Leviathan (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

Leviathan (Back to overview)

aka: TEMP.Periscope, TEMP.Jumper, APT 40, APT40, BRONZE MOHAWK, GADOLINIUM, Kryptonite Panda

Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.

Associated Families

js.airbreak js.cactustorch js.nanhaishu js.scanbox win.badflick win.blackcoffee win.dadjoke win.dadstache win.derusbi win.grillmark win.homefry win.lazycat win.lunchmoney win.murkytop win.sedll win.zxshell win.chinachopper win.plugx win.ghost_rat

References

2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su
Collecting In the Dark: Tropic Trooper Targets Transportation and Government
ChiserClient Ghost RAT Lilith Quasar RAT

2021-12-01 ⋅ ESET Research ⋅ Alexis Dorais-Joncas, Facundo Muñoz
Jumping the air gap: 15 years of nation‑state effort
Agent.BTZ Fanny Flame Gauss PlugX Ramsay Retro Stuxnet USBCulprit USBferry

2021-11-03 ⋅ Cisco Talos ⋅ Chetan Raghuprasad, Vanja Svajcer, Caitlin Huey
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER

2021-10-18 ⋅ NortonLifeLock ⋅ Norton Labs
Operation Exorcist - 7 Years of Targeted Attacks against the Roman Catholic Church
NewBounce PlugX Zupdax

2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Drawing a Dragon: Connecting the Dots to Find APT41
Cobalt Strike Ghost RAT

2021-10-04 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Malware Gh0stTimes Used by BlackTech
Gh0stTimes Ghost RAT

2021-09-28 ⋅ Recorded Future ⋅ Insikt Group®
4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
PlugX Winnti

2021-09-14 ⋅ McAfee ⋅ Christiaan Beek
Operation ‘Harvest’: A Deep Dive into a Long-term Campaign
MimiKatz PlugX Winnti

2021-09-10 ⋅ The Record ⋅ Catalin Cimpanu
Indonesian intelligence agency compromised in suspected Chinese hack
PlugX

2021-09-03 ⋅ FireEye ⋅ Adrian Sanchez Hernandez, Govand Sinjari, Joshua Goddard, Brendan McKeague, John Wolfram, Alex Pennino, Andrew Rector, Harris Ansari, Yash Gupta
PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
CHINACHOPPER HTran

2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear

2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger, Daniel Frank, Tom Fakterman
DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
CHINACHOPPER Cobalt Strike MimiKatz Nebulae

2021-07-27 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Alex Hinchliffe
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PlugX

2021-07-21 ⋅ Bitdefender ⋅ Bogdan Botezatu, Victor Vrabie
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
PlugX

2021-07-20 ⋅ RNZ
Government points finger at China over cyber attacks
HAFNIUM Leviathan

2021-07-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
CHINACHOPPER MimiKatz RGDoor

2021-07-19 ⋅ Ministry of Foreign Affairs of Japan ⋅ Ministry of Foreign Affairs of Japan
Cases of cyberattacks including those by a group known as APT40 which the Chinese government is behind (Statement by Press Secretary YOSHIDA Tomoyuki)
Leviathan

2021-07-19 ⋅ CISA ⋅ CISA
Alert (AA21-200B): Chinese State-Sponsored Cyber Operations: Observed TTPs
Leviathan

2021-07-19 ⋅ Minister for Foreign Affairs of Australia ⋅ Karen Andrews, Peter Dutton
Australia joins international partners in attribution of malicious cyber activity to China
APT31 HAFNIUM Leviathan

2021-07-19 ⋅ NCSC UK ⋅ NCSC UK
UK and allies hold Chinese state responsible for pervasive pattern of hacking
APT31 Leviathan

2021-07-19 ⋅ Council of the European Union ⋅ Council of the European Union
China: Declaration by the High Representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory
Leviathan

2021-07-19 ⋅ Department of Justice ⋅ Office of Public Affairs
Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research
Leviathan

2021-07-19 ⋅ Government of Canada ⋅ Global Affairs Canada
Statement on China’s cyber campaigns
Leviathan

2021-07-19 ⋅ GOV.UK ⋅ NCSC UK, Dominic Raab
UK and allies hold Chinese state responsible for a pervasive pattern of hacking
APT31 HAFNIUM Leviathan

2021-07-07 ⋅ Trend Micro ⋅ Joseph C Chen, Kenney Lu, Jaromír Hořejší, Gloria Chen
BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
BIOPASS Cobalt Strike Derusbi

2021-06-19 ⋅ CISA ⋅ US-CERT
Alert (AA21-200A): Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department
Leviathan

