// APT & THREAT ACTORS

Collection of Advanced Persistent Threat groups, ransomware gangs, malware operators, and threat actors encountered during malware analysis, reverse engineering, threat hunting, IOC tracking, and cybersecurity research.

This research presents a series of technical analyses of Advanced Persistent Threat (APT) groups — nation-state actors, ransomware operators, and financially motivated threat actors responsible for some of the most impactful cyber operations on record. Each entry combines threat intelligence with practical malware analysis, examining malware samples attributed to the group through both static and dynamic analysis techniques. Reverse engineering is performed to understand the malware's internal functionality, including its execution flow, persistence mechanisms, command-and-control (C2) communication, anti-analysis techniques, and overall capabilities.

Based on the analysis, Indicators of Compromise (IOCs) are extracted and mapped to the MITRE ATT&CK framework to provide a structured view of the adversary's tactics, techniques, and procedures (TTPs). Detection artifacts such as YARA rules are developed to facilitate malware identification and support threat hunting and incident response activities. The objective of this research collection is to provide a comprehensive, practitioner-focused understanding of each threat actor while demonstrating a repeatable malware analysis workflow applicable to future threat research.

The primary objectives of each threat actor research entry are:

  1. Provide an overview of the threat actor, including its history, attribution, objectives, and major cyber campaigns.
  2. Examine the group's tactics, techniques, and procedures (TTPs) using publicly available threat intelligence and original analysis.
  3. Analyze malware samples associated with the selected threat actor through static and dynamic analysis.
  4. Reverse engineer the malware to understand its internal architecture and functionality.
  5. Identify persistence mechanisms, anti-analysis techniques, command-and-control protocols, and other malicious capabilities.
  6. Extract Indicators of Compromise (IOCs) including file hashes, domains, IP addresses, registry keys, mutexes, and network artifacts.
  7. Map observed behaviors to the MITRE ATT&CK framework.
  8. Develop YARA rules capable of detecting the analyzed malware samples.
  9. Document the complete analysis process to serve as a reference for malware analysts, reverse engineers, and cybersecurity researchers.

Each research entry follows a structured malware analysis methodology consisting of multiple phases:

PHASE 01

Threat Intelligence Collection — Collecting threat intelligence from public reports, academic publications, security vendors, and malware repositories to establish background information on the threat actor and the selected malware family.

PHASE 02

Sample Collection & Lab Setup — Representative malware samples are collected and analyzed within an isolated virtual laboratory to ensure safe execution.

PHASE 03

Static Analysis — Examining Portable Executable (PE) structures, imported functions, embedded resources, strings, configurations, and indicators of obfuscation without executing the sample.

PHASE 04

Dynamic Analysis — Observing runtime behavior including process creation, file system modifications, registry changes, persistence mechanisms, and network communications in a controlled environment.

PHASE 05

Reverse Engineering — Using professional disassembly and debugging tools to understand the malware's internal logic, configuration parsing, encryption routines, command handlers, and anti-analysis features.

PHASE 06

IOC Extraction & ATT&CK Mapping — Correlating static and dynamic findings to extract IOCs, document capabilities, and map behaviors to the MITRE ATT&CK framework.

PHASE 07

Detection Engineering — Developing and validating YARA detection rules to identify the analyzed malware samples and support threat hunting and incident response activities.


// APT RESEARCH ENTRIES
Lazarus Group
Hidden Cobra / Zinc
North Korean threat actor associated with destructive malware, cryptocurrency theft, ransomware, and financial attacks.
RANSOMWARE CRYPTO BANKING
CRITICAL
CLICK TO EXPAND ↓

OVERVIEW

Lazarus Group is responsible for financial cyber operations, destructive attacks, supply-chain compromises, cryptocurrency theft, espionage campaigns, and high-profile attacks against governments, defense contractors, and financial institutions worldwide.

KNOWN MALWARE

  • AppleJeus
  • Destover
  • Volgmer
  • FALLCHILL
  • Dacls
  • Manuscrypt
  • Gopuram
  • VEILEDSIGNAL
  • ICONICSTEALER
  • AppleSeed