GROUP LIST: GROUP (214)
| -=TWELVE= | ||||
| 21.03.2025 | -=TWELVE= | -=TWELVE=- is back | GROUP | GROUP |
| 8220 Mining Group | ||||
| 07.03.2024 | 8220 Mining Group | Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. | Group | Cryptocurrency |
| Actor UNC3886 | ||||
| 13.03.2025 | Actor UNC3886 | Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | GROUP | GROUP |
| Actor240524 | ||||
| 15.08.2024 | Actor240524 | New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel | GROUP | APT |
| Andariel | ||||
| 20.03.2024 | Andariel | Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions | Group | Group |
| 03.06.2024 | Andariel | Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) | GROUP | APT |
| Andariel | ||||
| 16.05.2024 | APT GROUP123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. | GROUP | APT |
| 19.07.2025 | APT PROFILE – FANCY BEAR | Fancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting governments, military entities, and other high-value | GROUP | APT |
| APT32 | ||||
| 06.03.2024 | APT32 | Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. | Group | APT |
| APT37 | ||||
| 27.02.2026 | APT37 | APT37 Adds New Capabilities for Air-Gapped Networks | GROUP | GROUP |
| APT45 | ||||
| 26.07.2024 | APT45 | APT45: North Korea’s Digital Military Machine | GROUP | APT |
| APT-C-36 | ||||
| 14.03.2024 | APT-C-36 | Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected of coming from South America has carried out continuous targeted attacks against Colombian government institutions as well as important corporations in the financial sector, petroleum industry, professional manufacturing, etc. | Group | APT |
| AridViper | ||||
| 12.12.2025 | AridViper | AridViper, an intrusion set allegedly associated with Hamas | GROUP | GROUP |
| BatShadow | ||||
| 08.10.2025 | BatShadow | BatShadow: Vietnamese Threat Actor Expands Its Digital Operations | GROUP | GROUP |
| 27.03.2026 | Bearlyfy | Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware | GROUP | GROUP |
| BianLian | ||||
| 11.03.2024 | BianLian | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. | Group | Ransomware |
| Billbug | ||||
| 22.04.2025 | Billbug | Billbug: Intrusion Campaign Against Southeast Asia Continues | GROUP | Espionage group |
| Bitter Group | ||||
| 05.06.2025 | Bitter Group | Bitter Group Distributes CHM Malware to Chinese Organizations | GROUP | GROUP |
| BlackJack | ||||
| 26.09.2024 | BlackJack | BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. | GROUP | Hacktivist |
| BlackTech | ||||
| 02.03.2024 | BlackTech | BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. | Group | CyberSpy |
| Bloody Wolf | ||||
| 28.11.2025 | Bloody Wolf | Bloody Wolf: A Blunt Crowbar Threat To Justice | GROUP | GROUP |
| 11.04.2025 | Bloody Wolf | Bloody Wolf evolution: new targets, new tools | GROUP | GROUP |
| Blue(Noroff) | ||||
| 20.06.2025 | Blue(Noroff) | Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion | GROUP | GROUP |
| 01.03.2024 | Bohrium | Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. | Group | Group |
| Bohrium | ||||
| BrazenBamboo | ||||
| 16.11.2024 | BrazenBamboo | BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA | GROUP | GROUP |
| BRONZE VINEWOOD | ||||
| 27.03.2024 | BRONZE VINEWOOD | DETAILS ON BRONZE VINEWOOD, IMPLICATED IN TARGETING OF THE U.S. ELECTION CAMPAIGN | Group | APT |
| Cloud Atlas | ||||
| 12.09.2025 | Cloud Atlas | Cloud Atlas seen using a new tool in its attacks | GROUP | GROUP |
| 14.03.2026 | CL-STA-1087 | Suspected China-Based Espionage Operation Against Military Targets in Southeast Asia | GROUP | CLUSTER |
| 26.09.2025 | COLDRIVER | COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX | GROUP | GROUP |
| 19.01.2024 | COLDRIVER | Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware | Group | Group |
| 03.02.2024 | COLDRIVER | The Coldriver Group, also known as Callisto and SEABORGIUM, is a threat actor known to attack government organizations, think tanks, and journalists in Europe and the Caucasus regions through spearphishing campaigns. | Group | Group |
| COLDRIVER | ||||
| Commando Cat | ||||
