APT list

Fields: Name, Description, Target countries, Target sectors, Aliases
Name: APT1
Description: APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s
  Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military
  Unit Cover Designator (MUCD) as Unit 61398.
Target countries: Singapore, Canada, South Africa, USA, Switzerland, Norway, Taiwan, Israel, Luxembourg,
  United Arab Emirates, United Kingdom, Belgium, France, India, Japan
Target sectors: aerospace, communications, construction, education, energy, financial-services,
  government-national, government-public-services, healthcare, infrastructure, manufacturing, non-profit,
  pharmaceuticals, retail, technology, telecommunications, transportation, entertainment, agriculture,
  mining
Aliases: Operation Siesta, Group 3, Shanghai Group, BrownFox, Comment Panda, Comment Group, Operation
  Oceansalt, Operation Seasalt, PLA Unit 61398, Comment Crew, Byzantine Candor, ShadyRAT, Byzantine Hades,
  TG-8223, Brown Fox, GIF89a
Name: Red Apollo
Description: Red Apollo (also known as APT 10 (by Mandiant), MenuPass (by FireEye), Stone Panda (by
  CrowdStrike), and POTASSIUM (by Microsoft)) is a Chinese cyberespionage group. A 2018 indictment by the
  Federal Bureau of Investigation claimed that they were a state-sponsored group linked to the Tianjin
  Field Office of the Ministry of State Security, operating since 2006.
  (https://en.wikipedia.org/wiki/Red_Apollo)
Target countries: Japan, Canada, France, Australia, South Africa
Target sectors: technology, automotive
Aliases: Stone Panda, APT 10, MenuPass, Menupass Team, menuPass, menuPass Team, happyyongzi, POTASSIUM,
  DustStorm, Red Apollo, CVNX, HOGFISH, Cloud Hopper
Name: Wekby
Description: Wekby was described by Palo Alto Networks in a 2015 report as: ‘Wekby is a group that has
  been active for a number of years, targeting various industries such as healthcare, telecommunications,
  aerospace, defense, and high tech. The group is known to leverage recently released exploits very
  shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day
  exploit.’ (https://malpedia.caad.fkie.fraunhofer.de/actor/wekby)
Target countries: United States
Target sectors: transportation, telecommunications, healthcare, education, construction, aerospace,
  defence, technology
Aliases: Dynamite Panda, TG-0416, APT 18, SCANDIUM, PLA Navy

Name: APT28
Description: APT28 is a threat group that has been attributed to Russia’s Main Intelligence Directorate of
  the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly
  compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic
  Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.
  APT28 has been active since at least 2004.
Target countries: Ukraine, South Africa, Lebanon, China, Norway, Mongolia, Thailand, Israel, Kazakhstan,
  Pakistan, France, Afghanistan, Germany, Russia, Poland, Montenegro, Lithuania, Turkey, Romania,
  Slovakia, Switzerland, Mexico, Malaysia, Spain, Luxembourg, Sweden, UK, Uganda, Croatia, Portugal,
  United States, Belarus, Ireland, Tajikistan, Latvia, Chile, Azerbaijan, Netherlands, Jordan, Armenia,
  Chechnya, Iraq, Iran, Japan, Georgia, United Arab Emirates, Canada, Australia, Bulgaria, Kyrgyzstan,
  Czech Republic, New Zealand, Slovenia, Cyprus, South Korea, Uzbekistan, Hungary, Belgium, Brazil, India
Target sectors: automotive, aerospace, communications, construction, defence, education, energy,
  financial-services, government-national, government-public-services, healthcare, infrastructure,
  manufacturing, non-profit, pharmaceuticals, retail, technology, telecommunications, transportation,
  utilities
Aliases: Yttrium, Fancy Bear, SIG40, TsarTeam, ATK 5, Operation Russian Doll, PawnStorm, Tsar Team, The
  Dukes, Operation Ghost, Swallowtail, ATK 7, Operation DealersChoice, STRONTIUM, Operation Komplex,
  ITG05, IRON TWILIGHT, Operation Office monkeys, ITG11, TAG_0700, Grizzly Steppe, Group 74, Iron Hemlock,
  Iron Twilight, Operation Pawn Storm, Sednit, Operation Dear Joohn, T-APT-12, apt_sofacy, Pawn Storm,
  Strontium, Group-4127, Group 100, CloudLook, Minidionis

Name: APT29
Description: APT29 is a threat group that has been attributed to the Russian government and has operated
  since at least 2008. This group reportedly compromised the Democratic National Committee starting in
  the summer of 2015.
Target countries: Belgium, Brazil, China, Georgia, India, Japan, Kazakhstan, Mexico, New Zealand,
  Portugal, Romania, South Korea, Turkey, Ukraine, United States
Target sectors: government-national, pharmaceuticals, retail
Aliases: Dukes, Group 100, Cozy Duke, CozyDuke, EuroAPT, CozyBear, CozyCar, Cozer, Office Monkeys,
  OfficeMonkeys, Cozy Bear, The Dukes, Minidionis, SeaDuke, Hammer Toss, YTTRIUM, Iron Hemlock, Grizzly
  Steppe

