Archive of publicly available threat INTel reports (mostly APT Reports but not limited to).

jack8daniels2/threat-INTel

# Threat INTel Reports

Archive of publicly available threat/cybercrime INTel reports (mostly APT reports, but not limited to them). Useful as a reference when you emulate threat actors on a daily basis. Please create an issue if I'm missing a relevant report.

Note: If you are looking for every type of publicly available document and note related to APTs, have a look at APTnotes and aptnotes. Unfortunately the way they store and sort their data doesn't work for me anymore.

## 2017

| Title | Date | Source |
|---|---|---|
| APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS? | Jan 2017 | FireEye |
| APT28: At the center of the storm. Russia strategically evolves its cyber operations | Jan 2017 | FireEye |
| Foreign Cyber Threats to the United States | Jan 2017 | NSA |
| APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information | Feb 2017 | BitDefender |
| KingSlayer: A Supply Chain Attack | Feb 2017 | RSA |
| Enhanced Analysis of GRIZZLY STEPPE Activity | Feb 2017 | US-CERT |
| Dissecting the APT28 Mac OS X Payload | Feb 2017 | Bitdefender |
| From Shamoon to StoneDrill | Mar 2017 | Kaspersky |
| LAZARUS UNDER THE HOOD | Apr 2017 | Kaspersky |
| Appendix B: Moonlight Maze Technical Report | Apr 2017 | Kaspersky |

## 2016

| Title | Date | Source |
|---|---|---|
| Analyzing a New Variant of BlackEnergy 3: Likely Insider-Based Execution | Jan 2016 | SentinelOne |
| Operation Dusty Sky | Jan 2016 | ClearSky |
| Uncovering the Seven Pointed Dagger | Jan 2016 | Arbor Networks |
| Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups | Feb 2016 | ICIT |
| Operation Duststorm | Feb 2015 | Cylance |
| Operation Blockbuster | Feb 2016 | Novetta |
| From Seoul to Sony | Feb 2016 | Blue Coat |
| The Four Element Sword Engagement | Apr 2016 | Arbor Networks |
| PLATINUM: Targeted attacks in South and Southeast Asia | Apr 2016 | Microsoft |
| Mofang: A politically motivated information stealing adversary | May 2016 | FoxIT |
| Operation Groundbait: Analysis of a surveillance toolkit | May 2016 | Kaspersky |
| APT Case RUAG Technical Report | May 2016 | Melani GovCERT |
| Operation DustySky Part 2 | Jun 2016 | ClearSky |
| Visiting The Bear Den: A Journey in the Land of Cyber-Espionage | Jun 2016 | ESET |
| Pacifier APT | Jul 2016 | Bitdefender |
| Unveiling Patchwork: the Copy-Paste APT | Jul 2016 | Cymmetria |
| Operation Manul | Aug 2016 | EFF |
| Monsoon - Analysis of an APT Campaign | Aug 2016 | Forcepoint |
| The ProjectSauron APT | Aug 2016 | Kaspersky |
| Carbanak Oracle Breach | Aug 2016 | VISA |
| Visa Alert and Update on the Oracle Breach | Aug 2016 | VISA |
| Ego Market: When Greed for Fame Benefits Large-Scale Botnets | Sep 2016 | GoSecure |
| Hunting Libyan Scorpions | Sep 2016 | Cyberkov |
| En Route with Sednit Part 1: Approaching the Target | Oct 2016 | ESET |
| En Route with Sednit Part 2: Observing the Comings and Goings | Oct 2016 | ESET |
| En Route with Sednit Part 3: A Mysterious Downloader | Oct 2016 | ESET |
| Rootkit analysis: Use case on HideDRV | Oct 2016 | Sekoia |
| Wave your false flags! Deception tactics muddying attribution in targeted attacks | Oct 2016 | Kaspersky |
| When The Lights Went Out: Ukraine Cybersecurity Threat Briefing | Nov 2016 | BAH |
| PROMETHIUM and NEODYMIUM: Parallel zero-day attacks targeting individuals in Europe | Dec 2016 | Microsoft |
| Use of Fancy Bear Android Malware in Tracking of Ukrainian Artillery Units | Dec 2016 | Crowdstrike |
| GRIZZLY STEPPE - Russian Malicious Cyber Activity | Dec 2016 | FBI |

