Most Dangerous APT Hacker Group’s Deadly Cyber Attacks of the Year 2019-2020 – Complete Collection

An APT (advanced persistent threat) group is known for launching sophisticated attacks to steal sensitive and financial information while staying undetected inside the victim's infrastructure. In this article, we present a list of APT attacks reported in 2019.

These hacker groups primarily target enterprises regardless of industry; their targets include government, defense, financial services, legal services, industrial, telecoms, consumer goods and many more.

An APT group is made up of experienced cybercriminals who can bypass security controls and cause as much damage and disruption as possible. These groups choose a specific target, spend time studying it for weaknesses, and then exploit those weaknesses to gain access.

Most APT groups use custom malware to fly under the radar. An APT attack can be divided into several phases, including planning the attack, mapping company data, avoiding detection and compromising the network.

Dangerous APT Hacker Group Attacks 2019

January

  1. Jan 16 – Latest Target Attack of DarkHydrus Group Against Middle East
  2. Jan 17 – Malware Used by “Rocke” Group Evolves to Evade Detection by Cloud Security Products
  3. Jan 18 – DarkHydrus delivers new Trojan that can use Google Drive for C2 communications
  4. Jan 24 – GandCrab and Ursnif Campaign
  5. Jan 30 – Targeted Campaign delivers Orcus Remote Access Trojan
  6. Jan 30 – Double Life of SectorA05 Nesting in Agora
  7. Jan 30 – Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities

February

  1. Feb 01 – Tracking OceanLotus’ new Downloader, KerrDown
  2. Feb 05 – Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain
  3. Feb 06 – APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign
  4. Feb 14 – Suspected Molerats’ New Attack in the Middle East
  5. Feb 18 – APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations
  6. Feb 20 – IT IS IDENTIFIED ATTACKS OF THE CIBERCRIMINAL LAZARUS GROUP DIRECTED TO ORGANIZATIONS IN RUSSIA
  7. Feb 25 – Defeating Compiler Level Obfuscations Used in APT10 Malware
  8. Feb 26 – The Arsenal Behind the Australian Parliament Hack
  9. Feb 27 – A Peek into BRONZE UNION’s Toolbox

March

  1. Mar 04 – APT40: Examining a China-Nexus Espionage Actor
  2. Mar 06 – Whitefly: Espionage Group has Singapore in Its Sights
  3. Mar 06 – Targeted attack using Taidoor Analysis report
  4. Mar 06 – Operation Pistacchietto
  5. Mar 07 – New SLUB Backdoor Uses GitHub, Communicates via Slack
  6. Mar 08 – Supply Chain – The Major Target of Cyberespionage Groups
  7. Mar 11 – Gaming industry still in the scope of attackers in Asia
  8. Mar 12 – Operation Comando: How to Run a Cheap and Effective Credit Card Business
  9. Mar 13 – Operation Sheep: Pilfer-Analytics SDK in Action
  10. Mar 13 – ‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses
  11. Mar 13 – GlitchPOS: New PoS malware for sale
  12. Mar 13 – LUCKY ELEPHANT CAMPAIGN MASQUERADING
  13. Mar 22 – Operation ShadowHammer
  14. Mar 25 – Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
  15. Mar 27 – Threat Actor Group using UAC Bypass Module to run BAT File
  16. Mar 28 – Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria
  17. Mar 28 – Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole

April

  1. Apr 02 – OceanLotus Steganography
  2. Apr 10 – Gaza Cybergang Group1, operation SneakyPastes
  3. Apr 10 – Project TajMahal – a sophisticated new APT framework
  4. Apr 10 – The Muddy Waters of APT Attacks
  5. Apr 17 – DNS Hijacking Abuses Trust In Core Internet Service
  6. Apr 17 – Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign
  7. Apr 19 – “Funky malware format” found in Ocean Lotus sample
  8. Apr 22 – FINTEAM: Trojanized TeamViewer Against Government Targets
  9. Apr 23 – Operation ShadowHammer: a high-profile supply chain attack
  10. Apr 24 – Legit remote admin tools turn into threat actors’ tools
  11. Apr 30 – SectorB06 using Mongolian language in lure document

