Happy New year
Exploit
https://www.mandiant.com/resources/blog/zero-days-exploited-2022
predictions:
https://securelist.com/advanced-threat-predictions-for-2023/107939/
summary:
THE CYBERTHREAT REPORT June 2023 Insights Gleaned from a Global Network of Experts, Sensors, Telemetry, and Intelligence
https://www.trellix.com/en-us/advanced-research-center/threat-reports/jun-2023.html
The State of Ransomware in the US: Report and Statistics 2022
https://www.emsisoft.com/en/blog/43258/the-state-of-ransomware-in-the-us-report-and-statistics-2022/
nsfocus summary
https://book.yunzhan365.com/tkgd/ftku/mobile/index.html
Crypto Money Laundering: Four Exchange Deposit Addresses Received Over $1 Billion in Illicit Funds in 2022
https://blog.chainalysis.com/reports/crypto-money-laundering-2022/
2022 Year in Review
https://thedfirreport.com/2023/03/06/2022-year-in-review/
20230511 update lnk
[1] https://www.eset.com/int/business/services/threat-intelligence/
[2] https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treadsnew-ground-qt-mqtt/
[3] https://unit42.paloaltonetworks.com/playful-taurus/
[4] https://securelist.com/a-targeted-attack-against-the-syrian-ministry-of-foreign-affairs/34742/
[5] https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
[6] https://www.crowdstrike.com/blog/new-supply-chain-attack-leverages-comm100-chat-installer/
[7] https://github.com/GetRektBoy724/SharpUnhooker
[8] https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actortargets-pakistan-with-advanced-espionage-tool
[9] https://the.earth.li/~sgtatham/putty/0.78/htmldoc/Chapter7.html#plink
[10] https://asec.ahnlab.com/en/49089/
[11] https://www.nirsoft.net/utils/web_browser_password.html
[12] https://www.nirsoft.net/utils/network_password_recovery.html
[13] https://docs.devexpress.com/WindowsForms/15216/controls-and-libraries/pdf-viewer
[14] https://www.justice.gov/usao-edny/pr/founder-and-majority-owner-bitzlato-cryptocurrencyexchange-charged-unlicensed-money
[15] https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cxsupply-chain-attack/
[16] https://telegra.ph/
[17] https://twitter.com/ESETresearch/status/1618960022150729728
[18] https://cert.gov.ua/article/3718487
[19] https://cert.gov.ua/article/341128
[20] https://www.malwarebytes.com/blog/threat-intelligence/2022/06/russias-apt28-uses-fear-ofnuclear-war-to-spread-follina-docs-in-ukrain
[21] https://attack.mitre.org/techniques/T1027/006/
[22] https://www.notion.so/
[23] https://www.welivesecurity.com/wp-content/uploads/2023/01/eset_apt_activity_report_t32022.pdf
[24] https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/
[25] https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-governmentmaldocs/
[26] https://scpc.gov.ua/api/docs/4eeb6a10-b7aa-4396-8b04-e0e4b7fca1lj/4eeb6a10-b7aa-4396-8b04-e0e4b7fca1lj.pdf
[27] https://nvd.nist.gov/vuln/detail/CVE-2022-27926
other 2022 link:
1.https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/
2.https://mp.weixin.qq.com/s/xKKr5UV26npohwvyv79U0w
3.https://lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/
4.https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-againstcatalans-using-pegasus-candiru/
5.https://mp.weixin.qq.com/s/1WtaS7htgiUGhtY_ovERxA
6.https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
7.https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises
8.https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-withnewly-discovered-mobile-malware-280dae5a650f
9.https://mp.weixin.qq.com/s/pd6fUs5TLdBtwUHauclDOQ
10.https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signedbinary/
11.https://mp.weixin.qq.com/s/1pHp4WywrDnNcVBio8lq8w
12.https://www.trellix.com/en-us/about/newsroom/stories/research/prime-ministers-officecompromised.html
13.https://www.cisa.gov/uscert/ncas/alerts/aa22-047a
14.https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/
15.https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-koreaespionage
16.https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-sourcesoftware/
17.https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apttargeting-users-middle-east
18.https://www.cnnindonesia.com/teknologi/20220120191930-185-749298/ahli-sebut-gengransomware-conti-yang-bobol-bi-peretas-berbahaya
19.https://asec.ahnlab.com/en/38993/
20.https://mp.weixin.qq.com/s/QkKrxXbz3rHveokjwEoW-w
21.https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ
