Threat actors
Threat actors
Groups, operations, and franchises responsible for the catalogued cyberattacks. Ranked by attributed incident count.
- 236
RansomHub
RansomHub is a rapidly growing ransomware group believed to be an updated version of the older Knight ransomware.
$2.90B - 194
Play
- 156
Lynx
- 118
Incransom
- 95
Cactus
- 56
LockBit
Russian-speaking ransomware-as-a-service operation, dominant 2022–2024 until law-enforcement seizure (Operation Cronos).
$9.13B - 47
Hunters International
- 45
FOG
- 45
Killsecurity
- 45
Rhysida
$8.5M - 44
Bashe
- 39
BianLian
- 31
Flocker
- 30
DragonForce
DragonForce is a hacktivist group based in Malaysia that has been involved in cyberattacks targeting government institutions and commercial organizations in India.
$550.0M - 28
Arcusmedia
- 28
SpaceBears
SpaceBears is a ransomware group believed to be based in Moscow, Russia, that has taken credit for several high-profile cyberattacks while primarily operating as a Data Broker.
- 24
Kairos
Kairos is an extortion group that emerged with a data-leak site on 13 November 2024, claiming attacks against six organizations, primarily in the US healthcare sector.
- 23
RansomHouse
This group started operating during the first quarter of 2022.
- 21
Everest
- 20
Monti
- 14
Termite
- 13
Handala
Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, extortion, and destructive attacks using custom wiper malware.
- 13
ShinyHunters
ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain.
$10.0M - 11
BlackSuit
$1.00B - 11
Braincipher
- 10
Black Basta
$1.83B - 10
Embargo
- 10
Unknown
$140.0M - 9
Abyss
- 9
Nitrogen
- 7
Eldorado
- 6
DPRK RGB
$8.84B - 6
Lazarus Group
North Korean state-sponsored actor (DPRK Reconnaissance General Bureau). Mixes espionage, financial theft, and cryptocurrency heists to fund the regime.
$8.84B - 6
Qilin
$31.4M - 6
Threeam
- 5
LAPSUS
An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.
$5.0M - 5
Ransomblog_noname
- 5
Sandworm
This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes.
$10.20B - 4
UNC6240
- 3
Ciphbit
- 3
Conti
$370.0M - 3
Gnosticplayers
The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong encryption algorithms like bcrypt.
- 3
Hellcat
- 3
Metaencryptor
- 3
REvil
$302.3M - 3
Scattered Spider
Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.
$665.0M - 3
TA505
TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years.
$30.2M - 3
Underground
- 3
WIZARD SPIDER
Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.
$370.0M - 2
ALPHV
$2.97B - 2
Clop
$220.0K - 2
Darkvault
- 2
GRU Unit 74455
$10.10B - 2
HelloKitty
- 2
Jabaroot (hacktivist alias; claimed Algeria-linked retaliation)
$4.0M - 2
Moneymessage
- 2
Orca
- 2
Predatory Sparrow
A self-proclaimed hacktivist group that carried out attacks against Iranian railway systems and against Iranian steel plants.
- 2
RansomEXX
- 2
ShinyHunters (claimed)
- 2
Sodinokibi
$300.0M - 2
Unattributed
- 2
Unknown criminal operators
$100.0M - 1
"Jia Tan" / JiaT75 (suspected state-sponsored)
- 1
@AnibalLeaks (unidentified individual)
- 1
1937CN (claimed)
- 1
9Near (Khemarat Boonchuay)
- 1
Ababil of Minab
Ababil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in threat intelligence reporting.
- 1
Accellion FTA exploitation actor (FIN11 / Clop-linked, suspected)
$2.4M - 1
Akira
- 1
Albert Gonzalez crew (Operation Get Rich or Die Tryin')
$200.0M - 1
Albert Gonzalez crew (ShadowCrew / Operation Get Rich or Die Tryin')
$256.0M - 1
Aleksanteri Kivimäki
$670.0K - 1
Anonymous
- 1
Anonymous Philippines
- 1
Anonymous Sudan
Since January 23, 2023, a threat actor identifying as "Anonymous Sudan" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden.
- 1
APT28
The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government.
$22.0M - 1
APT28 / Fancy Bear (Russian GRU, 85th GTsSS)
- 1
APT28 / Fancy Bear / GRU Unit 26165
$50.0M - 1
APT29
A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect
$100.00B - 1
APT29 / Cozy Bear / SVR (parallel intrusion)
$50.0M - 1
APT31 (China Ministry of State Security)
- 1
APT31 (China-nexus, Supo attribution)
- 1
APT33 / Elfin (likely Iranian attribution)
$200.0M - 1
APT38
$625.0M - 1
Atomic Arch
- 1
AvosLocker
- 1
Babuk
$7.0M - 1
Backmydata (Phobos ransomware affiliate)
- 1
Black Shadow
- 1
Black Shadow (Iran-linked)
- 1
Black Shadow (suspected Iran-linked)
- 1
BlackCat (ALPHV)
- 1
BlackCat / ALPHV (suspected)
- 1
BlackCat/ALPHV
- 1
Blackfield
- 1
Blackout
- 1
BlogXX (leak site)
$250.0M - 1
Bozkurtlar (Grey Wolves)
- 1
Brain Cipher
- 1
C0rpz (Recorded Future attribution)
- 1
Cadet Blizzard
- 1
Cambridge Analytica (SCL Group)
$5.00B - 1
China (UK government attribution)
- 1
China-based attackers (KCC attribution)
- 1
ChinaDan (alias)
- 1
Chinese MSS-linked APT (APT10 cluster, per public attribution)
$200.0M - 1
Chinese MSS-linked APT (Black Vine / Deep Panda)
$260.0M - 1
Chinese MSS-linked APT (Deep Panda / Anchor Panda)
$350.0M - 1
Chinese PLA Unit 54th Research Institute (DOJ attribution)
$1.38B - 1
Cl0p
$12.15B - 1
ComodoHacker (self-claimed, Iran-linked)
- 1
Cozy Bear
$100.00B - 1
Cutting Sword of Justice (claim persona)
$200.0M - 1
Daixin
- 1
Daixin Team
Daixin is a threat actor group that has been active since at least June 2022.
- 1
Daniel Kelley, Matthew Hanley, Connor Allsopp, Aaron Sterritt (UK teenagers, convicted)
$90.0M - 1
Dark Caracal (linked to Lebanese GDGS, EFF/Lookout attribution)
- 1
DarkSide
$4.4M - 1
DeepBlueMagic (suspected China-based, financially motivated)
- 1
Desorden Group
Desorden (Disorder in Spanish, previously known as ChaosCC), is a financially motivated hacker group.
- 1
DoppelPaymer
$71.0M - 1
Equation Group (NSA-attributed)
$100.0M - 1
Everest ransomware group
- 1
Evil Corp
Evil Corp is an internaltional cybercrime network.
$30.0M - 1
Fancy Bear
$22.0M - 1
FSB-affiliated operators (2014 breach, per DOJ indictment)
$470.0M - 1
FulcrumSec
- 1
GnosticPlayers (data broker / seller)
- 1
Golem (forum persona)
$50.0M - 1
Grief (Nefilim/Evil Corp-linked)
- 1
GRU Unit 26165
$22.0M - 1
Guacamaya
Guacamaya has conducted multiple hack and leak campaigns against military and police agencies and mining companies across Latin America, which they believe have played a role in the region’s environmental degradation and
- 1
Guardians of Peace (cover persona)
$100.0M - 1
Hacker Buba
- 1
Hafnium (China state-sponsored, Microsoft attribution)
- 1
Hive
- 1
Hive ransomware gang
- 1
Hive ransomware group
- 1
HomeLand Justice
HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021.
- 1
Hungarian Special Service for National Security (NBSZ)
- 1
Icarus
- 1
Indra (suspected)
- 1
INDRIK SPIDER
INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014.
$30.0M - 1
Insider misuse / paid intermediary access
- 1
Intellexa / Cytrox (Predator spyware vendor)
- 1
Iran MOIS
- 1
John Binns (lone actor, self-attributed)
$500.0M - 1
John Binns + Connor Moucka (alleged participants)
$200.0M - 1
Jordandaven (forum seller, self-claimed)
- 1
kiberphant0m (forum handle)
- 1
Korea Credit Bureau contractor (insider)
- 1
Kotz (RaidForums seller)
- 1
kzoldyck
- 1
Lazarus Group (DPRK, attributed to WannaCry)
- 1
Lazarus Group (DPRK, BAE Systems attribution)
$500.0K - 1
Lazarus Group (DPRK)
- 1
Likely Volodymyr Tymoshchuk-attributed cluster (per 2025 DOJ unsealing)
$75.0M - 1
LockBit (rogue affiliate)
- 1
LockerGoga operators
$75.0M - 1
LulzSec Pilipinas
- 1
Lynx ransomware gang
- 1
Magecart Group 6 (per RiskIQ designation)
$35.0M - 1
Malicious insider (Yandex system administrator)
- 1
Malicious insider (Yandex.Eda employee)
$700 - 1
Masaomi Matsuzaki (contractor system engineer)
$190.0M - 1
Medusa
- 1
meli0das
- 1
Mirai botnet operators
- 1
Mount Locker
- 1
N4ughtysecTU
In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) rans
- 1
Nation-state actor (Flame/Stuxnet 'factory', widely attributed to US/Israel)
- 1
NetWalker (Circus Spider)
- 1
Netwalker (Mailto) ransomware operation
- 1
NewsBeef / Charming Kitten (Iran, code overlap)
- 1
Nile Phish operator (suspected nexus to Egyptian government; not conclusively attributed)
- 1
NOBELIUM (Microsoft)
$100.00B - 1
North Korea (Reconnaissance General Bureau)
- 1
OilRig / APT33 (Iran, suspected)
- 1
Operation Olympic Games
$100.0M - 1
Operator of Telecom Egypt's PacketLogic middleboxes (state-linked ISP)
- 1
Paige Thompson (lone actor)
$270.0M - 1
Peace / peace_of_mind (data broker / seller)
- 1
Pro-Kremlin actors (Nashi youth movement claimed responsibility; Russian state denied involvement)
- 1
RA World (RA Group) ransomware gang
- 1
Ragnar Locker
- 1
RansomExx (Defray777)
- 1
RansomHouse (suspected)
- 1
REvil (Sodinokibi) ransomware operation
- 1
REvil / Sodinokibi
- 1
REvil-affiliated criminal operators
$250.0M - 1
Russian SVR (Foreign Intelligence Service)
$100.00B - 1
Ryuk ransomware operators
- 1
Salt Typhoon
- 1
Scattered Lapsus$ Hunters
$2.40B - 1
Sébastien Boulanger-Dorval (employee)
$100.0M - 1
SHADOWBYT3$
- 1
Shalon/Aaron/Orenstein fraud network (DOJ attribution)
- 1
ShinyHunters (original 2021 sale)
- 1
ShinyHunters (re-sale market)
$500.0M - 1
SN_BlackMeta (DDoS, claimed)
- 1
Sofacy
$22.0M - 1
Sophisticated state-sponsored actor (unattributed)
- 1
Sp1d3r
Sp1d3r, a threat actor, has been involved in multiple data breaches targeting companies like Truist Bank, Cylance, and Advance Auto Parts.
- 1
State-sponsored (Qatar attributes to UAE)
- 1
Storm-0558
Storm-0558 is a China-based threat actor with espionage objectives.
- 1
Suspected China-nexus APT (RSA-assessed nation-state)
$66.0M - 1
Suspected Chinese state actor
$7.5M - 1
TeamPCP
TeamPCP is a threat actor that has executed a coordinated series of supply chain attacks, compromising widely-used open source tools such as Trivy, KICS, and LiteLLM to deploy credential-stealing malware.
- 1
The Impact Team
$1.6M - 1
TheGentlemen
- 1
TraderTraitor
TraderTraitor targets blockchain companies through spear-phishing messages.
$1.50B - 1
Turla (suspected, Russia-linked)
- 1
Unattributed (data theft)
- 1
Unattributed (FBI investigation; LulzSec/Anonymous-era context)
$171.0M - 1
Unattributed (mass scraping)
- 1
Unattributed (Russian-speaking operators)
- 1
Unattributed (tabplugins / yowgames / chromewallpaper operator)
- 1
Unattributed hacktivists (pro-Tamil messaging)
- 1
Unattributed offshore actor
- 1
Unauthorized data-harvesting websites (XpressVerify, AnyVerify and others)
- 1
UNC4736 (Mandiant)
- 1
UNC5537
UNC5537 is a financially motivated threat actor targeting Snowflake customer databases.