| 07.06.2024 | Commando Cat | Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers | GROUP | Cryptojacking |
| 04.10.2025 | Confucius | Confucius threat group evolves from document stealers to Python backdoors, showcasing the growing sophistication of state-aligned cyber campaigns | GROUP | GROUP |
| Confucius | ||||
| 30.08.2025 | COOKIE SPIDER | Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS | GROUP | GROUP |
| 01.03.2026 | COOKIE SPIDER | COOKIE SPIDER (active since at least October 2018) develops and rents Atomic macOS Stealer (AMOS), an information stealer targeting macOS victims via multiple delivery methods, including search engine optimization (SEO) poisoning, fake job advertisements, and malicious VSCode extensions. | GROUP | GROUP |
| COOKIE SPIDER | ||||
| CoralRaider | ||||
| 05.04.2024 | CoralRaider | CoralRaider targets victims’ data and social media accounts | Group | Group |
| Core Werewolf | ||||
| 11.04.2025 | Core Werewolf | Core Werewolf hones its arsenal against Russia’s government organizations | GROUP | GROUP |
| 11.09.2024 | CosmicBeetle | CosmicBeetle steps up: Probation period at RansomHub | GROUP | RANSOMWARE |
| CosmicBeetle | ||||
| Crypt Ghouls | ||||
| 28.10.2024 | Crypt Ghouls | Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia | GROUP | GROUP |
| CryptoChameleon | ||||
| 02.11.2025 | CryptoChameleon | CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack | GROUP | GROUP |
| CRYSTALRAY | ||||
| 14.07.2024 | CRYSTALRAY | CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools | GROUP | GROUP |
| Cuckoo Spear | ||||
| 02.08.2024 | Cuckoo Spear | Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies | GROUP | GROUP |
| 27.07.2024 | Cuckoo Spear | Highly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and challenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation. | GROUP | GROUP |
| Curly COMrades | ||||
| 06.11.2025 | Curly COMrades | Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines | GROUP | GROUP |
| Daggerfly | ||||
| 24.07.2024 | Daggerfly | Daggerfly: Espionage Group Makes Major Update to Toolset | GROUP | Espionage |
| Dark Caracal | ||||
| 06.03.2025 | Dark Caracal | The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT | GROUP | APT |
| DarkCasino | ||||
| 14.03.2024 | DarkCasino | DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. | Group | APT |
| Detour Dog | ||||
| 04.10.2025 | Detour Dog | GROUP | GROUP | GROUP |
| Diesel Vortex | ||||
| 01.03.2026 | Diesel Vortex | Diesel Vortex: Inside the Russian cybercrime group targeting US & EU freight | GROUP | GROUP |
| Dire Wolf | ||||
| 26.06.2025 | Dire Wolf | Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors | GROUP | GROUP |
| DPRK | ||||
| 17.10.2025 | DPRK | DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains | GROUP | GROUP |
| DragonForce | ||||
| 27.09.2024 | DragonForce | Inside the Dragon: DragonForce Ransomware Group | GROUP | RANSOMWARE |
| DragonRank | ||||
| 10.02.2025 | DragonRank | Trend Micro researchers observed an SEO manipulation campaign that highlights the need for organizations using Internet Information Services (IIS) to proactively update and patch systems to prevent exploitation by threat actors that use malware like BadIIS in their campaigns. | GROUP | Campaigns |
| 13.09.2024 | DragonRank | DragonRank, a Chinese-speaking SEO manipulator service provider | GROUP | GROUP |
| Earth Freybug | ||||
| 02.04.2024 | Earth Freybug | This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON. | Group | Group |
| Earth Krahang | ||||
| 27.03.2024 | Earth Krahang | Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Group | APT |
| Earth Lusca | ||||
| 27.03.2024 | Earth Lusca | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections | Group | APT |
| Elephant Beetle | ||||
| 25.03.2025 | Elephant Beetle | Elephant Beetle: Uncovering an Organized Financial-Theft Operation | GROUP | GROUP |
| 27.09.2024 | Embargo | Embargo Ransomware Group Strikes DME Delivers in Cyber Attack | GROUP | RANSOMWARE |
| Embargo | ||||
| Evasive Panda | ||||
| 07.03.2024 | Evasive Panda | Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations. | Group | APT |