22.https://securelist.com/bluenoroff-methods-bypass-motw/108383/
23.https://mp.weixin.qq.com/s/Xs54_RDKU5MvkvsPPCGKEw
24.https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targetscryptocurrency-forex-commodities
25.https://mp.weixin.qq.com/s/1KIFSc3R5WrMklidXWSBaw
26.https://asec.ahnlab.com/en/44680/
27.https://mp.weixin.qq.com/s/PTWzKIPsO92XCP4-pXRDgg
28.https://blog.google/threat-analysis-group/countering-threats-north-korea/
29.https://twitter.com/ESETresearch/status/1559553324998955010
30.https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signedbinary/
31.https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/
32.https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
33.https://unit42.paloaltonetworks.com/trident-ursa/
34.https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor
35.https://ti.qianxin.com/blog/articles/king-of-phishing-analysis-of-kimsuky's-recent-spearphishing-attacks-targeting-south-korea-with-multiple-topics
36.https://ti.qianxin.com/blog/articles/spikes-from-the-kimsuky-organization-targeted-killing-ofsouth-korea-with-multiple-assault-weapons/
37.https://ti.qianxin.com/blog/articles/the-tiger-of-the-forest-entrenched-on-foyan-mountain/
38.https://cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/
39.https://mp.weixin.qq.com/s/GPpOF-SSJbVR3ZHsx8eXgA
40.https://www.malwarebytes.com/blog/threat-intelligence/2022/01/north-koreas-lazarus-aptleverages-windows-update-client-github-in-latest-campaign
41.https://asec.ahnlab.com/en/31089/
42.https://blog.alyac.co.kr/4501
43.https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-aptactivity-update.html
44.https://asec.ahnlab.com/en/32958/
45.https://securelist.com/lazarus-trojanized-defi-app/106195/
46.https://ti.qianxin.com/blog/articles/analysis-of-the-lazarus-group-attacks-on-koreancompanies/
47.https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-jobchemical
48.https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
49.https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-koreaespionage
50.https://ti.qianxin.com/blog/articles/lazarus-armory-update-analysis-of-recent-andarielattacks/
51.https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-tradecraft-using-social-media-and-social-engineering/
52.https://asec.ahnlab.com/en/34461/
53.https://asec.ahnlab.com/en/34694/
54.https://asec.ahnlab.com/ko/34883/
55.https://mp.weixin.qq.com/s/ZV8AOTd7YGUgCTTTZtTktQ
56.https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
57.https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ
58.https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/
59.https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browserextension-sharpext/
60.https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
61.https://mp.weixin.qq.com/s/R8fvBQDHrTA5-VnKINO5Wg
62.https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/
63.https://blog.alyac.co.kr/4892
64.https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
65.https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
66.https://mp.weixin.qq.com/s/MElSffbcrQkBYdVKo3hzFg
67.https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlandsbelgium/
68.https://asec.ahnlab.com/en/40830/
69.https://ti.qianxin.com/blog/articles/job-hunting-trap-analysis-of-lazarus-attack-activitiesusing-recruitment-information-such-as-mizuho-bank-of-japan-as-bait/
70.https://mp.weixin.qq.com/s/OaECtSaeClPzFHslN_WamA
71.https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meetscarcrufts-dolphin/
72.https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applicationsserving-as-front-for-applejeus-malware/
73.https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-koreanactor-apt37/
74.https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-largescale-phishing-attack-on-nft-users-362117600519
75.https://www.netskope.com/blog/abusing-microsoft-office-using-malicious-web-archive-files
76.https://ti.qianxin.com/blog/articles/Samples-of-the-OceanLotus-attack-using-the-Glitchplatform/
77.https://mp.weixin.qq.com/s/5gXllrE1srnHtaFCc-86GA
78.https://mp.weixin.qq.com/s/tBQSbv55lJUipaPWFr1fKw
79.https://mp.weixin.qq.com/s/Ah3pFjYk5AOvKvZPwXod6g
80.https://mp.weixin.qq.com/s/U9LIfVVP5kHBFFt0LN0Q-A
81.https://mp.weixin.qq.com/s/u2iEmGMi-SN2G-Isnp2pdg
82.https://mp.weixin.qq.com/s/LkiNNIx5-FlBO8YY4FxzZw
83.https://mp.weixin.qq.com/s/v2wiJe-YPG0ng87ffBB9FQ
84.https://mp.weixin.qq.com/s/NLe4JqmjiB58IQ5Kn6DSLQ