- 1
UNC5537 (Mandiant designation)
$200.0M - 1
UNC5537 (Snowflake credential-theft campaign)
- 1
UNC6508 (PRC-nexus)
- 1
Unidentified extortion actor
- 1
Unit 8200 (Israeli)
$100.0M - 1
Unknown attacker
$135.0K - 1
Unknown criminal actor (2013 breach)
$470.0M - 1
Unknown criminal crew (BlackPOS / Kaptoxa malware)
$292.0M - 1
Unknown dark-web seller
- 1
Unknown ransomware crew (suspected Chinese-attributed per Indian government statements)
$15.0M - 1
USDoD
USDoD is a threat actor known for leaking large databases of personal information, including from companies like Airbus and the U.S.
- 1
Various Magecart clusters
$35.0M - 1
Vice Society (suspected)
- 1
Vice Society ransomware gang
$3.2M - 1
Whitefly (Symantec designation)
$7.5M - 1
World Leaks
- 1
xenZen
$30.0M - 1
Yevgeniy Nikulin (convicted)
- 1
Zeppelin ransomware operators (unattributed)
- 1
ZeroX
[Unnamed group]
Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place.
[Vault 7/8]
An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA.
1937CN
1937CN is a Chinese hacking group that has been active since at least 2013.
313 Team
313 Team is an Iraq-based threat actor that has conducted coordinated DDoS campaigns targeting multiple government servers in the UAE, Kuwait, and Romania, often in response to political statements.
Actor240524
Actor240524 is a newly identified APT group that targeted Azerbaijani and Israeli diplomats through spear-phishing emails to steal sensitive data.
Adrastea
Adrastea is a threat actor who has been active on cybercrime forums, claiming to have breached organizations like MBDA and offering stolen data for sale.
AeroBlade
AeroBlade is a previously unknown threat actor that has been targeting an aerospace organization in the United States.
Aggressive Inventory Zombies
Aggressive Inventory Zombies is a threat actor involved in a large-scale phishing and pig-butchering network targeting retail brands and cryptocurrency users.
ALLANITE
Adversaries abusing ICS (based on Dragos Inc adversary list).
Alpha Spider
ALPHA SPIDER is a threat actor known for developing and operating the Alphv ransomware as a service.
ALPHV (BlackCat)
Russian-speaking RaaS operation. First major ransomware written in Rust. Self-shutdown via exit scam after Change Healthcare in 2024.
Altahrea Team
Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020.
ALTDOS
ALTDOS is a threat actor group that has targeted entities in Southeast Asia, including Singapore, Thailand, and Malaysia.
Altoufan Team
ALTOUFAN TEAM is a politically motivated hacktivist group with anti-Zionism, anti-monarchy, and pro-14-February movement sentiments.
Amaranth-Dragon
Amaranth-Dragon is a previously untracked threat actor assessed to be closely linked to the China-affiliated APT 41 ecosystem, exhibiting similar tooling and operational patterns.
ANDROMEDA SPIDER
ANDROMEDA SPIDER is a threat actor tracked in the Malpedia taxonomy.
Angry Likho
Angry Likho is an APT group that has been active since 2023, primarily targeting large organizations and government agencies in Russia and Belarus.
Anonymous KSA
Anonymous KSA is a Saudi hacking group that has executed cyber attacks targeting Indian institutions, including a significant breach of UIDAI's data storage units, leading to access to sensitive information and system di
Anonymous64
Anonymous 64 is a group accused by China's national security ministry of attempting to gain control of web portals, outdoor electronic screens, and network television.
ANTHROPOID SPIDER
Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions.
Antlion
Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan.
Aoqin Dragon
SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia.
AppMilad
AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad.
APT-C-12
According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance.
APT-C-27
A threat actor which is ac tive since at least November 2014.
APT-C-34
As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan.
APT-C-36
Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial
APT-C-60
APT-C-60
APT.3102
APT.3102 is a threat actor tracked in the Malpedia taxonomy (CN).
APT1
PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese compute
APT10
menuPass is a threat group that has been active since at least 2006.
APT12
A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.
APT14
PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operati
APT15
This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.
APT16
Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, me
APT17
FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S.
APT18
Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and hi
APT19
Adversary group targeting financial, technology, non-profit organisations.
APT2
Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented
APT20
We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer.
APT21
APT21 is a threat actor tracked in the Malpedia taxonomy (CN).
APT22
Suckfly is a China-based threat group that has been active since at least 2014
APT23
TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper.
APT24
The Pitty Tiger group has been active since at least 2011.
APT26
APT26 is a threat actor tracked in the Malpedia taxonomy (CN).
APT27
A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.
APT3
Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade.
APT30
APT30 is a threat group suspected to be associated with the Chinese government.
APT31
FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field.
APT32
Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents,
APT33
Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013.
APT35
FireEye has identified APT35 operations dating back to 2014.
APT37
APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea.
APT39
APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publ
APT4
APT4 is a threat actor tracked in the Malpedia taxonomy (CN).
APT40
Leviathan is an espionage actor targeting organizations and high-value targets in defense and government.
APT41
APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.
APT42
Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.
APT43
• APT43 is a prolific cyber operator that supports the interests of the North Korean regime.
APT45
APT45 is a North Korean cyber threat actor that has been active since at least 2009.
APT5
We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies.
APT6
The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.
APT73
APT73 is a ransomware group that has publicly identified 12 victims and launched its data leak site on April 25th.
APT9
APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field.
APTIran
APTIran has claimed responsibility for a large-scale campaign targeting Israeli critical infrastructure, asserting infiltration of government ministries, hospitals, universities, and financial institutions as retaliation
ArcaneDoor
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors.
AridViper
AridViper is a state-sponsored APT primarily targeting military personnel, journalists, and dissidents in the Middle East, with a focus on Israel and Palestine.
Aslan Neferler Tim
Turkish nationalist hacktivist group that has been active for roughly one year.
Asnarök
Asnarök is a threat actor that exploited CVE-2020-12271 and utilized command injection privilege escalation to gain root access to devices and install the Asnarök Trojan and demonstrated significant changes in TTPs, incl
AtlasCross
NSFOCUS Security Labs recently discovered a new attack process based on phishing documents in their daily threat-hunting operations.
Attor
Adversary group targeting diplomatic missions and governmental organisations.
Avivore
The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.
Awaken Likho
Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access.
Ayyıldız Tim
Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002.
AzzaSec
AzzaSec is a hacktivist group that originated in Italy.
BackdoorDiplomacy
An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2
BadRory
Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations.
Bahamut
Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors.
BAMBOO SPIDER
Crowdstrike tracks the developer of Panda Zeus as BAMBOO SPIDER
BANISHED KITTEN
BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008.
BatShadow
BatShadow is a Vietnamese threat actor that targets job seekers and digital marketing professionals through social engineering campaigns, deploying the Go-based malware known as Vampire Bot.
BazarCall
BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling.
Bearlyfy
Bearlyfy has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in January 2025, employing a custom Windows ransomware strain known as GenieLocker.
Beijing Group
Beijing Group is a threat actor tracked in the Malpedia taxonomy (CN).
BelialDemon
Mentioned as operator of TriumphLoader and Matanbuchus
Belsen Group
The Belsen Group has exploited the CVE-2022-40684 vulnerability in Fortinet devices to compromise over 15,000 FortiGate firewalls, releasing detailed configurations and plaintext VPN credentials.
BiBiGun
A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems.
BIG PANDA
BIG PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
Bignosa
Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector.
BITWISE SPIDER
BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape.
Blackatom
Recent campaigns suggest Hamas-linked actors may be advancing their TTPs to include intricate social engineering lures specially crafted to appeal to a niche group of high value targets.
Blackgear
BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years.
BlackJack
Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure.
Blackmeta
BLACKMETA is a pro-Palestinian hacktivist group that has claimed responsibility for a series of DDoS attacks and data breaches targeting organizations perceived as supportive of Israel, including the Internet Archive and
BlackOasis
BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group.
Blacktail
Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware.
BlackTech
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.
Blackwood
Blackwood is a China-aligned APT group that has been active since at least 2018.
BladedFeline
BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officials for cyberespionage.
BladeHawk
BladeHawk is a threat actor tracked in the Malpedia taxonomy.
Blue Termite
Blue Termite is a group of suspected Chinese origin active in Japan.
Blue Tsunami
Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube.
BlueBottle
Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries.
BlueHornet
BlueHornet is an advanced persistent threat group targeting government organizations in China, North Korea, Iran, and Russia.
Bohrium
Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India.
Bondnet
Bondnet is a threat actor that deploys backdoors and cryptocurrency miners.
Boolka
Boolka is a threat actor known for infecting websites with malicious JavaScript scripts for data exfiltration.
BOSON SPIDER
BOSON SPIDER is a cyber criminal group, which was first identified in 2015, recently and inexplicably went dark in the spring of 2016, appears to be a tightly knit group operating out of Eastern Europe.
BOSS SPIDER
Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses.
Boulder Bear
First observed activity in December 2013.
BrazenBamboo
BrazenBamboo is a Chinese state-affiliated threat actor known for developing the LIGHTSPY, DEEPDATA, and DEEPPOST malware families.
BreachLaboratory
BreachLaboratory is a cybercrime actor that specializes in the extraction and sale of sensitive financial and identity datasets from various organizations.
BRONZE EDGEWOOD
In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia.
BRONZE HIGHLAND
BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong.
BRONZE SPIRAL
In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA.
BRONZE SPRING
BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies.
BRONZE STARLIGHT
BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals.
BRONZE VAPOR
BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin.
Budminer
Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced threat group.
BuhTrap
Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015.
ByteToBreach
ByteToBreach is a prolific cybercriminal who operates across multiple platforms, including DarkForums and Telegram, and has been active since at least June 2025.
Cadelle
Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date.
Caliente Bandits
Caliente Bandits is a highly active threat group that targets multiple industries, including finance and entertainment.
Callisto
The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus.
Calypso
For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats.
Camaro Dragon
In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022.
Caracal Kitten
Caracal Kitten is an APT group that has been targeting activists associated with the Kurdistan Democratic Party.
Caramel Tsunami
Caramel Tsunami is a threat actor that specializes in spyware attacks.
Carderbee
Symantec recently reported on activity attributed to a threat actor group dubbed Carderbee.
CardinalLizard
CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018.
Careto
This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.
Carmine Tsunami
Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream.
CashRewindo
CashRewindo is a sophisticated threat actor leveraging aged domains in global malvertising campaigns to direct victims to investment scam sites.
CeranaKeeper
CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries.
ChainedShark
ChainedShark is an APT group targeting China's scientific research sector, particularly professionals in international relations and marine technology, with the intent to steal sensitive data.
Chamelgang
In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company.
Charming Kitten
Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.
Chaya_004
Chaya_004 is a Chinese threat actor identified through malicious infrastructure, including a network of servers hosting Supershell backdoors and various pen testing tools of Chinese origin.
Chernovite
Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM.
Chronus Group
Chronus Team is a hacktivist group known for defacement attacks and data leaks, primarily targeting public-sector organizations in Mexico.
CHRYSENE
Adversaries abusing ICS (based on Dragos Inc adversary list).
CiberInteligenciaSV
CiberInteligenciaSV is a threat actor that leaked 5.1 million Salvadoran records on Breach Forums.
CIRCUS SPIDER
According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER.
CL-STA-0043
CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa.
CL-STA-0048
CL-STA-0048 is a Chinese state-backed APT that targets strategic sectors in South Asia, particularly government and telecommunications entities, with a focus on espionage.
CL-STA-1009
CL-STA-1009 is a threat activity cluster associated with a suspected nation-state actor utilizing the Airstalk malware family, which includes both PowerShell and .NET variants.
CL-STA-1020
CL-STA-1020 targets Southeast Asian government networks, employing AWS Lambda Function URLs configured with AuthType: NONE for stealthy command-and-control communication.
CL-STA-1087
CL-STA-1087 is a suspected state-sponsored espionage campaign operating out of China, targeting military organizations in Southeast Asia.
CL-UNK-1068
CL-UNK-1068 is a Chinese threat actor that has targeted critical infrastructure in Asia, primarily focusing on cyberespionage.
Cleaver
A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S.
Clever Kitten
Clever Kitten is a threat actor tracked in the Malpedia taxonomy (IR).
CLOCKWORK SPIDER
Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring.
CloudSorcerer
CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration.
Cobalt
A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours.
COBALT JUNO
COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon.
COBALT KATANA
COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait.
Codefinger
Codefinger is a ransomware group that targets Amazon S3 buckets by exploiting AWS’s Server-Side Encryption with Customer Provided Keys to encrypt victim data.
