An advanced persistent threat (APT) is known for launching sophisticated attacks to steal sensitive and financial information while staying undetected within the target's infrastructure. In this article, we present a list of APT attacks reported from 2019 to 2021.
These hacker groups primarily target enterprises regardless of industry; their targets include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more.
An APT group consists of experienced cybercriminals who can bypass security controls and cause as much damage and disruption as possible. These groups pick a specific target, spend time studying it, and then exploit the weaknesses they find to gain access.
Most APT groups use custom malware to fly under the radar. An APT attack is typically broken into phases: planning the attack, mapping company data, avoiding detection and compromising the network.
Dangerous APT Hacker Group Attacks 2019
January
February
March
April
May
June
July
August
September
October
November
December
2020 Attack List So Far
January
February
March
- Mar 30 – The ‘Spy Cloud’ Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection
- Mar 26 – iOS exploit chain deploys LightSpy feature-rich malware
- Mar 25 – This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
- Mar 24 – WildPressure targets industrial-related entities in the Middle East
- Mar 24 – Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links
- Mar 19 – Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More
- Mar 15 – APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT
- Mar 12 – Vicious Panda: The COVID Campaign
- Mar 12 – Two-tailed scorpion APT-C-23
- Mar 12 – Tracking Turla: New backdoor delivered via Armenian watering holes
- Mar 11 – Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
- Mar 10 – WHO’S HACKING THE HACKERS: NO HONOR AMONG THIEVES
- Mar 05 – Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
- Mar 05 – Guildma: The Devil drives electric
- Mar 03 – New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution
- Mar 03 – The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs
- Mar 02 – APT34 (AKA OILRIG, AKA HELIX KITTEN) ATTACKS LEBANON GOVERNMENT ENTITIES WITH MAILDROPPER IMPLANTS
April
- Apr 29 – Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests
- Apr 28 – Outlaw is Back, a New Crypto-Botnet Targets European Organizations
- Apr 28 – Grandoreiro: How engorged can an EXE get?
- Apr 24 – PoshC2
- Apr 21 – Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant
- Apr 20 – WINNTI GROUP: Insights From the Past
- Apr 17 – Gamaredon APT Group Use Covid-19 Lure in Campaigns
- Apr 16 – Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems
- Apr 16 – Giving Fraudsters the Cold Shoulder: Inside the Largest Connected TV Bot Attack
- Apr 16 – Taiwan High-Tech Ecosystem Targeted by Foreign APT Group
- Apr 15 – Nation-state Mobile Malware Targets Syrians with COVID-19 Lures
- Apr 15 – Craft for Resilience: APT Group Chimera
- Apr 07 – APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
- Apr 07 – New Ursnif Campaign: A Shift from PowerShell to Mshta
- Apr 07 – Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android
May
- May 29 – Russian Cyber Attack Campaigns and Actors
- May 28 – The zero-day exploits of Operation WizardOpium
- May 26 – From Agent.BTZ to ComRAT v4: A ten‑year journey
- May 21 – The Evolution of APT15’s Codebase 2020
- May 21 – Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
- May 21 – No “Game over” for the Winnti Group
- May 19 – Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
- May 18 – APT-C-23 Middle East
- May 14 – LOLSnif – Tracking Another Ursnif-Based Targeted Campaign
- May 14 – RATicate: an attacker’s waves of information-stealing malware
- May 14 – Vendetta-new threat actor from Europe
- May 14 – Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
- May 14 – APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
- May 14 – COMpfun authors spoof visa application with HTTP status-based Trojan
- May 13 – Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
- May 12 – Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments
- May 11 – Targeted Attacks on Indian Government and Financial Institutions Using the JsOutProx RAT
- May 11 – Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
- May 07 – Introducing Blue Mockingbird
- May 07 – Naikon APT: Cyber Espionage Reloaded
- May 06 – Phantom in the Command Shell
- May 06 – Leery Turtle Threat Report
- May 05 – Nazar: Spirits of the Past
June
- Jun 30 – StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure
- Jun 29 – PROMETHIUM extends global reach with StrongPity3 APT
- Jun 26 – WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
- Jun 25 – A close look at the advanced techniques used in a Malaysian-focused APT campaign
- Jun 24 – BRONZE VINEWOOD Targets Supply Chains
- Jun 23 – WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
- Jun 19 – Targeted Attack Leverages India-China Border Dispute to Lure Victims
- Jun 18 – Digging up InvisiMole’s hidden arsenal
- Jun 17 – Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies
- Jun 17 – AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
- Jun 17 – Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
- Jun 16 – Cobalt: tactics and tools update
- Jun 15 – India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
- Jun 11 – New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
- Jun 11 – Gamaredon group grows its game
- Jun 08 – TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
- Jun 08 – GuLoader? No, CloudEyE
- Jun 03 – New LNK attack tied to Higaisa APT discovered
- Jun 03 – Cycldek: Bridging the (air) gap
July
- Jul 29 – Operation North Star: A Job Offer That’s Too Good to be True?
