THREAT ACTORS
The Winnti Group, also widely tracked as APT41, Barium, Blackfly, Wicked Panda, and LEAD, is a highly sophisticated, state-sponsored cyber espionage organization operating out of China. What distinguishes Winnti is its unique dual mandate: simultaneously executing government-directed intelligence collection (focused on critical infrastructure, government, defense, high-tech manufacturing, and technology sectors) and engaging in financially motivated operations (primarily targeting the video game industry, software companies, and cryptocurrency platforms). Their operations span over a decade, characterized by adaptability, a large arsenal of custom malware, and a strong focus on supply chain compromise, often leveraging compromised software updates or digitally signed malicious files. They frequently exploit zero-day and N-day vulnerabilities in network edge devices (VPNs, firewalls, web applications) for initial access, followed by extensive lateral movement, credential harvesting, and the exfiltration of intellectual property, source code, digital certificates, and personally identifiable information (PII). They are known for utilizing custom loaders, fileless techniques, and living-off-the-land binaries (LOLBins) to maintain stealth and persistence. Their sophisticated tooling includes custom backdoors, rootkits, and privilege escalation tools, often signed with stolen or compromised digital certificates to evade detection. They have a history of targeting managed service providers (MSPs) to gain access to their clients. Their initial access often involves spearphishing with malicious attachments or links, exploiting public-facing applications, or supply chain compromises. They are highly adaptive, constantly evolving their toolset and tactics to bypass defenses. They are also known for their use of novel techniques such as 'watering hole' attacks and exploiting vulnerabilities in widely used software to distribute their malware. Their operations demonstrate a high level of technical sophistication and operational security.
Volt Typhoon (also tracked as Vanguard Panda, Bronze Silhouette, or KV Botnet operator) is a highly sophisticated, state-sponsored cyber espionage group assessed to be operating on behalf of the People's Republic of China (PRC). Active since at least 2021, its primary objective is strategic pre-positioning for potential disruptive effects against critical infrastructure networks (CIN), particularly in the United States and Guam, during future geopolitical crises. The group is characterized by its extensive use of Living-Off-the-Land (LOTL) techniques, leveraging legitimate system tools (like PowerShell, WMIC, netsh, and curl) to evade detection and blend into normal network traffic. They frequently utilize compromised Small Office/Home Office (SOHO) routers, network storage devices, and edge devices (part of the 'KV Botnet') as command and control (C2) infrastructure to mask their origin, making attribution and tracking exceptionally difficult. Their operations prioritize stealth, persistence, and long-term access, often focusing on network devices and Operational Technology (OT) environments, specifically targeting network equipment (routers, firewalls) to establish persistent access points deep within critical networks. They are known for 'hands-on-keyboard' activity and utilizing valid accounts for lateral movement, often exploiting public-facing network devices for initial access, including known vulnerabilities in Fortinet, Ivanti, and Cisco products. Their C2 infrastructure often relies on a global network of compromised SOHO devices, making it difficult to distinguish legitimate traffic from malicious C2. This group focuses on maintaining long-term, covert access to critical infrastructure, rather than immediate data exfiltration or disruption, indicative of a strategic preparation phase. They often use open-source tools and custom scripts, avoiding complex malware to minimize their footprint and blend in with legitimate network activity. 
Their activity often involves network reconnaissance, data collection, and maintaining persistent access within target environments, specifically targeting communication, energy, water, and other critical infrastructure sectors. Their tactics demonstrate a high degree of operational security and a deliberate effort to remain undetected for extended periods, making them a significant and persistent threat to global critical infrastructure. They are also known to use custom tools like 'KV-X' for network tunneling and data exfiltration.
Vault Panda is a highly sophisticated, state-sponsored threat actor assessed to be operating on behalf of the Ministry of State Security (MSS) of the People's Republic of China (PRC). Active since at least 2023, the group specializes in long-term espionage campaigns targeting critical infrastructure, defense contractors, technology firms, and government entities globally. Their operations are characterized by meticulous planning, extensive use of supply chain compromise and third-party exploitation, and the rapid exploitation of zero-day vulnerabilities in perimeter devices, particularly network appliances and firewalls. Vault Panda is adept at maintaining persistence through complex obfuscation, custom loaders, and the use of legitimate cloud services (e.g., AWS, Azure, GitHub) for C2 communication. Their primary objective is strategic intelligence gathering, focusing on intellectual property theft and sensitive data exfiltration to support China's economic and military modernization goals. They exhibit high operational security, frequently rotating infrastructure and utilizing custom, memory-resident implants to evade detection. They often leverage custom tunneling protocols and DNS tunneling to mask data exfiltration and C2 traffic. Vault Panda utilizes advanced techniques like process injection and credential dumping to move laterally and elevate privileges within target networks. They are known for their sophisticated initial access vectors, including spearphishing with malicious attachments or links, and exploitation of public-facing applications. They demonstrate a high level of adaptability, quickly integrating new exploits and TTPs into their operations. This group is strongly associated with activities attributed to groups like Volt Typhoon and UNC3886, focusing on pre-positioning access to critical infrastructure for potential disruptive or destructive cyberattacks in a crisis.
Turla, also known by various names such as Snake, Uroboros, Venomous Bear, Waterbug, KRYPTON, and Group 88, is a highly sophisticated Russian state-sponsored advanced persistent threat (APT) group. It is widely believed to be linked to the Russian Federal Security Service (FSB). Active since at least 2004, Turla is renowned for its advanced and stealthy operations, primarily focused on long-term intelligence collection campaigns. Their main objective is intelligence gathering from critical government entities, military organizations, diplomatic missions, research institutions, and defense contractors. They operate globally, with a particular focus on Europe, the Middle East, Asia, and North America. Turla is known for its complex and custom toolkits, including advanced malware like Snake/Uroboros, Epic/CAPTCOM, Carbon/Penquin, KopiLuwak, LightNeuron, and Kazuar. A hallmark of their operations is the use of sophisticated command and control (C2) infrastructure, which often leverages satellite-based communication to obscure their origin and maintain stealth, sometimes hijacking legitimate satellite internet connections. They prioritize operational security to ensure persistence and evade detection, employing anti-analysis techniques and custom encryption. Initial access is frequently achieved through spearphishing, watering hole attacks, and supply chain compromises, often exploiting publicly known vulnerabilities or employing sophisticated social engineering. Turla is adept at maintaining long-term access, sometimes for years, and has been observed compromising third-party networks to pivot to their ultimate targets, demonstrating a high level of strategic planning and technical capability. They also utilize legitimate software and administrative tools for living-off-the-land techniques. Their operations often involve meticulous reconnaissance and tailored attacks, making them one of the most persistent and challenging APT groups to detect and mitigate. 
They are known for adapting their tactics to target diverse operating systems including Windows, Linux, and macOS. Recent observations indicate a continued focus on exploiting publicly known vulnerabilities for initial access and maintaining stealthy persistence. They have also been observed leveraging compromised devices, including MikroTik routers, as part of their infrastructure. Turla has consistently demonstrated an ability to evolve its TTPs, incorporating new evasion techniques and targeting methods to maintain access to high-value targets.
TraderTraitor, also known as APT38 or BlueNoroff, is a highly sophisticated, financially motivated subgroup operating under the umbrella of the North Korean state-sponsored Lazarus Group (Hidden Cobra). Their primary mandate is generating illicit revenue for the DPRK regime, focusing almost exclusively on large-scale theft from global financial institutions, cryptocurrency exchanges, decentralized finance (DeFi) protocols, and banks. They are characterized by meticulous planning, prolonged dwell times (often months), and the use of custom toolsets designed for stealth and rapid fund movement. Initial access frequently leverages highly personalized spearphishing campaigns (often disguised as job offers, investment opportunities, or venture capital inquiries) targeting blockchain developers, security personnel, and high-value employees in financial organizations. They are particularly adept at manipulating SWIFT systems, exploiting vulnerabilities in cryptocurrency platforms, and conducting 'bank heists' by targeting payment systems and ATM infrastructure. Their operations prioritize maximum financial gain and operational security, often employing complex money laundering techniques through mixers and chain hopping. They are known for their patience and persistence in achieving their financial objectives, often using social engineering to establish trust before delivering malicious payloads. They conduct thorough reconnaissance and maintain strong operational security to avoid detection, frequently using supply chain compromises and watering hole attacks alongside spearphishing. Their operations are global, with a focus on regions with high financial activity. They exhibit a high degree of operational security, frequently changing infrastructure and employing anti-analysis techniques. 
They are known for their advanced social engineering tactics, often impersonating legitimate companies or individuals and building rapport with targets over weeks or months, sometimes through fake LinkedIn profiles or other social media, before delivering malicious documents or links; they meticulously research targets to craft highly convincing lures. Their post-compromise activities typically involve extensive network reconnaissance, privilege escalation, lateral movement, and data exfiltration before initiating financial transfers. They rely on custom malware families alongside legitimate tools to maintain persistence, move laterally, and exfiltrate data, using advanced obfuscation, anti-analysis, and anti-forensic capabilities to avoid detection, and often wiping systems to cover their tracks. They are highly adaptive, continuously evolving their tactics to bypass new security measures and exploit emerging technologies in the financial and cryptocurrency sectors. Recent campaigns have shown a focus on macOS systems in addition to Windows, and an increased use of open-source tools alongside their custom malware. They leverage supply chain attacks by compromising legitimate software or websites that their targets use, injecting malicious code to gain initial access. Once inside, they focus on understanding the target's financial systems, identifying critical assets, and locating the credentials necessary for fund transfers, and are known to use custom keyloggers and screen recorders to capture sensitive information. Their post-exploitation phase often involves living-off-the-land techniques and the deployment of custom backdoors for persistent access.
They are highly skilled in covering their tracks, often using secure deletion tools and system wiping to hinder forensic analysis. Their techniques often involve leveraging legitimate remote access software and custom tools for stealthy operations. Their evolving TTPs include the use of advanced cryptocurrency theft methods, including exploiting vulnerabilities in DeFi protocols and bridging services, and leveraging sophisticated money laundering techniques to obscure the origin and destination of stolen funds. Their operations are characterized by a strong emphasis on operational security, using VPNs, Tor, and frequently changing infrastructure to obscure their origins and activities. They are known for their use of custom remote access tools (RATs) and information stealers, often disguised as legitimate applications or documents. Their campaigns are highly targeted and demonstrate a deep understanding of financial transaction processes and blockchain technologies.
ShinyHunters is a highly prolific and financially motivated cybercriminal group active since early 2020, known for large-scale data theft, extortion, and subsequent monetization. They specialize in compromising public-facing applications and cloud services (e.g., AWS S3 buckets, Azure Blobs, GitHub repositories) to exfiltrate sensitive data, which they then sell on dark web marketplaces (e.g., RaidForums, BreachForums) or use for direct extortion. Their primary attack vectors involve exploiting misconfigured cloud services, leveraging stolen credentials acquired via infostealers, credential stuffing, or phishing, supply chain compromises, and exploiting vulnerabilities (e.g., SQL injection, API abuse, IDOR, RCE) in web applications. They are particularly adept at rapid exploitation of newly disclosed vulnerabilities (N-days) and zero-days, often using automated scanning tools. ShinyHunters often publicly announce breaches and post data samples to validate claims and pressure victims. Their operations are characterized by a high volume of successful breaches across various sectors, resulting in the compromise of hundreds of millions of user records, including PII, financial data, and proprietary source code, from numerous high-profile organizations globally. They demonstrate high technical proficiency in web application and cloud environment exploitation, often using publicly available tools and scripts, customized for specific targets, while maintaining strong operational security. They are highly opportunistic, scanning for vulnerable systems globally and exploiting them regardless of geographic location, focusing on organizations with valuable data. They are known for their brazen approach, sometimes interacting directly with victims or media. Their activities have led to significant financial and reputational damage for affected organizations. 
The group is believed to be composed of multiple individuals and has been linked to other prominent data breach actors and marketplaces, notably 'BreachForums' and its administrator 'pompompurin'. They have also been observed to leverage compromised accounts to pivot into internal networks or further compromise other services. The group's activities are primarily driven by financial gain, seeking to profit from the sale of stolen data or through direct extortion. They have also been known to utilize compromised infrastructure to host phishing pages or distribute malware. They are considered one of the most impactful data breach groups of the past few years.
Scattered Spider, also known by aliases such as UNC3944, Muddled Libra, Scatter Swine, and sometimes '0ktapus' or 'Storm-0875', is a highly sophisticated, English-speaking cybercriminal group. Predominantly composed of individuals reportedly based in Western countries, including the United States and the UK, and often described as a young demographic, the group is renowned for its exceptional social engineering capabilities. They primarily target organizations in the telecommunications, business process outsourcing (BPO), technology, and financial sectors, with a particular focus on identity and access management (IAM) providers and cloud service providers. Their initial access methods frequently involve advanced SMS phishing (smishing) campaigns, SIM swapping, and sophisticated help desk social engineering to bypass multi-factor authentication (MFA). Once initial access is gained, they prioritize privilege escalation, lateral movement, and data exfiltration, often leveraging legitimate tools and 'living-off-the-land' techniques to evade detection. A significant aspect of their operations involves partnering with or deploying ransomware families such as BlackCat/ALPHV and Hive, often after exfiltrating sensitive data for double extortion. Their operations are characterized by a high degree of adaptability, rapid execution, and a willingness to engage directly with victims or their employees. They are known for their aggressive and persistent tactics, often targeting high-value individuals within organizations to gain further access. They have also been observed using techniques like browser-in-the-browser phishing, exploiting zero-day vulnerabilities (e.g., against Okta), and leveraging stolen session cookies to bypass MFA. Their ultimate goal is financial gain, achieved through data exfiltration for extortion, ransomware deployment, or selling access to other threat actors.
They often use tools like Sliver, AnyDesk, and RDP for remote access and persistence. They are also known for using tools like GoLang-based backdoors, Mimikatz, and various custom scripts. They are known for their rapid response to defensive measures and their ability to quickly pivot tactics. They often use VoIP services for social engineering calls and abuse legitimate cloud infrastructure for command and control. They have demonstrated a unique ability to rapidly adapt their TTPs in response to defensive measures and public disclosures, often within hours or days. Their operations are primarily financially motivated, focusing on data theft for extortion and ransomware deployment. They have also been linked to attacks on critical infrastructure entities.
LockBit 3.0, also known as LockBit Black, is a highly active ransomware-as-a-service (RaaS) operation that emerged in mid-2022 as an evolution of previous LockBit versions. It offers enhanced encryption capabilities, new extortion tactics, and a bug bounty program. The group is known for its speed, efficiency, and widespread impact across various industries globally. LockBit 3.0 continues to operate under an affiliate model, providing its ransomware and infrastructure to partners who conduct the actual attacks, while the core developers handle the ransomware's development and infrastructure management. It is one of the most prolific ransomware groups currently operating.
Librarian Ghouls (also tracked as UNC2447, TunnelVision, Tunnel of Love, and with strong associations to Charming Kitten/APT35 due to overlapping TTPs and objectives) is a highly sophisticated Iranian state-aligned espionage group. They are strongly suspected to be affiliated with the Islamic Revolutionary Guard Corps (IRGC) and operate under strategic objectives to gather intelligence. Their primary focus is large-scale credential harvesting, data exfiltration, and maintaining persistent access against high-value targets globally. The group is highly proficient in 'living off the land' (LotL) techniques, leveraging legitimate commercial tools (e.g., TeamViewer, AnyDesk, commercial VPNs, VPS services) and native operating system utilities (PowerShell, WMI, RDP) to maintain stealth and avoid detection. Initial access frequently relies on exploiting critical vulnerabilities (e.g., Log4Shell, ProxyShell, Fortinet, VMware Horizon, Zoho ManageEngine, F5 BIG-IP) or sophisticated spearphishing campaigns targeting specific individuals for credential theft. Their operations are characterized by rapid deployment, extensive use of tunneling for C2 communications, and meticulous operational security (OpSec) to evade detection and attribution. They often deploy custom backdoors alongside publicly available tools to ensure redundancy and persistence. Their campaigns demonstrate a high level of technical expertise and adaptability, often quickly adopting new exploits for recently disclosed vulnerabilities. They are known for targeting government entities, defense contractors, critical infrastructure, academic institutions, and organizations involved in foreign policy or nuclear research. Their tactical approach often involves a multi-stage infection chain, moving from initial access to privilege escalation, lateral movement, and ultimately data exfiltration, frequently using cloud storage services for staging. 
They are also known for using bespoke backdoors like TunnelVision and Tunnel of Love, often delivered via complex infection chains involving PowerShell scripts and scheduled tasks. Their activities are consistent with Iranian national interests, particularly in intelligence collection against perceived adversaries. The group employs sophisticated social engineering tactics, including creating fake personas on social media platforms to establish trust and deliver malicious links or documents. They utilize various techniques for defense evasion, including disabling security tools and masquerading as legitimate processes. Persistence is often achieved through scheduled tasks and modification of boot/logon settings. Data exfiltration frequently leverages encrypted channels and cloud storage services to blend in with normal network traffic. They have shown a particular interest in organizations that could provide insights into Iranian dissidents, foreign policy, and nuclear programs. The group is highly adaptive, frequently updating their toolset and TTPs to bypass new security measures and exploit emerging vulnerabilities. They have also been observed using custom proxy tools and SSH tunnels for command and control.
Indrik Spider, also widely known as Evil Corp, and sometimes associated with TA505, is a highly sophisticated and prolific financially motivated cybercrime syndicate operating since at least 2007. Initially responsible for the Dridex banking Trojan, the group transitioned heavily into 'big game hunting' ransomware operations. They have utilized malware families like Dridex, WastedLocker, DoppelPaymer, and Hades/Grief, and have operated as an affiliate for LockBit. They frequently leverage initial access brokers or exploit zero-day/n-day vulnerabilities in widely used enterprise applications (e.g., MOVEit Transfer, GoAnywhere MFT, Citrix ADC/Gateway, Fortinet FortiClient SSL VPN, Microsoft Exchange) for initial access. Their primary objective is substantial financial gain through large-scale extortion, often targeting high-revenue enterprises for multi-million dollar ransoms. Operations are characterized by extensive internal reconnaissance, utilizing Living off the Land (LotL) tools like Cobalt Strike, PowerShell, RDP, and Mimikatz, and employing sophisticated evasion techniques. They frequently leverage sophisticated phishing campaigns (often using FakeUpdates/SocGholish loaders) for initial access, followed by rapid network compromise, data exfiltration (double extortion), and final encryption. They are known for maintaining a high operational security standard, often cycling through different ransomware payloads to evade tracking and sanctions. The group has been sanctioned by the U.S. Treasury Department, leading them to frequently rebrand their operations and ransomware variants to circumvent these measures. They are highly adaptive, quickly adopting new initial access vectors and ransomware payloads.
Their tactics often involve exploiting supply chain vulnerabilities and widely used software for broad reach, particularly targeting organizations in critical infrastructure, healthcare, finance, retail, manufacturing, and legal sectors globally. Their operations are global, with a notable focus on Western countries. Their continuous evolution and rebranding make them a persistent and dangerous threat in the cybercrime landscape. They are also known for using legitimate remote management tools like AnyDesk and TeamViewer for persistence and lateral movement.
Famous Chollima, also known as APT38, BlueNoroff, Stardust Chollima, or Labyrinth Chollima, is a highly specialized, state-sponsored North Korean threat actor primarily focused on large-scale financial theft and revenue generation for the Democratic People's Republic of Korea (DPRK) regime. Operating as a distinct sub-group of the broader Lazarus Group (APT37/Hidden Cobra), APT38 focuses almost exclusively on compromising global financial institutions, cryptocurrency exchanges, and decentralized finance (DeFi) platforms. Their operations are characterized by meticulous planning, deep understanding of SWIFT and financial transaction systems, high operational security, and the use of custom, often destructive, malware (like wipers) to cover tracks post-theft. They are responsible for some of the largest bank heists in history, including the attempted theft from the Central Bank of Bangladesh (2016), the theft from Banco de Chile (2018), and numerous cryptocurrency exchange breaches, such as those targeting Coincheck (2018), Bithumb (2018), Atomic Wallet (2023), and Alphapo (2023). Their primary objective is monetary gain, making them one of the most financially successful APTs globally. They often maintain long dwell times within victim networks (upwards of 6 months) before executing large-scale fraudulent transactions, often using sophisticated spearphishing campaigns targeting high-value employees. They are known for their patience and persistence, extensive reconnaissance, and leveraging supply chain compromises. They often use destructive malware to impede forensic analysis, custom malware for network reconnaissance, privilege escalation, and data exfiltration, followed by SWIFT-specific tools. They are highly adaptive, constantly evolving their tools and techniques, and utilize social engineering tactics (e.g., fake job offers, impersonating venture capitalists) to deliver malware. 
They exploit vulnerabilities in financial software and systems, use remote access tools for persistence, and employ cryptocurrency mixers and chain hopping to launder stolen funds. They are also known for their use of legitimate software and living-off-the-land binaries (LOLBins) to evade detection. APT38 is characterized by its unique blend of traditional APT capabilities with a strong focus on financial fraud, often employing social engineering, watering hole attacks, and supply chain compromises for initial access. They demonstrate a sophisticated understanding of financial network architectures and transaction processes. Their operations often involve extensive reconnaissance, credential theft, lateral movement, and the deployment of custom tools for manipulating financial systems and exfiltrating funds. They leverage sophisticated social engineering, often impersonating recruiters or venture capitalists, to deliver malware via spearphishing attachments or malicious links. They are known for using a variety of custom tools and publicly available utilities, often masquerading as legitimate software updates or financial applications. They are highly adept at operational security, using encrypted communications, virtual private networks (VPNs), and frequently changing their infrastructure to avoid detection and attribution. They are considered one of the most sophisticated and persistent financial threat actors globally.
Genesis Panda is a highly sophisticated, state-sponsored threat actor (APT) widely attributed to the People's Republic of China (PRC). This group operates with strategic objectives focused primarily on economic espionage, intellectual property theft, and maintaining persistent, covert access to critical infrastructure networks globally (especially telecommunications, energy, defense, and technology). They are characterized by high operational security, frequent use of custom, modular malware frameworks (often employing multi-stage loaders and fileless execution), and rapid exploitation of newly disclosed vulnerabilities, including zero-days. Genesis Panda frequently targets supply chain components and Managed Service Providers (MSPs) to achieve broad victim access and bypass traditional perimeter defenses. Their TTPs often show overlaps with groups like APT41 and UNC4841, suggesting shared resources, tasking, or development infrastructure within the Chinese state apparatus. Their primary goal is pre-positioning access for future disruptive or intelligence-gathering operations. They are known for utilizing sophisticated techniques like DLL side-loading and kernel-level rootkits for persistence and evasion. They also leverage spearphishing with malicious attachments or links, watering hole attacks, and exploitation of public-facing applications for initial access.
Wizard Spider, also known as UNC1878, Gold Ulrick, and the Conti syndicate, is a highly sophisticated, financially motivated cybercrime organization primarily based in Russia and Eastern Europe. They pioneered 'Big Game Hunting' ransomware operations, initially leveraging banking trojans like TrickBot and IcedID, and loaders such as BazarLoader for initial access. Their core operations involved the development and deployment of Ryuk, Conti, and later, specialized tools like Anchor and BazaCall. Their TTPs are characterized by rapid network infiltration, extensive use of Living off the Land Binaries (LoLBas) like PowerShell, PsExec, and Cobalt Strike for lateral movement, and the implementation of double and triple extortion tactics (encryption, data theft, and DDoS). Following the public leak and subsequent dissolution of the core Conti operation in 2022, the skilled operators and leadership fragmented into several high-profile successor groups, including BlackBasta, Royal, Quantum, and Karakurt, maintaining a high operational tempo and continuing to target critical infrastructure and large enterprises globally. They are known for their highly organized structure, including dedicated teams for initial access, negotiation, and data exfiltration, often operating with a corporate-like hierarchy. Their operations are often characterized by a high degree of automation combined with manual intrusion techniques, allowing them to adapt quickly to network defenses. They are also known for maintaining sophisticated infrastructure and using highly obfuscated malware to evade detection. Their operations often begin with phishing or exploitation of public-facing applications, followed by extensive reconnaissance and privilege escalation. They are particularly adept at exploiting vulnerabilities in remote access services and supply chain weaknesses, and have been observed exploiting common vulnerabilities and exposures (CVEs) in VPNs, firewalls, and other perimeter devices. 
They are notorious for their aggressive negotiation tactics and their ability to quickly monetize stolen data and encrypted systems. Their objectives are purely financial, aiming for maximum profit through ransomware deployment, data exfiltration, and extortion. They often target organizations with cyber insurance policies to maximize payouts. They have demonstrated a high level of adaptability, quickly shifting their tactics and tools in response to law enforcement actions and public disclosures, often rebranding or forming new alliances to continue their operations. Their successor groups continue to evolve their TTPs, incorporating new evasion techniques and targeting methods, underscoring the enduring threat posed by the former Wizard Spider ecosystem. They have also been linked to the development and use of the TrickBot botnet for credential harvesting and initial access. They are recognized for their sophisticated supply chain attacks and their ability to quickly weaponize newly disclosed vulnerabilities. They have also been known to use social engineering techniques like BazaCall for initial access and are adept at disabling security software. Their impact has been global, causing significant disruption and financial losses across various critical sectors. The group's evolution showcases a modular and resilient cybercrime enterprise, adapting to pressure by decentralizing and diversifying its operations and malware arsenal. They are highly skilled in post-exploitation activities, leveraging tools like Mimikatz for credential dumping and BloodHound for Active Directory reconnaissance. They frequently use legitimate remote access tools such as AnyDesk or TeamViewer for persistent access and Cobalt Strike beacons for command and control. They utilize various persistence mechanisms, including scheduled tasks and registry modifications, and often attempt to disable security software to avoid detection.
Their initial access often involves spearphishing attachments or links, as well as exploiting public-facing applications. They are also known for exploiting vulnerabilities in remote access services and supply chain weaknesses. They have been observed using tools like AdFind for Active Directory enumeration, BloodHound for domain trust mapping, and various custom scripts for data exfiltration and ransomware deployment. The group's financial motivation drives them to continuously innovate their attack chains and extortion methods.
LockBit is a prolific Ransomware-as-a-Service (RaaS) operation that emerged in September 2019. It is known for its high-speed encryption, use of double extortion, and recruitment of affiliates globally. The group has continuously evolved, releasing LockBit 2.0 and LockBit 3.0 (also known as LockBit Black), which introduced new features like a bug bounty program and enhanced evasion techniques. LockBit was, until its disruption, one of the most active ransomware groups globally.
Chimera, also known as UNC2447, is a highly sophisticated Chinese state-sponsored threat group. While sometimes linked to APT41 (Winnti Group) due to operational overlaps and shared targeting, it is often tracked as a distinct entity. Their primary objective is extensive cyber espionage, focusing on intellectual property theft, sensitive manufacturing processes, chip designs, strategic business information, and government secrets. They are particularly notorious for targeting the semiconductor industry in Taiwan and other high-tech sectors globally, including manufacturing, telecommunications, defense, and managed service providers (MSPs). Chimera employs a range of custom and publicly available tools, consistently adapting their techniques to evade detection. Their operations are characterized by meticulous planning, persistent access, sophisticated lateral movement, and a focus on long-term data exfiltration. They frequently leverage supply chain compromises, especially through MSPs, to gain initial access and maintain persistence. Initial access vectors often include exploiting vulnerabilities in network devices (e.g., VPNs, firewalls), web applications, and spear-phishing with malicious attachments or links. Their TTPs indicate a high level of operational security and a deep understanding of target networks, often blurring the lines between espionage and financially motivated cybercrime through the use of ransomware or extortion tactics to monetize access or data. They are known for their ability to maintain long-term persistence within compromised networks, sometimes for years, while systematically exfiltrating valuable data. Chimera's operations have been observed to align with China's strategic economic and military objectives, particularly in acquiring advanced technological capabilities. 
They are known for their use of legitimate tools for malicious purposes (living off the land) and sophisticated evasion techniques, including the use of encrypted channels and process injection to hide their activities. They are also known for credential dumping and lateral movement using remote services. Recent analysis suggests a close operational overlap and potential resource sharing with other Chinese state-sponsored groups, indicating a highly coordinated and persistent threat. They have demonstrated capabilities in targeting both Windows and Linux environments, adapting their toolset accordingly. Their objectives are primarily economic espionage and strategic intelligence gathering to support China's long-term technological and military ambitions. They are known for their adeptness at exploiting zero-day vulnerabilities and supply chain weaknesses, often maintaining multiple backdoors to ensure continued access. They have been observed using a wide array of custom tools for reconnaissance, backdoor deployment, and data exfiltration, alongside commercial off-the-shelf software. They have also been observed using techniques like web shell deployment and scheduled tasks for persistence and command and control.
Lotus Panda, also known as APT41, Winnti, Wicked Panda, Barium, and Blackfly, is a highly sophisticated, state-sponsored threat actor operating out of China. Active since at least 2012, this group is unique for its dual operational focus: conducting traditional cyber espionage targeting intellectual property, government secrets, and critical infrastructure, while simultaneously engaging in financially motivated cybercrime, primarily targeting the gaming industry. They leverage shared infrastructure and tools across both types of operations. Their primary objectives include supporting Chinese strategic interests through espionage, generating revenue, and conducting widespread supply chain attacks. They frequently exploit zero-day vulnerabilities (e.g., those affecting VPNs, web servers, and network edge devices like Cisco, Fortinet, Citrix, Pulse Secure, and VMware) and extensive spear-phishing campaigns. They are known for their ability to quickly pivot between targets, utilize complex multi-stage infection chains, and employ custom loaders, sophisticated rootkits, and custom web shells. They frequently exploit public-facing applications (e.g., SQL injection, deserialization vulnerabilities), use living-off-the-land binaries (LOLBins), and legitimate services for Command and Control (C2) to evade detection. Their operations demonstrate a high level of technical sophistication, resourcefulness, and adaptability, making them one of the most prolific and impactful Chinese state-sponsored groups. They often use compromised legitimate websites for C2, and are known for their persistence and ability to blend in with normal network traffic. Their toolkit is extensive, including a wide array of custom malware, open-source tools, well-known backdoors, and commercial offensive security tools like Cobalt Strike.
They have expanded their targeting to include healthcare and pharmaceutical sectors, particularly during global health crises, and continue to evolve their evasion techniques. They are known for their rapid exploitation of newly disclosed vulnerabilities and their ability to maintain long-term access to compromised networks. Their exfiltration methods often involve compressing data and sending it over C2 channels or web services. They use custom packers and obfuscators to evade detection and regularly update their toolset. Their unique blend of state-sponsored espionage and financially motivated cybercrime makes them a significant and adaptable threat across various sectors globally. They use digitally signed malware, DLL side-loading, scheduled tasks, and registry run keys for persistence. Initial access often involves exploiting public-facing applications, spearphishing, or supply chain compromises. They are adept at privilege escalation, lateral movement via stolen credentials or legitimate remote services, and data collection prior to exfiltration. They are highly adaptive, frequently updating their tools and tactics to bypass new security measures and exploit emerging vulnerabilities, maintaining a high operational tempo. They are also known for their sophisticated supply chain compromises, particularly targeting software vendors and their update mechanisms. They often leverage SQL injection for initial access and use various custom backdoors like Winnti, PlugX, and ShadowPad. Their operations are characterized by a high volume of activity and a willingness to reuse infrastructure and tools across both espionage and financially motivated campaigns. They employ credential dumping, process injection, masquerading, and frequently use encrypted channels for C2 communications. They are known for leveraging cloud services for C2 and data exfiltration, and for their use of various obfuscation techniques to hide their malicious code and network traffic. 
Their campaigns often involve multiple stages, starting with initial compromise and leading to extensive reconnaissance, privilege escalation, lateral movement, and data exfiltration, sometimes maintaining persistence for years within target networks. They have also been observed using techniques like web shell deployment for persistent access and utilizing tools such as Mimikatz for credential harvesting and BloodHound for network reconnaissance. Their C2 infrastructure often includes fast flux DNS and domain fronting to obscure their true origins. They are known for their ability to quickly adapt to new security measures and exploit emerging vulnerabilities, making them a persistent and evolving threat. They often use tools like China Chopper, Behinder, and AntSword for web shell management, and various custom backdoors like Crosswalk, MessageTap, and GhostEngine. They are also known for using tools like Earthworm and Chisel for tunneling, and the ScanBox reconnaissance framework. They have demonstrated capabilities in leveraging zero-day exploits for initial access and maintaining long-term persistence within targeted environments.
Stardust Chollima, also tracked as APT38, Bluenoroff, and BeagleBoyz, is the highly specialized, state-sponsored financial arm of the broader Lazarus Group of the Democratic People's Republic of Korea (DPRK). Their primary strategic objective is generating significant illicit revenue for the North Korean regime, primarily through large-scale, audacious theft operations targeting global financial institutions, cryptocurrency exchanges, decentralized finance (DeFi) platforms, and ATM networks (e.g., FastCash campaigns). APT38 operations are characterized by meticulous planning, leveraging sophisticated social engineering tailored for financial professionals, long dwell times (often months) before the execution of the financial transfer (e.g., SWIFT transfers), and the deployment of custom, destructive malware (such as wiper tools like Destover, Duuzer, and WannaCry components) post-theft to destroy forensic evidence and systems. They prioritize operational security (OPSEC) and utilize highly obfuscated and frequently rotated infrastructure, often employing virtual private servers (VPS), compromised legitimate websites, and cloud services for command and control (C2). They are known for their patience, persistence, and ability to adapt their tactics to bypass advanced security measures, often exploiting supply chain vulnerabilities or weak points in financial transaction systems. Their campaigns often involve initial access through spearphishing, followed by extensive network reconnaissance, privilege escalation, lateral movement, and ultimately, the manipulation of financial systems to initiate fraudulent transactions. They frequently use custom tools for network reconnaissance, system manipulation, and data exfiltration, often employing unique file names and directory structures to evade detection. They are highly adept at covering their tracks and often use cryptocurrency mixers to launder stolen funds.
They are also known for their use of custom tools like 'Jangal' for network reconnaissance and 'PowerRatankba' for persistence and C2. Their operations often involve a distinct separation of duties, with a dedicated team for network intrusion and another for financial operations, enhancing their overall security and effectiveness. They also leverage techniques like watering hole attacks for initial compromise and maintain persistence through various means. Recent activities indicate a continued focus on cryptocurrency theft and exploitation of DeFi protocols. APT38 is distinguished by its focus purely on financial gain rather than espionage or disruption, exhibiting a high level of sophistication in both their technical execution and financial fraud schemes.
Qilin has emerged as a top-tier ransomware group with a Rust-based variant (Qilin.B) designed to hinder analysis. The group topped December 2025 ransomware attack listings with approximately 900 incidents. They aggressively target virtualization platforms including Linux ESXi and Nutanix AHV.
Ransomware group discovered from victim leak site data. 16 known victims across 1 sector and 5 countries.
Morpheus is a hypothetical ransomware group created for this exercise. As a highly sophisticated operation, it is designed to mimic the characteristics of top-tier Ransomware-as-a-Service (RaaS) groups, focusing on supply chain attacks and zero-day exploitation.
LockBit is a prolific ransomware-as-a-service (RaaS) operation that emerged in September 2019. It quickly rose to become one of the most active and impactful ransomware groups globally, known for its speed, efficiency, and widespread affiliate program. The group has undergone several iterations, with LockBit 3.0 (also known as LockBit Black) being a significant evolution, introducing new features like a bug bounty program and Zcash payments. LockBit5 refers to the LockBit 3.0 variant and its ongoing operations, which continued to be highly active until a major law enforcement disruption in February 2024.
LockBit 2.0 is a highly active ransomware-as-a-service (RaaS) operation that emerged in mid-2021 as an evolution of the original LockBit ransomware. It is known for its speed, automated encryption processes, and aggressive double extortion tactics. The group operates an affiliate program, providing its ransomware and infrastructure to partners who conduct the attacks. LockBit 2.0 is characterized by its use of self-propagating capabilities and a sophisticated data leak site.
Conti was a highly prolific and sophisticated Ransomware-as-a-Service (RaaS) operation that emerged in 2020. It was known for its aggressive tactics, double extortion model, and the use of a private, closed affiliate program. The group was linked to the Russian-speaking cybercrime syndicate Wizard Spider, which is also responsible for TrickBot and Ryuk. Conti's operations were severely disrupted following the leak of internal chats and source code in early 2022, though elements of its former affiliates and operators have since transitioned to new ransomware variants and groups.
XDSpy, also known as UNC2600, is a highly sophisticated and elusive cyber-espionage group active since at least 2011, with some reports suggesting activity as early as 2009. The group specializes in highly targeted operations against government entities, diplomatic missions, military contractors, and private companies involved in defense, foreign affairs, and energy sectors. Their primary objective is persistent access for the theft of politically, militarily, or economically sensitive documents, primarily focusing on strategic intelligence gathering. Operations are characterized by extreme stealth, utilization of custom, modular malware (such as the XDDownloader/XDRecon suite), and heavy reliance on living-off-the-land binaries (LOLBAS) and legitimate software (like TeamViewer, PowerShell, and legitimate administrative tools) to blend into network traffic. XDSpy maintains a distinct set of customized tools and infrastructure and prioritizes long-term, low-and-slow data exfiltration, often maintaining access for years. Initial access often involves spearphishing with malicious attachments or links, sometimes leveraging compromised legitimate websites for watering hole attacks or supply chain compromise. They demonstrate a high degree of operational security, often cleaning up traces of their activity and using encrypted communications. Their TTPs show overlaps with other Russian-aligned groups, suggesting a strong link to Russian state interests. They are known for their meticulous targeting and ability to adapt their tools and methods to bypass defenses, including multi-factor authentication. Persistence is often achieved through scheduled tasks and registry modifications, and they employ techniques to disable security software. XDSpy often uses compromised legitimate infrastructure for command and control, including cloud services and legitimate websites, to further evade detection. 
They are known for their patient and methodical approach, often conducting extensive reconnaissance before launching attacks. They have been observed using sophisticated anti-analysis techniques and custom packers to protect their malware. Their operations often involve extensive victim profiling and reconnaissance to tailor their initial access vectors and post-compromise activities. They are particularly adept at evading detection by leveraging trusted processes and minimizing their footprint.
SideWinder, also known as Outrider Tiger, T-APT-04, or APT-C-17, is a highly sophisticated, state-sponsored advanced persistent threat (APT) group strongly attributed to India. The group has been operating since at least 2012, and its primary objective is cyber espionage and intelligence gathering, focusing on strategic military, diplomatic, and critical infrastructure targets. They intensely target entities related to defense, government, telecommunications, and energy in South Asia and Southeast Asia, including Pakistan, China, Nepal, Afghanistan, and other neighboring countries. SideWinder is notorious for rapidly evolving TTPs, utilizing complex multi-stage infection chains initiated via highly tailored spear-phishing emails, often leveraging RTF/OLE exploits (e.g., CVE-2017-11882, CVE-2018-0802, CVE-2021-40444, CVE-2022-30190, CVE-2023-38831) or watering holes. They frequently leverage legitimate cloud services (e.g., Google Drive, Dropbox, GitHub, Telegram, Pastebin, OneDrive, YouTube) for resilient Command and Control (C2) and data exfiltration, often embedding C2 information within seemingly innocuous files or social media posts. SideWinder is quick to exploit N-day and 1-day vulnerabilities, employing sophisticated, modular malware designed for persistent access, extensive reconnaissance, and data collection. They utilize complex obfuscation, anti-analysis techniques (e.g., anti-VM, anti-debugging), and fileless execution methods, often relying on PowerShell, .NET assemblies, and custom loaders, sometimes masquerading as legitimate software updates or security tools. The group has shown a preference for targeting Android devices in recent campaigns alongside traditional Windows targets, deploying custom Android malware families. Their operations are characterized by a high degree of operational security, rapid adaptation to defensive measures, and a focus on long-term intelligence collection, often maintaining persistence for extended periods to maximize data exfiltration.
They have also been observed using custom tools for credential dumping, keylogging, and screen capture. Their custom malware often includes backdoors, info-stealers, and downloaders, with a focus on stealth and persistence.
SideWinder, also widely known as Hazy Tiger (and aliases such as Hardcore Group, Rattlesnake, T-APT17, APT-C-01), is a highly sophisticated, state-sponsored advanced persistent threat (APT) group strongly linked to Indian intelligence services, particularly the Research and Analysis Wing (RAW). The group has been active since at least 2012; its primary objective is long-term strategic cyber espionage and intelligence collection, focusing on sensitive information from government, military, and critical infrastructure entities. They specialize in low-volume, high-precision targeting, leveraging extensive social engineering via spear-phishing campaigns. These campaigns often utilize weaponized documents (RTF/DOCX) containing exploits (such as CVE-2017-11882, CVE-2021-40444, CVE-2022-30190, CVE-2023-38831, CVE-2024-21413) to drop custom loaders. SideWinder frequently utilizes legitimate cloud services (Google Drive, Dropbox, GitHub, OneDrive, AWS, SharePoint) and compromised web servers for Command and Control (C2) infrastructure and data exfiltration, ensuring a low profile. Their toolset is modular, designed for stealth, persistence, and complex data staging, often relying on custom .NET or PowerShell scripts. They are known for rapid adaptation of new exploits and C2 methods, focusing heavily on mobile platforms (Android) in recent years, deploying sophisticated mobile malware to target individuals via SMS and messaging apps. Their operations demonstrate a high level of technical sophistication and a clear mandate for intelligence collection. They are also known for using custom obfuscation techniques and anti-analysis features in their malware, including anti-VM and anti-debugging checks, and frequently employ DLL side-loading. They show a consistent pattern of evolving their toolset and infrastructure to evade detection, often using multiple stages of infection, and have been observed using DNS tunneling for C2 communication.
They have a history of using custom downloaders and backdoors, often named after animals or mythological creatures, to maintain persistence and exfiltrate data. They are known for their operational security and ability to quickly adapt their infrastructure and TTPs to avoid detection.
Glacial Panda, also known as APT40, Leviathan, TEMP.Periscope, or BRONZE MOHAWK, is a highly sophisticated, state-sponsored cyber espionage group believed to operate on behalf of the Chinese Ministry of State Security (MSS), specifically the Hainan State Security Department. Their primary objectives include long-term strategic intelligence gathering, intellectual property theft, and acquiring sensitive data related to military, political, and economic interests, particularly focusing on technology critical to China's 'Made in China 2025' initiative and Belt and Road Initiative (BRI) projects. They are known for their high operational security, frequent use of spear-phishing campaigns, supply chain compromise, and the rapid development and deployment of custom malware and implants. They frequently exploit public-facing infrastructure (VPNs, email servers, web applications) and leverage living-off-the-land techniques (LOLBAS) and legitimate remote access tools for persistence. APT40 is characterized by its adaptability, quickly shifting infrastructure and employing diverse toolsets to evade detection. The group has been active since at least 2013, demonstrating a clear focus on geopolitical advantage, especially targeting maritime technologies and nations involved in South China Sea disputes. They have also been observed using watering hole attacks and exploiting zero-day and N-day vulnerabilities. Their operations often involve extensive reconnaissance, initial access through social engineering or exploitation, followed by lateral movement, privilege escalation, and data exfiltration. They are known for maintaining long-term access to compromised networks, often using custom backdoors and web shells for persistent access. Their tactical evolution includes the use of sophisticated evasion techniques and a modular approach to malware deployment, often leveraging legitimate cloud services for C2 and data staging. 
They are adept at blending into network traffic and using encrypted communications. They have shown a particular interest in maritime industries, naval defense, and critical infrastructure, often targeting organizations in Southeast Asia, Europe, and the United States. Their TTPs include extensive use of custom loaders, backdoors, and credential harvesting tools. They have also been known to register look-alike domains for phishing and use compromised legitimate websites for watering hole attacks. Recent activity suggests continued focus on maritime and defense sectors, with an emphasis on exploiting known vulnerabilities in network devices and email servers. They are known for their patience and ability to remain undetected within target networks for extended periods. They have also been observed using SQL injection and exploiting vulnerabilities in web applications for initial access. Their campaigns often involve a multi-stage approach, starting with initial compromise, establishing persistence, internal reconnaissance, credential theft, lateral movement, and ultimately data exfiltration. They are highly adaptive and continuously evolve their toolsets and methods to bypass detection.
0mega is a ransomware-as-a-service (RaaS) operation that emerged in May 2022. It targets organizations across various sectors, encrypting their data and exfiltrating it for double extortion. The group is known for its aggressive negotiation tactics and has been observed to demand high ransom payments.
Partisan Jackal is assessed to be a highly active, politically motivated entity operating as a State-Sponsored Hacktivism (SSH) front, closely aligned with Iranian state interests, specifically elements within the Islamic Revolutionary Guard Corps (IRGC). They function as a deniable layer for more established Iranian APT groups (such as APT35/Charming Kitten, APT33/Shamoon, or MuddyWater/APT39 surrogates) to conduct disruptive operations and influence campaigns. This group specializes in rapid, high-impact campaigns, often leveraging geopolitical events for timing. Their primary objectives are political messaging, intimidation, data destruction/leakage (doxing), and undermining perceived adversaries. TTPs include Distributed Denial of Service (DDoS) attacks, website defacement, SQL injection for data theft, and the deployment of destructive payloads (wiper or pseudo-ransomware functionality). They rely heavily on a mix of publicly available tools, open-source penetration testing utilities (e.g., SQLmap, Metasploit modules), and custom Python/PowerShell scripts focused on achieving immediate political or strategic goals rather than long-term espionage. They utilize compromised legitimate infrastructure, VPNs, and anonymizing services (e.g., Tor) to obfuscate origin and maintain deniability. Their operations often coincide with geopolitical tensions involving Iran, aiming to amplify state narratives and exert pressure on adversaries. They are known for their opportunistic targeting and quick operational turnaround, frequently exploiting recently disclosed vulnerabilities. Their activities are characterized by a blend of hacktivist-style disruption and state-sponsored strategic objectives, making attribution complex but pointing strongly to Iranian state backing. They frequently use social media and messaging platforms to amplify their messages and coordinate attacks. 
Their operations are often characterized by a quick burst of activity followed by periods of dormancy, making them difficult to track consistently. They are adept at social engineering to gain initial access and often leverage supply chain compromises or vulnerable internet-facing applications. Their actions serve as a psychological warfare component of Iran's broader cyber strategy. They often target organizations that are critical of the Iranian regime or have ties to perceived adversaries, aiming to cause reputational damage, financial disruption, or data loss. Their operations are designed for maximum public impact and often involve data leaks published on dedicated Telegram channels or hacktivist forums. They have demonstrated capabilities in web application exploitation, credential harvesting, and leveraging compromised accounts for further access and data exfiltration. Their campaigns are typically short-lived but impactful, aiming for maximum media attention and disruption.
Monti is a ransomware group that emerged in June 2022, primarily known for being a 'copycat' or 'rebrand' of the Conti ransomware. They utilize leaked Conti source code and tools, often making minimal modifications to their ransomware payload and operational tactics. Monti typically engages in double extortion, encrypting data and exfiltrating it for public release if the ransom is not paid. Their operations have targeted a wide range of industries globally.
Mustang Panda (also tracked as Bronze President, RedDelta, TA416, Earth Preta, LuminousMoth, and TEMP.HEX) is a highly active, state-sponsored cyber espionage group operating out of China since at least 2012. The group's primary objective is political intelligence gathering to support the strategic interests of the People's Republic of China, including geopolitical insights, economic intelligence, and information on dissidents or groups perceived as threats to the Chinese government. They frequently leverage sophisticated spear-phishing campaigns that utilize current events (e.g., COVID-19, regional conflicts, political summits, Ukraine war, ASEAN topics, human rights issues) as lures. Their initial access typically involves malicious documents (often RTF, LNK, ISO, VHD, or ZIP/RAR files containing executables) designed to drop custom malware loaders and backdoors. Mustang Panda is known for rapid adaptation of TTPs, maintaining persistence within high-value targets, and consistently targeting entities involved in China's geopolitical interests, particularly those related to the Belt and Road Initiative (BRI), the South China Sea disputes, and entities critical of the Chinese government. They frequently use cloud storage services (like Dropbox, OneDrive, Google Drive, Box) for C2 and data exfiltration, demonstrating a preference for living-off-the-land techniques (LotL) to evade detection. Recent campaigns have shown a shift towards using compromised legitimate websites for C2 infrastructure, often employing DLL side-loading for execution to bypass security controls. Their operations are characterized by high operational tempo and wide geographic scope, targeting government entities, think tanks, NGOs, academic institutions, and telecommunications firms. 
They are adept at using publicly available tools and custom malware, often chaining multiple stages of infection, and have shown a consistent ability to evolve their toolset and delivery mechanisms to bypass detection, often leveraging supply chain compromises or legitimate software vulnerabilities. They also commonly use legitimate remote access tools like TeamViewer and AnyDesk for post-exploitation. They have shown a particular interest in Southeast Asian nations, Europe, and Australia, often targeting foreign ministries and diplomatic missions.
MuddyWater (also known by various names including APT39, Static Kitten, Seedworm, Boggy Koto, YellowFoxtrot, Mercury, and TA450) is a highly active Iranian state-sponsored advanced persistent threat (APT) group. It is widely believed to operate under the direction of the Iranian Ministry of Intelligence and Security (MOIS). The group's primary objectives are espionage, intelligence gathering, and intellectual property theft, aligning directly with Iranian national interests. They predominantly target government entities, telecommunications, energy, oil and gas, defense, financial services, and critical infrastructure. Their operations span across the Middle East, Europe, North America, and Central/South Asia. MuddyWater is characterized by its adaptability, frequently changing its toolset, infrastructure, and obfuscation techniques to evade detection. Their operations involve sophisticated social engineering tactics, often utilizing spearphishing with malicious documents (leveraging macros or exploiting vulnerabilities like CVE-2017-11882, CVE-2017-0199, CVE-2020-0968, CVE-2020-1350, CVE-2021-26411, and more recent N-day vulnerabilities) for initial access. They make extensive use of legitimate tools (Living Off The Land binaries - LOLBins) such as PowerShell, WinRAR, TeamViewer, AnyDesk, Ngrok, RemoteUtilities, ScreenConnect, and other remote administration tools to maintain persistence, move laterally, and evade detection. Their campaigns often involve multi-stage infections, deploying custom backdoors and remote access tools like PowGoop, Mori, MuddyC2Go, Venomdog, Cloudfucker, Syncro, and PhonyPony. They have also been observed using open-source tools like LaZagne, Mimikatz, BloodHound, and various custom loaders and downloaders. MuddyWater demonstrates a high operational tempo and a focus on long-term access, frequently leveraging compromised infrastructure to host C2 servers and stage subsequent attacks. 
They have shown a willingness to adapt their TTPs, including the use of novel initial access vectors (e.g., exploiting VPN vulnerabilities, leveraging compromised accounts) and custom malware variants, to maintain effectiveness against evolving defenses. They are known for their use of various scripting languages like PowerShell, Python, and JavaScript for their operations and frequently use compromised legitimate websites for command and control (C2) infrastructure. They have also been observed using DNS tunneling for C2 communications and employing various obfuscation techniques for their scripts and payloads.
Velvet Chollima, also known as Kimsuky, Thallium, Black Banshee, and APT43, is a highly active North Korean state-sponsored threat actor primarily focused on intelligence gathering and cyber espionage. Their operations are tightly aligned with the DPRK's strategic intelligence requirements, focusing on political, military, economic, and nuclear data relevant to foreign policy, national security, and sanctions evasion. They are notorious for sophisticated, persistent social engineering campaigns, often impersonating journalists, academics, security researchers, or individuals from legitimate organizations to establish long-term relationships before delivering malware. They frequently leverage compromised legitimate infrastructure and cloud services (e.g., Google Drive, Telegram, Dropbox, Naver, Daum, KakaoTalk, OneDrive, SharePoint, Blogspot, Tistory, Google Forms, Google Sites, Zoho, WordPress, ProtonMail, Tutanota, GitHub, GitLab, Notion, Slack, YouTube, Discord) for initial access, command and control (C2), and data exfiltration, making detection challenging. Their primary objective is espionage, often targeting defectors, experts, and entities involved in North Korean affairs, particularly those with insights into nuclear proliferation, sanctions, and human rights. They are known for rapidly adopting new techniques, maintaining high operational security, and utilizing custom toolsets. They specialize in spearphishing and watering hole attacks, frequently utilizing malicious LNK files, macro-enabled documents, malvertising, and compromised websites to gain initial access. They are also known for using supply chain attacks, exploiting software vulnerabilities, and deploying custom backdoors. They have been observed using social media platforms for reconnaissance and victim profiling, and creating fake personas to build rapport with targets.
Their operations demonstrate a high degree of adaptability and persistence, constantly evolving their TTPs to evade detection and achieve their intelligence objectives. While primarily espionage-focused, they have also been linked to the use of AppleJeus malware for cryptocurrency theft, suggesting potential for revenue generation alongside intelligence objectives. They are known for their meticulous reconnaissance and long-term engagement with targets, often spanning months or even years. Recent campaigns have shown an increased focus on macOS users and the use of sophisticated phishing kits for credential harvesting, particularly targeting email and cloud service credentials. They often employ custom malware families alongside publicly available tools like PowerShell Empire, Mimikatz, and legitimate remote access tools. Their TTPs include extensive use of spearphishing attachments, often disguised as legitimate documents, and malicious links. They are adept at using living-off-the-land binaries (LOLBins) and scripting for execution and persistence. They often use scheduled tasks for persistence and obfuscate their code to evade detection. Data exfiltration often occurs over C2 channels or legitimate cloud services. They have also been observed using custom browser extensions for data theft and credential harvesting. They also leverage various scripting languages like PowerShell, VBScript, and JavaScript for execution and utilize DLL side-loading for stealth and persistence. Their operational tempo remains high, constantly refining their social engineering lures and technical capabilities to bypass security measures and compromise high-value targets. They are known for actively targeting cybersecurity researchers and organizations. They also engage in extensive open-source intelligence gathering to inform their targeting and social engineering efforts. 
Their infrastructure often includes proxy chains and VPNs to obscure their origin, and they frequently register domains mimicking legitimate organizations or news sites for phishing campaigns. Their objectives extend to gathering intelligence on South Korean foreign policy, defense, and national security matters, as well as insights into international sanctions against North Korea. They are also known for using legitimate remote administration tools like AnyDesk and TeamViewer for remote access and control, and for leveraging compromised web servers as C2 infrastructure. Kimsuky is also known for using custom keyloggers and screenshotting tools, and for leveraging compromised websites for watering hole attacks, often injecting malicious JavaScript. They show a clear preference for targeting individuals with access to sensitive information related to North Korean affairs, employing highly personalized spearphishing campaigns. They frequently use custom backdoors such as GoldDragon, BabyShark, and KGH_SPY, and have developed sophisticated infection chains involving multi-stage loaders and encrypted communications. Their campaigns often involve extensive social engineering to build trust with targets over prolonged periods, sometimes months, before delivering malware.
They are known for their rapid adaptation of new techniques and infrastructure to evade detection, including the use of cloud services and legitimate applications for C2 and data exfiltration, and they constantly evolve their TTPs to bypass security measures and achieve their intelligence objectives.
A North Korean group operating under the Reconnaissance General Bureau (RGB), responsible for the Sony hack, WannaCry, and major cryptocurrency thefts.
APT35 (Charming Kitten) is an Iranian state-linked APT active since 2011, operating under the IRGC. Known for sophisticated phishing, credential theft, and influence operations targeting journalists, activists, and government officials.
APT34 (OilRig) is an Iranian state-sponsored threat group operating under MOIS (Ministry of Intelligence and Security). The group conducts strategic espionage and sabotage operations, sharing TTPs with MuddyWater and other Iranian APTs.
An Iranian threat group targeting the aerospace, energy, and petrochemical sectors.
Osiris is a new ransomware strain discovered in January 2026 that uses a custom POORTRY driver in BYOVD (Bring Your Own Vulnerable Driver) attacks to disable security tools and steal data. The group demonstrates sophisticated evasion capabilities.
Hydro Kitten, also widely known as APT35, Charming Kitten, Phosphorus, TA453, or Ajax Security Team, is a highly prolific and sophisticated Iranian state-sponsored threat actor. The group is assessed to operate under the direction of the Islamic Revolutionary Guard Corps (IRGC) and primarily focuses on intelligence collection, espionage, and influence operations. Their objectives align closely with Iran's national security and geopolitical interests, targeting individuals and organizations deemed threats to the Iranian regime, particularly those involved in national security, diplomacy, academia, journalism, defense, and critical infrastructure. Operations are characterized by extensive reconnaissance, sophisticated social engineering (often leveraging fake personas like journalists, academics, or conference organizers), and the use of customized, low-volume malware alongside legitimate tools (Living off the Land - LOTL). They specialize in large-scale spear-phishing campaigns aimed at credential harvesting, often using fake login pages (phishing kits), and subsequent lateral movement for data exfiltration. They frequently utilize compromised accounts and cloud infrastructure for command and control and staging. Hydro Kitten is known for its persistence and adaptability, often retooling and refining their TTPs in response to detection. They have a history of exploiting known vulnerabilities in public-facing applications and using VPNs or proxy services to mask their origin. They have demonstrated capabilities in supply chain compromise, data destruction, and leveraging social media for intelligence gathering and influence operations, including creating convincing fake websites, social media profiles, and entire conferences to lure targets. Recent activities also indicate a focus on exploiting unpatched vulnerabilities in enterprise collaboration tools and network devices, as well as using SMS phishing (smishing) and WhatsApp to deliver malicious links. 
They are known for their patient and long-term campaigns. They have also engaged in ransomware deployment and data destruction operations, particularly against entities perceived as adversaries of Iran.
Haywire Kitten, also known by aliases such as APT35, Charming Kitten, Phosphorus, TA453, and Yellow Garuda, is a highly sophisticated, state-sponsored threat actor operating on behalf of the Iranian government. Their primary focus is intelligence collection, espionage, and influence operations aimed at supporting Iranian national security interests. Their operations are characterized by extensive social engineering, meticulous reconnaissance, and the use of custom, modular malware frameworks delivered primarily through spear-phishing, credential harvesting, and watering hole attacks. They frequently target individuals and organizations perceived as threats or sources of strategic information regarding sanctions, nuclear negotiations, regional stability, human rights activism, and Iranian dissidents, often impersonating journalists, academics, conference organizers, government officials, or even colleagues. They are known for exploiting vulnerabilities (often N-day) and leveraging legitimate cloud services (like Google Drive, Dropbox, and Microsoft OneDrive) for command and control (C2) and data exfiltration, demonstrating a high degree of operational security awareness. They often utilize VPNs and proxies to obfuscate their true origin and maintain persistence through sophisticated techniques like malicious scheduled tasks and boot persistence methods. They have also been observed using SMS phishing (smishing), WhatsApp, LinkedIn, and Telegram to deliver malicious links and engage targets. Their campaigns are often long-running and highly adaptive, evolving their TTPs in response to detection and defensive measures. They have demonstrated a capability to adapt their malware and infrastructure, often using open-source tools alongside custom implants. Recent activities show an increased focus on targeting critical infrastructure entities, leveraging supply chain compromises, and expanding their reach to include targets in the Middle East, Europe, and North America. 
They are also known for their use of fake personas across social media platforms to establish rapport and deliver malicious content. They have also been observed using techniques such as supply chain compromise to gain initial access. Their objectives are primarily aligned with Iranian geopolitical interests, including monitoring dissidents, gathering intelligence on rival nations, and influencing international policy.
Imperial Kitten, also known by aliases such as APT35, Phosphorus, Charming Kitten, TA453, and Ajax Security Team, is a highly sophisticated, state-sponsored Iranian threat actor group with strong ties to the Islamic Revolutionary Guard Corps (IRGC). Their primary mission encompasses intelligence collection, espionage, and influence operations, predominantly targeting entities perceived as adversaries of the Iranian regime. This includes dissidents, human rights activists, academics, journalists, government officials, and critical infrastructure entities across the US, Europe, and the Middle East. The group is renowned for its elaborate and persistent social engineering campaigns, frequently leveraging highly convincing fake personas (e.g., journalists, academics, conference organizers, government officials, or even former colleagues) to establish trust and conduct credential harvesting. These campaigns often employ advanced techniques such as OAuth consent phishing, redirection chains, SMS phishing (smishing), and watering hole attacks. Imperial Kitten frequently exploits known vulnerabilities (especially N-day exploits) in public-facing applications, particularly those related to VPNs (e.g., Fortinet, Pulse Secure, Palo Alto GlobalProtect), email servers (e.g., Microsoft Exchange, Outlook Web Access), collaboration platforms (e.g., Microsoft 365, Google Workspace), and network devices to gain initial access. Their operations prioritize long-term persistence, extensive data exfiltration, and, in some cases, disruptive or destructive capabilities.
They are known for their use of custom backdoors (e.g., CharmPower, PowerLess, Roadsweeper, Piston, Koadic, TunnelBear, NokNok, PoisonFrog, ReconShark, Remexi, Magic Hound), dual-use tools (e.g., Mimikatz, PowerShell Empire, ScreenConnect, Metasploit, AnyDesk, Ngrok, TeamViewer, PsExec, WinRAR), and frequently utilize compromised infrastructure, often located in Western countries, to host command and control (C2) operations and obscure their origins. Their TTPs are constantly evolving, demonstrating a high degree of adaptability, resourcefulness, a willingness to adopt new attack vectors and tools to achieve their objectives, and an increasing focus on supply chain attacks and leveraging legitimate cloud services for C2 and data exfiltration. They are also known for using spear-phishing attachments with malicious macros or embedded links, often delivered via compromised email accounts. Recent trends show an increased focus on targeting healthcare organizations, particularly those involved in medical research, and exploiting cloud environments for data staging and exfiltration. They are highly adaptive, consistently refining their social engineering lures and technical capabilities to bypass security measures and achieve their intelligence-gathering objectives.
Gamaredon, also known by aliases such as Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard, IRON TILDEN, UAC-0010, and Pteranodon, is a highly active, state-sponsored cyber espionage group attributed to the Federal Security Service (FSB) Center 18 of Russia. Active since at least 2013, the group focuses almost exclusively on Ukraine, conducting high-volume, persistent campaigns characterized by rapid infrastructure turnover and the use of evolving, custom VBScript, PowerShell, and .NET-based malware strains. Their primary objective is intelligence collection, specifically targeting sensitive government, military, law enforcement, judicial, and critical infrastructure entities in Ukraine to exfiltrate documents, harvest credentials, maintain long-term access, and conduct reconnaissance. They frequently utilize spearphishing with malicious attachments or links, often disguised as legitimate government or military communications, followed by complex, multi-stage dropper chains, often leveraging legitimate cloud services (like Telegram, Dropbox, and legitimate hosting providers) for command and control (C2) and data staging. They are notorious for their high operational tempo, widespread use of infected USB drives for lateral movement, and use of compromised legitimate websites as C2 infrastructure. Their campaigns are often characterized by low-sophistication initial access methods but high persistence, making them a significant and continuous threat to Ukrainian national security. They are known for their extensive use of custom tools that often evolve rapidly, including backdoors, information stealers, and wipers, which often feature obfuscated code and anti-analysis techniques. They frequently register new domains and host C2 infrastructure on compromised legitimate websites to evade detection. 
They have also been observed using custom tools to collect system information, take screenshots, and upload or download files, and are known for delivering payloads through a variety of file types, including LNK, ISO, and RAR archives. Their malware often includes components for reconnaissance, data exfiltration, and persistent access, frequently employing techniques like DLL side-loading and scheduled tasks for execution and persistence. They are also known for their use of commodity tools like 7-Zip and WinRAR, and for their ability to quickly adapt their tactics and infrastructure in response to defensive measures. They have recently adopted more sophisticated techniques, including supply chain compromise and leveraging compromised VPN accounts for initial access. The group continuously refines its toolset and delivery mechanisms, often employing polymorphic malware and obfuscation to evade detection. Their operations are characterized by a high volume of attacks, often targeting a wide range of organizations within Ukraine, aiming for broad intelligence gathering rather than highly selective, high-value targets, though they do pursue high-value targets when opportunities arise.
Galactic Ocelot, also known as 'Andean Jaguar' or 'Condor APT', is a highly sophisticated, state-sponsored cyber espionage group assessed to be operating under the directive of Colombian intelligence agencies. The group specializes in long-term strategic access, political influence operations, and intelligence gathering against strategic targets both domestically and regionally. They are characterized by high operational security (OPSEC), utilizing multi-stage infection chains, highly tailored spear-phishing (often leveraging local political themes and current events) as an initial access vector, and a combination of custom modular malware (like 'Jaguar' and 'PumaLoader') and extensive use of living-off-the-land binaries (LOLBins) to maintain stealth and persistence. Their primary objective is long-term data exfiltration and strategic access, often focusing on sensitive political opposition data, human rights documentation, critical infrastructure planning, and diplomatic communications. They frequently leverage compromised legitimate cloud storage services (like Google Drive, Dropbox, or OneDrive) for command and control infrastructure, data staging, and exfiltration to evade network detection, demonstrating a strong focus on minimizing custom infrastructure footprint. They exhibit strong tradecraft in evading detection, often using fileless execution techniques, signed binaries, and anti-analysis measures. Their operations suggest a deep understanding of target environments and a patient, methodical approach to achieving their intelligence objectives, often involving extensive reconnaissance and social engineering. Their activities are primarily aligned with national intelligence priorities, focusing on geopolitical adversaries, internal dissent monitoring, and economic intelligence. Their operations are typically covert, aiming for long-term strategic access rather than disruptive attacks. 
They show a strong preference for Windows environments but have demonstrated capabilities against macOS and Linux systems when required. They have also been observed employing supply chain compromise techniques to gain initial access, particularly targeting software development firms or government contractors. Their activities align with national intelligence priorities, including monitoring internal political opposition, gathering economic intelligence, and maintaining situational awareness of regional geopolitical developments. They are known for their adaptive TTPs and ability to quickly integrate new techniques to bypass defenses. They have shown a particular interest in government entities, diplomatic missions, and critical infrastructure organizations within South America and occasionally beyond. Their use of legitimate services and LOLBins makes attribution and detection challenging, requiring advanced threat hunting capabilities.
Evasive Panda, also known as APT15, Bronze Highland, and Vixen Panda, is a highly sophisticated, state-sponsored cyber espionage group operating out of China since at least 2008. Their primary mission is strategic intelligence gathering, intellectual property (IP) theft, and reconnaissance against critical infrastructure, government entities, and defense sectors globally. They are characterized by their use of complex initial access vectors, including supply-chain compromise (e.g., via compromised software updates), DNS poisoning, watering hole attacks, and highly tailored spearphishing campaigns with malicious attachments or links. They utilize modular, evolving custom malware families such as MgBot, CloudScout, RoyalRoad, KHRAT, KeyBoy, Mirage, and variants of PlugX, often delivered via custom loaders and droppers leveraging techniques like DLL search order hijacking or DLL side-loading. Evasive Panda maintains high operational security, frequently rotating infrastructure and leveraging legitimate cloud services (like Dropbox, Google Drive, Microsoft OneDrive) for Command and Control (C2) to achieve long-term persistence and evade detection. Their operations often focus on long-term data exfiltration rather than disruptive attacks, maintaining a low profile over extended periods. Their TTPs include extensive use of DLL side-loading, process injection, and scheduled tasks for persistence. They also employ credential dumping using tools like Mimikatz, and various forms of persistence to maintain access. They are known for their adaptability, often updating their toolset and TTPs to bypass new security measures, including the use of encrypted channels and obfuscation techniques. They have a history of targeting diplomatic entities, telecommunications, and technology companies, often focusing on Southeast Asian nations, particularly Vietnam, Thailand, and the Philippines, but also observed in other regions like Europe, North America, and Africa. 
The group has shown a consistent evolution in their toolset and techniques, frequently adopting new attack vectors and C2 mechanisms to maintain effectiveness and avoid detection. They are known for their patience and ability to maintain long-term access to compromised networks. Their objectives align with China's strategic intelligence priorities, focusing on sensitive political, economic, and military information. They have also been observed using custom loaders and droppers to deploy their payloads, often using techniques like DLL search order hijacking to execute malicious code. Recent observations indicate a continued focus on government and diplomatic entities, with evolving evasion techniques.
Comrade Saiga is a highly sophisticated, state-sponsored advanced persistent threat (APT) actor operating with objectives aligned with Central Asian geopolitical interests, primarily focused on intelligence gathering, espionage, and political sabotage. Attributed with high confidence to Kazakhstan, this group focuses heavily on government entities, diplomatic missions, critical infrastructure (energy, telecommunications), and international organizations. Their operations are characterized by high operational security (OpSec), rapid infrastructure rotation, and the consistent use of custom, multi-stage malware frameworks like 'SAIGA-LOADER' (initial access/loader) and 'SAIGA-STEALER' (data exfiltration/credential harvesting). They frequently leverage supply chain vectors and N-day vulnerabilities for initial access, followed by extensive use of living-off-the-land binaries (LOLBins) and legitimate cloud infrastructure (e.g., AWS, Azure, Google Cloud) for robust command and control (C2) to maintain stealth and persistence. They are known for meticulous target selection and long-term infiltration strategies, often utilizing highly customized spearphishing campaigns targeting specific high-value individuals. Their campaigns demonstrate a clear focus on long-term intelligence collection to support national strategic interests, exhibiting patience and adaptability in their TTPs. They also employ credential dumping and scheduled tasks for persistence, and use process injection to evade detection. Communication often occurs over encrypted channels and application layer protocols to blend in with normal network traffic, and exfiltration often happens over C2 channels. They are highly adaptive, frequently updating their toolset and tactics to bypass evolving security measures, and have been observed using alternate authentication material for lateral movement and persistence. 
Their use of custom malware and sophisticated evasion techniques underscores their advanced capabilities and state-sponsored backing.
COLDRIVER, also known as Star Blizzard (Google TAG), SEABORGIUM (Microsoft), BlueCharlie (Mandiant), and Callisto Group (various researchers), is a highly sophisticated and persistent Russian state-aligned cyber espionage group. Strongly linked to the Federal Security Service (FSB) Center 18, the group has been active since at least 2019. Their primary objective is strategic intelligence collection, influence operations (IO), and disruption targeting critical information related to foreign policy, defense, energy, and national security interests of NATO countries and organizations supporting Ukraine. COLDRIVER specializes in highly effective spear-phishing campaigns utilizing sophisticated, tailored phishing kits that mimic legitimate login pages (e.g., Microsoft 365, Google Workspace, ProtonMail, Zimbra, Yandex, Outlook Web Access, Webmail, VPN portals) to harvest credentials and session cookies. They frequently leverage 'Living off the Land' (LotL) techniques, legitimate credentials, and proxy services for persistent access, reconnaissance, and exfiltration, minimizing the need for complex custom malware. Their operations are characterized by meticulous preparation, extensive OSINT for crafting convincing lures, rapid adaptation of infrastructure, and a focus on high-value political, defense, and critical infrastructure targets. They often use compromised accounts for lateral movement and further phishing operations. The group employs custom tools for credential harvesting, session cookie theft, and data exfiltration, often disguised as legitimate software updates or system utilities. They are known for their patience and persistence, maintaining access for extended periods to gather intelligence and using open-source tools and publicly available services (e.g., ProtonMail, Tutanota, Gmail, legitimate cloud hosting) to host their phishing infrastructure, making attribution and takedown more challenging. 
They have also been observed employing password spray attacks against exposed services and using social engineering tactics to build rapport with targets before delivering malicious links. Their operations are typically low-volume but highly targeted, focusing on individuals with access to sensitive information. They have evolved their tactics to include leveraging compromised accounts for further phishing and using custom tools for session hijacking and data exfiltration. Recent activity indicates a continued focus on government, defense, and critical infrastructure entities, particularly those involved in supporting Ukraine. The group's tradecraft emphasizes stealth and persistence, often using legitimate services and infrastructure to blend in with normal network traffic. They are known for rapid infrastructure changes, sometimes using newly registered domains for only a few days before discarding them.
Bounty Jackal is a composite designation tracking highly opportunistic, financially motivated cybercrime groups and Initial Access Brokers (IABs). Their primary objective is rapid financial gain, typically achieved through double extortion ransomware operations (data exfiltration followed by encryption) and the sale of initial access to high-value networks on underground forums. They specialize in exploiting recently disclosed N-day vulnerabilities in internet-facing perimeter systems such as VPNs, firewalls, RDP gateways, and web applications (T1190) for initial access. They demonstrate a high operational tempo, often moving quickly from initial compromise to network-wide encryption. While primarily cybercrime, they frequently add public shaming and Distributed Denial of Service (DDoS) attacks (T1498.001) to increase pressure during extortion negotiations. Their operations prioritize speed in lateral movement and privilege escalation, relying on commodity tools and living-off-the-land binaries. Their infrastructure is cycled frequently through bulletproof hosting services to survive takedowns and keep command-and-control reachable. They also use phishing (T1566.001, T1566.002) and supply chain compromises (T1195) to gain initial footholds. Post-exploitation, they focus on credential dumping (T1003), data exfiltration (T1041, T1567), and ransomware deployment. They adapt quickly to new vulnerabilities and defensive measures, continually refining their TTPs. Their targeting shows no consistent geographic or sector focus beyond whatever offers the quickest financial return, making them a pervasive and unpredictable threat. They exhibit the characteristics of a Ransomware-as-a-Service (RaaS) affiliate model, leveraging readily available tools and infrastructure with minimal custom development, including off-the-shelf tooling for network scanning, vulnerability exploitation, and post-exploitation activity.
Spectral Kitten, also known as APT35, Charming Kitten, Phosphorus, TA453, and Yellow Garuda, is a highly active Iranian state-sponsored threat actor operating primarily under the direction of the Islamic Revolutionary Guard Corps (IRGC). Its core mission is intelligence gathering, espionage, and influence operations against perceived enemies of the Iranian regime, particularly in the US, Israel, Saudi Arabia, Europe, and the wider Middle East, with a strong focus on dissidents, academics, journalists, human rights activists, and government officials. Operations are characterized by sophisticated social engineering, extensive spear-phishing campaigns that lead victims to fake login pages (credential harvesting), and exploitation of known vulnerabilities in internet-facing systems (VPN appliances, Microsoft Exchange, SharePoint, Fortinet, Pulse Secure, Zoho ManageEngine). APT35 is highly adaptive, frequently updating its toolset and using custom backdoors (such as NokNok, CharmPower, PowerLess, PupyRAT, TunnelBear, CharmPrint, Roadmap, Macaron, TinySieve, and GhostSieve) alongside legitimate tools (LOLBAS, PowerShell, Mimikatz, PsExec, Rclone, Ngrok, TeamViewer, AnyDesk) to maintain persistence and exfiltrate sensitive data. Recent activity shows an increasing willingness to deploy disruptive capabilities, including ransomware-style encryption of victims (Microsoft has documented a Phosphorus subgroup encrypting hosts with BitLocker and DiskCryptor), often coinciding with geopolitical tensions. They frequently leverage compromised accounts and supply chain vectors for initial access. They host infrastructure on legitimate cloud services (e.g., AWS, Azure, Google Cloud, DigitalOcean, Vultr) to blend in with ordinary traffic, and have used compromised websites for command and control.
They have also been observed using social media platforms (LinkedIn, Facebook, WhatsApp, Telegram, X/Twitter, Instagram) for reconnaissance, initial contact, and social engineering, often impersonating journalists, academics, or conference organizers. Their operations demonstrate a high degree of operational security and a persistent, long-term approach to achieving strategic objectives, often blending cyber espionage with information operations and psychological warfare.
Jewelbug, also known as APT31, Zirconium, Judgement Panda, and PANDA_MESSIAH, is a highly sophisticated, state-sponsored Chinese threat actor with strong links to the Ministry of State Security (MSS) and its provincial departments. Its primary objectives are strategic intelligence gathering, economic espionage, and intellectual property (IP) theft, targeting organizations critical to China's national security interests in the high-tech, defense, government policy, telecommunications, energy, aerospace, and critical infrastructure sectors. APT31 constantly evolves its toolset, using custom backdoors (including PlugX, FoulPlay, SManager, Ninjia, and custom variants of Gh0st RAT) and relaying C2 traffic through compromised infrastructure (often home and small-office routers, VPN devices, and IoT equipment) to obscure its origin. It maintains persistent access to high-value targets globally. Initial access typically comes through spear-phishing with malicious attachments or links and through exploitation of known and zero-day vulnerabilities, especially in VPN appliances (Fortinet, Pulse Secure), Microsoft Exchange, and Zoho ManageEngine. The group is recognized for careful operational security, extensive living-off-the-land (LOLBAS) tradecraft such as PowerShell and WMI, and the use of legitimate cloud services (Dropbox, Google Drive, OneDrive) for command and control and data exfiltration. It has also conducted supply chain compromises and exploited managed service providers (MSPs) to reach downstream targets. Its operations show a high level of technical proficiency and a persistent, long-term approach to intelligence collection, and it has been linked to operations against political dissidents, human rights organizations, journalists, and government officials critical of the Chinese government.
Its tactics include sophisticated social engineering, exploitation of public-facing applications, and lateral movement within compromised networks using tools such as Mimikatz, PsExec, and Cobalt Strike. The group is highly adaptive, frequently changing infrastructure and TTPs to evade detection. It uses custom tools for host enumeration and data staging and applies various obfuscation techniques to its malware and C2 communications. It targets sensitive data such as proprietary technology, government secrets, and personal information of dissidents.
Iranian IRGC-affiliated group targeting water utilities and industrial control systems.
An illicit network engaged in selling and shipping Iranian oil and other commodities in violation of U.S. sanctions, allegedly funded by Mohammad Hossein Shamkhani.
Pakistani threat group targeting Indian and Afghan diplomatic and defense organizations.
Ransomware group discovered from victim leak site data. 26 known victims across 5 sectors and 5 countries.
Ransomware group active since March 2023 with links to Conti, targeting Windows and VMware ESXi.
Trident Locker is a ransomware variant that emerged in mid-2024. It is designed to encrypt files on compromised systems and demand a ransom payment, typically in cryptocurrency, for decryption. The group behind Trident Locker appears to be financially motivated, targeting a range of organizations for profit. Early analysis suggests it may be a new or rebranded operation, focusing on rapid encryption and data exfiltration for double extortion tactics.
DragonForce operates as a ransomware cartel and ecosystem consolidator, absorbing affiliate networks from disrupted groups. Known for identity-centric exploitation and AI-generated impersonation techniques. The group has demonstrated sophisticated social engineering capabilities and business-like resilience.
SloppyLemming is a threat activity cluster attributed to attacks targeting government entities and critical infrastructure operators.
Play ransomware is a ransomware operation that emerged in mid-2022. Unlike most of its contemporaries it is believed to run as a closed group rather than an affiliate-based RaaS program. It is known for its 'double extortion' tactics, encrypting systems and exfiltrating sensitive data for public release if the ransom is not paid. The group is characterized by its use of a '.play' extension for encrypted files and a distinctive ransom note format. Play ransomware actors have been observed exploiting vulnerabilities in public-facing applications for initial access and employing living-off-the-land techniques.
Ransomware group targeting healthcare and education sectors.
Lapsus$ is a financially motivated threat group known for its unique extortion tactics, which often involve gaining initial access through social engineering, SIM swapping, and insider threats. Unlike traditional ransomware groups, Lapsus$ primarily focuses on data theft and extortion rather than encrypting systems. They publicly announce their successful breaches and demand ransom to prevent data leaks, often engaging directly with victims and the public on social media platforms.
Everest is a ransomware group that has been active since at least 2020. Initially operating as a traditional ransomware group, they later shifted their tactics to focus heavily on data exfiltration and extortion, often selling stolen data or access to compromised networks rather than solely relying on encryption. They are known for targeting a wide range of industries globally.
Inc Ransom is a relatively new ransomware group that emerged in mid-2023, operating a Ransomware-as-a-Service (RaaS) model. They are known for targeting organizations in the education and healthcare sectors and for utilizing double extortion tactics. The group often exploits publicly exposed vulnerabilities for initial access.
Abyss Locker is a relatively new ransomware-as-a-service (RaaS) operation that emerged in early 2023. It is notable for a Linux variant that targets VMware ESXi hosts and encrypts virtual machine files, alongside its Windows encryptor. The group operates a double extortion model and maintains a dedicated leak site.
Atomsilo (also written Atom Silo) is a ransomware group that emerged in 2021, known for its use of a custom ransomware strain. The group has been observed targeting various sectors globally. Analysts found its payload nearly identical to the LockFile ransomware, suggesting a shared codebase or operator. Atomsilo ransomware is written in C++ and uses a hybrid scheme, encrypting file contents with AES-256 and wrapping the AES keys with RSA-2048 so that files cannot be recovered without the operators' private key. It is capable of encrypting files, deleting shadow copies, and disabling recovery options.
Sinobi is a relatively new ransomware group that emerged in mid-2025 and has rapidly become one of the most active groups tracked here. It has conducted several attacks on healthcare organizations and ranks third by ransomware incident count, with 203 attacks recorded.
A developer advertising and selling a new mobile spyware platform called ZeroDayRAT on Telegram, offering real-time surveillance and data theft capabilities for Android and iOS devices. They operate dedicated channels for sales, customer support, and updates.
Ransomware group discovered from victim leak site data. 6 known victims across 4 sectors and 1 country.
RansomHouse is a data extortion group that emerged in late 2021. Unlike traditional ransomware groups, RansomHouse primarily focuses on data exfiltration and extortion, often claiming to be 'professional mediators' or 'security researchers' who expose vulnerabilities and demand payment to prevent data leaks, rather than encrypting systems. They typically target organizations with weak security postures and exploit known vulnerabilities. They have been observed using a 'leakware' model, where they threaten to publish stolen data if a ransom is not paid.
Ransomware group discovered from victim leak site data. 10 known victims across 5 sectors and 2 countries.
An unknown cybercriminal group or individual responsible for hijacking the 'AgreeTo' Outlook add-in and converting it into a phishing kit to steal Microsoft account credentials.
A group operating 30 malicious Chrome extensions disguised as AI assistants to steal user data.
A group described as 'terrorists' by Pakistan's military media affairs wing, responsible for attacks in Balochistan.
Money Message is a ransomware-as-a-service (RaaS) operation that emerged in early 2023. It uses a custom-built encryptor and focuses on double extortion, publishing victims on a dedicated data leak site.
Ransomware group with suspected Conti connections.
RansomHub is a relatively new ransomware-as-a-service (RaaS) operation that emerged in early 2024. It is believed to have attracted affiliates from other dismantled or inactive ransomware groups, particularly those previously associated with BlackBasta and NoEscape. The group operates a double extortion model, encrypting data and exfiltrating it for public release if the ransom is not paid. RansomHub has quickly gained notoriety for its aggressive targeting and sophisticated operations.
Hunters International is a ransomware group that emerged in late 2023. Researchers assessed it to be a rebrand of the Hive ransomware operation based on substantial code overlap, a link the group itself disputed, claiming instead to have purchased Hive's source code. The group operates a Ransomware-as-a-Service (RaaS) model and is known for double extortion tactics, encrypting data and exfiltrating it for public release if the ransom is not paid. Its operations have targeted a wide range of industries globally.
Mallox is a ransomware-as-a-service (RaaS) operation that emerged in mid-2021. It focuses on double extortion, encrypting victim data and exfiltrating it for public release if the ransom is not paid. The group is known for gaining initial access through internet-exposed Microsoft SQL Servers and other public-facing services, typically by brute-forcing weak or default credentials. Mallox ransomware appends a family-specific extension (e.g., .mallox, .targetcompany, .fpcc) to encrypted files and drops a ransom note (e.g., 'RECOVER-MALLOX.txt').
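The password spray attacks noted in an earlier profile on this page and Mallox's brute-forcing of exposed MSSQL servers leave the same footprint in authentication logs: one source producing failed logons faster than any human would. They differ in shape, and the difference matters for response (a spray means the attacker holds a user list and your lockout policy is not protecting you; a brute force means one exposed account is being hammered). The classifier below is an added example for this page, not tooling from any of the groups profiled; it assumes a constructed syslog-style line format and illustrative thresholds, and labels each source IP using a sliding window over its failures.

```python
"""Classify failed-logon bursts as password spraying or single-account brute force.

Added example for this page, not code from any actor profile or vendor report.
It assumes a constructed, syslog-style line format:
    <ISO-8601 time> src=<ip> user=<name> result=<OK|FAIL>
parse_line() is the only function tied to that format; adapt it to your VPN,
RDP gateway or MSSQL failed-login (event 18456) source and the rest applies.
"""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<res>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, user, success) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["user"], m["res"] == "OK"


def classify_sources(lines, window=timedelta(minutes=30), spray_users=10, brute_attempts=20):
    """Return {src_ip: set(labels)} using a sliding window of failed logons per source.

    'spray'       - one source fails against >= spray_users distinct accounts
                    inside the window (few guesses per account, many accounts).
    'brute_force' - one source fails >= brute_attempts times against the same
                    account inside the window (many guesses, one account).
    Thresholds are illustrative; tune them against your own baseline.
    """
    fails_by_src = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, ok = parsed
        if not ok:
            fails_by_src.setdefault(src, []).append((ts, user))

    verdicts = {}
    for src, events in fails_by_src.items():
        events.sort()
        in_window = deque()
        per_user = Counter()
        labels = set()
        for ts, user in events:
            in_window.append((ts, user))
            per_user[user] += 1
            # evict failures older than the window relative to the newest event
            while ts - in_window[0][0] > window:
                _, old_user = in_window.popleft()
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
            if len(per_user) >= spray_users:
                labels.add("spray")
            if per_user[user] >= brute_attempts:
                labels.add("brute_force")
        if labels:
            verdicts[src] = labels
    return verdicts


def _fmt(ts):
    return ts.isoformat().replace("+00:00", "Z")


def sample_lines():
    """Constructed sample: one sprayer, one brute-forcer, one forgetful but benign user."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    # 203.0.113.5: one guess each against 12 different accounts in three minutes
    for i in range(12):
        lines.append(f"{_fmt(base + timedelta(seconds=15 * i))} src=203.0.113.5 user=user{i:02d} result=FAIL")
    # 198.51.100.7: 25 guesses against the 'sa' account in under a minute
    for i in range(25):
        lines.append(f"{_fmt(base + timedelta(seconds=2 * i))} src=198.51.100.7 user=sa result=FAIL")
    # 192.0.2.9: a real user mistypes four times, then succeeds
    for i in range(4):
        lines.append(f"{_fmt(base + timedelta(minutes=i))} src=192.0.2.9 user=alice result=FAIL")
    lines.append(f"{_fmt(base + timedelta(minutes=5))} src=192.0.2.9 user=alice result=OK")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for src, labels in sorted(classify_sources(sample_lines()).items()):
        print(f"{src}: {', '.join(sorted(labels))}")
```

The per-source window is what keeps the benign case quiet: four failures from one user followed by a success never approaches either threshold, while the sprayer trips the distinct-account rule with a single attempt per account, exactly the pattern a per-account lockout policy cannot see. Against an MSSQL server the equivalent input is the stream of failed-login events with the client address, and the 'sa' account in the sample stands in for the default login Mallox-style operators go after first.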
Cooming is a ransomware-as-a-service (RaaS) operation that emerged in late 2023. It is known for its aggressive tactics, including double extortion, and targeting a wide range of organizations globally. The group operates an affiliate program and maintains a data leak site to pressure victims into paying ransoms.
BlackSuit is a ransomware-as-a-service (RaaS) operation that emerged in May 2023. It is believed to be a successor or rebrand of the Royal ransomware group, with significant code similarities identified between the two. The group employs a double extortion strategy, encrypting victim data and exfiltrating it for public release if the ransom is not paid. BlackSuit targets organizations across various sectors globally.
VanirGroup is a ransomware-as-a-service (RaaS) operation that emerged in late 2023. It is known for targeting organizations across various sectors, employing double extortion tactics, and leveraging a custom-built ransomware strain. The group actively recruits affiliates and operates a data leak site to pressure victims into paying ransoms.
MalekTeam is a ransomware operation that emerged in late 2023, primarily targeting organizations in the Middle East, particularly Iran and Israel. The group is known for its data exfiltration and encryption tactics, often leveraging vulnerabilities in public-facing applications for initial access. Their operations appear to be politically motivated, aligning with hacktivist or state-sponsored objectives rather than purely financial gain, although ransom demands are still made.
IMNCrew is a ransomware group that emerged in late 2023. They operate a Ransomware-as-a-Service (RaaS) model and are known for their double extortion tactics, exfiltrating data before encryption and threatening to publish it on their leak site if the ransom is not paid. Their operations primarily target organizations across various sectors globally. The group has been observed using custom ransomware strains and leveraging common initial access vectors.
BlueLocker is a ransomware variant that emerged in late 2023, primarily targeting VMware ESXi virtual machines. It is notable for its use of the 'BlueLocker' string in its ransom notes and for encrypting virtual disk files (VMDKs). The ransomware group behind it appears to focus on high-value targets, often leveraging vulnerabilities or compromised credentials for initial access. Its operational model includes double extortion tactics, threatening to leak stolen data if the ransom is not paid.
Raworld is a ransomware operation that emerged in late 2023, primarily targeting organizations for financial gain. It employs encryption to render systems inaccessible and typically demands a ransom for decryption. The group has shown a preference for exploiting known vulnerabilities for initial access and has been observed using double extortion tactics.
GunRansom is a ransomware group that emerged in late 2023. It operates as a Ransomware-as-a-Service (RaaS) model, primarily targeting organizations in various sectors. The group is known for its relatively unsophisticated but effective encryption methods and its use of double extortion tactics. They often exploit vulnerabilities in public-facing applications or leverage stolen credentials for initial access.
BonaciGroup is a ransomware operation that emerged in late 2023. The group primarily targets organizations across various sectors, employing a double extortion model to pressure victims into paying ransoms. They are known for their custom ransomware locker and data exfiltration tactics.
RedAlert, also known as N13V, is a ransomware-as-a-service (RaaS) operation that emerged in 2022. It primarily targets Windows and Linux systems, with a focus on encrypting VMware ESXi servers. The group is known for its double extortion tactics, exfiltrating data before encryption and threatening to publish it if the ransom is not paid. RedAlert has been observed targeting organizations globally, particularly in critical infrastructure sectors.
Babuk2 refers to the ransomware variant and operations that emerged after the original Babuk Locker source code was leaked in September 2021. While the original Babuk group ceased operations in April 2021, the leaked source code enabled new threat actors to develop and deploy their own versions of the ransomware. Babuk2 operations often leverage the leaked builder to create customized payloads.
Hotarus is a ransomware operation that emerged in late 2023. It is notable for its use of a custom-developed ransomware strain and its focus on double extortion tactics. The group primarily targets organizations in specific sectors, leveraging common initial access vectors to infiltrate networks.
LostTrust is a relatively new ransomware-as-a-service (RaaS) operation that emerged in mid-2023. It is notable for its use of a custom ransomware variant written in the Rust programming language, which allows for cross-platform compilation and evasion of some security solutions. The group primarily focuses on double extortion tactics, exfiltrating data before encryption and threatening to publish it on their leak site if the ransom is not paid. Their operations often involve exploiting vulnerabilities in public-facing applications for initial access.
Babuk ransomware emerged in early 2021, quickly gaining notoriety for its custom-built ransomware strain written in C/C++. The group initially operated as a ransomware-as-a-service (RaaS) model, targeting various organizations globally. In April 2021, the group announced its retirement from encrypting victim networks and shifted its focus to data exfiltration and extortion only, releasing its source code. Despite this, variants and offshoots of Babuk have continued to be observed in the wild.
HolyGhost is a ransomware group that emerged in 2022, primarily targeting small and medium-sized businesses (SMBs). The group is known for its use of a custom ransomware variant and has been observed employing double extortion tactics. Their operations often involve exploiting vulnerabilities in public-facing applications and leveraging legitimate tools for post-compromise activities. The group has been linked to North Korean state-sponsored activity by some researchers, though this attribution remains debated by others.
Daixin Team is a ransomware group that emerged in June 2022. They primarily target organizations in the healthcare and public health (HPH) sector. The group engages in double extortion, encrypting systems and exfiltrating sensitive data, which they then threaten to publish if the ransom is not paid. They are known for exploiting vulnerabilities in VPN appliances and conducting sophisticated network intrusions.
Snatch ransomware is a ransomware-as-a-service (RaaS) operation that first emerged in late 2018. It is known for rebooting infected machines into safe mode to bypass security software during the encryption process. The group employs a double extortion tactic, exfiltrating data before encryption and threatening to publish it on their leak site if the ransom is not paid. Snatch operators are observed to be highly opportunistic, targeting a wide range of organizations globally.
MosesStaff is a politically motivated Iranian threat group that has conducted destructive cyberattacks against Israeli organizations since at least October 2021. The group primarily focuses on data exfiltration and destruction rather than traditional ransomware, often using wiper malware disguised as ransomware. Their operations are characterized by public taunting of victims and the release of stolen data on dedicated leak sites. Their motivations appear to be primarily political, aiming to disrupt and embarrass Israeli entities.
MedusaLocker is a ransomware operation that emerged in late 2019. It typically gains initial access through RDP brute-forcing or exploitation of vulnerable services. Once inside a network, it focuses on encrypting files on network shares, local drives, and connected removable media. It often attempts to disable security software and delete shadow copies to hinder recovery efforts. The group is known for its persistent encryption efforts and has evolved its tactics over time.
NovaLocker is a ransomware-as-a-service (RaaS) operation that emerged in 2021. It is known for targeting corporate networks globally, often leveraging common initial access vectors and employing double extortion tactics. The group maintains a relatively low profile compared to larger RaaS operations but has demonstrated consistent activity.
Lorenz is a ransomware-as-a-service (RaaS) operation that emerged in early 2021. The group is known for its double extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to publish the data if the ransom is not paid. Lorenz often targets organizations globally, leveraging vulnerabilities in public-facing applications for initial access. They have been observed selling access to victim networks on underground forums prior to deploying their ransomware.
Nevada is a ransomware-as-a-service (RaaS) operation that emerged in late 2022. It is known for its use of a custom-built ransomware written in Rust, which allows for cross-platform compatibility. The group targets organizations across various sectors globally, employing double extortion tactics by exfiltrating data before encryption and threatening its public release if the ransom is not paid.
Pysa, also known as Mespinoza, is a human-operated ransomware variant that first emerged in late 2019. The group behind Pysa ransomware typically gains initial access through phishing campaigns or by exploiting vulnerabilities in remote access services like RDP. They engage in double extortion, exfiltrating sensitive data before encrypting systems and threatening to publish the data if the ransom is not paid. Pysa operators are known for their targeted attacks against government entities, educational institutions, and healthcare organizations.
Ransom Cartel is a ransomware group that emerged in late 2021, operating a ransomware-as-a-service (RaaS) model. The group is known for targeting organizations across various sectors globally, often leveraging previously compromised networks or exploiting vulnerabilities for initial access. Its ransomware payload shares code with REvil (Sodinokibi), suggesting a lineage or shared development resources with that earlier operation. Ransom Cartel engages in double extortion tactics, exfiltrating sensitive data before encryption and threatening to publish it if the ransom is not paid.
Lunalock is a relatively new ransomware operation that emerged in mid-2022. It is notable for being written in Rust, a programming language known for its performance and memory safety, which makes it more challenging to analyze and reverse engineer. The ransomware targets Windows, Linux, and ESXi systems, indicating a broad targeting capability. It operates as a Ransomware-as-a-Service (RaaS) model, suggesting an affiliate program. Lunalock encrypts files and appends a '.luna' extension to them, demanding cryptocurrency for decryption.
Lilith is a ransomware variant that emerged in 2022, primarily targeting corporate networks. It operates as a Ransomware-as-a-Service (RaaS) model, with affiliates deploying the ransomware. The ransomware encrypts files and appends a '.lilith' extension to them, dropping a ransom note named 'Restore-My-Files.txt'. It is known for its double extortion tactics, threatening to leak stolen data if the ransom is not paid.
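Several profiles on this page give the one artifact that is cheap to hunt for on a file server: the extension appended to encrypted files and the ransom-note filename (Play's '.play'; Mallox's '.mallox', '.targetcompany' and '.fpcc' with 'RECOVER-MALLOX.txt'; Luna's '.luna'; Lilith's '.lilith' with 'Restore-My-Files.txt'). The sweep below is an added example for this page, not a tool from any of these groups or from a vendor. Its indicator table uses only the names given above, the sample paths are constructed, and walk_and_sweep() is a plain os.walk so the same matcher can be pointed at a real share.

```python
"""Sweep file paths for the ransomware artifacts named in the profiles above.

Added example for this page, not code from any ransomware report or vendor.
INDICATORS holds only the extensions and ransom-note names given on this
page (Play, Mallox, Lilith, Luna); the sample paths are constructed, and the
directory walk is a generic os.walk so the matcher can run against a real share.
"""
import os
from collections import defaultdict

# family -> (lower-cased encrypted-file extensions, lower-cased ransom-note filenames)
INDICATORS = {
    "Play":   ({".play"}, set()),
    "Mallox": ({".mallox", ".targetcompany", ".fpcc"}, {"recover-mallox.txt"}),
    "Lilith": ({".lilith"}, {"restore-my-files.txt"}),
    "Luna":   ({".luna"}, set()),
}


def match_path(path):
    """Return (family, kind) with kind in {'encrypted_file', 'ransom_note'}, or None."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    for family, (exts, notes) in INDICATORS.items():
        if name in notes:
            return family, "ransom_note"
        if ext in exts:
            return family, "encrypted_file"
    return None


def sweep(paths):
    """Aggregate hits per family: counts by kind plus the set of affected directories."""
    report = defaultdict(lambda: {"encrypted_file": 0, "ransom_note": 0, "dirs": set()})
    for path in paths:
        hit = match_path(path)
        if hit is None:
            continue
        family, kind = hit
        report[family][kind] += 1
        report[family]["dirs"].add(os.path.dirname(path))
    return dict(report)


def walk_and_sweep(root):
    """Live variant: enumerate a tree and feed every file path to sweep()."""
    def paths():
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                yield os.path.join(dirpath, fname)
    return sweep(paths())


def sample_paths():
    """Constructed sample paths (POSIX style so the example behaves the same on any OS)."""
    return [
        "/srv/share/finance/Q3/budget.xlsx.play",
        "/srv/share/finance/Q3/forecast.docx.play",
        "/srv/share/finance/notes.txt",             # benign
        "/srv/share/hr/payroll.csv.mallox",
        "/srv/share/hr/RECOVER-MALLOX.txt",
        "/srv/share/eng/design.pdf.LILITH",         # mixed case still matches
        "/srv/share/eng/Restore-My-Files.txt",
        "/srv/share/eng/backup.tar.luna",
        "/srv/share/eng/playbook.docx",             # '.docx', not '.play'
        "/srv/share/media/luna_eclipse.jpg",        # 'luna' in the stem, not the extension
    ]


if __name__ == "__main__":
    for family, stats in sorted(sweep(sample_paths()).items()):
        print(f"{family}: {stats['encrypted_file']} encrypted, "
              f"{stats['ransom_note']} note(s), dirs={sorted(stats['dirs'])}")
```

Renamed-file indicators are the weakest signal in this list (an affiliate can change the extension per build), so treat a hit as a trigger to pull the host's process history rather than as proof of a family. The directory set is the useful part of the report: it tells you where encryption started, which is usually the first place to look for the account and host that held the initial foothold.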
Pandora ransomware is a relatively new ransomware variant that emerged in early 2022. It is known for its sophisticated encryption capabilities and its use of double extortion tactics. The ransomware is written in Rust, which allows it to target multiple operating systems and evade some security detections. It typically gains initial access through exploiting vulnerabilities in public-facing applications or stolen credentials, then encrypts files and exfiltrates data for double extortion.
DarkAngels is a ransomware group that emerged in late 2021, operating a Ransomware-as-a-Service (RaaS) model. They are known for encrypting victim data and exfiltrating it for double extortion. The group often targets organizations across various sectors globally. DarkAngels ransomware is a variant of the Babuk ransomware, sharing significant code similarities, particularly in its encryption routines. They maintain a data leak site to publish stolen data from non-paying victims.
Midas Ransomware is a ransomware-as-a-service (RaaS) operation that emerged in late 2021. It is known for its use of double extortion tactics, encrypting victim data and exfiltrating it for public release if the ransom is not paid. The group primarily targets organizations across various sectors globally.
Karakurt is a financially motivated cybercrime group that emerged in late 2021, primarily known for data exfiltration and extortion, often without deploying ransomware. They typically steal sensitive data and then threaten to leak it if a ransom is not paid. While associated with the Conti ransomware ecosystem, Karakurt operates as a distinct data extortion group, frequently targeting organizations that have already been compromised by other ransomware groups or have vulnerabilities exploited by initial access brokers.
DagonLocker is a ransomware operation that emerged in late 2022, primarily targeting organizations in critical infrastructure sectors. The group employs a double extortion tactic, encrypting victim data and exfiltrating it for public release if the ransom is not paid. They are known for their custom-developed ransomware strain and sophisticated attack methodologies.
Entropy ransomware is a sophisticated variant that emerged in late 2021, primarily targeting large enterprises for financial gain. It is known for its use of advanced techniques, including bypassing security products and encrypting virtual machines. The group behind Entropy is believed to be highly organized and financially motivated, often engaging in double extortion tactics.
IceFire is a ransomware variant that emerged in late 2022 and gained notoriety for targeting Linux-based ESXi servers. It is known for its speed and efficiency in encrypting virtual machines. The ransomware is written in C and Go, and its operators have demonstrated the ability to adapt their tactics to target different operating systems.
RagnarLocker is a ransomware group that emerged in late 2019, known for its targeted attacks against large enterprises. The group is notable for its use of virtual machines (VMs) to encrypt systems, specifically deploying a Windows XP virtual machine containing the ransomware to evade detection and encrypt files. They also engage in double extortion tactics, exfiltrating sensitive data before encryption and threatening to publish it if the ransom is not paid.
Rook is a ransomware-as-a-service (RaaS) operation that emerged in late 2021. It is believed to be a rebrand or successor to the Babuk ransomware, sharing significant code similarities and operational tactics. Rook operators engage in double extortion, exfiltrating data before encryption and threatening to publish it on their leak site if the ransom is not paid. The group targets organizations across various sectors globally, often exploiting vulnerabilities like Log4Shell or using initial access brokers.
Ranzy Locker is a ransomware-as-a-service (RaaS) operation that emerged in late 2020. It is believed to be a rebrand of the ThunderX ransomware, with which it shares significant code and operational tactics. The group primarily focuses on double extortion, encrypting victim data and exfiltrating it for public release if the ransom is not paid. Ranzy targets organizations across various sectors globally.
Diavol is a ransomware family first observed in mid-2021. It is believed to be operated by a threat actor group that has also been linked to TrickBot and Conti operations, specifically by some researchers suggesting a connection to the TrickBot/Conti ecosystem. Diavol ransomware uses a custom encryption routine that avoids standard Windows CryptoAPI functions, making it more challenging to detect and analyze. It typically encrypts files, appends a custom extension, and drops a ransom note. The group behind Diavol has engaged in double extortion tactics.
HelloKitty, also known as FiveHands, is a ransomware operation that emerged in late 2020. It is known for its sophisticated encryption capabilities and has been linked to attacks against high-profile organizations, including gaming companies and industrial targets. The group often employs double extortion tactics, exfiltrating data before encryption and threatening to publish it if the ransom is not paid. The ransomware executable is typically a 64-bit Windows PE file that encrypts user data, deletes shadow copies, and leaves a ransom note.
OnePercent is a ransomware operation that emerged in late 2020/early 2021, known for its double extortion tactics. The group is believed to be a rebrand or affiliate of the REvil (Sodinokibi) ransomware-as-a-service (RaaS) operation, often deploying its own custom ransomware payload alongside REvil's. They typically exfiltrate sensitive data before encrypting systems and threaten to publish it on their leak site if the ransom is not paid. The group targets a wide range of industries globally.
Prometheus ransomware is a Ransomware-as-a-Service (RaaS) operation that emerged in February 2021. It is believed to be a rebrand or variant of the Thanos ransomware, sharing significant code similarities and operational tactics. The group primarily targets organizations across various sectors, encrypting their data and demanding ransom for decryption, often coupled with data exfiltration for double extortion. Prometheus has been observed to exploit vulnerabilities in public-facing applications and use common initial access vectors like RDP compromise and phishing.
BlackMatter was a ransomware-as-a-service (RaaS) operation that emerged in July 2021. It was widely believed to be a rebrand or successor to the DarkSide and REvil ransomware groups, sharing significant code similarities and operational tactics. The group focused on large enterprises, demanding high ransoms and employing double extortion techniques. BlackMatter claimed to avoid targeting critical infrastructure, healthcare, and government organizations, but this claim was inconsistent with their actual victimology.
Ragnarok is a ransomware group that emerged in early 2020 and is distinct from the similarly named Ragnar Locker profiled above. The group is known for targeted attacks against enterprises, employing a double extortion strategy by exfiltrating sensitive data before encrypting systems and listing non-paying victims on a leak site. It gained early notoriety for deploying its custom ransomware through unpatched Citrix ADC appliances. The operation shut down in August 2021 and released a master decryption key for its victims.
MountLocker is a ransomware-as-a-service (RaaS) operation that emerged in 2020. The group is known for its double extortion tactics, encrypting victim data and exfiltrating it for public release if the ransom is not paid. MountLocker's operations have shown overlap with and evolution into later variants, notably XingLocker, AstroLocker and Quantum Locker, suggesting a continuous or re-branded operation by the same threat actors.
Prolock is a ransomware-as-a-service (RaaS) operation that emerged in late 2019. It is known for its slow and stealthy encryption process, often exfiltrating data before encryption. The group has primarily targeted large enterprises and government entities, employing double extortion tactics. Prolock's operations saw a decline in mid-2021, though remnants and affiliates may still pose a threat.
Avaddon was a Ransomware-as-a-Service (RaaS) operation that emerged in mid-2020. It was known for its aggressive double extortion tactics, encrypting victim data and exfiltrating it for public release if the ransom was not paid. The group operated an affiliate program and targeted a wide range of organizations globally. The group announced its shutdown in June 2021 and released decryption keys for its victims.
Nefilim is a ransomware group that emerged in early 2020, known for its double extortion tactics. The group typically exfiltrates sensitive data before encrypting systems, threatening to leak the data if the ransom is not paid. Nefilim ransomware is believed to be a successor or rebrand of the Nemty ransomware, sharing significant code similarities and operational patterns. They primarily target large enterprises across various sectors.
Pay2Key is a ransomware group that emerged in late 2020, primarily targeting organizations in Israel. The group is known for its relatively fast encryption process and its use of a custom ransomware payload. While its initial activity was focused on Israeli entities, there have been indications of potential expansion beyond this region. The group has been linked to nation-state actors by some researchers due to its specific targeting and operational patterns.
Hades is a ransomware family that emerged in late 2020. It gained notoriety for its targeted attacks against large enterprises, often employing double extortion tactics. The group behind Hades is believed to be highly selective in its targets, focusing on organizations that can pay significant ransoms. The ransomware itself is written in Go and designed to encrypt files on compromised systems, appending a unique extension to them. It also attempts to delete shadow copies and disable recovery features to prevent data restoration.
Netwalker is a sophisticated ransomware-as-a-service (RaaS) operation that emerged in late 2019. It quickly gained notoriety for targeting large enterprises, healthcare organizations, and government entities, often leveraging vulnerabilities in remote access solutions. The group operated an affiliate model, providing its ransomware to partners who would then carry out the attacks. Netwalker was known for its double extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to publish it if the ransom was not paid. Its operations were significantly disrupted in early 2021 through international law enforcement actions.
Maze ransomware, also known as ChaCha, was a highly impactful ransomware operation that emerged in 2019. It was one of the first groups to widely popularize the 'double extortion' tactic, where threat actors not only encrypt data but also exfiltrate it and threaten to publish it if the ransom is not paid. Maze operators were known for their sophisticated tactics, techniques, and procedures (TTPs), often involving extensive network reconnaissance and lateral movement before deploying the ransomware. The group announced its retirement in November 2020, though some affiliates may have transitioned to other ransomware operations.
RobinHood is a ransomware group that emerged in 2019, primarily targeting large enterprises and government entities. The group is known for its manual, hands-on-keyboard operations, often spending considerable time within a victim's network to understand the environment before deploying the ransomware. Their attacks often involve encrypting critical systems and demanding significant ransoms, sometimes in the millions of dollars. The group has been observed using legitimate tools and custom scripts to facilitate their attacks, including disabling security services and exfiltrating data for double extortion.
Chinese threat group targeting ASEAN members and surrounding countries since at least 2005.
Chinese threat group targeting government, defense, financial, and telecom sectors.
Iranian MOIS-linked group targeting telecommunications and travel industries.
Iranian threat group targeting Persian-speaking individuals since 2015.
Suspected Indian threat group targeting Pakistan, China, Nepal, and Afghanistan.
Iranian cyber espionage group targeting oil & gas, telecommunications, and aviation.
Iranian hacktivist group targeting Israeli organizations with destructive attacks.
Lebanon-based group coordinating with Iranian MOIS to target Israeli organizations.
Chinese threat group targeting law firms and investment companies.
Russia-based threat group targeting critical infrastructure with TRITON malware.
Russian cyber espionage group targeting NATO countries with persistent phishing campaigns.
North Korean RGB group targeting the cryptocurrency industry, responsible for the 3CX supply chain attack.
Russian GRU Unit 74455 responsible for NotPetya, Olympic Destroyer, and Ukraine power grid attacks.
North Korean financially motivated group targeting banks and cryptocurrency exchanges.
Russian-nexus threat actor targeting Ukraine and Georgia with Saint Bot and OutSteel.
Russian FSB Center 18 group targeting Ukrainian military, law enforcement, and government.
Russian GRU Unit 29155 group responsible for WhisperGate attacks against Ukraine.
Russian cyber espionage group targeting energy sector in US and Europe.
Ransomware group active since 2021 targeting US critical infrastructure.
Operators of REvil Ransomware-as-a-Service since 2018.
Financially motivated group affiliated with multiple RaaS variants including LockBit and Embargo.
Ransomware group active since 2024.
Operators of Qilin Ransomware-as-a-Service since 2022.
Nokoyawa, also tracked as Bashful Scorpius, is a ransomware group that first emerged in February 2022. It operates under a ransomware-as-a-service (RaaS) model and employs a multi-extortion strategy, threatening to leak stolen data if the ransom is not paid. Analysis of their ransomware code indicates significant reuse of functions and code structures from the leaked Babuk ransomware source code, suggesting either a direct evolution or a group leveraging readily available, effective codebases. Some researchers hypothesize a potential lineage or connection to the Nemty and Karma ransomware operations, given code similarities and operational patterns. Their primary objective is financial gain through data encryption and exfiltration.
Pakistani threat group targeting Indian and Afghan government personnel.
Russian GRU Unit 26165 threat group targeting government, military, and security organizations globally.
Ransomware group targeting Microsoft SQL servers.
Türkiye-linked threat actor performing DNS hijacking and espionage operations.
PRC state-backed actor compromising US telecommunication and ISP infrastructure since 2019.
Chinese threat group active since 2009 targeting technology, manufacturing, human rights, government, and medical sectors.
Suspected South Korean group targeting North Korea, China, Japan, and Russia.
Chinese threat group targeting Russia, Belarus, and Mongolia.
Chinese threat group attributed to PLA Unit 61398, targeting various industries globally.
China-based cyber threat group targeting financial, economic, and trade policy organizations using PoisonIvy and custom backdoors.
Iranian MOIS-linked threat actor conducting ransomware and wiper operations against Israel.
Chinese threat group targeting individuals associated with US elections and international affairs.
Chinese group responsible for Operation Aurora, targeting defense and NGOs.
Chinese threat group targeting media outlets, high-tech companies, and governments.
South American espionage group targeting Colombian government and financial sector.
Vietnamese threat group targeting foreign governments, dissidents, and journalists.
South Asian threat group targeting government, energy, and engineering sectors in China and Pakistan.
Chinese cyber espionage group targeting Singapore organizations including SingHealth.
Chinese threat group targeting US government, defense, law firms, IT, and mining companies.
Suspected pro-Indian cyber espionage group targeting diplomatic and government agencies.
Iranian IRGC-IO group conducting surveillance and credential harvesting against dissidents and journalists.
Chinese MSS-linked group targeting managed service providers.
Chinese state-sponsored group targeting South Korea, Japan, Taiwan, and the US.
Prominent RaaS operation responsible for major attacks including Kaseya.
Lebanese threat group motivated by political and ideological interests since 2012.
Cyberespionage campaign targeting Middle Eastern countries.
Threat group targeting government and military in South Asia.
Threat group targeting Taiwan, Philippines, and Hong Kong government and healthcare.
Iranian threat group targeting government, defense, and academic institutions.
Threat group targeting government, military, and journalists globally.
Threat group targeting business executives via hotel WiFi networks.
Sophisticated threat group targeting government and military in Europe and Asia.
Suspected Chinese cyber espionage group targeting government, education, and telecom in Southeast Asia and Australia.
Chinese espionage group targeting satellite communications, telecoms, and defense contractors.
Chinese cyber espionage group targeting aerospace, defense, government, manufacturing, and media sectors.
Chinese threat group targeting aerospace, government, defense, technology, energy, and manufacturing.
Chinese cyber espionage group targeting Ministries of Foreign Affairs and telecom companies in Africa and the Middle East.
Suspected Iranian group targeting Syrian opposition via spearphishing.
Cyber espionage group active since 2014 targeting Russia and global organizations.
Threat group targeting airlines with IATA-themed spearphishing.
Iranian threat group targeting government and business in the Middle East.
Threat group targeting government and military in Southeast Asia.
Chinese APT targeting government entities in Southeast Asia.
China-based threat group active since at least 2014.
Ransomware group operating Medusa ransomware since 2021.
Chinese threat group targeting healthcare, defense, aerospace, and government.
Sophisticated threat group targeting telecommunications and universities.
Iranian group conducting hack-and-leak operations against US organizations.