## 2015

| Title | Date | Source |
|---|---|---|
| Insight Into A Strategic Web Compromise And Attack Campaign Against Hong Kong Infrastructure | Jan 2015 | Dragon Threat Labs |
| The Waterbug Attack Group | Jan 2015 | Symantec |
| CARBANAK APT: THE GREAT BANK ROBBERY | Feb 2015 | Kaspersky |
| Behind The Syrian Conflict's Digital Front Lines | Feb 2015 | FireEye |
| The Desert Falcons Targeted Attacks | Feb 2015 | Kaspersky |
| Southeast Asia: An Evolving Cyber Threat Landscape | Feb 2015 | FireEye |
| Operation Arid Viper: Bypassing The Iron Dome | Feb 2015 | Trend Micro |
| PlugX Goes To The Registry And India | Feb 2015 | Sophos |
| ScanBox II | Feb 2015 | PWC |
| Crowdstrike Global Threat Intel Report | Feb 2015 | Crowdstrike |
| Equation Group: Questions And Answers | Feb 2015 | Kaspersky |
| Shooting Elephants | Feb 2015 | CIRCL Luxembourg |
| Tibetan Uprising Day Malware Attacks | Mar 2015 | The Citizen Lab |
| Operation Woolen-Goldfish: When Kittens Go Phishing | Mar 2015 | Trend Micro |
| Volatile Cedar: Threat Intelligence And Research | Mar 2015 | Check Point |
| HACKING THE STREET? FIN4 LIKELY PLAYING THE MARKET | Apr 2015 | FireEye |
| APT30 And The Mechanics Of A Long-Running Cyber Espionage Operation | Apr 2015 | FireEye |
| Sofacy II: Same Sofacy, Different Day | Apr 2015 | PWC |
| CozyDuke | Apr 2015 | F-Secure |
| Dissecting Linux/Moose: The Analysis of a Linux Router-based Worm Hungry for Social Networks | May 2015 | ESET |
| Operation Tropic Trooper: Relying On Tried-And-Tested Flaws To Infiltrate Secret Keepers | May 2015 | Trend Micro |
| OceanLotus APT-C-00 | May 2015 | SkyEye |
| APT28 Targets Financial Markets: Zero Day Hashes Released | May 2015 | Root9b |
| Analysis On APT-To-Be Attack That Focusing On China's Government Agency | May 2015 | Antiy CERT |
| The MsnMM Campaigns: The Earliest Naikon APT Campaigns | May 2015 | Kaspersky |
| Operation Oil Tanker: The Phantom Menace | May 2015 | PandaLabs |
| Duqu 2.0: A Comparison To Duqu | Jun 2015 | CrySyS Lab |
| Operation Lotus Blossom | Jun 2015 | Palo Alto |
| An Iranian Cyber-Attack Campaign Against Targets In The Middle East | Jun 2015 | ClearSky |
| The Duqu 2.0 Technical Details | Jun 2015 | Kaspersky |
| Insight into advances of adversary tactics, techniques and procedures through analysis of an attack against an organisation in the Asia Pacific region | Jun 2015 | Dragon Threat Labs |
| Targeted Attacks Against Tibetan And Hong Kong Groups Exploiting CVE-2014-4114 | Jun 2015 | The Citizen Lab |
| Operation Potao Express: Analysis Of A Cyber-Espionage Toolkit | Jul 2015 | ESET |
| The Black Vine Cyberespionage Group | Jul 2015 | Symantec |
| HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group | Jul 2015 | FireEye |
| Butterfly: Corporate Spies Out For Financial Gain | Jul 2015 | Symantec |
| RSA Research: Terracotta VPN, Enabler Of Advanced Threat Anonymity | Aug 2015 | RSA |
| THE DUKES: 7 years of Russian cyberespionage | Sep 2015 | F-Secure |
| RUSSIAN FINANCIAL CYBERCRIME: HOW IT WORKS | Nov 2015 | Kaspersky |
| CopyKittens Attack Group | Nov 2015 | ClearSky |