May

  1. May 03 – Who’s who in the Zoo: Cyberespionage operation targets Android users in the Middle East
  2. May 07 – Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
  3. May 07 – Turla LightNeuron: An email too far
  4. May 07 – ATMitch: New Evidence Spotted In The Wild
  5. May 08 – OceanLotus’ Attacks to Indochinese Peninsula: Evolution of Targets, Techniques and Procedure
  6. May 08 – FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
  7. May 09 – Iranian Nation-State APT Groups – “Black Box” Leak
  8. May 11 – Chinese Actor APT target Ministry of Justice Vietnamese
  9. May 13 – ScarCruft continues to evolve, introduces Bluetooth harvester
  10. May 15 – Winnti: More than just Windows and Gates
  11. May 18 – Operation_BlackLion
  12. May 19 – HiddenWasp Malware Stings Targeted Linux Systems
  13. May 22 – A journey to Zebrocy land
  14. May 24 – UNCOVERING NEW ACTIVITY BY APT10
  15. May 27 – APT-C-38
  16. May 28 – Emissary Panda Attacks Middle East Government Sharepoint Servers
  17. May 29 – TA505 is Expanding its Operations
  18. May 29 – A dive into Turla PowerShell usage
  19. May 30 – 10 years of virtual dynamite: A high-level retrospective of ATM malware

June

  1. Jun 03 – Zebrocy’s Multilanguage Malware Salad
  2. Jun 04 – An APT Blueprint: Gaining New Visibility into Financial Threats
  3. Jun 05 – Scattered Canary: The Evolution and Inner Workings of a West African Cybercriminal Startup Turned BEC Enterprise
  4. Jun 10 – MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
  5. Jun 11 – The Discovery of Fishwrap: A New Social Media Information Operation Methodology
  6. Jun 12 – Threat Group Cards: A Threat Actor Encyclopedia
  7. Jun 20 – New Approaches Utilized by OceanLotus to Target An Environmental Group in Vietnam
  8. Jun 21 – Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
  9. Jun 25 – OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS
  10. Jun 25 – Analysis of MuddyC3, a New Weapon Used by MuddyWater
  11. Jun 26 – Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations

July

  1. Jul 01 – Threat Spotlight: Ratsnif – New Network Vermin from OceanLotus
  2. Jul 03 – Operation Tripoli
  3. Jul 04 – Multiple Chinese Threat Groups Exploiting CVE-2018-0798 Equation Editor Vulnerability Since Late 2018
  4. Jul 04 – Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
  5. Jul 09 – Twas the night before
  6. Jul 11 – Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
  7. Jul 15 – Buhtrap group uses zero‑day in latest espionage campaigns
  8. Jul 16 – SWEED: Exposing years of Agent Tesla campaigns
  9. Jul 17 – SLUB Gets Rid of GitHub, Intensifies Slack Use
  10. Jul 18 – EvilGnome: Rare Malware Spying on Linux Desktop Users
  11. Jul 18 – OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY
  12. Jul 18 – Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C
  13. Jul 20 – Hard Pass: Declining APT34’s Invite to Join Their Professional Network
  14. Jul 24 – Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
  15. Jul 24 – Attacking the Heart of the German Industry

August

  1. Aug 01 – Analysis of the Attack of Mobile Devices by OceanLotus
  2. Aug 05 – Sharpening the Machete
  3. Aug 05 – Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
  4. Aug 07 – APT41: A Dual Espionage and Cyber Crime Operation
  5. Aug 08 – Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations
  6. Aug 12 – Recent Cloud Atlas activity
  7. Aug 14 – In the Balkans, businesses are under fire from a double‑barreled weapon
  8. Aug 20 – Malware analysis about unknown Chinese APT campaign
  9. Aug 21 – Silence 2.0
  10. Aug 21 – The Gamaredon Group: A TTP Profile Analysis
  11. Aug 26 – APT-C-09 Reappeared as Conflict Intensified Between India and Pakistan
  12. Aug 27 – TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
  13. Aug 27 – China Chopper still active 9 years later
  14. Aug 27 – LYCEUM Takes Center Stage in Middle East Campaign
  15. Aug 27 – Malware analysis about sample of APT Patchwork
  16. Aug 29 – SectorJ04 Group’s Increased Activity in 2019
  17. Aug 29 – More_eggs, Anyone? Threat Actor ITG08 Strikes Again
  18. Aug 29 – Tick Tock – Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years
  19. Aug 30 – ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
  20. Aug 31 – Malware analysis on Bitter APT campaign