2021-06-10 ⋅ ESET Research ⋅ Adam Burgher
BackdoorDiplomacy: Upgrading from Quarian to Turian
CHINACHOPPER DoublePulsar EternalRocks BackdoorDiplomacy

2021-06-02 ⋅ xorhex blog ⋅ Twitter (@xorhex)
RedDelta PlugX Undergoing Changes and Overlapping Again with Mustang Panda PlugX Infrastructure
PlugX

2021-06-02 ⋅ Twitter (@xorhex) ⋅ Xorhex
Tweet on new variant of PlugX from RedDelta Group
PlugX

2021-05-28 ⋅ FBI
Wanted by the FBI: Zhu Yunmin, Wu Shurong, Ding Xiaoyang, Cheng Qingmin
Leviathan

2021-05-28 ⋅ United States District Court Southern District of California
United States of America vs Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin, Wu Shurong
Leviathan

2021-05-27 ⋅ xorhex blog ⋅ Twitter (@xorhex)
Mustang Panda PlugX - Reused Mutex and Folder Found in the Extracted Config
PlugX

2021-05-17 ⋅ xorhex blog ⋅ Twitter (@xorhex)
Mustang Panda PlugX - 45.251.240.55 Pivot
PlugX

2021-05-07 ⋅ Cisco Talos ⋅ Caitlin Huey, Andrew Windsor, Edmund Brumaghin
Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike

2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li
Mem2Img: Memory-Resident Malware Detection via Convolution Neural Network
Cobalt Strike PlugX Waterbear

2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj
New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike

2021-05-06 ⋅ Trend Micro ⋅ Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
Prometei BlackKingdom Ransomware CHINACHOPPER Cobalt Strike

2021-05-05 ⋅ Symantec ⋅ Threat Hunter Team
Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
CHINACHOPPER

2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos

2021-04-28 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen
Water Pamola Attacked Online Shops Via Malicious Orders
Ghost RAT

2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
CHINACHOPPER Cobalt Strike

2021-04-16 ⋅ Trend Micro ⋅ Nitesh Surana
Could the Microsoft Exchange breach be stopped?
CHINACHOPPER

2021-04-15 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
CHINACHOPPER

2021-04-02 ⋅ Dr.Web ⋅ Dr.Web
Study of targeted attacks on Russian research institutes
Cotx RAT Ghost RAT

2021-03-29 ⋅ The Record ⋅ Catalin Cimpanu
RedEcho group parks domains after public exposure
PlugX ShadowPad RedEcho

2021-03-26 ⋅ Imperva ⋅ Daniel Johnston
Imperva Observes Hive of Activity Following Hafnium Microsoft Exchange Disclosures
CHINACHOPPER

2021-03-25 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Analyzing attacks taking advantage of the Exchange Server vulnerabilities
CHINACHOPPER

2021-03-25 ⋅ Microsoft ⋅ Tom McElroy
Web Shell Threat Hunting with Azure Sentinel
CHINACHOPPER

2021-03-25 ⋅ Recorded Future ⋅ Insikt Group®
Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX

2021-03-19 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ CERT-Bund
Microsoft Exchange Schwachstellen Detektion und Reaktion (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
CHINACHOPPER MimiKatz

2021-03-17 ⋅ Recorded Future ⋅ Insikt Group®
China-linked TA428 Continues to Target Russia and Mongolia IT Companies
PlugX Poison Ivy

2021-03-15 ⋅ Trustwave ⋅ Joshua Deacon
HAFNIUM, China Chopper and ASP.NET Runtime
CHINACHOPPER

2021-03-11 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Microsoft Exchange Server Attack Timeline
CHINACHOPPER

2021-03-11 ⋅ DEVO ⋅ Fran Gomez
Detection and Investigation Using Devo: HAFNIUM 0-day Exploits on Microsoft Exchange Service
CHINACHOPPER MimiKatz

2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell
You Don't Know the HAFNIUM of it...
CHINACHOPPER Cobalt Strike PowerCat

2021-03-10 ⋅ ESET Research ⋅ Thomas Dupuy, Matthieu Faou, Mathieu Tartare
Exchange servers under siege from at least 10 APT groups
Microcin MimiKatz PlugX Winnti

2021-03-10 ⋅ Lemon's InfoSec Ramblings ⋅ Josh Lemon
Microsoft Exchange & the HAFNIUM Threat Actor
CHINACHOPPER

2021-03-10 ⋅ PICUS Security ⋅ Süleyman Özarslan
Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers
CHINACHOPPER

2021-03-10 ⋅ DomainTools ⋅ Joe Slowik
Examining Exchange Exploitation and its Lessons for Defenders
CHINACHOPPER

