Threat INTel Reports

Archive of publicly available threat/cybercrime INTel reports (mostly APT Reports but not limited to). Useful as a reference when you emulate threat actors on a daily basis. Please create an issue if I'm missing a relevant Report.

Note: If you are looking for every type of publicly available documents and notes related to APTs have a look at APTnotes and aptnotes. Unfortunately the way they store and sort their data doesn't work for me anymore.

2017

Title	Month	Source
APT28: A WINDOW INTO RUSSIAS CYBER ESPIONAGE OPERATIONS?	Jan	FireEye
APT28: At the center of the storm. Russia strategically evolves its cyber operations	Jan	FireEeye
APT28 Under the Scope A Journey into Exfiltrating Intelligence and Government Information	Feb	BitDefender
KingSlayer A Supply chain attack	Feb	RSA
Enhanced Analysis of GRIZZLY STEPPE Activity	Feb	US-CERT
Dissecting the APT28 Mac OS X Payload	Feb	Bitdefender
From Shamoon to StoneDrill	Mar	Kaspersky
LAZARUS UNDER THE HOOD	Apr	Kaspersky
Appendix B: Moonlight Maze Technical Report	Apr	Kaspersky
Callisto Group	Apr	F-Secure
McAfee Labs Threats Report	Apr	McAfee

2016

Title	Month	Source
Analyzing a New Variant of BlackEnergy 3 Likely Insider-Based Execution	Jan	SentinelOne
Operation Dusty Sky	Jan	ClearSky
Uncovering the Seven Pointed Dagger	Jan	Arbor Networks
Know Your Enemies 2.0: A Primer on Advanced Persistent Threat Groups	Feb	ICIT
Operation Duststorm	Feb	Cylance
peration Blockbuster	Feb	Novetta
From Seoul to Sony	Feb	Blue Coat
The Four Element Sword Engagement	Apr	Arbor Networks
PLATINUM Targeted attacks in South and Southeast Asia	Apr	Microsoft
Mofang: A politically motivated information stealing adversary	May	FoxIT
Operation Groundbait:Analysis of a surveillance toolkit	May	Kaspersky
APT Case RUAG Technical Report	May	Melani GovCERT
Operation DustySky Part 2	Jun	ClearSky
Visiting The Bear Den A Journey in the Land of Cyber-Espionage	Jun	ESET
Pacifier APT	Jul	Bitdefender
Unveiling Patchwork the Copy Paste APT	Jul	Cymmetria
Operation Manul	Aug	EFF
Moonsoon - Analysis of an APT Campaign	Aug	Forcepoint
The ProjectSauron APT	Aug	Kaspersky
Carbanak Oracle Breach	Aug	VISA
Visa Alert and Update on the Oracle Breach	Aug	VISA
Ego Market When Greed for Fame Benefits Large-Scale Botnets	Sep	GoSecure
Hunting Libyan Scorpions	Sep	Cyberkov
En Route with Sednit Part 1: Approaching the Target	Oct	ESET
En Route with Sednit Part 2: Observing the Comings and Goings	Oct	ESET
En Route with Sednit Part 3: A Mysterious Downloader	Oct	ESET
Rootkit analysis Use case on HideDRV	Oct	Sekoia
Wave your false flags! Deception tactics muddying attribution in targeted attacks	Oct	Kaspersky
When The Lights Went Out: Ukraine Cybersecurity Threat Briefing	Nov	BAH
PROMETHIUM and NEODYMIUM: Parallel zero-day attacks targeting individuals in Europe	Dec	Microsoft
Use of Fancy Bear Android Malware tracking of Ukrainian Artillery Units	Dec	Crowdstrike
GRIZZLY STEPPE - Russian Malicious Cyber Activity	Dec	FBI

