| Name | Type | Years | Description | PDFs |
|---|---|---|---|---|
| APT1 | threat actor | 2006-2013 | APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. | |
| TeamSpy | threat actor | 2008-2013 | For at least several years, a mysterious threat actor infiltrated, tracked, performed surveillance on and stole data from governmental organisations, some private companies and human rights activists throughout the Commonwealth of Independent States (CIS) and Eastern European nations. Some parts of this operation extended into Western nations and the Middle East as well, with victims in sectors such as energy and heavy industry manufacturing. | |
| Gh0st RAT | malware | 2009-2012 | | |
| RedOctober | malware | 2012-2013 | | |
| Icefog | threat actor | 2013 | The Icefog targeted attacks rely on spear-phishing e-mails that attempt to trick the victim into opening a malicious attachment or a website. | |
| NetTraveler | malware | 2004-2013 | NetTraveler is an automatic data exfiltration tool, designed to extract large amounts of private information from the victim's system over long periods of time. The malware uses compression techniques and a fail-safe protocol to ensure that uploaded data is safely transferred to the attacker's C2s. | |
| ETSO | threat actor | 2011-2013 | In the APT attacks against companies in Korea, the ETSO Attack Group used encrypted communication between the master, which generated the malware, monitored the system and managed the C2 agent, and the agent, which accessed the C2 server. The ETSO Attack Group penetrated the targeted network via the C2 agent and remained dormant for a long period of time without any abnormal behavior that would trigger a network error or website compromise, making the attacks difficult to detect. | |
| Trojan.APT.Seinup | malware | 2012-2013 | The FireEye research team has recently identified a number of spear phishing activities targeting Asia and ASEAN. Of these, one of the spear phishing documents was suspected to have used a potentially stolen document as a decoy. The rich and contextual details (body and metadata), which are not available online, lead us to believe this was stolen. This decoy document mentioned countries such as Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam, which leads us to suspect that these countries are targeted. As the content of this decoy document is suspected to be a stolen sensitive document, the details will not be published. | |
| Wild Neutron | threat actor | 2011-2015 | A powerful threat actor known as "Wild Neutron" (also known as "Jripbot" and "Morpho") has been active since at least 2011, infecting high-profile companies for several years by using a combination of exploits, watering holes and multi-platform malware. | |
| Duqu | malware | 2010 | Duqu's primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization. | |
| Turbo | malware | 2015 | This malware has been reported to have been used in high-profile incidents like the ones involving Wellpoint/Anthem, USIS and Mitsubishi Heavy Industries. These incidents have ranged from simple targeting to reported breaches. Every one of these campaigns involved a Windows version of Derusbi. | |
| Jaku | malware | 2015-2016 | What JAKU demonstrates is the re-use of infrastructure, tools, techniques and processes (TTPs), as well as the herding of victims into separate groupings, some indiscriminate and others highly targeted. Both the herding of general botnet victims and highly targeted attacks on individuals and organisations are hardly surprising. What is something of a step change, however, is the execution of a number of concurrent operations within a campaign, using almost identical TTPs, to herd thousands of victims into becoming botnet members while at the same time executing a targeted operation against a very small number of individuals. | |
| Operation Hangover | malware | 2015-2016 | The purpose of this malware seems predominantly to be a platform for surveillance against targets of national security interest (such as Pakistan), but we will also show how it has been used for industrial espionage against the Norwegian telecom corporation Telenor and other civilian corporations. | |
| SIDEWINDER | malware | 2014 | Android apps and the Android system itself contain vulnerabilities. Aggressive ad libraries also leak the user's private information. By leveraging all these vulnerabilities, an attacker can conduct more targeted attacks, which we call "Sidewinder Targeted Attacks." | |
| DarkComet | malware | 2012 | DarkComet is primarily a general-purpose remote access trojan (RAT). | |
| Operation Cleaver | threat actor | 2012-2013 | The focus of the Operation Cleaver report is on one particular Iranian team we've dubbed Tarh Andishan, the infrastructure they utilize, as well as their tactics, techniques and procedures. Roughly translated, "Tarh Andishan" means "thinkers" or "innovators". This team displays an evolved skillset and uses a complex infrastructure to perform attacks of espionage, theft, and the potential destruction of control systems and networks. While our investigation is ongoing, and we presently have limited visibility inside many of the compromised networks, Cylance observed Tarh Andishan actively targeting, attacking, and compromising more than 50 victims since at least 2012. | |
| Operation Dust Storm | threat actor | 2010-2015 | Our research indicates Operation Dust Storm has been operational since at least early 2010, and has employed a number of different operational techniques, including spear phishing, waterholes, and zero-day exploits over time. Several antivirus companies initially detected early backdoor samples under the moniker Misdat, but the group has quietly evolved over the years to remain undetected and highly effective. | |
| ZooPark | threat actor | 2015-2017 | ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label v1-v4, with v4 being the most recent version deployed in 2017. | |
| Epic Turla | threat actor | < Known years active > | The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies. | |
| Energetic Bear | threat actor | 2010-2014 | Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that have been active going back to at least the end of 2010. Targeted sectors include industrial/machinery, manufacturing, pharmaceutical, construction, education, and information technology. | |
| APT37 | threat actor | 2014-2017 | A suspected North Korean cyber espionage group that we now track as APT37 (Reaper). Recent examination of this group's activities by FireEye iSIGHT Intelligence reveals APT37 has expanded its operations in both scope and sophistication. APT37's toolset, which includes access to zero-day vulnerabilities and wiper malware, combined with heightened tensions in Northeast Asia and North Korea's penchant for norm breaking, means this group should be taken seriously. | |
| GRIZZLY STEPPE | threat actor | 2015-2018 | Russian malicious cyber activity, as designated in the DHS/FBI Joint Analysis Report of that name. | |
| Operation Potato | threat actor | 2011-2015 | Among the victims that we were able to identify, the most notable high-value targets include Ukrainian government and military entities and one of the major Ukrainian news agencies. The malware was also used to spy on members of MMM, a financial pyramid scheme popular in Russia and Ukraine. | |
| PlugX | malware | 2014 | PlugX was by far the most used malware variant for targeted activity during 2014. It proliferated greatly amongst China-based targeted intrusion adversaries and now appears to be the tool of choice for many. The malware has been around for years and has been used by multiple Chinese actors for quite some time; however, the frequency of PlugX use during 2014 revealed just how prominent it is. | |
| Charming Kitten | threat actor | 2014 | An Iran-based adversary that leverages fake personas on social networking sites to conduct social engineering and ultimately targeted attacks against desired targets. | |
| HURRICANE PANDA | threat actor | 2014 | HURRICANE PANDA is an advanced China-based adversary actively targeting Internet services, engineering, and aerospace companies. | |
| The Dukes | threat actor | 2008-2015 | The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. | |
| Mirage | threat actor | 2012-2015 | Since April 2012, the Mirage APT has targeted military and energy organizations in the Philippines, Taiwan, Canada, Brazil, Israel, Egypt, and Nigeria. The most distinct commonality between victims is their involvement in the contest for rights to survey natural gas and oil in the South China Sea. It is believed that the intent of the campaign was to exfiltrate confidential information, steal intellectual property, or construct a botnet for further infections. | |
| Stuxnet | malware | 2008 | The Stuxnet worm covertly attempts to identify and exploit equipment that controls a nation's critical infrastructure. A successful attack by a software application such as the Stuxnet worm could result in manipulation of control system code to the point of inoperability or long-term damage. Should such an incident occur, recovery from the damage to the computer systems programmed to monitor and manage a facility and the physical equipment producing goods or services could be significantly delayed. Depending on the severity of the attack, the interconnected nature of the affected critical infrastructure facilities, and government preparation and response plans, entities and individuals relying on these facilities could be without life-sustaining or comforting services for a long period of time. The resulting damage to the nation's critical infrastructure could threaten many aspects of life, including the government's ability to safeguard national security interests. | |
| Naikon | threat actor | 2013-2015 | The Naikon APT appears to have used specific toolsets against organizations within a designated country, as though each campaign was focused on one country. There is sometimes crossover between campaigns in several ways: the backdoors they deliver, the infiltration techniques, and the overall infrastructure. Backdoor functionality can also cross campaigns and tools. For example, sometimes we see an "inject" variant dropping a "sys10" backdoor, or a Naikon backdoor dropping a RARSTONE backdoor. This particular actor is responsible for the MsnMM and Naikon campaigns. | |
| Lazarus Group | threat actor | 2011-2014 | The Lazarus Group appears to have resources that allow for development of custom malware tools for extensive, targeted, and coordinated attacks, including long periods of reconnaissance. The Lazarus Group has also displayed the technical capability and will to perform destructive attacks against targets. | |
| BlackEnergy | malware | 2015 | On December 23, 2015, unknown cyber actors disrupted energy-grid operations for the first time ever, causing blackouts for over 225,000 customers in Ukraine. Among the most striking features of this attack were the complexity of organization and planning, the discipline in execution, and the capability in many of the discrete tasks exhibited by the threat actors. Over the course of nearly a year prior to the attack, these unknown actors clandestinely established persistent access to multiple industrial networks, identified targets, and ultimately carried out a complex set of actions, which not only disrupted electricity distribution in Ukraine, but also destroyed IT systems, flooded call centers, sowed confusion, and inhibited incident response. The attackers used a malware tool, BlackEnergy 3, designed to enable unauthorized network access, then used valid user credentials to move laterally across internal systems, and ultimately shut down electricity distribution using the utilities' native control systems. | |
| APT38 | threat actor | 2014-2018 | APT38 is a financially motivated North Korean regime-backed group responsible for conducting destructive attacks against financial institutions, as well as some of the world's largest cyber heists. Based on widely publicized operations alone, the group has attempted to steal more than $1.1 billion. | |
| MoneyTaker | threat actor | 2016-2017 | In total, Group-IB has confirmed at least 20 companies as victims of the MoneyTaker group, 16 of which are located in the US. The vast majority of them are small community banks, where the attackers targeted card processing systems. The average damage from each successful attack was about 500,000 USD. | |
| XSLCmd | malware | 2009-2012 | FireEye Labs recently discovered a previously unknown variant of the APT backdoor XSLCmd, OSX.XSLCmd, which is designed to compromise Apple OS X systems. This backdoor shares a significant portion of its code with the Windows-based version of the XSLCmd backdoor that has been around since at least 2009. | |
| Pitty Tiger | threat actor | 2011-2014 | Pitty Tiger is a group of attackers that have been active since at least 2011. They have targeted private companies in several sectors, such as defense and telecommunications, but also at least one government. | |
| Rocket Kitten | threat actor | 2014-2015 | Since early 2014, an attacker group of Iranian origin has been actively targeting persons of interest by means of malware infection, supported by persistent spear phishing campaigns. This cyber-espionage group was dubbed "Rocket Kitten," and remains active as of this writing, with reported attacks as recent as October 2015. | |
| CopyKittens | threat actor | 2013-2017 | CopyKittens is a cyberespionage group that has been operating since at least 2013. In November 2015, ClearSky and Minerva Labs published the first public report exposing its activity. In March 2017, ClearSky published a second report exposing further incidents, some of which impacted the German Bundestag. In this report, Trend Micro and ClearSky expose a vast espionage apparatus spanning the entire time the group has been active. It includes recent incidents as well as older ones that have not been publicly reported; new malware; exploitation, delivery and command and control infrastructure; and the group's modus operandi. | |
| CARBANAK | threat actor | 2017 | Intrusions associated with the CARBANAK actors have been reported describing compromises of organizations within the banking, financial, hospitality, and restaurant verticals. However, they all describe a relatively equivalent progression, with only slight deviation in specific attacker actions. The intelligence surrounding recent CARBANAK incidents indicates that phishing attacks have been the group's primary method of initial compromise. After gaining access to a user system, the attackers move laterally throughout the environment, conduct internal reconnaissance, establish staging points and internal network paths, harvest credentials, and move towards their intended target. However, this intrusion began with a significantly higher level of privilege due to the exploitation of the Apache Struts vulnerability CVE-2017-5638, which allowed the attackers to quickly gain administrative access within the client's Linux environment. | |
| TEMP.Demon | threat actor | 2018 | The attacker leveraged a web content management system vulnerability to install webshell variants such as DEVILZSHELL, ASPXSHELL, WEBSNIFF and TABLETOP on Internet-facing web servers. The attacker then used publicly available webshells to remotely execute code and elevate privileges on the compromised Windows servers. The attacker executed publicly available credential harvesting tools, such as Procdump, Mimikatz and SafetyKatz, to obtain local and domain credentials and laterally access additional systems in the targeted environment. Stolen domain credentials were used to rapidly deploy Cobalt Strike payloads to systems in the targeted environment. Cobalt Strike is threat emulation software often used by red teams and real-world attackers for its remote access trojan (RAT) and detection evasion capabilities. | |
| APT10 | threat actor | 2009-2018 | APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these industries has been in support of Chinese national security goals, including acquiring valuable military and intelligence information as well as the theft of confidential business data to support Chinese corporations. | |
| Wiper | malware | 2014 | US-CERT was notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool. | |
| Axiom | threat actor | 2009-2014 | The Axiom group is a Chinese, potentially state-sponsored, threat actor that compromises systems that contain information of value to advancing China's 12th Five Year Plan. Axiom was investigated in the October 2014 Operation SMN, a joint operation between private firms, led by Novetta, which released information and led to the removal of Axiom malware from over 43,000 systems. | |
| PLA | threat actor | 2002-2009 | The Chinese military, using increasingly networked forces capable of communicating across service arms and among all echelons of command, is pushing beyond its traditional missions focused on Taiwan and toward a more regional defense posture. This modernization effort, known as informationization, is guided by the doctrine of fighting "Local War Under Informationized Conditions," which refers to the PLA's ongoing effort to develop a fully networked architecture capable of coordinating military operations on land, in air, at sea, in space and across the electromagnetic spectrum. | |
| FIN5 | threat actor | 2008-2019 | FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. | |
| TA505 | threat actor | 2014-2019 | The sophisticated threat actor group dubbed "TA505" is financially motivated and has been attributed to high-volume malicious email campaigns since 2014, including the distribution of the Dridex and Shifu banking trojans as well as the Neutrino botnet/exploit kit and Locky ransomware. | |
| Shell_Crew | threat actor | 2005 | Shell_Crew continues to be a formidable threat group that is actively attacking organizations. In instances where Shell_Crew has already breached an organization, it has been observed that the adversary will aggressively attempt to regain a foothold once their Trojans have been eradicated and communication channels severed. If any of their existing backdoors or web shells remain active in the environment, Shell_Crew will begin to redeploy other tiers of malware that communicate through different channels, which may use different protocols and obfuscation techniques. | |
| Black Atlas | threat actor | 2012-2015 | Black Atlas' current operations are somewhat successful, as they have been able to compromise some interesting victims that, for them, are low-hanging fruit and easy prey. Furthermore, we believe that this method of operation will continue, improve and may still be utilized in the future by other threat actor groups. | |
| Crouching Tiger | threat actor | 2010-2015 | These attacks are far from random or indiscriminate. They are designed to steal information that will fulfil a clear set of requirements set by the Chinese state and furnish them with political, commercial and security/intelligence information. These requirements are carefully and clearly identified, shared with a number of government departments and constantly updated. There is evidence of worldwide targeting, but only a minority of attacks are identified and fewer still made public. | |
| Regin | malware | 2008-2013 | Regin is a multi-purpose data collection tool which dates back several years. Symantec first began looking into this threat in the fall of 2013. Multiple versions of Regin were found in the wild, targeting several corporations, institutions, academics, and individuals. | |
| Shadows in the Cloud | threat actor | 2004-2010 | Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data that were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment, as well as data containing sensitive information on citizens of numerous third-party countries and personal, financial, and business information. | |
| Iron Tiger | threat actor | 2010-2013 | In a cyber-espionage operation we dubbed "Iron Tiger," the actors first spent years spying on political targets and government agencies in China, Hong Kong, and the Philippines, starting in 2010, before eyeing technology-related organizations in the US. Given the huge geographical shift in target, it is very likely that Iron Tiger is only part of a bigger campaign where specific targets are assigned to various teams. | |
| Clever Kitten | threat actor | 2013 | Clever Kitten primarily targets global companies with strategic importance to countries whose interests run contrary to Iran's. Clever Kitten actors have a strong affinity for PHP server-side attacks to gain access; this is relatively unique amongst targeted attackers, who often favor targeting a specific individual at a specific organization using social engineering. | |
| Kimsuky | threat actor | 2013 | A cyber-espionage campaign by North Korea against South Korean think tanks. | |
| Syrian Electronic Army | threat actor | 2012 | SEA has conducted DDoS attacks, phishing, pro-Assad defacements, and spamming campaigns against governments, online services, and media that are perceived to be hostile to the Syrian government. SEA has hacked Al-Jazeera, Anonymous, Associated Press (AP), BBC, Daily Telegraph, Financial Times, Guardian, Human Rights Watch, National Public Radio, The New York Times, Twitter, and more. Its most famous exploit was a hoax announcement using AP's Twitter account that the White House was bombed and President Obama injured, after which stock markets briefly dipped to the tune of $200 billion. | |
| Whois Hacking Team | threat actor | 2009-2013 | The attacks managed to create a significant disruption of ATM networks while denying access to funds. This wasn't the first time that this type of attack, in which destructive malware wiped the systems belonging to a financial institution, has occurred in South Korea. In 2011 the same financial institution was hit with destructive malware that caused a denial of service. | |
| Ajax Security Team | threat actor | 2010-2013 | In this report, we document the activities of the Ajax Security Team, a hacking group believed to be operating from Iran. Members of this group have accounts on popular Iranian hacker forums such as ashiyane[.]org and shabgard[.]org, and they have engaged in website defacements under the group name "AjaxTM" since 2010. By 2014, the Ajax Security Team had transitioned from performing defacements (their last defacement was in December 2013) to malware-based espionage, using a methodology consistent with other advanced persistent threat actors in this region. | |
| Flying Kitten | threat actor | 2013-2014 | This campaign leveraged fake websites to trick users into entering credentials, and to concurrently serve malware that poses as software updates for legitimate applications. Shortly after this activity was identified, other campaigns against additional targets in the defense and aerospace sectors were observed. Evidence supporting the attribution of Flying Kitten to Iran is found in their secondary focus, which targets Iranian dissidents in foreign countries, as well as in Iran itself. | |
| APT28 | threat actor | 2007-2016 | Since at least 2007, APT28 has engaged in extensive operations in support of Russian strategic interests. The group, almost certainly composed of a sophisticated and prolific set of developers and operators, has historically collected intelligence on defense and geopolitical issues. APT28 espionage activity has primarily targeted entities in the U.S., Europe, and the countries of the former Soviet Union, including governments and militaries, defense attaches, media entities, and dissidents and figures opposed to the current Russian Government. | |
| Poison Ivy | malware | 2005-2013 | Poison Ivy is a remote access tool that is freely available for download from its official web site at www.poisonivy-rat.com. First released in 2005, the tool has gone unchanged since 2008 with version 2.3.2. Poison Ivy includes features common to most Windows-based RATs, including key logging, screen capturing, video capturing, file transfers, system administration, password theft, and traffic relaying. | |
| ZxShell | malware | 2004-2014 | The ZxShell toolkit is used to run command and control (C&C) servers and to generate the malware that is placed on the victim's network. ZxShell has been observed being distributed through phishing attacks and dropped by exploits that leverage vulnerabilities such as CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322. | |
| Careto | threat actor | 2007-2014 | An advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or "Mask"), which the authors included in some of the malware modules. | |
| Dragonfly | threat actor | 2011-2014 | A cyberespionage campaign against a range of targets, mainly in the energy sector, gave attackers the ability to mount sabotage operations against their victims. The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes and, if they had used the sabotage capabilities open to them, could have caused damage or disruption to the energy supply in the affected countries. | |
| Uroburos | malware | 2008-2013 | Uroburos is a rootkit composed of two files, a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably files) and it is also able to capture network traffic. Its modular structure allows it to be extended with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. The Uroburos driver is extremely complex and is designed to be very discreet and very difficult to identify. | |
| APT32 | threat actor | 2014-2017 | Since at least 2014, APT32 has been targeting foreign corporations with a vested interest in Vietnam's manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations. | |
| ProjectSauron | malware | 2011-2016 | The threat actor behind ProjectSauron commands a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how the attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a few countries, focused on collecting high-value intelligence by compromising almost all key entities it could possibly reach within the target area. | |
| Backdoor.Remsec | malware | N/A | The Backdoor.Remsec signature (Symantec's name for the ProjectSauron/Strider framework) is used to detect several different components. These various components work together as a framework to provide an attacker complete control over a victim computer, allow them to spread across a network, utilize a discreet command and control protocol, and deploy custom tools as required. | |
| Volatile Cedar | threat actor | 2012-2014 | Volatile Cedar is a highly targeted and very well-managed campaign. Its targets are carefully chosen, confining the infection spread to the bare minimum required to achieve the attacker's goal while minimizing the risk of exposure. Our analysis leads us to believe that the attackers conduct a fair amount of intelligence gathering to tailor each infection to its specific target. | |
| GreyEnergy | malware | 2015-2017 | The malware, named GreyEnergy by ESET researchers, exhibits many conceptual similarities with BlackEnergy, the malware used in attacks against the Ukrainian energy industry in December 2015. Besides these similarities, there are links that suggest that the group behind GreyEnergy has been working together with the TeleBots group, known in connection with many destructive attacks. | |
| OnionDuke | malware | 2013-2015 | In October 2014, Leviathan Security Group disclosed that a Russia-based Tor exit node was attaching malware to the files that passed through it by wrapping legitimate executables with the malware executable. The technique increased the attacker's chance of bypassing integrity check mechanisms. The malware campaign is believed to have been active from at least February 2013 through spring 2015. | |
| Aurora Botnet | malware | 2009 | In general, Aurora is "just another botnet" and typifies the advanced nature of the threat and the criminal ecosystem that supports it. It is important to note, however, that botnets linked to the criminal operators behind Aurora may have been sold or traded to other botnet operators, either in sections or on an individual victim basis. This kind of transaction is increasingly popular. Specialist botnet builders sell access to victim systems or networks for a fee, making it very simple for other entities to access confidential business systems and information without needing to be technologically proficient. These transactions between criminals are very difficult to detect. | |
| DorkBot | malware | 2014 | DorkBot is a modified IRCBot that is very similar in features to NgrBot. DorkBot has a loader and a module. The bot includes the following features: process injection, hard drive wiping, etc. Unlike NgrBot, DorkBot uses modified IRC commands. Some of the commands supported include: !die, !dl, !http.inj, !logins, !rc, !speed, !ssyn, !stop, !up, and !udp. | |
| DarkHotel | threat actor | 2007-2012 | Darkhotel APT is a threat actor possessing a seemingly inconsistent and contradictory set of characteristics, some advanced and some fairly rudimentary. Inhospitably operating for almost a decade, the threat actor is currently active. The actor's offensive activity can be tied to specific hotel and business center Wi-Fi and physical connections; some of it is also tied to P2P/file-sharing networks, and they have been known to spear-phish targets as well. Darkhotel tools are detected as "Tapaoux", "Pioneer", "Karba", and "Nemim", among other names. | |
| Hidden Lynx | threat actor | 2009-2013 | The Hidden Lynx group has been in operation since at least 2009 and is most likely a professional organization that offers a "hackers for hire" service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals. | |
| Ebury | malware | 2014 | Ebury is a sophisticated backdoor used to steal OpenSSH credentials and maintain access to a compromised server. | |
| Threat Group-3390 | threat actor | 2010-2018 | Threat Group-3390 is a Chinese threat group that has extensively used strategic web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. | |
| APT39 | threat actor | 2014-2019 | APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. | |
| menuPass | threat actor | 2009-2014 | menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. | |
| Emotet | malware | 2014-2019 | Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. [1] | |
| WannaCry | malware | 2017 | WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue. | |
| template | < threat actor/malware > | < Known years active > | < Description of threat actor or malware > | |
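The TEMP.Demon entry above describes the chain a responder should be able to see in endpoint telemetry: Procdump, Mimikatz or SafetyKatz run against LSASS, then stolen domain credentials used to push Cobalt Strike payloads to many hosts at once. The Python below is an added example written for this catalogue, not code from FireEye or from any of the reports summarised here. The event records, host names and account names are constructed, and the record shape (a simplified Sysmon-style process-creation event and a System-log 7045-style service-install event) is an assumption about what a reader's telemetry looks like. It flags LSASS dumping by behaviour (the `-ma lsass` argument, Mimikatz module syntax, the comsvcs.dll MiniDump export) rather than only by tool name, and separately flags one account installing services on several hosts within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs) in a simplified Sysmon-like shape.
# "process" records carry the full command line; "service" records model a
# service-installed event (System log EID 7045) with the service name and binary.
SAMPLE_EVENTS = [
    {"ts": "2018-06-01T10:00:05", "host": "WEB01", "user": "CORP\\svc_web", "type": "process",
     "cmd": r"C:\Windows\Temp\pd64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"ts": "2018-06-01T10:00:40", "host": "WEB01", "user": "CORP\\svc_web", "type": "process",
     "cmd": r"C:\Windows\Temp\sk.exe"},   # renamed SafetyKatz: nothing on the command line to match
    {"ts": "2018-06-01T10:01:10", "host": "WEB01", "user": "CORP\\svc_web", "type": "process",
     "cmd": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2018-06-01T10:02:00", "host": "WEB01", "user": "CORP\\svc_web", "type": "process",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\x.dmp full"},
    {"ts": "2018-06-01T10:30:00", "host": "FS01", "user": "CORP\\da_admin", "type": "service",
     "svc": "a3f9c1b", "path": r"\\127.0.0.1\ADMIN$\a3f9c1b.exe"},
    {"ts": "2018-06-01T10:31:10", "host": "DC01", "user": "CORP\\da_admin", "type": "service",
     "svc": "7e2d40a", "path": r"\\127.0.0.1\ADMIN$\7e2d40a.exe"},
    {"ts": "2018-06-01T10:33:45", "host": "SQL01", "user": "CORP\\da_admin", "type": "service",
     "svc": "c91bb04", "path": r"\\127.0.0.1\ADMIN$\c91bb04.exe"},
    {"ts": "2018-06-01T14:00:00", "host": "PRN01", "user": "CORP\\helpdesk", "type": "service",
     "svc": "PrintAgent", "path": r"C:\Program Files\PrintAgent\agent.exe"},
]

# Behaviour-based rules first (they survive a renamed binary); the name-based rule is last.
CREDENTIAL_ACCESS_RULES = {
    "procdump_lsass":   re.compile(r"(?i)\s-ma\b.*\blsass(?:\.exe)?\b"),          # full memory dump of LSASS
    "mimikatz_modules": re.compile(r"(?i)\b(?:sekurlsa|lsadump|kerberos)::"),     # mimikatz module::command syntax
    "comsvcs_minidump": re.compile(r"(?i)comsvcs\.dll\b.*\bMiniDump\b"),          # living-off-the-land LSASS dump
    "known_tool_name":  re.compile(r"(?i)\b(?:mimikatz|safetykatz|procdump(?:64)?)\.exe\b"),
}


def flag_credential_access(events):
    """Return one finding per process event whose command line matches any rule."""
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        rules = [name for name, rx in CREDENTIAL_ACCESS_RULES.items() if rx.search(e["cmd"])]
        if rules:
            findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"], "rules": rules})
    return findings


def flag_service_spray(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag an account that installs services on >= min_hosts distinct hosts inside one
    sliding window. Remote service creation with stolen domain credentials is how a
    payload gets pushed fleet-wide in minutes."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "service":
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    findings = []
    for user, installs in by_user.items():
        installs.sort()
        for i, (t0, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "hosts": sorted(hosts), "from": t0.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in flag_credential_access(SAMPLE_EVENTS):
        print("credential access:", f)
    for f in flag_service_spray(SAMPLE_EVENTS):
        print("service spray:", f)
```

Note the second sample event: a renamed SafetyKatz binary launched with no arguments matches none of the rules, which is why a name-only rule is the weakest of the four and why the service-install correlation is worth running alongside the command-line rules rather than instead of them.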
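The CARBANAK entry notes that one intrusion began with CVE-2017-5638 (Apache Struts S2-045, fixed in Struts 2.3.32 and 2.5.10.1), where the Jakarta multipart parser echoed a request header into an error message that Struts then evaluated as OGNL. The Content-Type header was the S2-045 vector; the related S2-046 path reached the same bug through Content-Disposition and Content-Length. As an added example, not taken from the page or from any vendor report, here is a small check a reverse proxy or log reviewer can run over request headers. The sample requests are constructed, the paths are placeholders, and the header values carry only the OGNL marker, not a working payload.

```python
import re
from urllib.parse import unquote

# Constructed request captures (not real traffic): (method, path, headers) as a
# reverse proxy or WAF would see them before the request reaches Struts.
SAMPLE_REQUESTS = [
    ("POST", "/app/upload.action",
     {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4"}),
    ("POST", "/app/upload.action",
     {"Content-Type": "%{(#_='multipart/form-data').(#probe='marker')}"}),
    ("POST", "/app/upload.action",                     # same marker, URL-encoded once
     {"content-type": "%25%7B(%23_%3D'multipart/form-data')%7D"}),
    ("POST", "/app/upload.action",
     {"Content-Type": "multipart/form-data", "Content-Disposition": 'form-data; name="f"; filename="${#x}"'}),
    ("GET", "/app/index.action",
     {"Accept": "text/html", "Content-Type": "application/x-www-form-urlencoded"}),
]

# OGNL expressions open with %{ or ${. These are the headers the Jakarta multipart
# parser placed into the error message that Struts evaluated (CVE-2017-5638).
OGNL_MARKER = re.compile(r"[%$]\{")
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")


def ognl_in_headers(headers):
    """Return the (lower-cased) names of request headers carrying an OGNL marker."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hits = []
    for name in SUSPECT_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        # Decode twice: one pass turns %25%7B into %{; a second pass catches values
        # that were percent-encoded twice to slip past a filter that decodes once.
        if OGNL_MARKER.search(unquote(unquote(value))):
            hits.append(name)
    return hits


def scan_requests(requests):
    """Return (method, path, flagged_headers) for each request that looks like an S2-045/S2-046 probe."""
    findings = []
    for method, path, headers in requests:
        hits = ognl_in_headers(headers)
        if hits:
            findings.append((method, path, hits))
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("OGNL marker in request header:", finding)
```

A legitimate client never sends `%{` or `${` in these three headers, so the false-positive rate of this check is essentially nil; what it does not cover is a patched-but-still-logged environment, where the right response is to confirm the running Struts version rather than to keep counting probes.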
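The OnionDuke entry describes a Tor exit node wrapping legitimate executables inside a malicious one so that the download still looked like the expected program. The Python below is an added example, not code from the page's sources, of the two checks a downloader should make before running what it fetched: compare against a SHA-256 pinned from an authenticated channel, and, when no pinned hash is available, inspect whether the PE carries data beyond its last section that is not the region the security directory declares for an Authenticode signature. Header offsets follow the PE/COFF specification; `build_pe` fabricates a minimal, non-runnable PE32 skeleton purely as test input.

```python
import hashlib
import struct


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_overlay(data: bytes) -> dict:
    """Locate the overlay (bytes after the last section's raw data) and report whether it is
    exactly the region the security data directory claims for an Authenticode signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = _u32(data, 0x3C)                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = _u16(data, pe + 6)                    # COFF NumberOfSections
    opt_size = _u16(data, pe + 20)               # COFF SizeOfOptionalHeader
    opt = pe + 24
    magic = _u16(data, opt)
    dd_base = {0x10B: 96, 0x20B: 112}[magic]     # data directories: PE32 vs PE32+
    sec_dir = opt + dd_base + 4 * 8              # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4)
    sec_off, sec_size = _u32(data, sec_dir), _u32(data, sec_dir + 4)   # a file offset, not an RVA
    sect = opt + opt_size
    end = sect + nsec * 40                       # at least the headers
    for i in range(nsec):
        h = sect + i * 40
        end = max(end, _u32(data, h + 20) + _u32(data, h + 16))   # PointerToRawData + SizeOfRawData
    overlay = data[end:]
    signature_only = bool(overlay) and sec_off == end and sec_size == len(overlay)
    return {"overlay_offset": end, "overlay_size": len(overlay), "signature_only": signature_only}


def verify_download(data: bytes, expected_sha256=None) -> str:
    """Triage a fetched executable. A pinned hash is decisive; without one, an overlay that is
    not the declared signature is the wrapper pattern and should block execution pending review."""
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        return "hash_mismatch"
    info = pe_overlay(data)
    if info["overlay_size"] and not info["signature_only"]:
        return "unexpected_overlay"
    return "ok"


def build_pe(overlay: bytes = b"", sign_overlay: bool = False) -> bytes:
    """Construct a minimal PE32 skeleton (one section, not executable) as constructed test input.
    With sign_overlay=True the security directory is pointed at the overlay, as a signed file would be."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    raw_ptr, raw_size = 0x200, 0x200
    if sign_overlay and overlay:
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + raw_size, len(overlay))
    sect = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    header = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(raw_ptr, b"\0") + b"\xC3" * raw_size + overlay


if __name__ == "__main__":
    clean = build_pe()
    print(verify_download(build_pe(b"\x90" * 100)))                # unexpected_overlay
    print(verify_download(build_pe(b"\x30" * 64, sign_overlay=True)))  # ok
    print(verify_download(build_pe(b"\x90" * 100), sha256_hex(clean)))   # hash_mismatch
```

Two caveats belong with this check. Self-extracting archives and installers built with NSIS or Inno Setup legitimately keep their payload in the overlay, so `unexpected_overlay` is a triage signal, not a verdict. And the security directory only says where a signature sits; a wrapper can set it too, so the `signature_only` case still has to be followed by real Authenticode verification of the certificate chain, which a re-packaged binary cannot pass without a trusted signing key.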