2021-03-09 ⋅ YouTube (John Hammond) ⋅ John Hammond
HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange
CHINACHOPPER

2021-03-09 ⋅ PRAETORIAN ⋅ Anthony Weems, Dallas Kaman, Michael Weber
Reproducing the Microsoft Exchange Proxylogon Exploit Chain
CHINACHOPPER

2021-03-09 ⋅ Red Canary ⋅ Tony Lambert, Brian Donohue, Katie Nickels
Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
CHINACHOPPER

2021-03-09 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Remediation Steps for the Microsoft Exchange Server Vulnerabilities
CHINACHOPPER

2021-03-08 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White
Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
CHINACHOPPER

2021-03-08 ⋅ Symantec ⋅ Threat Hunter Team
How Symantec Stops Microsoft Exchange Server Attacks
CHINACHOPPER MimiKatz

2021-03-07 ⋅ TRUESEC ⋅ Rasmus Grönlund
Tracking Microsoft Exchange Zero-Day ProxyLogon and HAFNIUM
CHINACHOPPER

2021-03-05 ⋅ Huntress Labs ⋅ Huntress Labs
Operation Exchange Marauder
CHINACHOPPER

2021-03-05 ⋅ Wired ⋅ Andy Greenberg
Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims
CHINACHOPPER

2021-03-04 ⋅ Huntress Labs ⋅ Huntress Labs
Operation Exchange Marauder
CHINACHOPPER

2021-03-04 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Falcon Complete Stops Microsoft Exchange Server Zero-Day Exploits
CHINACHOPPER HAFNIUM

2021-03-04 ⋅ FireEye ⋅ Matt Bromiley, Chris DiGiamo, Andrew Thompson, Robert Wallace
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
CHINACHOPPER HAFNIUM

2021-03-03 ⋅ Huntress Labs ⋅ Huntress Labs
Mass exploitation of on-prem Exchange servers :(
CHINACHOPPER HAFNIUM

2021-03-03 ⋅ Huntress Labs ⋅ John Hammond
Rapid Response: Mass Exploitation of On-Prem Exchange Servers
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
Tweet on Exchange RCE
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Volexity ⋅ Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Rapid7 Labs ⋅ Andrew Christian
Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day
CHINACHOPPER HAFNIUM

2021-03-02 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, Microsoft 365 Security
HAFNIUM targeting Exchange Servers with 0-day exploits
CHINACHOPPER HAFNIUM

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
PlugX ShadowPad RedEcho

2021-02-28 ⋅ Recorded Future ⋅ Insikt Group®
China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
Icefog PlugX ShadowPad

2021-02-25 ⋅ Proofpoint ⋅ Michael Raggi, Proofpoint Threat Research Team
TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations
scanbox Sepulcher

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-22 ⋅ tccontre Blog ⋅ tcontre
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload
Ghost RAT

2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou
Operation NightScout: Supply‑chain attack targets online gaming in Asia
Ghost RAT NoxPlayer Poison Ivy

2021-01-29 ⋅ Trend Micro ⋅ Trend Micro
Chopper ASPX web shell used in targeted attack
CHINACHOPPER MimiKatz

2021-01-20 ⋅ Trend Micro ⋅ Gilbert Sison, Abraham Camba, Ryan Maglaque
XDR investigation uncovers PlugX, unique technique in APT attack
PlugX

2021-01-15 ⋅ Swisscom ⋅ Markus Neis
Cracking a Soft Cell is Harder Than You Think
Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT

2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Higaisa or Winnti? APT41 backdoors, old and new
Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-04 ⋅ Bleeping Computer ⋅ Ionut Ilascu
China's APT hackers move to ransomware attacks
Clambling PlugX

2021 ⋅ DomainTools ⋅ Joe Slowik
Conceptualizing a Continuum of Cyber Threat Attribution
CHINACHOPPER SUNBURST

2020-12-26 ⋅ CYBER GEEKS All Things Infosec ⋅ CyberMasterV
Analyzing APT19 malware using a step-by-step method
Derusbi

2020-12-24 ⋅ IronNet ⋅ Adam Hlavek
China cyber attacks: the current threat landscape
PLEAD TSCookie FlowCloud Lookback PLEAD PlugX Quasar RAT Winnti

2020-12-18 ⋅ Seqrite ⋅ Pavankumar Chaudhari
RAT used by Chinese cyberspies infiltrating Indian businesses
Ghost RAT

2020-12-10 ⋅ ESET Research ⋅ Mathieu Tartare
Operation StealthyTrident: corporate software under attack
HyperBro PlugX ShadowPad Tmanger