| Everest Ransomware Group | ||||
| 10.04.2025 | Everest Ransomware Group | Threat Actor Profile | GROUP | Ransomware |
| ExCobalt | ||||
| 26.06.2024 | ExCobalt | ExCobalt: GoRed, the hidden-tunnel technique | GROUP | Cyber Gang |
| Famous Chollima | ||||
| 17.10.2025 | Famous Chollima | Famous Chollima deploying Python version of GolangGhost RAT | GROUP | GROUP |
| 27.03.2025 | FamousSparrow | You will always remember this as the day you finally caught FamousSparrow | GROUP | APT |
| FamousSparrow | ||||
| FANCY BEAR | ||||
| FIN6 | ||||
| 11.06.2025 | FIN6 | Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery | GROUP | GROUP |
| FIN7 | ||||
| 19.04.2024 | FIN7 | Threat Group FIN7 Targets the U.S. Automotive Industry | Group | APT |
| FIN9 | ||||
| 26.06.2024 | FIN9 | Inside the DEA Tool Hackers Allegedly Used to Extort Targets | GROUP | APT |
| 23.07.2024 | FLUXROOT | A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity,... | GROUP | HACKING |
| FLUXROOT | ||||
| 31.05.2024 | FlyingYeti | Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. | Group | Group |
| FlyingYeti | ||||
| GamaCopy | ||||
| 27.01.2025 | GamaCopy | Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military-related bait to launch attacks on Russia | GROUP | GROUP |
| Gamaredon | ||||
| 12.12.2024 | Gamaredon | Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. | GROUP | APT |
| GambleForce | ||||
| 06.02.2024 | GambleForce | Analysis of TTPs tied to GambleForce, which carried out SQL injection attacks against companies in the APAC region | Group | Group |
| Game of Emperor | ||||
| 26.11.2024 | Game of Emperor | Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions | GROUP | GROUP |
| Gelsemium | ||||
| 21.11.2024 | Gelsemium | Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine | GROUP | GROUP |
| GhostSec | ||||
| 06.03.2024 | GhostSec | GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. | Group | Ransomware |
| GhostWriter | ||||
| 07.06.2024 | GhostWriter | Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself. | GROUP | GROUP |
| GitCaught | ||||
| 21.05.2024 | GitCaught | GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure | Group | Group |
| GLOBAL GROUP | ||||
| 16.07.2025 | GLOBAL GROUP | GLOBAL GROUP: Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates | GROUP | RANSOMWARE |
| 11.04.2025 | GOFFEE | GOFFEE continues to attack organizations in Russia | GROUP | GROUP |
| GOFFEE | ||||
| GROUP123 | ||||
| Gunra Ransomware | ||||
| 09.05.2024 | Gunra Ransomware | At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and organizations. | GROUP | RANSOMWARE |
| 14.03.2026 | Handala Hack | Handala Hack is an online persona operated by Void Manticore (aka Red Sandstorm, Banished Kitten), an actor affiliated with Iranian Ministry of Intelligence and Security (MOIS) | GROUP | GROUP |
| Handala Hacking Team | ||||
| 27.07.2024 | Handala Hacking Team | Handala Hack: What We Know About the Rising Threat Actor | GROUP | GROUP |
| Hazy Hawk | ||||
| 20.05.2025 | Hazy Hawk | From banks to battalions: SideWinder’s attacks on South Asia’s public sector | GROUP | APT |
| Head Mare | ||||
| 21.03.2025 | Head Mare | Head Mare: adventures of a unicorn in Russia and Belarus | GROUP | GROUP |
| 05.09.2024 | Head Mare | Head Mare: adventures of a unicorn in Russia and Belarus | GROUP | GROUP |
| Hezi Rash | ||||
| 01.11.2025 | Hezi Rash | Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites | GROUP | GROUP |
| Hive0145 | ||||
| 04.10.2025 | Hive0145 | Hive0145 back in German inboxes with Strela Stealer and a backdoor | GROUP | GROUP |
| Hive0154 | ||||
| 27.06.2025 | Hive0154 | Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor | GROUP | GROUP |
| ChamelGang | ||||
| 27.06.2024 | ChamelGang | ChamelGang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware | Group | Gang |
| ITG05 | ||||
| 18.03.2024 | ITG05 | Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns | Group | Group |
| Jasper Sleet | ||||
| 08.03.2026 | Jasper Sleet | Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations | GROUP | GROUP |
| JavaGhost’s | ||||
