FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.
2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
@online{team:20200918:apt41:363daa8,
author = {Threat Hunter Team},
title = {{APT41: Indictments Put Chinese Espionage Group in the Spotlight}},
date = {2020-09-18},
organization = {Symantec},
url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage},
language = {English},
urldate = {2020-09-23}
}
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti |
2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®
@techreport{group:20200915:back:2c78a6f,
author = {Insikt Group®},
title = {{Back Despite Disruption: RedDelta Resumes Operations}},
date = {2020-09-15},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf},
language = {English},
urldate = {2020-09-16}
}
Back Despite Disruption: RedDelta Resumes Operations
PlugX |
2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
@online{team:20200911:research:edfb074,
author = {ThreatConnect Research Team},
title = {{Research Roundup: Activity on Previously Identified APT33 Domains}},
date = {2020-09-11},
organization = {ThreatConnect},
url = {https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/},
language = {English},
urldate = {2020-09-15}
}
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33 |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity
@techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor |
2020-07-29 ⋅ Recorded Future ⋅ Insikt Group
@techreport{group:20200729:chinese:1929fcd,
author = {Insikt Group},
title = {{Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations}},
date = {2020-07-29},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf},
language = {English},
urldate = {2020-07-30}
}
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
@online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-28 ⋅ NTT ⋅ NTT Security
@online{security:20200728:craftypanda:7643b28,
author = {NTT Security},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
@online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-07-20 ⋅ Dr.Web ⋅ Dr.Web
@techreport{drweb:20200720:study:442ba99,
author = {Dr.Web},
title = {{Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan}},
date = {2020-07-20},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf},
language = {English},
urldate = {2020-10-02}
}
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird |
2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu
@online{cimpanu:20200715:chinese:0ff06bd,
author = {Catalin Cimpanu},
title = {{Chinese state hackers target Hong Kong Catholic Church}},
date = {2020-07-15},
organization = {ZDNet},
url = {https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/},
language = {English},
urldate = {2020-07-30}
}
Chinese state hackers target Hong Kong Catholic Church
PlugX |
2020-06-24 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:a4d2ead,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain}},
date = {2020-06-24},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain},
language = {English},
urldate = {2020-06-26}
}
BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain
APT31 |
2020-06-24 ⋅ Counter Threat Unit ResearchTeam
@online{researchteam:20200624:bronze:62b58ff,
author = {Counter Threat Unit ResearchTeam},
title = {{BRONZE VINEWOOD Targets Supply Chains}},
date = {2020-06-24},
url = {https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains},
language = {English},
urldate = {2020-06-26}
}
BRONZE VINEWOOD Targets Supply Chains
MimiKatz Trochilus RAT APT31 |
2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola
@online{great:20200603:cycldek:ed9a830,
author = {GReAT and Mark Lechtik and Giampaolo Dedola},
title = {{Cycldek: Bridging the (air) gap}},
date = {2020-06-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/cycldek-bridging-the-air-gap/97157/},
language = {English},
urldate = {2020-06-03}
}
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing |
2020-06-03 ⋅ Trend Micro ⋅ Daniel Lunghi
@techreport{lunghi:20200603:how:4f28e63,
author = {Daniel Lunghi},
title = {{How to perform long term monitoring of careless threat actors}},
date = {2020-06-03},
institution = {Trend Micro},
url = {https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf},
language = {English},
urldate = {2020-06-05}
}
How to perform long term monitoring of careless threat actors
BBSRAT HyperBro Trochilus RAT |
2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii
@online{kawaii:20200602:mustang:2cf125a,
author = {Jagaimo Kawaii},
title = {{Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers}},
date = {2020-06-02},
organization = {Lab52},
url = {https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/},
language = {English},
urldate = {2020-06-03}
}
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX |
2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller
@online{miller:20200515:sogu:cc5a1fc,