## 2014

| Title | Date | Source |
|---|---|---|
| Targeted Attacks Against The Energy Sector | Jan 2014 | Symantec |
| Emerging Threat Profile: Shell_Crew | Jan 2014 | RSA |
| New CDTO: A Sneakernet Trojan Solution | Jan 2014 | Fidelis |
| Intruder File Report: Sneakernet Trojan | Jan 2014 | Fidelis |
| Uroburos: Highly Complex Espionage Software With Russian Roots | Feb 2014 | GDATA |
| Unveiling Careto - The Masked APT | Feb 2014 | Kaspersky |
| Gathering In The Middle East, Operation STTEAM | Feb 2014 | Fidelis |
| The Monju Incident | Feb 2014 | Context |
| Snake Campaign & Cyber Espionage Toolkit | Mar 2014 | BAE |
| Deep Panda | May 2014 | Crowdstrike |
| Operation Saffron Rose | May 2014 | FireEye |
| Rat In A Jar: A Phishing Campaign Using Unrecom | May 2014 | Fidelis |
| Illuminating The Etumbot APT Backdoor | Jun 2014 | Arbor |
| Putter Panda | Jun 2014 | Crowdstrike |
| Anatomy Of The Attack: Zombie Zero | Jun 2014 | TrapX |
| Dragonfly: Cyberespionage Attacks Against Energy Suppliers | Jun 2014 | Symantec |
| Energetic Bear - Crouching Yeti | Jul 2014 | Kaspersky |
| The Eye Of The Tiger (Pitty Tiger) | Jul 2014 | Airbus |
| Crouching Yeti: Appendixes | Jul 2014 | Kaspersky |
| Operation Arachnophobia: Caught In The Spider's Web | Aug 2014 | Threat Connect |
| Sidewinder Targeted Attack Against Android In The Golden Age Of Ad Libraries | Aug 2014 | FireEye |
| Profiling An Enigma: The Mystery Of North Korea's Cyber Threat Landscape | Aug 2014 | HP |
| The Epic Turla Operation: Solving Some Of The Mysteries Of Snake/Uroboros | Aug 2014 | Kaspersky |
| Syrian Malware, The Ever-Evolving Threat | Aug 2014 | Kaspersky |
| CosmicDuke: Cosmu With A Twist Of MiniDuke | Sep 2014 | F-Secure |
| Operation Quantum Entanglement | Sep 2014 | FireEye |
| BLACKENERGY & QUEDAGH: The convergence of crimeware and APT attacks | Oct 2014 | F-Secure |
| Sofacy Phishing | Oct 2014 | PWC |
| Operation Pawn Storm: Using Decoys to Evade Detection | Oct 2014 | Trend Micro |
| Hikit Analysis | Oct 2014 | Novetta |
| APT28: A Window Into Russia's Cyber Espionage Operations | Oct 2014 | FireEye |
| Micro-Targeted Malvertising Via Real-Time Ad Bidding | Oct 2014 | Invincea |
| The Rotten Tomato Campaign | Oct 2014 | Sophos |
| ZoxPNG Analysis | Oct 2014 | Novetta |
| Operation TooHash: How Targeted Attacks Work | Oct 2014 | GDATA |
| The Darkhotel APT: A Story Of Unusual Hospitality | Nov 2014 | Kaspersky |
| Darkhotel Indicators Of Compromise | Nov 2014 | Kaspersky |
| Derusbi (Server Variant) Analysis | Nov 2014 | Novetta |
| Evil Bunny: Suspect #4 | Nov 2014 | Marion |
| The Regin Platform: Nation-State Ownership Of GSM Networks | Nov 2014 | Kaspersky |
| Regin: Top-Tier Espionage Tool Enables Stealthy Surveillance | Nov 2014 | Symantec |
| Anunak: APT Against Financial Institutions | Dec 2014 | FoxIT |
| The Inception Framework: Cloud-Hosted APT | Dec 2014 | Blue Coat |
| Operation Cleaver | Dec 2014 | Cylance |
| Bots, Machines, And The Matrix | Dec 2014 | Fidelis |
| Hacking The Street? FIN4 Likely Playing The Market | Dec 2014 | FireEye |
| W32/Regin, Stage #1 | Dec 2014 | F-Secure |
| W64/Regin, Stage #1 | Dec 2014 | F-Secure |