85.https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-ownweb/
86.https://mp.weixin.qq.com/s/ZNhdLN_AgGfjdk8nG8kLmw
87.https://mp.weixin.qq.com/s/T1-JbC9FsVV2UNnusYPJbw
88.https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
89.https://mp.weixin.qq.com/s/UcAJRnZVG1hrv4VQTp4A5g
90.https://mp.weixin.qq.com/s/epRGn7Tnzx6rXihYXIpIIg
91.https://mp.weixin.qq.com/s/olI67y-qKpDfLGZTOIWXqw
92.http://blog.nsfocus.net/apt-sidewinder-20220218/
93.https://ti.dbappsecurity.com.cn/blog/articles/2022/03/11/bitter-nepal-army-day/
94.https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html
95.https://ti.dbappsecurity.com.cn/blog/articles/2022/04/24/bitter-attack-bd/V
96.https://mp.weixin.qq.com/s/xRumzCNzQ857I7VDg57mBg
97.https://mp.weixin.qq.com/s/_KQJH2_VIjoBp2Msh71odg
98.https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html
99.https://mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg
100.https://blog.group-ib.com/sidewinder-antibot
101.https://mp.weixin.qq.com/s/PxFybr0SmA-lymDQ_L5W-Q
102.https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg
103.https://mp.weixin.qq.com/s/YKSedzm7haO0vPttIqsUAQ
104.https://it.rising.com.cn/anquan/19904.html
105.https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-totarget-bangladesh/
106.https://mp.weixin.qq.com/s/wqcBiOYqPOLlOI6owyHxEw
107.https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html
108.https://blog.checkpoint.com/2022/07/13/a-hit-is-made-suspected-india-based-sidewinderapt-successfully-cyber-attacks-pakistan-military-focused-targets/
109.https://mp.weixin.qq.com/s/U7RiFIlyLGo0aTYttvPQfg
110.https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed
111.https://paper.seebug.org/1943/#1
112.https://mp.weixin.qq.com/s/YB32toWJWdiTBpnSnuypJA
113.https://mp.weixin.qq.com/s/IZNl6N2K1LUU7e1hT4JeYw
114.https://mp.weixin.qq.com/s/heWhL6ev_pigAF_HMR4oLQ
115.https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenalsidewinder-apt-group-0
116.https://mp.weixin.qq.com/s/XMrWLx6KVeoDQ7WzvOcwqA
117.https://mp.weixin.qq.com/s/IwcxY3TqkmyY-pBxnXuM1A
118.https://mp.weixin.qq.com/s/BXjZ6fEgNmLY_l8cZt1FXQ
119.https://www.a.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-targetindian-governmental-organizations
120.https://mp.weixin.qq.com/s/LOZTOz4Lo6cOpeD4mMC29g
121.https://mp.weixin.qq.com/s/NOpFJx4LnMOWhTm0iluFfw
122.https://www.securonix.com/blog/new-steppykavach-attack-campaign/
123.https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-officecompromised.html
124.https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/
125.https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckwormgamaredon-espionage-ukraine
126.https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainianorganizations/
127.http://blog.nsfocus.net/apt-lorec53-20220216/
128.https://www.cisa.gov/uscert/ncas/alerts/aa22-047a
129.https://www.cisa.gov/uscert/ncas/alerts/aa22-054a
130.https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
131.https://mp.weixin.qq.com/s/j2w_cZgprGsM0zTQ5ngEWA
132.https://mp.weixin.qq.com/s/_3DPj9N3nLhDqlWrqsUcfw
133.https://lab52.io/blog/looking-for-penquins-in-the-wild/
134.https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-usescompromised-private-ukrainian-military-emails
135.https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspectedaptorganization-unc1151-against-ukraine-and-other-countries/
136.https://mp.weixin.qq.com/s/YsyeLQDR_LQLfKhigSm2_Q
137.https://securityaffairs.co/wordpress/129337/apt/invisimole-targets-ukraine-government.html
138.https://www.malwarebytes.com/blog/threat-intelligence/2022/04/new-uac-0056-activitytheres-a-go-elephant-in-the-room
139.https://cert.gov.ua/article/39138
140.https://inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc
141.https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckwormintense-campaign-ukraine
142.https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-newcyber-threat-in-ukraine
143.https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns
144.https://cert.gov.ua/article/40102
145.https://mp.weixin.qq.com/s/bIXX0hUITaPkeJ6yf0yWPw
146.https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/
147.https://www.welivesecurity.com/2022/05/20/sandworm-ukraine-new-version-arguepatchmalware-loader/
148.https://mp.weixin.qq.com/s/a94G-QVTGbIc8vu9yL_nww
149.https://mp.weixin.qq.com/s/gJFSlpIlbaI11lcClNN_Xw