author = {Steve Miller},
title = {{Tweet on SOGU development timeline, including TIGERPLUG IOCs}},
date = {2020-05-15},
organization = {Twitter (@stvemillertime)},
url = {https://twitter.com/stvemillertime/status/1261263000960450562},
language = {English},
urldate = {2020-05-18}
}
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX |
2020-05-14 ⋅ Lab52 ⋅ Dex
@online{dex:20200514:energy:43e92b4,
author = {Dex},
title = {{The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey}},
date = {2020-05-14},
organization = {Lab52},
url = {https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/},
language = {English},
urldate = {2020-06-10}
}
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT |
2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat
@online{cyberthreat:20200501:chin:3a4fb89,
author = {Cyberthreat},
title = {{Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)}},
date = {2020-05-01},
organization = {Viettel Cybersecurity},
url = {https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/},
language = {Vietnamese},
urldate = {2020-09-09}
}
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX |
2020-03-19 ⋅ VinCSS ⋅ m4n0w4r
@online{m4n0w4r:20200319:phn:461fca7,
author = {m4n0w4r},
title = {{Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2}},
date = {2020-03-19},
organization = {VinCSS},
url = {https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html},
language = {Vietnamese},
urldate = {2020-03-19}
}
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX |
2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f,
author = {CrowdStrike},
title = {{2020 CrowdStrike Global Threat Report}},
date = {2020-03-04},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf},
language = {English},
urldate = {2020-07-24}
}
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER |
2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
@online{hinchliffe:20200302:pulling:35771e7,
author = {Alex Hinchliffe},
title = {{Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary}},
date = {2020-03-02},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/},
language = {English},
urldate = {2020-03-02}
}
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy |
2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
@techreport{dfir:20200221:apt10:e9c3328,
author = {ADEO DFIR},
title = {{APT10 Threat Analysis Report}},
date = {2020-02-21},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf},
language = {English},
urldate = {2020-03-03}
}
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT |
2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@online{lunghi:20200218:uncovering:93b0937,
author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza},
title = {{Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations}},
date = {2020-02-18},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia},
language = {English},
urldate = {2020-02-20}
}
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT |
2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen
@online{chen:20200217:clambling:1a0bb8e,
author = {Theo Chen and Zero Chen},
title = {{CLAMBLING - A New Backdoor Base On Dropbox}},
date = {2020-02-17},
organization = {Talent-Jump Technologies},
url = {http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/},
language = {English},
urldate = {2020-03-30}
}
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX |
2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard
@online{hamzeloofard:20200131:new:5d058ea,
author = {Shahab Hamzeloofard},
title = {{New wave of PlugX targets Hong Kong}},
date = {2020-01-31},
organization = {Avira},
url = {https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/},
language = {English},
urldate = {2020-02-10}
}
New wave of PlugX targets Hong Kong
PlugX |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse |
2020-01 ⋅ Dragos ⋅ Joe Slowik
@techreport{slowik:202001:threat:d891011,
author = {Joe Slowik},
title = {{Threat Intelligence and the Limits of Malware Analysis}},
date = {2020-01},
institution = {Dragos},
url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf},
language = {English},
urldate = {2020-06-10}
}
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66a45ac,
author = {SecureWorks},
title = {{BRONZE VINEWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-vinewood},
language = {English},
urldate = {2020-05-23}
}
BRONZE VINEWOOD
MimiKatz Trochilus RAT APT31 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:65ecf8a,
author = {SecureWorks},
title = {{BRONZE KEYSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-keystone},
language = {English},
urldate = {2020-05-23}
}
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:1a5bdbb,
author = {SecureWorks},
title = {{BRONZE PRESIDENT}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-president},
language = {English},
urldate = {2020-05-23}
}
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda |
2020 ⋅ CrowdStrike ⋅ CrowdStrike
@online{crowdstrike:2020:2019:f849658,
author = {CrowdStrike},
title = {{2019 Crowdstrike Global Threat Report}},
date = {2020},
organization = {CrowdStrike},
url = {https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report},
language = {English},
urldate = {2020-07-23}
}
2019 Crowdstrike Global Threat Report
APT31 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:4118462,
author = {SecureWorks},
title = {{BRONZE ATLAS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-atlas},
language = {English},
urldate = {2020-05-23}
}
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:472aea8,
author = {SecureWorks},
title = {{BRONZE OLIVE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-olive},
language = {English},
urldate = {2020-05-23}
}
BRONZE OLIVE
ANGRYREBEL PlugX APT 22 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:f48e53c,
author = {SecureWorks},
title = {{BRONZE WOODLAND}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-woodland},
language = {English},
urldate = {2020-05-23}
}
BRONZE WOODLAND
PlugX Zeus Roaming Tiger |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:972c13a,
author = {SecureWorks},
title = {{BRONZE FIRESTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-firestone},
language = {English},
urldate = {2020-05-23}
}
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:79d8dd2,
author = {SecureWorks},
title = {{BRONZE OVERBROOK}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-overbrook},
language = {English},
urldate = {2020-05-23}
}
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:fcb04ab,
author = {SecureWorks},
title = {{BRONZE EXPRESS}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-express},
language = {English},
urldate = {2020-05-23}
}
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26 |
2020 ⋅ Secureworks ⋅ SecureWorks
@online{secureworks:2020:bronze:66f1290,
author = {SecureWorks},
title = {{BRONZE RIVERSIDE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
language = {English},
urldate = {2020-05-23}
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda |
2019-12-29 ⋅ Secureworks ⋅ CTU Research Team
@online{team:20191229:bronze:bda6bfc,
author = {CTU Research Team},
title = {{BRONZE PRESIDENT Targets NGOs}},
date = {2019-12-29},
organization = {Secureworks},
url = {https://www.secureworks.com/research/bronze-president-targets-ngos},
language = {English},
urldate = {2020-01-10}
}
BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT |
2019-12-03 ⋅ NSHC ⋅ Red Alert
@online{alert:20191203:threat:f7b8cb6,
author = {Red Alert},
title = {{THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES}},
date = {2019-12-03},
organization = {NSHC},
url = {https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists},
language = {English},
urldate = {2020-06-03}
}
THREAT ACTOR TARGETING HONG KONG PRO-DEMOCRACY FIGURES
APT31 |
2019-12-03 ⋅ Twitter (@bkMSFT) ⋅ Ben K (bkMSFT)
@online{bkmsft:20191203:zirconium:c025731,
author = {Ben K (bkMSFT)},
title = {{Tweet on ZIRCONIUM alias for APT31}},
date = {2019-12-03},
organization = {Twitter (@bkMSFT)},
url = {https://twitter.com/bkMSFT/status/1201876664667582466},
language = {English},
urldate = {2020-06-16}
}
Tweet on ZIRCONIUM alias for APT31
APT31 |
2019-12-03 ⋅ NSHC ⋅ NSHC Threatrecon Team
@online{team:20191203:threat:6665e7f,
author = {NSHC Threatrecon Team},
title = {{Threat Actor Targeting Hong Kong Pro-Democracy Figures}},
date = {2019-12-03},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/},
language = {English},
urldate = {2020-01-08}
}
Threat Actor Targeting Hong Kong Pro-Democracy Figures
sihost |
2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler
@online{cutler:20191116:fresh:871567d,
author = {Silas Cutler},
title = {{Fresh PlugX October 2019}},
date = {2019-11-16},
organization = {Silas Cutler's Blog},
url = {https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html},
language = {English},
urldate = {2020-01-07}
}
Fresh PlugX October 2019
PlugX |
2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
@online{tomonaga:20191111:cases:ac5f1b3,
author = {Shusei Tomonaga and Tomoaki Tani and Hiroshi Soeda and Wataru Takahashi},
title = {{APT cases exploiting vulnerabilities in region‑specific software}},
date = {2019-11-11},
organization = {Virus Bulletin},
url = {https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/},
language = {English},
urldate = {2020-05-13}
}
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX |
2019-10-31 ⋅ PTSecurity ⋅ PTSecurity
@online{ptsecurity:20191031:calypso:adaf761,
author = {PTSecurity},
title = {{Calypso APT: new group attacking state institutions}},
date = {2019-10-31},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/},
language = {English},
urldate = {2020-01-12}
}
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX |
2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe
