body-backgroundbody-background

Epiphany Monitored Threat Actors: 304

The Epiphany Intelligence Platorm monitors all major cybercrime groups and their 1143 aliases as of June 18th, 2024. The Epiphany Intelligence Platform's threat actor data set is updated daily.

Search for names, descriptions and alias containing:

world map

AdGholas

(No description available for this threat actor)



Aliases:


References:
1 2 3 

Animal Farm

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Syria, United States, Netherlands, Russia, Spain, Iran, China, Germany, Algeria, Norway, Malaysia, Turkey, United Kingdom, Ivory Coast, Greece

Aliases:
ATK8, Snowglobe

References:
1 2 

Antlion

Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.



Target Industries:
Financial

Target Countries:
Taiwan

Aliases:


References:
1 

APT-C-36

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.


Goals:
Espionage

Target Industries:
Petroleum, Manufacturing, Financial, Private sector, Government

Target Countries:
Ecuador, Colombia, Spain, Panama, Chile

Aliases:
Blind Eagle

References:
1 

APT-K-47

Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.



Aliases:


References:
1 

APT-Q-27

(No description available for this threat actor)



Aliases:


References:
1 

APT.3102

(No description available for this threat actor)



Aliases:


References:
1 

APT16

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, Taiwan

Aliases:
G0023, SVCMONDR

References:
1 2 3 

APT19

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States

Aliases:
Black Vine, BRONZE FIRESTONE, C0d0so0, Codoso, Codoso Team, DEEP PANDA, G0009, G0073, Group 13, KungFu Kittens, PinkPanther, Pupa, Shell Crew, Sunshop Group, TEMP.Avengers, WebMasters

References:
1 2 3 4 

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.


Goals:
Espionage

Target Industries:
Government

Target Countries:
United States, South Korea, Saudi Arabia, Thailand, Vietnam, Malaysia, India

Aliases:
G0013, Raspberry Typhoon

APT35

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive operations to collect intelligence, dating back as early as 2014. The group typically targets U.S. and the Middle Eastern military, as well as other organizations with government personnel, via complex social engineering campaigns.



Aliases:
Ajax Security Team, Cobalt Gypsy, COBALT MIRAGE, G0059, Magic Hound, Mint Sandstorm, Newscaster, Newscaster Team, Operation Saffron Rose, Operation Woolen-Goldfish, Phosphorus, Rocket Kitten, TunnelVision

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

Aquatic Panda

Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated ...more



Target Industries:
Gambling companies, Government Institutions, Education, Media and Entertainment, Pro-democracy and human rights political organizations, Telecommunications, Religious organization, Cryptocurrency, Medical, Covid-19 research organizations

Target Countries:
Australia, China, France, Germany, Hong Kong, Japan, Mongolia, Nepal, Nigeria, Philippines, Taiwan, Thailand, United Arab Emirates, United States, Vietnam

Aliases:
BountyGlad, BRONZE UNIVERSITY, Charcoal Typhoon, CHROMIUM, ControlX, FISHMONGER, Red Dev 10, Red Scylla, RedHotel, TAG-22

References:
1 2 3 

Aquatic Werewolf

(No description available for this threat actor)



Aliases:


References:
1 

Aurora Panda

Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. Though both this group and Winnti Group use the malware Winnti for Windows, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States, Netherlands, Italy, Japan, United Kingdom, Belgium, Russia, Indonesia, Germany, Switzerland, China

Aliases:
APT17, Axiom, BRONZE KEYSTONE, DeputyDog, Dogfish, G0001, G0025, Group 72, Group 8, HELIUM, Hidden Lynx, Tailgater Team

References:
1 2 3 4 5 

BackdoorDiplomacy

An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.



Target Industries:
Government, Telecomms

Target Countries:
Libya, Namibia, Sudan, Albania, Croatia, Georgia, Poland, Iran, Qatar, Saudi Arabia, Sri Lanka, Uzbekistan

Aliases:
BackDip, CloudComputating, Quarian

References:
1 2 3 

Bahamut

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.



Aliases:
Windshift

References:
1 

Berserk Bear

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Hungary, Belarus

Aliases:
Anger Bear, Dragonfly 2.0, DYMALLOY, IRON LIBERTY, IRON LYRIC, Team Bear, TeamSpy

References:
1 2 3 4 5 

Bitter

The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.



Target Countries:
Germany

Aliases:
APT-C-08, Orange Yali, T-APT-17

References:
1 2 3 4 5 6 7 8 9 10 

Black Kingdom

(No description available for this threat actor)



Aliases:


References:
1 

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.



Aliases:
G0063

References:
1 2 

Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.



Aliases:


References:
1 2 3 4 

Blue Termite

Blue Termite is a group of suspected Chinese origin active in Japan.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Japan

Aliases:
Cloudy Omega, Emdivi

References:
1 

BRONZE STARLIGHT

BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites.
CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on
...more



Aliases:
Cinnamon Tempest, DEV-0401, Emperor Dragonfly, SLIME34

References:
1 2 

BuhTrap

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.
From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not
...more



Aliases:


References:
1 2 3 4 

BunseTech

(No description available for this threat actor)



Aliases:


References:
1 

Cadet Blizzard

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.


Goals:
Sabotage

Target Countries:
Ukraine

Aliases:
Ruinous Ursa

References:
1 2 

Calypso

For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, ...more



Aliases:
BRONZE MEDLEY

References:
1 2 3 

Candiru

Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.



Aliases:
SOURGUM

References:
1 2 3 4 5 6 7 8 

Carbon Spider

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.



Aliases:
ATK32, Calcium, Carbanak, Coreid, ELBRUS, FIN7, G0008, G0046, GOLD NIAGARA, Sangria Tempest

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Careto

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.
The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules.
More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask”
...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Morocco, France, Libya, Venezuela, Poland, Brazil, Spain, United States, South Africa, Tunisia, United Kingdom, Switzerland, Iran, Germany

Aliases:
Mask, The Mask, Ugly Face

References:
1 2 

ChamelGang

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.



Target Industries:
Aviation, Energy

Target Countries:
India, Japan, Nepal, Russia, Taiwan, US

Aliases:


References:
1 2 

Charming Kitten

Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with ...more



Aliases:
Mint Sandstorm

References:
1 2 3 4 5 6 

CHERNOVITE

Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.



Aliases:


References:
1 2 3 4 

China Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 

Circuit Panda

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.



Aliases:
BlackTech, Earth Hundun, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, Temp.Overboard

References:
1 2 3 4 5 6 7 8 

Cloud Werewolf

(No description available for this threat actor)



Aliases:


References:
1 2 

Cobalt Spider

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use ...more



Aliases:
Cobalt Gang, Cobalt Group, G0080, GOLD KINGSWOOD, Mule Libra

References:
1 2 3 4 5 6 7 

Cobalt Werewolf

(No description available for this threat actor)



Aliases:


References:
1 

Colourful Panda

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic ...more



Aliases:
BRONZE DUDLEY

References:
1 2 3 4 5 

Comment Panda

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Taiwan, Israel, Norway, United Arab Emirates, United Kingdom, Singapore, India, Belgium, South Africa, Switzerland, Canada, France, Luxembourg, Japan

Aliases:
APT1, Brown Fox, Byzantine Candor, Comment Crew, Comment Group, G0006, GIF89a, Group 3, PLA Unit 61398, ShadyRAT, TG-8223

References:
1 2 

Common Raven

Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.



Aliases:
DESKTOP-GROUP, NXSMS, OPERA1ER

References:
1 

Cosmic Wolf

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that ...more



Target Countries:
Germany

Aliases:
Marbled Dust, SILICON, Teal Kurma, UNC1326

References:
1 2 3 

CosmicBeetle

(No description available for this threat actor)



Aliases:


References:
1 2 

Cozy Bear

APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, China, New Zealand, Ukraine, Romania, Georgia, Japan, South Korea, Belgium, Kazakhstan, Brazil, Mexico, Turkey, Portugal, India, Germany

Aliases:
APT29, ATK7, Blue Kitsune, BlueBravo, Cloaked Ursa, CozyDuke, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Midnight Blizzard, Minidionis, Nobelium, SeaDuke, TA421, The Dukes, UAC-0029, YTTRIUM

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

Cyber Av3ngers

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.



Aliases:


References:
1 2 3 

Cytrox

(No description available for this threat actor)



Aliases:


References:
1 

Dagger Panda

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
South Korea, United States, Japan, Germany, China

Aliases:
IceFog, PLA Unit 69010, Red Wendigo, RedFoxtrot, Trident

References:
1 2 

Dalbit

The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.



Aliases:


References:
1 2 

Danti

(No description available for this threat actor)



Aliases:


References:
1 2 

Dark Pink

(No description available for this threat actor)



Aliases:


References:
1 2 

Dark River

(No description available for this threat actor)



Aliases:


References:
1 

DarkCasino

DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.



Aliases:


References:
1 2 3 

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.



Aliases:
G0079, LazyMeerkat, Obscure Serpens

References:
1 

DarkMe

(No description available for this threat actor)



Aliases:


References:
1 

Deadeye Jackal

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense ...more



Aliases:
SEA, SyrianElectronicArmy

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to Deep Panda. This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. Some analysts track Deep Panda and APT19 as the same group, but ...more



Aliases:
Black Vine, KungFu Kittens, PinkPanther, Shell Crew, WebMasters

References:
1 2 3 4 5 6 7 

Denim Tsunami

Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the ...more



Aliases:
DSIRF, KNOTWEED

References:
1 2 3 

DEV-0322

One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.



Aliases:
Circle Typhoon

References:
1 2 3 4 5 6 

DEV-0365

(No description available for this threat actor)



Aliases:


References:
1 

DEV-0413

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD ...more



Aliases:
Exotic Lilly

References:
1 2 3 4 

DEV-0671

(No description available for this threat actor)



Aliases:


References:
1 2 

DEV-0978

ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.