150.https://www.malwarebytes.com/blog/threat-intelligence/2022/06/russias-apt28-uses-fear-ofnuclear-war-to-spread-follina-docs-in-ukraine
151.https://inquest.net/blog/2022/06/27/glowsand
152.https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/
153.https://ti.qianxin.com/blog/articles/analysis-of-apt29's-attack-activities-against-italy/
154.https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europeobserved-by-tag/
155.http://blog.nsfocus.net/gamaredon/
156.https://www.mandiant.com/resources/apt29-continues-targeting-microsoft
157.https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html
158.https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunicationproviders-in-ukraine
159.https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bearpowerpoint-graphite/
160.https://www.bleepingcomputer.com/news/security/new-ransomware-attacks-in-ukrainelinked-to-russian-sandworm-hackers/
161.https://www.cyberscoop.com/apt28-fancy-bear-satellite/
162.https://unit42.paloaltonetworks
163.https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-ofmalware-uses-open-source-tools/
164.https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/
165.https://ti.qianxin.com/blog/articles/the-lyceum-organization-uses-military-hotspot-events-asbait-to-target-targeted-attacks-on-the-middle-east/
166.https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-newmodular-powershell-toolkit/
167.https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-aniranian-state-sponsored-threat-actor/
168.https://ti.qianxin.com/blog/articles/Summary-of-MuddyWater's-recent-attack-activity/
169.https://team-cymru.com/blog/2022/01/26/analysis-of-a-management-ip-address-linked-tomolerats-apt/
170.https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
171.https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-addsnew-powershell-backdoor-for-espionage
172.https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html
173.https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinianaligned-espionage
174.https://mp.weixin.qq.com/s/_BQzqAjroi7TBxmT191Vjg
175.https://www.mandiant.com/resources/blog/telegram-malware-iranian-espionage
176.https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_GovernmentSponsored_Actors_Conduct_Cyber_Operations.pdf
177.https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html
178.https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
179.https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
180.https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targetingisraeli-officials
181.https://www.malwarebytes.com/blog/threat-intelligence/2022/05/apt34-targets-jordangovernment-using-new-saitama-backdoor
182.https://mp.weixin.qq.com/s/yjcCYJNUQq6smc3YsBmYhA
183.https://mp.weixin.qq.com/s/WBCGGLog3IwJhXZmbjxoTQ
184.https://lab52.io/blog/muddywaters-light-first-stager-targetting-middle-east/
185.https://mp.weixin.qq.com/s/1uJaPS-nuGNI8lQ1-ZekIA
186.https://www.avertium.com/resources/threat-reports/in-depth-look-at-apt35-aka-charmingkitten
187.https://www.deepinstinct.com/blog/new-muddywater-threat-old-kitten-new-tricks
188.https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/
189.https://mp.weixin.qq.com/s/eyIfchJVi9kJq_the8TIBQ
190.https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-europeanprivate-sector-offensive-actor-using-0-day-exploits/
191.https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA
192.https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping
193.http://blog.nsfocus.net/murenshark/
194.https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
195.https://www.sentinelone.com/labs/the-mystery-of-metador-an-unattributed-threat-hiding-intelcos-isps-and-universities/
196.https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchettysteganography-espionage
197.https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainiangovernment
198.https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/view#gid=0
199.https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewallexploitation-and-an-insidious-breach/
200.https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/
201.https://www.ncsgroup.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rcevulnerability-on-microsoft-exchange-server-12715.html
202.https://mp.weixin.qq.com/s/VeyE0LVqWXsQ2slahU5AWQ
203.https://ti.qianxin.com/blog/articles/operation-dragon-breath-(apt-q-27)-dimensionalityreduction-blow-to-the-gambling-industry/