Malware analysis

Malware Spotlight: What is APT?

November 21, 2019 by Greg Belding


For some things, the whole is greater than the sum of its parts. When it comes to cybersecurity, this saying is an appropriate description of Advanced Persistent Threat (APT) cyberattacks. Made up of a thoughtful combination of different tools and methods, sometimes rudimentary ones at that, the dreaded APT is orders of magnitude more of a threat than any of its component parts. This article will detail APTs and shed some light on what APTs are, the characteristics of APTs, the phases of APTs, and real-world examples of APTs being used to carry out attacks. In my humble opinion, the concept of APT in malware is a sort of culmination of the Malware Spotlight series, as it presents a wide variety of malware and related concepts in one nice little package - dare I say a malware final thesis?


A Little About APT

APT is defined as a prolonged attack focused on a specific target with the aim of compromising systems and stealing information about said target. The threat actors that run APT attacks use a variety of tools and methods to gain entry to their target and widen their breach. These tools are often custom malware built for the various techniques the attack calls for, and sometimes attack groups create malware families consisting of custom tools used only in their APT attacks. These tools are kind of like calling cards for the attack group.

Traditionally, APT was a classification of cyberattack sponsored by a nation-state. This was due to the resources needed for waging an APT campaign, which can be significantly more than a private attack group can muster. This definition has recently been broadened by some malware authorities to include non-state actors, and this article will follow the new expanded definition.

Characteristics of APT Attacks

For those attacks that are hard to put your finger on, there are certain characteristics that have been attributed to APT attacks that may help identify an APT, as they leave behind different signs than other cyberattacks. These characteristics are briefly explored below.

1. Increased logins late at night

The thing about APT attacks is they are often waged by threat actors on the other side of the world. This means that while you are sleeping, these shady threat actors are carrying out their APT attack. A high volume of these logins should be your clue.

2. Widespread Backdoor Trojans

APT attacks rely on backdoor trojans because attackers need a way back into systems they have established a proverbial beachhead on. Sometimes these trojans are a result of social engineering. Backdoor trojans are used because even if valid credentials have been captured, they may be changed by their legitimate user.

3. Unexpected Information Flows

This can be a telltale sign of an APT attack but based upon the increased use of VPNs by attackers, this is becoming harder to use as a clue. To get around this, you will have to “unwrap” the HTTPS traffic. A good starting point is of course knowing what your information flow normally looks like.

4. Unexpected Data Bundles

These data bundles may be your information being exfiltrated out to the attackers. Keep an eye out for large chunks of information being where it should not be, especially if it is compressed (which could almost be a characteristic in and of itself). 

5. Focused Spear Phishing Campaigns

The causative agent in the majority of APT attacks is a successful spear phishing campaign. These spear phishing emails commonly have an infected document file containing malicious URL links or malicious executable code. Tracking down the infected system could bring you to the zero point of the APT attack.
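The first and fourth signs above (off-hours login volume and large compressed outbound transfers) are easy to turn into a first-pass detection. The following is an added example, not code from the original article; the log formats, thresholds and the 22:00 to 06:00 off-hours window are constructed assumptions, and the sample lines are made up.

```python
from collections import Counter
from datetime import datetime

# Constructed sample auth events: "ISO-timestamp user source-ip"
AUTH_LOG = """\
2019-11-20T02:13:44 svc_backup 10.0.5.7
2019-11-20T02:41:02 svc_backup 10.0.5.7
2019-11-20T03:05:19 svc_backup 10.0.5.7
2019-11-20T03:58:51 svc_backup 10.0.5.7
2019-11-20T09:02:10 alice 10.0.1.22
2019-11-21T01:30:00 bob 10.0.2.9
""".splitlines()

# Constructed proxy log: "ISO-timestamp user dest-host bytes-out content-type"
PROXY_LOG = """\
2019-11-20T03:10:02 svc_backup files.example.net 734003200 application/zip
2019-11-20T10:12:45 alice mail.example.com 48213 text/html
2019-11-20T11:03:09 bob cdn.example.org 2097152 image/png
2019-11-21T01:32:17 bob share.example.net 157286400 application/x-7z-compressed
""".splitlines()

# Content types that indicate the transfer is an archive (assumed list)
COMPRESSED = {"application/zip", "application/gzip",
              "application/x-7z-compressed", "application/x-rar-compressed"}

def off_hours_logins(lines, start_hour=22, end_hour=6):
    """Count logins per user that fall in the off-hours window (wraps midnight)."""
    counts = Counter()
    for line in lines:
        ts, user, _src = line.split()
        hour = datetime.fromisoformat(ts).hour
        if hour >= start_hour or hour < end_hour:
            counts[user] += 1
    return counts

def flag_off_hours(lines, threshold=3):
    """Users whose off-hours login count meets the threshold (sorted)."""
    return sorted(u for u, n in off_hours_logins(lines).items() if n >= threshold)

def flag_compressed_uploads(lines, min_bytes=100 * 1024 * 1024):
    """(user, host, bytes) for outbound transfers that are both large and compressed."""
    hits = []
    for line in lines:
        _ts, user, host, nbytes, ctype = line.split()
        if int(nbytes) >= min_bytes and ctype in COMPRESSED:
            hits.append((user, host, int(nbytes)))
    return hits

if __name__ == "__main__":
    print("off-hours login spikes:", flag_off_hours(AUTH_LOG))
    print("large compressed uploads:", flag_compressed_uploads(PROXY_LOG))
```

Both checks only make sense against a baseline of what normal looks like for each account, which is the point the article makes about knowing your usual information flow.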

Phases of APT

There are 6 distinct phases of an APT attack. There is no time limit for these phases to conclude as an APT can persist for a long time.

  1. Getting to know the target – the information gathered can help in furtherance of the attack.
  2. Finding an entrance and delivering custom malware – may be accomplished by spear phishing or by taking advantage of watering holes.
  3. Gaining the foothold – tricking a user into running the malware on their system, within the targeted network.
  4. Widening the attack scope.
  5. Finding and stealing information – this may involve privilege elevation.
  6. Moving and covering tracks – moving or expanding entry points may be necessary to further the attack. If nothing more is left to be done, the tools used may be removed to cover tracks.

Real-World APT Examples

Stuxnet

Stuxnet is a worm used in an APT attack and is considered one of the most sophisticated instances of malware ever used. Stuxnet mainly targeted SCADA systems servicing nuclear plants in Iran,

GhostNet

This China-based APT cyberattack group used spear phishing emails loaded with malicious attachments to gain entry to systems in over 100 countries beginning in 2009. Among the many attack techniques GhostNet used were audio and screen capture to gain information about targets.

Sykipot APT

The Sykipot attack group is known in part for creating the Sykipot APT malware family. This custom malware family leveraged flaws in Adobe Acrobat and Adobe Reader and used spear phishing attacks to effectuate zero-day exploits upon its victims.

Metel APT

This attack group, along with others including Carbanak and GCMAN, targeted financial institutions. Metel used custom malware to infect ATMs, and when the ATMs were cashed out at the end of the day, the malware caused the ATM transactions to roll back. This demonstrates that APT attacks can steal money as well as information.

Conclusion

APTs are, in many ways, the collective culmination of the world’s cyberattacks. APT attack groups leverage different types of pre-existing malware, custom-made malware, and well-worn methods to launch targeted attacks that may continue for an extended time period. APT attacks tend to persist after initial detection and mitigation attempts, making them possibly the most serious malware risk next to ransomware.




Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing – both as a cybersecurity blogger as well as for fun.