2020-12-10 ⋅ Intel 471 ⋅ Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT

2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-12-09 ⋅ Avast Decoded ⋅ Luigino Camastra, Igor Morgenstern
APT Group Targeting Governmental Agencies in East Asia
Albaniiutas HyperBro PlugX Tmanger

2020-11-27 ⋅ PTSecurity ⋅ Denis Goydenko, Alexey Vishnyakov
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz

2020-11-23 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
PlugX

2020-11-20 ⋅ Trend Micro ⋅ Abraham Camba, Bren Matthew Ebriega, Gilbert Sison
Weaponizing Open Source Software for Targeted Attacks
LaZagne Defray PlugX

2020-11-04 ⋅ Sophos ⋅ Gabor Szappanos
A new APT uses DLL side-loads to “KilllSomeOne”
KilllSomeOne PlugX

2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti

2020-10-27 ⋅ Dr.Web ⋅ Dr.Web
Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad

2020-10-01 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions
CHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy

2020-09-24 ⋅ Microsoft ⋅ Ben Koehl, Joe Hannon, Microsoft Identity Security Team
Microsoft Security—detecting empires in the cloud
CACTUSTORCH LazyCat Leviathan

2020-09-23 ⋅ Seqrite ⋅ Kalpesh Mantri, Pawan CHaudhari, Goutam Tripathy
Operation SideCopy: An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for years
CACTUSTORCH AllaKore

2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team
APT41: Indictments Put Chinese Espionage Group in the Spotlight
CROSSWALK PlugX poisonplug ShadowPad Winnti

2020-09-15 ⋅ US-CERT ⋅ US-CERT
Alert (AA20-259A): Iran-Based Threat Actor Exploits VPN Vulnerabilities
CHINACHOPPER Fox Kitten

2020-09-15 ⋅ Recorded Future ⋅ Insikt Group®
Back Despite Disruption: RedDelta Resumes Operations
PlugX

2020-09-15 ⋅ US-CERT ⋅ US-CERT
Malware Analysis Report (AR20-259A): Iranian Web Shells
CHINACHOPPER

2020-09-11 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
Research Roundup: Activity on Previously Identified APT33 Domains
Emotet PlugX APT33

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-29 ⋅ Recorded Future ⋅ Insikt Group
Chinese State-sponsored Group RedDelta Targets the Vatican and Catholic Organizations
PlugX

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-07-28 ⋅ NTT ⋅ NTT Security
CraftyPanda 標的型攻撃解析レポート
Ghost RAT PlugX

2020-07-20 ⋅ Dr.Web ⋅ Dr.Web
Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan
Microcin Mirage PlugX WhiteBird

2020-07-20 ⋅ or10nlabs ⋅ oR10n
Reverse Engineering the New Mustang Panda PlugX Downloader
PlugX

2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon
What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell

2020-07-15 ⋅ ZDNet ⋅ Catalin Cimpanu
Chinese state hackers target Hong Kong Catholic Church
PlugX

2020-07-10 ⋅ ByteAtlas ⋅ Daniel Plohmann
Knowledge Fragment: Casting Sandbox Necromancy on DADSTACHE
DADSTACHE

2020-07-05 ⋅ or10nlabs ⋅ oR10n
Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config
PlugX

2020-06-25 ⋅ Elastic ⋅ Samir Bousseaden, Daniel Stepanic
A close look at the advanced techniques used in a Malaysian-focused APT campaign
DADSTACHE Leviathan

2020-06-14 ⋅ BushidoToken ⋅ BushidoToken
Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)

2020-06-05 ⋅ Prevailion ⋅ Danny Adamitis
The Gh0st Remains the Same
Ghost RAT

2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT

2020-06-03 ⋅ Kaspersky Labs ⋅ GReAT, Mark Lechtik, Giampaolo Dedola
Cycldek: Bridging the (air) gap
8.t Dropper NewCore RAT PlugX USBCulprit Hellsing

2020-06-02 ⋅ Lab52 ⋅ Jagaimo Kawaii
Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers
PlugX

2020-05-24 ⋅ or10nlabs ⋅ oR10n
Reverse Engineering the Mustang Panda PlugX Loader
PlugX

2020-05-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka
What happened between the BigBadWolf and the Tiger?
Ghost RAT

2020-05-15 ⋅ Twitter (@stvemillertime) ⋅ Steve Miller
Tweet on SOGU development timeline, including TIGERPLUG IOCs
PlugX

2020-05-14 ⋅ Lab52 ⋅ Dex
The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
Cobalt Strike HTran MimiKatz PlugX Quasar RAT