@online{hinchliffe:20191003:pkplug:4a43ea5,
author = {Alex Hinchliffe},
title = {{PKPLUG: Chinese Cyber Espionage Group Attacking Asia}},
date = {2019-10-03},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/},
language = {English},
urldate = {2020-01-07}
}
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX |
2019-06-03 ⋅ FireEye ⋅ Chi-en Shen
@online{shen:20190603:into:d40fee9,
author = {Chi-en Shen},
title = {{Into the Fog - The Return of ICEFOG APT}},
date = {2019-06-03},
organization = {FireEye},
url = {https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt},
language = {English},
urldate = {2020-06-30}
}
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust |
2019-05-24 ⋅ enSilo ⋅ Ben Hunter
@online{hunter:20190524:uncovering:7d8776e,
author = {Ben Hunter},
title = {{Uncovering new Activity by APT10}},
date = {2019-05-24},
organization = {enSilo},
url = {https://blog.ensilo.com/uncovering-new-activity-by-apt10},
language = {English},
urldate = {2020-01-13}
}
Uncovering new Activity by APT10
PlugX Quasar RAT |
2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team
@online{team:20190319:sectorm04:6c6ea37,
author = {ThreatRecon Team},
title = {{SectorM04 Targeting Singapore – An Analysis}},
date = {2019-03-19},
organization = {NSHC},
url = {https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/},
language = {English},
urldate = {2020-01-07}
}
SectorM04 Targeting Singapore – An Analysis
PlugX Termite |
2019-02-12 ⋅ Duo ⋅ Dennis Fisher
@online{fisher:20190212:groups:6605dcc,
author = {Dennis Fisher},
title = {{APT Groups Moving Down the Supply Chain}},
date = {2019-02-12},
organization = {Duo},
url = {https://duo.com/decipher/apt-groups-moving-down-the-supply-chain},
language = {English},
urldate = {2019-11-26}
}
APT Groups Moving Down the Supply Chain
APT31 |
2019-02-06 ⋅ Recorded Future ⋅ Insikt Group, Rapid7
@techreport{group:20190206:apt10:74d18e7,
author = {Insikt Group and Rapid7},
title = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}},
date = {2019-02-06},
institution = {Recorded Future},
url = {https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf},
language = {English},
urldate = {2019-12-17}
}
APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
Trochilus RAT APT31 Hurricane Panda Stone Panda |
2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD
@techreport{asd:20181214:investigationreport:6eda856,
author = {ASD},
title = {{Investigationreport: Compromise of an Australian companyvia their Managed Service Provider}},
date = {2018-12-14},
institution = {Australian Cyber Security Centre},
url = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf},
language = {English},
urldate = {2020-03-11}
}
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves |
2018-08-21 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C. Chen, Kawabata Kohei, Kenney Lu
@online{hoej:20180821:supply:d426e6b,
author = {Jaromír Hořejší and Joseph C. Chen and Kawabata Kohei and Kenney Lu},
title = {{Supply Chain Attack Operation Red Signature Targets South Korean Organizations}},
date = {2018-08-21},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/},
language = {English},
urldate = {2020-01-06}
}
Supply Chain Attack Operation Red Signature Targets South Korean Organizations
9002 RAT |
2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180509:malware:3ee8ecf,
author = {Luis Rocha},
title = {{Malware Analysis - PlugX - Part 2}},
date = {2018-05-09},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/},
language = {English},
urldate = {2020-01-05}
}
Malware Analysis - PlugX - Part 2
PlugX |
2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
@online{makrushin:20180313:time:7171143,
author = {Denis Makrushin and Yury Namestnikov},
title = {{Time of death? A therapeutic postmortem of connected medicine}},
date = {2018-03-13},
organization = {Kaspersky Labs},
url = {https://securelist.com/time-of-death-connected-medicine/84315/},
language = {English},
urldate = {2019-12-20}
}
Time of death? A therapeutic postmortem of connected medicine
PlugX |
2018-03 ⋅ CrySyS Lab ⋅ Boldizsar Bencsath
@techreport{bencsath:201803:territorial:04343bb,
author = {Boldizsar Bencsath},
title = {{Territorial Dispute – NSA’s perspective on APT landscape}},
date = {2018-03},
institution = {CrySyS Lab},
url = {https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf},
language = {English},
urldate = {2020-05-07}
}
Territorial Dispute – NSA’s perspective on APT landscape
9002 RAT Agent.BTZ DuQu EYService Flame FlowerShop Stuxnet Uroburos |
2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
@online{rocha:20180204:malware:ea0aede,
author = {Luis Rocha},
title = {{MALWARE ANALYSIS – PLUGX}},
date = {2018-02-04},
organization = {COUNT UPON SECURITY},
url = {https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/},
language = {English},
urldate = {2020-01-07}
}
MALWARE ANALYSIS – PLUGX