September

  1. Sep 04 – Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions
  2. Sep 05 – UPSynergy: Chinese-American Spy vs. Spy Story
  3. Sep 06 – BITTER APT: Not So Sweet
  4. Sep 09 – Thrip: Ambitious Attacks Against High Level Targets Continue
  5. Sep 11 – RANCOR APT: Suspected targeted attacks against South East Asia
  6. Sep 15 – The Kittens Are Back in Town: Charming Kitten Campaign Against Academic Researchers
  7. Sep 18 – Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks
  8. Sep 24 – Mapping the connections inside Russia’s APT Ecosystem
  9. Sep 24 – How Tortoiseshell created a fake veteran hiring website to host malware
  10. Sep 24 – DeadlyKiss APT
  11. Sep 26 – Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor
  12. Sep 30 – HELO Winnti: Attack or Scan?

October

  1. Oct 01 – New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
  2. Oct 01 – New Adwind Campaign targets US Petroleum Industry
  3. Oct 03 – PKPLUG: Chinese Cyber Espionage Group Attacking Asia
  4. Oct 04 – GEOST BOTNET. THE STORY OF THE DISCOVERY OF A NEW ANDROID BANKING TROJAN FROM AN OPSEC ERROR
  5. Oct 07 – China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations
  6. Oct 07 – The Kittens Are Back in Town 2 – Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods
  7. Oct 07 – Supply chain attacks: threats targeting service providers and design offices
  8. Oct 10 – Attor, a spy platform with curious GSM fingerprinting
  9. Oct 10 – CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
  10. Oct 10 – Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques
  11. Oct 14 – HUGE FAN OF YOUR WORK: TURBINE PANDA
  12. Oct 14 – From tweet to rootkit
  13. Oct 15 – LOWKEY: Hunting for the Missing Volume Serial ID
  14. Oct 17 – Operation Ghost: The Dukes aren’t back – they never left
  15. Oct 21 – Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
  16. Oct 31 – MESSAGETAP: Who’s Reading Your Text Messages?

November

  1. Nov 01 – Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium
  2. Nov 04 – Higaisa APT
  3. Nov 05 – THE LAZARUS’ GAZE TO THE WORLD: WHAT IS BEHIND THE FIRST STONE?
  4. Nov 08 – Titanium: the Platinum group strikes again
  5. Nov 13 – More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  6. Nov 20 – Mac Backdoor Linked to Lazarus Targets Korean Users
  7. Nov 20 – Golden Eagle (APT-C-34)
  8. Nov 25 – Studying Donot Team
  9. Nov 26 – Insights from one year of tracking a polymorphic threat: Dexphot
  10. Nov 28 – RevengeHotels: cybercrime targeting hotel front desks worldwide
  11. Nov 29 – Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

December

  1. Dec 03 – Threat Actor Targeting Hong Kong Pro-Democracy Figures
  2. Dec 04 – Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  3. Dec 04 – New Destructive Wiper “ZeroCleare” Targets Energy Sector in the Middle East
  4. Dec 11 – Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  5. Dec 12 – Operation Gamework: Infrastructure Overlaps Found Between BlueAlpha and Iranian APTs
  6. Dec 12 – GALLIUM: Targeting global telecom
  7. Dec 12 – Drilling Deep: A Look at Cyberattacks on the Oil and Gas Industry

2020 Attack List So Far

January

  1. Jan 01 – [WeiXin] Pakistan Sidewinder APT Attack
  2. Jan 06 – First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT
  3. Jan 07 – Destructive Attack: DUSTMAN
  4. Jan 07 – Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access
  5. Jan 08 – Operation AppleJeus Sequel
  6. Jan 09 – The State of Threats to Electric Entities in North America
  7. Jan 13 – APT27 ZxShell RootKit module updates
  8. Jan 13 – Reviving MuddyC3 Used by MuddyWater (IRAN) APT
  9. Jan 16 – JhoneRAT: Cloud based python RAT targeting Middle Eastern countries
  10. Jan 31 – Winnti Group targeting universities in Hong Kong

