Balkans, businesses are under fire from a double‑barreled weapon
Aug 20 – Malware analysis about unknown Chinese APT campaign
Aug 21 – Silence 2.0
Aug 21 – The Gamaredon Group: A TTP Profile Analysis
Aug 26 – APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan
Aug 27 – TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
Aug 27 – China Chopper still active 9 years later
Aug 27 – LYCEUM Takes Center Stage in Middle East Campaign
Aug 27 – Malware analysis about sample of APT Patchwork
Aug 29 – SectorJ04 Group’s Increased Activity in 2019
Aug 29 – More_eggs, Anyone? Threat Actor ITG08 Strikes Again
Aug 29 – Tick Tock – Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years
Aug 30 – ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
Aug 31 – Malware analysis on Bitter APT campaign

September
Sep 04 – Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
Sep 05 – UPSynergy: Chinese-American Spy vs. Spy Story
Sep 06 – BITTER APT: Not So Sweet
Sep 09 – Thrip: Ambitious Attacks Against High Level Targets Continue
Sep 11 – RANCOR APT: Suspected targeted attacks against South East Asia
Sep 15 – The Kittens Are Back in Town: Charming Kitten Campaign Against Academic Researchers
Sep 18 – Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
Sep 24 – Mapping the connections inside Russia’s APT Ecosystem
Sep 24 – How Tortoiseshell created a fake veteran hiring website to host malware
Sep 24 – DeadlyKiss APT
Sep 26 – Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor
Sep 30 – HELO Winnti: Attack or Scan?

October
Oct 01 – New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
Oct 01 – New Adwind Campaign targets US Petroleum Industry
Oct 03 – PKPLUG: Chinese Cyber Espionage Group Attacking Asia
Oct 04 – GEOST BOTNET. THE STORY OF THE DISCOVERY OF A NEW ANDROID BANKING TROJAN FROM AN OPSEC ERROR
Oct 07 – China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations
Oct 07 – The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods
Oct 07 – Supply chain attacks: threats targeting service providers and design offices
Oct 10 – Attor, a spy platform with curious GSM fingerprinting
Oct 10 – CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
Oct 10 – Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques
Oct 14 – HUGE FAN OF YOUR WORK: TURBINE PANDA
Oct 14 – From tweet to rootkit
Oct 15 – LOWKEY: Hunting for the Missing Volume Serial ID
Oct 17 – Operation Ghost: The Dukes aren’t back – they never left
Oct 21 – Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
Oct 31 – MESSAGETAP: Who’s Reading Your Text Messages?

November
Nov 01 – Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium
Nov 04 – Higaisa APT
Nov 05 – THE LAZARUS’ GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE?
Nov 08 – Titanium: the Platinum group strikes again
Nov 13 – More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
Nov 20 – Mac Backdoor Linked to Lazarus Targets Korean Users
Nov 20 – Golden Eagle (APT-C-34)
Nov 25 – Studying Donot Team
Nov 26 – Insights from one year of tracking a polymorphic threat: Dexphot
Nov 28 – RevengeHotels: cybercrime targeting hotel front desks worldwide
Nov 29 – Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

December
Dec 03 – Threat Actor Targeting Hong Kong Pro-Democracy Figures
Dec 04 – Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
Dec 04 – New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
Dec 11 – Waterbear is Back, Uses API Hooking to Evade Security Product Detection
Dec 12 – Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs
Dec 12 – GALLIUM: Targeting global telecom
Dec 12 – Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry
2020 Attack List So Far

January
Jan 01 – [WeiXin] Pakistan Sidewinder APT Attack
Jan 06 – First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT
Jan 07 – Destructive Attack: DUSTMAN
Jan 07 – Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access
Jan 08 – Operation AppleJeus Sequel
Jan 09 – The State of Threats to Electric Entities in North America
Jan 13 – APT27 ZxShell RootKit module updates
Jan 13 – Reviving MuddyC3 Used by MuddyWater (IRAN) APT
Jan 16 – JhoneRAT: Cloud based python RAT targeting Middle Eastern countries
Jan 31 – Winnti Group targeting universities in Hong Kong

February
Feb 03 – Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations
Feb 10 – Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems
Feb 13 – NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS – PART 2: THE DISCOVERY OF THE NEW, MYSTERIOUS PIEROGI BACKDOOR
Feb 17 – Fox Kitten Campaign
Feb 17 – CLAMBLING – A New Backdoor Base On Dropbox (EN)
Feb 17 – A deep dive into the latest Gamaredon Espionage Campaign
Feb 18 – Operation DRBControl
Feb 19 – The Lazarus Constellation
Feb 22 – ‘Cloud Snooper’ Attack Bypasses Firewall Security Measures
Feb 28 – Nortrom_Lion_APT

