Sunshine Group APT

Type: Cyber-criminal

Status: Inactive, though subgroups may be active

Other Names: Sunshop Group

Active Since/Discovered: Discovered July 2011

Target Sectors: Aerospace/Defense/Airlines, Applied research and development, Chemicals/Manufacturing/Mining, Higher education, Entertainment/Media/Hospitality, Energy/Utilities/Petroleum refining, Financial services, Federal government, State and local government, Healthcare/Pharmaceuticals, High-tech, Insurance, Legal services, Services/Consulting/VAR, Telecommunications


  • Shared malware builder
  • Trojan.APT.9002, Trojan.APT.PoisonIvy, Trojan.APT.Gh0st, Trojan.APT.Kaba, and Trojan.APT.Briba

Preferred Attack Vector: Watering-hole


  • Shares infrastructure with ten sub-groups
  • Described as “digital quartermaster” to the 10-11 APTs
    • All associated campaigns utilize a common development infrastructure characterized by shared:
  • 64 of 110 binaries were packaged with two unique manifest resources, and 47 were signed with six different digital certificates.
  • The binaries connected to 54 unique fully qualified domains


  • One of the first and largest Malware-as-a-Service groups
  • Possible cyber arms dealer, supplying the operators responsible for conducting attacks and establishing footholds within targeted organizations.