## 2013

| Title | Date | Source |
|---|---|---|
| "Red October" Diplomatic Cyber Attacks Investigation | Jan 2013 | Kaspersky |
| The Icefog APT: A Tale Of Cloak And Three Daggers | Jan 2013 | Kaspersky |
| A closer look at MiniDuke | Feb 2013 | BitDefender |
| Stuxnet 0.5: The Missing Link | Feb 2013 | Symantec |
| The MiniDuke Mystery: PDF 0-Day Government Spy Assembler 0x29A Micro Backdoor | Feb 2013 | Kaspersky |
| MiniDuke: Indicators | Feb 2013 | CrySyS Lab |
| APT1: Exposing One Of China's Cyber Espionage Units | Feb 2013 | Mandiant |
| Command And Control In The Fifth Domain | Feb 2013 | Command Five Pty Ltd |
| Comment Crew: Indicators Of Compromise | Feb 2013 | Symantec |
| Dissecting Operation Troy: Cyberespionage In South Korea | Mar 2013 | McAfee |
| The TeamSpy Story - Abusing TeamViewer In Cyberespionage Campaigns | Mar 2013 | Kaspersky |
| Analysis Of A PlugX Variant (PlugX Version 7.0) | Mar 2013 | CIRCL |
| You Only Click Twice: FinFisher's Global Proliferation | Mar 2013 | Citizen Lab |
| APT1: Technical Backstage | Mar 2013 | itrust |
| Safe: A Targeted Threat | Mar 2013 | Trend Micro |
| Winnti: More Than Just A Game | Apr 2013 | Kaspersky |
| Analysis Of A Stage 3 MiniDuke Sample | May 2013 | CIRCL |
| Operation Hangover - Unveiling An Indian Cyberattack Infrastructure | May 2013 | Norman |
| The Chinese Malware Complexes: The Maudi Surveillance Operation | Jun 2013 | Norman |
| A Call To Harm: New Malware Attacks Target The Syrian Opposition | Jun 2013 | Citizen Lab |
| Crude Faux: An Analysis Of Cyber Conflict Within The Oil & Gas Industries | Jun 2013 | Cerias |
| njRAT Uncovered | Jun 2013 | Fidelis |
| The NetTraveler (Aka Travnet) | Jun 2013 | Kaspersky |
| The PlugX Malware Revisited: Introducing Smoaler | Jul 2013 | Sophos |
| Operation Hangover - Unveiling An Indian Cyberattack Infrastructure (Appendix) | Aug 2013 | FIXME |
| The Little Malware That Could: Detecting And Defeating The China Chopper Web Shell | Aug 2013 | FireEye |
| Inside Report - APT Attacks On Indian Cyber Space | Aug 2013 | Infosec Consortium |
| Poison Ivy: Assessing Damage And Extracting Intelligence | Aug 2013 | FireEye |
| 2Q Report On Targeted Attack Campaigns | Sep 2013 | Trend Micro |
| Hidden Lynx: Professional Hackers For Hire | Sep 2013 | Symantec |
| World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks | Sep 2013 | FireEye |
| FAKEM RAT: Malware Disguised As Windows Messenger And Yahoo! Messenger | Oct 2013 | Trend Micro |
| Supply Chain Analysis: From Quartermaster To Sunshop | Nov 2013 | FireEye |
| Energy At Risk: A Study Of IT Security In The Energy And Natural Resources Industry | Dec 2013 | KPMG |
| ETSO APT Attacks Analysis | Dec 2013 | AhnLab |
| Operation Ke3chang: Targeted Attacks Against Ministries Of Foreign Affairs | Dec 2013 | FireEye |
| "njRAT", The Saga Continues | Dec 2013 | Fidelis |