| 04.03.2025 | JavaGhost’s | JavaGhost’s Persistent Phishing Attacks From the Cloud | GROUP | GROUP |
| JINX-0132 | ||||
| 03.06.2025 | JINX-0132 | The Wiz Threat Research team has identified a widespread cryptojacking campaign targeting commonly used DevOps applications including Nomad and Consul. | GROUP | GROUP |
| KADOKAWA | ||||
| 30.06.2024 | KADOKAWA | Service Outages on Multiple Websites of the KADOKAWA Gro | GROUP | GROUP |
| Kimsuky | ||||
| 24.03.2024 | Kimsuky | The Updated APT Playbook: Tales from the Kimsuky threat actor group | Group | APT |
| 06.03.2024 | Kimsuky | JOINT CYBERSECURITY ADVISORY North Korean Advanced Persistent Threat Focus: Kimsuky | Group | APT |
| Kinsing | ||||
| 18.05.2024 | Kinsing | Kinsing Demystified A Comprehensive Technical Guide | Group | Hacking |
| LARVA-208 | ||||
| 08.03.2025 | LARVA-208 | (EncryptHub) is a threat actor that has come to the forefront with highly sophisticated spear-phishing attacks since 26 June 2024. | GROUP | GROUP |
| Larva-24005 | ||||
| 22.04.2025 | Larva-24005 | During the breach investigation process, the AhnLab SEcurity intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005. | GROUP | APT Group Profiles |
| LightBasin | ||||
| 02.03.2024 | LightBasin | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. | Group | APT |
| LilacSquid | ||||
| 30.05.2024 | LilacSquid | The stealthy trilogy of PurpleInk, InkBox and InkLoader | Group | Group |
| LIMINAL PANDA | ||||
| 19.11.2024 | LIMINAL PANDA | Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector | GROUP | GROUP |
| LitterDrifter | ||||
| 03.02.2024 | LitterDrifter | Malware Spotlight – Into the Trash: Analyzing LitterDrifter | Group | Group |
| Lord Nemesis Strikes | ||||
| 26.03.2024 | Lord Nemesis Strikes | Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector | Group | Hacktivism |
| Lotus Panda | ||||
| 06.03.2025 | Lotus Panda | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools | GROUP | APT |
| Marko Polo | ||||
| 22.09.2024 | Marko Polo | “Marko Polo” Navigates Uncharted Waters With Infostealer Empire | GROUP | GROUP |
| 10.01.2025 | MirrorFace | China-linked threat actor named MirrorFace of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019. | GROUP | GROUP |
| MirrorFace | ||||
| 06.08.2024 | Moonstone Sleet | Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access | GROUP | GROUP |
| 29.05.2024 | Moonstone Sleet | Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks | Group | APT |
| Moonstone Sleet | ||||
| Muddled Libra | ||||
| 16.04.2024 | Muddled Libra | Muddled Libra also uses the legitimate scalability and native functionality of CSP services to create new resources to assist with data exfiltration. | Group | Group |
| MuddyWater | ||||
| 16.07.2024 | MuddyWater | MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign | GROUP | GROUP |
| MURKY PANDA | ||||
| 22.08.2025 | MURKY PANDA | MURKY PANDA: A Trusted-Relationship Threat in the Cloud | GROUP | GROUP |
| MUT-1244 | ||||
| 14.12.2024 | MUT-1244 | Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials | GROUP | GROUP |
| NARWHAL SPIDER | ||||
| 28.03.2024 | NARWHAL SPIDER | NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer. | Group | APT |
| NICKEL TAPESTRY | ||||
| 16.01.2025 | NICKEL TAPESTRY | NICKEL TAPESTRY Infrastructure Associated with Crowdfunding Scheme | GROUP | GROUP |
| NOVA | ||||
| 11.04.2025 | NOVA | Attackers use a fork of a popular stealer to target Russian companies | GROUP | GROUP |
| Patchwork | ||||
| 25.07.2024 | Patchwork | The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel C4 and an enhanced version of PGoShell | GROUP | GROUP |
| 02.03.2024 | Peach Sandstorm | Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. | Group | APT |
| Peach Sandstorm | ||||
| Phantom Taurus | ||||
| 04.10.2025 | Phantom Taurus | Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. | GROUP | GROUP |
| PoisonSeed | ||||
| 22.07.2025 | PoisonSeed | PoisonSeed downgrading FIDO key authentications to ‘fetch’ user accounts | GROUP | GROUP |
| Prolific Puma | ||||
| 23.07.2024 | Prolific Puma | Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma | GROUP | Ransomware |
| Proton66 | ||||