2015

Title	Month	Source
Insight In To A Strategic Web Compromise And Attack Campaign Against Hong Kong Infrastructure	Jan	Dragon Threat Labs
The Waterbug Attack Group	Jan	Symantec
CARBANAK APT THE GREAT BANK ROBBERY	Feb	Kaspersky
Behind The Syrian Conflict's Digital Front Lines	Feb	FireEye
The Desert Falcons Targeted Attacks	Feb	Kaspersky
Southeast Asia: An Evolving Cyber Threat Landscape	Feb	FireEye
Operation Arid Viper: Bypassing The Iron Dome	Feb	Trend Micro
Plugx Goes To The Registry And India	Feb	Sophos
ScanBox II	Feb	PWC
Crowdstrike Global Threat Intel Report	Feb	Crowdstrike
Equation Group: Questions And Answers	Feb	Kaspersky
Shooting Elephants	Feb	CIRCL Luxembourg
Tibetan Uprising Day Malware Attacks	Mar	The Citizen Lab
Operation Woolen-Goldfish When Kittens Go Phishing	Mar	Trend Micro
Volatile Cedar Threat Intelligence And Research	Mar5	Check Point
HACKING THE STREET? FIN4 LIKELY PLAYING THE MARKET	Apr	FireEye
APT30 And The Mechanics Of A Long-Running Cyber Espionage Operation	Apr	FireEye
Sofacy II Same Sofacy, Different Day	Apr	PWC
CozyDuke	Apr	F-Secure
Dissecting Linux/Moose The Analysis of a Linux Router-based Worm Hungry for Social Networks	May	ESET
Operation Tropic Trooper: Relying On Tried-And-Tested Flaws To Infiltrate Secret Keepers	May	Trend Micro
Oceanlotus APT-C-00	May	SkyEye
APT28 Targets Financial Markets: Zero Day Hashes Released	May	Root9b
Analysis On APT-To-Be Attack That Focusing On China's Government Agency	May	Antiy CERT
The Msnmm Campaigns: The Earliest Naikon APT Campaigns	May	Kaspersky
Operation Oil Tanker: The Phantom Menace	May	PandaLabs
Duqu 2.0: A Comparison To Duqu	Jun	CrySyS Lab
Operation Lotusblossom	Jun	PaloAlto
An Iranian Cyber-Attack Campaign Against Targets In The Middle East	Jun	ClearSky
The Duqu 2.0 Technical Details	Jun	Kaspersky
Insight in to advances of adversary tactics, techniques and procedures through analysis of an attack against an organisation in the Asia Pacific region	Jun	Dragon Threat Labs
Target Attacks Against Tibetan And Hong Kong Groups Exploiting CVE-2014-4114	Jun	The Citizen Lab
Operation Potao Express: Analysis Of A Cyber-Espionage Toolkit	Jul	ESET
The Black Vine Cyberespionage Group	Jul	Symantec
HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group	Jul	FireEye
Butterfly: Corporate Spies Out For Financial Gain	Jul	Symantec
RSA Research Terracotta VPN: Enabler Of Advanced Threat Anonymity	Aug	RSA
THE DUKES: 7 years of Russian cyberespionage	Sep	F-Secure
RUSSIAN FINANCIAL CYBERCRIME: HOW IT WORKS	Nov	Kaspersky
CopyKittens Attack Group	Nov	ClearSky