Target Countries:
Germany

Aliases:
Storm-0978

References:
1 2 3 4 5 6 7 8 9 

Doppel Spider

In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike ...more



Aliases:
GOLD HERON

References:
1 

DragonOK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States

Aliases:
BRONZE OVERBROOK, G0002, G0017, Moafee, Shallow Taurus

References:
1 2 3 

DriftingCloud

DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.



Aliases:


References:
1 2 

Ducktail

(No description available for this threat actor)



Aliases:


References:
1 

Duqu

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Military, Government, Private sector

Target Countries:
Iran, Sudan

Aliases:
Duqu Group

References:
1 

Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.



Aliases:
G0031

References:
1 2 3 

Dynamite Panda

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States

Aliases:
APT18, G0026, PLA Navy, SCANDIUM, TG-0416, Threat Group-0416, Wekby

References:
1 2 3 

Earth Kitsune

Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.



Aliases:


References:
1 

Earth Krahang

Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to ...more



Aliases:


References:
1 2 

Earth Yako

Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL ...more



Aliases:
Enelink, Operation RestyLink

References:
1 

Ember Bear

A group targeting UA state organizations using the GraphSteel and GrimPlant malware.



Aliases:
DEV-0587, FROZENVISTA, Nascent Ursa, Nodaria, Saint Bear, Storm-0587, TA471, UAC-0056, UNC2589

References:
1 2 

Emissary Panda

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, United Kingdom, France, Japan, Taiwan, India, Canada, China, Thailand, Israel, Australia, Republic of Korea, Russia, Iran, Turkey

Aliases:
APT27, BRONZE UNION, Budworm, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Iron Tiger, Lucky Mouse, LuckyMouse, Red Phoenix, TEMP.Hippo, TG-3390, Threat Group-3390, ZipToken

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

Energetic Bear

Dragonfly Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.

A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these
...more


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Germany, Turkey, China, Spain, France, Ireland, Japan, Italy, Poland

Aliases:
ALLANITE, ATK6, BERSERK BEAR, Blue Kraken, BROMINE, CASTLE, Crouching Yeti, Dragonfly, DYMALLOY, G0035, Ghost Blizzard, Group 24, Havex, IRON LIBERTY, ITG15, Koala Team, TG-4192

References:
1 2 3 4 5 

Equation Group

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Iran, Afghanistan, Syria, Yemen, Kenya, Russia, India, Mali, Algeria, United Kingdom, Pakistan, China, Lebanon, United Arab Emirates, Libya

Aliases:
EQGRP, Equation, G0020, Tilded Team

References:
1 2 3 4 5 6 7 8 

ERYTHRITE

(No description available for this threat actor)



Aliases:

Ethereal Panda

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally ...more



Aliases:
Flax Typhoon, Storm-0919

Evilnum

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from ...more



Aliases:
DeathStalker, Jointworm, KNOCKOUT SPIDER, TA4563

References:
1 2 3 

Exodus Intelligence

(No description available for this threat actor)



Aliases:


References:
1 

FamousSparrow

(No description available for this threat actor)



Aliases:


References:
1 

Fancy Bear

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit
...more


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Georgia, France, Jordan, United States, Hungary, World Anti-Doping Agency, Armenia, Tajikistan, Japan, NATO, Ukraine, Belgium, Pakistan, Asia Pacific Economic Cooperation, International Association of Athletics Federations, Turkey, Mongolia, OSCE, United Kingdom, Germany, Poland, European Commission, Afghanistan, Kazakhstan, China

Aliases:
APT-C-20, APT28, ATK5, Blue Athena, Fighting Ursa, Forest Blizzard, FROZENLAKE, G0007, Grizzly Steppe, Group 74, IRON TWILIGHT, ITG05, Pawn Storm, PETROVITE, Sednit, SIG40, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, T-APT-12, TA422, TG-4127, Threat Group-4127, Tsar Team, UAC-0028

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

FIN11

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity.(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. ...more



Aliases:
Lace Tempest, TEMP.Warlock, UNC902

References:
1 2 3 4 5 6 

FIN13

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform ...more



Aliases:
Elephant Beetle, TG2003

References:
1 2 

FIN8

FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries.



Aliases:
ATK113, G0061

References:
1 2 

Flax Typhoon

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally ...more



Aliases:
Ethereal Panda, Storm-0919

FruityArmor

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United Arab Emirates, United Kingdom

Aliases:
G0038, Stealth Falcon

References:
1 2 3 4 5 

GALLIUM

Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.



Aliases:
Alloy Taurus, Granite Typhoon, Red Dev 4, Soft Cell

References:
1 

GambleForce

GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.



Aliases:


References:
1 

Gelsemium

The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three ...more



Target Industries:
Government, Electronics Manufacturers, Universities, Religious organization

Target Countries:
North Korea, South Korea, Japan, China, Mongolia, Egypt, Saudi Arabia, Yemen, Oman, Iran, Iraq, Kuwait, Israel, Jordan, Gaza, Syria, Turkey, Lebanon

Aliases:
狼毒草

References:
1 

Ghostwriter

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.



Target Industries:
Government

Target Countries:
Germany, Latvia, Lithuania, Poland, Ukraine

Aliases:
DEV-0257, PUSHCHA, Storm-0257, TA445, UNC1151

References:
1 2 3 4 

Goblin Panda

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage


Goals:
Espionage

Target Industries:
Government

Target Countries:
Malaysia, Indonesia, Philippines, United States, India

Aliases:


References:
1 2 3 4 5 6 7 

Gold Southfield

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.



Aliases:


References:
1 2 3 4 5 

Golden Falcon

As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, ...more



Aliases:


References:
1 

Goldmouse

A threat actor which is ac tive since at least November 2014. This group launched long-term at tacks against organizations in the Syrian region using Android and Windows malwares. Its objective is the theft of sensitive information.



Aliases:
ATK80, Golden RAT

References:
1 

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.



Aliases:
ATK92, G0078, Pasty Gemini, Subaat

References:
1 2 3 

Gothic Panda

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

MITRE has also developed an APT3 Adversary Emulation Plan.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT3, BORON, Boyusec, BRONZE MAYFAIR, Buckeye, Group 6, Pirpi, Red Sylvan, TG-0110, Threat Group-0110, UPS, UPS Team

References:
1 2 3 4 5 

Graceful Spider

TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.



Target Industries:
Education, Finance, Health, Retail, Hospitality

Target Countries:
Australia, Canada, Czech Republic, Germany, Hungary, India, Japan, Romania, Serbia, Singapore, South Korea, Spain, Thailand, Turkey, United Kingdom, United States

Aliases:
ATK103, CHIMBORAZO, Dudear, G0092, GOLD TAHOE, Hive0065, SectorJ04, SectorJ04 Group, Spandex Tempest, TA505

References:
1 2 3 4 5 6 7 8 9 10 11 12 

Grayling

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.



Target Industries:
Biomedical, Government, Information technology

Target Countries:
Taiwan, United States, Vietnam, Solomon Islands

Aliases:


References:
1 

GreyEnergy

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks



Aliases:
KAMACITE

References:
1 2 3 4 

Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.



Aliases:
G0043

References:
1 

GUI-vil

(No description available for this threat actor)



Aliases:


References:
1 

Hacking Team

The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since.
Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.
The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting
...more



Aliases:


References:
1 2 3 4 

HAFNIUM

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by ...more



Aliases:
ATK233, G0125, Operation Exchange Marauder, Red Dev 13, Silk Typhoon

References:
1 2 3 4 5 6 7 8 9 10 

Helix Kitten

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on ...more


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Israel, Kuwait, United States, Turkey, Saudi Arabia, Qatar, Lebanon, Middle East

Aliases:
APT 34, APT34, ATK40, CHRYSENE, Cobalt Gypsy, Crambus, EUROPIUM, Evasive Serpens, G0049, Hazel Sandstorm, IRN2, OilRig, TA452, Twisted Kitten

References:
1 2 3 4 

HEXANE

Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.


Goals:
Espionage

Target Industries:
Government, Energy, High-Tech, Telecomms, Education, Military, Defense

Target Countries:
Israel, Middle East

Aliases:
Chrono Kitten, COBALT LYCEUM, MYSTICDOME, siamesekitten, Spirlin, Storm-0133, UNC1530

Hezb

Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities. The name is after the miner process they deploy.



Aliases:
Mimo

References:
1 

Higaisa

The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, and important news, overseas personnel contact lists and so on. In addition, the attack organization also has the attack capability of the mobile terminal. The targets of the attack also include diplomatic entities related to North Korea (such as embassy officials in various places), ...more



Target Industries:
Government

Target Countries:
China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland

Aliases:


References:
1 

HomeLand Justice

HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.



Aliases:


References:
1 

HookAds

HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of decoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.



Aliases:


References:
1 

Hurricane Panda

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.
HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full
...more



Aliases:


References:
1 2 3 

Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Afghanistan, Armenia, Azerbaijan, Belarus, Belgium, Czech Republic, Greece, India, Iran, Italy, Kazakhstan, Kenya, Malaysia, Russia, South Africa, Suriname, Turkmenistan, Ukraine, United Kingdom, United States, Vietnam

Aliases:
ATK116, Blue Odin, Clean Ursa, Cloud Atlas, G0100, Inception Framework, OXYGEN

References:
1 2 3 4 5 6 7 8 9 10 

Indrik Spider

INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.
In August 2017, a new ransomware variant
...more



Aliases:
Manatee Tempest

References:
1 

Intellexa

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 

Invisimole

Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Ukraine

Aliases:


References:
1 2 

Iran Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 

IronHusky

IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.



Aliases:


References:
1 

ItaDuke

ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.



Aliases:
DarkUniverse, SIG27

References:
1 2 

Judgement Panda

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.



Aliases:
APT31, BRONZE VINEWOOD, JUDGMENT PANDA, Red keres, TA412, Violet Typhoon, ZIRCONIUM

References:
1 2 3 4 5 6 

Kabar Cobra

(No description available for this threat actor)



Aliases:


References:
1 

Karma Panda

Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.



