Skip to main content


Top 20+ Advanced Persistent Threat Teams

An advanced persistent threat (APT) is an attack or state-sponsored group that occurs when an unauthorized user utilizes advanced and sophisticated techniques to gain access to a system or network. Phishing, ransomware, malware, and data breaches are common techniques used by APTs to attack their targets. Below is a list of the top 20+ advanced persistent threat actors:


Lazarus Group

  • AKA: APT38, Gods Apostles, Gods Disciples, Guardians of Peace, ZINC, Whois Team, Hidden Cobra
  • Targets: Bitcoin exchanges, Cryptocurrency, and Sony Corp; South Korea, United States, Australia, Germany, Guatemala, Hong Kong, India, Israel, Japan Russia, Mexico
  • Techniques/Tools: Bankshot, DDoS, EternalBlue, Mimikatz, Bankshot, Http Troy, PowerShell RAT
  • Significant Attack: 2014 Sony Pictures Hack, Operation Troy, WannaCry Software, Covid-19 Spear Phishing, New Mac variant of Lazarus Dacis RAT distributed
  • Location: North Korea



  • AKA: Dark Halo, Nobelium, SilverFish, StellarParticle
  • Targets: SolarWinds, Pentagon, United Kingdom Government, European Parliament
  • Techniques/Tools: Supply chain attack
  • Significant Attack: SolarWinds Orion software attack
  • Location: Unknown


Equation Group

  • AKA: Tilded Team
  • Targets: Afghanistan, Iran, India, Mali, Pakistan, Syria
  • Techniques/Tools: DoublePulsar, EQUATIONDRUG, FANNY, Lambert, Regin, GRAYFISH, Duqu, Flame
  • Significant Attack: iOS exploit 2020
  • Location: United States


Wizard Spider

  • AKA: Grim Spider, Gold Blackburn
  • Targets: Defense, financial, government, and telecommunications sectors; worldwide
  • Techniques/Tools: AdFind, Anchor, BazarBackdoor, BloodHound, Cobalt Strike, Dyre, Gophe, Invoke SMBAutoBrute, LaZagne, PowerSploit, PowerTrick, Ryuk, SessionGopher, TrickBot, TrickMo, Upatre
  • Significant Attack: Trickbot campaigns in Italy targeting COVID-19
  • Location: Russia



  • AKA: Anunak, Carbon Spider
  • Targets: Australia, Austria, Brazil, Bulgaria, Canada, China, Czech, France, Germany, Hong Kong, Iceland, India, Luxembourg, Morocco, Nepal, Norway, Pakistan, Poland, Russia, Spain, Sweden, Switzerland, Taiwan, UK, Ukraine, USA, Uzbekistan
  • Techniques/Tools: Antak, Ave Maria, BABYMETAL, Backdoor Batel, Bateleur, BELLHOP, Boostwrite, Cain & Abel, Carbanak, Cobalt Strike, DNSMessenger, DNSRat, DRIFTPIN, FlawedAmmyy, Griffon, HALFBAKED, Harpy, JS Flash, KLRD, Mimikatz, MBR Eraser, Odinaff, POWERPIPE, POWERSOURCE, PsExec, SocksBot, SoftPerfect Network Scanner, SQLRAT, TeamViewer, TinyMet
  • Significant Attack: Bank and financial institutions were targeted with one victim losing $7.3 million and another losing $10 million
  • Location: Ukraine


Sandworm Team

  • AKA: Telebots, Electrum, Voodoo Bear, Iron Viking
  • Targets: Industrial control systems and SCADA; Georgia, Iran, Israel, Russia, Ukraine, Kazakhstan
  • Techniques/Tools: BlackEnergy, Gcat, PassKillDisk, PsList
  • Significant Attack: Widespread power outage in Ukraine, Russian military hack, cyber espionage attacks against NATO
  • Location: Russia


Evil Corp

  • AKA: Indirk Spider
  • Targets: Financial, government, and healthcare sectors
  • Techniques/Tools: BitPaymer, Cobalt Strike, Cridex, Dridex, EmpireProject, FriedEx, Mimikatz, PowerSploit, PsExec, WastedLocker
  • Significant Attack: BitPaymer ransomware paralyzed the IT systems of an Alaskan town, Arizona Beverages knocked offline by ransomware attack, Apple Zero-Day exploited in new BitPaymer campaign, Treasury sanctions Evil Corp, the Russia-based cybercriminal group behind Dridex malware
  • Location: Russia