2014

Title	Month	Source
Targeted Attacks Against The Energy Sector	Jan	Symantec
Emerging Threat Profile Shell_Crew	Jan	RSA
New Cdto: A Sneakernet Trojan Solution	Jan	Fidelis
Intruder File Report- Sneakernet Trojan	Jan	Fidelis
Uroburos Highly Complex Espionage Software With Russian Roots	Feb	GDATA
Unveiling Careto - The Masked Apt	Feb	Kaspersky
Gathering In The Middle East, Operation Stteam	Feb	Fidelis
The Monju Incident	Feb	Context
Snake Campaign & Cyber Espionage Toolkit	Mar	BAE
Deep Panda	May	Crowdstrike
Operation Saffron Rose	May	FireEye
Rat In A Jar: A Phishing Campaign Using Unrecom	May	Fidelis
Illuminating The Etumbot Apt Backdoor	Jun	Arbor
Putter Panda	Jun	Crowdstrike
Anatomy Of The Attack: Zombie Zero	Jun	Trapx
Dragonfly: Cyberespionage Attacks Against Energy Suppliers	Jun	Symantec
Police Story: Hacking Team Government Surveillance Malware Jun	The Citizen Lab
Energetic Bear _ Crouching Yeti	Jul	Kaspersky
The Eye Of The Tiger (Pitty Tiger)	Jul	Airbus
Crouching Yeti: Appendixes	Jul	Kaspersky
Operation Arachnophobia Caught In The Spider's Web	Aug	Threat Connect
Sidewinder Targeted Attack Against Android In The Golden Age Of Ad Libraries	Aug	FireEye
Profiling An Enigma: The Mystery Of North Korea's Cyber Threat Landscape	Aug	HP
The Epic Turla Operation: Solving Some Of The Mysteries Of Snake/Uroboros	Aug	Kaspersky
Syrian Malware, The Ever-Evolving Threat	Aug	Kaspersky
Cosmicduke Cosmu With A Twist Of Miniduke	Sep	F-Secure
Operation Quantum Entanglement	Sep	FireEye
BLACKENERGY & QUEDAGH The convergence of crimeware and APT attacks	Oct	F-Secure
Sofacy Phishing	Oct	PWC
Operation Pawn Storm Using Decoys to Evade Detection	Oct	Trend Micro
Hikit Analysis	Oct	Novetta
Apt28: A Window Into Russia's Cyber Espionage Operations	Oct	FireEye
Micro-Targeted Malvertising Via Real-Time Ad Bidding	Oct	Invincea
The Rotten Tomato Campaign	Oct	Sophos
Zoxpng Analysis	Oct	Novetta
Operation Toohash How Targeted Attacks Work	Oct	GDATA
The Darkhotel Apt A Story Of Unusual Hospitality	Nov	Kaspersky
Darkhotel Indicators Of Compromise	Nov	Kaspersky
Derusbi (Server Variant) Analysis	Nov	Novetta
Evil Bunny: Suspect #4	Nov	Marion
The Regin Platform Nation-State Ownership Of Gsm Networks	Nov	Kaspersky
Regin: Top-Tier Espionage Tool Enables Stealthy Surveillance	Nov	Symantec
Anunak: Apt Against Financial Institutions	Dec	FoxIT
The Inception Framework: Cloud-Hosted Apt	Dec	Blue Coat
Operation Cleaver	Dec	Cylance
Bots, Machines, And The Matrix	Dec	Fidelis
Hacking The Street? Fin4 Likely Playing The Market	Dec	FireEye
W32/Regin, Stage #1	Dec	F-Secure
W64/Regin, Stage #1	Dec	F-Secure

2013

Title	Month	Source
"Red October" Diplomatic Cyber Attacks Investigation	Jan	Kaspersky
The Icefog Apt: A Tale Of Cloak And Three Daggers	Jan	Kaspersky
A closer look at MiniDuke	Feb	BitDefender
Stuxnet 0.5: The Missing Link	Feb	Symantec
The Miniduke Mystery: Pdf 0-Day Government Spy Assembler 0X29A Micro Backdoor	Feb	Kaspersky
Miniduke: Indicators	Feb	CrySyS Lab
Apt1 Exposing One Of China's Cyber Espionage Units	Feb	Mandiant
Command And Control In The Fifth Domain	Feb	Command Five Pty Ltd
Comment Crew: Indicators Of Compromise	Feb	Symantec
Dissecting Operation Troy: Cyberespionage In South Korea	Mar	McAfee
The Teamspy Story - Abusing Teamviewer In Cyberespionage Campaigns	Mar	Kaspersky
Analysis Of A Plugx Variant (Plugx Version 7.0)	Mar	CIRCL
You Only Click Twice: Finfisher's Global Proliferation	Mar	Citizen Lab
Apt1: Technical Backstage	Mar	itrust
Safe A Targeted Threat	Mar	Trend Micro
Winnti: More Than Just A Game	Apr	Kaspersky
Analysis Of A Stage 3 Miniduke Sample	May	CIRCL
Operation Hangover - Unveiling An Indian Cyberattack Infrastructure	May	Norman
The Chinese Malware Complexes: The Maudi Surveillance Operation	Jun	Norman
A Call To Harm: New Malware Attacks Target The Syrian Opposition	Jun	Citizen Lab
Crude Faux: An Analysis Of Cyber Conflict Within The Oil & Gas Industries	Jun	Cerias
Njrat Uncovered	Jun	Fidelis
The Nettraveler (Aka Travnet)	Jun	Kaspersky
The Plugx Malware Revisited: Introducing Smoaler	Jul	Sophos
Operation Hangover - Unveiling An Indian Cyberattack Infrastructure (Appendix)	Aug	FIXME
The Little Malware That Could: Detecting And Defeating The China Chopper Web Shell	Aug	FireEye
Inside Report _ Apt Attacks On Indian Cyber Space	Aug	Infosec Consorcium
Poison Ivy: Assessing Damage And Extracting Intelligence	Aug	FireEye
2Q Report On Targeted Attack Campaigns	Sep	Trend Micro
Hidden Lynx: Professional Hackers For Hire	Sep	Symantec
World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks	Sep	FireEye
Fakem Rat: Malware Disguised As Windows Messenger And Yahoo! Messenger	Oct	Trend Micro
Supply Chain Analysis: From Quartermaster To Sunshopfireeye	Nov	FireEye
Energy At Risk: A Study Of It Security In The Energy And Natural Resources Industry	Dec	KPMG
Etso Apt Attacks Analysis	Dec	AHNLAB
Operation Ke3Chang Targeted Attacks Against Ministries Of Foreign Affairs	Dec	FireEye
"Njrat", The Saga Continues	Dec	Fidelis