March
Mar 30 – The ‘Spy Cloud’ Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection
Mar 26 – iOS exploit chain deploys LightSpy feature-rich malware
Mar 25 – This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Mar 24 – WildPressure targets industrial-related entities in the Middle East
Mar 24 – Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links
Mar 19 – Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More
Mar 15 – APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT
Mar 12 – Vicious Panda: The COVID Campaign
Mar 12 – Two-tailed scorpion APT-C-23
Mar 12 – Tracking Turla: New backdoor delivered via Armenian watering holes
Mar 11 – Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
Mar 10 – WHO’S HACKING THE HACKERS: NO HONOR AMONG THIEVES
Mar 05 – Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
Mar 05 – Guildma: The Devil drives electric
Mar 03 – New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution
Mar 03 – The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs
Mar 02 – APT34 (AKA OILRIG, AKA HELIX KITTEN) ATTACKS LEBANON GOVERNMENT ENTITIES WITH MAILDROPPER IMPLANTS

April
Apr 29 – Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests
Apr 28 – Outlaw is Back, a New Crypto-Botnet Targets European Organizations
Apr 28 – Grandoreiro: How engorged can an EXE get?
Apr 24 – PoshC2
Apr 21 – Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant
Apr 20 – WINNTI GROUP: Insights From the Past
Apr 17 – Gamaredon APT Group Use Covid-19 Lure in Campaigns
Apr 16 – Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems
Apr 16 – Giving Fraudsters the Cold Shoulder: Inside the Largest Connected TV Bot Attack
Apr 16 – Taiwan High-Tech Ecosystem Targeted by Foreign APT Group
Apr 15 – Nation-state Mobile Malware Targets Syrians with COVID-19 Lures
Apr 15 – Craft for Resilience: APT Group Chimera
Apr 07 – APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
Apr 07 – New Ursnif Campaign: A Shift from PowerShell to Mshta
Apr 07 – Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android

May
May 29 – Russian Cyber Attack Campaigns and Actors
May 28 – The zero-day exploits of Operation WizardOpium
May 26 – From Agent.BTZ to ComRAT v4: A ten‑year journey
May 21 – The Evolution of APT15’s Codebase 2020
May 21 – Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
May 21 – No “Game over” for the Winnti Group
May 19 – Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
May 18 – APT-C-23 Middle East
May 14 – LOLSnif – Tracking Another Ursnif-Based Targeted Campaign
May 14 – RATicate: an attacker’s waves of information-stealing malware
May 14 – Vendetta – new threat actor from Europe
May 14 – Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
May 14 – APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
May 14 – COMpfun authors spoof visa application with HTTP status-based Trojan
May 13 – Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
May 12 – Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments
May 11 – Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT
May 11 – Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
May 07 – Introducing Blue Mockingbird
May 07 – Naikon APT: Cyber Espionage Reloaded
May 06 – Phantom in the Command Shell
May 06 – Leery Turtle Threat Report
May 05 – Nazar: Spirits of the Past

June
Jun 30 – StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure
Jun 29 – PROMETHIUM extends global reach with StrongPity3 APT
Jun 26 – WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
Jun 25 – A close look at the advanced techniques used in a Malaysian-focused APT campaign
Jun 24 – BRONZE VINEWOOD Targets Supply Chains
Jun 23 – WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Jun 19 – Targeted Attack Leverages India-China Border Dispute to Lure Victims
Jun 18 – Digging up InvisiMole’s hidden arsenal
Jun 17 – Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies
Jun 17 – AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
Jun 17 – Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
Jun 16 – Cobalt: tactics and tools update
Jun 15 – India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
Jun 11 – New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
Jul 11 – Gamaredon group grows its game
Jun 08 – TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
Jun 08 – GuLoader? No, CloudEyE
Jun 03 – New LNK attack tied to Higaisa APT discovered
Jun 03 – Cycldek: Bridging the (air) gap

