Advanced persistent threat (APT) groups are threat actors operated by nation states or state-sponsored groups. Our ready-made detection rules detect the following APT groups:

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017

WIRTE is a threat group that has been active since at least August 2018. The group has focused on targeting Middle East defense and diplomats

GCMAN is a threat group that has focused on targeting banks to transfer money to e-currency services

BlackTech is a cyber espionage group that has targeted victims in East Asia, primarily Taiwan, and also Japan and Hong Kong

WindShift is a threat group that has been active since at least 2017, and has targeted specific individuals for surveillance in government departments and critical infrastructure across the Middle East

Orangeworm is a threat group that has targeted organizations in the healthcare industry in the United States, Europe, and Asia since at least 2015, for the suspected purpose of corporate espionage

Molerats is a politically-motivated threat group that has been active since 2012. This group has primarily targeted victims in the Middle East, Europe, and the United States

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia

BlackOasis is a Middle Eastern-based threat group that appears to be a customer of Gamma Group. This threat group has targeted prominent figures in the United Nations, opposition bloggers, activists, regional news correspondents, and think tanks. A group identified by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis’ operations, but evidence that the group names are aliases has not been confirmed

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. This threat group has conducted intrusions to steal money by targeting ATM, card processing, payment, and SWIFT systems. Cobalt Group has primarily targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. This group has targeted organizations to use their access to compromise additional victims. Reporting indicates there may be links between Cobalt Group and the malware Carbanak and threat group Carbanak

Deep Panda is a suspected Chinese-based threat group that has targeted several industries, including government, defense, financial, and telecommunications. Deep Panda is attributed with the intrusion into the healthcare company Anthem. Deep Panda is also linked to Black Vine based on both group names being attributed to the Anthem intrusion. Some researchers have linked Deep Panda and APT19 as being the same group, but it is unclear from open source information if the groups are the same

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. This group has primarily used open-source tools and custom payloads to perform attacks

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor

MuddyWater is an Iranian-based threat group that has primarily targeted Middle Eastern countries, but has also targeted European and North American countries. This group has primarily targeted victims in the telecommunications, government IT services, and oil industries. This group’s activity was previously linked to FIN7, but the group is suspected to be a distinct group, possibly motivated by espionage

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK may have a direct or indirect relationship with the threat group Moafee. DragonOK has used a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT

Mofang is a likely Chinese-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This group has been active since at least May 2012, and has conducted focused attacks against the government and critical infrastructure in Myanmar, and several other countries and industries, including military, automobile, and weapons

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. This group has used information exfiltrated from victims to blackmail companies into contracting Poseidon Group as a security firm

Energetic Bear is a cyber espionage group that has been active since at least 2011. This group initially targeted defense and aviation companies, but shifted focus to the energy industry in early 2013. This group has also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence for these to be tracked as two separate groups

Night Dragon is a campaign name for activity involving a primarily Chinese-based threat group