Coinbase Cartel
Coinbase Cartel is a ransomware threat actor that emerged in September 2025, focusing on data exfiltration rather than encryption, and has claimed over 60 victims, primarily in the healthcare, technology, and transportat
Cold River
In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure docume
ComicForm
ComicForm is an emerging cyber threat actor tracked since at least April 2025, specializing in targeted phishing campaigns against organizations in Eurasian countries including Belarus, Kazakhstan, and Russia, often in s
Common Raven
Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.
Confucious
Confucius is an APT organization funded by India.
Conquerors Electronic Army
Conquerors Electronic Army operates under the “Wa’d al-Akhira” banner and has claimed multiple attacks against Israeli targets, including civil emergency alerting and healthcare sectors, utilizing rented stresser infrast
Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023.
Copy-Paste
The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of tools copied almost identically from open source given by The Australian Government.
CopyKittens
CopyKittens is a threat actor tracked in the Malpedia taxonomy (IR).
CoralRaider
CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023.
Corsair Jackal
Corsair Jackal is a threat actor tracked in the Malpedia taxonomy (TN).
Cosmic Lynx
Cosmic Lynx is a Russia-based BEC cybercriminal organization that has significantly impacted the email threat landscape with sophisticated, high-dollar phishing attacks.
CosmicBeetle
CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab.
CostaRicto
CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally.
Cotton Sandstorm
Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations.
CoughingDown
CoughingDown is a threat group attributed to various cyber campaigns, including the deployment of the EAGERBEE backdoor, which utilizes service manipulation and privilege escalation techniques.
Crimson Collective
The Crimson Collective is a cybercrime group that claimed to have compromised Red Hat's private GitHub repositories in September 2025.
CryptoChameleon
CryptoChameleon is a cybercriminal group known for targeting cryptocurrency exchanges and users to steal digital assets, employing tactics such as VIP spear phishing, SIM swapping, and email hacks.
CRYSTALRAY
CRYSTALRAY is a threat actor known for leveraging open source tools like zmap and SSH-Snake to conduct widespread vulnerability scanning and exploitation.
Cuboid Sandstorm
Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021.
Curious Gorge
Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.
Curly COMrades
Curly COMrades is a threat actor identified by Amazon Threat Intelligence and Bitdefender, believed to operate in support of Russian interests.
Cutting Kitten
One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013.
Cyber Alliance
The Ukrainian Cyber Alliance is a pro-Ukraine hacktivist group formed in 2016, primarily targeting Russian entities since the invasion of Ukraine in 2022.
Cyber Army of Russia Reborn
Cyber Army of Russia Reborn is a threat actor tracked in the Malpedia taxonomy.
Cyber Av3ngers
The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures.
Cyber Berkut
Cyber Berkut is a threat actor tracked in the Malpedia taxonomy (RU).
Cyber Caliphate Army
Cyber Caliphate Army is a threat actor tracked in the Malpedia taxonomy.
Cyber fighters of Izz Ad-Din Al Qassam
Cyber fighters of Izz Ad-Din Al Qassam is a threat actor tracked in the Malpedia taxonomy (IR).
Cyber Islamic Resistance
Cyber Islamic Resistance is a hacktivist collective ideologically aligned with Iran, engaging in operations such as website defacements, DDoS attacks, and data exfiltration targeting Israeli and Western entities.
Cyber Partisans
The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and infrastructure in Belarus and Ukraine.
Cyber Serp
UAC-0255 is a threat actor that conducted a phishing campaign impersonating CERT-UA to distribute the AGEWHEEZE RAT, targeting organizations in Ukraine's public and private sectors.
Cyber Toufan
Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations.
Cyber.Anarchy.Squad
Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russian companies and infrastructure.
CyberNiggers
CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric.
DAGGER PANDA
Operate since at least 2011, from several locations in China, with members in Korea and Japan as well.
Dalbit
The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money.
Dancing Salome
Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine.
DangerousSavanna
Malicious campaign called DangerousSavanna has been targeting multiple major financial service groups in French-speaking Africa for the last two years.
Danti
Danti is a threat actor tracked in the Malpedia taxonomy.
Dark Basin
Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents.
Dark Caracal
Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese Genera
DarkCasino
DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms.
DarkGaboon
DarkGaboon is a financially motivated APT group that has been independently targeting Russian organizations since May 2023, primarily using phishing emails to deliver malware such as Revenge RAT and LockBit 3.0 ransomwar
DarkHotel
Kaspersky described DarkHotel in a 2014 report as: '...
DarkHydrus
In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East.
DarkPink
DarkPink is an APT group that has been active since mid-2021, primarily targeting government, military, and non-profit organizations in Southeast Asia and Europe.
DarkRaaS
DarkRaaS is a threat actor specializing in selling unauthorized access to various organizations' systems and networks across multiple countries, with a recent focus on targets in Israel, UAE, Turkey, and South America 4
DarkSpectre
DarkSpectre is a threat actor tracked in the Malpedia taxonomy.
DarkVishnya
Dubbed DarkVishnya, the attacks targeted at least eight banks using readily-available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny - a USB-sized piece hardware for penetratio
Deadeye Jackal
The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad.
DefrayX
DefrayX is a threat actor group known for their RansomExx ransomware operations.
Denim Tsunami
Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers.
DEV-0147
DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't agencies an
DEV-0270
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS.
DEV-0569
DEV-0569, also known as Storm-0569, is a threat actor group that has been observed deploying the Royal ransomware.
DEV-0586
MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups.
DEV-0928
DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022.
DEV-0950
Lace Tempest, also known as DEV-0950, is a threat actor that exploited vulnerabilities in software such as SysAid and PaperCut to gain unauthorized access to systems.
DEV-1028
Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.
DEXTOROUS SPIDER
DEXTOROUS SPIDER is a threat actor tracked in the Malpedia taxonomy.
DiceyF
DiceyF is an advanced persistent threat group that has been targeting online casinos and other victims in Southeast Asia for an extended period.
DieNet
DieNet is a hacktivist group that emerged in March 2025, known for conducting DDoS attacks targeting entities associated with political figures, such as Trump businesses.
DIZZY PANDA
DIZZY PANDA is a threat actor tracked in the Malpedia taxonomy.
DNSpionage
Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company.
Domestic Kitten
An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings.
DOPPEL SPIDER
In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer.
DragonBreath
Golden Eye Dog targets Chinese-speaking users engaged in online gambling, employing techniques such as SERP poisoning, social engineering, and DDoS attacks.
Dragonbridge
DRAGONBRIDGE is a Chinese state-sponsored threat actor known for engaging in information operations to promote the political interests of the People's Republic of China.
DragonOK
Threat group that has targeted Japanese organizations with phishing emails.
DragonRank
DragonRank is a threat actor primarily targeting web application services in Asia and Europe, utilizing TTPs associated with Simplified Chinese-speaking hacking groups.
DragonSpark
DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia.
DriftingCloud
DriftingCloud is a persistent threat actor known for targeting various industries and locations.
DriveSurge
DriveSurge compromises legitimate websites to inject scripts that route visitors through zTDS, leading them to fake browser updates and ClickFix-style prompts.
DUNGEON SPIDER
DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017.
Dust Storm
Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.
DustSquad
Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by suspected Russian-speaking group Nomadic Octopus and which targeted entities in Tajikistan.
Earth Alux
Earth Alux is a China-linked APT group known for conducting cyberespionage attacks across various sectors, including government, technology, and telecommunications.
Earth Baxia
Earth Baxia is a threat actor opearting out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-3
Earth Berberoka
According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites.
Earth Estries
Trend Micro found that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal.
Earth Freybug
Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and financially motivated activities across various sectors worldwide.
Earth Kapre
Earth Kapre is an APT group specializing in cyberespionage.
Earth Kitsune
Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019.
Earth Krahang
Earth Krahang is an APT group targeting government organizations worldwide.
Earth Kurma
Earth Kurma is an APT group targeting government and telecommunications sectors in Southeast Asia, with a primary focus on data exfiltration.
Earth Lamia
Earth Lamia is a China-nexus APT that targets organizations across multiple sectors, including finance, logistics, and government, primarily in Latin America, the Middle East, and Southeast Asia.
Earth Longzhi
Earth Longzhi is a subgroup of APT41 targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji, and using “stack rumbling” via Image File Execution Options (IFEO), a new denial-of-service (DoS) techniq
Earth Lusca
Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society gr
Earth Naga
Earth Naga is an APT group that has persistently targeted high-value organizations, including government agencies, telecommunications, and military-related manufacturers, primarily in Taiwan and the broader APAC region.
Earth Wendigo
Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emai
Earth Yako
Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan.
EC2 Grouper
EC2 Grouper is a prolific threat actor known for leveraging AWS tools for PowerShell to conduct automated attacks in cloud environments.
Edalat-e Ali
Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, such as the Revolution Day ceremonies.
Educated Manticore
Educated Manticore is an Iranian APT group aligned with the Islamic Revolutionary Guard Corps, primarily engaged in espionage targeting government, military, and academic sectors.
El Machete
El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here.
ELECTRIC PANDA
ELECTRIC PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
ELOQUENT PANDA
ELOQUENT PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
ELUSIVE COMET
ELUSIVE COMET is a threat actor responsible for significant cryptocurrency theft through sophisticated social engineering attacks, particularly leveraging Zoom's remote control feature.
ENERGETIC BEAR
A Russian group that collects intelligence on the energy industry.
Equation Group
The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position o
Evasive Panda
Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.
Evilbyte
EvilByte is a hacktivist group that has conducted several high-profile cyber attacks in 2024, including breaching MyFatoorah's banking system in retaliation against Saudi media 1 and targeting Radio 10 Rosario in Argenti
Evilnum
ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies.
EvilPost
EvilPost is a threat actor tracked in the Malpedia taxonomy.
EvilTraffic
Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites.
EvilWeb
EvilWeb is a pro-Russian hacktivist group created in March 2024 that targets American and European entities using a hack-and-leak method alongside DDoS attacks.
ExCobalt
ExCobalt is an APT group that has been active since at least 2016 and is believed to be linked to the notorious Cobalt Gang.
EXOTIC LILY
EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol.
Fail0verflow
Fail0verflow is a hacking group known for exploiting vulnerabilities in gaming consoles, notably the Nintendo Wii and PlayStation 3.
FASTCash
Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash.
Femwar02
Femwar02 is a previously unknown pro-Russian ransomware threat actor that emerged in early 2026, linked to a major cyberattack on Italy's Sapienza University of Rome in February 2026, which caused a full network shutdown
Ferocious Kitten
Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran.
FIN1
FireEye first identified this activity during a recent investigation at an organization in the financial industry.
FIN10
FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organi
FIN11
FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion.
FIN13
Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016.
FIN5
FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information.
FIN6
FIN is a group targeting financial assets including assets able to do financial transaction including PoS.
FIN7
Groups targeting financial organizations or people with significant financial assets.
FIN8
FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries.
Fishing Elephant
Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan.
FishMedley
Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States.
Flash Kitten
This suspected Iran-based adversary conducted long-running SWC campaigns from December 2016 until public disclosure in July 2018.
Flax Typhoon
Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan.
FlowerStorm
FlowerStorm is a phishing-as-a-service platform that mimics legitimate services to bypass multi-factor authentication structure.
Flying Kitten
Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.
FlyingYeti
FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities.
Fox Kitten
PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government.
FOXY PANDA
Adversary group targeting telecommunication and technology organizations.
FrostyNeighbor
FrostyNeighbor is a Belarus-aligned APT group known for conducting influence and disinformation campaigns, particularly targeting Ukraine, Poland, and Lithuania.
FunkSec
Funksec is a newly identified extortion group that has claimed 11 victims across various sectors, including media, IT, and education, operating a Tor-based DLS to centralize its ransomware activities.
FusionCore
The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore.
Fxmsp
Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground.
GALLIUM
GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa.
Gallmaker
Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targe
GamaCopy
GamaCopy is a threat actor first discovered in June 2023, known for launching cyberattacks against Russia’s defense and critical infrastructure sectors by mimicking the TTPs of Gamaredon.
Gamaredon Group
Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware.
GambleForce
GambleForce is a threat actor specializing in SQL injection attacks.
GC01
From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).
GC02
From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).
GCMAN
GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.
Gelsemium
The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies.
Ghost Jackal
Ghost Jackal is a threat actor tracked in the Malpedia taxonomy.
GHOST STADIUM
GHOST STADIUM is a Chinese-speaking, financially motivated threat actor operating a sophisticated phishing campaign across over 300 domains, utilizing a custom React-based phishing kit that closely mimics FIFA's official
GhostEmperor
GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia.
