Sunshine Group APT

Type: Cyber-criminal

Status: Inactive, though subgroups may be active

Other Names: Sunshop Group

Active Since/Discovered: Discovered July 2011

Target Sectors: Aerospace/Defense/Airlines, Applied research and development, Chemicals/Manufacturing/Mining, Higher education, Entertainment/Media/Hospitality, Energy/Utilities/Petroleum refining, Financial services, Federal government, State and local government, Healthcare/Pharmaceuticals, High-tech, Insurance, Legal services, Services/Consulting/VAR, Telecommunications


  • Shared malware builder
  • Trojan.APT.9002, Trojan.APT.PoisonIvy, Trojan.APT.Gh0st, Trojan.APT.Kaba, and Trojan.APT.Briba

Preferred Attack Vector: Watering-hole


  • Shares infrastructure with ten sub-groups
  • Described as a “digital quartermaster” to the 10-11 APTs
  • All associated campaigns utilize a common development infrastructure characterized by shared:
    • 64 of 110 binaries were packaged with two unique manifest resources, and 47 were signed with six different digital certificates
    • The binaries connected to 54 unique fully qualified domains


  • One of the first and largest Malware-as-a-Service groups
  • Possible cyber arms dealer, supplying the operators responsible for conducting attacks and establishing footholds within targeted organizations