| 22.04.2025 | Proton66 | Proton66 Part 1: Mass Scanning and Exploit Campaigns | GROUP | GROUP |
| 04.04.2025 | Proton66 | Bulletproof Hosting Networks and Proton66 | GROUP | GROUP |
| PurpleBravo | ||||
| 22.01.2026 | PurpleBravo | PurpleBravo’s Targeting of the IT Software Supply Chain | GROUP | GROUP |
| RedCurl | ||||
| 26.03.2025 | RedCurl | In mid to late 2024, Huntress uncovered activity across several organizations in Canada, with similar infrastructure and TTPs used that can be associated with the APT group known as RedCurl (aka Earth Kapre and Red Wolf). | GROUP | APT |
| RedDelta | ||||
| 10.01.2025 | RedDelta | Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain | GROUP | GROUP |
| 25.09.2025 | RedNovember | RedNovember Targets Government, Defense, and Technology Organizations | GROUP | GROUP |
| RedNovember | ||||
| RomCom | ||||
| 26.11.2024 | RomCom | RomCom exploits Firefox and Windows zero days in the wild | GROUP | GROUP |
| Salt Typhoon | ||||
| 22.02.2025 | Salt Typhoon | Weathering the storm: In the midst of a Typhoon | GROUP | APT |
| Sapphire Slee | ||||
| 23.11.2024 | Sapphire Slee | Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | GROUP | GROUP |
| Sapphire Werewolf | ||||
| 11.04.2025 | Sapphire Werewolf | Sapphire Werewolf refines Amethyst stealer to attack energy companies | GROUP | GROUP |
| Scattered LAPSUS$ | ||||
| 13.09.2025 | Scattered LAPSUS$ | The Cybercrime Group Redefining Threats | GROUP | GROUP |
| Scattered LAPSUS$ Hunters | ||||
| 26.02.2026 | Scattered LAPSUS$ Hunters | Cyber Intel Brief: Scattered Lapsus$ Hunters (SLH) Kicks Off Campaign to Recruit Women | GROUP | GROUP |
| Scattered Spider | ||||
| 02.03.2024 | Scattered Spider | Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing. | Group | Hacking |
| Secret Blizzard | ||||
| 11.12.2024 | Secret Blizzard | Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine | GROUP | GROUP |
| 10.03.2026 | Sednit | Sednit reloaded: Back in the trenches | GROUP | GROUP |
| ShadowSyndicate | ||||
| 25.05.2024 | ShadowSyndicate | No sleep until the Cybercrime Fighters Club is done with finding the answer as to who is behind this new ransomware-as-a-service affiliate. | Group | Group |
| SHARP DRAGON | ||||
| 24.05.2024 | SHARP DRAGON | SHARP DRAGON EXPANDS TOWARDS AFRICA AND THE CARIBBEAN | Group | APT |
| Shuckworm | ||||
| 03.02.2024 | Shuckworm | Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine | Group | Group |
| Silk Typhoon | ||||
| 06.03.2025 | Silk Typhoon | Silk Typhoon targeting IT supply chain | GROUP | APT |
| SloppyLemming | ||||
| 03.03.2026 | SloppyLemming | SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistan, Sri Lanka, Bangladesh, and China. | GROUP | GROUP |
| Slow Pisces | ||||
| 15.04.2025 | Slow Pisces | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware | GROUP | GROUP |
| Space Pirates | ||||
| 25.05.2024 | Space Pirates | Space Pirates: analyzing the tools and connections of a new hacker group | Group | Group |
| Springtail | ||||
| 24.03.2024 | Springtail | Springtail APT group abuses valid certificate of known Korean public entity | Group | APT |
| Stan Ghouls | ||||
| 09.02.2026 | Stan Ghouls | Stan Ghouls targeting Russia and Uzbekistan with NetSupport RAT | GROUP | GROUP |
| Starry Addax | ||||
| 09.04.2024 | Starry Addax | Starry Addax targets human rights defenders in North Africa with new malware | Group | Group |
| Sticky Werewolf | ||||
| 10.06.2024 | Sticky Werewolf | Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks | GROUP | GROUP |
| Storm-0539 | ||||
| 27.05.2024 | Storm-0539 | Navigating cyberthreats and strengthening defenses in the era of AI | Group | Group |
| Storm-1811 | ||||
| 16.05.2024 | Storm-1811 | Threat actors misusing Quick Assist in social engineering attacks leading to ransomware | Group | Group |
| Storm-2372 | ||||
| 15.02.2025 | Storm-2372 | Storm-2372 conducts device code phishing campaign | GROUP | Phishing |
| 14.03.2026 | Storm-2561 | Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | GROUP | GROUP |
| Storm-2603 | ||||
| 15.02.2026 | Storm-2603 | Storm-2603 Exploits CVE-2026-23760 to Stage Warlock Ransomware | GROUP | GROUP |
