Collection of Advanced Persistent Threat groups, ransomware gangs, malware operators, and threat actors encountered during malware analysis, reverse engineering, threat hunting, IOC tracking, and cybersecurity research.
This research presents a series of technical analyses of Advanced Persistent Threat (APT) groups — nation-state actors, ransomware operators, and financially motivated threat actors responsible for some of the most impactful cyber operations on record. Each entry combines threat intelligence with practical malware analysis, examining malware samples attributed to the group through both static and dynamic analysis techniques. Reverse engineering is performed to understand the malware's internal functionality, including its execution flow, persistence mechanisms, command-and-control (C2) communication, anti-analysis techniques, and overall capabilities.
Based on the analysis, Indicators of Compromise (IOCs) are extracted and mapped to the MITRE ATT&CK framework to provide a structured view of the adversary's tactics, techniques, and procedures (TTPs). Detection artifacts such as YARA rules are developed to facilitate malware identification and support threat hunting and incident response activities. The objective of this research collection is to provide a comprehensive, practitioner-focused understanding of each threat actor while demonstrating a repeatable malware analysis workflow applicable to future threat research.
The primary objectives of each threat actor research entry are:
Each research entry follows a structured malware analysis methodology consisting of multiple phases:
Threat Intelligence Collection — Collecting threat intelligence from public reports, academic publications, security vendors, and malware repositories to establish background information on the threat actor and the selected malware family.
Sample Collection & Lab Setup — Representative malware samples are collected and analyzed within an isolated virtual laboratory to ensure safe execution.
Static Analysis — Examining Portable Executable (PE) structures, imported functions, embedded resources, strings, configurations, and indicators of obfuscation without executing the sample.
Dynamic Analysis — Observing runtime behavior including process creation, file system modifications, registry changes, persistence mechanisms, and network communications in a controlled environment.
Reverse Engineering — Using professional disassembly and debugging tools to understand the malware's internal logic, configuration parsing, encryption routines, command handlers, and anti-analysis features.
IOC Extraction & ATT&CK Mapping — Correlating static and dynamic findings to extract IOCs, document capabilities, and map behaviors to the MITRE ATT&CK framework.
Detection Engineering — Developing and validating YARA detection rules to identify the analyzed malware samples and support threat hunting and incident response activities.
Lazarus Group is responsible for financial cyber operations, destructive attacks, supply-chain compromises, cryptocurrency theft, espionage campaigns, and high-profile attacks against governments, defense contractors, and financial institutions worldwide.