PlugX |
2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
@online{ishikawa:20171218:relationship:fb13bae,
author = {Yoshihiro Ishikawa},
title = {{Relationship between PlugX and attacker group "DragonOK"}},
date = {2017-12-18},
organization = {LAC},
url = {https://www.lac.co.jp/lacwatch/people/20171218_001445.html},
language = {Japanese},
urldate = {2019-11-22}
}
Relationship between PlugX and attacker group "DragonOK"
PlugX |
2017-11-03 ⋅ Github (5loyd) ⋅ 5loyd
@online{5loyd:20171103:trochilus:964b44c,
author = {5loyd},
title = {{Trochilus}},
date = {2017-11-03},
organization = {Github (5loyd)},
url = {https://github.com/5loyd/trochilus/},
language = {English},
urldate = {2020-01-08}
}
Trochilus
Trochilus RAT |
2017-08-25 ⋅ Proofpoint ⋅ Darien Huss, Matthew Mesa
@online{huss:20170825:operation:87e2e2b,
author = {Darien Huss and Matthew Mesa},
title = {{Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures}},
date = {2017-08-25},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures},
language = {English},
urldate = {2019-12-20}
}
Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures
9002 RAT |
2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
@online{lancaster:20170627:paranoid:f933eb4,
author = {Tom Lancaster and Esmid Idrizovic},
title = {{Paranoid PlugX}},
date = {2017-06-27},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/},
language = {English},
urldate = {2019-12-20}
}
Paranoid PlugX
PlugX |
2017-04-27 ⋅ US-CERT ⋅ US-CERT
@online{uscert:20170427:alert:fdb865d,
author = {US-CERT},
title = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}},
date = {2017-04-27},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA17-117A},
language = {English},
urldate = {2020-03-11}
}
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves |
2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123,
author = {Shusei Tomonaga},
title = {{RedLeaves - Malware Based on Open Source RAT}},
date = {2017-04-03},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html},
language = {English},
urldate = {2020-01-10}
}
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves |
2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712,
author = {PricewaterhouseCoopers},
title = {{Operation Cloud Hopper: Technical Annex}},
date = {2017-04},
institution = {PricewaterhouseCoopers},
url = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
language = {English},
urldate = {2019-10-15}
}
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT |
2017-03-27 ⋅ Microsoft ⋅ Microsoft Defender ATP Research Team
@online{team:20170327:detecting:46740f0,
author = {Microsoft Defender ATP Research Team},
title = {{Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005}},
date = {2017-03-27},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/},
language = {English},
urldate = {2020-01-08}
}
Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
APT31 |
2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20170221:plugx:f9e4817,
author = {Shusei Tomonaga},
title = {{PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code}},
date = {2017-02-21},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html},
language = {English},
urldate = {2020-01-13}
}
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX |
2017-02-13 ⋅ RSA ⋅ RSA Research
@techreport{research:20170213:kingslayer:98f4892,
author = {RSA Research},
title = {{KINGSLAYER – A SUPPLY CHAIN ATTACK}},
date = {2017-02-13},
institution = {RSA},
url = {https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf},
language = {English},
urldate = {2020-01-08}
}
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX |
2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
@online{labs:20160825:unpacking:66173f5,
author = {Malwarebytes Labs},
title = {{Unpacking the spyware disguised as antivirus}},
date = {2016-08-25},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/},
language = {English},
urldate = {2019-12-20}
}
Unpacking the spyware disguised as antivirus
PlugX |
2016-04-26 ⋅ FireEye ⋅ FireEye
@techreport{fireeye:20160426:apt31:ecc41bd,
author = {FireEye},
title = {{APT31 Threat Group Profile}},
date = {2016-04-26},
institution = {FireEye},
url = {https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf},
language = {English},
urldate = {2019-10-13}
}
APT31 Threat Group Profile
APT31 |
2016-01-22 ⋅ RSA Link ⋅ Norton Santos
@online{santos:20160122:plugx:580fcff,
author = {Norton Santos},
title = {{PlugX APT Malware}},
date = {2016-01-22},
organization = {RSA Link},
url = {https://community.rsa.com/thread/185439},
language = {English},
urldate = {2020-01-13}
}
PlugX APT Malware
PlugX |
2015-09-23 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Jen Miller-Osborn
@online{falcone:20150923:chinese:4faf76a,
author = {Robert Falcone and Jen Miller-Osborn},
title = {{Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media}},