| TA397 | ||||
| 17.12.2024 | TA397 | Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. | GROUP | GROUP |
| TA406 | ||||
| 13.05.2024 | TA406 | TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion. | GROUP | CAMPAIGN |
| 05.04.2026 | TA416 | I’d come running back to EU again: TA416 resumes European government espionage campaigns | GROUP | GROUP |
| TA450 | ||||
| 26.03.2024 | TA450 | Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign | Group | APT |
| TA453 | ||||
| 21.08.2024 | TA453 | Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset | GROUP | GROUP |
| TA4903 | ||||
| 07.03.2024 | TA4903 | TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids | Group | Phishing |
| TA547 | ||||
| 12.04.2024 | TA547 | Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer | Group | Group |
| TA577 | ||||
| 05.03.2024 | TA577 | TA577’s Unusual Attack Chain Leads to NTLM Data Theft | Group | Group |
| TA585 | ||||
| 16.10.2025 | TA585 | When the monster bytes: tracking TA585 and its arsenal | GROUP | GROUP |
| TAG-100 | ||||
| 18.07.2024 | TAG-100 | TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies | GROUP | GROUP |
| TAG-110 | ||||
| 27.05.2025 | TAG-110 | Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents | GROUP | GROUP |
| 22.11.2024 | TAG-110 | Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY | GROUP | GROUP |
| TAG-112 | ||||
| 22.11.2024 | TAG-112 | China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike | GROUP | GROUP |
| TAG-124 | ||||
| 04.10.2025 | TAG-124 | TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base | GROUP | GROUP |
| TAG-144 | ||||
| 27.08.2025 | TAG-144 | TAG-144’s Persistent Grip on South American Organizations | GROUP | GROUP |
| TAG-70 | ||||
| 19.02.2024 | TAG-70 | Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign | Group | Group |
| ToddyCat | ||||
| 25.11.2025 | ToddyCat | ToddyCat: your hidden email assistant. Part 1 | GROUP | GROUP |
| Tortoiseshell | ||||
| 01.03.2024 | Tortoiseshell | A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. | Group | Group |
| 26.04.2025 | ToyMaker | Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs | GROUP | IAB |
| ToyMaker | ||||
| TraderTraitor | ||||
| 27.02.2025 | TraderTraitor | TraderTraitor: North Korean State-Sponsored | GROUP | GROUP |
| TWELVE | ||||
| 21.09.2024 | TWELVE | -=TWELVE=- is back | GROUP | GROUP |
| UAC-0006 | ||||
| 31.05.2024 | UAC-0006 | UAC-0006 is a financially motivated threat actor that has been active since at least 2013. | Group | Group |
| UAC-0027 | ||||
| 03.02.2024 | UAC-0027 | UAC-0027 Attack Detection: Hackers Target Ukrainian Organizations Using DIRTYMOE (PURPLEFOX) Malware | Group | Group |
| UAC-0063 | ||||
| 25.01.2025 | UAC-0063 | UAC-0063: Cyber Espionage Operation Expanding from Central Asia | GROUP | GROUP |
| 14.01.2025 | UAC-0063 | Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations | GROUP | GROUP |
| 07.01.2026 | UAC-0184 | UAC-0184 | GROUP | GROUP |
| UAC-0184 | ||||
| UAC-0218 | ||||
| 10.10.2025 | UAC-0218 | UAC-0218 Attack Detection: Adversaries Steal Files Using HOMESTEEL Malware | GROUP | GROUP |
| UAC-0219 | ||||
| 10.10.2025 | UAC-0219 | UAC-0219 is a hacking group observed conducting cyber-espionage operations targeting Ukrainian critical sectors, primarily utilising WRECKSTEEL malware for file exfiltration in both VBScript and PowerShell variants. | GROUP | GROUP |
| UAC-0226 | ||||
| 10.10.2025 | UAC-0226 | UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. | GROUP | GROUP |
| 28.06.2025 | UAC-0226 | UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. | GROUP | GROUP |
| 03.04.2026 | UAT-10608 | UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications | GROUP | GROUP |
| UAT-5647 | ||||
| 27.10.2024 | UAT-5647 | UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants | GROUP | APT |
| UAT-5918 | ||||
| 21.03.2025 | UAT-5918 | UAT-5918 targets critical infrastructure entities in Taiwan | GROUP | GROUP |
| UAT-6382 | ||||
| 22.05.2025 | UAT-6382 | UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware | GROUP | GROUP |
| UAT-7237 | ||||