Fancy Bear

  • AKA: APT28, Sofacy, Sednit
  • Targets: Democratic National Committee and Democratic National Convention; Germany, United States, Ukraine
  • Techniques/Tools: Cannon, Coreshell, Responder, MimiKatz, spear-phishing
  • Significant Attack: U.S. Department of Justice indictment 
  • Location: Russia



  • AKA: Emissary Panda, Iron Tiger, APT27
  • Targets: Aerospace, education, and government sectors; Australia, Canada, China, Hong Kong, India, Iran, Israel, Japan, Middle East, Philippines, Russia, Spain, South Korea, Taiwan, Thailand, Tibet, Turkey, UK, and USA
  • Techniques/Tools: Antak, ASPXSpy, China Chopper, Gh0st RAT, gsecdump, HTTPBrowser, Htran, Hunter, HyperBro, Mimikatz, Nishang, OwaAuth, PlugX, ProcDump, PsExec, TwoFace, SysUpdate, Windows Credentials Editor, ZXShell, Living off the Land
  • Significant Attack: Operation Iron Tiger
  • Location: China



  • AKA: REvil, Sodin Targets: GandCrab, Oracle, Golden Gardens
  • Techniques/Tools: REvil ransomware, privilege escalation, PowerShell, Sodinokibi ransomware
  • Significant Attack: Breached managed service providers, impacting hundreds of dental offices
  • Location: Unknown



  • Targets: European Union, India, United Kingdom
  • Techniques/Tools: Cobalt Strike, Mimikatz, MS Exchange Tool, phishing, Royal DNS
  • Significant Attack: Attack on a company that provides a range of services to UK government
  • Location: China



  • Targets: British Airways, eCommerce, Magento, Newegg, Ticketmaster Entertainment
  • Techniques/Tools: Web-skimmers, skimmer scripts
  • Significant Attack: Ticketmaster breach



  • AKA: APT 34, Crambus, Helix Kitten, Twisted Kitten, Chrysene
  • Targets: Aviation, chemical, education, and energy sectors; Iran, Israel, Middle Eastern government; Saudi Arabia, United States
  • Techniques/Tools: GoogleDrive RAT, HyperShell, ISMDoor, Mimikatz, PoisonFrog, SpyNote, Tasklist, Webmask
  • Significant Attack: Shamoon v3 attack against targets in Middle East Asia, Karkoff
  • Location: Iran


Comment Crew

  • AKA: APT 1, Byzantine Hades, Comment Panda, Shanghai Group
  • Targets: Aerospace, chemical, construction, education, energy, engineering, entertainment, financial, and IT sectors; Belgium, Canada, France, India, Insrael, Japan, Luxembourg, Norway, Singapore, South Africa, Switzerland, Tawan, United Kingdom, United States
  • Techniques/Tools: GetMail, Mimikatz, Pass-The Hash toolkit, Poison Ivy, WebC2 significant attack: Operation “Oceansalt”
  • Location: China


Temper Panda

  • AKA: Admn@338, Magnesium, Team338
  • Targets: Financial, government, media sectors; Hong Kong, United States
  • Techniques/Tools: Bozok, LOWBALL, Poison Ivy, Systeminfo, Poison Ivy, Living off the Land
  • Location: China


Syrian Electronic Army

  • AKA: Deadeye Jackal, SEA, Syria Malware Team
  • Targets: Facebook, Forbes, Microsoft, Skype; Canada, France, United States, United Kingdom
  • Techniques/Tools: DDoS, malware, phishing, spamming, website defacement
  • Significant Attack: Defacement attacks against news websites such as BBC News, Associated Press, National Public Radio, CBC News, The Daily Telegraph, The Washington Post
  • Location: Syria



  • AKA: TwoForOne
  • Targets: Malaysia, Indonesia, Vietnam
  • Techniques/Tools: AMTsol, Dipsind, hot-patching vulnerabilities, spear-phishing, Titanium, zero-day exploits
  • Significant Attack: Southeast Asia attack
  • Location: China



