Here is a list of Advanced Persistent Threat (APT) groups around the world, categorized by their country of origin, known aliases, and primary motives (cyberespionage, financial gain, political influence, etc.). APT groups are typically state-sponsored or highly organized cybercriminal groups.
| Country | APT Group Name / Alias | Primary Motive | Key Targets |
| 🇨🇳 China | APT1 (Comment Crew), APT3 (Buckeye), APT10 (Stone Panda), APT41 (Winnti) | Cyberespionage, Economic Gain | Government, defense, telecom, healthcare, tech |
| 🇷🇺 Russia | APT28 (Fancy Bear), APT29 (Cozy Bear), Sandworm | Cyberespionage, Political Influence | Governments, NATO, critical infrastructure |
| 🇮🇷 Iran | APT33 (Elfin), APT34 (OilRig), APT39 (Chafer) | Cyberespionage, Regional Influence | Energy, financial services, government, telecom |
| 🇰🇵 North Korea | APT37 (Reaper), APT38 (Lazarus Group) | Financial Theft, Cyberespionage | Banks, cryptocurrency exchanges, defense |
| 🇺🇸 USA | Equation Group (linked to NSA) | Cyberespionage | Global infrastructure, communication systems |
| 🇻🇳 Vietnam | APT32 (OceanLotus) | Cyberespionage, Political Influence | Government, private sector, dissidents |
| 🇵🇰 Pakistan | APT36 (Transparent Tribe) | Cyberespionage, Political Influence | Indian government, defense sector |
| 🇮🇳 India | SideWinder, Dark Basin | Cyberespionage, Political Influence | Pakistan, China, Bangladesh, NGOs |
| 🇰🇿 Kazakhstan | Nomadic Octopus | Cyberespionage, Regional Influence | Central Asian governments |
| 🇹🇷 Turkey | StrongPity | Cyberespionage | Dissidents, Kurdish groups, government agencies |
| 🇰🇵 South Korea | Kimsuky | Cyberespionage | North Korean defectors, NGOs, journalists |
| 🇸🇾 Syria | Syrian Electronic Army | Political Influence, Hacktivism | Media, political opponents |
| 🇮🇱 Israel | OilRig (linked to Iran-Israel conflict) | Cyberespionage | Regional adversaries |
Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST
APT Threat Group targets, Motives, and Attack Methods
📌 China-Linked APT Groups
APT10 (Stone Panda)
- Motive: Cyberespionage, Economic Gain
- Key Targets: IT service providers, healthcare, aerospace, and government organizations
- Attack Methods:
- Supply chain attacks (Cloud Hopper campaign)
- Spear-phishing emails with malicious attachments
- Remote Access Trojans (RATs)
- Credential theft and lateral movement
APT41 (Winnti)
- Motive: Dual-purpose (Cyberespionage & Financial Theft)
- Key Targets: Video games, healthcare, telecommunications, and political organizations
- Attack Methods:
- Supply chain attacks
- Use of backdoors and malware such as Winnti, ShadowPad, and PlugX
- Exploiting vulnerabilities in widely-used software
APT31 (Zirconium)
- Motive: Political Espionage
- Key Targets: Government agencies, political campaigns, NGOs
- Attack Methods:
- Spear-phishing emails
- Malware implants
- Command-and-Control (C2) servers
📌 Russia-Linked APT Groups
APT28 (Fancy Bear)
- Motive: Political Influence, Cyberespionage
- Key Targets: NATO, European governments, U.S. government, media, and defense sectors
- Attack Methods:
- Phishing emails and credential harvesting
- Malware such as X-Agent, Sofacy, and Zebrocy
- Exploiting vulnerabilities in Microsoft Office
APT29 (Cozy Bear)
- Motive: Cyberespionage
- Key Targets: Government organizations, think tanks, NGOs
- Attack Methods:
- Spear-phishing emails with malicious links
- Use of malware like WellMess and WellMail
- Command-and-Control infrastructure
Sandworm (BlackEnergy Group)
- Motive: Disruption, Cyberespionage
- Key Targets: Ukraine’s power grid, NATO, European organizations
- Attack Methods:
- Use of BlackEnergy malware
- DDoS attacks
- Supply chain attacks
📌 North Korea-Linked APT Groups
Lazarus Group
- Motive: Financial Theft, Cyberespionage
- Key Targets: Financial institutions, cryptocurrency exchanges, media, and defense sectors
- Attack Methods:
- Use of ransomware (e.g., WannaCry)
- Phishing attacks
- Cryptocurrency-stealing malware
- Remote Access Trojans (RATs)
APT38
- Motive: Financial Theft
- Key Targets: Banks, cryptocurrency exchanges
- Attack Methods:
- SWIFT banking system attacks
- Malware like FASTCash
- Lateral movement within networks
📌 Iran-Linked APT Groups
APT33 (Elfin)
- Motive: Cyberespionage, Regional Influence
- Key Targets: Aerospace, energy, and government sectors
- Attack Methods:
- Spear-phishing emails
- Malware such as Shamoon and Nanocore
- Credential theft
APT34 (OilRig)
- Motive: Cyberespionage
- Key Targets: Financial services, government agencies, telecom
- Attack Methods:
- Phishing emails
- Webshells and backdoors
- Exploitation of Microsoft Excel macros
📌 Vietnam-Linked APT Groups
APT32 (OceanLotus)
- Motive: Cyberespionage
- Key Targets: Government, private sector, dissidents
- Attack Methods:
- Spear-phishing emails
- Custom malware such as Cobalt Strike
- Watering hole attacks
📌 Pakistan-Linked APT Groups
APT36 (Transparent Tribe)
- Motive: Cyberespionage
- Key Targets: Indian government, defense sector
- Attack Methods:
- Spear-phishing emails with malicious attachments
- Malware like Crimson RAT
- Mobile malware targeting Android devices
📌 Turkey-Linked APT Groups
StrongPity
- Motive: Cyberespionage
- Key Targets: Dissidents, Kurdish groups, government agencies
- Attack Methods:
- Watering hole attacks
- Trojanized installers
- Keyloggers and spyware
📌 Syria-Linked APT Groups
Syrian Electronic Army
- Motive: Political Influence, Hacktivism
- Key Targets: Media, political opponents
- Attack Methods:
- Website defacements
- Phishing attacks
- Social engineering
📌 India-Linked APT Groups
SideWinder
- Motive: Cyberespionage
- Key Targets: Pakistan, China, Bangladesh, NGOs
- Attack Methods:
- Spear-phishing emails
- Exploiting vulnerabilities in mobile and web applications
Dark Basin
- Motive: Cyberespionage, Political Influence
- Key Targets: NGOs, journalists, government agencies
- Attack Methods:
- Phishing campaigns
- Credential theft
📌 Key Attack Methods Used by APT Groups
- Spear-phishing Emails – Customized emails with malicious links or attachments.
- Remote Access Trojans (RATs) – Malware that allows attackers to control the victim’s system remotely.
- Watering Hole Attacks – Compromising legitimate websites to infect users.
- Supply Chain Attacks – Infiltrating third-party vendors to reach the target.
- Credential Theft – Stealing login credentials to gain unauthorized access.
- Lateral Movement – Moving across a network to access critical systems.
- Ransomware – Encrypting victims’ files and demanding ransom for decryption.
- Command-and-Control (C2) Servers – Servers used by attackers to control infected systems.