- Jul 22 – OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
- Jul 22 – MATA: Multi-platform targeted malware framework
- Jul 15 – THE FAKE CISCO: Hunting for backdoors in Counterfeit Cisco devices
- Jul 14 – TURLA / VENOMOUS BEAR UPDATES ITS ARSENAL: “NEWPASS” APPEARS ON THE APT THREAT SCENE
- Jul 14 – Welcome Chat as a secure messaging app? Nothing could be further from the truth
- Jul 12 – SideWinder 2020 H1
- Jul 09 – Cosmic Lynx: The Rise of Russian BEC
- Jul 09 – More evil: A deep look at Evilnum and its toolset
- Jul 08 – Copy cat of APT SideWinder?
- Jul 08 – [proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
- Jul 08 – Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India
- Jul 06 – North Korean hackers are skimming US and European shoppers
- Jul 01 – [Lookout] Mobile APT Surveillance Campaigns Targeting Uyghurs
August
- Aug 27 – The Kittens Are Back in Town 3
- Aug 28 – Transparent Tribe: Evolution analysis, part 2
- Aug 20 – DEVELOPMENT OF THE ACTIVITY OF THE TA505 CYBERCRIMINAL GROUP
- Aug 20 – More Evidence of APT Hackers-for-Hire Used for Industrial Espionage
- Aug 18 – [F-Secure] LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL
- Aug 13 – [Kaspersky] CactusPete APT group’s updated Bisonal backdoor
- Aug 13 – [ClearSky] Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
- Aug 12 – [Kaspersky] Internet Explorer and Windows zero-day exploits used in Operation PowerFall
- Aug 10 – [Seqrite] Gorgon APT targeting MSME sector in India
September
- Sep 30 – APT‑C‑23 group evolves its Android spyware
- Sep 29 – Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
- Sep 29 – ShadowPad: new activity from the Winnti group
- Sep 25 – German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed
- Sep 25 – APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries – HpReact campaign
- Sep 24 – detecting empires in the cloud
- Sep 23 – Operation SideCopy
- Sep 22 – APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
- Sep 17 – Operation Tibbar
- Sep 08 – TeamTNT activity targets Weave Scope deployments
- Sep 03 – NO REST FOR THE WICKED: EVILNUM UNLEASHES PYVIL RAT
- Sep 01 – Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe
October
- Oct 27 – North Korean Advanced Persistent Threat Focus: Kimsuky
- Oct 23 – APT-C-44 NAFox
- Oct 22 – Bitter CHM
- Oct 19 – Operation Earth Kitsune: Tracking SLUB’s Current Operations
- Oct 15 – Operation Quicksand – MuddyWater’s Offensive Attack Against Israeli Organizations
- Oct 14 – [MalwareByte] Silent Librarian APT right on schedule for 20/21 academic year
- Oct 13 – [WeiXin] Operation Rubia cordifolia
- Oct 07 – [BlackBerry] BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals
- Oct 06 – [Malwarebytes] Release the Kraken: Fileless APT attack abuses Windows Error Reporting service
- Oct 05 – [Kaspersky] MosaicRegressor: Lurking in the Shadows of UEFI
November
- Nov 17 – CHAES: Novel Malware Targeting Latin American E-Commerce
- Nov 17 – Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign
- Nov 16 – TA505: A Brief History Of Their Time
- Nov 16 – A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian Government Institutions
- Nov 12 – CRAT wants to plunder your endpoints
- Nov 12 – The CostaRicto Campaign: Cyber-Espionage Outsourced
- Nov 12 –
- Nov 10 – New APT32 Malware Campaign Targets Cambodian Government
- Nov 06 – [Volexity] OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
- Nov 04 – [Sophos] A new APT uses DLL side-loads to “KilllSomeOne”
- Nov 01 – [Cyberstanc] A look into APT36’s (Transparent Tribe) tradecraft
December
- Dec 30 – [Recorded Future] SolarWinds Attribution: Are We Getting Ahead of Ourselves?