February

  1. Feb 03 – Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations
  2. Feb 10 – Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems
  3. Feb 13 – NEW CYBER ESPIONAGE CAMPAIGNS TARGETING PALESTINIANS – PART 2: THE DISCOVERY OF THE NEW, MYSTERIOUS PIEROGI BACKDOOR
  4. Feb 17 – Fox Kitten Campaign
  5. Feb 17 – CLAMBLING – A New Backdoor Base On Dropbox (EN)
  6. Feb 17 – A deep dive into the latest Gamaredon Espionage Campaign
  7. Feb 18 – Operation DRBControl
  8. Feb 19 – The Lazarus Constellation
  9. Feb 22 – ‘Cloud Snooper’ Attack Bypasses Firewall Security Measures
  10. Feb 28 – Nortrom_Lion_APT

March

  1. Mar 30 – The ‘Spy Cloud’ Operation: Geumseong121 group carries out the APT attack disguising the evidence of North Korean defection
  2. Mar 26 – iOS exploit chain deploys LightSpy feature-rich malware
  3. Mar 25 – This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
  4. Mar 24 – WildPressure targets industrial-related entities in the Middle East
  5. Mar 24 – Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links
  6. Mar 19 – Probing Pawn Storm: Cyberespionage Campaign Through Scanning, Credential Phishing and More
  7. Mar 15 – APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT
  8. Mar 12 – Vicious Panda: The COVID Campaign
  9. Mar 12 – Two-tailed scorpion APT-C-23
  10. Mar 12 – Tracking Turla: New backdoor delivered via Armenian watering holes
  11. Mar 11 – Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan
  12. Mar 10 – WHO’S HACKING THE HACKERS: NO HONOR AMONG THIEVES
  13. Mar 05 – Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks
  14. Mar 05 – Guildma: The Devil drives electric
  15. Mar 03 – New Perl Botnet (Tuyul) Found with Possible Indonesian Attribution
  16. Mar 03 – The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs
  17. Mar 02 – APT34 (AKA OILRIG, AKA HELIX KITTEN) ATTACKS LEBANON GOVERNMENT ENTITIES WITH MAILDROPPER IMPLANTS

April

  1. Apr 29 – Chinese Influence Operations Evolve in Campaigns Targeting Taiwanese Elections, Hong Kong Protests
  2. Apr 28 – Outlaw is Back, a New Crypto-Botnet Targets European Organizations
  3. Apr 28 – Grandoreiro: How engorged can an EXE get?
  4. Apr 24 – PoshC2
  5. Apr 21 – Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant
  6. Apr 20 – WINNTI GROUP: Insights From the Past
  7. Apr 17 – Gamaredon APT Group Use Covid-19 Lure in Campaigns
  8. Apr 16 – Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems
  9. Apr 16 – Giving Fraudsters the Cold Shoulder: Inside the Largest Connected TV Bot Attack
  10. Apr 16 – Taiwan High-Tech Ecosystem Targeted by Foreign APT Group
  11. Apr 15 – Nation-state Mobile Malware Targets Syrians with COVID-19 Lures
  12. Apr 15 – Craft for Resilience: APT Group Chimera
  13. Apr 07 – APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure
  14. Apr 07 – New Ursnif Campaign: A Shift from PowerShell to Mshta
  15. Apr 07 – Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android

May

June

  1. Jun 30 – StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure
  2. Jun 29 – PROMETHIUM extends global reach with StrongPity3 APT
  3. Jun 26 – WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
  4. Jun 25 – A close look at the advanced techniques used in a Malaysian-focused APT campaign
  5. Jun 24 – BRONZE VINEWOOD Targets Supply Chains
  6. Jun 23 – WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
  7. Jun 19 – Targeted Attack Leverages India-China Border Dispute to Lure Victims
  8. Jun 18 – Digging up InvisiMole’s hidden arsenal
  9. Jun 17 – Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies
  10. Jun 17 – AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
  11. Jun 17 – Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature
  12. Jun 16 – Cobalt: tactics and tools update
  13. Jun 15 – India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
  14. Jun 11 – New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
  15. Jul 11 – Gamaredon group grows its game
  16. Jun 08 – TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
  17. Jun 08 – GuLoader? No, CloudEyE
  18. Jun 03 – New LNK attack tied to Higaisa APT discovered
  19. Jun 03 – Cycldek: Bridging the (air) gap

