Advanced Persistent Threat Groups

Advanced persistent threat (APT) groups are well-resourced threat actors, typically operated or sponsored by nation states, that run sustained intrusion campaigns against chosen targets. Our ready-made detection rules cover indicators attributed to the following APT groups:

APT1

APT1 is a Chinese threat group attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, also referred to as its Military Unit Cover Designator (MUCD), Unit 61398.

Other names for this group include:

  • Byzantine Candor
  • Comment Crew
  • Comment Group
  • Comment Panda
  • GIF89a
  • Group 3
  • PLA Unit 61398
  • ShadyRAT
  • Shanghai Group
  • Siesta
  • TG-8223

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT1.

Suspicious DNS Request - APT1 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT1 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT1 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
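The three rule types above (a DNS request for a reported domain, execution of a binary with a reported hash, and a web request to a reported domain) are reused for every group on this page. The following is an added example, not part of the page's rule set or any vendor's code, showing how such indicator matching is usually implemented over log events. The domains, hashes and log lines are constructed for illustration and are not real APT infrastructure. It also shows two checks a practitioner wants that the rule descriptions only hint at: domain matching on label boundaries (so that a lookalike such as update-cdn.example.com does not fire on the indicator update-cdn.example), matching web requests on the request host rather than anywhere in the URL, and flagging hash matches on dual-use administration tools as weaker evidence than a match on a bespoke implant.

```python
"""Added example: IOC matching for DNS, process-hash and web-request rules.

All indicators and log events below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical indicator set for one actor (not real reported infrastructure).
ACTOR = "APT1"
IOC_DOMAINS = {"update-cdn.example", "mail-secure.example"}
SAMPLE_PAYLOAD = b"constructed sample binary, not real malware"
IOC_HASHES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
# Feeds sometimes carry hashes of legitimate admin tools the actor used.
# A match on one of these is weaker evidence than a match on an implant.
DUAL_USE_HASHES = {hashlib.sha256(b"constructed admin tool stand-in").hexdigest()}


@dataclass
class Alert:
    rule: str
    indicator: str
    host: str
    note: str = ""


def normalize_domain(name: str) -> str:
    """Lowercase and drop the trailing dot that DNS logs often keep."""
    return name.strip().rstrip(".").lower()


def matching_domain(name: str, iocs: set) -> Optional[str]:
    """Return the IOC equal to `name` or a parent domain of it, else None.

    Matching walks label boundaries, so 'a.update-cdn.example' matches
    'update-cdn.example' but 'update-cdn.example.com' does not.
    """
    labels = normalize_domain(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the three rule types to one parsed log event."""
    kind = event.get("type")
    host = event.get("host", "?")
    if kind == "dns":
        hit = matching_domain(event["qname"], IOC_DOMAINS)
        if hit:
            return Alert(f"Suspicious DNS Request - {ACTOR} Related Domain Observed",
                         hit, host, "may be a compromised legitimate site; review browsing context")
    elif kind == "http":
        # Only the request host counts; an IOC inside a path or query string
        # is not a request to that domain.
        hit = matching_domain(urlsplit(event["url"]).hostname or "", IOC_DOMAINS)
        if hit:
            return Alert(f"Suspicious Web Request - {ACTOR} Related Domain Observed",
                         hit, host, "may be a compromised legitimate site; review browsing context")
    elif kind == "process":
        digest = event["sha256"].lower()
        if digest in IOC_HASHES or digest in DUAL_USE_HASHES:
            note = ("dual-use admin tool: corroborate with parent process and user before rebuilding"
                    if digest in DUAL_USE_HASHES else "hash matches reported implant")
            return Alert(f"Suspicious Process - {ACTOR} Related Binary Executed",
                         digest, host, note)
    return None


def run(lines) -> list:
    """Parse JSON log lines and return the alerts they raise, in order."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = evaluate(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed log lines: hit, lookalike miss, implant hit, dual-use hit, web hit, query-string miss.
SAMPLE_LOG = [
    json.dumps({"type": "dns", "host": "ws-17", "qname": "cdn.update-cdn.example."}),
    json.dumps({"type": "dns", "host": "ws-17", "qname": "update-cdn.example.com"}),
    json.dumps({"type": "process", "host": "ws-17", "sha256": next(iter(IOC_HASHES))}),
    json.dumps({"type": "process", "host": "srv-02", "sha256": next(iter(DUAL_USE_HASHES))}),
    json.dumps({"type": "http", "host": "ws-17", "url": "https://MAIL-secure.example/login"}),
    json.dumps({"type": "http", "host": "ws-17", "url": "https://www.example.org/?ref=update-cdn.example"}),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"{alert.host}: {alert.rule} [{alert.indicator}] {alert.note}")
```

Run against the constructed log the block raises four alerts: the subdomain lookup, both process hashes (the second marked as dual-use) and the web request, while the lookalike domain and the URL carrying the indicator only in its query string stay silent.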

APT10

APT10 is a threat group that appears to be Chinese-based and has been active since approximately 2009. This group has targeted the healthcare, defense, aerospace, and government industries and has targeted Japanese victims since at least 2014. In 2016 and 2017, this group targeted managed IT service providers, manufacturing and mining companies, and a university.

Other names for this group include:

  • CVNX
  • happyyongzi
  • HOGFISH
  • menuPass
  • Menupass Team
  • POTASSIUM
  • Red Apollo
  • Stone Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT10.

Suspicious DNS Request - APT10 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT10 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT10 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT12

APT12 is a Chinese-based threat group that has targeted several victims, including media outlets, high-tech companies, and governments.

Other names for this group include:

  • CBeeBus
  • Calc Team
  • Crimson Iron
  • DNSCALC
  • DynCalc
  • Group 22
  • IXESHE
  • Numbered Panda
  • TG-2754

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT12.

Suspicious DNS Request - APT12 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT12 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT12 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT15

APT15 is a Chinese-based threat group that has targeted several industries, including oil, government, and military.

Other names for this group include:

  • GREF
  • Ke3chang
  • Mirage
  • Playful Dragon
  • RoyalAPT
  • Vixen Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT15.

Suspicious DNS Request - APT15 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT15 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT15 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT16

APT16 is a Chinese-based threat group that has launched spear phishing campaigns targeting Japanese and Taiwanese organizations.

This group is also known as:

  • SVCMONDR

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT16.

Suspicious DNS Request - APT16 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT16 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT16 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT17

APT17 is a Chinese-based threat group that has conducted network intrusions against United States government entities, the defense industry, law firms, information technology and mining companies, and non-government organizations.

Other names for this group include:

  • Aurora Panda
  • Deputy Dog
  • Dogfish
  • Group 8
  • Hidden Lynx
  • Tailgater
  • Tailgater Team

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT17.

Suspicious DNS Request - APT17 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT17 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT17 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT18

APT18 is a threat group that has operated since at least 2009, and has targeted several industries, including technology, manufacturing, human rights groups, government, and medical.

Other names for this group include:

  • Dynamite Panda
  • TG-0416
  • Threat Group-0416
  • Wekby

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT18.

Suspicious DNS Request - APT18 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT18 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT18 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT19

APT19 is a Chinese-based threat group that has targeted several industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, this group used a phishing campaign to target seven law and investment firms. Some researchers have linked APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.

Other names for this group include:

  • C0d0so0
  • Codoso
  • Codoso Team
  • Shell Crew
  • Sunshop Group

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT19.

Suspicious DNS Request - APT19 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT19 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT19 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT20

APT20 is a Chinese-based threat group that primarily uses spear phishing and watering hole attacks against victims.

Other names for this group include:

  • APT8
  • TH3Bug
  • Violin Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT20.

Suspicious DNS Request - APT20 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT20 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT20 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT27

APT27 is a Chinese-based threat group that has primarily used strategic web compromises to target victims. The group has been active since at least 2010, and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing industries.

Other names for this group include:

  • BRONZE UNION
  • Emissary Panda
  • Group 35
  • Hippo Team
  • Iron Tiger
  • Iron Tiger APT
  • Lucky Mouse
  • LuckyMouse
  • TEMP.Hippo
  • TG-3390
  • Threat Group 3390
  • Threat Group-3390
  • ZipToken

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT27.

Suspicious DNS Request - APT27 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT27 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT27 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT3

APT3 is a Chinese-based threat group attributed to China's Ministry of State Security. This group is responsible for the campaigns Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, this group appears to have shifted from targeting primarily United States victims to targeting political organizations in Hong Kong.

Other names for this group include:

  • Boyusec
  • Buckeye
  • Gothic Panda
  • Group 6
  • Pirpi
  • TG-0110
  • Threat Group-0110
  • UPS
  • UPS Team

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT3.

Suspicious DNS Request - APT3 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT3 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT3 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT31

APT31 is a threat group specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data, APT31 appears to conduct network operations at the behest of the Chinese government. This threat group is also suspected of continuing to target upstream providers, such as law firms and managed service providers, to support additional intrusions against high-profile assets. In 2018, this threat group was observed using spear phishing, URL ‘web bugs’, and scheduled tasks to automate credential harvesting.

Other names for this group include:

  • BRONZE VINEWOOD
  • Hurricane Panda
  • Judgment Panda
  • TEMP.Avengers
  • ZIRCONIUM

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT31.

Suspicious DNS Request - APT31 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT31 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT31 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT32

APT32 is a threat group that has been active since at least 2014. This group appears to be Vietnamese-based and has targeted multiple private sector industries, foreign governments, dissidents, and journalists with a focus on Southeast Asian countries, such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has primarily used strategic web compromises against victims.

Other names for this group include:

  • APT-C-00
  • Cobalt Kitty
  • Ocean Buffalo
  • Ocean Lotus
  • OceanLotus
  • OceanLotus Group
  • POND LOACH
  • SeaLotus
  • TIN WOODLAWN

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT32.

Suspicious DNS Request - APT32 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT32 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT32 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT33

APT33 is a suspected Iranian-based threat group that has been active since at least 2013. This threat group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a focus in the aviation and energy industries.

Other names for this group include:

  • COBALT TRINITY
  • Elfin
  • HOLMIUM
  • MAGNALLIUM
  • Refined Kitten

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT33.

Suspicious DNS Request - APT33 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT33 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT33 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT36

APT36 is a Pakistani-based threat group that has targeted the Indian Army or associated assets in India, and activists and civil society in Pakistan.

Other names for this group include:

  • C-Major
  • Mythic Leopard
  • Operation C-Major
  • ProjectM
  • TMP.Lapis
  • Transparent Tribe

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT36.

Suspicious DNS Request - APT36 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT36 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT36 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT37

APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but has also targeted victims in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018.

North Korean group definitions are reported to have significant overlap, and the name Lazarus Group reportedly encompasses a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups, such as Bluenoroff, APT37, and APT38, separately, while other organizations track some activity associated with those group names under the name Lazarus Group.

Other names for this group include:

  • Group 123
  • Group123
  • Operation Daybreak
  • Operation Erebus
  • Reaper
  • Reaper Group
  • Red Eyes
  • Ricochet Chollima
  • ScarCruft
  • Starcruft
  • TEMP.Reaper
  • Venus 121

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT37.

Suspicious DNS Request - APT37 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT37 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT37 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT39

APT39 is an Iranian cyber espionage group that has been active since at least 2014. This threat group has targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities.

Other names for this group include:

  • Chafer
  • COBALT HICKMAN
  • IRIDIUM
  • REMIX KITTEN

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT39.

Suspicious DNS Request - APT39 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT39 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT39 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT40

APT40 is a cyber espionage group that has been active since at least 2013. This group primarily targets defense and government organizations, but has also targeted other industries, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.

Other names for this group include:

  • BRONZE MOHAWK
  • GADOLINIUM
  • Leviathan
  • TEMP.Jumper
  • TEMP.Periscope

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT40.

Suspicious DNS Request - APT40 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT40 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT40 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT41

APT41 is a threat group that performs Chinese state-sponsored espionage and financially motivated activity. APT41 has been active since as early as 2012. The group has targeted healthcare, telecom, technology, and video game industries in 14 countries.

Other names associated with this group include:

  • Axiom
  • Blackfly
  • Lead
  • Wicked Panda
  • Wicked Spider
  • WinNTI
  • Winnti Group
  • Winnti Umbrella

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT41.

Suspicious DNS Request - APT41 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT41 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT41 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

APT5

APT5 is a suspected China-based threat group that uses multiple types of malware to maintain command and control.

Other names associated with this group include:

  • BRONZE FLEETWOOD
  • MANGANESE
  • Pitty Panda
  • PittyTiger

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT5.

Suspicious DNS Request - APT5 Related Domain Observed

Description

This detection identifies a request to resolve a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use compromised legitimate websites for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - APT5 Related Binary Executed

Description

This detection identifies the execution of a file with a hash publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often use common System Administration tools for malicious purposes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - APT5 Related Domain Observed

Description

This detection identifies a request to a domain publicly known to be associated with this specific malicious actor. Please be aware that malicious actors will often compromise legitimate websites to use for malicious purposes.

Recommendation

The alert may be related to normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.