  • Targets: Brazil, Kazakhstan, Russia, Thailand, Turkey
  • Techniques/Tools: EternalBlue, EternalRomance, Mimikatz, PlugX, SysInternals
  • Significant Attack: Attacked governments in India, Brazil, Kazakhstan, Brazil, Russia, Thailand, Turkey
  • Location: China 


Numbered Panda

  • AKA: APT 12, Calc Team, Crimson Iron
  • Targets: Organizations in East Asia, media outlets, high-tech companies and governments, New York Times
  • Techniques/Tools: DynCalc, DNSCalc, HIGHTIDE, RapidStealer, spear-phishing
  • Significant Attack: New York Times breach, Taiwanese government
  • Location: China


Cozy Bear

  • AKA: APT 29, CloudLook, Grizzly Steppe, Minidionis, Yttrium
  • Targets: Norwegian Government, United States
  • Techniques/Tools: Cobalt Strike, CozyDuke, Mimikatz, spear-phishing
  • Significant Attacks: Attack on the Pentagon, phishing campaign in the USA
  • Location: Russia



  • AKA: APT 33, Magnallium
  • Targets: Aerospace and energy sectors; Saudi Arabia, South Korea, United States
  • Techniques/Tools: Mimikatz, NETWIRE RC, PowerSploit, Shamoon
  • Significant Attacks: Organizations in Saudi Arabia and US
  • Location: Supported by government of Iran


Charming Kitten

  • AKA: Group 83, NewsBeef, Newscaster, APT 35
  • Targets: Saudi Arabia, Israel, Iraq, United Kingdom, U.S. government/defense sector websites
  • Techniques/Tools: DownPaper, FireMalv, MacDownloader
  • Significant Attack: HBO cyberattack
  • Location: Iran


Team TNT

  • Targets: Amazon, Kubernetes, Windows, Alpine, Docker
  • Techniques/Tools: Cryptojacking. Botnets, Cryptominers, TNTbotinger
  • Significant Attack: AWS Worm attack, Chimaera campaign
  • Location: Unknown


Mythic Leopard

  • AKA: APT 36, ProjectM, TEMP. Lapis, Transparent Tribe
  • Targets: India, Indian Army
  • Techniques/Tools: Andromeda, beendoor, Bozok, Breachrat, spear-phishing
  • Significant Attack: Spreading fake coronavirus health advisory
  • Location: Pakistan


Muddy Water

  • AKA: Static Kitten, Seedworm, TEMP .Zagros
  • Targets: Georgia, Iraq, Israel, India, Pakistan, Saudi Arabia, Turkey, United Arab Emirates, United States
  • Techniques/Tools: ChromeCookiesView, chrome-passwords, CrackMapExec, Mimikatz, PowerSploit, POWERSTATS, spear-phishing
  • Location: Iran



  • AKA: APT 32, Ocean Buffalo, SeaLotus
  • Targets: Australia, Brunei, Cambodia, China, Germany, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, USA, Vietnam
  • Techniques/Tools: Cobalt Strike, KerrDown, MimiKatz, PowerSploit, Terracotta VPN, 0-day exploits in MS Office
  • Significant Attack: Breach of Toyota in Australia, Japan, Thailand and Vietnam; targeting Wuhan government and Chinese Ministry of Emergency Management in latest example of COVID-19 related espionage
  • Location: Vietnam

Written by: Edin Y Cardona - FSVM Coordinator/IS Specialist
SBS CyberSecurity, LLC


SBS Resources:

  • {Service} Incident Response Planning: An SBS consultant can assure your well-structured Incident Response Plan (IRP) will help mitigate the negative effects of a security breach, as well as demonstrate to examiners that your organization is properly prepared to handle such an event.
  • {Blog} Threat Intelligence - What Does it Look Like?:  To stay on top of emerging threats you can invest in threat intelligence; this not only helps you stay aware of any new and emerging threats making their way across the internet, but also monitor potential threats targeting your business network. Developing a Threat Intelligence Plan that outlines how you plan to monitor new cyber threats and attacks can provide great benefit to your business, and it doesn’t have to be a huge undertaking. 
  • {Article} 50+ Incident Response Preparedness Checklist Items: The #1 question organizations need to ask themselves is “if someone was in our network, would we be able to tell?” If you are uncertain how to go about detecting an incident on your network, you are certainly not alone. Here’s a primer to get you started.

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Certified Banking Incident Handler   

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, December 10, 2021
Categories: Blog