GhostNet
Cyber espionage is an issue whose time has come.
GhostR
Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform.
GhostRedirector
GhostRedirector is a China-aligned threat actor that has compromised at least 65 Windows servers across various sectors, primarily in Brazil, Thailand, and Vietnam.
GhostSec
GhostSec is a hacktivist group that emerged as an offshoot of Anonymous.
Ghostwriter
Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.
GIBBERISH PANDA
GIBBERISH PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
Gitloker
Gitloker is a threat actor group targeting GitHub repositories, wiping their contents, and extorting victims for their data.
GOBLIN PANDA
Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups.
GOFFEE
GOFFEE is a threat actor that has targeted entities in the Russian Federation since early 2022, employing spear phishing emails with malicious attachments, including modified Owowa and patched explorer.exe.
GOLD BURLAP
GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza.
GOLD CABIN
GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018.
GOLD DUPONT
GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware.
GOLD EVERGREEN
GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014.
GOLD FAIRFAX
GOLD FAIRFAX is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Ramnit botnet.
GOLD FLANDERS
GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDOS) attacks linked to extortion emails demanding between 5 and 30 bitcoins.
GOLD GALLEON
GOLD GALLEON is a financially motivated cybercriminal threat group comprised of at least 20 criminal associates that collectively carry out business email compromise (BEC) and spoofing (BES) campaigns.
GOLD GARDEN
GOLD GARDEN was a financially motivated cybercriminal threat group that authored and operated the GandCrab ransomware from January 2018 through May 2019.
GOLD MANSARD
GOLD MANSARD is a financially motivated cybercriminal threat group that operated the Nemty ransomware from August 2019.
GOLD NORTHFIELD
Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD's REvil ransomware in their attacks.
GOLD PRELUDE
GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network.
GOLD REBELLION
GOLD REBELLION is a financially motivated cybercriminal threat group that operates the Black Basta name-and-shame ransomware.
GOLD RIVERVIEW
GOLD RIVERVIEW was a financially motivated cybercriminal group that facilitated the distribution of malware- and scam-laden spam email on behalf of its customers.
GOLD SKYLINE
GOLD SKYLINE is a financially motivated cybercriminal threat group operating from Nigeria engaged in high-value wire fraud facilitated by business email compromise (BEC) and spoofing (BES).
GOLD SOUTHFIELD
GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups.
GOLD SYMPHONY
GOLD SYMPHONY is a financially motivated cybercrime group, likely based in Russia, that is responsible for the development and sale on underground forums of the Buer Loader malware.
GOLD WATERFALL
GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside ransomware.
GOLD WINTER
GOLD WINTER are a financially motivated group, likely based in Russia, who operate the Hades ransomware.
GoldenJackal
GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic.
GoldFactory
GoldFactory is a threat actor group attributed to developing sophisticated mobile banking malware targeting victims primarily in the Asia-Pacific region, specifically Vietnam and Thailand.
GopherWhisper
GopherWhisper is a China-aligned APT that routes C2 traffic through legitimate enterprise platforms like Slack, Discord, and Microsoft 365 Outlook to evade detection.
Gorilla
Gorilla is a threat-actor operating a DoS-as-a-service service controlled on Telegram.
GozNym
IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware.
Gray Sandstorm
Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012.
GrayBravo
TAG-150, also known as GrayBravo, is a sophisticated threat actor responsible for developing multiple custom malware families, including CastleLoader and CastleRAT, and operates a large-scale, multi-layered infrastructur
GrayCharlie
GrayCharlie is a threat actor that compromises WordPress sites to inject malicious JavaScript, redirecting visitors to NetSupport RAT payloads via fake browser update pages or ClickFix mechanisms.
Grayling
Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity.
GreedyBear
GreedyBear is a sophisticated threat actor responsible for over $1 million in cryptocurrency theft through a campaign involving 150 malicious Firefox extensions, nearly 500 malicious executables, and numerous fraudulent
Greenbug
Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.
GreenSpot
GreenSpot is an APT group believed to operate from Taiwan, active since at least 2007, primarily targeting government, academic, and military entities in China through phishing campaigns.
GREF
GREF is a China-aligned APT group that has been active since at least March 2017.
GreyEnergy
ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks
GreyVibe
GREYVIBE is a low-to-moderately sophisticated threat actor associated with Russian state interests, primarily targeting Ukrainian entities.
GRIM SPIDER
GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.
Groundbait
Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.
Group5
A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab re
GTFire
GTFire is a threat actor that leverages Google Firebase for hosting phishing pages and Google Translate to disguise malicious URLs, effectively bypassing security filters.
GTG-1002
GTG-1002 is a Chinese state-sponsored APT that conducted a large-scale autonomous cyber espionage campaign targeting approximately 30 global organizations across various sectors, focusing on military and energy-related d
GURU SPIDER
Early in 2018, CrowdStrike Intelligence observed GURU SPIDER supporting the distribution of multiple crimeware families through its flagship malware loader, Quant Loader.
Hacking Team
The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since.
HAFNIUM
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, an
Hagga
Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021.
HAZY TIGER
The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework.
Head Mare
Head Mare is a hacktivism focussed threat actor group known for targeting Russia and Belarus sectors using a remote access malware called PhantomRAT.
HellHounds
Hellhounds is an APT group targeting organizations in Russia, using a modified version of Pupy RAT called Decoy Dog.
Hellsing
This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States.
HenBox
This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.
HexagonalRodent
HexagonalRodent targets Web3 developers to steal crypto assets, employing social engineering tactics such as fake job offers.
Hezb
Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities.
HiddenArt
It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis.
Higaisa
The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities.
HikkI-Chan
Hikki-Chan has claimed responsibility for multiple significant data breaches, including the theft of data from 390.4 million users of VKontakte, which included sensitive personal information.
HIVE-0145
Hive0145 is a financially motivated initial access broker that has been active since late 2022, primarily utilizing Strela Stealer malware to target email credentials.
Hive0117
Hive0117 is a financially motivated cybercriminal group that conducts phishing campaigns to deliver the fileless malware DarkWatchman, which is capable of keylogging and collecting system information.
Hive0137
Being one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI.
Hive0163
Hive0163 is a financially motivated ransomware group responsible for deploying Interlock ransomware, utilizing ClickFix social engineering for initial access.
HollowQuill
SEQRITE Labs APT-Team has been tracking and has uncovered a campaign targeting the Baltic State Technical University, a well-known institution for various defense, aerospace, and advanced engineering programs that contri
Honeybee
McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word docu
HookAds
HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites.
Houken
Houken is a Chinese state-sponsored threat actor that exploits zero-day vulnerabilities in Ivanti Cloud Services Appliance devices to gain initial access to critical infrastructure networks, particularly in France.
HOUND SPIDER
According to Crowdstrike, HOUND SPIDER affiliates arrested in Romania on December,2017
HummingBad
This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue.
Hunt3r Kill3rs
Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application vulnerabilities exploitation.
HURRICANE PANDA
We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies.
IcePeony
IcePeony is a China-nexus APT group that has been active since at least 2023, targeting government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam.
IMPERSONATING PANDA
IMPERSONATING PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
Inception Framework
This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.
IndigoZebra
IndigoZebra is a Chinese state-sponsored actor mentioned for the first time by Kaspersky in its APT Trends report Q2 2017, targeting, at the time of its discovery, former Soviet Republics with multiple malware strains in
INDOHAXSEC TEAM
INDOHAXSEC TEAM is an Indonesian group that claims to have developed a web-based version of WannaCry, asserting the ability to encrypt websites and demand Bitcoin as ransom.
Infrastructure Destruction Squad
Dark Engine has emerged as a significant threat actor targeting industrial control systems and SCADA systems in sectors such as metallurgy and food processing.
Infy
Infy is a group of suspected Iranian origin.
INJ3CTOR3
INJ3CTOR3 is a threat actor first identified in 2020, known for targeting vulnerabilities in VoIP systems, specifically CVE-2019-19006 and CVE-2021-45461.
Inteid
Inteid is a member of the Russian Legion alliance, which includes groups like Cardinal and The White Pulse, and has been involved in DDoS attacks targeting Denmark's health portal, sundhed.dk.
IntelBroker
IntelBroker is a threat actor known for orchestrating high-profile data breaches targeting companies like Apple, Zscaler, and Facebook Marketplace.
InvisiMole
Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.
IRIDIUM
Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM.
IRLeaks
IRLeaks is a threat actor known for significant cyberattacks targeting Iranian organizations, including a major breach of SnappFood, where they exfiltrated 3TB of sensitive data from 20 million user profiles.
Iron Group
Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms.
IronErn440
IronErn440 is a threat actor tracked by Oligo Security for orchestrating the ShadowRay 2.0 campaign, an evolution of attacks since September 2023 exploiting CVE-2023-48022, a missing authentication flaw in the Ray AI fra
IronHusky
IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes.
ItaDuke
ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls.
Jabaroot
JabaRoot is an Algerian hacker group that has targeted Moroccan government systems, successfully exfiltrating sensitive data from the Ministry of Economic Inclusion and the National Social Security Fund (CNSS).
JavaGhost
JavaGhost is a threat actor group that has targeted cloud environments, particularly AWS, for phishing campaigns without engaging in data theft for extortion.
JINX-0126
Wiz Threat Research identified a new variant of an ongoing malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers.
JINX-0164
JINX-0164 is a financially motivated threat actor active since mid-2025, primarily targeting software developers through recruitment-themed social engineering to steal cryptocurrencies and conduct supply chain attacks.
JuiceLedger
JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly.
Karakurt
Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.
Karkadann
Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East.
Kasablanka
The Kasablanka group is a cyber-criminal organization that has specifically targeted Russia between September and December 2022, using various payloads delivered through phishing emails containing socially engineered lnk
KAX17
KAX17 is a sophisticated threat actor that has been active since at least 2017.
Kazu
Kazu is a financially motivated ransomware group known for employing a double extortion model, targeting sectors such as healthcare and government.
Keksec
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)
KelvinSecurity
KelvinSecurity is a hacker group that has been active since at least 2015.
Keymous+
Keymous is a threat actor known for executing extensive DDoS attacks across multiple Arab countries, targeting government ministries and critical infrastructure.
Killnet
A group targeting various countries using Denial of Services attacked.
Kimsuky
This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.
Kinsing
This group started operating during the first quarter of 2022.
Kiss-a-Dog
CrowdStrike identified a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure.
KromSec
KromSec is a hacktivist group that claims to be composed of hackers, activists, writers, and journalists.
Krybit
Krybit is a ransomware group that operates as a ransomware-as-a-service provider, offering affiliates 80% of ransom proceeds in exchange for technical support and a malware suite.
LabHost
LabHost is a threat actor group targeting Canadian Banks with Phishing-as-a-Service attacks.
Lamashtu
Lamashtu is a financially motivated data-theft and extortion group that emerged in mid-April 2026, operating a Tor-hosted leak site (Lamashtu[.]Blog) with countdown timers, structured Breach Impact Reports, and proof-of-
Lancefly
Lancefly targets government, aviation, and telecom organizations in South and Southeast Asia.
Larva-208
LARVA-208 is a financially motivated threat actor employing sophisticated phishing campaigns to harvest credentials and deploy ransomware.
Larva-24005
Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researc
Larva-24010
The Larva-24010 threat actor is distributing malware through the website of a Korean VPN service provider.
Larva-26002
Larva-26002 targets improperly managed MS-SQL servers, exploiting vulnerabilities such as brute force and dictionary attacks.
Larva‑25012
Larva‑25012 is a threat actor known for deploying Proxyware, utilizing malware disguised as a Notepad++ installer.
Libyan Scorpions
Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate a
Lifting Zmiy
Rostelecom's security team has discovered a new APT group that is breaching companies via industrial PLCs.
LightBasin
UNC1945 is an APT group that has been targeting telecommunications companies globally.
Lilac Typhoon
Lilac Typhoon is a threat actor attributed to China.
LilacSquid
LilacSquid is an APT actor targeting a variety of industries worldwide since at least 2021.
LIMINAL PANDA
LIMINAL PANDA is a China-nexus APT that targets telecommunications entities, employing custom malware and publicly available tools for covert access, C2, and data exfiltration.
LinkC Pub
Linkc is a newly emerged ransomware group that operates an onion-based data leak site and has claimed one victim, a U.S.-based AI and cloud service provider, H2O.ai, which was attacked on January 29, 2025.
LofyGang
LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022.
Longhorn
Longhorn has been active since at least 2011.
LongNosedGoblin
LongNosedGoblin is a China-aligned APT group targeting governmental entities in Southeast Asia and Japan for cyberespionage.
