APT list

Name | Description | Target countries | Target sectors | Aliases

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)

Singapore, Canada, South Africa, USA, Switzerland, Norway, Taiwan, Israel, Luxembourg, United Arab Emirates, United Kingdom, Belgium, France, India, Japan

aerospace, communications, construction, education, energy, financial-services, government-national, government-public-services, healthcare, infrastructure, manufacturing, non-profit, pharmaceuticals, retail, technology, telecommunications, transportation, entertainment, agriculture, mining

Operation Siesta, Group 3, Shanghai Group, BrownFox, Comment Panda, Comment Group, Operation Oceansalt, Operation Seasalt, PLA Unit 61398, Comment Crew, Byzantine Candor, ShadyRAT, Byzantine Hades, TG-8223, Brown Fox, GIF89a


Red Apollo (also known as APT 10 (by Mandiant), MenuPass (by FireEye), Stone Panda (by CrowdStrike), and POTASSIUM (by Microsoft)) is a Chinese cyberespionage group. A 2018 indictment by the Federal Bureau of Investigation claimed that they were a state-sponsored group linked to the Tianjin Field Office of the Ministry of State Security, operating since 2006. (https://en.wikipedia.org/wiki/Red_Apollo)

Japan, Canada, France, Australia, South Africa

technology, automotive, pharmaceuticals

Stone Panda, APT 10, MenuPass, Menupass Team, menuPass, menuPass Team, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, Cloud Hopper, BRONZE RIVERSIDE


Wekby was described by Palo Alto Networks in a 2015 report as: ‘Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam's Flash zero-day exploit.’ (https://malpedia.caad.fkie.fraunhofer.de/actor/wekby)

United States

transportation, telecommunications, healthcare, education, construction, aerospace, defence, technology

Dynamite Panda, TG-0416, APT 18, SCANDIUM, PLA Navy, Wekby


APT28 is a threat group that has been attributed to Russia’s Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. APT28 has been active since at least 2004. (https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)

Ukraine, South Africa, Lebanon, China, Norway, Mongolia, Thailand, Israel, Kazakhstan, Pakistan, France, Afghanistan, Germany, Russia, Poland, Montenegro, Lithuania, Turkey, Romania, Slovakia, Switzerland, Mexico, Malaysia, Spain, Luxembourg, Sweden, UK, Uganda, Croatia, Portugal, United States, Belarus, Ireland, Tajikistan, Latvia, Chile, Azerbaijan, Netherlands, Jordan, Armenia, Chechnya, Iraq, Iran, Japan, Georgia, United Arab Emirates, Canada, Australia, Bulgaria, Kyrgyzstan, Czech Republic, New Zealand, Slovenia, Cyprus, South Korea, Uzbekistan, Hungary, Belgium, Brazil, India

automotive, aerospace, communications, construction, defence, education, energy, financial-services, government-national, government-public-services, healthcare, infrastructure, manufacturing, non-profit, pharmaceuticals, retail, technology, telecommunications, transportation, utilities

Yttrium, Fancy Bear, SIG40, TsarTeam, ATK 5, Operation Russian Doll, PawnStorm, Tsar Team, The Dukes, Operation Ghost, Swallowtail, ATK 7, Operation DealersChoice, STRONTIUM, Operation Komplex, ITG05, IRON TWILIGHT, Operation Office monkeys, ITG11, TAG_0700, Grizzly Steppe, Group 74, Iron Hemlock, Iron Twilight, Operation Pawn Storm, Sednit, Operation Dear Joohn, T-APT-12, apt_sofacy, Pawn Storm, Strontium, Group-4127, Group 100, CloudLook, Minidionis, TG-4127, SNAKEMACKEREL, Sofacy


APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)

Belgium, Brazil, China, Georgia, India, Japan, Kazakhstan, Mexico, New Zealand, Portugal, Romania, South Korea, Turkey, Ukraine, United States

government-national, pharmaceuticals, retail

Dukes, Group 100, Cozy Duke, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys, OfficeMonkeys, Cozy Bear, The Dukes, Minidionis, SeaDuke, Hammer Toss, YTTRIUM, Iron Hemlock, Grizzly Steppe


FireEye characterizes APT31 as an actor specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to CrowdStrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting. (https://malpedia.caad.fkie.fraunhofer.de/actor/apt31)


aerospace, communications, technology, construction, telecommunications, government-national



APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

Saudi Arabia, South Korea, United States

aerospace, energy, defence, technology, telecommunications, government-national

Elfin Team, Refined Kitten, Magnallium, Holmium, TA451, COBALT TRINITY


FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long-term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors. (source: https://malpedia.caad.fkie.fraunhofer.de/actor/apt35)

China, Israel, Pakistan, France, Germany, Kuwait, Turkey, Mexico, United Kingdom, United States, Netherlands, Qatar, United Arab Emirates, Canada, South Korea, Saudi Arabia, India

transportation, utilities, telecommunications, energy, aviation, education, healthcare, government-national, technology, aerospace, financial-services, mining, defence