2012

Title	Month	Source
The Heartbeat Apt Campaign	Jan	Trend Micro
Crouching Tiger, Hidden Dragon, Stolen Data	Mar	Context
Skywiper (A.K.A. Flame A.K.A. Flamer): A Complex Malware For Targeted Attacks	Mar	CrySyS Lab
Luckycat Redux: Inside An Apt Campaign With Multiple Targets In India And Japan	Mar	Trend Micro
Have I Got Newsforyou: Analysis Of Flamer C&C Server	May	Symantec
Ixeshe An Apt Campaign	May	Trend Micro
Pest Control: Taming The Rats	Jun	Matasano
From Bahrain With Love: Finfisher Spy Kit Exposed?	Jul	Citizen Lab
Recent Observations In Tibet-Related Information Operations: Advanced Social Engineering For The Distribution Of Lurk Malware	Jul	Citizen Lab
Iexpl0Re Rat	Aug	Citizen Lab
Gauss: Abnormal Distribution	Aug	Kaspersky
The Voho Campaign: An In Depth Analysis	Aug	RSA
The Elderwood Project	Sep	Symantec
Trojan.Taidoor: Targeting Think Tanks	Oct	Symantec
Recovering From Shamoon	Nov	Fidelis
Systematic Cyber Attacks Against Israeli And Palestinian Targets Going On For A Year	Nov	Norman
The Many Faces Of Gh0St Rat: Plotting The Connections Between Malware Attacks	Nov	Norman

2011

Title	Month	Source
W32.Stuxnet Dossier	Feb	Symantec
Global Energy Cyberattacks: Night Dragon	Feb	McAfee
Stuxnet Under the Microscope	Apr	ESET
Advanced Persistent Threats: A Decade in Review	Jun	Command Five Pty Ltd
The Lurid Downloader	Aug	Trend Micro
Revealed: Operation Shady Rat	Aug	McAfee
Enter the Cyber-dragon	Sep	Vanity Fair
SK Hack by an Advanced Persistent Threat	Sep	Command Five Pty Ltd
Alleged APT Intrusion Set: "1.php" Group	Oct	Zscaler
The Nitro Attacks: Stealing Secrets From The Chemical Industry	Oct	Symantec

2010

Title	Month	Source
The Command Structure Of The Aurora Botnet	Jan	Damballa
Operation Aurora: Detect, Diagnose, Respond	Jan	HBGary
Operation Aurora	Feb	HBGary
Combating Aurora	Jan	McAfee
In-Depth Analysis Of Hydraq: The Face Of Cyberwar Enemies Unfolds	Mar	CA
Shadows In The Cloud: Investigating Cyber Espionage 2.0	Apr	Shadowserver
The Msupdater Trojan And Ongoing Targeted Attacks	Sep	Zscaler

2009

Title	Month	Source
Tracking GhostNet: Investigating a Cyber Espionage Network	Mar	TheSecDevGroup
DECLAWING THE DRAGON: WHY THE U.S. MUST COUNTER CHINESE CYBER-WARRIORS	Jun	NA
Capability of the People\92s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation	Oct	Northrop Grumman
Russian Cyberwar on Georgia	Nov	georgiaupdate.gov.ge

References

• APT Groups
• Mitre Attack Wiki Groups