Target Industries:
Military, Government, Private sector

Target Countries:
Eastern Europe, Japan, South Korea, Taiwan, US

Aliases:
BRONZE HUNTLEY, CactusPete, COPPER, Earth Akhlut, G0131, PLA Unit 65017, Red Beifang, TAG-74

References:
1 2 3 4 5 

Kasablanka

The Kasablanka group is a cyber-criminal organization that has
specifically targeted Russia between September and December 2022,
using various payloads delivered through phishing emails containing
socially engineered lnk files, zip packages, and executables attached to
virtual disk image files.



Aliases:


References:
1 

Keyhole Panda

We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has ...more



Aliases:
APT5, BRONZE FLEETWOOD, MANGANESE, Mulberry Typhoon, Poisoned Flight, TEMP.Bottle

References:
1 2 3 4 5 6 

Konni

Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.



Aliases:
Opal Sleet, OSMIUM, Vedalia

References:
1 2 3 

Kryptonite Panda

Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, Hong Kong, The Philippines, Asia Pacific Economic Cooperation, Cambodia, Belgium, Germany, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, United Kingdom

Aliases:
APT40, ATK29, BRONZE MOHAWK, G0065, GADOLINIUM, Gingham Typhoon, ISLANDDREAMS, ITG09, Leviathan, MUDCARP, Red Ladon, TA423, TEMP.Jumper, TEMP.Periscope

References:
1 2 3 4 5 6 7 8 9 

LABRAT

(No description available for this threat actor)



Aliases:


References:
1 

Labyrinth Chollima

Lazarus Group is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. In late 2017, Lazarus ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, BeagleBoyz, Bluenoroff, Bureau 121, Citrine Sleet, COPERNICIUM, COVELLITE, Dark Seoul, DEV-0139, DEV-1222, Diamond Sleet, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Lazarus group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Sapphire Sleet, Stardust Chollima, Subgroup: Bluenoroff, TA404, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 

LAURIONITE

(No description available for this threat actor)



Aliases:


References:
1 

Lone Wolf

(No description available for this threat actor)



Aliases:


References:
1 

Longhorn

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at ...more


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Global

Aliases:
APT-C-39, Lamberts, PLATINUM TERMINAL, the Lamberts

References:
1 2 3 

Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.


Goals:
Espionage

Target Industries:
Military, Government

Target Countries:
Japan, Philippines, Hong Kong, Indonesia, Taiwan, Vietnam

Aliases:
ATK1, BRONZE ELGIN, DRAGONFISH, G0030, Red Salamander, Spring Dragon, ST Group

References:
1 2 3 4 

Luckycat

A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an ...more



Aliases:
TA413, White Dev 9

References:
1 2 3 4 

luoxk

Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.



Aliases:


References:
1 

Magnet Goblin

(No description available for this threat actor)



Aliases:


References:
1 2 

Manic Menagerie

(No description available for this threat actor)



Aliases:


References:
1 2 

ModifiedElephant

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.



Target Industries:
Civil Society

Aliases:


References:
1 

Molerats

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.


Goals:
Espionage

Target Industries:
Government, Defense, Energy, Finance, Healthcare, Pharmaceuticals, Education, Media, NGOs, Civil Society, Legal, Military

Target Countries:
United States, Israel, Palestine, Middle East, Europe

Aliases:
ALUMINUM SARATOGA, BLACKSTEM, Extreme Jackal, G0021, Gaza Cybergang, Gaza Hackers Team, Moonlight, Operation Molerats

References:
1 

MosesStaff

Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.



Aliases:
DEV-0500, Marigold Sandstorm, Moses Staff

References:
1 

MoustachedBouncer

MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Europe, Eastern Europe, South Asia, Northeast Africa

Aliases:


References:
1 

Mustang Panda

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.
In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this
...more


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United States, Germany

Aliases:
BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon

References:
1 2 

Mysterious Elephant

(No description available for this threat actor)



Aliases:


References:
1 

Mysterious Werewolf

(No description available for this threat actor)



Aliases:


References:
1 2 3 

Mythic Leopard

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.



Target Industries:
Civil society, Military, Government

Aliases:
APT 36, APT36, C-Major, COPPER FIELDSTONE, Earth Karkaddan, Green Havildar, ProjectM, TMP.Lapis, Transparent Tribe

References:
1 2 3 4 

Naikon

Naikon is a threat group that has focused on targets around the South China Sea. The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau(Military Unit Cover Designator 78020). While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
India, Saudi Arabia, Vietnam, Myanmar, Singapore, Thailand, Malaysia, Cambodia, China, Philippines, South Korea, United States, Indonesia, Laos

Aliases:
BRONZE GENEVA, BRONZE STERLING, Camerashy, G0013, G0019, OVERRIDE PANDA, PLA Unit 78020

References:
1 2 

Narwhal Spider

NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.



Aliases:
GOLD ESSEX, TA544

References:
1 

Nemesis Kitten

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.



Aliases:
BENTONITE, DEV-0270, Storm-0270

References:
1 2 3 4 5 6 7 

NEODYMIUM

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.



Aliases:
G0055

References:
1 

NetTraveler

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Mongolia, Kazakhstan, Tajikistan, Germany, United Kingdom, India, Kyrgyzstan, South Korea, United States, Chile, Russia, China, Spain, Canada, Morocco

Aliases:
APT21, HAMMER PANDA, TEMP.Zhenbao

References:
1 

Nexus Zeta

Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.



Aliases:


References:
1 2 

Nomad Panda

In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.



Aliases:


References:
1 2 

North Korea Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 

NOTROBIN

Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.



Aliases:


References:
1 

NSO Group

(No description available for this threat actor)



Aliases:
Night Tsunami

References:
1 2 3 4 5 6 

Numbered Panda

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Taiwan, Japan

Aliases:
APT12, BeeBus, BRONZE GLOBE, Calc Team, Crimson Iron, DNSCALC, DynCalc, Group 22, IXESHE, TG-2754

References:
1 2 

Ocean Buffalo

APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
China, Germany, United States, Vietnam, Philippines, Association of Southeast Asian Nations

Aliases:
APT 32, APT-32, APT-C-00, APT32, ATK17, BISMUTH, Canvas Cyclone, Cobalt Kitty, G0050, Ocean Lotus, OceanLotus, OceanLotus Group, POND LOACH, Sea Lotus, SeaLotus, TIN WOODLAWN

References:
1 2 3 4 5 

Operation Shadow Tiger

(No description available for this threat actor)



Aliases:


References:
1 

Override Panda

Naikon is a threat group that has focused on targets around the South China Sea. The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau(Military Unit Cover Designator 78020). While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
India, Saudi Arabia, Vietnam, Myanmar, Singapore, Thailand, Malaysia, Cambodia, China, Philippines, South Korea, United States, Indonesia, Laos

Aliases:
BRONZE GENEVA, BRONZE STERLING, Camerashy, G0013, G0019, Naikon, PLA Unit 78020

References:
1 2 

PhantomCore

(No description available for this threat actor)



Aliases:


References:
1 

Pinchy Spider

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.
CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration
...more



Aliases:


References:
1 2 3 4 5 6 

Pioneer Kitten

PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. They are widely known to use open source penetration testing tools for ...more



Aliases:
Lemon Sandstorm, PARISITE, RUBIDIUM, UNC757

References:
1 2 3 4 5 6 7 8 

Pirate Panda

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.



Aliases:
APT23, BRONZE HOBART, Earth Centaur, G0081, KeyBoy, Red Orthrus, Tropic Trooper

References:
1 2 3 4 

Pitty Panda

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.



Aliases:
APT24, G0011, PittyTiger, Temp.Pittytiger

References:
1 2 3 4 

PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.



Aliases:
ATK33, G0068, TwoForOne

References:
1 2 

POISON CARP

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.



Aliases:
Earth Empusa, Evil Eye, Red Dev 16

References:
1 

Poison Needles

What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art.
Since it is the first detection of this APT attack by 360
...more



Aliases:


References:
1 

Polonium

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.


Goals:
Espionage

Target Industries:
Critical manufacturing, Defense industrial base, Financial services, Food and agriculture, Government agencies and services, Healthcare, Pharmaceuticals, Information technology, Transportation systems, NGOs, Civil Society, Military, Defense

Target Countries:
Israel

Aliases:
GREATRIFT, Plaid Rain, UNC4453

References:
1 

PowerFall

(No description available for this threat actor)



Aliases:


References:
1 

PowerPool

Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.

A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.

More specifically, the problem is with the SchRpcSetSecurity API function, which fails
...more



Aliases:
IAmTheKing

References:
1 

Primitive Bear

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.



Target Industries:
Government

Target Countries:
Ukraine, Germany

Aliases:
ACTINIUM, Aqua Blizzard, Blue Otso, BlueAlpha, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Shuckworm, Trident Ursa, UAC-0010, Winterflounder

References:
1 2 3 4 5 

PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.



Aliases:
G0056, StrongPity

References:
1 

Prophet Spider

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.



Aliases:
GOLD MELODY, UNC961

References:
1 2 3 4 5 6 7 8 9 10 11 

Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
U.S. satellite and aerospace sector

Aliases:
4HCrew, APT2, G0024, MSUpdater, PLA Unit 61486, SearchFire, SULPHUR, TG-6952

References:
1 2 

PuzzleMaker

(No description available for this threat actor)



Aliases:


References:
1 

Quilted Tiger

Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
Bangladesh, Sri Lanka, Pakistan

Aliases:
APT-C-09, ATK11, Chinastrats, Dropping Elephant, G0040, Hangover Group, Monsoon, Operation Hangover, Orange Athos, Patchwork, Sarit, Thirsty Gemini, ZINC EMERSON

References:
1 2 3 4 5 6 7 8 9 10 

Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents.


Goals:
Espionage

Target Industries:
Government, Civil society

Target Countries:
Singapore, Cambodia

Aliases:
G0075, Rancor Group, Rancor Taurus

References:
1 2 

RASPITE

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.



Aliases:
Leafminer

References:
1 

Razor Tiger

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.



