Threat Intel

The APT that hunts other APT’s: “APT49”, “BlueHornet”, “AgaintsTheWest”

This amazing picture is from the genius Valentin Tkach

Around October of the past year, a new group who self-procalimed BlueHornet aka AgainstTheWest shown up at forums like the already dead RAID Forums (This was a well-known site to share information about security breaches, leaks, but also to sell drugs, personal data, etc. The owner of the site was captured at the United Kingdom the 21st of January).

More recently, at the successor of the RAID forums, a website called, this Actor shown up again with the following account:

He got banned from the site by the admins on March 18, but he created a new account the same day, which is the one we can see on the previous picture.

¿What’s the peculiarity about this group? ¿What makes them so different from the rest?

Their motivation is quite interesting if you allow me to be said. They act as Hacktivist pursuing mainly other Threat Actors’ information (but not exclusively). So far, their focus has been groups from China (Including China’s Banks), Russia, Iran and North Korea. Profs, so far, points them to be from North America or at least from the OTAN block. Though this doesn’t mean this is a state-sponsored group, quite contrary, since they submitted quizzes on their Twitter account asking people to vote for potential targets, and they are self-proclaimed hacktivists and journalists, among other things.

¿Which communication platforms they use?

So far, we have seen publications related to all their leaks on Twitter, Telegram, and the previously mentioned site They also have a Github repository called AgaintsTheWest.

¿What’s the information leaked about the other APTs and which ones?

The information published at was related to some members of the Threat Actors Known as APT3, APT28, APT38 and APT40.

We have to clarify that part of this information was already known by the Feds, but wasn’t public.

APT3: Gothic Panda

Introduction from MITRE ATT&CK

APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

In 2017, MITRE developed an APT3 Adversary Emulation Plan.

Member Information:

APT28: Fancy Bear

Introduction from MITRE ATT&CK

APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Member Information:

APT38: Lazarus Group

Introduction from MITRE ATT&CK

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Member Information:

APT40: Leviathan aka Kryptonite Panda

Introduction from MITRE ATT&CK

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.

Member Information:

Potential Allies

Intrusion Truth
-Belarusian Cyber Partisans
-Anonymous Taiwan

Giving closure to this

Recently, the group stated on its Telegram account that it would stop its activities, pursuing a “normal life” for all its members. Nonetheless, their account remains active and is being used at the Breached Forum.

Im, sure there’s probably a more complete inform our there. Still, I hope this information will be helpful for other Cybersec Researchers, Threat Intelligence Analysts, and SOC Analysts in the wild.

If you find this information useful or you liked it, feel free to add a comment 😉

See ya’ space cowboy…