LOTUS PANDA
Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.
Lucky Cat
A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information.
LulzIntel
The threat actor lulzintel has claimed responsibility for multiple data breaches, including those of vegehome.pl, Almaex, Smaregi, and Kin Teck Tong, exposing sensitive information of over 400,000 individuals combined.
LulzSec Black
LulzSec Black is a hacktivist group that has claimed responsibility for coordinated DDoS attacks against Cyprus' government and critical infrastructure in response to the country's support for Israel.
Luna Moth
Luna Moth conducts high-tempo callback phishing campaigns targeting legal and financial organizations in the U.S., using social engineering to lure victims into calling fake helpdesk numbers.
LUNAR SPIDER
According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.
luoxk
Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.
LYCEUM
Lyceum is an Iranian APT group that has been active since at least 2014.
Madi
Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign.
MageCart
Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.
Magic Kitten
Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting
MAGNETIC SPIDER
MAGNETIC SPIDER is a threat actor tracked in the Malpedia taxonomy (RU).
MalKamak
MalKamak is an Iranian threat actor that has been operating since at least 2018.
MALLARD SPIDER
Crowdstrike tarcks the operators behind the Qbot as MALLARD SPIDER
Malsmoke
Malsmoke primarily targets Japanese users through malvertising campaigns that deliver Zloader malware, often leveraging adult content lures and geographic IP information.
Malteiro
This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.
Mana Team
Mana Team is a threat actor tracked in the Malpedia taxonomy (CN).
Markopolo
Markopolo is a threat actor known for running scams targeting cryptocurrency users through a fake app called Vortax.
Massgrave
Massgrave is a hacking group that has developed a method to bypass Microsoft's software licensing for Windows and Office, enabling permanent activation of versions from Windows Vista to Windows 11.
Metador
Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.
MIMIC SPIDER
MIMIC SPIDER is mentioned in two summary reports only
Mirage Tiger
Mirage Tiger is a threat actor tracked in the Malpedia taxonomy.
MirrorFace
MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities.
Mocha Manakin
Mocha Manakin is a threat actor that employs the paste and run technique for initial access, tricking users into executing scripts that download various payloads, including LummaC2, HijackLoader, and Vidar.
ModifiedElephant
Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant.
Mofang
Mofang is a threat actor tracked in the Malpedia taxonomy (CN).
Mogilevich
Mogilevich is a ransomware group known for claiming to breach organizations like Epic Games and Ireland's Department of Foreign Affairs, offering stolen data for sale without providing proof of the attacks.
Molatori
Molatori is a threat actor group identified by Malwarebytes researchers, known for utilizing malicious ScreenConnect clients hosted on domains like atmolatori.icu and gomolatori.cyou.
Molerats
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks.
MoneyTaker
In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia.
MONTY SPIDER
Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.
Mora_001
Mora_001 is a threat actor exhibiting a distinct operational signature that combines opportunistic attacks with ties to the LockBit ecosystem.
MORH4x
MORH4x is a self-proclaimed Moroccan hacking group that claimed responsibility for a data leak from Algeria's pharmaceutical industry ministry.
MosesStaff
Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021.
Moshen Dragon
Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia.
Moskalvzapoe
Moskalvzapoe is a threat actor tracked in the Malpedia taxonomy.
MoustachedBouncer
MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023.
Mr_Rot13
Mr_Rot13 is a stable hacking group identified through a PHP backdoor and a Downloader domain linked to a C2 infrastructure active since 2020.
MuddyWater
The MuddyWater attacks are primarily against Middle Eastern nations.
MUMMY SPIDER
MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo.
MurenShark
MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on targeting Turkey.
MUSTANG PANDA
This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.
Mustard Tempest
Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks.
Mythic Likho
Arcane Werewolf has been observed targeting Russian manufacturing enterprises through phishing emails that lead to malicious links and spoofed websites.
Naikon
Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets
Nam3L3ss
Nam3L3ss is a threat actor who has leaked data from 25 companies, including over 2.8 million lines of Amazon employee data, which was confirmed to be stolen from a third-party service provider.
Narketing163
Narketing163 is a financially motivated threat actor named after one of their frequently used email addresses (narketing163@gmail.com).
NARWHAL SPIDER
NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.
Natohub
Natohub is a hacker who claimed to have stolen 42,000 documents from the UN’s International Civil Aviation Organization and is offering the data for sale on underground forums.
Nazar
This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak.
NB65
Network Battalion 65 is an hactivist group with ties to Anonymous, known for attacking Russian companies and performing hack-and-leak operations.
NEODYMIUM
NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird.
NetRunnerPR
NetRunnerPR has claimed to breach the networks of Shiraume Hospital and Nippon Medical School Musashi Kosugi Hospital in Japan, exfiltrating patient PII and medical records.
NewsPenguin
NewsPenguin is threat actor that has been targeting organizations in Pakistan.
Nexus Zeta
Nexus Zeta is no stranger when it comes to implementing SOAP related exploits.
Nickel Alley
NICKEL ALLEY is a North Korean threat group that targets technology professionals through fake job opportunities, employing social engineering tactics such as creating fraudulent LinkedIn pages and GitHub repositories fo
Night Dragon
Night Dragon is a threat actor tracked in the Malpedia taxonomy (CN).
NightEagle
NightEagle is an advanced Threat Actor that targeted China's High-Tech Industry and Military Organisation, leveraging sophisticated techniques, 0 days, and specialized detection avoiding malware.
Nitro
These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents
NOCTURNAL SPIDER
Mentioned as MaaS operator in CrowdStrike's 2020 Report.
NOMAD PANDA
In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.
NoName057(16)
NoName057(16) is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine and n
NOTROBIN
Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits.
Nullbulge
NullBulge is a cybercriminal threat group targeting AI and gaming focused entities.
NyxarGroup
NyxarGroup is a threat actor involved in a coordinated data brokerage ecosystem across Latin America, primarily targeting government infrastructure.
OilAlpha
OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorit
OilRig
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organization
OldGremlin
OldGremlin is a Russian-speaking ransomware group that has been active for several years.
OnionDog
This threat actor targets the South Korean government, transportation, and energy sectors.
Opal Sleet
Konni is a threat actor associated with APT37, a North Korean cyber crime group.
Operation BugDrop
This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine.
Operation C-Major
Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan.
Operation Cobalt Whisper
Operation Cobalt Whisper is a threat actor tracked in the Malpedia taxonomy.
Operation Comando
Operation Comando is a pure cybercrime campaign, possibly with Brazilian origin, with a concrete and persistent focus on the hospitality sector, which proves how a threat actor can be successful in pursuing its objective
Operation DRBControl
Operation DRBControl is a cyberespionage campaign targeting gambling companies in Southeast Asia, first identified in 2019.
Operation Emmental
Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012.
Operation ForumTroll
Operation ForumTroll is a sophisticated cyber espionage campaign discovered by Kaspersky in mid-March 2025.
Operation Ghoul
Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors.
Operation Kabar Cobra
Operation Kabar Cobra is a threat actor tracked in the Malpedia taxonomy.
Operation Parliament
This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.
Operation Poison Needles
What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of R
Operation Red Signature
The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process.
Operation Shadow Force
Operation Shadow Force is a group of malware that is representative of Shadow Force and Wgdrop from 2013 to 2020, and is a group activity that attacks Korean companies and organizations.
Operation ShadowHammer
Newly discovered supply chain attack that leveraged ASUS Live Update software.
Operation Sharpshooter
The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intellig
Operation Soft Cell
In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-aff
Operation Triangulation
Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits.
Operation WizardOpium
We are calling these attacks Operation WizardOpium.
Operation Wocao
Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.
Orangeworm
Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare s
OurMine
OurMine is known for celebrity internet accounts, often causing cyber vandalism, to advertise their commercial services.
OUTLAW SPIDER
On May 7, 2019, Mayor Bernard “Jack” Young confirmed that the network for the U.S.
OverFlame
OverFlame is a hacktivist group known for executing DDoS attacks and website defacements, primarily targeting government institutions and corporations in Europe and North America.
OVERLORD SPIDER
OVERLORD SPIDER, aka The Dark Overlord. Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks.
Pacha Group
Antd is a miner found in the wild on September 18, 2018.
Packrat
A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries.
PALE PANDA
PALE PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
PARINACOTA
One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload.
PassCV
The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates.
Patched Lightning
Patched Lightning is a threat actor tracked in the Malpedia taxonomy.
PayTool
PayTool is a threat actor that operates a phishing ecosystem focused on traffic violation and fine payment scams targeting Canadians through SMS-based social engineering.
Pearl Sleet
Pearl Sleet is a nation state activity group based in North Korea that has been active since at least 2012.
People's Cyber Army of Russia
People's Cyber Army of Russia is a threat actor tracked in the Malpedia taxonomy.
PerSwaysion
PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives.
PhantomControl
PhantomControl is a sophisticated threat actor that emerged in November 2023.
Phlox Tempest
Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads.
Pickaxe
Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017, and continues to remain active to this day.
PINCHY SPIDER
First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedica
Pink Sandstorm
Agonizing Serpens is an Iranian-linked APT group that has been active since 2020.
PIZZO SPIDER
PIZZO SPIDER is a threat actor tracked in the Malpedia taxonomy (US).
PLATINUM
PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior.
PlushDaemon
PlushDaemon is a China-aligned APT group that has conducted cyberespionage operations against targets in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.
POISON CARP
Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas.
PoisonSeed
PoisonSeed is a threat actor employing an MFA-resistant phishing kit to acquire credentials from individuals and organizations, primarily targeting email infrastructure for cryptocurrency-related spam.
POISONUS PANDA
POISONUS PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
POLONIUM
Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.
Poseidon Group
Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005.
PowerPool
Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.
PREDATOR PANDA
PREDATOR PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
ProCC
ProCC is a threat actor targeting the hospitality sector with remote access Trojan malware.
ProjectSauron
ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.
Prolific Puma
Prolific Puma provides an underground link shortening service to criminals.
PROMETHIUM
PROMETHIUM is an activity group that has been active as early as 2012.
Prophet Spider
PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnera
puNK-003
puNK-003 is a North Korean APT group known for deploying the Lilith RAT, a sophisticated C++ remote access trojan, and its AutoIt variant, CURKON, which functions as a downloader.
PurpleHaze
PurpleHaze is a China-nexus threat actor tracked by SentinelLABS, linked to APT15, known for targeting critical infrastructure sectors such as telecommunications and government organizations.
QUILTED TIGER
Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools.
R00tK1T
R00TK1T is a hacking group known for sophisticated cyber attacks targeting governmental agencies in Malaysia, including data exfiltration from the National Population and Family Development Board.
RADIO PANDA
RADIO PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
RaHDit
RaHDit is a pro-Kremlin hacktivist group known for orchestrating hack-and-leak operations, including the publication of personal information about Ukrainian military intelligence personnel and their associates.
RANCOR
The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE.
RansomVC
Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles.
Raspberry Typhoon
Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea.
RASPITE
Dragos has identified a new activity group targeting access operations in the electric utility sector.
RATPAK SPIDER
In July 2018, the source code of Pegasus, RATPAK SPIDER’s malware framework, was anonymously leaked.
RAZOR TIGER
An actor mainly targeting Pakistan military targets, active since at least 2012.
Rebel Jackal
This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged.
Reckless Rabbit
Reckless Rabbit lures victims into investment scams through malicious Facebook advertisements that lead to fake news articles with embedded web forms for personal information collection.
Red Charon
Throughout 2019, multiple companies in the Taiwan high-tech ecosystem were victims of an advanced persistent threat (APT) attack.
Red Dev 17
In 2021, PwC started tracking a series of intrusions under the moniker of Red Dev 17 that they assess were highly likely conducted by a China-based threat actor.
Red Menshen
Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors
Red Nue
Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAt backdoor, also known as ReverseWindow.
Red-Lili
RED-LILI is an active threat actor that has been identified by Checkmarx SCS research team.
RedAlpha
Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years.
RedDelta
Likely Chinese state-sponsored threat activity group RedDelta targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor.
RedEcho
RedEcho: The group made heavy use of AXIOMATICASYMPTOTE — a term we use to track infrastructure that comprises ShadowPad C2s, which is shared between several Chinese threat activity groups
Redfly
Redfly hacked a national electricity grid organization in Asia and maintained persistent access to the network for about six months.
RedGolf
Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG.
RedJuliett
RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan.
RedKitten
RedKitten is a campaign targeting Iranian interests, particularly NGOs and individuals documenting human rights abuses, first observed in January 2026.
RedStinger
In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions.
REF2924
A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and
REF5961
Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN).