Aliases:
APT-C-17, Rattlesnake, SideWinder, T-APT-04

References:
1 2 3 4 5 6 7 8 

Red Menshen

Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and ...more



Target Industries:
Government, Education, Logistics

Target Countries:
Middle East, Asia

Aliases:
Red Dev 18

References:
1 

RedAlpha

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.



Aliases:
DeepCliff, Red Dev 3

References:
1 

Refined Kitten

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, Saudi Arabia, South Korea

Aliases:
APT 33, APT33, ATK35, COBALT TRINITY, Elfin, G0064, HOLMIUM, MAGNALLIUM, Peach Sandstorm, TA451

References:
1 2 3 

Returned Libra

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.



Aliases:
8220 Mining Group

References:
1 2 3 4 5 6 7 8 9 

Ricochet Chollima

APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018.

North
...more



Target Industries:
Government, Private sector

Target Countries:
Republic of Korea, Japan, Vietnam

Aliases:
APT 37, APT37, ATK4, G0067, Group 123, Group123, InkySquid, Moldy Pisces, Operation Daybreak, Operation Erebus, Reaper, Reaper Group, Red Eyes, ScarCruft, TEMP.Reaper, Venus 121

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 

Roaming Tiger

(No description available for this threat actor)



Aliases:
BRONZE WOODLAND, Rotten Tomato

References:
1 2 

Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.



Aliases:
Aged Libra

References:
1 2 

Rocket Kitten

Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Saudi Arabia, Venezuela, Afghanistan, United Arab Emirates, Iran, Israel, Iraq, Kuwait, Turkey, Canada, Yemen, United Kingdom, Egypt, Syria, Jordan

Aliases:
Operation Woolen Goldfish, Operation Woolen-Goldfish, TEMP.Beanie, Thamar Reservoir, Timberworm

References:
1 

Russia Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 11 12 13 

Saaiwc Group

(No description available for this threat actor)



Aliases:


References:
1 2 

Samurai Panda

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT4, BRONZE EDISON, MAVERICK PANDA, PLA Navy, Salmon Typhoon, SODIUM

References:
1 2 

Sandcat

SandCat, on the other hand, is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier this year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of ...more



Aliases:


References:
1 2 

Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.



Aliases:
G0029, Golfing Taurus

References:
1 

Scattered Spider

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing,
...more



Aliases:
0ktapus, DEV-0971, Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Scattered Swine, Starfraud, Storm-0971, UNC3944

References:
1 2 3 4 

Sea Turtle

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that ...more



Target Countries:
Germany

Aliases:
COSMIC WOLF, Marbled Dust, SILICON, Teal Kurma, UNC1326

References:
1 2 3 

SectorB01

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 

SectorB83

(No description available for this threat actor)



Aliases:


References:
1 

SectorJ131

(No description available for this threat actor)



Aliases:


References:
1 2 3 

SectorJ132

(No description available for this threat actor)



Aliases:


References:
1 

Shadow Crane

Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi‑Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, Russia, Taiwan, South Korea, China

Aliases:
APT-C-06, ATK52, Darkhotel, DUBNIUM, Fallout Team, G0012, Karba, Luder, Nemim, Nemin, Pioneer, SIG25, T-APT-02, Tapaoux, TUNGSTEN BRIDGE, Zigzag Hail

References:
1 2 3 4 5 6 7 8 9 

Shadow Network

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian ...more



Aliases:


References:
1 

Shadow Wolf

(No description available for this threat actor)



Aliases:


References:
1 

SideCopy

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.



Aliases:


References:
1 2 3 4 5 

Silent Chollima

Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.



Aliases:
Andariel, GOP, Guardian of Peace, Onyx Sleet, OperationTroy, PLUTONIUM, Subgroup: Andariel, WHOis Team

References:
1 2 3 4 5 6 7 8 9 10 11 12 

SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.



Aliases:


References:
1 2 

Skeleton Spider

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.



Aliases:
ATK88, Camouflage Tempest, FIN6, G0037, GOLD FRANKLIN, ITG08, Magecart Group 6, White Giant

References:
1 

Slayer Kitten

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Israel, Jordan, Saudi Arabia, Germany, United States

Aliases:
CopyKittens, G0052

References:
1 

Slingshot

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.
While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the
...more



Aliases:


References:
1 2 

Slippy Spider

An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.



Aliases:
DEV-0537, LAPSUS$, Strawberry Tempest

References:
1 2 3 

SnapMC

(No description available for this threat actor)



Aliases:


References:
1 

Sneaky Panda

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.


Goals:
Espionage

Target Industries:
Private sector, Civil society

Target Countries:
United States, Canada, United Kingdom, Switzerland, Hong Kong, Australia, India, Taiwan, China, Denmark

Aliases:
Beijing Group, Elderwood, Elderwood Gang, G0066, SIG22

References:
1 

Sourgum

(No description available for this threat actor)



Aliases:


References:
1 

Space Pirates

Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.



Aliases:


References:
1 

SparklingGoblin

ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.



Aliases:


References:
1 2 3 

Sprite Spider

GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) ...more



Aliases:


References:
1 

Stalker Panda

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, China, Korea (Republic of), Russian Federation

Aliases:
BRONZE BUTLER, G0060, Nian, PLA Unit 61419, REDBALDKNIGHT, Stalker Taurus, Tick

References:
1 2 3 4 5 6 7 8 9 10 

Stardust Chollima

APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some
...more



Aliases:
APT38, Sapphire Sleet

References:
1 

Static Kitten

MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to FIN7, but the group is believed to be a distinct group possibly motivated by espionage.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Saudi Arabia, Georgia, Turkey, Iraq, Israel, India, United Arab Emirates, Pakistan, United States

Aliases:
ATK51, Boggy Serpens, COBALT ULSTER, Earth Vetala, G0069, Mango Sandstorm, MERCURY, MuddyWater, Seedworm, TA450, TEMP.Zagros

References:
1 2 3 4 5 6 7 8 9 10 11 12 

STIBNITE

(No description available for this threat actor)



Aliases:

Stone Panda

menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Japan, India, South Africa, South Korea, Sweden, United States, Canada, Australia, France, Finland, United Kingdom, Brazil, Thailand, Switzerland, Norway

Aliases:
APT10, ATK41, BRONZE RIVERSIDE, Cloud Hopper, CVNX, G0045, Granite Taurus, happyyongzi, HOGFISH, menuPass, Menupass Team, POTASSIUM, Red Apollo, STONE PANDAD, TA429

References:
1 2 

Storm-0062

The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.



Aliases:
DarkShadow, Oro0lxy

References:
1 

Storm-0324

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.



Aliases:
DEV-0324, Sagrid, TA543

References:
1 2 

SturgeonPhisher

(No description available for this threat actor)



Aliases:


References:
1 

Subzero

(No description available for this threat actor)



Aliases:
Denim Tsunami

References:
1 2 3 

Suckfly

Suckfly is a China-based threat group that has been active since at least 2014.



Aliases:
APT22, BRONZE OLIVE, G0039, Group 46

References:
1 2 

Sweed

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.
SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these
...more



Aliases:


References:
1 

TA410

Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing ...more



Aliases:
TALONITE

References:
1 2 3 

TA428

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic ...more



Aliases:
BRONZE DUDLEY, Colourful Panda

References:
1 2 3 4 5 

TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.



Aliases:
G0062

References:
1 

TA558

Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 ...more



Aliases:


References:
1 

TA577

TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.



Aliases:
Hive0118

References:
1 

TA578

TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.



Aliases:


References:
1 

TA579

TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.



Aliases:


References:
1 

Taidoor

Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government.



Aliases:
Earth Aughisky, G0015

References:
1 2 

temp.hermit

(No description available for this threat actor)



Aliases:


References:
1 

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.



Aliases:
ATK91, G0088, Xenotime

References:
1 2 3 4 

Temper Panda

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Hong Kong, United States

Aliases:
Admin338, admin@338, G0018, MAGNESIUM, Team338

References:
1 2 

The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.



Aliases:


References:
1 

ToddyCat

ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. There is still little information about this actor, but its main distinctive signs are two formerly unknown tools that Kaspersky call ‘Samurai backdoor’ and ‘Ninja Trojan’.



Target Industries:
Military, Government

Target Countries:
Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Taiwan, Thailand, United Kingdom, Uzbekistan, Vietnam

Aliases:
Websiic

References:
1 

Tortilla

(No description available for this threat actor)



Aliases:


References:
1 2 

Toxic Panda

A group targeting dissident groups in China and at the boundaries.



Aliases:


References:
1 

TunnelSnake

The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in ...more



Aliases:


References:
1 

Turbine Panda

(No description available for this threat actor)



Aliases:
APT26, BRONZE EXPRESS, JerseyMikes, TECHNETIUM

References:
1 

Turkey Attribution

(No description available for this threat actor)



Aliases:


References:
1 

UAC-0027

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 

UAC-0097

(No description available for this threat actor)



Aliases:


References:
1 

UAC-0098

(No description available for this threat actor)



Aliases:


References:
1 2 

UAC-0099

UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.



Aliases:


References:
1 

UAC-0144

A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime ...more


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
France, Romania, Kazakhstan, Poland, Tajikistan, Russia, United States, Saudi Arabia, Germany, India, Belarus, Netherlands, Iran, Uzbekistan, Iraq

Aliases:
ATK13, Blue Python, G0010, Group 88, Hippo Team, IRON HUNTER, ITG12, KRYPTON, MAKERSMARK, Pacifier APT, Pfinet, Popeye, Secret Blizzard, SIG23, Snake, SUMMIT, TAG_0530, UAC-0003, UAC-0024, UNC4210, Uroburos, VENOMOUS Bear, Waterbug, WRAITH

References:
1 2 3 4 

UAC-0149

UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.



Aliases:


References:
1 

UAT4356

(No description available for this threat actor)



Aliases:


References:
1 

Unattributed

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 

UNC215

UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, ...more



Aliases:


References:
1 

UNC2198

(No description available for this threat actor)



Aliases:


References:
1 

UNC2448

(No description available for this threat actor)



Aliases:


References:
1 

UNC2596

(No description available for this threat actor)



Aliases:


References:
1 2 3 

UNC2630

UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing's strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.