July

  1. Jul 29 – Operation North Star: A Job Offer That’s Too Good to be True?
  2. Jul 22 – OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
  3. Jul 22 – MATA: Multi-platform targeted malware framework
  4. Jul 15 – THE FAKE CISCO: Hunting for backdoors in Counterfeit Cisco devices
  5. Jul 14 – TURLA / VENOMOUS BEAR UPDATES ITS ARSENAL: “NEWPASS” APPEARS ON THE APT THREAT SCENE
  6. Jul 14 – Welcome Chat as a secure messaging app? Nothing could be further from the truth
  7. Jul 12 – SideWinder 2020 H1
  8. Jul 09 – Cosmic Lynx: The Rise of Russian BEC
  9. Jul 09 – More evil: A deep look at Evilnum and its toolset
  10. Jul 08 – Copy cat of APT Sidewinder?
  11. Jul 08 – [proofpoint] TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
  12. Jul 08 – Operation ‘Honey Trap’: APT36 Targets Defense Organizations in India
  13. Jul 06 – North Korean hackers are skimming US and European shoppers
  14. Jul 01 – [Lookout] Mobile APT Surveillance Campaigns Targeting Uyghurs

August

  1. Aug 27 – The Kittens Are Back in Town 3
  2. Aug 28 – Transparent Tribe: Evolution analysis, part 2
  3. Aug 20 – DEVELOPMENT OF THE ACTIVITY OF THE TA505 CYBERCRIMINAL GROUP
  4. Aug 20 – More Evidence of APT Hackers-for-Hire Used for Industrial Espionage
  5. Aug 18 – [F-Secure] LAZARUS GROUP CAMPAIGN TARGETING THE CRYPTOCURRENCY VERTICAL
  6. Aug 13 – [Kaspersky] CactusPete APT group’s updated Bisonal backdoor
  7. Aug 13 – [ClearSky] Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
  8. Aug 12 – [Kaspersky] Internet Explorer and Windows zero-day exploits used in Operation PowerFall
  9. Aug 10 – [Seqrite] Gorgon APT targeting MSME sector in India

September

  1. Sep 30 – APT‑C‑23 group evolves its Android spyware
  2. Sep 29 – Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
  3. Sep 29 – ShadowPad: new activity from the Winnti group
  4. Sep 25 – German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed
  5. Sep 25 – APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign
  6. Sep 24 – Detecting empires in the cloud
  7. Sep 23 – Operation SideCopy
  8. Sep 22 – APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
  9. Sep 17 – Operation Tibbar
  10. Sep 08 – TeamTNT activity targets Weave Scope deployments
  11. Sep 03 – NO REST FOR THE WICKED: EVILNUM UNLEASHES PYVIL RAT
  12. Sep 01 – Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe

October

  1. Oct 27 – North Korean Advanced Persistent Threat Focus: Kimsuky
  2. Oct 23 – APT-C-44 NAFox
  3. Oct 22 – Bitter CHM
  4. Oct 19 – Operation Earth Kitsune: Tracking SLUB’s Current Operations
  5. Oct 15 – Operation Quicksand – MuddyWater’s Offensive Attack Against Israeli Organizations
  6. Oct 14 – [MalwareByte] Silent Librarian APT right on schedule for 20/21 academic year
  7. Oct 13 – [WeiXin] Operation Rubia cordifolia
  8. Oct 07 – [BlackBerry] BlackBerry Uncovers Massive Hack-For-Hire Group Targeting Governments, Businesses, Human Rights Groups and Influential Individuals
  9. Oct 06 – [Malwarebytes] Release the Kraken: Fileless APT attack abuses Windows Error Reporting service
  10. Oct 05 – [Kaspersky] MosaicRegressor: Lurking in the Shadows of UEFI

November

Listed above are the most dangerous APT attacks of the years 2019-2020; we keep the list updated as new attacks are reported.