July
Jul 29 – Operation North Star: A Job Offer That’s Too Good to be True?
Jul 22 – OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
Jul 22 – MATA: Multi-platform targeted malware framework
Jul 15 – THE FAKE CISCO: Hunting for backdoors in Counterfeit Cisco devices
Jul 14 – TURLA / VENOMOUS BEAR UPDATES ITS ARSENAL: “NEWPASS” APPEARS ON THE APT THREAT SCENE
Jul 14 – Welcome Chat as a secure messaging app? Nothing could be further from the truth
Jul 12 – SideWinder 2020 H1
Jul 09 – Cosmic Lynx: The Rise of Russian BEC
Jul 09 – More evil: A deep look at Evilnum and its toolset
Jul 08 – Copy cat of APT Sidewinder?
Jul 08 – [proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
Jul 08 – Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India
Jul 06 – North Korean hackers are skimming US and European shoppers
Jul 01 – [Lookout] Mobile APT Surveillance Campaigns Targeting Uyghurs

August
Aug 27 – The Kittens Are Back in Town 3
Aug 28 – Transparent Tribe: Evolution analysis, part 2
Aug 20 – DEVELOPMENT OF THE ACTIVITY OF THE TA505 CYBERCRIMINAL GROUP
Aug 20 – More Evidence of APT Hackers-for-Hire Used for Industrial Espionage
Aug 18 – [F-Secure] LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL
Aug 13 – [Kaspersky] CactusPete APT group’s updated Bisonal backdoor
Aug 13 – [ClearSky] Operation ‘Dream Job’: Widespread North Korean Espionage Campaign
Aug 12 – [Kaspersky] Internet Explorer and Windows zero-day exploits used in Operation PowerFall
Aug 10 – [Seqrite] Gorgon APT targeting MSME sector in India

September
Sep 30 – APT‑C‑23 group evolves its Android spyware
Sep 29 – Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
Sep 29 – ShadowPad: new activity from the Winnti group
Sep 25 – German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed
Sep 25 – APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign
Sep 24 – Detecting empires in the cloud
Sep 23 – Operation SideCopy
Sep 22 – APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
Sep 17 – Operation Tibbar
Sep 08 – TeamTNT activity targets Weave Scope deployments
Sep 03 – NO REST FOR THE WICKED: EVILNUM UNLEASHES PYVIL RAT
Sep 01 – Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe

October
Oct 27 – North Korean Advanced Persistent Threat Focus: Kimsuky
Oct 23 – APT-C-44 NAFox
Oct 22 – Bitter CHM
Oct 19 – Operation Earth Kitsune: Tracking SLUB’s Current Operations
Oct 15 – Operation Quicksand – MuddyWater’s Offensive Attack Against Israeli Organizations
Oct 14 – [MalwareByte] Silent Librarian APT right on schedule for 20/21 academic year
Oct 13 – [WeiXin] Operation Rubia cordifolia
Oct 07 – [BlackBerry] BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals
Oct 06 – [Malwarebytes] Release the Kraken: Fileless APT attack abuses Windows Error Reporting service
Oct 05 – [Kaspersky] MosaicRegressor: Lurking in the Shadows of UEFI

November
Nov 17 – CHAES: Novel Malware Targeting Latin American E-Commerce
Nov 17 – Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign
Nov 16 – TA505: A Brief History Of Their Time
Nov 16 – A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions
Nov 12 – CRAT wants to plunder your endpoints
Nov 12 – The CostaRicto Campaign: Cyber-Espionage Outsourced
Nov 12 –
Nov 10 – New APT32 Malware Campaign Targets Cambodian Government
Nov 06 – [Volexity] OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
Nov 04 – [Sophos] A new APT uses DLL side-loads to “KilllSomeOne”
Nov 01 – [Cyberstanc] A look into APT36’s (Transparent Tribe) tradecraft

December
Dec 30 – [Recorded Future] SolarWinds Attribution: Are We Getting Ahead of Ourselves?
Dec 29 – [Uptycs] Revenge RAT targeting users in South America
Dec 23 – [Kaspersky] Lazarus covets COVID-19-related intelligence
Dec 22 – [Truesec] Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Dec 19 – [VinCSS] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority
Dec 17 – [ClearSky] Pay2Kitten
Dec 17 – [ESET] Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia
Dec 16 – [Team Cymru] Mapping out AridViper Infrastructure Using Augury’s Malware Module
Dec 15 – [WeiXin] APT-C-47 ClickOnce Operation
Dec 15 – [hvs consulting] Greetings from Lazarus: Anatomy of a cyber espionage campaign
Dec 13 – [Fireeye] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Dec 09 – [Trend Micro] SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks
Dec 07 – [Group-IB] The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
Dec 02 – [ESET] Turla Crutch: Keeping the “back door” open
Dec 03 – [Telsy] Adversary Tracking Report
Dec 01 – [CISA] Advanced Persistent Threat Actors Targeting U.S. Think Tanks
Dec 01 – [Prevasio] OPERATION RED KANGAROO: INDUSTRY’S FIRST DYNAMIC ANALYSIS OF 4M PUBLIC DOCKER CONTAINER IMAGES