Aliases:
KOSTOVITE

References:
1 2 3 4 

UNC2659

UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.



Aliases:


References:
1 

UNC2682

(No description available for this threat actor)



Aliases:


References:
1 

UNC2717

UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual property. They have targeted global government agencies using malware such as HARDPULSE, QUIETPULSE, ...more



Aliases:


References:
1 2 

UNC2970

(No description available for this threat actor)



Aliases:


References:
1 

UNC2975

(No description available for this threat actor)



Aliases:


References:
1 

UNC2980

(No description available for this threat actor)



Aliases:


References:
1 

UNC3347

(No description available for this threat actor)



Aliases:


References:
1 2 3 

UNC3658

(No description available for this threat actor)



Aliases:


References:
1 

UNC3661

(No description available for this threat actor)



Aliases:


References:
1 

UNC3711

(No description available for this threat actor)



Aliases:


References:
1 

UNC3762

(No description available for this threat actor)



Aliases:


References:
1 

UNC3784

(No description available for this threat actor)



Aliases:


References:
1 

UNC3810

(No description available for this threat actor)



Aliases:


References:
1 

UNC3819

(No description available for this threat actor)



Aliases:


References:
1 2 

UNC3886

UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating ...more



Aliases:


References:
1 2 3 4 5 6 7 8 9 

UNC3905

(No description available for this threat actor)



Aliases:


References:
1 

UNC4841

UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 11 

UNC5085

(No description available for this threat actor)



Aliases:


References:
1 

UNC5174

UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. UNC5174 is believed to have connections to China's Ministry of State Security and has been observed using custom tooling and the SUPERSHELL framework in their operations. The ...more



Aliases:
Uteus

References:
1 

UNC5325

UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with ...more



Aliases:


References:
1 2 

UNC5330

(No description available for this threat actor)



Aliases:


References:
1 

UNC5337

UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence ...more



Aliases:


References:
1 

UTA0178

While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on ...more



Target Countries:
Germany

Aliases:
Red Dev 61, UNC5221

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

UTA0188

(No description available for this threat actor)



Aliases:


References:
1 2 

VANADINITE

(No description available for this threat actor)



Aliases:


References:
1 

Vanguard Panda

[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

[Secureworks] BRONZE SILHOUETTE likely operates on behalf the PRC. The targeting of U.S. government and defense
...more



Aliases:
BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, Storm-0391, UNC3236, Volt Typhoon, VOLTZITE

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 

Variston IT

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 

Velvet Chollima

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tank as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Ministry of Unification, Sejong Institute, Korea Institute for Defense Analyses, Germany

Aliases:
APT43, Black Banshee, Emerald Sleet, G0086, Kimsuky, Operation Stolen Pencil, THALLIUM

References:
1 2 3 4 5 6 7 8 

Venomous Bear

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux ...more


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
France, Romania, Kazakhstan, Poland, Tajikistan, Russia, United States, Saudi Arabia, Germany, India, Belarus, Netherlands, Iran, Uzbekistan, Iraq

Aliases:
ATK13, Blue Python, G0010, Group 88, Hippo Team, IRON HUNTER, ITG12, Krypton, MAKERSMARK, Pacifier APT, Pfinet, Popeye, Secret Blizzard, SIG23, Snake, SUMMIT, TAG_0530, Turla, UAC-0003, UAC-0024, UAC-0144, UNC4210, Uroburos, Waterbug, WhiteBear, WRAITH

References:
1 2 3 4 5 6 7 

Vice Society

Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.



Aliases:
DEV-0832, Vanilla Tempest

References:
1 2 

Viceroy Tiger

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing ...more



Target Countries:
Germany

Aliases:
APT-C-35, Donot Team, OPERATION HANGOVER, Orange Kala, SectorE02

References:
1 2 3 4 5 

Vicious Panda

Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target.
A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.



Target Countries:
Belarus, Russia, Mongolia, Ukraine

Aliases:
SixLittleMonkeys

References:
1 2 

Viking Spider

VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that On Dec. 22, 2020, a new post made to MountLocker ransomware’s Tor-hosted DLS was titled 'Cartel ...more



Aliases:


References:
1 

Violin Panda

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website ...more



Aliases:
APT20, Crawling Taurus, TH3Bug

References:
1 2 

Vixen Panda

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted several industries, including oil, government, military, and more.


Goals:
Espionage

Target Industries:
Government

Target Countries:
European Union, India, United Kingdom, Germany

Aliases:
APT15, APT25, BRONZE DAVENPORT, BRONZE IDLEWOOD, BRONZE PALACE, G0004, GREF, Ke3Chang, Lurid, Metushy, Mirage, NICKEL, Nylon Typhoon, Playful Dragon, Red Vulture, Royal APT, RoyalAPT, Social Network Team

References:
1 2 3 4 5 

Volatile Cedar

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.



Aliases:
DeftTorero, Lebanese Cedar

References:
1 

Volt Typhoon

[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

[Secureworks] BRONZE SILHOUETTE likely operates on behalf the PRC. The targeting of U.S. government and defense
...more



Aliases:
BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, Storm-0391, UNC3236, Vanguard Panda, VOLTZITE

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 

Voodoo Bear

Sandworm Team is a destructive Russian threat group that has been attributed to Russian GRU Unit 74455 by the U.S. Department of Justice and U.K. National Cyber Security Centre. Sandworm Team's most notable attacks include the 2015 and 2016 targeting of Ukrainian electrical companies and 2017's NotPetya attacks. Sandworm Team has been active since at least 2009.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Russia, Lithuania, Kyrgyzstan, Israel, Ukraine, Belarus, Kazakhstan, Georgia, Poland, Azerbaijan, Iran

Aliases:
APT44, BlackEnergy (Group), Blue Echidna, ELECTRUM, FROZENBARENTS, G0034, IRIDIUM, IRON VIKING, Quedagh, Sandworm Team, Seashell Blizzard, TeleBots, TEMP.Noble, UAC-0082, UAC-0113

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 

WASSONITE

(No description available for this threat actor)



Aliases:

Wazawaka

(No description available for this threat actor)



Aliases:


References:
1 

Whisper Spider

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.



Aliases:
Silence

References:
1 2 3 4 

Whitefly

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.



Aliases:


References:
1 

Wicked Panda

APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.



Target Industries:
Automotive, Business, Services, Cryptocurrency, Education, Energy, Financial, Healthcare, High-Tech, Intergovernmental, Media and Entertainment, Pharmaceuticals, Private sector, Retail, Telecommunications, Travel

Target Countries:
China, France, Hong Kong, India, Italy, Japan, Myanmar, Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, United Kingdom, United States

Aliases:
Amoeba, APT41, BARIUM, Blackfly, Brass Typhoon, BRONZE ATLAS, BRONZE EXPORT, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, VANADINITE, WICKED SPIDER

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 

Wild Neutron

A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged ...more



Aliases:
Butterfly, Morpho, Sphinx Moth

References:
1 

Winter Vivern

Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.



Target Countries:
Germany

Aliases:
TA-473, TA473, TAG-70, UAC-0114

References:
1 2 3 4 5 

Wizard Opium

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.



Aliases:


References:
1 2 

Wizard Spider

Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.



Target Industries:
Defense, Financial, Government, Healthcare, Telecommunications

Target Countries:
Australia, Bahamas, Canada, Costa Rica, France, Germany, India, Ireland, Italy, Japan, Mexico, New Zealand, Spain, Switzerland, Taiwan, United Kingdom, Ukraine, United States

Aliases:
DEV-0193, DEV-0237, FIN12, GOLD BLACKBURN, Grim Spider, Periwinkle Tempest, Pistachio Tempest, Storm-0193, TEMP.MixMaster, Trickbot LLC, UNC1878, UNC2053

References:
1 2 3 4 5 6 7 8 9 10 

XDSpy

Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.



Aliases:


References:
1 

z0Miner

(No description available for this threat actor)



Aliases:


References:
1 

ZuoRAT

(No description available for this threat actor)



Aliases:


References:
1 

AdGholas

(No description available for this threat actor)



Aliases:


References:
1 2 3 

Animal Farm

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Syria, United States, Netherlands, Russia, Spain, Iran, China, Germany, Algeria, Norway, Malaysia, Turkey, United Kingdom, Ivory Coast, Greece

Aliases:
ATK8, Snowglobe

References:
1 2 

Antlion

Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.



Target Industries:
Financial

Target Countries:
Taiwan

Aliases:


References:
1 

APT-C-36

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.


Goals:
Espionage

Target Industries:
Petroleum, Manufacturing, Financial, Private sector, Government

Target Countries:
Ecuador, Colombia, Spain, Panama, Chile

Aliases:
Blind Eagle

References:
1 

APT-K-47

Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.



Aliases:


References:
1 

APT-Q-27

(No description available for this threat actor)



Aliases:


References:
1 

APT.3102

(No description available for this threat actor)



Aliases:


References:
1 

APT16

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, Taiwan

Aliases:
G0023, SVCMONDR

References:
1 2 3 

APT19

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States

Aliases:
Black Vine, BRONZE FIRESTONE, C0d0so0, Codoso, Codoso Team, DEEP PANDA, G0009, G0073, Group 13, KungFu Kittens, PinkPanther, Pupa, Shell Crew, Sunshop Group, TEMP.Avengers, WebMasters

References:
1 2 3 4 

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.


Goals:
Espionage

Target Industries:
Government

Target Countries:
United States, South Korea, Saudi Arabia, Thailand, Vietnam, Malaysia, India

Aliases:
G0013, Raspberry Typhoon

APT35

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive operations to collect intelligence, dating back as early as 2014. The group typically targets U.S. and the Middle Eastern military, as well as other organizations with government personnel, via complex social engineering campaigns.