Name: APT31
Description: FireEye characterizes APT31 as an actor specialized in intellectual property theft, focusing
  on data and projects that make a particular organization competitive in its field. Based on available
  data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese
  Government. Also according to CrowdStrike, this adversary is suspected of continuing to target upstream
  providers (e.g., law firms and managed service providers) to support additional intrusions against
  high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs”
  and scheduled tasks to automate credential harvesting.
Target sectors: aerospace, communications, technology, construction, telecommunications,
  government-national
North Korea
Name: APT38
Description: APT38 is a financially-motivated threat group that is backed by the North Korean regime. The
  group mainly targets banks and financial institutions and has targeted more than 16 organizations in at
  least 13 countries since at least 2014.
Target countries: China, Thailand, Ecuador, Philippines, Israel, France, Germany, Poland, Hong Kong,
  Russia, Taiwan, Mexico, United Kingdom, United States, Chile, Guatemala, Japan, Bangladesh, Canada,
  Australia, South Korea, Vietnam, Brazil, India
Target sectors: aerospace, construction, government-national, retail, technology, financial-services,
  entertainment
Aliases: Operation VANXATM, Zinc, Operation Troy, T-APT-15, Operation Flame, Operation BLACKMINE,
  Appleworm, Hastati Group, Operation DarkSeoul, Lazarus Group, Operation North Star, Operation
  DESERTWOLF/Phase 3, Operation Mayday, Operation Blockbuster: Breach of Sony Pictures Entertainment,
  Dark Seoul, Operation FASTCash, Operation INITROY/Phase 2, Group 77, Operation In(ter)caption, Operation
  BLACKSHEEP/Phase 3, Bureau 121, ATK 117, ITG03, APT-C-26, SectorA01, Operation GhostSecret, Nickel
  Academy, NewRomanic Cyber Army Team, Subgroup: Bluenoroff, Andariel, Stardust Chollima, Operation
  INITROY/Phase 1, Operation GoldenAxe, Bluenoroff, Silent Chollima, Operation Ten Days of Rain /
  DarkSeoul, Operation Sharpshooter, Unit 121, Operation AppleJeus sequel, Operation AppleJeus, Hidden
  Cobra, ATK 3, Labyrinth Chollima, Operation GHOSTRAT, Operation XEDA, Whois Hacking Team, Guardians of
  Peace, HIDDEN COBRA
Name: Leviathan
Description: Leviathan is an espionage actor targeting organizations and high-value targets in defense and
  government. Active since at least 2014, this actor has long-standing interest in maritime industries,
  naval defense contractors, and associated research institutions in the United States and Western
  Europe.
Target countries: United States, United Kingdom, Norway, Germany, Saudi Arabia, Cambodia, Indonesia
Target sectors: communications, transportation, technology, defence, government-national, education,
  manufacturing, utilities
Aliases: Leviathan, TEMP.Periscope, TEMP.Jumper, APT 40

Name: APT41
Description: APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to
  financially motivated activity. APT41 has been active since as early as 2012. The group has been
  observed targeting healthcare, telecom, technology, and video game industries in 14 countries.
Target countries: Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico,
  Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, United Arab Emirates, United
  Kingdom, United States, South Korea, Taiwan, Vietnam, Pakistan, Chile, Indonesia, Thailand
Target sectors: aerospace, transportation, government-national, pharmaceuticals, energy, technology,
  telecommunications, communications, entertainment, construction, healthcare, financial-services,
  manufacturing, defence, retail, education
Aliases: Double Dragon, Group72, WinNTI, Axiom, APT22, Tailgater Team, Ragebeast, Wicked Panda, Deputy
  Dog, Dogfish, Wicked Spider, Winnti Umbrella, Barium, Pigfish, Blackfly, Winnti Group, Suckfly, APT17

Name: Evil Corp
Description: Evil Corp is the Russia-based cybercriminal organization responsible for the development and
  distribution of the Dridex malware. The Dridex malware is a multifunctional malware package that is
  designed to automate the theft of confidential information, including online banking credentials, from
  infected computers. Dridex is traditionally spread through massive phishing email campaigns that seek to
  entice victims to click on malicious links or attachments embedded within the emails. Once a system is
  infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank
  accounts to accounts controlled by the group. As of 2016, Evil Corp had harvested banking credentials
  from customers at approximately 300 banks and financial institutions in over 40 countries, making the
  group one of the main financial threats faced by businesses. In particular, Evil Corp heavily targets
  financial services sector organizations located in the United States and the United Kingdom. Through
  their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is
  likely that the total of their illicit proceeds is significantly higher. As a result of this activity,
  Evil Corp is being designated pursuant to E.O. 13694, as amended, for engaging in cyber-enabled
  activities that have the effect of causing a significant misappropriation of funds or economic
  resources for private financial gain.
Target countries: United States, United Kingdom, Europe
Target sectors: financial-services, technology