In recent years, the field of Cyber Threat Intelligence (CTI) has gained significant relevance due to the exponential growth of cyber threats affecting different sectors and organizations. The collection of IOCs, malware analysis, and the study of Advanced Persistent Threats (APTs) have become essential CTI activities — and that is exactly what we will discuss today.

APT Research plays a fundamental role in the long-term mapping of TTPs, the collection of IOCs, and the static and dynamic analysis of the malware that makes up a threat group’s toolkit. It also documents additional artifacts and traces the evolution of a group’s capabilities, technologies, and attacker-victim relationships over a defined period, so that analysts can understand why a campaign happened and what motivated it against a specific sector.


To support this, the Extended Diamond Model, a CTI framework, emerges from the need to contextualize why attacks happen — not only how they occur. It brings concepts that are essential to APT Research, which we will break down below.

At the vertices of the Extended Diamond Model, we have:

  • Adversary – The actor or group (APT, threat actor) coordinating the attack.
  • Infrastructure – Technical means used (C2 servers, domains, proxies, etc.).
  • Capability – Tools, exploits, malware or techniques (e.g., exploit for CVE-2025-31324 used by UNC6040).
  • Victim – The targeted entity or organization.

As Meta-features, the model includes: 

  • TimeStamp – Date and time of the intrusion, helping compare TTPs over time.
  • Phase – Position within the Cyber Kill Chain and related MITRE ATT&CK® TTP.
  • Result – Outcome of the action (exfiltration, persistence, etc.).
  • Direction – Who initiated the attack and who was victimized.
  • Methodology – Modus operandi (reconnaissance, phishing, etc.).
  • Resources – Infrastructure or artifacts used.

Finally, the model includes two axes:

  • Technical Axis – Represents the relationship between an adversary’s capabilities and the infrastructure used.
  • Sociopolitical Axis – Describes the relationship between attacker and victim and explains the motivation behind the attack. It is often tied to geopolitical factors, such as conflicts in Eastern Europe or nation-state espionage against foreign public services, but not every case involves an APT or a ransomware group: the attacker may be a former employee seeking retaliation.
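To make the model concrete, here is an added example (our own illustration, not code from the framework's authors) that records Diamond Model events as a data structure and shows two analyses the meta-features enable: pivoting on a shared indicator to link adversaries and victims, and comparing an adversary's techniques across years. The sample events are constructed from the case study later in this post; the domain, phone number, VoIP provider and the ATT&CK mappings T1566.004 (Spearphishing Voice) and T1566.002 (Spearphishing Link) are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DiamondEvent:
    # Vertices
    adversary: str
    infrastructure: frozenset   # domains, IPs, phone numbers, VoIP providers
    capability: frozenset       # ATT&CK technique IDs and tool names
    victim: str
    # Meta-features
    timestamp: date
    phase: str                  # Cyber Kill Chain stage
    result: str
    direction: str              # who initiated the action
    methodology: str
    resources: frozenset = frozenset()
    # Extended axes
    technology: str = ""        # how capability and infrastructure relate
    sociopolitical: str = ""    # attacker-victim relationship and motivation


def pivot(events, indicator):
    """IOC pivot: adversaries and victims tied together by one shared
    infrastructure or capability indicator (the activity-thread view)."""
    hits = [e for e in events
            if indicator in e.infrastructure or indicator in e.capability]
    return {"adversaries": sorted({e.adversary for e in hits}),
            "victims": sorted({e.victim for e in hits})}


def ttp_timeline(events, adversary):
    """Group one adversary's techniques by year using the Timestamp
    meta-feature, so TTP drift can be compared across campaigns."""
    by_year = defaultdict(set)
    for e in events:
        if e.adversary == adversary:
            by_year[e.timestamp.year].update(e.capability)
    return {year: sorted(techs) for year, techs in sorted(by_year.items())}


def ttp_delta(events, adversary, year_a, year_b):
    """Techniques the adversary added and dropped between two years."""
    tl = ttp_timeline(events, adversary)
    a, b = set(tl.get(year_a, [])), set(tl.get(year_b, []))
    return {"added": sorted(b - a), "dropped": sorted(a - b)}


# Constructed sample events based on the case study later in this post.
# "phish-okta.example" and "+15550100" are placeholder indicators; T1566.004
# (Spearphishing Voice) and T1566.002 (Spearphishing Link) are the ATT&CK
# mappings assumed here for vishing and for the cloned-Okta-page lure.
ACTOR = "Scattered LAPSUS$ Hunters"
SAMPLE_EVENTS = [
    DiamondEvent(adversary=ACTOR, infrastructure=frozenset({"+15550100"}),
                 capability=frozenset({"T1566.004", "T1451"}),
                 victim="telecom-provider-A", timestamp=date(2024, 6, 1),
                 phase="Delivery", result="account takeover",
                 direction="adversary-to-victim",
                 methodology="vishing impersonating IT support, SIM swap",
                 technology="human-operated calls from consumer numbers",
                 sociopolitical="financially motivated extortion"),
    DiamondEvent(adversary=ACTOR,
                 infrastructure=frozenset({"twilio", "phish-okta.example"}),
                 capability=frozenset({"T1566.004", "AI voice agent"}),
                 victim="salesforce-tenant-B", timestamp=date(2025, 7, 1),
                 phase="Delivery", result="credential theft, data exfiltration",
                 direction="adversary-to-victim",
                 methodology="AI-voice vishing plus cloned Okta login page",
                 technology="VoIP-backed voice agents, SSO phishing kit",
                 sociopolitical="financially motivated extortion"),
    DiamondEvent(adversary=ACTOR,
                 infrastructure=frozenset({"phish-okta.example"}),
                 capability=frozenset({"T1566.002"}),
                 victim="airline-C", timestamp=date(2025, 9, 1),
                 phase="Delivery", result="credential theft",
                 direction="adversary-to-victim",
                 methodology="Okta-themed phishing link",
                 technology="SSO phishing kit",
                 sociopolitical="financially motivated extortion"),
]


if __name__ == "__main__":
    # Pivoting on the shared phishing domain links two otherwise separate
    # victims to the same adversary; the delta shows the 2024 -> 2025 shift.
    print(pivot(SAMPLE_EVENTS, "phish-okta.example"))
    print(ttp_delta(SAMPLE_EVENTS, ACTOR, 2024, 2025))
```

The pivot is where the Infrastructure vertex earns its keep: a single cloned login domain seen in two incidents ties both victims to one adversary without any malware sample in hand. The timeline delta is the Timestamp meta-feature in practice; in a real pipeline the events would come from your case management or TIP, not from a hard-coded list.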

Using this framework together with MITRE ATT&CK® and the Cyber Kill Chain, iT.eam’s Threat Intelligence team performs concrete APT Research. We analyze not only the technical tools used by APT groups but also their relationships and motivations, collected over time by infiltrating the channels where threat actors communicate, whether on Telegram, underground forums, or the dark web. These channels are the main hubs for announcements, sales, recruitment, and data-dumping operations, and correlating what we observe there produces intelligence that feeds Threat Hunting and Detection Engineering, strengthening both our environment and those of our clients.

Our internal team has mapped several APTs, including cases related to the Akira ransomware group (which demonstrates multiple APT-like capabilities such as defense evasion, lateral movement, and silent exfiltration) as well as clusters UNC6040, UNC6395, and the rise of financial APT-like groups emerging in Brazil.

As a real example of iT.eam’s Threat Intelligence activities, we highlight analyses conducted between April and October 2025 of the group Scattered LAPSUS$ Hunters. Because of its worldwide impact, the group became a target of international agencies such as the FBI and the French police. It was responsible for incidents affecting companies such as Salesforce, Google, Jaguar Land Rover, European airlines, Gucci, Vivara, and other luxury brands, and it even mapped attack opportunities against Brazilian telecommunications companies, as this recruitment post from one of its channels shows:

“We are recruiting employees/insiders from the following:
Any telecommunications provider (Claro, Telefonica, ATT, etc.)
Large software/gaming companies (Microsoft, Apple, EA, IBM)
Call center/BPM…
Server providers…
Note: we are not looking for data, but for employees who can give us access to VPN or CITRIX networks or anydesk […]”

A temporal analysis of their TTPs shows that, in 2024, the group used vishing campaigns targeting non-technical employees while impersonating technical support, combined with SIM swapping (MITRE ATT&CK® Mobile technique T1451, SIM Card Swap). By 2025, during the attacks against Salesforce, the group’s behavior had evolved. It still relied on vishing, but the calls were now placed by AI voice agents running over VoIP services such as Twilio, Google Voice, and 3CX, built on AI voice-agent platforms such as Vapi and Bland and configured with a chosen gender and regional accent.

When separating TTPs, we observe LAPSUS$ performing initial access via vishing, while ShinySpiders focused on lateral movement and exfiltration. Through analysis of messages in their official channels, we identified several members, including ByteToBreach, one of the pentesters responsible for intrusions into airlines and Salesforce.

One of the group’s last appearances occurred on October 27, 2025, involving a data dump from a Ukrainian company, after several members had already been arrested.

The actors also cloned legitimate Okta login pages for their phishing campaigns. Those clones gave us indicators to pivot on, and inspecting the requests to them revealed subtle provocations directed at the FBI.

APT Research remains one of the fundamental pillars of a modern Threat Intelligence team, enabling organizations to understand and anticipate adversary behaviors before they materialize into incidents. Rather than relying solely on vendors or public feeds, iT.eam’s team operates proactively — pivoting IOCs, performing direct analysis in underground and dark web environments, and correlating TTPs in real time using frameworks like MITRE ATT&CK® and the Extended Diamond Model.

This approach ensures that our detections and reports stem from living intelligence, built from observations gathered inside the adversary ecosystem. Every pivoted IOC, every established relationship, and every mapped vector helps reduce Time to Intel (TTI) and expands our ability to anticipate emerging threats not yet documented in commercial feeds.

More than reacting, iT.eam invests in understanding the motivation behind each threat, connecting the technical and sociopolitical dimensions to identify origin, intent, and potential impact of malicious operations. This is the “sixth sense” that every CTI team must develop, generating insights that act as countermeasures to prevent cyber disasters.

Learn more about the work of iT.eam’s CTI team!

Reference: https://www.ic3.gov/CSA/2025/250912.pdf