Aliases:
Ajax Security Team, Cobalt Gypsy, COBALT MIRAGE, G0059, Magic Hound, Mint Sandstorm, Newscaster, Newscaster Team, Operation Saffron Rose, Operation Woolen-Goldfish, Phosphorus, Rocket Kitten, TunnelVision

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

Aquatic Panda

Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated ...more



Target Industries:
Gambling companies, Government Institutions, Education, Media and Entertainment, Pro-democracy and human rights political organizations, Telecommunications, Religious organization, Cryptocurrency, Medical, Covid-19 research organizations

Target Countries:
Australia, China, France, Germany, Hong Kong, Japan, Mongolia, Nepal, Nigeria, Philippines, Taiwan, Thailand, United Arab Emirates, United States, Vietnam

Aliases:
BountyGlad, BRONZE UNIVERSITY, Charcoal Typhoon, CHROMIUM, ControlX, FISHMONGER, Red Dev 10, Red Scylla, RedHotel, TAG-22

References:
1 2 3 

Aquatic Werewolf

(No description available for this threat actor)



Aliases:


References:
1 

Aurora Panda

Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. Though both this group and Winnti Group use the malware Winnti for Windows, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States, Netherlands, Italy, Japan, United Kingdom, Belgium, Russia, Indonesia, Germany, Switzerland, China

Aliases:
APT17, Axiom, BRONZE KEYSTONE, DeputyDog, Dogfish, G0001, G0025, Group 72, Group 8, HELIUM, Hidden Lynx, Tailgater Team

References:
1 2 3 4 5 

BackdoorDiplomacy

An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.



Target Industries:
Government, Telecomms

Target Countries:
Libya, Namibia, Sudan, Albania, Croatia, Georgia, Poland, Iran, Qatar, Saudi Arabia, Sri Lanka, Uzbekistan

Aliases:
BackDip, CloudComputating, Quarian

References:
1 2 3 

Bahamut

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.



Aliases:
Windshift

References:
1 

Berserk Bear

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Hungary, Belarus

Aliases:
Anger Bear, Dragonfly 2.0, DYMALLOY, IRON LIBERTY, IRON LYRIC, Team Bear, TeamSpy

References:
1 2 3 4 5 

Bitter

The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.



Target Countries:
Germany

Aliases:
APT-C-08, Orange Yali, T-APT-17

References:
1 2 3 4 5 6 7 8 9 10 

Black Kingdom

(No description available for this threat actor)



Aliases:


References:
1 

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.



Aliases:
G0063

References:
1 2 

Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.



Aliases:


References:
1 2 3 4 

Blue Termite

Blue Termite is a group of suspected Chinese origin active in Japan.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Japan

Aliases:
Cloudy Omega, Emdivi

References:
1 

BRONZE STARLIGHT

BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites.
CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on
...more



Aliases:
Cinnamon Tempest, DEV-0401, Emperor Dragonfly, SLIME34

References:
1 2 

BuhTrap

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.
From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not
...more



Aliases:


References:
1 2 3 4 

BunseTech

(No description available for this threat actor)



Aliases:


References:
1 

Cadet Blizzard

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.


Goals:
Sabotage

Target Countries:
Ukraine

Aliases:
Ruinous Ursa

References:
1 2 

Calypso

For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, ...more



Aliases:
BRONZE MEDLEY

References:
1 2 3 

Candiru

Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.



Aliases:
SOURGUM

References:
1 2 3 4 5 6 7 8 

Carbon Spider

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.



Aliases:
ATK32, Calcium, Carbanak, Coreid, ELBRUS, FIN7, G0008, G0046, GOLD NIAGARA, Sangria Tempest

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Careto

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.
The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules.
More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask”
...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Morocco, France, Libya, Venezuela, Poland, Brazil, Spain, United States, South Africa, Tunisia, United Kingdom, Switzerland, Iran, Germany

Aliases:
Mask, The Mask, Ugly Face

References:
1 2 

ChamelGang

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.



Target Industries:
Aviation, Energy

Target Countries:
India, Japan, Nepal, Russia, Taiwan, US

Aliases:


References:
1 2 

Charming Kitten

Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with ...more



Aliases:
Mint Sandstorm

References:
1 2 3 4 5 6 

CHERNOVITE

Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.



Aliases:


References:
1 2 3 4 

China Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 

Circuit Panda

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.



Aliases:
BlackTech, Earth Hundun, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, Temp.Overboard

References:
1 2 3 4 5 6 7 8 

Cloud Werewolf

(No description available for this threat actor)



Aliases:


References:
1 2 

Cobalt Spider

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use ...more



Aliases:
Cobalt Gang, Cobalt Group, G0080, GOLD KINGSWOOD, Mule Libra

References:
1 2 3 4 5 6 7 

Cobalt Werewolf

(No description available for this threat actor)



Aliases:


References:
1 

Colourful Panda

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic ...more



Aliases:
BRONZE DUDLEY

References:
1 2 3 4 5 

Comment Panda

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Taiwan, Israel, Norway, United Arab Emirates, United Kingdom, Singapore, India, Belgium, South Africa, Switzerland, Canada, France, Luxembourg, Japan

Aliases:
APT1, Brown Fox, Byzantine Candor, Comment Crew, Comment Group, G0006, GIF89a, Group 3, PLA Unit 61398, ShadyRAT, TG-8223

References:
1 2 

Common Raven

Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.



Aliases:
DESKTOP-GROUP, NXSMS, OPERA1ER

References:
1 

Cosmic Wolf

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that ...more



Target Countries:
Germany

Aliases:
Marbled Dust, SILICON, Teal Kurma, UNC1326

References:
1 2 3 

CosmicBeetle

(No description available for this threat actor)



Aliases:


References:
1 2 

Cozy Bear

APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, China, New Zealand, Ukraine, Romania, Georgia, Japan, South Korea, Belgium, Kazakhstan, Brazil, Mexico, Turkey, Portugal, India, Germany

Aliases:
APT29, ATK7, Blue Kitsune, BlueBravo, Cloaked Ursa, CozyDuke, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Midnight Blizzard, Minidionis, Nobelium, SeaDuke, TA421, The Dukes, UAC-0029, YTTRIUM

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

Cyber Av3ngers

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.



Aliases:


References:
1 2 3 

Cytrox

(No description available for this threat actor)



Aliases:


References:
1 

Dagger Panda

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
South Korea, United States, Japan, Germany, China

Aliases:
IceFog, PLA Unit 69010, Red Wendigo, RedFoxtrot, Trident

References:
1 2 

Dalbit

The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.



Aliases:


References:
1 2 

Danti

(No description available for this threat actor)



Aliases:


References:
1 2 

Dark Pink

(No description available for this threat actor)



Aliases:


References:
1 2 

Dark River

(No description available for this threat actor)



Aliases:


References:
1 

DarkCasino

DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.



Aliases:


References:
1 2 3 

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.



Aliases:
G0079, LazyMeerkat, Obscure Serpens

References:
1 

DarkMe

(No description available for this threat actor)



Aliases:


References:
1 

Deadeye Jackal

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense ...more



Aliases:
SEA, SyrianElectronicArmy

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to Deep Panda. This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. Some analysts track Deep Panda and APT19 as the same group, but ...more



Aliases:
Black Vine, KungFu Kittens, PinkPanther, Shell Crew, WebMasters

References:
1 2 3 4 5 6 7 

Denim Tsunami

Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the ...more



Aliases:
DSIRF, KNOTWEED

References:
1 2 3 

DEV-0322

One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.



Aliases:
Circle Typhoon

References:
1 2 3 4 5 6 

DEV-0365

(No description available for this threat actor)



Aliases:


References:
1 

DEV-0413

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD ...more



Aliases:
Exotic Lilly

References:
1 2 3 4 

DEV-0671

(No description available for this threat actor)



Aliases:


References:
1 2 

DEV-0978

ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.



Target Countries:
Germany

Aliases:
Storm-0978

References:
1 2 3 4 5 6 7 8 9 

Doppel Spider

In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike ...more



Aliases:
GOLD HERON

References:
1 

DragonOK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States

Aliases:
BRONZE OVERBROOK, G0002, G0017, Moafee, Shallow Taurus

References:
1 2 3 

DriftingCloud

DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.



Aliases:


References:
1 2 

Ducktail

(No description available for this threat actor)



Aliases:


References:
1 

Duqu

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Military, Government, Private sector

Target Countries:
Iran, Sudan

Aliases:
Duqu Group

References:
1 

Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.



Aliases:
G0031

References:
1 2 3 

Dynamite Panda

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States

Aliases:
APT18, G0026, PLA Navy, SCANDIUM, TG-0416, Threat Group-0416, Wekby

References:
1 2 3 

Earth Kitsune

Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.



Aliases:


References:
1 

Earth Krahang

Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to ...more



Aliases:


References:
1 2 

Earth Yako

Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL ...more



Aliases:
Enelink, Operation RestyLink

References:
1 

Ember Bear

A group targeting UA state organizations using the GraphSteel and GrimPlant malware.



Aliases:
DEV-0587, FROZENVISTA, Nascent Ursa, Nodaria, Saint Bear, Storm-0587, TA471, UAC-0056, UNC2589

References:
1 2 

Emissary Panda

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, United Kingdom, France, Japan, Taiwan, India, Canada, China, Thailand, Israel, Australia, Republic of Korea, Russia, Iran, Turkey

Aliases:
APT27, BRONZE UNION, Budworm, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Iron Tiger, Lucky Mouse, LuckyMouse, Red Phoenix, TEMP.Hippo, TG-3390, Threat Group-3390, ZipToken

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 

Energetic Bear

Dragonfly Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.