- Dec 29 – [Uptycs] Revenge RAT targeting users in South America
- Dec 23 – [Kaspersky] Lazarus covets COVID-19-related intelligence
- Dec 22 – [Truesec] Collaboration between FIN7 and the RYUK group, a Truesec Investigation
- Dec 19 – [VinCSS] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority
- Dec 17 – [ClearSky] Pay2Kitten
- Dec 17 – [ESET] Operation SignSight: Supply‑chain attack against a certification authority in Southeast Asia
- Dec 16 – [Team Cymru] Mapping out AridViper Infrastructure Using Augury’s Malware Module
- Dec 15 – [WeiXin] APT-C-47 ClickOnce Operation
- Dec 15 – [hvs consulting] Greetings from Lazarus Anatomy of a cyber espionage campaign
- Dec 13 – [Fireeye] Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- Dec 09 – [Trend Micro] SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks
- Dec 07 – [Group-IB] The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
- Dec 02 – [ESET] Turla Crutch: Keeping the “back door” open
- Dec 03 – [Telsy] Adversary Tracking Report
- Dec 01 – [CISA] Advanced Persistent Threat Actors Targeting U.S. Think Tanks
- Dec 01 – [Prevasio] OPERATION RED KANGAROO: INDUSTRY’S FIRST DYNAMIC ANALYSIS OF 4M PUBLIC DOCKER CONTAINER IMAGES
2021 Attack List So Far
January
- Jan 31 – [JPCERT] A41APT case ~ Analysis of the Stealth APT Campaign Threatening Japan
- Jan 28 – [ClearSky] “Lebanese Cedar” APT: Global Lebanese Espionage Campaign Leveraging Web Servers
- Jan 20 – [JPCERT] Commonly Known Tools Used by Lazarus
- Jan 20 – [Cybie] A Deep Dive Into Patchwork APT Group
- Jan 14 – [Positive] Higaisa or Winnti? APT41 backdoors, old and new
- Jan 12 – [ESET] Operation Spalax: Targeted malware attacks in Colombia
- Jan 12 – [Yoroi] Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife
- Jan 12 – [NCCgroup] Abusing cloud services to fly under the radar
- Jan 11 – [Palo Alto Networks] xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement
- Jan 11 – [CrowdStrike] SUNSPOT: An Implant in the Build Process
- Jan 11 – [Kaspersky] Sunburst backdoor – code overlaps with Kazuar
- Jan 08 – [Certfa] Charming Kitten’s Christmas Gift
- Jan 07 – [Prodaft] Brunhilda DaaS Malware Analysis Report
- Jan 06 – [CISCO] A Deep Dive into Lokibot Infection Chain
- Jan 06 – [Malwarebytes] Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
- Jan 05 – [QuoIntelligence] ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware
- Jan 05 – [Trend Micro] Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration
- Jan 04 – [CheckPoint] Stopping Serial Killer: Catching the Next Strike: Dridex
- Jan 04 – [Medium] APT27 Turns to Ransomware
- Jan 04 – [Nao-Sec] Royal Road! Re:Dive
February
- Feb 28 – [Recorded Future] China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
- Feb 25 – [Proofpoint] TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations
- Feb 25 – [Kaspersky] Lazarus targets defense industry with ThreatNeedle
- Feb 25 – [TeamT5] APT10: Tracking down the stealth activity of the A41APT campaign
- Feb 24 – [MalwareBytes] LazyScripter: From Empire to double RAT
- Feb 24 – [Amnesty] Click and Bait: Vietnamese Human Rights Defenders Targeted with Spyware Attacks
- Feb 22 – [CheckPoint] The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
- Feb 17 – [Cybleinc] Confucius APT Android Spyware Targets Pakistani and Other South Asian Regions
- Feb 10 – [Lookout] Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict
- Feb 09 – [Palo Alto Networks] BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech
- Feb 08 – [CheckPoint] Domestic Kitten – An Inside Look at the Iranian Surveillance Operations
- Feb 03 – [Palo Alto Networks] Hildegard: New TeamTNT Malware Targeting Kubernetes
- Feb 02 – [ESET] Kobalos – A complex Linux threat to high performance computing infrastructure
- Feb 01 – [VinCSS] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT
- Feb 01 – [ESET] Operation NightScout: Supply‑chain attack targets online gaming in Asia
March
- Mar XX – [CSET] Academics, AI, and APTs
- Mar 30 – [Kaspersky] APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign
- Mar 30 – [proofpoint] BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
- Mar 18 – [Prodaft] SilverFish Group Threat Actor Report
- Mar 10 – [Bitdefender] FIN8 Returns with Improved BADHATCH Toolkit
- Mar 10 – [Intezer] New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
- Mar 02 – [Volexity] Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- Mar 02 – [Microsoft] HAFNIUM targeting Exchange Servers with 0-day exploits
April
- Apr 28 – [Fireeye] Ghostwriter Update: Cyber Espionage Group UNC1151 Likely Conducts Ghostwriter Influence Activity
- Apr 27 – [Positive] Lazarus Group Recruitment: Threat Hunters vs Head Hunters
- Apr 23 – [Bitdefender] NAIKON – Traces from a Military Cyber-Espionage Operation
- Apr 23 – [Darktrace] APT35 ‘Charming Kitten’ discovered in a pre-infected environment
- Apr 20 – [FireEye] Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
- Apr 19 – [SentinelOne] A Deep Dive into Zebrocy’s Dropper Docs
- Apr 19 – [MalwareBytes] Lazarus APT conceals malicious code within BMP image to drop its RAT
- Apr 13 – [Sentire] Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire
- Apr 13 – [Kaspersky] Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild
- Apr 09 – [TrendMicro] Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
- Apr 08 – [CheckPoint] Iran’s APT34 Returns with an Updated Arsenal
- Apr 08 – [ESET] (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
- Apr 07 – [CISCO] Sowing Discord: Reaping the benefits of collaboration app abuse
May
Listed above are the most dangerous APT attacks of the years 2019-2020; we keep the list updated as new attacks are reported.