| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
| --- | --- | --- | --- | --- |
| 14.5.26 | UNC1151 | UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign | GROUP | GROUP |
| 14.5.26 | FrostyNeighbor | FrostyNeighbor: Fresh mischief and digital shenanigans | GROUP | GROUP |
| 6.5.26 | UAT-8302 | UAT-8302 and its box full of malware | GROUP | GROUP |
| 1.5.26 | Cordial Spider | CORDIAL SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion since at least October 2025. CORDIAL SPIDER gains initial access to victim systems via voice phishing (vishing) calls in which they direct targeted users to single sign-on (SSO)–themed phishing pages. | GROUP | GROUP |
| 1.5.26 | Snarky Spider | SNARKY SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion and cryptocurrency theft since at least October 2025. T | GROUP | GROUP |
| 1.5.26 | Shadow-Earth-053 | Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia | GROUP | GROUP |
| 26.4.26 | Cordial Spider | CORDIAL SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion since at least October 2025. CORDIAL SPIDER gains initial access to victim systems via voice phishing (vishing) calls in which they direct targeted users to single sign-on (SSO)–themed phishing pages. | GROUP | GROUP |
| 25.4.26 | UNC6692 | Google Threat Intelligence Group (GTIG) identified a multistage intrusion campaign by a newly tracked threat group, UNC6692, that leveraged persistent social engineering, a custom modular malware suite, and deft pivoting inside the victim’s environment to achieve deep network penetration. | GROUP | GROUP |
| 25.4.26 | UAT-4356's | Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. | GROUP | GROUP |
| 24.4.26 | UNC6692 | GROUP | GROUP | GROUP |
| 17.4.26 | UAC-0247 | Hospitals, local self-government bodies and FPV operators are the focus of the UAC-0247 cyber threat cluster | GROUP | GROUP |
| 12.4.26 | Storm-2755 | Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees | GROUP | GROUP |
| 8.4.26 | FrostArmada | A DNS setting change on a single router can quietly reroute an entire network’s authentication traffic. In FrostArmada, Lumen observed Forest Blizzard using that technique to feed targeted logins into Attacker-in-the-Middle (AitM) infrastructure, scaling from limited activity to thousands of victims worldwide. | GROUP | GROUP |
| 8.4.26 | Pay2Key | Pay2Key Iranian-Linked Ransomware is Back, Back Again | GROUP | RANSOMWARE |
| 8.4.26 | Storm-1175 | Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | GROUP | GROUP |
| 8.4.26 | PIONEER KITTEN | Who Is PIONEER KITTEN? | GROUP | APT |
| 5.4.26 | TA416 | I’d come running back to EU again: TA416 resumes European government espionage campaigns | GROUP | GROUP |
| 3.4.26 | UAT-10608 | UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications | GROUP | GROUP |
| 1.4.26 | UNC1069 | North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | GROUP | GROUP |
| 27.3.26 | Bearlyfy | Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware | GROUP | GROUP |
| 14.3.26 | Handala Hack | Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iranian Ministry of Intelligence and Security (MOIS) | GROUP | GROUP |
| 14.3.26 | CL-STA-1087 | Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia | GROUP | CLUSTER |
| 14.3.26 | Storm-2561 | Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | GROUP | GROUP |
| 10.3.26 | Sednit | Sednit reloaded: Back in the trenches | GROUP | GROUP |
| 8.3.26 | Jasper Sleet | Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations | GROUP | GROUP |
| 6.3.26 | UAT-9244 | UAT-9244 targets South American telecommunication providers with three new malware implants | GROUP | GROUP |
| 3.3.26 | SloppyLemming | SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of its activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistan, Sri Lanka, Bangladesh, and China. | GROUP | GROUP |
| 1.3.26 | COOKIE SPIDER | COOKIE SPIDER (active since at least October 2018) develops and rents Atomic macOS Stealer (AMOS), an information stealer targeting macOS victims via multiple delivery methods, including search engine optimization (SEO) poisoning, fake job advertisements, and malicious VSCode extensions. | GROUP | GROUP |
| 1.3.26 | Diesel Vortex | Diesel Vortex: Inside the Russian cybercrime group targeting US & EU freight | GROUP | GROUP |
| 27.2.26 | APT37 | APT37 Adds New Capabilities for Air-Gapped Networks | GROUP | GROUP |
| 26.2.26 | Scattered LAPSUS$ Hunters | Cyber Intel Brief: Scattered Lapsus$ Hunters (SLH) Kicks Off Campaign to Recruit Women | GROUP | GROUP |
| 26.2.26 | UNC2814 | Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign | GROUP | GROUP |
| 15.2.26 | Storm-2603 | Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware | GROUP | GROUP |
| 14.2.26 | UAT-9921 | New threat actor, UAT-9921, leverages VoidLink framework in campaigns | GROUP | GROUP |
| 11.2.26 | UNC1069 | UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering | GROUP | GROUP |
| 10.2.26 | UNC3886 | Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector | GROUP | GROUP |
| 9.2.26 | Stan Ghouls | Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT | GROUP | GROUP |
| 2.2.26 | UAT-8099 | Dissecting UAT-8099: New persistence mechanisms and regional focus | GROUP | GROUP |
| 25.1.26 | UAT-9686 | UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager | GROUP | GROUP |
| 22.1.26 | PurpleBravo | PurpleBravo’s Targeting of the IT Software Supply Chain | GROUP | GROUP |
| 16.1.26 | UAT-8837 | UAT-8837 targets critical infrastructure sectors in North America | GROUP | GROUP |
| 8.1.26 | UAT-7290 | UAT-7290 targets high value telecommunications infrastructure in South Asia | GROUP | GROUP |
| 7.1.26 | UAC-0184 | UAC-0184 | GROUP | GROUP |