REF7707
REF7707 is a cyber campaign targeting government entities, particularly a foreign ministry in South America, utilizing malware families such as FinalDraft, GuidLoader, and PathLoader for persistence and lateral movement.
ResumeLooters
Since the beginning of 2023, ResumeLooters have been able to compromise at least 65 websites.
Returned Libra
Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017.
RevengeHotels
RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies.
RGB-TEAM
RGB-TEAM is a previously unknown Russian-speaking threat actor.
RIDDLE SPIDER
According to Crowdstrike, RIDDLE SPIDER is the operator behind the avaddon ransomware
RipperSec
RipperSec is a pro-Palestinian, likely Malaysian hacktivist group created in June 2023, known for conducting DDoS attacks, data breaches, and defacements primarily targeting government and educational websites, as well a
Roaming Mantis
According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018.
Roaming Tiger
Roaming Tiger is a threat actor tracked in the Malpedia taxonomy.
Rocke
This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability.
Rocket Kitten
Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various sc
RomCom
ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks.
RTM
There are several groups actively and profitably targeting businesses in Russia.
Ruby Sleet
Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security.
RUBYCARP
RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity.
RuskiNet
RuskiNet is a pro-Russian hacktivist collective associated with disruptive operations including DDoS attacks, website defacements, phishing, and data leaks against government, infrastructure, financial, and civil targets
Ruthless Rabbit
Ruthless Rabbit has been running investment scam campaigns since November 2022, primarily targeting users in Russia, Poland, Romania, and Kazakhstan.
Saad Tycoon
Saad Tycoon is the operator and alleged developer of the Tycoon 2FA PhaaS, a phishing service that targets users for financial gain.
SABRE PANDA
SABRE PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
SaintBear
A group targeting UA state organizations using the GraphSteel and GrimPlant malware.
SALTY SPIDER
Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target
SAMBASPIDER
SAMBASPIDER is a threat actor associated to the Mispadu malware.
SAMURAI PANDA
SAMURAI PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
SandCat
SandCat, on the other hand, is a group that was discovered more recently by Kaspersky.
Sandman APT
First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40.
Sands Casino
Sands Casino is a threat actor tracked in the Malpedia taxonomy (IR).
Sath-ı Müdafaa
A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of pre
ScamClub
ScamClub is a threat actor involved in malvertising activities since 2018.
Scarab
Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States.
Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists.
SCARLETEEL
SCARLETEEL is a threat actor that primarily targets cloud environments, specifically AWS and Kubernetes.
Scarred Manticore
Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers.
Scattered Canary
When the first member of Scattered Canary, who, for the purposes of this report, we call Alpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned the tricks of the trade from a mentor.
ScreamedJungle
ScreamedJungle is a threat actor that exploits vulnerabilities in outdated Magento e-commerce platforms to inject malicious JavaScript code, specifically Bablosoft JS, into compromised websites.
Scripted Sparrow
Scripted Sparrow is a prolific Business Email Compromise (BEC) collective that conducts highly targeted phishing campaigns, impersonating professional services firms to deceive finance teams into transferring funds.
SCULLY SPIDER
Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.
Sea Turtle
This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems.
SEXi
SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments.
Shadow Network
Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United
SHADOW-AETHER-015
SHADOW-AETHER-015 is a highly adaptable cybercriminal group known for identity abuse and cloud compromise, primarily targeting identity and access management systems like Okta and Azure AD/Entra ID.
Shadow-Earth-053
SHADOW-EARTH-053 is a China-aligned threat group exploiting unpatched Microsoft Exchange Server vulnerabilities, specifically CVE-2021-26855, to conduct cyberespionage against government and defense-linked targets across
SHADOW-VOID-042
SHADOW-VOID-042 is a provisional intrusion set tracked by Trend Micro, active in October-November 2025, conducting spear-phishing campaigns against energy, defense, pharmaceutical, cybersecurity, and other sectors using
SHADOW-WATER-063
SHADOW-WATER-063 is a financially motivated threat actor attributed to the Banana RAT banking trojan, primarily targeting Brazilian financial accounts.
ShadowSyndicate
ShadowSyndicate is a threat actor associated with various ransomware groups, using a consistent Secure Shell fingerprint across multiple servers.
ShadyPanda
ShadyPanda is a threat actor behind a 7-year campaign that has infected 4.3 million users through extensions masquerading as productivity tools while functioning as comprehensive spyware.
ShaggyPanther
ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia.
Shahid Hemmat
Shahid Hemmat is an IRGC-CEC affiliated hacking group linked to cyberattacks targeting U.S.
Shamoon Group
Shamoon Group is an Iran-linked threat actor associated with destructive Shamoon wiper operations targeting organizations in the Middle East, especially in the energy sector.
SHARK SPIDER
This group's activity was first observed in November 2013.
SharpPanda
SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018.
ShroudedSnooper
In September 2023, Cisco Talos identified a new malware family that it calls ‘HTTPSnoop’ being deployed against telecommunications providers in the Middle East.
SideCopy
The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan.
SiegedSec
SiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine.
Siesta
FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign.
Silence group
a relatively new threat actor that’s been operating since mid-2016 Group-IB has exposed the attacks committed by Silence cybercriminal group.
Silent Chollima
Andariel is a threat actor that primarily targets South Korean corporations and institutions.
Silent Librarian
Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute.
SilitNetwork
SilitNetwork is a hacking group known for targeting high-profile entities, such as airlines, for various motives.
SILKFIN AGENCY
SILKFIN AGENCY has claimed responsibility for multiple significant data breaches, including the compromise of DimeCuba.com, which exposed over 1 million SMS records and more than 100,000 email records.
SilkSpecter
SilkSpecter is a Chinese financially motivated threat actor that orchestrates phishing campaigns targeting e-commerce shoppers, particularly during peak shopping seasons.
SilverFish
SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector.
SilverTerrier
As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing to
Sima
Sima is a group of suspected Iranian origin targeting Iranians in diaspora.
SINGING SPIDER
SINGING SPIDER is a threat actor tracked in the Malpedia taxonomy.
SingularityMD
SingularityMD is a threat actor group that has targeted educational institutions in the US.
Sinobi
Sinobi is a financially motivated ransomware group that employs data theft and extortion as primary tactics, operating a public-facing leak portal to pressure victims during ransom negotiations.
SkidSec
SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evid
SLIME29
SLIME29 is a threat actor tracked in the Malpedia taxonomy (CN).
Slingshot
While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor.
SlopAds
SlopAds is a sophisticated ad fraud and click fraud operation involving a collection of 224 apps, downloaded over 38 million times globally.
SloppyLemming
SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2).
Smishing Triad
The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns.
SMOKY SPIDER
Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.
SmugX
The campaign, called SmugX, overlaps with previously reported activity by Chinese APT actors RedDelta and Mustang Panda.
Snake Wine
While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and
SneakyChef
SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide.
SNOWGLOBE
In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild.
SnowSoul
SnowSoul is a financially motivated threat actor active since at least early 2026, operating a low-ransom extortion scheme primarily targeting Chinese organizations.
SOLAR SPIDER
SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.
Solntsepek
Solntsepek is a threat actor group with ties to the Russian military unit GRU.
SongXY
SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns.
Sowbug
Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets.
SparklingGoblin
ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targe
SPICY PANDA
SPICY PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
SPIKEDWINE
SPIKEDWINE is a threat actor targeting European officials with a new backdoor called WINELOADER.
STAC5143
STAC5143 is a threat actor group tracked by Sophos, notable for its sophisticated use of Microsoft Office 365's legitimate services to conduct ransomware and data extortion campaigns.
STARDUST CHOLLIMA
Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been public reported as part of the “Lazarus Group”), because Hermes was ex
Stargazer Goblin
Stargazer Goblin is a threat actor group that operates the Stargazers Ghost Network on GitHub, distributing malware and malicious links through multiple accounts.
Starry Addax
Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling.
Stealth Falcon
This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.
Stealth Mango and Tangelo
This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.
Storm Cloud
Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals.
Storm-0062
The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062.
Storm-0249
Storm-0249 is an access broker active since 2021, known for distributing BazaLoader, IcedID, Bumblebee, and Emotet malware.
Storm-0324
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other thr
Storm-0381
Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group.
Storm-0473
Storm-0473 (Tomiris) is a threat actor that has been active since at least 2019.
Storm-0494
Storm-0494 is a threat actor that facilitates Gootloader infections, which are then exploited by groups like Vice Society to deploy tools such as the Supper backdoor, AnyDesk, and MEGA.
Storm-0501
Storm-0501 is a financially motivated cybercriminal group that has been active since 2021, initially targeting US school districts with the Sabbath ransomware and later transitioning to a RaaS model deploying various ran
Storm-0506
Storm-0506 (DEV-0506) is a financially motivated cybercriminal group operating as a core affiliate within the Black Basta ransomware-as-a-service (RaaS) ecosystem, having switched from deploying Conti ransomware around A
Storm-0530
H0lyGh0st is a North Korean threat actor that has been active since June 2021.
Storm-0539
Storm-0539 is a financially motivated threat actor that has been active since at least 2021.
Storm-0826
Storm-0826 is a financially motivated cybercriminal group operating as an affiliate within the Black Basta ransomware-as-a-service (RaaS) ecosystem.
Storm-0829
Nwgen is a group that focuses on data exfiltration and ransomware activities.
Storm-0835
Cybercriminals have launched a phishing campaign targeting senior executives in U.S.
Storm-0867
Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions.
Storm-0940
Storm-0940 is a Chinese threat actor active since at least 2021, known for gaining initial access through password spray and brute-force attacks, as well as exploiting network edge applications.
Storm-1044
Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider.
Storm-1084
Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group.
Storm-1099
Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022.
Storm-1101
DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits.
Storm-1113
Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks.
Storm-1133
In early 2023, Microsoft In early 2023, observed a wave of activity from a Gaza-based group that we track as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations.
Storm-1152
Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts.
Storm-1167
Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit.
Storm-1175
Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access.
Storm-1283
Storm-1283 is a threat actor that targeted Microsoft Azure cloud platform.
Storm-1286
Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled.
Storm-1295
Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform.
Storm-1516
CopyCop is a Russian covert influence network that has established over 300 fictional media websites targeting the US, France, Canada, and other countries, primarily to disseminate pro-Russian and anti-Ukrainian narrativ
Storm-1567
Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira.
Storm-1575
Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform.
Storm-1674
Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware.
Storm-1679
Storm-1679 is a Russian disinformation group believed to be a spinoff of the Internet Research Agency, actively engaged in influence operations targeting the International Olympic Committee and the 2024 Olympic Games.
Storm-1747
Storm-1747 is an intrusion set that develops and operates the Tycoon 2FA phishing kit, which has been active since at least mid-2023 and is known for its sophisticated obfuscation and exfiltration techniques.
Storm-1849
UAT4356 is a state-sponsored threat actor that targeted government networks globally through a campaign named ArcaneDoor.
Storm-1977
Storm-1977 is a sophisticated threat actor that conducts password-spraying attacks targeting cloud tenants, particularly in the education sector, utilizing the AzureChecker.exe CLI tool as their primary infection vector.
Storm-2077
TAG-100 is a cyber-espionage APT that targets government and private sector organizations globally, exploiting vulnerabilities in internet-facing devices such as Citrix NetScaler and F5 BIG-IP for initial access.
Storm-2139
Storm-2139 is a cybercrime group that exploited stolen API keys from compromised Azure OpenAI Service accounts to generate harmful content, including non-consensual intimate imagery, using the DALL-E model.
Storm-2372
Storm-2372 is a suspected nation-state actor aligned with Russian interests, engaging in device code phishing campaigns targeting governments, NGOs, and various industries across Europe, North America, Africa, and the Mi
Storm-2460
Storm-2460 is a threat actor that has exploited elevation of privilege vulnerabilities to deploy PipeMagic malware and ransomware, enabling them to escalate access within compromised environments.
Storm-2561
Storm-2561 is a cybercriminal threat actor known for a credential theft campaign that employs SEO poisoning to distribute fake VPN clients.
Storm-2603
The group Microsoft tracks as Storm-2603 is assessed with medium confidence to be a China-based threat actor.
Storm-2657
Storm-2657 is a financially motivated threat actor targeting US-based organizations, particularly in higher education, to compromise employee accounts and redirect salary payments to attacker-controlled accounts.
Storm-2949
Storm-2949 is a sophisticated threat actor that exploited Microsoft’s Self-Service Password Reset process to compromise high-value accounts, primarily targeting IT personnel and senior leadership.
StucxTeam
Stucx is a threat actor known for targeting Israeli systems, including SCADA systems and the Red Alert missile protection system.