| 17.08.2025 | UAT-7237 | UAT-7237 targets Taiwanese web hosting infrastructure | GROUP | GROUP |
| UAT-7290 | ||||
| 08.01.2026 | UAT-7290 | UAT-7290 targets high value telecommunications infrastructure in South Asia | GROUP | GROUP |
| UAT-8099 | ||||
| 02.02.2026 | UAT-8099 | Dissecting UAT-8099: New persistence mechanisms and regional focus | GROUP | GROUP |
| 04.10.2025 | UAT-8099 | UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud | GROUP | GROUP |
| UAT-8837 | ||||
| 16.01.2026 | UAT-8837 | UAT-8837 targets critical infrastructure sectors in North America | GROUP | GROUP |
| UAT-9244 | ||||
| 06.03.2026 | UAT-9244 | UAT-9244 targets South American telecommunication providers with three new malware implants | GROUP | GROUP |
| UAT-9686 | ||||
| 25.01.2026 | UAT-9686 | UAT-9686 actively targets Cisco Secure Email Gateway and Secure Email and Web Manager | GROUP | GROUP |
| UAT-9921 | ||||
| 14.02.2026 | UAT-9921 | New threat actor, UAT-9921, leverages VoidLink framework in campaigns | GROUP | GROUP |
| UNC1069 | ||||
| 01.04.2026 | UNC1069 | North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack | GROUP | GROUP |
| 11.02.2026 | UNC1069 | UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering | GROUP | GROUP |
| 24.04.2025 | UNC1069 | (Active since at least April 2018), which targets diverse industries for financial gain using social engineering ploys by sending fake meeting invites and posing as investors from reputable companies on Telegram to gain access to victims' digital assets and cryptocurrency | GROUP | GROUP |
| UNC1151 | ||||
| 11.10.2025 | UNC1151 | UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests | GROUP | GROUP |
| 26.02.2025 | UNC1151 | UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence | GROUP | GROUP |
| UNC1549 | ||||
| 01.03.2024 | UNC1549 | When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors | BigBrother | CyberSpy |
| UNC1945 | ||||
| 06.03.2024 | UNC1945 | UNC1945 is an APT group that has been targeting telecommunications companies globally. | Group | APT |
| UNC2814 | ||||
| 26.02.2026 | UNC2814 | Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign | GROUP | GROUP |
| UNC302 | ||||
| 22.03.2024 | UNC302 | BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies | Group | Group |
| UNC3886 | ||||
| 10.02.2026 | UNC3886 | Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector | GROUP | GROUP |
| 19.06.2024 | UNC3886 | Cloaked and Covert: Uncovering UNC3886 Espionage Operations | GROUP | CAMPAIGN |
| 22.03.2024 | UNC3886 | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. | Group | Group |
| 01.03.2024 | UNC3886 | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. | Group | Group |
| UNC4736 | ||||
| 24.04.2025 | UNC4736 | UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. | GROUP | GROUP |
| UNC4899 | ||||
| 24.04.2025 | UNC4899 | (Active since 2022), which is known for orchestrating job-themed campaigns that deliver malware as part of a supposed coding assignment and has previously staged supply chain compromises for financial gain (Overlaps with Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor) | GROUP | GROUP |
| 14.06.2024 | UNC4899 | Insights on Cyber Threats Targeting Users and Enterprises in Brazil | GROUP | GROUP |
| UNC4990 | ||||
| 01.02.2024 | UNC4990 | Evolution of UNC4990: Uncovering USB Malware's Hidden Depths | Group | Group |
| UNC5142 | ||||
| 17.10.2025 | UNC5142 | New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware | GROUP | GROUP |
| UNC5174 | ||||
| 16.04.2025 | UNC5174 | UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell | GROUP | GROUP |
| 05.10.2025 | UNC5174 | UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK | GROUP | GROUP |
| UNC5221 | ||||
| 22.03.2024 | UNC5221 | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. | Group | Group |
| 02.02.2024 | UNC5221 | UNC5221: Unreported and Undetected WIREFIRE Web Shell Variant | Group | CyberSpy |
| UNC5342 | ||||
| 24.04.2025 | UNC5342 | (Active since at least December 2022), which is also known for employing job-related lures to trick developers into running malware-laced projects (Overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima) | GROUP | GROUP |