A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these
...more


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Germany, Turkey, China, Spain, France, Ireland, Japan, Italy, Poland

Aliases:
ALLANITE, ATK6, BERSERK BEAR, Blue Kraken, BROMINE, CASTLE, Crouching Yeti, Dragonfly, DYMALLOY, G0035, Ghost Blizzard, Group 24, Havex, IRON LIBERTY, ITG15, Koala Team, TG-4192

References:
1 2 3 4 5 

Equation Group

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Iran, Afghanistan, Syria, Yemen, Kenya, Russia, India, Mali, Algeria, United Kingdom, Pakistan, China, Lebanon, United Arab Emirates, Libya

Aliases:
EQGRP, Equation, G0020, Tilded Team

References:
1 2 3 4 5 6 7 8 

ERYTHRITE

(No description available for this threat actor)



Aliases:

Ethereal Panda

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally ...more



Aliases:
Flax Typhoon, Storm-0919

Evilnum

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from ...more



Aliases:
DeathStalker, Jointworm, KNOCKOUT SPIDER, TA4563

References:
1 2 3 

Exodus Intelligence

(No description available for this threat actor)



Aliases:


References:
1 

FamousSparrow

(No description available for this threat actor)



Aliases:


References:
1 

Fancy Bear

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit
...more


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Georgia, France, Jordan, United States, Hungary, World Anti-Doping Agency, Armenia, Tajikistan, Japan, NATO, Ukraine, Belgium, Pakistan, Asia Pacific Economic Cooperation, International Association of Athletics Federations, Turkey, Mongolia, OSCE, United Kingdom, Germany, Poland, European Commission, Afghanistan, Kazakhstan, China

Aliases:
APT-C-20, APT28, ATK5, Blue Athena, Fighting Ursa, Forest Blizzard, FROZENLAKE, G0007, Grizzly Steppe, Group 74, IRON TWILIGHT, ITG05, Pawn Storm, PETROVITE, Sednit, SIG40, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, T-APT-12, TA422, TG-4127, Threat Group-4127, Tsar Team, UAC-0028

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 

FIN11

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity.(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. ...more



Aliases:
Lace Tempest, TEMP.Warlock, UNC902

References:
1 2 3 4 5 6 

FIN13

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform ...more



Aliases:
Elephant Beetle, TG2003

References:
1 2 

FIN8

FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries.



Aliases:
ATK113, G0061

References:
1 2 

Flax Typhoon

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally ...more



Aliases:
Ethereal Panda, Storm-0919

FruityArmor

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United Arab Emirates, United Kingdom

Aliases:
G0038, Stealth Falcon

References:
1 2 3 4 5 

GALLIUM

Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.



Aliases:
Alloy Taurus, Granite Typhoon, Red Dev 4, Soft Cell

References:
1 

GambleForce

GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.



Aliases:


References:
1 

Gelsemium

The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three ...more



Target Industries:
Government, Electronics Manufacturers, Universities, Religious organization

Target Countries:
North Korea, South Korea, Japan, China, Mongolia, Egypt, Saudi Arabia, Yemen, Oman, Iran, Iraq, Kuwait, Israel, Jordan, Gaza, Syria, Turkey, Lebanon

Aliases:
狼毒草

References:
1 

Ghostwriter

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.



Target Industries:
Government

Target Countries:
Germany, Latvia, Lithuania, Poland, Ukraine

Aliases:
DEV-0257, PUSHCHA, Storm-0257, TA445, UNC1151

References:
1 2 3 4 

Goblin Panda

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage


Goals:
Espionage

Target Industries:
Government

Target Countries:
Malaysia, Indonesia, Philippines, United States, India

Aliases:


References:
1 2 3 4 5 6 7 

Gold Southfield

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.



Aliases:


References:
1 2 3 4 5 

Golden Falcon

As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, ...more



Aliases:


References:
1 

Goldmouse

A threat actor which is ac tive since at least November 2014. This group launched long-term at tacks against organizations in the Syrian region using Android and Windows malwares. Its objective is the theft of sensitive information.



Aliases:
ATK80, Golden RAT

References:
1 

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.



Aliases:
ATK92, G0078, Pasty Gemini, Subaat

References:
1 2 3 

Gothic Panda

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

MITRE has also developed an APT3 Adversary Emulation Plan.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT3, BORON, Boyusec, BRONZE MAYFAIR, Buckeye, Group 6, Pirpi, Red Sylvan, TG-0110, Threat Group-0110, UPS, UPS Team

References:
1 2 3 4 5 

Graceful Spider

TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.



Target Industries:
Education, Finance, Health, Retail, Hospitality

Target Countries:
Australia, Canada, Czech Republic, Germany, Hungary, India, Japan, Romania, Serbia, Singapore, South Korea, Spain, Thailand, Turkey, United Kingdom, United States

Aliases:
ATK103, CHIMBORAZO, Dudear, G0092, GOLD TAHOE, Hive0065, SectorJ04, SectorJ04 Group, Spandex Tempest, TA505

References:
1 2 3 4 5 6 7 8 9 10 11 12 

Grayling

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.



Target Industries:
Biomedical, Government, Information technology

Target Countries:
Taiwan, United States, Vietnam, Solomon Islands

Aliases:


References:
1 

GreyEnergy

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks



Aliases:
KAMACITE

References:
1 2 3 4 

Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.



Aliases:
G0043

References:
1 

GUI-vil

(No description available for this threat actor)



Aliases:


References:
1 

Hacking Team

The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since.
Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.
The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting
...more



Aliases:


References:
1 2 3 4 

HAFNIUM

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by ...more



Aliases:
ATK233, G0125, Operation Exchange Marauder, Red Dev 13, Silk Typhoon

References:
1 2 3 4 5 6 7 8 9 10 

Helix Kitten

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on ...more


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Israel, Kuwait, United States, Turkey, Saudi Arabia, Qatar, Lebanon, Middle East

Aliases:
APT 34, APT34, ATK40, CHRYSENE, Cobalt Gypsy, Crambus, EUROPIUM, Evasive Serpens, G0049, Hazel Sandstorm, IRN2, OilRig, TA452, Twisted Kitten

References:
1 2 3 4 

HEXANE

Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.


Goals:
Espionage

Target Industries:
Government, Energy, High-Tech, Telecomms, Education, Military, Defense

Target Countries:
Israel, Middle East

Aliases:
Chrono Kitten, COBALT LYCEUM, MYSTICDOME, siamesekitten, Spirlin, Storm-0133, UNC1530

Hezb

Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities. The name is after the miner process they deploy.



Aliases:
Mimo

References:
1 

Higaisa

The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, and important news, overseas personnel contact lists and so on. In addition, the attack organization also has the attack capability of the mobile terminal. The targets of the attack also include diplomatic entities related to North Korea (such as embassy officials in various places), ...more



Target Industries:
Government

Target Countries:
China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland

Aliases:


References:
1 

HomeLand Justice

HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.



Aliases:


References:
1 

HookAds

HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of decoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.



Aliases:


References:
1 

Hurricane Panda

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.
HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full
...more



Aliases:


References:
1 2 3 

Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Afghanistan, Armenia, Azerbaijan, Belarus, Belgium, Czech Republic, Greece, India, Iran, Italy, Kazakhstan, Kenya, Malaysia, Russia, South Africa, Suriname, Turkmenistan, Ukraine, United Kingdom, United States, Vietnam

Aliases:
ATK116, Blue Odin, Clean Ursa, Cloud Atlas, G0100, Inception Framework, OXYGEN

References:
1 2 3 4 5 6 7 8 9 10 

Indrik Spider

INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.
In August 2017, a new ransomware variant
...more



Aliases:
Manatee Tempest

References:
1 

Intellexa

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 

Invisimole

Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Ukraine

Aliases:


References:
1 2 

Iran Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 

IronHusky

IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.



Aliases:


References:
1 

ItaDuke

ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.



Aliases:
DarkUniverse, SIG27

References:
1 2 

Judgement Panda

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions ...more



Aliases:
APT31, BRONZE VINEWOOD, JUDGMENT PANDA, Red keres, TA412, Violet Typhoon, ZIRCONIUM

References:
1 2 3 4 5 6 

Kabar Cobra

(No description available for this threat actor)



Aliases:


References:
1 

Karma Panda

Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.



Target Industries:
Military, Government, Private sector

Target Countries:
Eastern Europe, Japan, South Korea, Taiwan, US

Aliases:
BRONZE HUNTLEY, CactusPete, COPPER, Earth Akhlut, G0131, PLA Unit 65017, Red Beifang, TAG-74

References:
1 2 3 4 5 

Kasablanka

The Kasablanka group is a cyber-criminal organization that has
specifically targeted Russia between September and December 2022,
using various payloads delivered through phishing emails containing
socially engineered lnk files, zip packages, and executables attached to
virtual disk image files.



Aliases:


References:
1 

Keyhole Panda

We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has ...more



Aliases:
APT5, BRONZE FLEETWOOD, MANGANESE, Mulberry Typhoon, Poisoned Flight, TEMP.Bottle

References:
1 2 3 4 5 6 

Konni

Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.



Aliases:
Opal Sleet, OSMIUM, Vedalia

References:
1 2 3 

Kryptonite Panda

Leviathan is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, Hong Kong, The Philippines, Asia Pacific Economic Cooperation, Cambodia, Belgium, Germany, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, United Kingdom

Aliases:
APT40, ATK29, BRONZE MOHAWK, G0065, GADOLINIUM, Gingham Typhoon, ISLANDDREAMS, ITG09, Leviathan, MUDCARP, Red Ladon, TA423, TEMP.Jumper, TEMP.Periscope

References:
1 2 3 4 5 6 7 8 9 

LABRAT

(No description available for this threat actor)



Aliases:


References:
1 

Labyrinth Chollima

Lazarus Group is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. In late 2017, Lazarus ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, BeagleBoyz, Bluenoroff, Bureau 121, Citrine Sleet, COPERNICIUM, COVELLITE, Dark Seoul, DEV-0139, DEV-1222, Diamond Sleet, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Lazarus group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Sapphire Sleet, Stardust Chollima, Subgroup: Bluenoroff, TA404, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 

LAURIONITE

(No description available for this threat actor)



Aliases:


References:
1 

Lone Wolf

(No description available for this threat actor)



Aliases:


References:
1 

Longhorn

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at ...more


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Global

Aliases:
APT-C-39, Lamberts, PLATINUM TERMINAL, the Lamberts

References:
1 2 3 

Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.


