Advanced Persistent Threat Groups

Advanced persistent threat (APT) groups are threat actors operated or sponsored by nation states. Our ready-made detection rules cover the following APT groups:

APT1

APT1 is a Chinese threat group attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, also referred to as its Military Unit Cover Designator (MUCD), Unit 61398.

Other names for this group include:

  • Byzantine Candor
  • Comment Crew
  • Comment Group
  • Comment Panda
  • GIF89a
  • Group 3
  • PLA Unit 61398
  • ShadyRAT
  • Shanghai Group
  • Siesta
  • TG-8223

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT1.

APT10

APT10 is a threat group that appears to be Chinese-based and has been active since approximately 2009. This group has targeted the healthcare, defense, aerospace, and government industries and has targeted Japanese victims since at least 2014. In 2016 and 2017, this group targeted managed IT service providers, manufacturing and mining companies, and a university.

Other names for this group include:

  • CVNX
  • happyyongzi
  • HOGFISH
  • menuPass
  • Menupass Team
  • POTASSIUM
  • Red Apollo
  • Stone Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT10.

APT12

APT12 is a Chinese-based threat group that has targeted several victims, including media outlets, high-tech companies, and governments.

Other names for this group include:

  • CBeeBus
  • Calc Team
  • Crimson Iron
  • DNSCALC
  • DynCalc
  • Group 22
  • IXESHE
  • Numbered Panda
  • TG-2754

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT12.

APT15

APT15 is a Chinese-based threat group that has targeted several industries, including oil, government, and military.

Other names for this group include:

  • GREF
  • Ke3chang
  • Mirage
  • Playful Dragon
  • RoyalAPT
  • Vixen Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT15.

APT16

APT16 is a Chinese-based threat group that has launched spear phishing campaigns targeting Japanese and Taiwanese organizations.

This group is also known as:

  • SVCMONDR

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT16.

APT17

APT17 is a Chinese-based threat group that has conducted network intrusions against United States government entities, the defense industry, law firms, information technology and mining companies, and non-government organizations.

Other names for this group include:

  • Aurora Panda
  • Deputy Dog
  • Dogfish
  • Group 8
  • Hidden Lynx
  • Tailgater
  • Tailgater Team

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT17.

APT18

APT18 is a threat group that has operated since at least 2009, and has targeted several industries, including technology, manufacturing, human rights groups, government, and medical.

Other names for this group include:

  • Dynamite Panda
  • TG-0416
  • Threat Group-0416
  • Wekby

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT18.

APT19

APT19 is a Chinese-based threat group that has targeted several industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, this group used a phishing campaign to target seven law and investment firms. Some researchers have linked APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.

Other names for this group include:

  • C0d0so0
  • Codoso
  • Codoso Team
  • Shell Crew
  • Sunshop Group

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT19.

APT20

APT20 is a Chinese-based threat group that primarily uses spear phishing and watering hole attacks against its victims.

Other names for this group include:

  • APT8
  • TH3Bug
  • Violin Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT20.

APT27

APT27 is a Chinese-based threat group that has primarily used strategic web compromises to target victims. The group has been active since at least 2010, and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing industries.

Other names for this group include:

  • BRONZE UNION
  • Emissary Panda
  • Group 35
  • Hippo Team
  • Iron Tiger
  • Iron Tiger APT
  • Lucky Mouse
  • LuckyMouse
  • TEMP.Hippo
  • TG-3390
  • Threat Group 3390
  • Threat Group-3390
  • ZipToken

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT27.

APT3

APT3 is a Chinese-based threat group attributed to China's Ministry of State Security. This group is responsible for the campaigns Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, this group appears to have shifted from targeting primarily United States victims to targeting political organizations in Hong Kong.

Other names for this group include:

  • Boyusec
  • Buckeye
  • Gothic Panda
  • Group 6
  • Pirpi
  • TG-0110
  • Threat Group-0110
  • UPS
  • UPS Team

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT3.

APT31

APT31 is a threat group specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data, APT31 appears to conduct network operations at the behest of the Chinese government. This threat group is also suspected of continuing to target upstream providers, such as law firms and managed service providers, to support additional intrusions against high-profile assets. In 2018, this threat group was observed using spear phishing, URL ‘web bugs’, and scheduled tasks to automate credential harvesting.

Other names for this group include:

  • BRONZE VINEWOOD
  • Hurricane Panda
  • Judgment Panda
  • TEMP.Avengers
  • ZIRCONIUM

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT31.

APT32

APT32 is a threat group that has been active since at least 2014. This group appears to be Vietnamese-based and has targeted multiple private sector industries, foreign governments, dissidents, and journalists with a focus on Southeast Asian countries, such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has primarily used strategic web compromises on victims.

Other names for this group include:

  • APT-C-00
  • Cobalt Kitty
  • Ocean Buffalo
  • Ocean Lotus
  • OceanLotus
  • OceanLotus Group
  • POND LOACH
  • SeaLotus
  • TIN WOODLAWN

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT32.

APT33

APT33 is a suspected Iranian-based threat group that has been active since at least 2013. This threat group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a focus on the aviation and energy industries.

Other names for this group include:

  • COBALT TRINITY
  • Elfin
  • HOLMIUM
  • MAGNALLIUM
  • Refined Kitten

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT33.

APT36

APT36 is a Pakistani-based threat group that has targeted the Indian Army and associated assets in India, as well as activists and civil society in Pakistan.

Other names for this group include:

  • C-Major
  • Mythic Leopard
  • Operation C-Major
  • ProjectM
  • TMP.Lapis
  • Transparent Tribe

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT36.

APT37

APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but has also targeted victims in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. North Korean group definitions are reported to have significant overlap, and the name Lazarus Group reportedly encompasses a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups, such as Bluenoroff, APT37, and APT38 separately, while other organizations track some activity associated with those group names by the name Lazarus Group.

Other names for this group include:

  • Group 123
  • Group123
  • Operation Daybreak
  • Operation Erebus
  • Reaper
  • Reaper Group
  • Red Eyes
  • Ricochet Chollima
  • ScarCruft
  • Starcruft
  • TEMP.Reaper
  • Venus 121

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT37.

APT39

APT39 is an Iranian cyber espionage group that has been active since at least 2014. This threat group has targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities.

Other names for this group include:

  • Chafer
  • COBALT HICKMAN
  • IRIDIUM
  • REMIX KITTEN

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT39.

APT40

APT40 is a cyber espionage group that has been active since at least 2013. This group primarily targets defense and government organizations, but has also targeted other sectors, including engineering firms, shipping and transportation, manufacturing, and research universities, in the United States, Western Europe, and along the South China Sea.

Other names for this group include:

  • BRONZE MOHAWK
  • GADOLINIUM
  • Leviathan
  • TEMP.Jumper
  • TEMP.Periscope

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT40.

APT41

APT41 is a threat group that performs Chinese state-sponsored espionage and financially motivated activity. APT41 has been active since as early as 2012. The group has targeted healthcare, telecom, technology, and video game industries in 14 countries.

Other names associated with this group include:

  • Axiom
  • Blackfly
  • Lead
  • Wicked Panda
  • Wicked Spider
  • WinNTI
  • Winnti Group
  • Winnti Umbrella

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT41.

APT5

APT5 is a suspected Chinese-based threat group that uses multiple types of malware to maintain command and control.

Other names associated with this group include:

  • BRONZE FLEETWOOD
  • MANGANESE
  • Pitty Panda
  • PittyTiger

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT5.
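Every "Detection Rules" section on this page describes the same mechanism: comparing publicly reported indicators of compromise (domains, IP addresses or ranges, file hashes) against parsed telemetry and attributing a hit to the group the indicator was reported with. The example below is added here to show what such an IOC rule does in practice; it is not the product's own rule engine, and every indicator, group attribution, report reference, field name and event in it is a constructed placeholder (RFC 2606 example domains, RFC 5737 test ranges, made-up hashes), not a real reported APT indicator.

```python
"""IOC-based detection over constructed sample events (added illustration).

Indicators, attributions, sources and events are invented placeholders,
not real APT indicators; this is not the page's own rule engine.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str                       # "domain", "ip", "cidr" or "sha256"
    value: str
    group: str                      # canonical group name, e.g. "APT10"
    source: str                     # public report it came from (placeholder)
    expires: Optional[date] = None  # IOCs go stale: stop firing after this


def normalize(kind: str, value: str) -> str:
    """Canonicalise a value so trivial variations still match."""
    v = value.strip()
    if kind == "domain":
        return v.lower().rstrip(".")  # DNS logs often carry a trailing dot
    if kind == "sha256":
        return v.lower()
    return v


class IocMatcher:
    """Exact-match table for domains/IPs/hashes plus CIDR ranges for IPs."""

    def __init__(self, indicators: Iterable[Indicator], today: date):
        self.exact: Dict[Tuple[str, str], Indicator] = {}
        self.cidrs: List[Tuple[object, Indicator]] = []
        for ioc in indicators:
            if ioc.expires is not None and ioc.expires < today:
                continue  # expired indicator: never alert on it
            if ioc.kind == "cidr":
                self.cidrs.append((ipaddress.ip_network(ioc.value, strict=False), ioc))
            else:
                self.exact[(ioc.kind, normalize(ioc.kind, ioc.value))] = ioc

    def lookup(self, kind: str, value: str) -> Optional[Indicator]:
        hit = self.exact.get((kind, normalize(kind, value)))
        if hit is not None or kind != "ip":
            return hit
        try:
            addr = ipaddress.ip_address(value.strip())
        except ValueError:
            return None  # malformed address in the log: no match, no crash
        for net, ioc in self.cidrs:
            if addr in net:
                return ioc
        return None


# Which parsed event fields are compared against which indicator kind
# (constructed field names, in the style of a normalised log schema).
FIELD_KINDS = {"dns.question.name": "domain",
               "destination.ip": "ip",
               "file.hash.sha256": "sha256"}


def scan(matcher: IocMatcher, events: Iterable[dict]) -> List[dict]:
    """Return one alert per (event, matched indicator), with attribution."""
    alerts = []
    for ev in events:
        for field_name, kind in FIELD_KINDS.items():
            if field_name not in ev:
                continue
            ioc = matcher.lookup(kind, ev[field_name])
            if ioc is not None:
                alerts.append({"group": ioc.group, "field": field_name,
                               "observed": ev[field_name], "indicator": ioc.value,
                               "source": ioc.source, "host": ev.get("host.name")})
    return alerts


DEMO_TODAY = date(2024, 1, 1)

# Constructed indicators; the group names attached are arbitrary placeholders.
DEMO_INDICATORS = [
    Indicator("domain", "update.example.net", "APT10", "placeholder-report-1"),
    Indicator("cidr", "203.0.113.0/24", "APT27", "placeholder-report-2"),
    Indicator("sha256", "aa" * 32, "APT1", "placeholder-report-3"),
    Indicator("domain", "old.example.org", "APT19", "placeholder-report-4",
              expires=date(2019, 6, 30)),  # stale: must not fire
]

# Constructed parsed events, as a log pipeline would emit them.
DEMO_EVENTS = [
    {"host.name": "ws01", "dns.question.name": "UPDATE.EXAMPLE.NET."},
    {"host.name": "ws02", "destination.ip": "203.0.113.77"},
    {"host.name": "ws03", "file.hash.sha256": "AA" * 32},
    {"host.name": "ws04", "dns.question.name": "old.example.org"},
    {"host.name": "ws05", "destination.ip": "not-an-ip"},
    {"host.name": "ws06", "destination.ip": "198.51.100.9"},
]


def demo_alerts() -> List[dict]:
    return scan(IocMatcher(DEMO_INDICATORS, DEMO_TODAY), DEMO_EVENTS)
```

Running `demo_alerts()` on the constructed events produces three alerts (the upper-cased domain with a trailing dot, the address inside the CIDR range, and the upper-cased hash) and none for the expired indicator, the malformed address or the unrelated address. The points a practitioner should take from this are the ones the one-line rule descriptions leave implicit: indicator values must be normalised before comparison or casing and trailing dots silently defeat the rule; each indicator should carry its source and an expiry, because attacker infrastructure rotates and re-registered domains or shared hosting turn old IOCs into false positives; and a match attributes the event to the group the indicator was *reported* with, which is a lead for triage, not proof of who is on the network.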