2020-05-01 ⋅ Viettel Cybersecurity ⋅ Cyberthreat
Chiến dịch của nhóm APT Trung Quốc Goblin Panda tấn công vào Việt Nam lợi dụng đại dịch Covid-19 (phần 1)
NewCore RAT PlugX

2020-04-07 ⋅ Blackberry ⋅ Blackberry Research
Decade of the RATS: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android
Penquin Turla XOR DDoS ZXShell

2020-03-19 ⋅ VinCSS ⋅ m4n0w4r
Phân tích mã độc lợi dụng dịch Covid-19 để phát tán giả mạo “Chỉ thị của thủ tướng Nguyễn Xuân Phúc” - Phần 2
PlugX

2020-03-15 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka
Dad! There’s A Rat In Here!
DADSTACHE

2020-03-10 ⋅ insomniacs(Medium) ⋅ Asuna Amawaka
APT40 goes from Template Injections to OLE-Linkings for payload delivery
DADSTACHE

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-02 ⋅ Virus Bulletin ⋅ Alex Hinchliffe
Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation-state adversary
HenBox Farseer PlugX Poison Ivy

2020-02-21 ⋅ ADEO DFIR ⋅ ADEO DFIR
APT10 Threat Analysis Report
CHINACHOPPER HTran MimiKatz PlugX Quasar RAT

2020-02-18 ⋅ Trend Micro ⋅ Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
Uncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations
Cobalt Strike HyperBro PlugX Trochilus RAT

2020-02-17 ⋅ Talent-Jump Technologies ⋅ Theo Chen, Zero Chen
CLAMBLING - A New Backdoor Base On Dropbox
HyperBro PlugX

2020-02-08 ⋅ MyCERT ⋅ MyCERT
MA-774.022020: MyCERT Advisory - Espionage Campaign Based On Technical Indicators
Leviathan

2020-02-07 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
APT 40 in Malaysia
DADJOKE

2020-01-31 ⋅ Avira ⋅ Shahab Hamzeloofard
New wave of PlugX targets Hong Kong
PlugX

2020-01-29 ⋅ nao_sec blog ⋅ nao_sec
An Overhead View of the Royal Road
BLACKCOFFEE Cotx RAT Datper DDKONG Derusbi Icefog Korlia NewCore RAT PLAINTEE Poison Ivy Sisfader

2020-01-15 ⋅ Intrusiontruth ⋅ Intrusiontruth
Hainan Xiandun Technology Company is APT40
Leviathan

2020-01-14 ⋅ Intrusiontruth ⋅ Intrusiontruth
Who is Mr Ding?
Leviathan

2020-01-13 ⋅ Intrusiontruth ⋅ Intrusiontruth
Who else works for this cover company network?
Leviathan

2020-01-13 ⋅ Lab52 ⋅ Jagaimo Kawaii
APT27 ZxShell RootKit module updates
ZXShell

2020-01-10 ⋅ Intrusiontruth ⋅ Intrusiontruth
Who is Mr Gu?
Leviathan

2020-01-09 ⋅ Intrusiontruth ⋅ Intrusiontruth
What is the Hainan Xiandun Technology Development Company?
Leviathan

2020-01-03 ⋅ Youtube (BSides Belfast) ⋅ Brian Bartholomew
Nice One, Dad: Dissecting A Rare Malware Used By Leviathan
DADJOKE

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE KEYSTONE
9002 RAT BLACKCOFFEE DeputyDog Derusbi HiKit PlugX Poison Ivy ZXShell Aurora Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE OLIVE
ANGRYREBEL PlugX APT 22

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE FIRESTONE
9002 RAT Derusbi Empire Downloader PlugX Poison Ivy Shell Crew

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE OVERBROOK
Aveo DDKONG IsSpace PLAINTEE PlugX Rambo DragonOK

2020-01 ⋅ FireEye ⋅ Tom Hall, Mitchell Clarke, Mandiant
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE GLOBE
EtumBot Ghost RAT IXESHE

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE ATLAS
Speculoos Winnti ACEHASH CCleaner Backdoor CHINACHOPPER Empire Downloader HTran MimiKatz PlugX Winnti Axiom

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE MOHAWK
AIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll Leviathan

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE EDISON
Ghost RAT sykipot Maverick Panda Samurai Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE EXPRESS
9002 RAT CHINACHOPPER IsSpace NewCT PlugX smac APT 26

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell EMISSARY PANDA

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE PRESIDENT
CHINACHOPPER Cobalt Strike PlugX Mustang Panda

2020 ⋅ Secureworks ⋅ SecureWorks
BRONZE WOODLAND
PlugX Zeus Roaming Tiger

2020-01 ⋅ Dragos ⋅ Joe Slowik
Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX

2019-12-29 ⋅ Secureworks ⋅ CTU Research Team
BRONZE PRESIDENT Targets NGOs
PlugX BRONZE PRESIDENT

2019-12-17 ⋅ Palo Alto Networks Unit 42 ⋅ Jen Miller-Osborn, Mike Harbison
Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
DDKONG Derusbi KHRAT

2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center
GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM

2019-11-28 ⋅ Twitter (@cyb3rops) ⋅ Florian Roth
Tweet on Signature Writing for DADJOKE
DADSTACHE

2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-11-16 ⋅ Silas Cutler's Blog ⋅ Silas Cutler
Fresh PlugX October 2019
PlugX

2019-11-11 ⋅ Virus Bulletin ⋅ Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, Wataru Takahashi
APT cases exploiting vulnerabilities in region‑specific software
NodeRAT Emdivi PlugX

2019-11-05 ⋅ Brian Bartholomew
DADJOKE
DADJOKE

2019-11-04 ⋅ Tencent ⋅ Tencent Security Mikan TIC
APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa

2019-10-31 ⋅ PTSecurity ⋅ PTSecurity
Calypso APT: new group attacking state institutions
BYEBY FlyingDutchman Hussar PlugX

2019-10-03 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe
PKPLUG: Chinese Cyber Espionage Group Attacking Asia
HenBox Farseer PlugX

2019-09-19 ⋅ MeltX0R
Emissary Panda APT: Recent infrastructure and RAT analysis
ZXShell

2019-09-17 ⋅ Talos ⋅ Christopher Evans, David Liebenberg
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT

2019-09-02 ⋅ Volexity ⋅ Andrew Case, Matthew Meltzer, Steven Adair
Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs
scanbox POISON CARP

2019-08-27 ⋅ Cisco Talos ⋅ Paul Rascagnères, Vanja Svajcer
China Chopper still active 9 years later
CHINACHOPPER

2019-08-19 ⋅ FireEye ⋅ Alex Pennino, Matt Bromiley
GAME OVER: Detecting and Stopping an APT41 Operation
ACEHASH CHINACHOPPER HIGHNOON

2019-08-13 ⋅ 奇安信威胁情报中心
洞察人性：一起利用政治人物桃色丑闻的诱饵攻击活动披露
DADJOKE

2019-07-26 ⋅ Twitter (@a_tweeter_user) ⋅ a_tweeter_user
Tweet on Malware
DADJOKE

2019-07-24 ⋅ Intrusiontruth ⋅ Intrusiontruth
APT17 is run by the Jinan bureau of the Chinese Ministry of State Security
BLACKCOFFEE

2019-06-03 ⋅ FireEye ⋅ Chi-en Shen
Into the Fog - The Return of ICEFOG APT
Icefog PlugX Sarhust

2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster
Emissary Panda Attacks Middle East Government Sharepoint Servers
CHINACHOPPER HyperSSL

2019-05-24 ⋅ Fortinet ⋅ Ben Hunter
Uncovering new Activity by APT10
PlugX Quasar RAT

2019-04-30 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
APT 40
Leviathan

2019-04-25 ⋅ DATANET ⋅ Kim Seon-ae
Chinese-based hackers attack domestic energy institutions
CALMTHORN Ghost RAT

2019-04-22 ⋅ Twitter (@killamjr) ⋅ Suspicious Link
Tweet on DADSTACHE payload
DADSTACHE

2019-04-11 ⋅ FireEye ⋅ FireEye
M-Trend 2019
GRILLMARK

2019-04 ⋅ Macnica Networks ⋅ Macnica Networks
OceanLotus Attack on Southeast Asian Automotive Industry
CACTUSTORCH Cobalt Strike

2019-03-27 ⋅ Twitter (@ClearskySec) ⋅ ClearSky Cyber Security
Tweet on "Timelines - ECRL.docx"
DADJOKE

2019-03-19 ⋅ NSHC ⋅ ThreatRecon Team
SectorM04 Targeting Singapore – An Analysis
PlugX Termite

2019-03-14 ⋅ Trustwave ⋅ Simon Kenin
Attacker Tracking Users Seeking Pakistani Passport
scanbox

2019-03-04 ⋅ FireEye ⋅ Fred Plan, Nalani Fraser, Jacqueline O’Leary, Vincent Cannon, Ben Read
APT40: Examining a China-Nexus Espionage Actor
LunchMoney Leviathan

2019-02-27 ⋅ Secureworks ⋅ CTU Research Team
A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell

2019-02-26 ⋅ Yoroi ⋅ ZLAB-Yoroi
The Arsenal Behind the Australian Parliament Hack
LazyCat powerkatz Unidentified 057