date = {2015-09-23},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/},
language = {English},
urldate = {2019-12-20}
}
Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media
9002 RAT |
2015-08 ⋅ Arbor Networks ⋅ ASERT Team
@online{team:201508:uncovering:121e5cf,
author = {ASERT Team},
title = {{Uncovering the Seven Pointed Dagger}},
date = {2015-08},
organization = {Arbor Networks},
url = {https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn},
language = {English},
urldate = {2020-05-18}
}
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27 |
2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
@techreport{crowdstrike:20150206:crowdstrike:fbcc37f,
author = {CrowdStrike},
title = {{CrowdStrike Global Threat Intel Report 2014}},
date = {2015-02-06},
institution = {CrowdStrike},
url = {https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf},
language = {English},
urldate = {2020-05-11}
}
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor |
2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
@online{tomonaga:20150129:analysis:0eaad95,
author = {Shusei Tomonaga},
title = {{Analysis of a Recent PlugX Variant - “P2P PlugX”}},
date = {2015-01-29},
organization = {JPCERT/CC},
url = {http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html},
language = {English},
urldate = {2020-01-09}
}
Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX |
2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos
@techreport{szappanos:20140627:plugx:e63d8bf,
author = {Gabor Szappanos},
title = {{PlugX - The Next Generation}},
date = {2014-06-27},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf},
language = {English},
urldate = {2020-01-10}
}
PlugX - The Next Generation
PlugX |
2014-06-10 ⋅ FireEye ⋅ Mike Scott
@online{scott:20140610:clandestine:6d515ab,
author = {Mike Scott},
title = {{Clandestine Fox, Part Deux}},
date = {2014-06-10},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html},
language = {English},
urldate = {2019-12-20}
}
Clandestine Fox, Part Deux
PlugX |
2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud
@online{perigaud:20140106:plugx:16410d7,
author = {Fabien Perigaud},
title = {{PlugX: some uncovered points}},
date = {2014-01-06},
organization = {Airbus},
url = {http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html},
language = {English},
urldate = {2020-01-08}
}
PlugX: some uncovered points
PlugX |
2013-11-10 ⋅ FireEye ⋅ Sai Omkar Vashisht, Mike Scott, Thoufique Haq, Ned Moran
@online{vashisht:20131110:operation:d653a09,
author = {Sai Omkar Vashisht and Mike Scott and Thoufique Haq and Ned Moran},
title = {{Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method}},
date = {2013-11-10},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html},
language = {English},
urldate = {2019-12-20}
}
Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
9002 RAT |
2013-09-17 ⋅ Symantec ⋅ Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar
@techreport{doherty:20130917:hidden:72a1bd7,
author = {Stephen Doherty and Jozsef Gegeny and Branko Spasojevic and Jonell Baltazar},
title = {{Hidden Lynx – Professional Hackers for Hire}},
date = {2013-09-17},
institution = {Symantec},
url = {https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf},
language = {English},
urldate = {2020-04-21}
}
Hidden Lynx – Professional Hackers for Hire
9002 RAT HiKit Aurora Panda |
2013-05-20 ⋅ FireEye ⋅ Ned Moran
@online{moran:20130520:ready:6a59df8,
author = {Ned Moran},
title = {{Ready for Summer: The Sunshop Campaign}},
date = {2013-05-20},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html},
language = {English},
urldate = {2019-12-20}
}
Ready for Summer: The Sunshop Campaign
9002 RAT |
2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL
@techreport{circl:20130329:analysis:b3c48b0,
author = {CIRCL},
title = {{Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)}},
date = {2013-03-29},
institution = {Computer Incident Response Center Luxembourg},
url = {https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf},
language = {English},
urldate = {2019-11-24}
}
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX |
2013-02-07 ⋅ FireEye ⋅ J. Gomez, Thoufique Haq
@online{gomez:20130207:ladyboyle:5927b00,
author = {J. Gomez and Thoufique Haq},
title = {{LadyBoyle Comes to Town with a New Exploit}},
date = {2013-02-07},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html},
language = {English},
urldate = {2019-12-20}
}
LadyBoyle Comes to Town with a New Exploit
9002 RAT |
2012-09-07 ⋅ Symantec ⋅ Gavin O'Gorman, Geoff McDonald
@techreport{ogorman:20120907:elderwood:4247c36,
author = {Gavin O'Gorman and Geoff McDonald},
title = {{The Elderwood Project}},
date = {2012-09-07},
institution = {Symantec},
url = {https://www.infopoint-security.de/medien/the-elderwood-project.pdf},
language = {English},
urldate = {2020-07-11}
}
The Elderwood Project
9002 RAT Beijing Group |