Sunglow Blizzard
DEV-0665 is a threat actor associated with the HermeticWiper attacks.
Swan Vector
Seqrite Labs APT-Team has recently uncovered a campaign which we have termed as Swan Vector, that has been targeting the nations across the East China sea such as Taiwan and Japan.
SWEED
Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla.
SYLHET GANG-SG
SYLHET GANG-SG is a hacktivist group that has targeted critical infrastructure and various entities, including the Central European University and the EU Parliament, often articulating their rationale for attacks.
TA2101
Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware.
TA2536
TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools.
TA2541
Persistent cybercrime threat actor targeting aviation, aerospace, transportation, manufacturing, and defense industries for years.
TA2552
Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019.
TA2719
In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs).
TA2722
TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy.
TA2723
TA2723 is a financially-motivated, high-volume credential phishing threat actor known for spoofing Microsoft OneDrive, LinkedIn, and DocuSign.
TA2725
TA2725 is a threat actor that has been tracked since March 2022.
TA402
TA402 is an APT group that has been tracked by Proofpoint since 2020.
TA406
TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.
TA410
Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”.
TA428
Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims.
TA444
TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations.
TA453
TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.
TA455
TA455 is an Iranian APT group targeting the aerospace industry through a campaign known as the “Iranian Dream Job Campaign,” utilizing deceptive job offers to lure victims.
TA459
TA459 is a threat actor tracked in the Malpedia taxonomy (CN).
TA482
Since early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists
TA4903
TA4903 is a financially motivated threat actor known for conducting credential phishing and business email compromise campaigns.
TA499
TA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021.
TA516
This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice -- often banking Trojans.
TA530
TA530, who we previously examined in relation to large-scale personalized phishing campaigns
TA547
TA547 is responsible for many other campaigns since at least November 2017.
TA554
Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad.
TA555
Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns.
TA558
Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe.
TA570
One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.
TA571
TA571 is a spam distributor actor known for delivering a variety of malware, including DarkGate, NetSupport RAT, and information stealers.
TA575
TA575 is a Dridex affiliate tracked by Proofpoint since late 2020.
TA577
TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020.
TA578
TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020.
TA579
TA579, a threat actor that Proofpoint researchers have been tracking since August 2021.
TA584
TA584 is a prominent initial access broker tracked by Proofpoint since November 2020, known for its high-volume campaigns targeting organizations globally.
TA800
This attacker is an affiliate distributor of the The Trick, also known as Trickbot, and BazaLoader.
TA829
TA829 is a Russia-aligned threat actor that employs the RomCom RAT for intelligence-gathering and financially motivated cyberattacks, exploiting zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows.
TA866
According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools.
TAG-112
TAG-112 is a Chinese state-sponsored APT that compromised Tibetan websites, including Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike malware.
TAG-124
TAG-124 is a threat actor that employs a traffic distribution system to distribute malware, primarily using MintsLoader and targeting various sectors through phishing emails and compromised websites.
TAG-140
TAG-140 is a threat actor group that primarily targets Indian government entities, employing cyber espionage tactics such as phishing and malware campaigns.
TAG-28
TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies.
TAG-56
TAG-56 is a threat actor group that shares similarities with the APT42 group.
Taidoor
The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009.
TaskMasters
TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS.
Team-Xecuter
Team-Xecuter is a hacking group led by Gary Bowser, also known as GaryOPA.
Team46
Team46 is a sophisticated APT group active since at least late 2024, targeting Russian government, academic, and media organizations through spearphishing emails disguised as forum invitations or service notifications.
TeamSpy Crew
Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies
TeamTNT
In early Febuary, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments.
TeamXRat
TeamXRat is a threat actor tracked in the Malpedia taxonomy.
Teleboyi
Teleboyi is a threat actor reportedly based in China, associated with the PlugX RAT.
TEMP_Heretic
TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns.
TEMP.Hermit
TEMP.Hermit is a threat actor tracked in the Malpedia taxonomy (KP).
TEMP.Veles
TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure.
TEMPER PANDA
China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly av
TempTick
This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage.
TERBIUM
Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector.
TEST PANDA
TEST PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
TetrisPhantom
TetrisPhantom relies on compromising of certain type of secure USB drives that provide hardware encryption and is commonly used by government organizations.
The Big Bang
While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server.
The Gentlemen
The Gentlemen is a ransomware group that employs a dual-extortion strategy, encrypting sensitive files while exfiltrating critical business data to pressure victims into paying ransoms.
The Gorgon Group
Unit 42 researchers have been tracking Subaat, an attacker, since 2017.
The Shadow Brokers
The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016.
TheDarkOverlord
The Dark Overlord is a financially motivated ransomware group that has been active since 2016.
TheWizards
TheWizards is a China-aligned APT group that employs the Spellbinder tool for adversary-in-the-middle attacks, utilizing IPv6 SLAAC spoofing to redirect legitimate software updates to malicious servers.
Threat Actor 888
Threat actor 888 is a hacker active in 2024, targeting companies for data breaches.
Threatsec
ThreatSec is a hacktivist group that has targeted various organizations, including internet service providers in Gaza.
Thrip
This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.
TianWu
TianWu is a threat actor tracked in the Malpedia taxonomy (CN).
Tick
Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008.
TIDRONE
TIDRONE is an unidentified threat actor linked to Chinese-speaking groups, with a focus on military-related industry chains, particularly drone manufacturers in Taiwan.
TiltedTemple
One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers.
TINY SPIDER
According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.
ToddyCat
ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia.
Tonto Team
Tonto Team is a Chinese-speaking APT group that has been active since at least 2013.
Tortoiseshell
A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ c
TOXCAR CYBER TEAM
The Toxcar Cyber Team has claimed responsibility for a data leak involving Mastercard, asserting that the attack targeted the U.S.
TOXIC PANDA
A group targeting dissident groups in China and at the boundaries.
TRACER KITTEN
In April 2020, Crowstrike Falcon OverWatch discovered Iran-based adversary TRACER KITTEN conducting malicious interactive activity against multiple hosts at a telecommunications company in the Europe, Middle East and Afr
TRAVELING SPIDER
Crowdstrike Tracks the criminal developer of Nemty ransomware as TRAVELING SPIDER.
TridentLocker
TridentLocker is a ransomware group known for targeting organizations that manage high volumes of regulated or third-party data, including government services and telecom providers.
TRIPLESTRENGTH
TRIPLESTRENGTH is a financially motivated threat actor targeting cloud environments and on-premises infrastructures for cryptojacking, ransomware, and extortion.
Tstark
TStark is a threat actor identified by X-Ops, associated with a cluster of devices that executed the bookmark buffer overflow exploit targeting CVE-2020-15069 (T1203).
TunnelSnake
The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations.
TurkHackTeam
Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives.
Turla
A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more inter
TwoSail Junk
TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own.
UAC-0006
UAC-0006 is a financially motivated threat actor that has been active since at least 2013.
UAC-0020
Vermin is a threat actor group linked to the Luhansk People’s Republic and believed to be acting on behalf of the Kremlin.
UAC-0050
UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine.
UAC-0063
UAC-0063 is a threat actor linked to Russian APT28, known for targeting government entities in Ukraine and Central Asia for cyber espionage operations.
UAC-0094
State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts.
UAC-0099
UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities.
UAC-0102
UAC-0102 is a threat actor group targeting UKR.NET users through phishing attacks.
UAC-0118
From Russia with Love, is a threat actor group that emerged during the Russia-Ukraine war in 2022.
UAC-0149
UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware.
UAC-0154
UAC-0154 is a threat actor orchestrating the STARK#VORTEX phishing campaign, specifically targeting Ukraine’s military.
UAC-0184
UAC-0184 is a threat actor targeting Ukrainian organizations in Finland, using the Remcos Remote Access Trojan in their attacks.
UAC-0185
UAC-0185 has been active since at least 2022, primarily targeting Ukrainian defense organizations through credential theft via messaging apps like Signal, Telegram, and WhatsApp, as well as military systems such as DELTA
UAC-0194
UAC-0194 is a Russian threat actor linked to the exploitation of the Windows zero-day CVE-2024-43451, which was used in attacks against Ukrainian organizations.
UAC-0215
UAC-0215 is an APT group that has orchestrated a phishing campaign targeting public institutions, major industries, and military units in Ukraine, utilizing rogue RDP files to gain unauthorized access.
UAC-0219
UAC-0219 is a hacking group observed conducting cyber-espionage operations targeting Ukrainian critical sectors, primarily utilising WRECKSTEEL malware for file exfiltration in both VBScript and PowerShell variants.
UAC-0226
UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025.
UAC-0227
UAC-0227 is an APT group that has been active since at least March 2025, targeting local governments, critical infrastructure, and various organizations in the European Union.
UAC-0239
UAC-0239 has been observed conducting spearphishing attacks targeting the Defence Forces and local state agencies of Ukraine, impersonating the Security Service of Ukraine.
UAC-0241
UAC-0241 is a threat actor tracked by CERT-UA, active from May to November 2025, targeting educational institutions and government bodies in eastern Ukraine via spear-phishing emails from compromised Gmail accounts.
UAC-0245
Threat actors, tracked under the identifier UAC-0245 and targeting Ukraine, employ malicious XLL files disguised as critical documents.
UAT-10362
UAT-10362 is a threat actor identified by Cisco Talos, conducting spear-phishing campaigns targeting Taiwanese NGOs and suspected universities to deploy the malware "LucidRook." The malware features a multi-language modu
UAT-10608
UAT-10608 is a threat cluster observed by Cisco Talos conducting a large-scale, automated credential-harvesting campaign against public-facing web applications, especially Next.js deployments, using a custom framework ca
UAT-5394
UAT-5394 is a state-sponsored North Korean threat actor known for developing the MoonPeak RAT, which is based on XenoRAT.
UAT-5918
UAT-5918 is an APT group that targets entities in Taiwan, primarily in telecommunications, healthcare, and IT sectors, to establish long-term access for information theft.
UAT-6382
UAT-6382 is a Chinese-speaking threat actor that exploits CVE-2025-0944 to gain access to enterprise networks, particularly targeting local governing bodies in the U.S.
UAT-7237
UAT-7237 is a Chinese-speaking APT group that has been active since at least 2022, primarily targeting web infrastructure entities in Taiwan.
UAT-8099
UAT-8099 is a Chinese-speaking cybercrime group primarily engaged in SEO fraud and the theft of high-value credentials, configuration files, and certificate data from vulnerable IIS servers.
UAT-8302
UAT-8302 is a sophisticated China-nexus APT group targeting government entities in South America and southeastern Europe, deploying custom-made malware such as NetDraft, CloudSorcerer version 3, and VSHELL.
UAT-8616
UAT-8616 is a highly sophisticated cyber threat actor attributed by Cisco Talos, with evidence of activity dating back to at least 2023.
UAT-8837
UAT-8837 is a sophisticated China-linked APT group exploiting critical zero-day vulnerabilities, such as CVE-2025-53690 in the Sitecore platform, to achieve remote code execution and deploy the WeepSteel backdoor for esp
UAT-9244
UAT-9244 is a China-nexus APT actor, disclosed by Cisco Talos on March 5, 2026, assessed with high confidence as closely associated with Famous Sparrow and overlapping with Tropic Trooper.
UAT-9686
UAT-9686 is a Chinese state-sponsored APT known for targeting networking infrastructure and edge appliances through a sophisticated espionage campaign.
UAT-9921
UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos.
Ukrainian Cyber Alliance
Cyber Alliance is a hacktivist group that has demonstrated capabilities in exploiting vulnerabilities, such as CVE-2023-22515 in Confluence, to escalate privileges and access targeted infrastructure.
UNC1069
CryptoCore is a North Korean APT known for targeting cryptocurrency exchanges and financial institutions, employing spear-phishing techniques that lead to LONEJOGGER malware infections.
UNC1549
UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC.
UNC1860
UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
UNC1878
UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware.
UNC215
UNC215 is a Chinese nation-state threat actor that has been active since at least 2014.
UNC2447
UNC2447 is a financially motivated threat actor with ties to multiple hacker groups.
UNC2452
Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020.
UNC2465
UNC2465 is a threat actor known for deploying the SMOKEDHAM .NET backdoor and DARKSIDE ransomware, utilizing TTPs such as phishing, Trojanized software installers, and supply chain attacks.
UNC2565
UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON.
UNC2630
UNC2630 is a threat actor believed to be affiliated with the Chinese government.
UNC2659
UNC2659 has been active since at least January 2021.
UNC2717
UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities.