2019-02-19 ⋅ Twitter (@MrDanPerez) ⋅ Dan Perez
APT40 dropper
LunchMoney

2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT

2019 ⋅ CrowdStrike ⋅ CrowdStrike
2019 CrowdStrike Global Threat Report
BOSS SPIDER Flash Kitten GURU SPIDER Leviathan LUNAR SPIDER Nomad Panda PINCHY SPIDER RATPAK SPIDER SALTY SPIDER SKELETON SPIDER TINY SPIDER

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Tool description: NanHaiShu
NanHaiShu

2019 ⋅ Virus Bulletin ⋅ Lion Gu, Bowen Pan
A vine climbing over the Great Firewall: A long-term attack against China
Poison Ivy ZXShell

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Tool description: BLACKCOFFEE
BLACKCOFFEE

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Tool description: China Chopper
CHINACHOPPER

2019 ⋅ MITRE ⋅ MITRE ATT&CK
Group description: Leviathan
Leviathan

2018-12-20 ⋅ Codercto ⋅ Codercto
Analysis of the attack activities of Hailian Lotus APT group against large domestic investment companies
CACTUSTORCH

2018-12-14 ⋅ Australian Cyber Security Centre ⋅ ASD
Investigationreport: Compromise of an Australian companyvia their Managed Service Provider
PlugX RedLeaves

2018-11-13 ⋅ Recorded Future ⋅ Insikt Group
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
SeDll Leviathan

2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles
Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT

2018-07-11 ⋅ FireEye ⋅ Scott Henderson, Steve Miller, Dan Perez, Marcin Siedlarz, Ben Wilson, Ben Read
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
AIRBREAK Leviathan

2018-05-09 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
Malware Analysis - PlugX - Part 2
PlugX

2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos
Decoding network data from a Gh0st RAT variant
Ghost RAT EMISSARY PANDA

2018-03-30 ⋅ Kahu Security ⋅ Kahu Security
Reflow JavaScript Backdoor
AIRBREAK

2018-03-30 ⋅ AmosSys ⋅ Florent Saudel
BADFLICK is not so bad!
badflick

2018-03-16 ⋅ FireEye ⋅ FireEye
Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
badflick BLACKCOFFEE CHINACHOPPER homefry murkytop SeDll Leviathan

2018-03-13 ⋅ Kaspersky Labs ⋅ Denis Makrushin, Yury Namestnikov
Time of death? A therapeutic postmortem of connected medicine
PlugX

2018-02-04 ⋅ COUNT UPON SECURITY ⋅ Luis Rocha
MALWARE ANALYSIS – PLUGX
PlugX

2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team
Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT EMISSARY PANDA

2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT

2017-12-20 ⋅ CrowdStrike ⋅ Adam Kozy
An End to “Smash-and-Grab” and a Move to More Targeted Approaches
CHINACHOPPER

2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba

2017-12-19 ⋅ Proofpoint ⋅ Darien Huss
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT

2017-12-18 ⋅ LAC ⋅ Yoshihiro Ishikawa
Relationship between PlugX and attacker group "DragonOK"
PlugX

2017-11-16 ⋅ Github (mdsecactivebreach) ⋅ Vincent Yiu
CACTUSTORCH: Payload Generation for Adversary Simulations
CACTUSTORCH

2017-10-16 ⋅ Proofpoint ⋅ Axel F, Pierre T
Leviathan: Espionage actor spearphishes maritime and defense targets
NanHaiShu SeDll Leviathan

2017-06-27 ⋅ Palo Alto Networks Unit 42 ⋅ Tom Lancaster, Esmid Idrizovic
Paranoid PlugX
PlugX

2017-04-27 ⋅ US-CERT ⋅ US-CERT
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves

2017-04-03 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves

2017-04 ⋅ PricewaterhouseCoopers ⋅ PricewaterhouseCoopers
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT

2017-02-25 ⋅ Financial Security Institute ⋅ Kyoung-Ju Kwak (郭炅周)
Silent RIFLE: Response Against Advanced Threat
Ghost RAT

2017-02-21 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
PlugX + Poison Ivy = PlugIvy? - PlugX Integrating Poison Ivy’s Code
PlugX

2017-02-13 ⋅ RSA ⋅ RSA Research
KINGSLAYER – A SUPPLY CHAIN ATTACK
CodeKey PlugX

2016-10-28 ⋅ Github (smb01) ⋅ smb01
zxshell repository
ZXShell

2016-08-25 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Unpacking the spyware disguised as antivirus
PlugX

2016-08-05 ⋅ F-Secure ⋅ F-Secure Labs
NANHAISHU: RATing the South China Sea
NanHaiShu