Newscaster Team, Magic Hound, TEMP.Beanie, Tarh Andishan, TG-2889, Ghambar, Group 41, Operation Cleaver, Rocket_Kitten, Cobalt Gypsy, Cutting Kitten, Phosphorus, Ajax Security, NewsBeef, Turk Black Hat, Charming Kitten, Parastoo, iKittens

North Korea

APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014. (https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)

China, Thailand, Ecuador, Philippines, Israel, France, Germany, Poland, Hong Kong, Russia, Taiwan, Mexico, United Kingdom, United States, Chile, Guatemala, Japan, Bangladesh, Canada, Australia, South Korea, Vietnam, Brazil, India

aerospace, construction, government-national, retail, technology, financial-services, entertainment

Operation VANXATM, Zinc, Operation Troy, T-APT-15, Operation Flame, Operation BLACKMINE, Appleworm, Hastati Group, Operation DarkSeoul, Lazarus Group, Operation North Star, Operation DESERTWOLF/Phase 3, Operation Mayday, Operation Blockbuster: Breach of Sony Pictures Entertainment, Dark Seoul, Operation FASTCash, Operation INITROY/Phase 2, Group 77, Operation In(ter)caption, Operation BLACKSHEEP/Phase 3, Bureau 121, ATK 117, ITG03, APT-C-26, SectorA01, Operation GhostSecret, Nickel Academy, NewRomanic Cyber Army Team, Subgroup: Bluenoroff, Andariel, Stardust Chollima, Operation INITROY/Phase 1, Operation GoldenAxe, Bluenoroff, Silent Chollima, Operation Ten Days of Rain / DarkSeoul, Operation Sharpshooter, Unit 121, Operation AppleJeus sequel, Operation AppleJeus, Hidden Cobra, ATK 3, Labyrinth Chollima, Operation GHOSTRAT, Operation XEDA, Whois Hacking Team, Guardians of Peace, HIDDEN COBRA


Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe. (https://malpedia.caad.fkie.fraunhofer.de/actor/leviathan)

United States, United Kingdom, Norway, Germany, Saudi Arabia, Cambodia, Indonesia

communications, transportation, technology, defence, government-national, education, manufacturing, utilities

Leviathan, TEMP.Periscope, TEMP.Jumper, APT 40, BRONZE MOHAWK, GADOLINIUM, Kryptonite Panda


APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. (https://medium.com/datadriveninvestor/top-famous-and-active-apt-groups-who-can-turn-life-to-a-nightmare-5d130168f43)

Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States, South Korea, Taiwan, Vietnam, Pakistan, Chile, Indonesia, Thailand

aerospace, transportation, government-national, pharmaceuticals, energy, technology, telecommunications, communications, entertainment, construction, healthcare, financial-services, manufacturing, defence, retail, education

Double Dragon, Group72, WinNTI, Axiom, APT22, Tailgater Team, Ragebeast, Wicked Panda, Deputy Dog, Dogfish, Wicked Spider, Winnti Umbrella, Barium, Pigfish, Blackfly, Winnti Group, Suckfly, APT17


Evil Corp is the Russia-based cybercriminal organization responsible for the development and distribution of the Dridex malware. The Dridex malware is a multifunctional malware package that is designed to automate the theft of confidential information, to include online banking credentials from infected computers. Dridex is traditionally spread through massive phishing email campaigns that seek to entice victims to click on malicious links or attachments embedded within the emails. Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group. As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses. In particular, Evil Corp heavily targets financial services sector organizations located in the United States and the United Kingdom. Through their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is likely that the total of their illicit proceeds is significantly higher. As a result of this activity, Evil Corp is being designated pursuant to E.O. 13694, as amended, for engaging in cyber-enabled activities that have the effect of causing a significant misappropriation of funds or economic resources for private financial gain. (https://home.treasury.gov/news/press-releases/sm845)

United States, United Kingdom, Europe

financial-services, technology



Turla has been in operation since the early 2000s. The group focuses on espionage, targeting government entities and embassies in up to 100 countries. Turla is believed to be behind attacks on the U.S. State Department, NASA, U.S. Central Command (CENTCOM) and various embassies located in European countries. (source: https://www.bluvector.io/threat-report-turla-apt-anti-detection/) The NCSC has observed the Turla group using the Neuron and Nautilus malicious tools designed to operate on Microsoft Windows platforms, primarily targeting mail servers and web servers. These tools are being used to maintain persistent network access and to conduct operations that compromise networks for the purposes of intelligence collection. (source: https://www.ncsc.gov.uk/news/turla-group-malware)

United Kingdom, United States, Russia, Kazakhstan, Poland, China, Vietnam, Ukraine, Germany, India, France, Iran, Latvia, Belarus, Algeria, Brazil, Ecuador, Spain, Mexico, Saudi Arabia, Serbia, Iraq, Uzbekistan, Romania, Tajikistan, Armenia, Netherlands

government-national, technology, energy, retail, pharmaceuticals, education, defence

Turla, Snake, Venomous Bear, VENOMOUS Bear, Group 88, Waterbug, WRAITH, Turla Team, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, Iron Hunter, MAKERSMARK