UNC2814
UNC2814 is a suspected PRC-nexus cyber espionage group that has targeted telecommunications providers and government entities globally since at least 2017.
UNC2970
UNC2970 is a North Korean threat actor that primarily targets organizations through spear-phishing emails with job recruitment themes, often utilizing fake LinkedIn accounts to engage victims.
UNC3524
Mandiant observed this group operating since December 2019.
UNC3569
China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environme
UNC3886
UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns.
UNC3890
A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020.
UNC3973
UNC3973 is a financially motivated threat actor tracked by Mandiant, distinguished from the broader BASTA ransomware ecosystem (primarily tracked as UNC4393) due to its unique operational characteristics and TTPs.
UNC4191
UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia.
UNC4393
UNC4393 is a financially motivated threat actor primarily using BASTA ransomware.
UNC4487
UNC4487 is a threat actor that targeted Ukrainian government officials by compromising a Ukrainian auto insurance website essential for official travel.
UNC4536
UNC4536 is a threat actor that distributes malware, including ICEDID, REDLINESTEALER, and CARBANAK, primarily through malvertising and trojanized MSIX installers masquerading as popular software.
UNC4540
UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage.
UNC4736
UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER.
UNC4841
UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations.
UNC4990
UNC4990 is a financially motivated threat actor that has been active since at least 2020.
UNC5174
UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect.
UNC5266
Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA.
UNC5291
UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon.
UNC5325
UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances.
UNC5330
UNC5330 is a suspected China-nexus espionage actor.
UNC5337
UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan.
UNC5342
UNC5342 is a North Korea-linked APT that employs the EtherHiding technique to deliver malware and facilitate cryptocurrency theft.
UNC5820
UNC5820 is a threat actor exploiting the CVE-2024-47575 vulnerability in Fortinet's FortiManager, allowing them to bypass authentication and execute arbitrary commands.
UNC6032
UNC6032 is a threat actor that weaponizes interest in AI tools, specifically targeting users with fake "AI video generator" websites to distribute malware, including Python-based infostealers and backdoors.
UNC6040
UNC6040 is a financially motivated threat cluster that employs vishing to gain access to organizations' Salesforce environments, facilitating large-scale data exfiltration.
UNC6148
UNC6148 is a financially motivated threat actor that targets SonicWall Secure Mobile Access 100 series appliances, leveraging stolen credentials and possibly zero-day exploits to deploy a persistent backdoor known as OVE
UNC6201
UNC6201 is a sophisticated Chinese state-sponsored hacking group that exploited CVE-2026–22769, a critical vulnerability in Dell RecoverPoint for Virtual Machines appliances, to establish a persistent presence.
UNC6293
UNC6293 is a Russian state-sponsored threat actor identified by Google's Threat Intelligence Group (GTIG), which associates them with APT29 with low confidence.
UNC6353
suspected Russian espionage group.
UNC6384
UNC6384 (also tracked as Vertigo Panda) is a Chinese-affiliated APT that conducts targeted espionage campaigns primarily against diplomatic entities in Southeast Asia and Europe, specifically Belgium and Hungary.
UNC6395
The actor systematically exported large volumes of data from numerous corporate Salesforce instances.
UNC6426
UNC6426 exploited a supply chain compromise of the nx npm package to steal a developer's GitHub Personal Access Token and gain access to a victim's cloud environment.
UNC6485
UNC6485 is a cyber-espionage group exploiting CVE-2025-12480 in Gladinet’s Triofox file-sharing platform to gain initial network access and establish long-term persistence.
UNC6619
TGR-STA-1030 is a state-aligned cyberespionage group operating out of Asia, known for compromising government and critical infrastructure organizations across 37 countries.
UNC6671
UNC6671 is involved in credential harvesting operations, utilizing vishing tactics to impersonate IT staff and directing victims to enter credentials on a victim-branded site.
UNC6691
financially motivated threat actor operating from China
UNC6692
UNC6692 is a threat actor that employs social engineering tactics, such as impersonating IT helpdesk personnel, to gain initial access to victim environments.
UNC6748
UNC6748 targets users in Saudi Arabia through a fake Snapchat website, employing a backdoor known as GHOSTKNIFE for data exfiltration.
Unfading Sea Haze
Unfading Sea Haze is a threat actor focused on espionage, targeting government and military organizations in the South China Sea region since 2018.
UNG0002
UNG0002 is a technically adept APT conducting large-scale cyber espionage campaigns targeting strategic sectors in China, Hong Kong, and Pakistan, including defense, energy infrastructure, and healthcare.
UNG0901
UNG0901 is a cyber-espionage threat actor targeting Russian entities, particularly in the aerospace and defense sectors, utilizing spear-phishing tactics.
UNION PANDA
UNION PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
UNION SPIDER
Adversary targeting manufacturing and industrial organizations.
Unit 8200
Unit 8200 is a threat actor tracked in the Malpedia taxonomy (IL).
UNK_AcademicFlare
UNK_AcademicFlare is a suspected Russia-aligned threat actor that conducts device code phishing campaigns by leveraging compromised email addresses from government and military organizations.
UNK_DropPitch
Between March and June 2025, Proofpoint identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry.
UNK_FistBump
Between March and June 2025, Proofpoint identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry.
UNK_RemoteRogue
UNK_RemoteRogue is a suspected Russian threat actor that has been observed utilizing ClickFix in its infection chains, although this technique is not revolutionizing their operations but rather replacing existing install
UNK_SparkyCarp
Between March and June 2025, Proofpoint identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry.
Unnamed Actor
This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist.
UnsolicitedBooker
UnsolicitedBooker is a China-aligned APT group known for its persistent targeting of an unnamed international organization in Saudi Arabia, employing a backdoor called MarsSnake.
Urpage
What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages.
UserSec
UserSec is a pro-Russian hacking group that has been active since at least 2022.
UTA0178
While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utili
UTA0218
UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data.
UTA0352
UTA0352 is a Russian threat actor attributed to phishing campaigns that exploit Microsoft OAuth 2.0 authentication workflows, often impersonating government officials to lure targets into providing sensitive information.
UTA0355
UTA0355 is a Russian threat actor that conducts phishing campaigns targeting individuals and organizations associated with Ukraine.
UTA0388
UTA0388 is a China-aligned APT known for spear-phishing campaigns targeting organizations in North America, Asia, and Europe, primarily to deliver a Go-based implant called GOVERSHELL.
UTG-Q-008
UTG-Q-008 is a threat actor targeting Linux platforms, primarily focusing on government and enterprise entities in China.
UTG-Q-010
UTG-Q-010 is a financially motivated APT group from East Asia that has been active since late 2022, primarily targeting the pharmaceutical industry and cryptocurrency enthusiasts.
Vanilla Tempest
Vice Society is a ransomware group that has been active since at least June 2021.
Velvet Tempest
Velvet Tempest is a threat actor associated with the BlackCat ransomware group.
VENOM SPIDER
VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader.
VICE SPIDER
Vice Spider is a Russian-speaking ransomware group that has been active since at least April 2021 and is linked to a significant increase in identity-based attacks, with a reported 583% rise in Kerberoasting incidents.
ViceLeaker
In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens.
VICEROY TIGER
VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors.
Vicious Panda
Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target.
ViciousTrap
ViciousTrap has compromised over 5,500 edge devices, transforming them into honeypots and utilizing a shell script called NetGhost to redirect incoming traffic from specific ports to their infrastructure.
Viking Jackal
Viking Jackal is a threat actor tracked in the Malpedia taxonomy (AE).
VIKING SPIDER
VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware.
Void Arachne
Void Arachne is a threat actor group targeting Chinese-speaking users with malicious MSI files containing legitimate software installers for AI software.
Void Balaur
Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe.
Void Banshee
Void Banshee is an APT group targeting North America, Europe, and Southeast Asia for information theft and financial gain.
Void Blizzard
Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organization
Void Manticore
Void Manticore is an Iranian APT group affiliated with MOIS, known for conducting destructive wiping attacks and influence operations.
Void Rabisu
Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.
Volatile Cedar
Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide.
Volt Typhoon
[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.
VulzSecTeam
VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks.
WageMole
WageMole is a North Korean state-sponsored APT that employs social engineering and technology to secure remote job opportunities in Western countries, leveraging stolen personal data from the Contagious Interview campaig
WARP PANDA
WARP PANDA is a China-nexus APT that targets VMware vCenter environments and Microsoft Azure infrastructures, primarily focusing on legal, technology, and manufacturing sectors in the U.S.
Wassonite
WASSONITE is a North Korea-linked APT that has targeted industrial sectors, including electric generation, nuclear energy, manufacturing, and research entities in India, South Korea, and Japan since at least 2018.
Watchdog
Thief Libra is a cloud-focused threat group that has a history of cryptojacking operations as well as cloud service platform credential scraping.
Water Bakunawa
Water Bakunawa is a cybercriminal group identified by Trend Micro, responsible for the RansomHub ransomware, which exploits the Zerologon vulnerability to gain unauthorized network access.
Water Barghest
Water Barghest is a cybercriminal group that has compromised over 20,000 IoT devices by October 2024, monetizing them through a residential proxy marketplace.
Water Curupira
With its emergence in 2022, Water Curupira has established itself as a persistent threat actor targeting organizations primarily in South America and Europe.
Water Gamayun
Water Gamayun exploits the MSC EvilTwin zero-day vulnerability to compromise systems and exfiltrate data, utilizing custom payloads and advanced data exfiltration techniques.
Water Kurita
Water Kurita is a financially motivated cybercriminal entity associated with the Lumma Stealer infostealer-as-a-service operation, primarily active on underground forums and marketplaces.
Water Labbu
Trend Micro discovered a threat actor they named Water Labbu that was targeting cryptocurrency scam websites.
Water Makara
Water Makara employs the Astaroth banking malware, which features a new defense evasion technique.
Water Orthrus
Water Orthrus is a threat actor known for distributing CopperStealer and CopperPhish malware.
Water Saci
Water Saci is a sophisticated cyber threat actor operating in Brazil, utilizing a multi-format attack chain that includes HTA files, ZIP archives, and PDFs to bypass security measures.
Water Sigbin
The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware.
Webworm
Space Pirates is a cybercrime group that has been active since at least 2017.
WeedSec
WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle.
WeRedEvils
WeRedEvils is a hacking group that has claimed responsibility for multiple cyber attacks.
WET PANDA
WET PANDA is a threat actor tracked in the Malpedia taxonomy (CN).
White Bear
As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear.
WhiteCobra
WhiteCobra is a threat actor that has infiltrated the Visual Studio Code marketplace and Open VSX registry, deploying 24 malicious extensions targeting cryptocurrency development tools, particularly Solidity.
Whitefly
In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen.
WildCard
Wildcard is a threat actor that initially targeted Israel's educational sector with the SysJoker malware.
WildNeutron
A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property.
WildPressure
WildPressure is a threat actor that targets industrial-related entities in the Middle East.
WindShift
In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut.
Winter Vivern
Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021.
WIP19
WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia.
WIRTE
WIRTE is a threat actor group that was first discovered in 2018.
Witchetty
Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10).
WOLF SPIDER
FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.
Worok
Worok is a cyber espionage group, mostly targeting Central Asia.
XakNet
XakNet is a self-proclaimed hacktivist group that has targeted Ukraine.
Xcatze
Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses a Python named AndroxGh0st to take over AWS servers and send out massive email spam campaigns.
XDSpy
Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011.
Xiaoqiying
Xiaoqiying is a primarily Chinese-speaking threat group that is most well known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late
XinXin
XinXin is a Chinese-speaking threat actor known for its phishing-as-a-service platform, Lucid, which targets global organizations to steal credit card details and personally identifiable information through smishing camp
Yanbian Gang
RiskIQ characterizes the Yanbian Gang as a group that targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul
YoroTrooper
YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States, based on Cisco Talos analysis.
Z-Pentest Alliance
Z-Pentest Alliance is a pro-Russian hacktivist group known for targeting industrial control systems and operational technology systems, particularly in Italy and Israel.
Zarya
Zarya is a pro-Russian hacktivist group that emerged in March 2022.
ZeffSec
ZeffSec is a hacktivist collective focused on infrastructure-level disruption and exposing vulnerabilities in centralized digital networks.
ZeroSevenGroup
ZeroSevenGroup is a threat actor that claims to have breached a U.S.
ZOMBIE SPIDER
On April 7, 2017, Pytor Levashov — who predominantly used the alias Severa or Peter Severa and whom Falcon Intelligence tracks as ZOMBIE SPIDER — was arrested in an international law enforcement operation led by the FBI.
ZooPark
ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015.