2016-06-13 ⋅ Macnica Networks ⋅ Macnica Networks
Survey of the actual situation of the large-scale cyber spy activity that hit Japan | 1st edition
Emdivi PlugX

2016-04-22 ⋅ Cylance ⋅ Isaac Palmer
The Ghost Dragon
Ghost RAT

2016-03-02 ⋅ RSA Conference ⋅ Vanja Svajcer
Dissecting Derusbi
Derusbi

2016-01-22 ⋅ RSA Link ⋅ Norton Santos
PlugX APT Malware
PlugX

2015-12-15 ⋅ Airbus Defence & Space ⋅ Fabien Perigaud
Newcomers in the Derusbi family
Derusbi

2015-10-08 ⋅ Virus Bulletin ⋅ Micky Pun, Eric Leung, Neo Tan
Catching the silent whisper: Understanding the Derusbi family tree
Derusbi

2015-08 ⋅ Arbor Networks ⋅ ASERT Team
Uncovering the Seven Pointed Dagger
9002 RAT EvilGrab PlugX Trochilus RAT Group 27

2015-06-24 ⋅ Spiceworks ⋅ Chris Miller
Stealthy Cyberespionage Campaign Attacks With Social Engineering
NanHaiShu

2015-05-18 ⋅ Tetsuji Tanigawa
TT Malware Log
BLACKCOFFEE

2015-05 ⋅ FireEye ⋅ FireEye
HIDING IN PLAIN SIGHT: FIREEYE AND MICROSOFT EXPOSE OBFUSCATION TACTIC
BLACKCOFFEE

2015-04-15 ⋅ Kaspersky Labs ⋅ Costin Raiu, Maxim Golovkin
The Chronicles of the Hellsing APT: the Empire Strikes Back
GRILLMARK Naikon

2015-02-27 ⋅ InfoSec Institute ⋅ Ryan Mazerik
ScanBox Framework
scanbox

2015-02-27 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
The Anthem Hack: All Roads Lead to China
Derusbi

2015-02-06 ⋅ CrowdStrike ⋅ CrowdStrike
CrowdStrike Global Threat Intel Report 2014
BlackPOS CryptoLocker Derusbi Elise Enfal EvilGrab Gameover P2P HttpBrowser Medusa Mirage Naikon NetTraveler pirpi PlugX Poison Ivy Sakula RAT Sinowal sykipot taidoor

2015-01-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga
Analysis of a Recent PlugX Variant - “P2P PlugX”
PlugX

2014-11 ⋅ Novetta ⋅ Novetta
ZoxPNG Analysis
BLACKCOFFEE

2014-10-28 ⋅ Cisco ⋅ Andrea Allievi, Douglas Goddard, Shaun Hurley, Alain Zidouemba
Threat Spotlight: Group 72, Opening the ZxShell
ZXShell

2014-10-28 ⋅ Novetta ⋅ Novetta
Derusbi (Server Variant) Analysis
Derusbi

2014-08-28 ⋅ AT&T ⋅ Jaime Blasco
Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
scanbox

2014-06-27 ⋅ SophosLabs ⋅ Gabor Szappanos
PlugX - The Next Generation
PlugX

2014-06-10 ⋅ FireEye ⋅ Mike Scott
Clandestine Fox, Part Deux
PlugX

2014-01-06 ⋅ Airbus ⋅ Fabien Perigaud
PlugX: some uncovered points
PlugX

2014-01 ⋅ RSA ⋅ RSA Research
RSA Incident Response: Emerging Threat Profile Shell_Crew
Derusbi

2013-08-07 ⋅ FireEye ⋅ Ian Ahl, Tony Lee, Dennis Hanzlik
Breaking Down the China Chopper Web Shell - Part I
CHINACHOPPER

2013-03-29 ⋅ Computer Incident Response Center Luxembourg ⋅ CIRCL
Analysis Report (TLP:WHITE) Analysis of a PlugX variant (PlugX version 7.0)
PlugX

2013-03 ⋅ Contextis ⋅ Kevin O’Reilly
PlugX–Payload Extraction
PlugX

2012-02-10 ⋅ tracker.h3x.eu ⋅ Malware Corpus Tracker
Info for Family: plugx
PlugX

2012 ⋅ Norman ASA ⋅ Snorre Fagerland
The many faces of Gh0st Rat
Ghost RAT

2011-06-29 ⋅ Symantec ⋅ John McDonald
Inside a Back Door Attack
Ghost RAT Dust Storm

2009-03-28 ⋅ Information Warfare Monitor ⋅ Information Warfare Monitor
Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet

Credits: MISP Project