Advanced Persistent Threat Groups

Advanced persistent threat (APT) groups are threat actors operated by nation states or state-sponsored groups. Our ready-made detection rules detect the following APT groups:

APT-C-27

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.
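Every rule collection on this page is an indicator-of-compromise presence check: an event matches when a domain, IP address or file hash publicly reported for the group appears in it. The block below is an added example of how such a rule is evaluated; it is not the product's rule format and contains no real indicators for any group on this page. All indicators, hosts and events are constructed (an RFC 5737 test address, the reserved .invalid TLD, a fabricated hash), and the rule name, actor name and event field names are assumptions.

```python
"""IOC presence rule of the kind the collections on this page describe.

Added illustration, not the product's rule format or any group's real
indicators: every indicator and event here is constructed (RFC 5737 test
address, reserved .invalid TLD, fabricated hash).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Common report defanging; undo it so indicators compare against raw log values.
_DEFANG = (("hxxps://", "https://"), ("hxxp://", "http://"),
           ("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":"))


def refang(value: str) -> str:
    v = value.strip()
    for fanged, plain in _DEFANG:
        v = v.replace(fanged, plain)
    return v.lower()


@dataclass
class IocRule:
    name: str
    actor: str
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    sha256s: set = field(default_factory=set)

    def __post_init__(self):
        # Normalise once at load time; reject hashes that cannot be SHA-256.
        self.domains = {refang(d).rstrip(".") for d in self.domains}
        self.ips = {refang(i) for i in self.ips}
        self.sha256s = {h.strip().lower() for h in self.sha256s}
        bad = [h for h in self.sha256s if not re.fullmatch(r"[0-9a-f]{64}", h)]
        if bad:
            raise ValueError(f"{self.name}: malformed sha256 indicator(s) {bad}")

    def _domain_hit(self, host: str) -> bool:
        # Exact label match or a subdomain of the indicator; never a substring
        # match, so "notc2-example.invalid" does not fire on "c2-example.invalid".
        host = host.rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def evaluate(self, event: dict) -> list:
        hits = []
        hosts = []
        if event.get("dst_domain"):
            hosts.append(refang(event["dst_domain"]))
        if event.get("url"):
            host = urlsplit(refang(event["url"])).hostname
            if host:
                hosts.append(host)
        for host in hosts:
            if self._domain_hit(host):
                hits.append(("domain", host))
        ip = event.get("dst_ip", "").strip()
        if ip in self.ips:
            hits.append(("ip", ip))
        sha = event.get("sha256", "").strip().lower()
        if sha in self.sha256s:
            hits.append(("sha256", sha))
        return hits


def scan(events: list, rules: list) -> list:
    """One alert per (event, rule) pair with at least one indicator hit."""
    alerts = []
    for ev in events:
        for rule in rules:
            hits = rule.evaluate(ev)
            if hits:
                alerts.append({"event_id": ev["id"], "rule": rule.name,
                               "actor": rule.actor, "hits": hits})
    return alerts


# Constructed rule for a hypothetical actor, defanged as a report would print it.
DEMO_RULES = [
    IocRule(name="ioc_example_actor_c2", actor="EXAMPLE-ACTOR",
            domains={"c2-example[.]invalid"},
            ips={"203[.]0[.]113[.]10"},
            sha256s={"deadbeef" * 8}),
]

# Constructed events: 1 beacons to a subdomain of the C2 and its IP, 2 drops the
# hashed file, 3 is a look-alike that must NOT match, 4 is ordinary traffic.
SAMPLE_EVENTS = [
    {"id": 1, "dst_domain": "update.c2-example.invalid", "dst_ip": "203.0.113.10"},
    {"id": 2, "url": "https://files.example.com/report.pdf", "sha256": "DEADBEEF" * 8},
    {"id": 3, "dst_domain": "c2-example.invalid.lookalike.test", "dst_ip": "198.51.100.7"},
    {"id": 4, "url": "https://www.example.com/", "dst_ip": "198.51.100.8"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, DEMO_RULES):
        print(alert)
```

Two design points matter in practice. Indicators are normalised (defanging undone, case folded, hashes validated) when the rule loads, not per event, so a typo in a published indicator fails loudly instead of silently never matching. Domain indicators match on whole DNS labels, so a subdomain of a reported C2 fires but a look-alike that merely contains the string does not. Because reported infrastructure and file hashes rotate quickly, treat an IOC hit as a pivot point for investigation rather than proof of the named actor.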

APT-C-36

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

APT-C-37

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

APT1

APT1 is a Chinese threat group attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, also referred to as its Military Unit Cover Designator (MUCD), Unit 61398.

Other names for this group include:

  • Brown Fox
  • Byzantine Candor
  • Comment Crew
  • Comment Group
  • Comment Panda
  • GIF89a
  • Group 3
  • PLA Unit 61398
  • ShadyRAT
  • Shanghai Group
  • Siesta
  • TG-8223

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT1.

APT2

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

APT3

APT3 is a Chinese-based threat group attributed to China's Ministry of State Security. This group is responsible for the campaigns Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, this group appears to have shifted from targeting primarily United States victims to targeting political organizations in Hong Kong.

Other names for this group include:

  • Boyusec
  • Buckeye
  • Gothic Panda
  • Group 6
  • Pirpi
  • TG-0110
  • Threat Group-0110
  • UPS
  • UPS Team

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT3.

APT4

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

APT5

APT5 is a suspected Chinese-based threat group that uses multiple types of malware to maintain command and control.

Other names associated with this group include:

  • BRONZE FLEETWOOD
  • MANGANESE
  • Pitty Panda
  • PittyTiger

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT5.

APT6

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

APT10

APT10 is a threat group that appears to be Chinese-based and has been active since approximately 2009. This group has targeted the healthcare, defense, aerospace, and government industries and has targeted Japanese victims since at least 2014. In 2016 and 2017, this group targeted managed IT service providers, manufacturing and mining companies, and a university.

Other names for this group include:

  • CVNX
  • happyyongzi
  • HOGFISH
  • menuPass
  • Menupass Team
  • POTASSIUM
  • Red Apollo
  • Stone Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT10.

APT12

APT12 is a Chinese-based threat group that has targeted several victims, including media outlets, high-tech companies, and governments.

Other names for this group include:

  • CBeeBus
  • Calc Team
  • Crimson Iron
  • DNSCALC
  • DynCalc
  • Group 22
  • IXESHE
  • Numbered Panda
  • TG-2754

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT12.

APT15

APT15 is a Chinese-based threat group that has targeted several industries, including oil, government, and military.

Other names for this group include:

  • GREF
  • Ke3chang
  • Mirage
  • Playful Dragon
  • RoyalAPT
  • Vixen Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT15.

APT16

APT16 is a Chinese-based threat group that has launched spear phishing campaigns targeting Japanese and Taiwanese organizations.

This group is also known as:

  • SVCMONDR

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT16.

APT17

APT17 is a Chinese-based threat group that has conducted network intrusions against United States government entities, the defense industry, law firms, information technology and mining companies, and non-government organizations.

Other names for this group include:

  • Aurora Panda
  • Deputy Dog
  • Dogfish
  • Group 8
  • Hidden Lynx
  • Tailgater
  • Tailgater Team

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT17.

APT18

APT18 is a threat group that has operated since at least 2009, and has targeted several industries, including technology, manufacturing, human rights groups, government, and medical.

Other names for this group include:

  • Dynamite Panda
  • TG-0416
  • Threat Group-0416
  • Wekby

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT18.

APT19

APT19 is a Chinese-based threat group that has targeted several industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, this group used a phishing campaign to target seven law and investment firms. Some researchers have linked APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.

Other names for this group include:

  • C0d0so0
  • Codoso
  • Codoso Team
  • Shell Crew
  • Sunshop Group

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT19.

APT20

APT20 is a Chinese-based threat group that primarily uses spear phishing and watering hole attacks against victims.

Other names for this group include:

  • APT8
  • TH3Bug
  • Violin Panda

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT20.

APT27

APT27 is a Chinese-based threat group that has primarily used strategic web compromises to target victims. The group has been active since at least 2010, and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing industries.

Other names for this group include:

  • BRONZE UNION
  • Emissary Panda
  • Group 35
  • Hippo Team
  • Iron Tiger
  • Iron Tiger APT
  • Lucky Mouse
  • LuckyMouse
  • TEMP.Hippo
  • TG-3390
  • Threat Group 3390
  • Threat Group-3390
  • ZipToken

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT27.

APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Other names for this group include:

  • Tsar Team
  • Sednit
  • TG-4127
  • Group 74
  • Pawn Storm
  • Fancy Bear
  • SNAKEMACKEREL
  • Threat Group-4127
  • Sofacy
  • STRONTIUM
  • Swallowtail

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT28.

APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.

Other names for this group include:

  • CozyCar
  • CozyBear
  • EuroAPT
  • Cozy Duke
  • SeaDuke
  • Minidionis
  • Office Monkeys
  • Cozer
  • Group 100
  • Dukes
  • Iron Hemlock
  • Hammer Toss
  • StellarParticle
  • Dark Halo
  • NOBELIUM
  • Cozy Bear
  • The Dukes
  • CozyDuke
  • UNC2452
  • YTTRIUM

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT29.

APT31

APT31 is a threat group specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data, APT31 appears to conduct network operations at the behest of the Chinese government. This threat group is also suspected of continuing to target upstream providers, such as law firms and managed service providers, to support additional intrusions against high-profile assets. In 2018, this threat group was observed using spear phishing, URL ‘web bugs’, and scheduled tasks to automate credential harvesting.

Other names for this group include:

  • BRONZE VINEWOOD
  • Hurricane Panda
  • Judgment Panda
  • TEMP.Avengers
  • ZIRCONIUM

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT31.

APT32

APT32 is a threat group that has been active since at least 2014. This group appears to be Vietnamese-based and has targeted multiple private sector industries, foreign governments, dissidents, and journalists with a focus on Southeast Asian countries, such as Vietnam, the Philippines, Laos, and Cambodia. This threat group has primarily used strategic web compromises on victims.

Other names for this group include:

  • APT-C-00
  • Cobalt Kitty
  • Ocean Buffalo
  • Ocean Lotus
  • OceanLotus
  • OceanLotus Group
  • POND LOACH
  • SeaLotus
  • TIN WOODLAWN

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT32.

APT33

APT33 is a suspected Iranian-based threat group that has been active since at least 2013. This threat group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a focus in the aviation and energy industries.

Other names for this group include:

  • COBALT TRINITY
  • Elfin
  • HOLMIUM
  • MAGNALLIUM
  • Refined Kitten

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT33.

APT34

APT34 is an Iran-linked threat group, best known as OilRig, that began operating around 2014. The group targets government agencies, banking, energy, chemicals, financial services, and technology companies in Saudi Arabia, Israel, the United Arab Emirates, Lebanon, Kuwait, Qatar, the United States, and Turkey.

Other names for this group include:

  • Crambus
  • HelixKitten
  • OilRig

APT35

APT35 is an Iranian-sponsored threat group operating primarily in the Middle East that dates back to at least 2014. The group has primarily targeted organizations in the energy, government, and technology sectors that are based in, or have business interests in, Saudi Arabia.

The group compromises websites by exploiting vulnerabilities and injects links to, or entire copies of, BeEF web pages; victims who visit the compromised site are then directed to BeEF servers.

This group has also been linked to StoneDrill, malware designed as both a backdoor and a wiper.
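The injected-link technique described above leaves a detectable trace in the served page: a script include pointing at a host the site does not normally load from. The block below is an added example of that check, not the product's rule logic and not attributed to any report on APT35. The HTML, hostnames and allow-list are constructed; the only external fact it relies on is that BeEF serves its browser hook as hook.js (port 3000 by default).

```python
"""Flag script includes pulled from hosts the page should not load from, the
pattern left behind when a BeEF hook is injected into a compromised site.

Added example; not the product's rule logic. The HTML, hosts and allow-list
below are constructed. "hook.js" is BeEF's default hook script name.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def find_injected_scripts(html: str, page_url: str, allowed_hosts) -> list:
    """Return one finding per external script whose host is outside the allow-list."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    allowed.add(urlsplit(page_url).hostname.lower())  # first-party host is always allowed
    findings = []
    for src in parser.srcs:
        parts = urlsplit(src)
        host = parts.hostname  # None for relative paths such as /static/app.js
        if host is None or host.lower() in allowed:
            continue
        findings.append({
            "src": src,
            "host": host.lower(),
            "port": parts.port,
            # BeEF serves its hook as hook.js (port 3000 by default); a match on
            # the name is the strongest single signal this pattern gives.
            "beef_hook": parts.path.lower().endswith("/hook.js"),
        })
    return findings


# Constructed page body: a first-party script, an approved CDN, and an injected hook
# served from an RFC 5737 test address.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="http://203.0.113.5:3000/hook.js"></script>
</head><body>ok</body></html>"""

SAMPLE_PAGE_URL = "https://www.example.com/news/"
SAMPLE_ALLOWED = ["cdn.example.com"]

if __name__ == "__main__":
    for finding in find_injected_scripts(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWED):
        print(finding)
```

Run this against a crawl of your own public pages with the allow-list set to the CDNs and analytics hosts you actually use; anything else is worth a look even when the filename is not hook.js, since the hook path is trivially renamed. Protocol-relative includes (`//host/hook.js`) are handled because urlsplit still yields a hostname for them.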

APT36

APT36 is a Pakistani-based threat group that has targeted the Indian Army or associated assets in India, and activists and civil society in Pakistan.

Other names for this group include:

  • C-Major
  • Mythic Leopard
  • Operation C-Major
  • ProjectM
  • TMP.Lapis
  • Transparent Tribe

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT36.

APT37

APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but has also targeted victims in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. North Korean group definitions are reported to have significant overlap, and the name Lazarus Group reportedly encompasses a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups, such as Bluenoroff, APT37, and APT38 separately, while other organizations track some activity associated with those group names by the name Lazarus Group.

Other names for this group include:

  • Group 123
  • Group123
  • Operation Daybreak
  • Operation Erebus
  • Reaper
  • Reaper Group
  • Red Eyes
  • Ricochet Chollima
  • ScarCruft
  • Starcruft
  • TEMP.Reaper
  • Venus 121

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT37.

APT38

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

APT39

APT39 is an Iranian cyber espionage group that has been active since at least 2014. This threat group has targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities.

Other names for this group include:

  • Chafer
  • COBALT HICKMAN
  • IRIDIUM
  • REMIX KITTEN

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT39.

APT40

APT40 is a cyber espionage group that has been active since at least 2013. This group primarily targets defense and government organizations, but has also targeted other industries, including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.

Other names for this group include:

  • BRONZE MOHAWK
  • GADOLINIUM
  • Leviathan
  • TEMP.Jumper
  • TEMP.Periscope

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT40.

APT41

APT41 is a threat group that performs Chinese state-sponsored espionage and financially motivated activity. APT41 has been active since as early as 2012. The group has targeted healthcare, telecom, technology, and video game industries in 14 countries.

Other names associated with this group include:

  • Axiom
  • Blackfly
  • Lead
  • Wicked Panda
  • Wicked Spider
  • WinNTI
  • Winnti Group
  • Winnti Umbrella

Detection Rules

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with APT41.