## 2012 and before

| Title | Date | Source |
|---|---|---|
| The HeartBeat APT Campaign | Jan 2012 | Trend Micro |
| Crouching Tiger, Hidden Dragon, Stolen Data | Mar 2012 | Context |
| sKyWIper (A.K.A. Flame A.K.A. Flamer): A Complex Malware For Targeted Attacks | Mar 2012 | CrySyS Lab |
| Luckycat Redux: Inside An APT Campaign With Multiple Targets In India And Japan | Mar 2012 | Trend Micro |
| Have I Got Newsforyou: Analysis Of Flamer C&C Server | May 2012 | Symantec |
| IXESHE: An APT Campaign | May 2012 | Trend Micro |
| Pest Control: Taming The RATs | Jun 2012 | Matasano |
| From Bahrain With Love: FinFisher Spy Kit Exposed? | Jul 2012 | Citizen Lab |
| Recent Observations In Tibet-Related Information Operations: Advanced Social Engineering For The Distribution Of LURK Malware | Jul 2012 | Citizen Lab |
| IEXPL0RE RAT | Aug 2012 | Citizen Lab |
| Gauss: Abnormal Distribution | Aug 2012 | Kaspersky |
| The VOHO Campaign: An In Depth Analysis | Aug 2012 | RSA |
| The Elderwood Project | Sep 2012 | Symantec |
| Trojan.Taidoor: Targeting Think Tanks | Oct 2012 | Symantec |
| Recovering From Shamoon | Nov 2012 | Fidelis |
| Systematic Cyber Attacks Against Israeli And Palestinian Targets Going On For A Year | Nov 2012 | Norman |
| The Many Faces Of Gh0st RAT: Plotting The Connections Between Malware Attacks | Nov 2012 | Norman |
| W32.Stuxnet Dossier | Feb 2011 | Symantec |
| Global Energy Cyberattacks: Night Dragon | Feb 2011 | McAfee |
| Stuxnet Under the Microscope | Apr 2011 | ESET |
| Advanced Persistent Threats: A Decade in Review | Jun 2011 | Command Five Pty Ltd |
| The Lurid Downloader | Aug 2011 | Trend Micro |
| Revealed: Operation Shady RAT | Aug 2011 | McAfee |
| Enter the Cyber-dragon | Sep 2011 | Vanity Fair |
| SK Hack by an Advanced Persistent Threat | Sep 2011 | Command Five Pty Ltd |
| Alleged APT Intrusion Set: "1.php" Group | Oct 2011 | Zscaler |
| The Nitro Attacks: Stealing Secrets From The Chemical Industry | Oct 2011 | Symantec |
| The Command Structure Of The Aurora Botnet | Jan 2010 | Damballa |
| Operation Aurora: Detect, Diagnose, Respond | Jan 2010 | HBGary |
| Operation Aurora | Feb 2010 | HBGary |
| Combating Aurora | Jan 2010 | McAfee |
| In-Depth Analysis Of Hydraq: The Face Of Cyberwar Enemies Unfolds | Mar 2010 | CA |
| Shadows In The Cloud: Investigating Cyber Espionage 2.0 | Apr 2010 | Shadowserver |
| The MSUpdater Trojan And Ongoing Targeted Attacks | Sep 2010 | Zscaler |
| Tracking GhostNet: Investigating a Cyber Espionage Network | Mar 2009 | TheSecDevGroup |
| DECLAWING THE DRAGON: WHY THE U.S. MUST COUNTER CHINESE CYBER-WARRIORS | Jun 2009 | NA |
| Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation | Oct 2009 | |
| Russian Cyberwar on Georgia | Nov 2008 | georgiaupdate.gov.ge |