| UNC5537 | ||||
| 19.07.2024 | UNC5537 | UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion | GROUP | GROUP |
| 11.06.2024 | UNC5537 | UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion | GROUP | GROUP |
| UNC5812 | ||||
| 28.10.2024 | UNC5812 | Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives | GROUP | GROUP |
| UNC6040 | ||||
| 05.06.2025 | UNC6040 | The Cost of a Call: From Voice Phishing to Data Extortion | GROUP | GROUP |
| UNC6384 | ||||
| 01.11.2025 | UNC6384 | UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities | GROUP | GROUP |
| UNC6395 | ||||
| 27.08.2025 | UNC6395 | Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | GROUP | GROUP |
| Unfading Sea Haze | ||||
| 23.05.2024 | Unfading Sea Haze | Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea | Group | Group |
| Unfurling Hemlock | ||||
| 30.06.2024 | Unfurling Hemlock | Unfurling Hemlock: New threat group uses cluster bomb campaign to distribute malware | GROUP | GROUP |
| UNG0002 | ||||
| 19.07.2025 | UNG0002 | UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions | GROUP | APT |
| UNG0801 | ||||
| 27.12.2025 | UNG0801 | Key Targets. Industries Affected. Geographical Focus. Infection Chain – Operation IconCat. Infection Chain – I. Infection Chain – II. Campaign-Analysis – Operation IconCat. Campaign-I Initial Findings. Looking into the malicious PDF File. Technical Analysis. Malicious PyInstaller implant – PYTRIC... | GROUP | GROUP |
| Unit 29155 | ||||
| 09.09.2024 | Unit 29155 | Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure | GROUP | Military group |
| UNK_SmudgedSerpent | ||||
| 05.11.2025 | UNK_SmudgedSerpent | Crossed wires: a case study of Iranian espionage and attribution | GROUP | GROUP |
| UTA0178 | ||||
| 05.04.2024 | UTA0178 | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. | Group | Group |
| UTG-Q-010 | ||||
| 30.10.2025 | UTG-Q-010 | Cyber Warfare Amidst Gold's Skyrocketing Price: UTG-Q-010 Group's Supply Chain Attack Strike Directly at the Heart of HongKong's Financial Market | GROUP | GROUP |
| 21.08.2024 | UTG-Q-010 | UTG-Q-010: Targeted Attack Campaign Against the AI and Gaming Industry | GROUP | GROUP |
| Vane Viper | ||||
| 26.09.2025 | Vane Viper | DNS-Driven Insights into a Malicious Ad Network | GROUP | GROUP |
| Vanilla Tempest | ||||
| 17.10.2025 | Vanilla Tempest | Vice Society is a ransomware group that has been active since at least June 2021. | GROUP | RANSOMWARE |
| Venture Wolf | ||||
| 11.04.2025 | Venture Wolf | Venture Wolf attempts to disrupt Russian businesses with MetaStealer | GROUP | GROUP |
| VIGORISH VIPER | ||||
| 23.07.2024 | VIGORISH VIPER | GAMBLING IS NO GAME: DNS LINKS BETWEEN CHINESE ORGANIZED CRIME AND SPORTS SPONSORSHIPS | GROUP | GROUP |
| Virtual Invaders | ||||
| 11.04.2024 | Virtual Invaders | There is no indication that this campaign is linked to any known group; however, we are tracking the threat actors behind it under the moniker Virtual Invaders. | Group | Group |
| Void Banshee | ||||
| 16.07.2024 | Void Banshee | CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks | GROUP | GROUP |
| Void Blizzard | ||||
| 27.05.2025 | Void Blizzard | New Russia-affiliated actor Void Blizzard targets critical sectors for espionage | GROUP | GROUP |
| Void Manticore | ||||
| 21.05.2024 | Void Manticore | BAD KARMA, NO JUSTICE: VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL | Group | Group |
| Volt Typhoon | ||||
| 02.02.2024 | Volt Typhoon | [Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. | Group | Group |
| Warlock | ||||
| 12.10.2025 | Warlock | Warlock: Professional Development, China Ties, and the Multiple Variants it Planned from the Start | GROUP | RANSOMWARE |
| Water Makara | ||||
| 27.10.2024 | Water Makara | Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware | GROUP | GROUP |
| Weaver Ant | ||||
| 25.03.2025 | Weaver Ant | Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation | GROUP | GROUP |
| WIRTE | ||||
| 13.11.2024 | WIRTE | Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity | GROUP | GROUP |
| APT Targets Blockchain Companies |