This is a repository of publicly available documents and notes related to APT activity, sorted by year. For malware sample hashes, please see the individual reports.

For the moment, please include a PDF copy of any article you add to the list, so that we always keep a copy even if the original goes offline.

To contribute, you can either:
- Fork, add and send me a pull request
- Open a ticket with the data you want added

Adding data:
- Add a link to the public document to the README.md page, under the appropriate year
- Add the PDF file to the directory for the appropriate year

Thanks to the contributors for helping with the project!

The papers section contains historical documents.
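The two contribution steps above are easy to get half right: an entry lands in the README without its PDF, or the PDF is filed under a different year than the section that lists it (the W32.Stuxnet Dossier entry below carries a 2010 date but links into 2011/). The following maintainer check is an added example, not a script from this repository: it parses entry lines in the format this index uses, "- Mon DD - Title - [Repo](path)", grouped under year headings assumed to be of the form "## YYYY", and reports missing files, year mismatches between section and link path, and entries that still have no local copy. The `demo()` function, the sample README text and the placeholder PDF it writes are constructed for the example.

```python
"""Index consistency check for this README. Added example, not part of the
APTnotes repository. Parses entries of the form
"- Mon DD - Title - [Repo](path)" grouped under "## YYYY" headings
(assumed heading form) and reports missing PDFs, year mismatches between
the section and the link path, and entries that have no local copy yet."""
import re
import tempfile
from pathlib import Path

# The day may be "??" when only the month is known. A stray space before
# "(" is tolerated so a half-broken link is checked rather than silently skipped.
ENTRY_RE = re.compile(
    r"^- (?P<mon>\w{3}|\?{3}) (?P<day>\d{2}|\?\?) - (?P<title>.+?)"
    r" - \[Repo\] ?\((?P<path>[^)]+)\)\s*$"
)
YEAR_HEADING_RE = re.compile(r"^#+\s*(?P<year>\d{4})\s*$")
YEAR_DIR_RE = re.compile(r"(?:^|/)(?P<year>\d{4})/")  # first YYYY/ component of the path


def parse_index(readme_text):
    """Return (linked, unlinked): linked entries as dicts with year/title/path,
    unlinked entries (no [Repo] link) as (year, entry text) tuples."""
    year, linked, unlinked = None, [], []
    for line in readme_text.splitlines():
        heading = YEAR_HEADING_RE.match(line)
        if heading:
            year = heading["year"]
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            linked.append({"year": year, "title": entry["title"], "path": entry["path"].strip()})
        elif line.startswith("- ") and year is not None:
            unlinked.append((year, line[2:].strip()))
    return linked, unlinked


def check_index(readme_text, root):
    """Return a sorted list of (kind, title, detail) problems for a checkout at `root`."""
    linked, unlinked = parse_index(readme_text)
    problems = []
    for entry in linked:
        rel = entry["path"][2:] if entry["path"].startswith("./") else entry["path"]
        if not (Path(root) / rel).is_file():
            problems.append(("missing-file", entry["title"], rel))
        year_dir = YEAR_DIR_RE.search(rel)
        if year_dir and entry["year"] and year_dir["year"] != entry["year"]:
            problems.append(("year-mismatch", entry["title"],
                             f"listed under {entry['year']}, stored in {year_dir['year']}/"))
    for year, text in unlinked:
        problems.append(("no-local-copy", text, year))
    return sorted(problems)


# Constructed sample index (not the real README): two sections, one entry
# filed under the wrong year, one entry without a link, one half-broken link.
SAMPLE_README = """## 2010
- Sep 30 - W32.Stuxnet Dossier - [Repo](2011/w32_stuxnet_dossier.pdf)
- Jan 12 - Operation Aurora

## 2011
- Feb 10 - Global Energy Cyberattacks: Night Dragon - [Repo](./2011/wp-global-energy-cyberattacks-night-dragon.pdf)
- Apr 20 - Stuxnet Under the Microscope - [Repo] (./2011/Stuxnet_Under_the_Microscope.pdf)
"""


def demo():
    """Run the check against a throwaway checkout that holds only the Night Dragon PDF."""
    with tempfile.TemporaryDirectory() as tmp:
        pdf = Path(tmp) / "2011" / "wp-global-energy-cyberattacks-night-dragon.pdf"
        pdf.parent.mkdir()
        pdf.write_bytes(b"%PDF-1.4\n")  # placeholder content; only existence is checked
        return check_index(SAMPLE_README, tmp)


if __name__ == "__main__":
    for kind, title, detail in demo():
        print(f"{kind:14} {title}: {detail}")
```

Against a real checkout, run `check_index(Path("README.md").read_text(), ".")` from the repository root. The year-mismatch report is the one worth reviewing before merging a pull request, since a PDF stored under the wrong year is still reachable by its link and so never shows up as a missing file.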
## 2008

- Aug 10 - Russian Invasion of Georgia: Russian Cyberwar on Georgia - [Repo](./2008/556_10535_798405_Annex87_CyberAttacks.pdf)
- Oct 02 - How China will use cyber warfare to leapfrog in military competitiveness - [Repo](historical/2008/Cyberwar.pdf)
- Nov 04 - China's Electronic Long-Range Reconnaissance - [Repo](historical/2008/chinas-electronic.pdf)
- Nov 19 - Agent.BTZ
## 2009

- Jan 18 - Impact of Alleged Russian Cyber Attacks - [Repo](historical/2009/Ashmore - Impact of Alleged Russian Cyber Attacks.pdf)
- Mar 29 - Tracking GhostNet - [Repo](./2009/ghostnet.pdf)
## 2010

- Jan 12 - Operation Aurora
- Jan 13 - The Command Structure of the Aurora Botnet - Damballa - [Repo](./2010/Aurora_Botnet_Command_Structure.pdf)
- Jan 20 - McAfee Labs: Combating Aurora - [Repo](./2010/Combating Threats - Operation Aurora.pdf)
- Jan 27 - Operation Aurora: Detect, Diagnose, Respond - [Repo](./2010/Aurora_HBGARY_DRAFT.pdf)
- Jan ?? - Case Study: Operation Aurora - Triumfant
- Feb 24 - How Can I Tell if I Was Infected By Aurora? (IOCs) - [Repo](./2010/how_can_u_tell_Aurora.pdf)
- Mar 14 - In-depth Analysis of Hydraq - [Repo](./2010/in-depth_analysis_of_hydraq_final_231538.pdf)
- Apr 06 - Shadows in the Cloud: Investigating Cyber Espionage 2.0 - [Repo](./2010/shadows-in-the-cloud.pdf)
- Sep 03 - The "MSUpdater" Trojan And Ongoing Targeted Attacks - [Repo](./2010/MSUpdaterTrojanWhitepaper.pdf)
- Sep 30 - W32.Stuxnet Dossier - [Repo](2011/w32_stuxnet_dossier.pdf)
- Dec 09 - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability - [Repo](2010/R41524.pdf)
## 2011

- Feb 10 - Global Energy Cyberattacks: Night Dragon - [Repo](./2011/wp-global-energy-cyberattacks-night-dragon.pdf)
- Feb 18 - Night Dragon: Specific Protection Measures for Consideration - [Repo](./2011/Alerts DL-2011 Alerts-A-2011-02-18-01 Night Dragon Attachment 1.pdf)
- Apr 20 - Stuxnet Under the Microscope - [Repo](./2011/Stuxnet_Under_the_Microscope.pdf)
- Aug ?? - Shady RAT
- Aug 02 - Operation Shady RAT: Vanity - [Repo](./2011/shady_rat_vanity.pdf)
- Aug 03 - HTran and the Advanced Persistent Threat - [Repo](./2011/HTran_and_the_Advanced_Persistent_Threat.pdf)
- Aug 04 - Operation Shady RAT - [Repo](./2011/wp-operation-shady-rat.pdf)
- Sep 09 - The RSA Hack - [Repo](2011/FTA1001-The_RSA_Hack.pdf)
- Sep 11 - SK Hack by an Advanced Persistent Threat - [Repo](./2011/C5_APT_SKHack.pdf)
- Sep 22 - The "LURID" Downloader - [Repo](./2011/wp_dissecting-lurid-apt.pdf)
- Oct 12 - Alleged APT Intrusion Set: "1.php" Group - [Repo](./2011/tb_advanced_persistent_threats.pdf)
- Oct 26 - Duqu Trojan Questions and Answers - [Repo](./2011/Duqu_Trojan_Questions_and_Answers.pdf)
- Oct 31 - The Nitro Attacks: Stealing Secrets from the Chemical Industry - [Repo](./2011/the_nitro_attacks.pdf)
- Dec 08 - Palebot trojan harvests Palestinian online credentials - [Repo](./2011/Palebot_Palestinian_credentials.pdf)
## 2012

- Jan 03 - The HeartBeat APT - [Repo](./2012/wp_the-heartbeat-apt-campaign.pdf)
- Feb 03 - Command and Control in the Fifth Domain - [Repo](2011/C5_APT_C2InTheFifthDomain.pdf)
- Feb 29 - The Sin Digoo Affair - [Repo](./2012/The_Sin_Digoo_Affair.pdf)
- Mar 12 - Crouching Tiger, Hidden Dragon, Stolen Data - [Repo](./2012/Crouching_tiger_hidden_dragon.pdf)
- Mar 13 - Reversing DarkComet RAT's crypto - [Repo](./2012/Crypto-DarkComet-Report.pdf)
- Mar 26 - Luckycat Redux - [Repo](./2012/wp_luckycat_redux.pdf)
- Apr 10 - Anatomy of a Gh0st RAT - [Repo](2012/wp-know-your-digital-enemy.pdf)
- Apr 16 - OSX.SabPub & Confirmed Mac APT attacks - [Repo](./2012/OSX_SabPub.pdf)
- May 18 - Analysis of Flamer C&C Server - [Repo](./2012/w32_flamer_newsforyou.pdf)
- May 22 - IXESHE: An APT Campaign - [Repo](./2012/wp_ixeshe.pdf)
- May 31 - sKyWIper (Flame/Flamer) - [Repo](./2012/skywiper.pdf)
- Jul 10 - Advanced Social Engineering for the Distribution of LURK Malware - [Repo](./2012/Tibet_Lurk.pdf)
- Jul 11 - Wired article on DarkComet creator
- Jul 27 - The Madi Campaign - [Repo](./2012/The_Madi_Infostealers.pdf)
- Aug 09 - Gauss: Abnormal Distribution - [Repo](./2012/kaspersky-lab-gauss.pdf)
- Sep 06 - The Elderwood Project - [Repo](./2012/the-elderwood-project.pdf)
- Sep 07 - IEXPLORE RAT - [Repo](./2012/IEXPL0RE_RAT.pdf)
- Sep 12 - The VOHO Campaign: An in-depth analysis - [Repo](./2012/VOHO_WP_FINAL_READY-FOR-Publication-09242012_AC.pdf)
- Sep 18 - The Mirage Campaign - [Repo](./2012/The_Mirage_Campaign.pdf)
- Oct 08 - Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT - [Repo](./2012/PEST-CONTROL.pdf)
- Oct 27 - Trojan.Taidoor: Targeting Think Tanks - [Repo](./2012/trojan_taidoor-targeting_think_tanks.pdf)
- Nov 01 - Recovering from Shamoon - [Repo](./2012/FTA 1007 - Shamoon.pdf)
- Nov 03 - Systematic cyber attacks against Israeli and Palestinian targets going on for a year - [Repo](./2012/Cyberattack_against_Israeli_and_Palestinian_targets.pdf)
## 2013

- Jan 14 - The Red October Campaign - [Repo](./2013/Securelist_RedOctober_Detail.pdf)
- Jan 14 - Red October Diplomatic Cyber Attacks Investigation - [Repo](./2013/Securelist_RedOctober.pdf)
- Jan 18 - Operation Red October - [Repo](./2013/McAfee_Labs_Threat_Advisory_Exploit_Operation_Red_Oct.pdf)
- Feb 12 - Targeted cyber attacks: examples and challenges ahead - [Repo](./2013/Presentation_Targeted-Attacks_EN.pdf)
- Feb 18 - Mandiant APT1 Report - [Repo](./2013/Mandiant_APT1_Report.pdf)
- Feb 22 - Comment Crew: Indicators of Compromise - [Repo](./2013/comment_crew_indicators_of_compromise.pdf)
- Feb 26 - Stuxnet 0.5: The Missing Link - [Repo](./2013/stuxnet_0_5_the_missing_link.pdf)
- Feb 27 - The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor - [Repo](./2013/themysteryofthepdf0-dayassemblermicrobackdoor.pdf)
- Feb 27 - Miniduke: Indicators v1 - [Repo](./2013/miniduke_indicators_public.pdf)
- Mar 13 - You Only Click Twice: FinFisher's Global Proliferation - [Repo](./2013/15-2013-youonlyclicktwice.pdf)
- Mar 17 - Safe: A Targeted Threat - [Repo](./2013/Safe-a-targeted-threat.pdf)
- Mar 20 - Dissecting Operation Troy - [Repo](./2013/dissecting-operation-troy.pdf)
- Mar 20 - The TeamSpy Crew Attacks - [Repo](./2013/theteamspystory_final_t2.pdf)
- Mar 21 - DarkSeoul/Jokra Analysis and Recovery - [Repo](2013/Darkseoul-Jokra_Analysis_And_Recovery.pdf)
- Mar 27 - APT1: technical backstage (Terminator/Fakem RAT) - [Repo](./2013/RAP002_APT1_Technical_backstage.1.0.pdf)
- Mar 28 - TR-12 - Analysis of a PlugX malware variant used for targeted attacks - [Repo](./2013/tr-12-circl-plugx-analysis-v1.pdf)
- Apr 01 - Trojan.APT.BaneChant - [Repo](./2013/Trojan.APT.BaneChant.pdf)
- Apr 13 - "Winnti": More than just a game - [Repo](./2013/winnti-more-than-just-a-game-130410.pdf)
- Apr 24 - Operation Hangover - [Repo](./2013/Norman_HangOver report_Executive Summary_042513.pdf)
- May ?? - Operation Hangover
- May 30 - TR-14 - Analysis of a stage 3 Miniduke malware sample - [Repo](./2013/circl-analysisreport-miniduke-stage3-public.pdf)
- Jun ?? - The Chinese Malware Complexes: The Maudi Surveillance Operation
- Jun 01 - Crude Faux: An analysis of cyber conflict within the oil & gas industries - [Repo](./2013/2013-9.pdf)
- Jun 04 - The NetTraveler (aka 'Travnet') - [Repo](./2013/kaspersky-the-net-traveler-part1-final.pdf)
- Jun 07 - KeyBoy, Targeted Attacks against Vietnam and India - [Repo](./2013/KeyBoy_Vietnam_India.pdf)
- Jun 18 - Trojan.APT.Seinup Hitting ASEAN - [Repo](./2013/Trojan.APT.Seinup.pdf)
- Jun 21 - A Call to Harm: New Malware Attacks Target the Syrian Opposition - [Repo](./2013/19-2013-acalltoharm.pdf)
- Jun 28 - njRAT Uncovered - [Repo](./2013/fta-1009---njrat-uncovered-1.pdf)
- Jul 09 - Dark Seoul Cyber Attack: Could it be worse? - [Repo](./2013/Dark_Seoul_Cyberattack.pdf)
- Jul 15 - PlugX revisited: "Smoaler" - [Repo](./2013/Plugx_Smoaler.pdf)
- Jul 31 - Secrets of the Comfoo Masters - [Repo](./2013/Secrets_of_the_Comfoo_Masters.pdf)
- Jul 31 - Black Hat: In-Depth Analysis of Escalated APT Attacks (Lstudio, Elirks), video - [Repo](./2013/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf)
- Aug ?? - Operation Hangover - Unveiling an Indian Cyberattack Infrastructure
- Aug ?? - APT Attacks on Indian Cyber Space
- Aug 02 - Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up - [Repo](2013/ThreatConnect_Operation_Arachnophobia_Report.pdf)
- Aug 02 - Surtr: Malware Family Targeting the Tibetan Community - [Repo](./2013/Surtr_Malware_Tibetan.pdf)
- Aug 19 - ByeBye Shell and the targeting of Pakistan - [Repo](./2013/ByeBye_Shell_target.pdf)
- Aug 21 - Poison Ivy: Assessing Damage and Extracting Intelligence - [Repo](./2013/fireeye-poison-ivy-report.pdf)
- Aug 23 - Operation Molerats: Middle East Cyber Attacks Using Poison Ivy - [Repo](./2013/Operation_Molerats.pdf)
- Sep ?? - Feature: EvilGrab Campaign Targets Diplomatic Agencies
- Sep 11 - The "Kimsuky" Operation - [Repo](./2013/Kimsuky.pdf)
- Sep 13 - Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets - [Repo](./2013/Operation_DeputyDog.pdf)
- Sep 17 - Hidden Lynx - Professional Hackers for Hire - [Repo](./2013/hidden_lynx.pdf)
- Sep 25 - The 'Icefog' APT: A Tale of Cloak and Three Daggers - [Repo](./2013/icefog.pdf)
- Sep 30 - World War C: State of affairs in the APT world - [Repo](./2013/fireeye-wwc-report.pdf)
- Oct 24 - Terminator RAT or FakeM RAT - [Repo](./2013/FireEye-Terminator_RAT.pdf)
- Nov 10 - Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method - [Repo](./2013/Operation_EphemeralHydra.pdf)
- Nov 11 - Supply Chain Analysis - [Repo](./2013/fireeye-malware-supply-chain.pdf)
- Dec 02 - njRAT, The Saga Continues - [Repo](./2013/FTA 1010 - njRAT The Saga Continues.pdf)
- Dec 11 - Operation "Ke3chang" - [Repo](./2013/fireeye-operation-ke3chang.pdf)
- Dec 20 - ETSO APT Attacks Analysis - [Repo](./2013/ETSO_APT_Attacks_Analysis.pdf)
- ??? ?? - Deep Panda
- ??? ?? - Detecting and Defeating the China Chopper Web Shell
## 2014

- Jan 06 - PlugX: some uncovered points - [Repo](2014/plugx-some-uncovered-points.pdf)
- Jan 13 - Targeted attacks against the Energy Sector - [Repo](./2014/targeted_attacks_against_the_energy_sector.pdf)
- Jan 14 - The Icefog APT Hits US Targets With Java Backdoor - [Repo](2014/the-icefog-apt-hits-us-targets-with-java-backdoor.pdf)
- Jan 15 - New CDTO: A Sneakernet Trojan Solution - [Repo](./2014/FTA 1001 FINAL 1.15.14.pdf)
- Jan 21 - Shell_Crew (Deep Panda) - [Repo](./2014/h12756-wp-shell-crew.pdf)
- Jan 31 - Intruder File Report: Sneakernet Trojan - [Repo](./2014/FTA 1011 Follow UP.pdf)
- Feb 11 - Unveiling "Careto" - The Masked APT - [Repo](./2014/unveilingthemask_v1.0.pdf)
- Feb 13 - Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website - [Repo](./2014/Op_SnowMan_DeputyDog.pdf)
- Feb 19 - The Monju Incident - [Repo](./2014/The_Monju_Incident.pdf)
- Feb 19 - XtremeRAT: Nuisance or Threat? - [Repo](./2014/XtremeRAT_fireeye.pdf)
- Feb 20 - Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit - [Repo](./2014/Operation_GreedyWonk.pdf)
- Feb 20 - Mo' Shells Mo' Problems - Deep Panda Web Shells - [Repo](./2014/deep-panda-webshells.pdf)
- Feb 23 - Gathering in the Middle East, Operation STTEAM - [Repo](./2014/FTA 1012 STTEAM Final.pdf)
- Feb 28 - Uroburos: Highly complex espionage software with Russian roots - [Repo](./2014/GData_Uroburos_RedPaper_EN_v1.pdf)
- Mar 06 - The Siesta Campaign - [Repo](./2014/The_Siesta_Campaign.pdf)
- Mar 07 - Snake Campaign & Cyber Espionage Toolkit - [Repo](./2014/snake_whitepaper.pdf)
- Mar 08 - Russian spyware Turla
- Apr 26 - CVE-2014-1776: Operation Clandestine Fox - [Repo](./2014/Op_Clandestine_Fox.pdf)
- May 13 - Operation Saffron Rose (aka Flying Kitten) - [Repo](./2014/fireeye-operation-saffron-rose.pdf)
- May 13 - CrowdStrike's report on Flying Kitten - [Repo](./2014/CrowdStrike_Flying_Kitten.pdf)
- May 20 - Miniduke Twitter C&C - [Repo](./2014/Miniduke_twitter.pdf)
- May 21 - RAT in a jar: A phishing campaign using Unrecom - [Repo](./2014/FTA_1013_RAT_in_a_jar.pdf)
- Jun 06 - Illuminating The Etumbot APT Backdoor (APT12) - [Repo](2014/Illuminating-the-Etumbot-APT-Backdoor.pdf)
- Jun 09 - Putter Panda - [Repo](./2014/putter-panda.pdf)
- Jun 10 - Anatomy of the Attack: Zombie Zero - [Repo](./2014/TrapX_ZOMBIE_Report_Final.pdf)
- Jun 20 - Embassy of Greece Beijing - [Repo](2014/blitzanalysis-embassy-of-greece-beijing.pdf)
- Jun 30 - Dragonfly: Cyberespionage Attacks Against Energy Suppliers - [Repo](./2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf)
- Jul 07 - Deep Panda: Chinese Targeting of National Security Think Tanks - [Repo](2014/deep-thought-chinese-targeting-national-security-think-tanks.pdf)
- Jul 10 - TR-25 Analysis - Turla / Pfinet / Snake / Uroburos - [Repo](2014/circl-tr25-analysis-turla-pfinet-snake-uroburos.pdf)
- Jul 11 - Pitty Tiger - [Repo](./2014/Pitty_Tiger_Final_Report.pdf)
- Jul 20 - Sayad (Flying Kitten) Analysis & IOCs - [Repo](./2014/Sayad_Flying_Kitten_analysis.pdf)
- Jul 31 - Energetic Bear/Crouching Yeti - [Repo](./2014/EB-YetiJuly2014-Public.pdf)
- Jul 31 - Energetic Bear/Crouching Yeti Appendix - [Repo](./2014/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf)
- Aug 04 - Sidewinder Targeted Attack Against Android - [Repo](./2014/fireeye-sidewinder-targeted-attack.pdf)
- Aug 05 - Operation Arachnophobia - [Repo](./2014/ThreatConnect_Operation_Arachnophobia_Report.pdf)
- Aug 06 - Operation Poisoned Hurricane - [Repo](./2014/Operation_Poisoned_Hurricane.pdf)
- Aug 07 - The Epic Turla Operation Appendix - [Repo](./2014/KL_Epic_Turla_Technical_Appendix_20140806.pdf)
- Aug 12 - New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12) - [Repo](./2014/NYTimes_Attackers_Evolve_Quickly.pdf)
- Aug 13 - A Look at Targeted Attacks Through the Lense of an NGO - [Repo](./2014/Targeted_Attacks_Lense_NGO.pdf)
- Aug 18 - The Syrian Malware House of Cards - [Repo](2014/KL_report_syrian_malware.pdf)
- Aug 20 - El Machete - [Repo](./2014/El_Machete.pdf)
- Aug 25 - Vietnam APT Campaign - [Repo](2014/another-country-sponsored-malware.pdf)
- Aug 27 - NetTraveler APT Gets a Makeover for 10th Birthday - [Repo](./2014/NetTraveler_Makeover_10th_Birthday.pdf)
- Aug 27 - North Korea's cyber threat landscape - [Repo](./2014/HPSR SecurityBriefing_Episode16_NorthKorea.pdf)
- Aug 28 - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks - [Repo](./2014/Alienvault_Scanbox.pdf)
- Aug 29 - Syrian Malware Team Uses BlackWorm for Attacks - [Repo](./2014/Syrian_Malware_Team_BlackWorm.pdf)
- Sep 03 - Darwin's Favorite APT Group (APT12) - [Repo](./2014/Darwin_fav_APT_Group.pdf)
- Sep 04 - Forced to Adapt: XSLCmd Backdoor Now on OS X - [Repo](./2014/XSLCmd_OSX.pdf)
- Sep 08 - Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware (video) - [Repo](./2014/sec14-paper-hardy.pdf)
- Sep 08 - When Governments Hack Opponents: A Look at Actors and Technology (video) - [Repo](./2014/sec14-paper-marczak.pdf)
- Sep 10 - Operation Quantum Entanglement - [Repo](./2014/fireeye-operation-quantum-entanglement.pdf)
- Sep 17 - Chinese intrusions into key defense contractors - [Repo](2014/SASC_Cyberreport_091714.pdf)
- Sep 18 - COSMICDUKE: Cosmu with a twist of MiniDuke - [Repo](./2014/cosmicduke_whitepaper.pdf)
- Sep 19 - Watering Hole Attacks using Poison Ivy by "th3bug" group - [Repo](./2014/th3bug_Watering_Hole_PoisonIvy.pdf)
- Sep 23 - Ukraine and Poland Targeted by BlackEnergy (video)
- Sep 26 - Aided Frame, Aided Direction (Sunshop Digital Quartermaster) - [Repo](./2014/Aided_Frame_Aided_Direction.pdf)
- Sep 26 - BlackEnergy & Quedagh - [Repo](./2014/blackenergy_whitepaper.pdf)
- Oct 03 - New indicators for APT group Nitro - [Repo](./2014/PAN_Nitro.pdf)
- Oct 09 - Democracy in Hong Kong Under Attack - [Repo](2014/Volexity-HK_under-attack.pdf)
- Oct 14 - ZoxPNG Preliminary Analysis - [Repo](./2014/ZoxPNG_Full_Analysis-Final.pdf)
- Oct 14 - Hikit Preliminary Analysis - [Repo](./2014/Hikit_Analysis-Final.pdf)
- Oct 14 - Derusbi Preliminary Analysis - [Repo](./2014/Derusbi_Server_Analysis-Final.pdf)
- Oct 14 - Group 72 (Axiom) - [Repo](./2014/Group_72.pdf)
- Oct 14 - Sandworm - CVE-2014-4114 - [Repo](2014/isight-sandworm-preview.pdf)
- Oct 20 - OrcaRAT - A whale of a tale - [Repo](./2014/OrcaRAT.pdf)
- Oct 22 - Operation Pawn Storm: The Red in SEDNIT - [Repo](./2014/wp-operation-pawn-storm.pdf)
- Oct 22 - Sofacy Phishing by PwC - [Repo](2014/pwc-sofacy-phishing-.pdf)
- Oct 23 - Modified Tor Binaries - [Repo](./2014/Modified_Binaries_Tor.pdf)
- Oct 24 - LeoUncia and OrcaRat - [Repo](./2014/LeoUncia_OrcaRat.pdf)
- Oct 27 - Full Disclosure of Havex Trojans - ICS Havex backdoors - [Repo](2014/Full-Disclosure-of-Havex-Trojans.pdf)
- Oct 27 - ScanBox framework - who's affected, and who's using it? - [Repo](./2014/pwc_ScanBox_framework.pdf)
- Oct 28 - APT28 - A Window Into Russia's Cyber Espionage Operations - [Repo](./2014/apt28.pdf)
- Oct 28 - Group 72, Opening the ZxShell - [Repo](./2014/Group72_Opening_ZxShell.pdf)
- Oct 30 - The Rotten Tomato Campaign - [Repo](./2014/sophos-rotten-tomato-campaign.pdf)
- Oct 31 - Operation TooHash - [Repo](2014/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf)
- Nov 03 - New observations on BlackEnergy2 APT activity - [Repo](./2014/BlackEnergy2_Plugins_Router.pdf)
- Nov 03 - Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement - [Repo](./2014/Operation_Poisoned_Handover.pdf)
- Nov 10 - The Darkhotel APT - A Story of Unusual Hospitality - [Repo](2014/darkhotel_kl_07.11.pdf)
- Nov 11 - The Uroburos case: Agent.BTZ's successor, ComRAT - [Repo](2014/The_Uroburos_case.pdf)
- Nov 12 - Korplug military targeted attacks: Afghanistan & Tajikistan - [Repo](./2014/Korplug_Afghanistan_Tajikistan.pdf)
- Nov 13 - Operation CloudyOmega: Ichitaro 0-day targeting Japan - [Repo](./2014/Operation_CloudyOmega_Ichitaro.pdf)
- Nov 14 - OnionDuke: APT Attacks Via the Tor Network - [Repo](./2014/OnionDuke_Tor.pdf)
- Nov 14 - Roaming Tiger (Slides) - [Repo](./2014/roaming_tiger_zeronights_2014.pdf)
- Nov 21 - Operation Double Tap | IOCs - [Repo](./2014/OperationDoubleTap.pdf)
- Nov 23 - Symantec's report on Regin - [Repo](./2014/regin-analysis.pdf)
- Nov 24 - Kaspersky's report on The Regin Platform - [Repo](./2014/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf)
- Nov 24 - [The Intercept's report on The Regin Platform](https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/) - [Repo](2014/secret-regin-malware-belgacom-nsa-gchq.pdf)
- Nov 24 - Deep Panda Uses Sakula Malware - [Repo](./2014/DEEP_PANDA_Sakula.pdf)
- Nov 30 - FIN4: Stealing Insider Information for an Advantage in Stock Trading? - [Repo](2014/rpt-fin4.pdf)
- Dec 02 - Operation Cleaver | IOCs - [Repo](./2014/Cylance_Operation_Cleaver_Report.pdf)
- Dec 03 - Operation Cleaver: The Notepad Files - [Repo](./2014/OperationCleaver_The_Notepad_Files.pdf)
- Dec 08 - The 'Penquin' Turla - [Repo](./2014/Turla_2_Penquin.pdf)
- Dec 09 - The Inception Framework - [Repo](./2014/bcs_wp_InceptionReport_EN_v12914.pdf)
- Dec 10 - Cloud Atlas: RedOctober APT - [Repo](./2014/CloudAtlas_RedOctober_APT.pdf)
- Dec 10 - W32/Regin, Stage #1 - [Repo](./2014/w32_regin_stage_1.pdf)
- Dec 10 - W64/Regin, Stage #1 - [Repo](./2014/w64_regin_stage_1.pdf)
- Dec 10 - South Korea MBR Wiper - [Repo](./2014/korea_power_plant_wiper.pdf)
- Dec 12 - Vinself now with steganography - [Repo](./2014/Vinself_steganography.pdf)
- Dec 12 - Bots, Machines, and the Matrix - [Repo](./2014/FTA_1014_Bots_Machines_and_the_Matrix.pdf)
- Dec 17 - Wiper Malware - A Detection Deep Dive - [Repo](./2014/Wiper_Malware.pdf)
- Dec 18 - Malware Attack Targeting Syrian ISIS Critics - [Repo](./2014/Targeting_Syrian_ISIS_Critics.pdf)
- Dec 19 - TA14-353A: Targeted Destructive Malware (wiper) - [Repo](./2014/TA14-353A_wiper.pdf)
- Dec 21 - Operation Poisoned Helmand - [Repo](./2014/operation-poisoned-helmand.pdf)
- Dec 22 - Anunak: APT against financial institutions - [Repo](./2014/Anunak_APT_against_financial_institutions.pdf)
## 2015

- Jan 11 - Hong Kong SWC attack - [Repo](./2015/DTL-12012015-01.pdf)
- Jan 12 - Skeleton Key Malware Analysis - [Repo](./2015/Skeleton_Key_Analysis.pdf)
- Jan 15 - Evolution of Agent.BTZ to ComRAT - [Repo](./2015/Agent.BTZ_to_ComRAT.pdf)
- Jan 20 - Analysis of Project Cobra - [Repo](./2015/Project_Cobra_Analysis.pdf)
- Jan 20 - Reversing the Inception APT malware - [Repo](./2015/Inception_APT_Analysis_Bluecoat.pdf)
- Jan 22 - The Waterbug attack group - [Repo](./2015/waterbug-attack-group.pdf)
- Jan 22 - Scarab attackers took aim at select Russian targets | IOCs - [Repo](./2015/Scarab_Russian.pdf)
- Jan 22 - Regin's Hopscotch and Legspin - [Repo](./2015/Regin_Hopscotch_Legspin.pdf)
- Jan 27 - Comparing the Regin module 50251 and the "Qwerty" keylogger - [Repo](2015/comparing-the-regin-module-50251-and-the-qwerty-keylogger.pdf)
- Jan 29 - Backdoor.Winnti attackers and Trojan.Skelky - [Repo](./2015/Backdoor.Winnti_Trojan.Skelky.pdf)
- Jan 29 - Analysis of PlugX Variant - P2P PlugX - [Repo](./2015/P2P_PlugX_Analysis.pdf)
- Feb 01 - Sophos: PlugX goes to the registry and India - [Repo](./2015/plugx-goes-to-the-registry-and-india.pdf)
- Feb 02 - Behind the Syrian Conflict's Digital Frontlines - [Repo](./2015/rpt-behind-the-syria-conflict.pdf)
- Feb 04 - Pawn Storm Update: iOS Espionage App Found - [Repo](./2015/PawnStorm_iOS.pdf)
- Feb 10 - CrowdStrike Global Threat Intel Report for 2014 - [Repo](./2015/GlobalThreatIntelReport.pdf)
- Feb 16 - Equation: The Death Star of Malware Galaxy - [Repo](2015/equation-the-death-star-of-malware-galaxy.pdf)
- Feb 16 - The Carbanak APT - [Repo](./2015/Carbanak_APT_eng.pdf)
- Feb 16 - Operation Arid Viper - [Repo](./2015/operation-arid-viper-whitepaper-en.pdf)
- Feb 17 - Desert Falcons APT - [Repo](./2015/The-Desert-Falcons-targeted-attacks.pdf)
- Feb 17 - Shooting Elephants - [Repo](./2015/Elephantosis.pdf)
- Feb 18 - Babar: espionage software finally found and put under the microscope - [Repo](./2015/GData-Babar-Espionage-Software.pdf)
- Mar 03 - FireEye: Southeast Asia - An Evolving Cyber Threat Landscape - [Repo](./2015/SE_Asia-ATR-1h2015.pdf)