Prior research on Advanced Persistent Threats (APT) largely focuses on isolated dimensions—such as detection or threat intelligence—lacking longitudinal, macro-level analysis spanning multiple years. Method: This paper presents the first systematic, decade-long (2014–2023) analysis of 1,509 global APT reports, integrating technical disclosures and actor metadata to construct a standardized knowledge base covering 603 organizations across 154 countries. We propose a hybrid information extraction framework combining rule-based retrieval with large language models (LLMs) to efficiently process unstructured text. Contribution/Results: Our analysis reveals evolutionary trends in attack vectors (dominated by malicious documents and spear-phishing), targeted sectors, and geopolitical affiliations; notably, zero-day exploit usage has declined significantly since 2016. All findings are integrated into an interactive visualization platform, establishing a reusable, macro-analytic paradigm for APT situational awareness and strategic assessment.

An advanced persistent threat (APT) refers to a covert, long-term cyberattack, typically conducted by state-sponsored actors, targeting critical sectors and often remaining undetected for long periods. In response, collective intelligence from around the globe collaborates to identify and trace surreptitious activities, generating substantial documentation on APT campaigns publicly available on the web. While prior works predominantly focus on specific aspects of APT cases, such as detection, evaluation, cyber threat intelligence, and dataset creation, limited attention has been devoted to revisiting and investigating these scattered dossiers in a longitudinal manner. The objective of our study is to fill the gap by offering a macro perspective, connecting key insights and global trends in past APT attacks. We systematically analyze six reliable sources-three focused on technical reports and another three on threat actors-examining 1,509 APT dossiers (24,215 pages) spanning 2014-2023, and identifying 603 unique APT groups worldwide. To efficiently unearth relevant information, we employ a hybrid methodology that combines rule-based information retrieval with large-language-model-based search techniques. Our longitudinal analysis reveals shifts in threat actor activities, global attack vectors, changes in targeted sectors, and relationships between cyberattacks and significant events such as elections or wars, which provide insights into historical patterns in APT evolution. Over the past decade, 154 countries have been affected, primarily using malicious documents and spear phishing as dominant initial infiltration vectors, with a noticeable decline in zero-day exploitation since 2016. Furthermore, we present our findings through interactive visualization tools, such as an APT map or flow diagram, to facilitate intuitive understanding of global patterns and trends in APT activities.