2021 Attack List So Far

January
Jan 31 – [JPCERT] A41APT case ~ Analysis of the Stealth APT Campaign Threatening Japan
Jan 28 – [ClearSky] “Lebanese Cedar” APT: Global Lebanese Espionage Campaign Leveraging Web Servers
Jan 20 – [JPCERT] Commonly Known Tools Used by Lazarus
Jan 20 – [Cybie] A Deep Dive Into Patchwork APT Group
Jan 14 – [Positive] Higaisa or Winnti? APT41 backdoors, old and new
Jan 12 – [ESET] Operation Spalax: Targeted malware attacks in Colombia
Jan 12 – [Yoroi] Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife
Jan 12 – [NCCgroup] Abusing cloud services to fly under the radar
Jan 11 – [Palo Alto Networks] xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement
Jan 11 – [CrowdStrike] SUNSPOT: An Implant in the Build Process
Jan 11 – [Kaspersky] Sunburst backdoor – code overlaps with Kazuar
Jan 08 – [Certfa] Charming Kitten’s Christmas Gift
Jan 07 – [Prodaft] Brunhilda DaaS Malware Analysis Report
Jan 06 – [CISCO] A Deep Dive into Lokibot Infection Chain
Jan 06 – [Malwarebytes] Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
Jan 05 – [QuoIntelligence] ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware
Jan 05 – [Trend Micro] Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
Jan 04 – [CheckPoint] Stopping Serial Killer: Catching the Next Strike: Dridex
Jan 04 – [Medium] APT27 Turns to Ransomware
Jan 04 – [Nao-Sec] Royal Road! Re:Dive

February
Feb 28 – [Recorded Future] China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Feb 25 – [Proofpoint] TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations
Feb 25 – [Kaspersky] Lazarus targets defense industry with ThreatNeedle
Feb 25 – [TeamT5] APT10: Tracking down the stealth activity of the A41APT campaign
Feb 24 – [MalwareBytes] LazyScripter: From Empire to double RAT
Feb 24 – [Amnesty] Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks
Feb 22 – [CheckPoint] The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
Feb 17 – [Cybleinc] Confucius APT Android Spyware Targets Pakistani and Other South Asian Regions
Feb 10 – [Lookout] Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict
Feb 09 – [Palo Alto Networks] BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech
Feb 08 – [CheckPoint] Domestic Kitten – An Inside Look at the Iranian Surveillance Operations
Feb 03 – [Palo Alto Networks] Hildegard: New TeamTNT Malware Targeting Kubernetes
Feb 02 – [ESET] Kobalos – A complex Linux threat to high performance computing infrastructure
Feb 01 – [VinCSS] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT
Feb 01 – [ESET] Operation NightScout: Supply‑chain attack targets online gaming in Asia

March
Mar XX – [CSET] Academics, AI, and APTs
Mar 30 – [Kaspersky] APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign
Mar 30 – [proofpoint] BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
Mar 18 – [Prodaft] SilverFish Group Threat Actor Report
Mar 10 – [Bitdefender] FIN8 Returns with Improved BADHATCH Toolkit
Mar 10 – [Intezer] New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
Mar 02 – [Volexity] Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
Mar 02 – [Microsoft] HAFNIUM targeting Exchange Servers with 0-day exploits

April
Apr 28 – [Fireeye] Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
Apr 27 – [Positive] Lazarus Group Recruitment: Threat Hunters vs Head Hunters
Apr 23 – [Bitdefender] NAIKON – Traces from a Military Cyber-Espionage Operation
Apr 23 – [Darktrace] APT35 ‘Charming Kitten’ discovered in a pre-infected environment
Apr 20 – [FireEye] Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Apr 19 – [SentinelOne] A Deep Dive into Zebrocy’s Dropper Docs
Apr 19 – [MalwareBytes] Lazarus APT conceals malicious code within BMP image to drop its RAT
Apr 13 – [Sentire] Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire
Apr 13 – [Kaspersky] Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
Apr 09 – [TrendMicro] Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
Apr 08 – [CheckPoint] Iran’s APT34 Returns with an Updated Arsenal
Apr 08 – [ESET] (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
Apr 07 – [CISCO] Sowing Discord: Reaping the benefits of collaboration app abuse

May
Listed above are the most dangerous APT attacks of the years 2019-2020; we keep the list updated regularly as new attacks are reported.