Goals:
Espionage

Target Industries:
Military, Government

Target Countries:
Japan, Philippines, Hong Kong, Indonesia, Taiwan, Vietnam

Aliases:
ATK1, BRONZE ELGIN, DRAGONFISH, G0030, Red Salamander, Spring Dragon, ST Group

References:
1 2 3 4 

Luckycat

A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an ...more



Aliases:
TA413, White Dev 9

References:
1 2 3 4 

luoxk

Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.



Aliases:


References:
1 

Magnet Goblin

(No description available for this threat actor)



Aliases:


References:
1 2 

Manic Menagerie

(No description available for this threat actor)



Aliases:


References:
1 2 

ModifiedElephant

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.



Target Industries:
Civil Society

Aliases:


References:
1 

Molerats

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.


Goals:
Espionage

Target Industries:
Government, Defense, Energy, Finance, Healthcare, Pharmaceuticals, Education, Media, NGOs, Civil Society, Legal, Military

Target Countries:
United States, Israel, Palestine, Middle East, Europe

Aliases:
ALUMINUM SARATOGA, BLACKSTEM, Extreme Jackal, G0021, Gaza Cybergang, Gaza Hackers Team, Moonlight, Operation Molerats

References:
1 

MosesStaff

Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.



Aliases:
DEV-0500, Marigold Sandstorm, Moses Staff

References:
1 

MoustachedBouncer

MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Europe, Eastern Europe, South Asia, Northeast Africa

Aliases:


References:
1 

Mustang Panda

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.
In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this
...more


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United States, Germany

Aliases:
BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon

References:
1 2 

Mysterious Elephant

(No description available for this threat actor)



Aliases:


References:
1 

Mysterious Werewolf

(No description available for this threat actor)



Aliases:


References:
1 2 3 

Mythic Leopard

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.



Target Industries:
Civil society, Military, Government

Aliases:
APT 36, APT36, C-Major, COPPER FIELDSTONE, Earth Karkaddan, Green Havildar, ProjectM, TMP.Lapis, Transparent Tribe

References:
1 2 3 4 

Naikon

Naikon is a threat group that has focused on targets around the South China Sea. The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau(Military Unit Cover Designator 78020). While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
India, Saudi Arabia, Vietnam, Myanmar, Singapore, Thailand, Malaysia, Cambodia, China, Philippines, South Korea, United States, Indonesia, Laos

Aliases:
BRONZE GENEVA, BRONZE STERLING, Camerashy, G0013, G0019, OVERRIDE PANDA, PLA Unit 78020

References:
1 2 

Narwhal Spider

NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.



Aliases:
GOLD ESSEX, TA544

References:
1 

Nemesis Kitten

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.



Aliases:
BENTONITE, DEV-0270, Storm-0270

References:
1 2 3 4 5 6 7 

NEODYMIUM

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.



Aliases:
G0055

References:
1 

NetTraveler

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Mongolia, Kazakhstan, Tajikistan, Germany, United Kingdom, India, Kyrgyzstan, South Korea, United States, Chile, Russia, China, Spain, Canada, Morocco

Aliases:
APT21, HAMMER PANDA, TEMP.Zhenbao

References:
1 

Nexus Zeta

Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.



Aliases:


References:
1 2 

Nomad Panda

In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.



Aliases:


References:
1 2 

North Korea Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 

NOTROBIN

Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.



Aliases:


References:
1 

NSO Group

(No description available for this threat actor)



Aliases:
Night Tsunami

References:
1 2 3 4 5 6 

Numbered Panda

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Taiwan, Japan

Aliases:
APT12, BeeBus, BRONZE GLOBE, Calc Team, Crimson Iron, DNSCALC, DynCalc, Group 22, IXESHE, TG-2754

References:
1 2 

Ocean Buffalo

APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
China, Germany, United States, Vietnam, Philippines, Association of Southeast Asian Nations

Aliases:
APT 32, APT-32, APT-C-00, APT32, ATK17, BISMUTH, Canvas Cyclone, Cobalt Kitty, G0050, Ocean Lotus, OceanLotus, OceanLotus Group, POND LOACH, Sea Lotus, SeaLotus, TIN WOODLAWN

References:
1 2 3 4 5 

Operation Shadow Tiger

(No description available for this threat actor)



Aliases:


References:
1 

Override Panda

Naikon is a threat group that has focused on targets around the South China Sea. The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau(Military Unit Cover Designator 78020). While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
India, Saudi Arabia, Vietnam, Myanmar, Singapore, Thailand, Malaysia, Cambodia, China, Philippines, South Korea, United States, Indonesia, Laos

Aliases:
BRONZE GENEVA, BRONZE STERLING, Camerashy, G0013, G0019, Naikon, PLA Unit 78020

References:
1 2 

PhantomCore

(No description available for this threat actor)



Aliases:


References:
1 

Pinchy Spider

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.
CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration
...more



Aliases:


References:
1 2 3 4 5 6 

Pioneer Kitten

PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. They are widely known to use open source penetration testing tools for ...more



Aliases:
Lemon Sandstorm, PARISITE, RUBIDIUM, UNC757

References:
1 2 3 4 5 6 7 8 

Pirate Panda

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.



Aliases:
APT23, BRONZE HOBART, Earth Centaur, G0081, KeyBoy, Red Orthrus, Tropic Trooper

References:
1 2 3 4 

Pitty Panda

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.



Aliases:
APT24, G0011, PittyTiger, Temp.Pittytiger

References:
1 2 3 4 

PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.



Aliases:
ATK33, G0068, TwoForOne

References:
1 2 

POISON CARP

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.



Aliases:
Earth Empusa, Evil Eye, Red Dev 16

References:
1 

Poison Needles

What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art.
Since it is the first detection of this APT attack by 360
...more



Aliases:


References:
1 

Polonium

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.


Goals:
Espionage

Target Industries:
Critical manufacturing, Defense industrial base, Financial services, Food and agriculture, Government agencies and services, Healthcare, Pharmaceuticals, Information technology, Transportation systems, NGOs, Civil Society, Military, Defense

Target Countries:
Israel

Aliases:
GREATRIFT, Plaid Rain, UNC4453

References:
1 

PowerFall

(No description available for this threat actor)



Aliases:


References:
1 

PowerPool

Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.

A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.

More specifically, the problem is with the SchRpcSetSecurity API function, which fails
...more



Aliases:
IAmTheKing

References:
1 

Primitive Bear

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.



Target Industries:
Government

Target Countries:
Ukraine, Germany

Aliases:
ACTINIUM, Aqua Blizzard, Blue Otso, BlueAlpha, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Shuckworm, Trident Ursa, UAC-0010, Winterflounder

References:
1 2 3 4 5 

PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.



Aliases:
G0056, StrongPity

References:
1 

Prophet Spider

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.



Aliases:
GOLD MELODY, UNC961

References:
1 2 3 4 5 6 7 8 9 10 11 

Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
U.S. satellite and aerospace sector

Aliases:
4HCrew, APT2, G0024, MSUpdater, PLA Unit 61486, SearchFire, SULPHUR, TG-6952

References:
1 2 

PuzzleMaker

(No description available for this threat actor)



Aliases:


References:
1 

Quilted Tiger

Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of ...more


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
Bangladesh, Sri Lanka, Pakistan

Aliases:
APT-C-09, ATK11, Chinastrats, Dropping Elephant, G0040, Hangover Group, Monsoon, Operation Hangover, Orange Athos, Patchwork, Sarit, Thirsty Gemini, ZINC EMERSON

References:
1 2 3 4 5 6 7 8 9 10 

Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents.


Goals:
Espionage

Target Industries:
Government, Civil society

Target Countries:
Singapore, Cambodia

Aliases:
G0075, Rancor Group, Rancor Taurus

References:
1 2 

RASPITE

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.



Aliases:
Leafminer

References:
1 

Razor Tiger

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.



Aliases:
APT-C-17, Rattlesnake, SideWinder, T-APT-04

References:
1 2 3 4 5 6 7 8 

Red Menshen

Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and ...more



Target Industries:
Government, Education, Logistics

Target Countries:
Middle East, Asia

Aliases:
Red Dev 18

References:
1 

RedAlpha

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.



Aliases:
DeepCliff, Red Dev 3

References:
1 

Refined Kitten

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, Saudi Arabia, South Korea

Aliases:
APT 33, APT33, ATK35, COBALT TRINITY, Elfin, G0064, HOLMIUM, MAGNALLIUM, Peach Sandstorm, TA451

References:
1 2 3 

Returned Libra

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.



Aliases:
8220 Mining Group

References:
1 2 3 4 5 6 7 8 9 

Ricochet Chollima

APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018.

North
...more



Target Industries:
Government, Private sector

Target Countries:
Republic of Korea, Japan, Vietnam

Aliases:
APT 37, APT37, ATK4, G0067, Group 123, Group123, InkySquid, Moldy Pisces, Operation Daybreak, Operation Erebus, Reaper, Reaper Group, Red Eyes, ScarCruft, TEMP.Reaper, Venus 121

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 

Roaming Tiger

(No description available for this threat actor)



Aliases:
BRONZE WOODLAND, Rotten Tomato

References:
1 2 

Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.



Aliases:
Aged Libra

References:
1 2 

Rocket Kitten

Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Saudi Arabia, Venezuela, Afghanistan, United Arab Emirates, Iran, Israel, Iraq, Kuwait, Turkey, Canada, Yemen, United Kingdom, Egypt, Syria, Jordan

Aliases:
Operation Woolen Goldfish, Operation Woolen-Goldfish, TEMP.Beanie, Thamar Reservoir, Timberworm

References:
1 

Russia Attribution

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 5 6 7 8 9 10 11 12 13 

Saaiwc Group

(No description available for this threat actor)



Aliases:


References:
1 2 

Samurai Panda

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT4, BRONZE EDISON, MAVERICK PANDA, PLA Navy, Salmon Typhoon, SODIUM

References:
1 2 

Sandcat

SandCat, on the other hand, is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier this year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of ...more



Aliases:


References:
1 2