#apt

Advanced Persistent Threat infrastructure (URLs, domains, IPs, hashes) attributed to nation-state and criminal threat actors



IOCs by window

IOCs tagged #apt:

  • Today: 0
  • Week: 31
  • Month: 82
  • Year: 1,909

Counts as of 2026-04-29. Regenerated daily.

About #apt

  • Definition: umbrella tag for IOCs that researchers attribute to an Advanced Persistent Threat - typically a well-resourced, long-running adversary (nation-state-aligned or organised criminal) with mission-focused targeting and tradecraft.
  • Common attributed groups in corpus: Kimsuky, Lazarus, APT29, APT41, FIN7, MuddyWater, Konni, OilRig and similar. Each has its own per-tag page when volume justifies it; see #Kimsuky and #Lazarus.
  • Detection: behaviour-based detection (atypical lateral movement, persistence in unusual registry locations, custom protocols), threat-intel-fed blocklists, and YARA on signature-light variants. Entry-point indicators are usually phishing or supply-chain compromise.
  • References: MITRE ATT&CK Groups · CISA APT advisories.

Recent IOCs tagged #apt

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/apt.



Frequently asked questions

What is APT (Advanced Persistent Threat)?

An Advanced Persistent Threat is a sophisticated, long-running adversary - typically nation-state-aligned or a top-tier criminal organisation - that targets specific verticals or organisations with mission-focused tradecraft. The label originally distinguished targeted, persistent operations from opportunistic commodity malware. The MITRE ATT&CK Groups page lists the most-tracked clusters.

Which APT groups produce the most IOCs in this feed?

DPRK-aligned activity (Kimsuky, Lazarus, plus generic DPRK-tagged operations) dominates volume due to active researcher coverage on Twitter/X. Russian-, Iranian- and Chinese-attributed activity also appears regularly. For per-group filtering see the dedicated pages: #Kimsuky, #Lazarus, #DPRK.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. APT-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this APT subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

APT IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).