← threatfilter.dev

ATT&CK Group Profiler — read-only lookup

The full interactive Group Profiler needs JavaScript and a 2 MB data fetch. If your workplace browser blocks either, this page is the read-only alternative: every group is rendered server-side with zero JS required. Bookmark it. curl it.

174 APT / ransomware / e-crime groups · MITRE ATT&CK 19.1 · static HTML, no XHR, no third-party requests

Pick a group below, or type a name/alias and submit.

All groups

  1. Kimsuky North Korea 130 TTPs Black Banshee · Velvet Chollima · Emerald Sleet · THALLIUM · APT43
  2. APT28 Russia 93 TTPs IRON TWILIGHT · SNAKEMACKEREL · Swallowtail · Group 74 · Sednit
  3. Lazarus Group North Korea 93 TTPs Labyrinth Chollima · HIDDEN COBRA · Guardians of Peace · ZINC · NICKEL ACADEMY
  4. Mustang Panda China 85 TTPs TA416 · RedDelta · BRONZE PRESIDENT · STATELY TAURUS · FIREANT
  5. Sandworm Team Russia 79 TTPs ELECTRUM · Telebots · IRON VIKING · BlackEnergy (Group) · Quedagh
  6. APT29 Russia 66 TTPs IRON RITUAL · IRON HEMLOCK · NobleBaron · Dark Halo · NOBELIUM
  7. Magic Hound Iran 78 TTPs TA453 · COBALT ILLUSION · Charming Kitten · ITG18 · Phosphorus
  8. OilRig Iran 76 TTPs COBALT GYPSY · IRN2 · APT34 · Helix Kitten · Evasive Serpens
  9. MuddyWater Iran 68 TTPs Earth Vetala · MERCURY · Static Kitten · Seedworm · TEMP.Zagros
  10. Turla Russia 68 TTPs IRON HUNTER · Group 88 · Waterbug · WhiteBear · Snake
  11. APT32 Vietnam 78 TTPs SeaLotus · OceanLotus · APT-C-00 · Canvas Cyclone · BISMUTH
  12. FIN7 67 TTPs GOLD NIAGARA · ITG14 · Carbon Spider · ELBRUS · Sangria Tempest
  13. APT41 China 82 TTPs Wicked Panda · Brass Typhoon · BARIUM
  14. Gamaredon Group Russia 70 TTPs IRON TILDEN · Primitive Bear · ACTINIUM · Armageddon · Shuckworm
  15. Volt Typhoon China 81 TTPs BRONZE SILHOUETTE · Vanguard Panda · DEV-0391 · UNC3236 · Voltzite
  16. Wizard Spider Russia 64 TTPs UNC1878 · TEMP.MixMaster · Grim Spider · FIN12 · GOLD BLACKBURN
  17. Scattered Spider 64 TTPs Roasted 0ktapus · Octo Tempest · Storm-0875 · UNC3944
  18. Dragonfly Russia 56 TTPs TEMP.Isotope · DYMALLOY · Berserk Bear · TG-4192 · Crouching Yeti
  19. VOID MANTICORE Iran 63 TTPs COBALT MYSTIQUE · Handala Hack · Homeland Justice · Karma · Karmabelow80
  20. Contagious Interview North Korea 54 TTPs DeceptiveDevelopment · Gwisin Gang · Tenacious Pungsan · DEV#POPPER · PurpleBravo
  21. Threat Group-3390 China 57 TTPs Earth Smilodon · TG-3390 · Emissary Panda · BRONZE UNION · APT27
  22. APT38 North Korea 56 TTPs NICKEL GLADSTONE · BeagleBoyz · Bluenoroff · Stardust Chollima · Sapphire Sleet
  23. TeamTNT 56 TTPs
  24. APT39 Iran 53 TTPs ITG07 · Chafer · Remix Kitten
  25. Medusa Group 57 TTPs
  26. Chimera China 59 TTPs
  27. Leviathan China 50 TTPs MUDCARP · Kryptonite Panda · Gadolinium · BRONZE MOHAWK · TEMP.Jumper
  28. menuPass China 46 TTPs Cicada · POTASSIUM · Stone Panda · APT10 · Red Apollo
  29. APT3 China 44 TTPs Gothic Panda · Pirpi · UPS Team · Buckeye · Threat Group-0110
  30. FIN13 53 TTPs Elephant Beetle
  31. BlackByte 48 TTPs Hecamede
  32. Ke3chang China 46 TTPs APT15 · Mirage · Vixen Panda · GREF · Playful Dragon
  33. UNC3886 China 49 TTPs
  34. Ember Bear Russia 47 TTPs UNC2589 · Bleeding Bear · DEV-0586 · Cadet Blizzard · Frozenvista
  35. HAFNIUM China 44 TTPs Operation Exchange Marauder · Silk Typhoon
  36. FIN6 40 TTPs Magecart Group 6 · ITG08 · Skeleton Spider · TAAL · Camouflage Tempest
  37. MirrorFace China 43 TTPs Earth Kasha
  38. Patchwork 41 TTPs Hangover Group · Dropping Elephant · Chinastrats · MONSOON · Operation Hangover
  39. Tropic Trooper China 40 TTPs Pirate Panda · KeyBoy
  40. Cobalt Group 34 TTPs GOLD KINGSWOOD · Cobalt Gang · Cobalt Spider
  41. Earth Lusca China 44 TTPs TAG-22 · Charcoal Typhoon · CHROMIUM · ControlX
  42. Fox Kitten Iran 41 TTPs UNC757 · Parisite · Pioneer Kitten · RUBIDIUM · Lemon Sandstorm
  43. LAPSUS$ 43 TTPs DEV-0537 · Strawberry Tempest
  44. TA505 34 TTPs Hive0065 · Spandex Tempest · CHIMBORAZO
  45. Storm-0501 42 TTPs
  46. RedCurl 41 TTPs
  47. APT-C-36 38 TTPs Blind Eagle · TAG-144 · AguilaCiega · APT-Q-98
  48. BRONZE BUTLER China 40 TTPs REDBALDKNIGHT · Tick
  49. HEXANE 36 TTPs Lyceum · Siamesekitten · Spirlin
  50. FIN8 36 TTPs Syssphinx
  51. Indrik Spider Russia 33 TTPs Evil Corp · Manatee Tempest · DEV-0243 · UNC2165
  52. Rocke China 36 TTPs
  53. APT5 China 29 TTPs Mulberry Typhoon · MANGANESE · BRONZE FLEETWOOD · Keyhole Panda · UNC2630
  54. APT33 Iran 31 TTPs HOLMIUM · Elfin · Peach Sandstorm
  55. Aquatic Panda China 35 TTPs
  56. APT37 North Korea 29 TTPs InkySquid · ScarCruft · Reaper · Group123 · TEMP.Reaper
  57. APT42 Iran 32 TTPs
  58. ZIRCONIUM China 29 TTPs APT31 · Violet Typhoon
  59. GALLIUM China 31 TTPs Granite Typhoon
  60. Sidewinder India 30 TTPs T-APT-04 · Rattlesnake
  61. Storm-1811 31 TTPs
  62. Silence 28 TTPs Whisper Spider
  63. Darkhotel South Korea 24 TTPs DUBNIUM · Zigzag Hail
  64. INC Ransom 25 TTPs GOLD IONIC
  65. Sea Turtle 27 TTPs Teal Kurma · Marbled Dust · Cosmic Wolf · SILICON
  66. TA2541 28 TTPs
  67. Winter Vivern Russia 27 TTPs TA473 · UAC-0114
  68. Higaisa South Korea 28 TTPs
  69. Moonstone Sleet North Korea 30 TTPs Storm-1789
  70. LuminousMoth China 28 TTPs
  71. WIRTE 26 TTPs Ashen Lepus
  72. Play 26 TTPs
  73. Agrius Iran 22 TTPs Pink Sandstorm · AMERICIUM · Agonizing Serpens · BlackShadow
  74. APT1 China 23 TTPs Comment Crew · Comment Group · Comment Panda
  75. APT19 China 21 TTPs Codoso · C0d0so0 · Codoso Team · Sunshop Group
  76. Lotus Blossom China 21 TTPs DRAGONFISH · Spring Dragon · RADIUM · Raspberry Typhoon · Bilbug
  77. ToddyCat 25 TTPs
  78. Cinnamon Tempest China 19 TTPs DEV-0401 · Emperor Dragonfly · BRONZE STARLIGHT
  79. Inception Russia 22 TTPs Inception Framework · Cloud Atlas
  80. Akira 17 TTPs GOLD SAHARA · PUNK SPIDER · Howling Scorpius
  81. CURIUM Iran 19 TTPs Crimson Sandstorm · TA456 · Tortoise Shell · Yellow Liderc
  82. Star Blizzard Russia 20 TTPs SEABORGIUM · Callisto Group · TA446 · COLDRIVER
  83. Tonto Team China 15 TTPs Earth Akhlut · BRONZE HUNTLEY · CactusPete · Karma Panda
  84. Velvet Ant 22 TTPs
  85. Blue Mockingbird 22 TTPs
  86. Windshift 19 TTPs Bahamut
  87. Confucius 19 TTPs Confucius APT
  88. Molerats 16 TTPs Operation Molerats · Gaza Cybergang
  89. Andariel North Korea 12 TTPs Silent Chollima · PLUTONIUM · Onyx Sleet
  90. Axiom China 16 TTPs Group 72
  91. BlackTech China 14 TTPs Palmerworm
  92. Daggerfly China 17 TTPs Evasive Panda · BRONZE HIGHLAND
  93. LazyScripter 20 TTPs
  94. Transparent Tribe Pakistan 14 TTPs COPPER FIELDSTONE · APT36 · Mythic Leopard · ProjectM
  95. BITTER 16 TTPs T-APT-17
  96. Saint Bear Russia 18 TTPs Storm-0587 · TA471 · UAC-0056 · Lorec53
  97. Leafminer Iran 17 TTPs Raspite
  98. Naikon China 14 TTPs
  99. Silent Librarian 13 TTPs TA407 · COBALT DICKENS
  100. Mustard Tempest 12 TTPs DEV-0206 · TA569 · GOLD PRELUDE · UNC1543
  101. APT18 China 12 TTPs TG-0416 · Dynamite Panda · Threat Group-0416
  102. Carbanak 9 TTPs Anunak
  103. EXOTIC LILY 15 TTPs
  104. Gorgon Group Pakistan 16 TTPs
  105. SideCopy Pakistan 16 TTPs
  106. Stealth Falcon 16 TTPs
  107. TA551 14 TTPs GOLD CABIN · Shathak
  108. BackdoorDiplomacy 15 TTPs
  109. Deep Panda China 10 TTPs Shell Crew · WebMasters · KungFu Kittens · PinkPanther · Black Vine
  110. Salt Typhoon China 14 TTPs
  111. FIN4 12 TTPs
  112. Machete 11 TTPs APT-C-43 · El Machete
  113. Moses Staff Iran 12 TTPs DEV-0500 · Marigold Sandstorm
  114. PROMETHIUM 11 TTPs StrongPity
  115. FIN5 11 TTPs
  116. GOLD SOUTHFIELD 9 TTPs Pinchy Spider
  117. Malteiro 12 TTPs
  118. PLATINUM 11 TTPs
  119. admin@338 China 12 TTPs
  120. CopyKittens Iran 8 TTPs
  121. Dark Caracal 12 TTPs
  122. Elderwood China 9 TTPs Elderwood Gang · Beijing Group · Sneaky Panda
  123. FIN10 11 TTPs
  124. Evilnum 11 TTPs
  125. Ajax Security Team Iran 6 TTPs Operation Woolen-Goldfish · AjaxTM · Rocket Kitten · Flying Kitten · Operation Saffron Rose
  126. DarkVishnya 10 TTPs
  127. Nomadic Octopus Russia 7 TTPs DustSquad
  128. Rancor 9 TTPs
  129. Winnti Group China 6 TTPs Blackfly
  130. Aoqin Dragon China 9 TTPs
  131. DarkHydrus 7 TTPs
  132. IndigoZebra China 7 TTPs
  133. Metador 9 TTPs
  134. RTM Russia 7 TTPs
  135. Sowbug 9 TTPs
  136. Whitefly 9 TTPs
  137. Windigo 7 TTPs
  138. MoustachedBouncer 8 TTPs
  139. POLONIUM 7 TTPs Plaid Rain
  140. Poseidon Group 8 TTPs
  141. APT12 China 5 TTPs IXESHE · DynCalc · Numbered Panda · DNSCALC
  142. The White Company 7 TTPs
  143. AppleJeus North Korea 2 TTPs Gleaming Pisces · Citrine Sleet · UNC1720 · UNC4736
  144. Cleaver Iran 5 TTPs Threat Group 2889 · TG-2889
  145. Ferocious Kitten Iran 6 TTPs
  146. Gallmaker 6 TTPs
  147. Mofang China 6 TTPs
  148. RedEcho China 5 TTPs
  149. Suckfly China 5 TTPs
  150. TA577 6 TTPs
  151. Volatile Cedar 5 TTPs Lebanese Cedar
  152. Equation 4 TTPs
  153. Putter Panda China 4 TTPs APT2 · MSUpdater
  154. SilverTerrier 4 TTPs
  155. Strider China 3 TTPs ProjectSauron
  156. TA459 China 5 TTPs
  157. TA578 4 TTPs
  158. Water Galura 3 TTPs GOLD FEATHER
  159. APT-C-23 0 TTPs Mantis · Arid Viper · Desert Falcon · TAG-63 · Grey Karkadann
  160. Group5 Iran 4 TTPs
  161. Orangeworm 2 TTPs
  162. TEMP.Veles 0 TTPs XENOTIME
  163. Threat Group-1314 4 TTPs TG-1314
  164. Thrip 4 TTPs
  165. APT30 China 2 TTPs
  166. BlackOasis 1 TTPs
  167. PittyTiger China 2 TTPs
  168. APT17 China 2 TTPs Deputy Dog
  169. GCMAN 2 TTPs
  170. NEODYMIUM 0 TTPs
  171. APT16 China 1 TTPs
  172. DragonOK 0 TTPs
  173. Moafee China 1 TTPs
  174. Scarlet Mimic 1 TTPs

Kimsuky

G0094 North Korea Espionage MITRE →

Also known as: Black Banshee · Velvet Chollima · Emerald Sleet · THALLIUM · APT43 · TA427 · Springtail · Earth Kumiho · PatheticSlug

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc…

Targets: Defense · Diplomacy · Education · Energy · Government · Media · Private sector · Research - Innovation

Regions: Germany · Korea Institute for Defense Analyses · Ministry of Unification · Sejong Institute

TTPs (130 techniques across 15 tactics)

Resource Development

Execution

Privilege Escalation

Lateral Movement

Impact

Tools/malware: Troll Stealer · HTTPTroy · schtasks · certutil · Amadey · GoBear · Brave Prince · CSPY Downloader · gh0st RAT · AppleSeed · Gomir · NOKKI · QuasarRAT · Gold Dragon · PsExec · KGH_SPY · Mimikatz · BabyShark · TRANSLATEXT


APT28

G0007 Russia Espionage MITRE →

Also known as: IRON TWILIGHT · SNAKEMACKEREL · Swallowtail · Group 74 · Sednit · Sofacy · Pawn Storm · Fancy Bear · STRONTIUM · Tsar Team · Threat Group-4127 · TG-4127

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for…

Targets: Government · Military · Security Service

Regions: Afghanistan · Armenia · Asia Pacific Economic Cooperation · Belgium · China · European Commission · France · Georgia · Germany · Hungary · International Association of Athletics Federations · Japan

TTPs (93 techniques across 15 tactics)

Resource Development

Defense Impairment

Credential Access

Tools/malware: Wevtutil · certutil · CHOPSTICK · Net · Forfiles · DealersChoice · Mimikatz · ADVSTORESHELL · Cannon · Komplex · HIDEDRV · JHUHUGIT · Koadic · Winexe · Responder · cipher.exe · XTunnel · Drovorub · LAMEHUG · Tor · CORESHELL · OLDBAIT · Downdelph · XAgentOSX · +5 more


Lazarus Group

G0032 North Korea Espionage · Sabotage MITRE →

Also known as: Labyrinth Chollima · HIDDEN COBRA · Guardians of Peace · ZINC · NICKEL ACADEMY · Diamond Sleet

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and…

Targets: Government · Private sector

Regions: Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India

TTPs (93 techniques across 14 tactics)

Reconnaissance

Resource Development

Defense Impairment

Credential Access

Lateral Movement

Tools/malware: RawDisk · Proxysvc · BADCALL · FALLCHILL · WannaCry · MagicRAT · HOPLIGHT · TYPEFRAME · Dtrack · HotCroissant · HARDRAIN · Dacls · KEYMARBLE · TAINTEDSCRIBE · AuditCred · netsh · ECCENTRICBANDWAGON · AppleJeus · route · BLINDINGCAN · ThreatNeedle · Volgmer · Cryptoistic · Responder · +2 more


Mustang Panda

G0129 China Espionage MITRE →

Also known as: TA416 · RedDelta · BRONZE PRESIDENT · STATELY TAURUS · FIREANT · CAMARO DRAGON · EARTH PRETA · HIVE0154 · TWILL TYPHOON · TANTALUM · LUMINOUS MOTH · UNC6384

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.

Targets: Civil society

Regions: Germany · United States

TTPs (85 techniques across 14 tactics)

Reconnaissance

Resource Development

Initial Access

Persistence

Defense Impairment

Credential Access

Lateral Movement

Tools/malware: CANONSTAGER · STATICPLUGIN · ShadowPad · TONESHELL · Cobalt Strike · HIUPAN · Impacket · SplatCloak · PAKLOG · Wevtutil · AdFind · CLAIMLOADER · Mimikatz · PUBLOAD · StarProxy · CorKLOG · RCSession · NBTscan · PoisonIvy · SplatDropper · BOOKWORM · China Chopper · PlugX


Sandworm Team

G0034 Russia Espionage MITRE →

Also known as: ELECTRUM · Telebots · IRON VIKING · BlackEnergy (Group) · Quedagh · Voodoo Bear · IRIDIUM · Seashell Blizzard · FROZENBARENTS · APT44

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009. In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks…

Targets: Energy · Government · Industrial · Private sector

Regions: Azerbaijan · Belarus · Georgia · Iran · Israel · Kazakhstan · Kyrgyzstan · Lithuania · Poland · Russia · Ukraine

TTPs (79 techniques across 13 tactics)

Resource Development

Persistence

Credential Access

Lateral Movement

Collection

Command and Control

Exfiltration

Tools/malware: Bad Rabbit · Mimikatz · Exaramel for Linux · Exaramel for Windows · GreyEnergy · PsExec · Prestige · P.A.S. Webshell · AcidPour · VPNFilter · Neo-reGeorg · Cyclops Blink · SDelete · Empire · Kapeka · AcidRain · Industroyer · Industroyer2 · BlackEnergy · Cobalt Strike · NotPetya · KillDisk · Net · PoshC2 · +3 more


APT29

G0016 Russia Espionage MITRE →

Also known as: IRON RITUAL · IRON HEMLOCK · NobleBaron · Dark Halo · NOBELIUM · UNC2452 · YTTRIUM · The Dukes · Cozy Bear · CozyDuke · SolarStorm · Blue Kitsune

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.

Targets: Government · Private sector · Think Tanks

Regions: Belgium · Brazil · China · Georgia · Germany · India · Japan · Kazakhstan · Mexico · New Zealand · Portugal · Romania

TTPs (66 techniques across 13 tactics)

Reconnaissance

Resource Development

Stealth

Defense Impairment

Discovery

Lateral Movement

Collection

Command and Control

Tools/malware: PinchDuke · ROADTools · WellMail · CozyCar · Mimikatz · meek · TrailBlazer · Tasklist · OnionDuke · FatDuke · POSHSPY · EnvyScout · SoreFang · GeminiDuke · reGeorg · BloodHound · GoldMax · FoggyWeb · SDelete · PolyglotDuke · AADInternals · MiniDuke · TEARDROP · SeaDuke · +25 more


Magic Hound

G0059 Iran Espionage MITRE →

Also known as: TA453 · COBALT ILLUSION · Charming Kitten · ITG18 · Phosphorus · Newscaster · APT35 · Mint Sandstorm

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.

Targets: Defense · Diplomacy · Government · Military · Technology

Regions: Iraq · Israel · Saudi Arabia · U.S. government/defense sector websites · United Kingdom

TTPs (78 techniques across 14 tactics)

Reconnaissance

Resource Development

Execution

Credential Access

Lateral Movement

Exfiltration

Tools/malware: Net · Impacket · Ping · CharmPower · FRP · Mimikatz · Systeminfo · ipconfig · netsh · PowerLess · Pupy · DownPaper · PsExec


OilRig

G0049 Iran Espionage MITRE →

Also known as: COBALT GYPSY · IRN2 · APT34 · Helix Kitten · Evasive Serpens · Hazel Sandstorm · EUROPIUM · ITG13 · Earth Simnavaz · Crambus · TA452

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

Targets: Chemical · Civil society · Defense · Education · Energy · Engineering · Finance · Government · Other · Private sector · Technology · Telecommunications

Regions: Canada · China · France · Germany · India · Iraq · Israel · Kuwait · Lebanon · Mexico · Middle East · Pakistan

TTPs (76 techniques across 13 tactics)

Resource Development

Persistence

Privilege Escalation

Defense Impairment

Lateral Movement

Command and Control

Tools/malware: ISMInjector · ODAgent · RDAT · Systeminfo · QUADAGENT · OopsIE · ngrok · Tasklist · Net · certutil · ZeroCleare · Reg · POWRUNER · netstat · Solar · ipconfig · LaZagne · BONDUPDATER · SideTwist · Helminth · Mango · OilBooster · SampleCheck5000 · PsExec · +6 more


MuddyWater

G0069 Iran Espionage MITRE →

Also known as: Earth Vetala · MERCURY · Static Kitten · Seedworm · TEMP.Zagros · Mango Sandstorm · TA450 · MuddyKrill

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2)…

Targets: Government

Regions: Georgia · India · Iraq · Israel · Pakistan · Saudi Arabia · Turkey · United Arab Emirates · United States

TTPs (68 techniques across 14 tactics)

Reconnaissance

Resource Development

Privilege Escalation

Stealth

Defense Impairment

Collection

Tools/malware: MuddyViper · STARWHALE · LP-Notes · POWERSTATS · Rclone · Out1 · Tsundere Botnet · PowerSploit · Small Sieve · Fooder · Mori · Mimikatz · LaZagne · PowGoop · CrackMapExec · ConnectWise · SHARPSTATS · Empire · RustyWater · RemoteUtilities · Koadic


Turla

G0010 Russia Espionage MITRE →

Also known as: IRON HUNTER · Group 88 · Waterbug · WhiteBear · Snake · Krypton · Venomous Bear · Secret Blizzard · BELUGASTURGEON

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.

Targets: Education · Energy · Government · Healthcare · Military · Private sector

Regions: Belarus · France · Germany · India · Iran · Iraq · Kazakhstan · Netherlands · Poland · Romania · Russia · Saudi Arabia

TTPs (68 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Credential Access

Lateral Movement

Command and Control

Exfiltration

Tools/malware: PsExec · nbtstat · ComRAT · netstat · certutil · Empire · Mosquito · KOPILUWAK · IronNetInjector · LunarWeb · Arp · Crutch · Uroburos · PowerStallion · Gazer · Kazuar · Systeminfo · LightNeuron · Carbon · Mimikatz · Tasklist · LunarMail · Net · Reg · +6 more


APT32

G0050 Vietnam Espionage MITRE →

Also known as: SeaLotus · OceanLotus · APT-C-00 · Canvas Cyclone · BISMUTH

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.

Targets: Civil society · Dissidents · Government · Journalists · Private sector

Regions: Association of Southeast Asian Nations · China · Germany · Philippines · United States · Vietnam

TTPs (78 techniques across 14 tactics)

Reconnaissance

Resource Development

Initial Access

Privilege Escalation

Stealth

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: Mimikatz · ipconfig · Kerrdown · Cobalt Strike · SOUNDBITE · OSX_OCEANLOTUS.D · KOMPROGO · netsh · RotaJakiro · PHOREAL · Arp · WINDSHIELD · Denis · Net · Goopy


FIN7

G0046 Financial gain MITRE →

Also known as: GOLD NIAGARA · ITG14 · Carbon Spider · ELBRUS · Sangria Tempest

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading…

TTPs (67 techniques across 15 tactics)

Reconnaissance

Resource Development

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Collection

Exfiltration

Tools/malware: GRIFFON · Mimikatz · AdFind · JSS Loader · HALFBAKED · REvil · PowerSploit · CrackMapExec · Carbanak · Pillowmint · Cobalt Strike · Maze · POWERSOURCE · RDFSNIFFER · SQLRat · Lizar · TEXTMATE · BOOSTWRITE · SystemBC


APT41

G0096 China MITRE →

Also known as: Wicked Panda · Brass Typhoon · BARIUM

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries. Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.

Targets: Automotive · Business · Cryptocurrency · Education · Energy · Finance · Healthcare · High-Tech · Intergovernmental · Media · Pharmaceuticals · Private sector

Regions: China · France · Hong Kong · India · Italy · Japan · Myanmar · Netherlands · Singapore · South Africa · South Korea · Switzerland

TTPs (82 techniques across 15 tactics)

Reconnaissance

Resource Development

Privilege Escalation

Credential Access

Lateral Movement

Collection

Command and Control

Exfiltration

Tools/malware: ASPXSpy · BITSAdmin · PlugX · Impacket · gh0st RAT · netstat · PowerSploit · ZxShell · KEYPLUG · Ping · LightSpy · DUSTPAN · Net · ipconfig · sqlmap · China Chopper · ShadowPad · MESSAGETAP · Mimikatz · certutil · njRAT · Empire · Cobalt Strike · pwdump · +8 more


Gamaredon Group

G0047 Russia MITRE →

Also known as: IRON TILDEN · Primitive Bear · ACTINIUM · Armageddon · Shuckworm · DEV-0157 · Aqua Blizzard · NastyShrew

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns. In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.

Targets: Government

Regions: Germany · Ukraine

TTPs (70 techniques across 12 tactics)

Resource Development

Initial Access

Execution

Defense Impairment

Impact

Tools/malware: QuietSieve · Pteranodon · Remcos · Ping · Reg · PowerPunch


Volt Typhoon

G1017 China MITRE →

Also known as: BRONZE SILHOUETTE · Vanguard Panda · DEV-0391 · UNC3236 · Voltzite · Insidious Taurus · DazedToad

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials. The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated…

TTPs (81 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: netsh · PsExec · ipconfig · Wevtutil · VersaMem · Tasklist · Mimikatz · Ping · Impacket · Systeminfo · netstat · Nltest · certutil · Reg · FRP · cmd · Net


Wizard Spider

G0102 Russia MITRE →

Also known as: UNC1878 · TEMP.MixMaster · Grim Spider · FIN12 · GOLD BLACKBURN · ITG23 · Periwinkle Tempest · DEV-0193 · Pistachio Tempest · DEV-0237

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.

Targets: Defense · Finance · Government · Healthcare · Telecommunications

Regions: Australia · Bahamas · Canada · Costa Rica · France · Germany · India · Ireland · Italy · Japan · Mexico · New Zealand

TTPs (64 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Defense Impairment

Credential Access

Collection

Command and Control

Tools/malware: TrickBot · AdFind · BITSAdmin · SystemBC · BloodHound · Ping · Bazar · LaZagne · Nltest · GrimAgent · Dyre · Ryuk · Conti · Emotet · Rubeus · Mimikatz · Anchor · Diavol · Net · Empire · PsExec · Cobalt Strike


Scattered Spider

G1015 MITRE →

Also known as: Roasted 0ktapus · Octo Tempest · Storm-0875 · UNC3944

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial…

TTPs (64 techniques across 14 tactics)

Resource Development

Execution

Privilege Escalation

Stealth

Lateral Movement

Command and Control

Tools/malware: WarzoneRAT · Rclone · LaZagne · Tor · Mimikatz · Raccoon Stealer · ngrok · BlackCat · ConnectWise

Reporting (3)

Dragonfly

G0035 Russia Espionage MITRE →

Also known as: TEMP.Isotope · DYMALLOY · Berserk Bear · TG-4192 · Crouching Yeti · IRON LIBERTY · Energetic Bear · Ghost Blizzard · BROMINE

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.

Targets: Energy · Government · Private sector

Regions: China · France · Germany · Ireland · Italy · Japan · Poland · Spain · Turkey · United States

TTPs (56 techniques across 12 tactics)

Reconnaissance

Resource Development

Stealth

Credential Access

Lateral Movement

Command and Control

Tools/malware: MCMD · Net · Impacket · CrackMapExec · Reg · Backdoor.Oldrea · Mimikatz · PsExec · Trojan.Karagany · netsh

Reporting (3)

VOID MANTICORE

G1055 Iran Espionage · Information operations · Sabotage MITRE →

Also known as: COBALT MYSTIQUE · Handala Hack · Homeland Justice · Karma · Karmabelow80 · BANISHED KITTEN · Red Sandstorm

VOID MANTICORE is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS). Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States. VOID MANTICORE conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including HomeLand Justice in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including…

Targets: Civil society · Education · Government · Healthcare · High-Tech · Media · NGOs · Pharmaceuticals · Telecommunications

Regions: Europe · Israel · Middle East · United States

TTPs (63 techniques across 14 tactics)

Resource Development

Defense Impairment

Credential Access

Discovery

Lateral Movement

Command and Control

Exfiltration

Reporting (3)

Contagious Interview

G1052 North Korea MITRE →

Also known as: DeceptiveDevelopment · Gwisin Gang · Tenacious Pungsan · DEV#POPPER · PurpleBravo · TAG-121

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.

TTPs (54 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Command and Control

Impact

Tools/malware: InvisibleFerret · BeaverTail · XORIndex Loader · HexEval Loader

Reporting (3)

Threat Group-3390

G0027 China Espionage MITRE →

Also known as: Earth Smilodon · TG-3390 · Emissary Panda · BRONZE UNION · APT27 · Iron Tiger · LuckyMouse · Linen Typhoon

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.

Targets: Defense · Government · Private sector · Technology

Regions: Australia · Canada · China · France · India · Iran · Israel · Japan · Russia · South Korea · Taiwan · Thailand

TTPs (57 techniques across 13 tactics)

Resource Development

Defense Impairment

Credential Access

Command and Control

Tools/malware: Net · Systeminfo · gsecdump · PlugX · ASPXSpy · Cobalt Strike · Mimikatz · Impacket · gh0st RAT · certutil · China Chopper · HTTPBrowser · Tasklist · netstat · SysUpdate · HyperBro · ZxShell · RCSession · ipconfig · Clambling · pwdump · NBTscan · Pandora · Windows Credential Editor

Reporting (3)

APT38

G0082 North Korea Espionage · Sabotage MITRE →

Also known as: NICKEL GLADSTONE · BeagleBoyz · Bluenoroff · Stardust Chollima · Sapphire Sleet · COPERNICIUM

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext and Banco de Chile; some of their attacks have been destructive. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the…

Targets: Government · Private sector

Regions: Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India

TTPs (56 techniques across 12 tactics)

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Stealth

Credential Access

Collection

Command and Control

Tools/malware: ECCENTRICBANDWAGON · Net · HOPLIGHT · Mimikatz · KillDisk · DarkComet

Reporting (3)

TeamTNT

G0139 MITRE →

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.

TTPs (56 techniques across 14 tactics)

Reconnaissance

Resource Development

Execution

Privilege Escalation

Credential Access

Lateral Movement

  • T1021.004 SSH

Collection

Command and Control

Impact

Tools/malware: Peirates · MimiPenguin · LaZagne · Hildegard

Reporting (3)

APT39

G0087 Iran MITRE →

Also known as: ITG07 · Chafer · Remix Kitten

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.

TTPs (53 techniques across 13 tactics)

Resource Development

Execution

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Exfiltration

Tools/malware: NBTscan · MechaFlounder · Remexi · CrackMapExec · pwdump · Mimikatz · Windows Credential Editor · Cadelspy · PsExec · ASPXSpy · ftp

Reporting (3)

Medusa Group

G1051 MITRE →

Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. For initial access, Medusa…

TTPs (57 techniques across 13 tactics)

Resource Development

Initial Access

Persistence

Privilege Escalation

Stealth

Credential Access

Lateral Movement

Command and Control

Exfiltration

Tools/malware: certutil · Rclone · Medusa Ransomware · Mimikatz · PsExec

Reporting (3)

Chimera

G0114 China MITRE →

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.

TTPs (59 techniques across 12 tactics)

Reconnaissance

Resource Development

Persistence

Stealth

Defense Impairment

Credential Access

Command and Control

Tools/malware: PsExec · BloodHound · esentutl · Net · Mimikatz · Cobalt Strike

Reporting (2)

Leviathan

G0065 China Espionage MITRE →

Also known as: MUDCARP · Kryptonite Panda · Gadolinium · BRONZE MOHAWK · TEMP.Jumper · APT40 · TEMP.Periscope · Gingham Typhoon

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.

Targets: Government · Private sector

Regions: Asia Pacific Economic Cooperation · Belgium · Cambodia · Germany · Hong Kong · Malaysia · Norway · Philippines · Saudi Arabia · Switzerland · The Philippines · United Kingdom

TTPs (50 techniques across 13 tactics)

Reconnaissance

Resource Development

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: Windows Credential Editor · BITSAdmin · HOMEFRY · Derusbi · at · BLACKCOFFEE · BADFLICK · Empire · gh0st RAT · Net · PowerSploit · MURKYTOP · NanHaiShu · Orz · Cobalt Strike · China Chopper · Tor

Reporting (3)

APT3

G0022 China Espionage MITRE →

Also known as: Gothic Panda · Pirpi · UPS Team · Buckeye · Threat Group-0110 · TG-0110

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

Targets: Political party · Private sector

Regions: Hong Kong · United Kingdom · United States

TTPs (44 techniques across 11 tactics)

Initial Access

Execution

Privilege Escalation

Stealth

Credential Access

Lateral Movement

Collection

Exfiltration

Tools/malware: OSInfo · schtasks · PlugX · LaZagne · SHOTPUT · RemoteCMD

Reporting (3)

FIN13

G1016 MITRE →

Also known as: Elephant Beetle

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.

TTPs (53 techniques across 13 tactics)

Reconnaissance

Resource Development

Initial Access

Execution

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Impact

Tools/malware: Impacket · Mimikatz · Empire · certutil

Reporting (2)

BlackByte

G1043 MITRE →

Also known as: Hecamede

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.

TTPs (48 techniques across 14 tactics)

Resource Development

Initial Access

Persistence

Privilege Escalation

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: AdFind · BlackByte Ransomware · Exbyte · Arp · BlackByte 2.0 Ransomware · PsExec · Cobalt Strike · Mimikatz

Reporting (3)

Ke3chang

G0004 China Espionage MITRE →

Also known as: APT15 · Mirage · Vixen Panda · GREF · Playful Dragon · RoyalAPT · NICKEL · Nylon Typhoon

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.

Targets: Government

Regions: European Union · Germany · India · United Kingdom

TTPs (46 techniques across 11 tactics)

Resource Development

Initial Access

Credential Access

Lateral Movement

Command and Control

Tools/malware: Ping · Okrum · Systeminfo · netstat · spwebmember · Mimikatz · Tasklist · MirageFox · Net · Neoichor · ipconfig

Reporting (3)

UNC3886

G1048 China MITRE →

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.

TTPs (49 techniques across 13 tactics)

Reconnaissance

Resource Development

Initial Access

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: MOPSLED · VIRTUALPIE · CASTLETAP · THINCRUST · VIRTUALPITA · REPTILE · MEDUSA · RIFLESPINE

Reporting (2)

Ember Bear

G1003 Russia Sabotage MITRE →

Also known as: UNC2589 · Bleeding Bear · DEV-0586 · Cadet Blizzard · Frozenvista · UAC-0056

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas. Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with…

Regions: Ukraine

TTPs (47 techniques across 14 tactics)

Reconnaissance

Resource Development

Persistence

Defense Impairment

Credential Access

Command and Control

Exfiltration

Impact

Tools/malware: P.A.S. Webshell · CrackMapExec · Responder · ngrok · reGeorg · WhisperGate · Saint Bot · PsExec · Rclone · BloodHound · Impacket

Reporting (3)

HAFNIUM

G0125 China MITRE →

Also known as: Operation Exchange Marauder · Silk Typhoon

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.

TTPs (44 techniques across 14 tactics)

Reconnaissance

Resource Development

Execution

Persistence

Privilege Escalation

Stealth

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Exfiltration

Tools/malware: Tarrask · ASPXSpy · Impacket · PsExec · Covenant · China Chopper

Reporting (3)

FIN6

G0037 MITRE →

Also known as: Magecart Group 6 · ITG08 · Skeleton Spider · TAAL · Camouflage Tempest

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.

TTPs (40 techniques across 13 tactics)

Resource Development

Initial Access

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Tools/malware: FlawedAmmyy · GrimAgent · FrameworkPOS · More_eggs · Cobalt Strike · Windows Credential Editor · AdFind · PsExec · Maze · LockerGoga · Ryuk · Mimikatz

Reporting (3)

MirrorFace

G1054 China MITRE →

Also known as: Earth Kasha

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware.

TTPs (43 techniques across 12 tactics)

Reconnaissance

Resource Development

Stealth

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Tools/malware: Net · Cobalt Strike · MirrorStealer · UPPERCUT · Nltest · BITSAdmin · Tasklist · ipconfig · LODEINFO · ROAMINGHOUSE · DOWNIISSA · nbtstat · HiddenFace · Ping · Wevtutil · NOOPLDR

Reporting (3)

Patchwork

G0040 Espionage MITRE →

Also known as: Hangover Group · Dropping Elephant · Chinastrats · MONSOON · Operation Hangover

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.

Targets: Diplomacy · Finance · Government · Military · Private sector · Security Service

Regions: Bangladesh · Germany · Pakistan · Sri Lanka

TTPs (41 techniques across 13 tactics)

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Tools/malware: NDiskMonitor · QuasarRAT · BackConfig · TINYTYPHON · AutoIt backdoor · PowerSploit · BADNEWS · Unknown Logger

Reporting (3)

Tropic Trooper

G0081 China MITRE →

Also known as: Pirate Panda · KeyBoy

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.

Targets: Government · Military

TTPs (40 techniques across 9 tactics)

Tools/malware: USBferry · ShadowPad · PoisonIvy · BITSAdmin · YAHOYAH · KeyBoy

Reporting (3)

Cobalt Group

G0080 MITRE →

Also known as: GOLD KINGSWOOD · Cobalt Gang · Cobalt Spider

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.

TTPs (34 techniques across 9 tactics)

Resource Development

Execution

Stealth

Lateral Movement

Command and Control

Tools/malware: Mimikatz · More_eggs · SpicyOmelette · SDelete · Cobalt Strike · PsExec

Reporting (3)

Earth Lusca

G1006 China MITRE →

Also known as: TAG-22 · Charcoal Typhoon · CHROMIUM · ControlX

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated. Earth Lusca has used malware commonly used by other Chinese threat…

Targets: Covid-19 Research Organizations · Cryptocurrency · Education · Gambling Companies · Government Institutions · Media · Medical · Pro-democracy And Human Rights Political Organizations · Religious Organization · Telecommunications

Regions: Australia · China · France · Germany · Hong Kong · Japan · Mongolia · Nepal · Nigeria · Philippines · Taiwan · Thailand

TTPs (44 techniques across 14 tactics)

Reconnaissance

Resource Development

Execution

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Exfiltration

Tools/malware: Mimikatz · PowerSploit · Tasklist · certutil · Cobalt Strike · Winnti for Linux · Nltest · NBTscan · ShadowPad

Reporting (3)

Fox Kitten

G0117 Iran MITRE →

Also known as: UNC757 · Parisite · Pioneer Kitten · RUBIDIUM · Lemon Sandstorm

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.

TTPs (41 techniques across 11 tactics)

Resource Development

Initial Access

Persistence

Privilege Escalation

Credential Access

Lateral Movement

Command and Control

Tools/malware: China Chopper · Pay2Key · ngrok · PsExec · SystemBC

Reporting (3)

LAPSUS$

G1004 MITRE →

Also known as: DEV-0537 · Strawberry Tempest

LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.

TTPs (43 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Stealth

Defense Impairment

Discovery

Collection

Command and Control

Tools/malware: Mimikatz

Reporting (3)

TA505

G0092 MITRE →

Also known as: Hive0065 · Spandex Tempest · CHIMBORAZO

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.

Targets: Education · Finance · Healthcare · Hospitality · Retail

Regions: Australia · Canada · Czech Republic · Germany · Hungary · India · Japan · Romania · Serbia · Singapore · South Korea · Spain

TTPs (34 techniques across 9 tactics)

Resource Development

Initial Access

Execution

Defense Impairment

Credential Access

Discovery

Command and Control

Tools/malware: AdFind · Clop · Azorult · FlawedAmmyy · Mimikatz · Dridex · TrickBot · Get2 · FlawedGrace · Cobalt Strike · ServHelper · BloodHound · Amadey · SDBbot · Net · PowerSploit

Reporting (3)

Storm-0501

G1053 MITRE →

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.

TTPs (42 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: Impacket · Tasklist · Cobalt Strike · Embargo · Rclone · Nltest · Net · AADInternals

Reporting (3)

RedCurl

G1039 MITRE →

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks. RedCurl is allegedly a Russian-speaking threat actor. The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

TTPs (41 techniques across 11 tactics)

Resource Development

Initial Access

Execution

Persistence

Credential Access

Lateral Movement

Command and Control

Reporting (2)

APT-C-36

G0099 Espionage MITRE →

Also known as: Blind Eagle · TAG-144 · AguilaCiega · APT-Q-98

APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.

Targets: Finance · Government · Manufacturing · Petroleum · Private sector

Regions: Chile · Colombia · Ecuador · Panama · Spain

TTPs (38 techniques across 8 tactics)

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Lateral Movement

Command and Control

Tools/malware: njRAT · Imminent Monitor · DCRAT · PureCrypter · Caminho · Remcos · AsyncRAT · QuasarRAT · HeartCrypt

Reporting (3)

BRONZE BUTLER

G0060 China Espionage MITRE →

Also known as: REDBALDKNIGHT · Tick

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.

Targets: Diplomacy · Engineering · Industrial · Infrastructure · Manufacturing · Media · Political party · Private sector

Regions: China · Japan · Russian Federation · South Korea

TTPs (40 techniques across 12 tactics)

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Tools/malware: Mimikatz · build_downer · cmd · ABK · at · BBK · schtasks · down_new · Daserf · Net · ShadowPad · Windows Credential Editor · gsecdump · Avenger

Reporting (3)

HEXANE

G1001 Espionage MITRE →

Also known as: Lyceum · Siamesekitten · Spirlin

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.

Targets: Defense · Education · Energy · Government · High-Tech · Military · Telecommunications

Regions: Israel · Middle East

TTPs (36 techniques across 11 tactics)

Reconnaissance

Resource Development

Execution

Stealth

Lateral Movement

Collection

Command and Control

Exfiltration

Tools/malware: Milan · Ping · netstat · BITSAdmin · Shark · DnsSystem · DanBot · Empire · ipconfig · Mimikatz · Kevin · PoshC2

Reporting (3)

FIN8

G0061 MITRE →

Also known as: Syssphinx

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.

Targets: Entertainment · Hospitality · Retail

TTPs (36 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: Ping · BADHATCH · PUNCHBUGGY · Ragnar Locker · PUNCHTRACK · dsquery · Net · Nltest · Sardonic · PsExec · Impacket

Reporting (3)

Indrik Spider

G0119 Russia MITRE →

Also known as: Evil Corp · Manatee Tempest · DEV-0243 · UNC2165

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed their tactics and diversified their toolset.

TTPs (33 techniques across 13 tactics)

Reconnaissance

Resource Development

Execution

Persistence

Credential Access

Lateral Movement

Collection

Command and Control

Exfiltration

Tools/malware: Donut · Mimikatz · Empire · PsExec · Dridex · WastedLocker · BitPaymer · Cobalt Strike

Reporting (3)

Rocke

G0106 China MITRE →

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "[email protected]" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.

TTPs (36 techniques across 10 tactics)

Reporting (1)

APT5

G1023 China MITRE →

Also known as: Mulberry Typhoon · MANGANESE · BRONZE FLEETWOOD · Keyhole Panda · UNC2630

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.

Targets: Electronic · Technology · Telecommunications

TTPs (29 techniques across 10 tactics)

Resource Development

Initial Access

Execution

Defense Impairment

Credential Access

Lateral Movement

Collection

Tools/malware: Tasklist · PoisonIvy · RAPIDPULSE · PcShare · Mimikatz · SLOWPULSE · SLIGHTPULSE · Skeleton Key · Net · PACEMAKER · gh0st RAT · PULSECHECK · netstat

Reporting (3)

APT33

G0064 Iran Espionage MITRE →

Also known as: HOLMIUM · Elfin · Peach Sandstorm

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

Targets: Private sector

Regions: Saudi Arabia · South Korea · United States

TTPs (31 techniques across 10 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Collection

Command and Control

Tools/malware: PowerSploit · AutoIt backdoor · PoshC2 · Ruler · Mimikatz · NanoCore · DEADWOOD · StoneDrill · POWERTON · LaZagne · TURNEDUP · NETWIRE · Net · Pupy · Empire · ftp

Reporting (3)

↑ back to top

Aquatic Panda

G0143 China MITRE →

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.

Targets: Covid-19 Research Organizations · Cryptocurrency · Education · Gambling Companies · Government Institutions · Media · Medical · Pro-democracy And Human Rights Political Organizations · Religious Organization · Telecommunications

Regions: Australia · China · France · Germany · Hong Kong · Japan · Mongolia · Nepal · Nigeria · Philippines · Taiwan · Thailand

TTPs (35 techniques across 11 tactics)

Reconnaissance

Resource Development

Execution

Persistence

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Tools/malware: Wevtutil · Winnti for Windows · njRAT · Cobalt Strike · ShadowPad · Winnti for Linux

Reporting (1)

↑ back to top

APT37

G0067 North Korea MITRE →

Also known as: InkySquid · ScarCruft · Reaper · Group123 · TEMP.Reaper · Ricochet Chollima

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Targets: Government · Private sector

Regions: Japan · South Korea · Vietnam

TTPs (29 techniques across 10 tactics)

Tools/malware: BLUELIGHT · CORALDECK · KARAE · SLOWDRIFT · ROKRAT · SHUTTERSPEED · POORAIM · HAPPYWORK · Final1stspy · Cobalt Strike · NavRAT · DOGCALL · WINERACK

Reporting (3)

↑ back to top

APT42

G1044 Iran Espionage MITRE →

APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance. The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015. APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices. Finally, APT42 exfiltrates data using native features and open-source tools. APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities…

Targets: Civil society · Defense · Education · Energy · Finance · Government · Healthcare · Legal · Manufacturing · Media · Military · NGOs

Regions: Australia · Europe · Israel · Middle East · United States

TTPs (32 techniques across 11 tactics)

Reconnaissance

Resource Development

Initial Access

Execution

Defense Impairment

Collection

Command and Control

Tools/malware: NICECURL · TAMECAT

Reporting (1)

↑ back to top

ZIRCONIUM

G0128 China MITRE →

Also known as: APT31 · Violet Typhoon

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.

TTPs (29 techniques across 11 tactics)

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Credential Access

Reporting (3)

↑ back to top

GALLIUM

G0093 China MITRE →

Also known as: Granite Typhoon

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.

TTPs (31 techniques across 12 tactics)

Resource Development

Initial Access

Persistence

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Exfiltration

Tools/malware: ipconfig · Ping · cmd · China Chopper · PoisonIvy · at · PlugX · PingPull · BlackMould · Mimikatz · Net · Reg · PsExec · HTRAN · NBTscan · Windows Credential Editor

Reporting (3)

↑ back to top

Sidewinder

G0121 India MITRE →

Also known as: T-APT-04 · Rattlesnake

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.

Targets: Government · Military · Private sector

Regions: Afghanistan · China · Nepal · Pakistan

TTPs (30 techniques across 9 tactics)

Tools/malware: Koadic

Reporting (3)

↑ back to top

Storm-1811

G1046 MITRE →

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.

TTPs (31 techniques across 12 tactics)

Resource Development

Initial Access

Execution

Persistence

Defense Impairment

Lateral Movement

Collection

Command and Control

Tools/malware: Black Basta · Cobalt Strike · Quick Assist · BITSAdmin · PsExec · Impacket · QakBot

Reporting (3)

↑ back to top

Silence

G0091 MITRE →

Also known as: Whisper Spider

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.

TTPs (28 techniques across 11 tactics)

Resource Development

Initial Access

Execution

Persistence

Defense Impairment

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Tools/malware: Empire · Winexe · SDelete

Reporting (3)

↑ back to top

Darkhotel

G0012 South Korea Espionage MITRE →

Also known as: DUBNIUM · Zigzag Hail

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.

Targets: Private sector

Regions: China · Japan · Russia · South Korea · Taiwan

TTPs (24 techniques across 9 tactics)

Reporting (3)

↑ back to top

INC Ransom

G1032 MITRE →

Also known as: GOLD IONIC

INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.

TTPs (25 techniques across 11 tactics)

Resource Development

Initial Access

Defense Impairment

Lateral Movement

Collection

Exfiltration

Tools/malware: Tor · PsExec · Nltest · Rclone · AdFind · Net · esentutl · INC Ransomware

Reporting (3)

↑ back to top

Sea Turtle

G1041 MITRE →

Also known as: Teal Kurma · Marbled Dust · Cosmic Wolf · SILICON

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for the ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.

Regions: Germany

TTPs (27 techniques across 9 tactics)

Resource Development

Execution

Persistence

Credential Access

Collection

Command and Control

Tools/malware: SnappyTCP

Reporting (3)

↑ back to top
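The Sea Turtle entry above describes the defender-side blind spot of DNS hijacking: the victim's own servers are untouched, and the only external sign is that resolvers start returning someone else's addresses (or that the zone's delegation changes at the registrar). The check below is an added example, not code from this page or from any vendor report on Sea Turtle. It assumes a defender-maintained baseline of known-good NS and A records and queries from several vantage-point resolvers; the baseline, the three resolver views and the wire-format DNS response are all constructed sample data. The stdlib-only query helper sends a raw UDP DNS query so the check can be pointed at specific resolvers rather than the system stub resolver.

```python
import socket
import struct

# Constructed baseline: the defender's known-good records (assumption, not from the page).
BASELINE = {
    "login.example.com": {"A": {"192.0.2.10"}},
    "example.com": {"NS": {"ns1.example-dns.net", "ns2.example-dns.net"}},
}

# Constructed observations from three vantage-point resolvers. One of them returns an
# attacker-controlled address for the login host, which is what a partial or regional
# hijack looks like from outside.
OBSERVED = {
    "resolver-eu":   {"login.example.com": {"A": {"192.0.2.10"}},
                      "example.com": {"NS": {"ns1.example-dns.net", "ns2.example-dns.net"}}},
    "resolver-us":   {"login.example.com": {"A": {"192.0.2.10"}},
                      "example.com": {"NS": {"ns1.example-dns.net", "ns2.example-dns.net"}}},
    "resolver-asia": {"login.example.com": {"A": {"203.0.113.66"}},
                      "example.com": {"NS": {"ns1.example-dns.net", "ns2.example-dns.net"}}},
}


def assess(baseline, observed):
    """Compare every vantage point against the baseline and against each other.

    Returns (name, rtype, resolver, finding, unexpected_values) tuples. An NS deviation
    means the delegation itself changed (registrar or DNS-provider compromise); an A
    deviation on a login host is the credential-harvesting stage of the same playbook.
    A hijack that reaches every resolver equally only shows up as a baseline deviation,
    which is why the baseline matters more than cross-resolver agreement.
    """
    findings = []
    for name, expected in baseline.items():
        for rtype, want in expected.items():
            views = {r: obs.get(name, {}).get(rtype, set()) for r, obs in observed.items()}
            for resolver, got in views.items():
                if got != want:
                    findings.append((name, rtype, resolver, "deviates from baseline", sorted(got - want)))
            if len({frozenset(v) for v in views.values()}) > 1:
                findings.append((name, rtype, "*", "resolvers disagree", None))
    return findings


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query in wire format (RFC 1035), recursion desired."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def _skip_name(data, pos):
    """Advance past a possibly compressed owner name and return the new offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return pos + 2
        pos += length + 1


def parse_a_answers(data):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    answers = set()
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return answers


def query_a(name, resolver_ip, timeout=3.0):
    """Live lookup against one specific resolver (not exercised by the sample run)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data)


# Constructed wire-format response to build_query("login.example.com"): two A answers whose
# owner name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + build_query("login.example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.10")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("198.51.100.7")
)

if __name__ == "__main__":
    for finding in assess(BASELINE, OBSERVED):
        print(finding)
    print(parse_a_answers(SAMPLE_RESPONSE))
```

In practice the baseline should also include the NS set as seen at the parent zone (the ccTLD registry), since that is the delegation a registrar compromise rewrites; a zone that still answers correctly from its legitimate servers proves nothing if the parent now delegates elsewhere.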

TA2541

G1018 MITRE →

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.

TTPs (28 techniques across 8 tactics)

Resource Development

Initial Access

Execution

Persistence

Defense Impairment

Command and Control

Tools/malware: Snip3 · Revenge RAT · jRAT · WarzoneRAT · Imminent Monitor · AsyncRAT · NETWIRE · Agent Tesla · njRAT

Reporting (2)

↑ back to top

Winter Vivern

G1035 Russia MITRE →

Also known as: TA473 · UAC-0114

Winter Vivern is a group linked to Russian and Belarusian interests, active since at least 2020, targeting various European government and NGO entities along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing and server-side exploitation for initial access, using adversary-controlled and adversary-created infrastructure for follow-on command and control.

Regions: Germany

TTPs (27 techniques across 9 tactics)

Reporting (3)

↑ back to top

Higaisa

G0126 South Korea MITRE →

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.

Targets: Government

Regions: China · Japan · Nepal · North Korea · Poland · Russia · Singapore · Switzerland

TTPs (28 techniques across 7 tactics)

Tools/malware: PlugX · certutil · gh0st RAT

Reporting (3)

↑ back to top

Moonstone Sleet

G1036 North Korea Espionage · Sabotage MITRE →

Also known as: Storm-1789

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.

Targets: Government · Private sector

Regions: Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India

TTPs (30 techniques across 10 tactics)

Tools/malware: Qilin

Reporting (1)

↑ back to top

LuminousMoth

G1014 China Espionage MITRE →

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.

Targets: Civil society

Regions: Germany · United States

TTPs (28 techniques across 12 tactics)

Resource Development

Initial Access

Execution

Persistence

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Tools/malware: PlugX · Cobalt Strike

Reporting (2)

↑ back to top

WIRTE

G0090 MITRE →

Also known as: Ashen Lepus

WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.

TTPs (26 techniques across 7 tactics)

Resource Development

Initial Access

Execution

Collection

Command and Control

Exfiltration

Tools/malware: LitePower · SameCoin · Ferocious · Empire · IronWind · Rclone · Havoc · AshTag

Reporting (3)

↑ back to top

Play

G1040 MITRE →

Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.

TTPs (26 techniques across 13 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Impact

Tools/malware: Nltest · AdFind · PsExec · Empire · Wevtutil · Cobalt Strike · Playcrypt · BloodHound · Mimikatz

Reporting (2)

↑ back to top

Agrius

G1030 Iran MITRE →

Also known as: Pink Sandstorm · AMERICIUM · Agonizing Serpens · BlackShadow

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).

TTPs (22 techniques across 11 tactics)

Resource Development

Initial Access

Execution

Persistence

Defense Impairment

Credential Access

Lateral Movement

Exfiltration

Tools/malware: NBTscan · Mimikatz · IPsec Helper · Moneybird · MultiLayer Wiper · DEADWOOD · BFG Agonizer · ASPXSpy · Apostle

Reporting (3)

↑ back to top

APT1

G0006 China Espionage MITRE →

Also known as: Comment Crew · Comment Group · Comment Panda

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

Targets: Government · Private sector

Regions: Belgium · Canada · France · India · Israel · Japan · Luxembourg · Norway · Singapore · South Africa · Switzerland · Taiwan

TTPs (23 techniques across 8 tactics)

Resource Development

Initial Access

Execution

Credential Access

Lateral Movement

Tools/malware: Seasalt · ipconfig · BISCUIT · Cachedump · PsExec · GLOOXMAIL · Lslsass · PoisonIvy · WEBC2 · Mimikatz · gsecdump · Pass-The-Hash Toolkit · CALENDAR · Tasklist · Net · xCmd · pwdump

Reporting (1)

↑ back to top

APT19

G0073 China Espionage MITRE →

Also known as: Codoso · C0d0so0 · Codoso Team · Sunshop Group

APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information whether the groups are the same.

Targets: Finance · Military · Non-profit Organisation · Private sector · Technology

Regions: United States

TTPs (21 techniques across 8 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Defense Impairment

Command and Control

Tools/malware: Cobalt Strike · Empire

Reporting (3)

↑ back to top

Lotus Blossom

G0030 China Espionage MITRE →

Also known as: DRAGONFISH · Spring Dragon · RADIUM · Raspberry Typhoon · Bilbug · Thrip

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers.

Targets: Government · Military · Private sector

Regions: Hong Kong · Indonesia · Japan · Philippines · Taiwan · United States · Vietnam

TTPs (21 techniques across 9 tactics)

Resource Development

Persistence

Defense Impairment

Credential Access

Collection

Command and Control

Tools/malware: AdFind · Ping · Impacket · Emissary · Elise · Hannotog · NBTscan · Sagerunex · certutil

Reporting (3)

↑ back to top

ToddyCat

G1022 MITRE →

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.

Targets: Government · Military

Regions: Afghanistan · India · Indonesia · Iran · Kyrgyzstan · Malaysia · Pakistan · Russia · Slovakia · Taiwan · Thailand · United Kingdom

TTPs (25 techniques across 9 tactics)

Tools/malware: Cobalt Strike · LoFiSe · China Chopper · netstat · Ping · Pcexter · Net · Samurai · Ninja

Reporting (2)

↑ back to top

Cinnamon Tempest

G1021 China MITRE →

Also known as: DEV-0401 · Emperor Dragonfly · BRONZE STARLIGHT

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.

TTPs (19 techniques across 10 tactics)

Resource Development

Initial Access

Execution

Persistence

Defense Impairment

Lateral Movement

Command and Control

Exfiltration

Impact

Tools/malware: Sliver · Pandora · PlugX · Cheerscrypt · Impacket · Cobalt Strike · HUI Loader · Rclone

Reporting (3)

↑ back to top

Inception

G0100 Russia Espionage MITRE →

Also known as: Inception Framework · Cloud Atlas

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.

Targets: Government · Private sector

Regions: Afghanistan · Armenia · Azerbaijan · Belarus · Belgium · Czech Republic · Greece · India · Iran · Italy · Kazakhstan · Kenya

TTPs (22 techniques across 9 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Credential Access

Collection

Command and Control

Tools/malware: PowerShower · VBShower · LaZagne

Reporting (3)

↑ back to top

Akira

G1024 MITRE →

Also known as: GOLD SAHARA · PUNK SPIDER · Howling Scorpius

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement. Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.

TTPs (17 techniques across 11 tactics)

Execution

Persistence

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Exfiltration

Tools/malware: Mimikatz · PsExec · AdFind · Akira _v2 · Akira · Megazord · LaZagne · Rclone

Reporting (3)

↑ back to top

CURIUM

G1012 Iran Espionage MITRE →

Also known as: Crimson Sandstorm · TA456 · Tortoise Shell · Yellow Liderc

CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.

Targets: Civil society · Defense · Energy · Finance · Government · Healthcare · High-Tech · Legal · Media · Military · NGOs · Pharmaceuticals

Regions: Europe · Israel · Middle East · United States

TTPs (19 techniques across 8 tactics)

Reconnaissance

Resource Development

Execution

Persistence

Collection

Tools/malware: IMAPLoader

Reporting (3)

↑ back to top

Star Blizzard

G1033 Russia MITRE →

Also known as: SEABORGIUM · Callisto Group · TA446 · COLDRIVER

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.

Targets: Government · Journalists · Military · Think Tanks

TTPs (20 techniques across 8 tactics)

Resource Development

Initial Access

Execution

Stealth

Credential Access

Lateral Movement

Collection

Tools/malware: Spica

Reporting (3)

↑ back to top

Tonto Team

G0131 China MITRE →

Also known as: Earth Akhlut · BRONZE HUNTLEY · CactusPete · Karma Panda

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).

Targets: Government · Military · Private sector

Regions: Eastern Europe · Japan · South Korea · Taiwan · United States

TTPs (15 techniques across 10 tactics)

Initial Access

Execution

Persistence

Privilege Escalation

Stealth

  • T1574.001 DLL

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Tools/malware: Mimikatz · Bisonal · ShadowPad · LaZagne · NBTscan · gsecdump

Reporting (3)

↑ back to top

Velvet Ant

G1047 MITRE →

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.

TTPs (22 techniques across 8 tactics)

Tools/malware: PlugX · Impacket

Reporting (2)

↑ back to top

Blue Mockingbird

G0108 MITRE →

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.

TTPs (22 techniques across 12 tactics)

Resource Development

Initial Access

Persistence

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Impact

Tools/malware: FRP · Mimikatz

Reporting (1)

↑ back to top

Windshift

G0112 MITRE →

Also known as: Bahamut

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.

TTPs (19 techniques across 6 tactics)

Tools/malware: WindTail

Reporting (3)

↑ back to top

Confucius

G0142 MITRE →

Also known as: Confucius APT

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.

TTPs (19 techniques across 9 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Collection

Command and Control

Tools/malware: WarzoneRAT

Reporting (3)

↑ back to top

Molerats

G0021 Espionage MITRE →

Also known as: Operation Molerats · Gaza Cybergang

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.

Targets: Civil society · Defense · Education · Energy · Finance · Government · Healthcare · Legal · Media · Military · NGOs · Pharmaceuticals

Regions: Europe · Israel · Middle East · Palestine · United States

TTPs (16 techniques across 8 tactics)

Initial Access

Execution

Persistence

Stealth

Defense Impairment

Credential Access

Discovery

Command and Control

Tools/malware: MoleNet · Spark · DustySky · DropBook · SharpStage · PoisonIvy

Reporting (3)

↑ back to top

Andariel

G0138 North Korea Espionage · Sabotage MITRE →

Also known as: Silent Chollima · PLUTONIUM · Onyx Sleet

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau. North Korean group definitions are known to have significant overlap, and some security researchers…

Targets: Government · Private sector

Regions: Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India

TTPs (12 techniques across 8 tactics)

Reconnaissance

Resource Development

Initial Access

Stealth

Collection

Command and Control

Tools/malware: Rifdoor · gh0st RAT

Reporting (3)

↑ back to top

Axiom

G0001 China Espionage MITRE →

Also known as: Group 72

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.

Targets: Civil society · Defense · Government · Intelligence · Justice · Mining · Private sector · Technology

Regions: Belgium · China · Germany · Indonesia · Italy · Japan · Netherlands · Russia · Switzerland · United Kingdom · United States

TTPs (16 techniques across 10 tactics)

Resource Development

Privilege Escalation

Stealth

Defense Impairment

Credential Access

Lateral Movement

Command and Control

Tools/malware: ZxShell · gh0st RAT · Zox · PlugX · Hikit · PoisonIvy · Derusbi · Hydraq

Reporting (3)

↑ back to top

BlackTech

G0098 China MITRE →

Also known as: Palmerworm

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.

TTPs (14 techniques across 6 tactics)

Resource Development

Stealth

Discovery

Lateral Movement

  • T1021.004 SSH

Tools/malware: PLEAD · Kivars · PsExec · TSCookie · Flagpro · Waterbear

Reporting (3)

↑ back to top

Daggerfly

G1034 China Espionage MITRE →

Also known as: Evasive Panda · BRONZE HIGHLAND

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.

Targets: Government · Individuals · Universities

Regions: Hong Kong · India · Macao · Malaysia · Nigeria · Taiwan

TTPs (17 techniques across 9 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Defense Impairment

Credential Access

Command and Control

Tools/malware: PlugX · MgBot · BITSAdmin · MacMa · Nightdoor · Reg

Reporting (3)

↑ back to top

LazyScripter

G0140 MITRE →

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.

TTPs (20 techniques across 6 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Command and Control

Tools/malware: Remcos · QuasarRAT · njRAT · ngrok · Empire · Koadic · KOCTOPUS

Reporting (1)

↑ back to top

Transparent Tribe

G0134 Pakistan MITRE →

Also known as: COPPER FIELDSTONE · APT36 · Mythic Leopard · ProjectM

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.

Targets: Activists · Civil society · Government · Military

TTPs (14 techniques across 5 tactics)

Resource Development

Initial Access

Execution

Command and Control

Tools/malware: DarkComet · ObliqueRAT · njRAT · Crimson · Peppy

Reporting (3)

↑ back to top

BITTER

G1002 MITRE →

Also known as: T-APT-17

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.

Regions: Germany

TTPs (16 techniques across 6 tactics)

Resource Development

Initial Access

Privilege Escalation

Tools/malware: ZxxZ

Reporting (2)

↑ back to top

Saint Bear

G1031 Russia MITRE →

Also known as: Storm-0587 · TA471 · UAC-0056 · Lorec53

Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities. Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.

TTPs (18 techniques across 6 tactics)

Reconnaissance

Resource Development

Initial Access

Defense Impairment

Tools/malware: OutSteel · Saint Bot

Reporting (2)

Leafminer

G0077 Iran MITRE →

Also known as: Raspite

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.

Targets: Energy

TTPs (17 techniques across 8 tactics)

Resource Development

Initial Access

Execution

Persistence

Stealth

Collection

Tools/malware: LaZagne · Mimikatz · MailSniper · PsExec

Reporting (2)

Naikon

G0019 China Espionage MITRE →

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN). While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.

Targets: Government · Private sector

Regions: Cambodia · China · India · Indonesia · Laos · Malaysia · Myanmar · Philippines · Saudi Arabia · Singapore · South Korea · Thailand

TTPs (14 techniques across 5 tactics)

Tools/malware: ftp · Net · Ping · netsh · WinMM · Systeminfo · RainyDay · Nebulae · RARSTONE · HDoor · Sys10 · SslMM · PsExec · Tasklist · Aria-body

Reporting (3)

Silent Librarian

G0122 MITRE →

Also known as: TA407 · COBALT DICKENS

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).

TTPs (13 techniques across 5 tactics)

Reconnaissance

Resource Development

Stealth

Credential Access

Collection

Reporting (3)

Mustard Tempest

G1020 MITRE →

Also known as: DEV-0206 · TA569 · GOLD PRELUDE · UNC1543

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.

TTPs (12 techniques across 6 tactics)

Resource Development

Initial Access

Execution

Command and Control

Tools/malware: SocGholish · Cobalt Strike

Reporting (3)

APT18

G0026 China Espionage MITRE →

Also known as: TG-0416 · Dynamite Panda · Threat Group-0416

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.

Targets: Aerospace · Civil society · Defense · Government · Healthcare · High-Tech · Private sector · Telecommunications

Regions: United States

TTPs (12 techniques across 5 tactics)

Execution

Stealth

Command and Control

Tools/malware: hcdLoader · gh0st RAT · cmd · Pisloader · HTTPBrowser

Reporting (3)

Carbanak

G0008 Financial gain MITRE →

Also known as: Anunak

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.

TTPs (9 techniques across 5 tactics)

Resource Development

Persistence

Defense Impairment

Command and Control

Tools/malware: Carbanak · Mimikatz · PsExec · netsh

Reporting (3)

EXOTIC LILY

G1011 MITRE →

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.

TTPs (15 techniques across 5 tactics)

Reconnaissance

Resource Development

Initial Access

Command and Control

Tools/malware: Bazar · Bumblebee

Reporting (1)

Gorgon Group

G0078 Pakistan MITRE →

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.

TTPs (16 techniques across 7 tactics)

Resource Development

Initial Access

Execution

Defense Impairment

Command and Control

Tools/malware: NanoCore · QuasarRAT · Remcos · njRAT

Reporting (1)

SideCopy

G1008 Pakistan MITRE →

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. SideCopy's name comes from its infection chain that tries to mimic that of Sidewinder, a suspected Indian threat group.

TTPs (16 techniques across 7 tactics)

Reconnaissance

Resource Development

Initial Access

Execution

Stealth

Command and Control

Tools/malware: AuTo Stealer · Action RAT

Reporting (1)

Stealth Falcon

G0038 Espionage MITRE →

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.

Targets: Activists · Civil society · Dissidents · Journalists

Regions: United Arab Emirates · United Kingdom

TTPs (16 techniques across 6 tactics)

Reporting (1)

TA551

G0127 MITRE →

Also known as: GOLD CABIN · Shathak

TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.

TTPs (14 techniques across 5 tactics)

Reconnaissance

Initial Access

Execution

Stealth

Command and Control

Tools/malware: QakBot · IcedID · Valak · Sliver · Ursnif

Reporting (2)

BackdoorDiplomacy

G0135 MITRE →

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.

Targets: Government · Telecommunications

Regions: Albania · Croatia · Georgia · Iran · Libya · Namibia · Poland · Qatar · Saudi Arabia · Sri Lanka · Sudan · Uzbekistan

TTPs (15 techniques across 7 tactics)

Resource Development

Initial Access

Persistence

Collection

Command and Control

Tools/malware: Turian · China Chopper · Mimikatz · NBTscan · QuasarRAT

Reporting (1)

Deep Panda

G0009 China Espionage MITRE →

Also known as: Shell Crew · WebMasters · KungFu Kittens · PinkPanther · Black Vine

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to Deep Panda. This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same.

Targets: Finance · Military · Non-profit Organisation · Private sector · Technology

Regions: United States

TTPs (10 techniques across 6 tactics)

Persistence

Privilege Escalation

Stealth

Lateral Movement

Tools/malware: Mivast · Ping · Net · StreamEx · Sakula · Tasklist · Derusbi

Reporting (3)

Salt Typhoon

G1045 China MITRE →

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).

TTPs (14 techniques across 10 tactics)

Reconnaissance

Resource Development

Initial Access

Persistence

Credential Access

Lateral Movement

  • T1021.004 SSH

Collection

Command and Control

Tools/malware: JumbledPath

Reporting (2)

FIN4

G0085 MITRE →

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.

Targets: Finance · Healthcare · Pharmacy

TTPs (12 techniques across 5 tactics)

Initial Access

Execution

Stealth

Collection

Command and Control

Reporting (3)

Machete

G0095 Espionage MITRE →

Also known as: APT-C-43 · El Machete

Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.

Targets: Government · Military

Regions: Belgium · Brazil · China · Colombia · Cuba · Ecuador · France · Germany · Malaysia · Peru · Russia · Spain

TTPs (11 techniques across 3 tactics)

Initial Access

Execution

Tools/malware: Machete

Reporting (3)

Moses Staff

G1009 Iran MITRE →

Also known as: DEV-0500 · Marigold Sandstorm

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand. Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.

TTPs (12 techniques across 8 tactics)

Resource Development

Initial Access

Persistence

Stealth

Defense Impairment

Lateral Movement

Command and Control

Tools/malware: PyDCrypt · PsExec · DCSrv · StrifeWater

Reporting (3)

PROMETHIUM

G0056 MITRE →

Also known as: StrongPity

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics.

TTPs (11 techniques across 6 tactics)

Resource Development

Initial Access

Execution

Persistence

Defense Impairment

Tools/malware: Truvasys · StrongPity

Reporting (3)

FIN5

G0053 MITRE →

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.

TTPs (11 techniques across 9 tactics)

Resource Development

Persistence

Stealth

Defense Impairment

Credential Access

Discovery

Collection

Command and Control

Tools/malware: Windows Credential Editor · PsExec · FLIPSIDE · pwdump · SDelete · RawPOS

Reporting (3)

GOLD SOUTHFIELD

G0115 MITRE →

Also known as: Pinchy Spider

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.

TTPs (9 techniques across 6 tactics)

Execution

Persistence

Stealth

Collection

Command and Control

Tools/malware: ConnectWise · REvil

Reporting (3)

Malteiro

G1026 MITRE →

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal).

TTPs (12 techniques across 6 tactics)

Tools/malware: Mispadu

Reporting (1)

PLATINUM

G0068 MITRE →

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.

Targets: Defense · Diplomacy · Government · Intelligence · Telecommunications

TTPs (11 techniques across 7 tactics)

Initial Access

Execution

Privilege Escalation

Stealth

Credential Access

Collection

Command and Control

Tools/malware: JPIN · Dipsind · adbupd

Reporting (1)

admin@338

G0018 China Espionage MITRE →

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.

Targets: Activists · Civil society · Finance · Government · Political party · Private sector · Trade

Regions: Hong Kong · United States

TTPs (12 techniques across 4 tactics)

Tools/malware: BUBBLEWRAP · LOWBALL · Systeminfo · PoisonIvy · Net · netstat · ipconfig

Reporting (1)

CopyKittens

G0052 Iran Espionage MITRE →

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.

Targets: Civil society · Government · Private sector

Regions: Germany · Israel · Jordan · Saudi Arabia · United States

TTPs (8 techniques across 6 tactics)

Resource Development

Execution

Stealth

Defense Impairment

Collection

Command and Control

Tools/malware: Cobalt Strike · Empire · TDTESS · Matryoshka

Reporting (3)

Dark Caracal

G0070 MITRE →

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.

TTPs (12 techniques across 7 tactics)

Initial Access

Execution

Persistence

Stealth

Collection

Command and Control

Tools/malware: FinFisher · CrossRAT · Bandook

Reporting (1)

Elderwood

G0066 China Espionage MITRE →

Also known as: Elderwood Gang · Beijing Group · Sneaky Panda

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.

Targets: Civil society · Private sector

Regions: Australia · Canada · China · Denmark · Hong Kong · India · Switzerland · Taiwan · United Kingdom · United States

TTPs (9 techniques across 4 tactics)

Initial Access

Stealth

Command and Control

Tools/malware: PoisonIvy · Naid · Briba · Hydraq · Linfo · Nerex · Vasport · Wiarp · Pasam

Reporting (3)

FIN10

G0051 MITRE →

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations.

TTPs (11 techniques across 6 tactics)

Resource Development

Execution

Persistence

Stealth

Discovery

Lateral Movement

Tools/malware: Empire

Reporting (1)

Evilnum

G0120 MITRE →

Evilnum is a financially motivated threat group that has been active since at least 2018.

TTPs (11 techniques across 6 tactics)

Initial Access

Execution

Privilege Escalation

Stealth

Command and Control

Tools/malware: More_eggs · EVILNUM · LaZagne

Reporting (1)

Ajax Security Team

G0130 Iran Espionage MITRE →

Also known as: Operation Woolen-Goldfish · AjaxTM · Rocket Kitten · Flying Kitten · Operation Saffron Rose

Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.

Targets: Activists · Aerospace · Civil society · Defense · Education · Gas · Government · Journalists · Military · Oil · Research - Innovation

Regions: Afghanistan · Canada · Egypt · Iran · Iranian internet activists · Iraq · Israel · Jordan · Kuwait · Saudi Arabia · Syria · Turkey

TTPs (6 techniques across 5 tactics)

Initial Access

Execution

Credential Access

Collection

Command and Control

Tools/malware: sqlmap · Havij

Reporting (3)

DarkVishnya

G0105 MITRE →

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.

TTPs (10 techniques across 7 tactics)

Resource Development

Initial Access

Execution

Persistence

Credential Access

Command and Control

Tools/malware: Winexe · PsExec

Reporting (1)

Nomadic Octopus

G0133 Russia MITRE →

Also known as: DustSquad

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.

TTPs (7 techniques across 4 tactics)

Initial Access

Execution

Stealth

Command and Control

Tools/malware: Octopus

Reporting (3)

Rancor

G0075 Espionage MITRE →

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents.

Targets: Civil society · Government

Regions: Cambodia · Singapore

TTPs (9 techniques across 5 tactics)

Initial Access

Execution

Stealth

Command and Control

Tools/malware: Reg · DDKONG · PLAINTEE · certutil

Reporting (1)

Winnti Group

G0044 China MITRE →

Also known as: Blackfly

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including Axiom, APT17, and Ke3chang, are closely linked to Winnti Group.

Targets: Automotive · Business · Cryptocurrency · Education · Energy · Finance · Healthcare · High-Tech · Intergovernmental · Media · Pharmaceuticals · Private sector

Regions: China · France · Hong Kong · India · Italy · Japan · Myanmar · Netherlands · Singapore · South Africa · South Korea · Switzerland

TTPs (6 techniques across 5 tactics)

Resource Development

Stealth

Defense Impairment

Command and Control

Tools/malware: PipeMon · Winnti for Windows · PlugX

Reporting (3)

Aoqin Dragon

G1007 China MITRE →

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.

Targets: Education · Government · Telecommunications

Regions: Australia · Cambodia · Hong Kong · Singapore · Vietnam

TTPs (9 techniques across 5 tactics)

Resource Development

Stealth

Tools/malware: Mongall · Heyoka Backdoor

Reporting (1)

DarkHydrus

G0079 MITRE →

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.

TTPs (7 techniques across 5 tactics)

Resource Development

Initial Access

Execution

Stealth

Credential Access

Tools/malware: Mimikatz · RogueRobin · Cobalt Strike

Reporting (2)

IndigoZebra

G0136 China MITRE →

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.

TTPs (7 techniques across 4 tactics)

Resource Development

Initial Access

Execution

Command and Control

Tools/malware: xCaon · BoxCaon · PoisonIvy

Reporting (3)

Metador

G1013 MITRE →

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.

TTPs (9 techniques across 5 tactics)

Resource Development

Execution

Stealth

Command and Control

Tools/malware: metaMain · Mafalda

Reporting (1)

RTM

G0048 Russia MITRE →

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).

TTPs (7 techniques across 5 tactics)

Initial Access

Execution

Persistence

Stealth

  • T1574.001 DLL

Command and Control

Tools/malware: RTM

Reporting (1)

Sowbug

G0054 Espionage MITRE →

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015.

Targets: Government

Regions: Argentina · Brazil · Brunei · Ecuador · Malaysia · Peru

TTPs (9 techniques across 5 tactics)

Tools/malware: Starloader · Felismus

Reporting (1)

Whitefly

G0107 MITRE →

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.

TTPs (9 techniques across 6 tactics)

Resource Development

Privilege Escalation

Credential Access

Command and Control

Tools/malware: Mimikatz

Reporting (1)

Windigo

G0124 MITRE →

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019.

TTPs (7 techniques across 5 tactics)

Initial Access

Collection

Command and Control

Tools/malware: Ebury

Reporting (2)

MoustachedBouncer

G1019 Espionage MITRE →

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.

Targets: Government

Regions: Eastern Europe · Europe · Northeast Africa · South Asia

TTPs (8 techniques across 6 tactics)

Initial Access

Execution

Privilege Escalation

Stealth

Collection

Command and Control

Tools/malware: NightClub · Disco · SharpDisco

Reporting (1)

POLONIUM

G1005 Espionage MITRE →

Also known as: Plaid Rain

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.

Targets: Civil society · Critical Manufacturing · Defense · Defense industrial base · Financial Services · Food And Agriculture · Government Agencies And Services · Healthcare · Military · NGOs · Pharmaceuticals · Technology

Regions: Israel

TTPs (7 techniques across 5 tactics)

Resource Development

Initial Access

Stealth

Command and Control

Exfiltration

Tools/malware: CreepyDrive · CreepySnail

Reporting (2)

Poseidon Group

G0033 MITRE →

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.

TTPs (8 techniques across 4 tactics)

Execution

Credential Access

Reporting (1)

APT12

G0005 China Espionage MITRE →

Also known as: IXESHE · DynCalc · Numbered Panda · DNSCALC

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.

Targets: Government · Private sector

Regions: Japan · Taiwan

TTPs (5 techniques across 3 tactics)

Initial Access

Command and Control

Tools/malware: Ixeshe · RIPTIDE · HTRAN

Reporting (2)

The White Company

G0089 MITRE →

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.

TTPs (7 techniques across 4 tactics)

Initial Access

Stealth

Tools/malware: Revenge RAT · NETWIRE

Reporting (1)

AppleJeus

G1049 North Korea Espionage · Sabotage MITRE →

Also known as: Gleaming Pisces · Citrine Sleet · UNC1720 · UNC4736

AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another DPRK-affiliated group under the same umbrella. The group’s primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack. The group traditionally deploys malicious cryptocurrency software in combination with Phishing. From these compromised environments, it selectively deploys…

Targets: Government · Private sector

Regions: Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India

TTPs (2 techniques across 2 tactics)

Initial Access

Impact

Reporting (3)

Cleaver

G0003 Iran Espionage MITRE →

Also known as: Threat Group 2889 · TG-2889

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).

Targets: Defense · Education · Energy · Government · Private sector · Technology

Regions: Canada · China · France · Germany · India · Israel · Kuwait · Mexico · Pakistan · Qatar · Saudi Arabia · South Korea

TTPs (5 techniques across 2 tactics)

Resource Development

Credential Access

Tools/malware: Net Crawler · PsExec · TinyZBot · Mimikatz

Reporting (2)

Ferocious Kitten

G0137 Iran MITRE →

Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.

TTPs (6 techniques across 4 tactics)

Resource Development

Initial Access

Execution

Tools/malware: MarkiRAT · BITSAdmin

Reporting (1)

Gallmaker

G0084 MITRE →

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.

TTPs (6 techniques across 4 tactics)

Initial Access

Execution

Collection

Reporting (1)

Mofang

G0103 China Espionage MITRE →

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.

Targets: Government · Private sector

Regions: Canada · Germany · India · Myanmar · Singapore · South Korea · United States

TTPs (6 techniques across 3 tactics)

Initial Access

Execution

Stealth

Tools/malware: ShimRatReporter · ShimRat

Reporting (1)

RedEcho

G1042 China MITRE →

RedEcho is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure.

TTPs (5 techniques across 2 tactics)

Resource Development

Command and Control

Tools/malware: ShadowPad

Reporting (2)

Suckfly

G0039 China MITRE →

Suckfly is a China-based threat group that has been active since at least 2014.

TTPs (5 techniques across 5 tactics)

Execution

Stealth

Defense Impairment

Credential Access

Discovery

Tools/malware: Nidiran

Reporting (2)

TA577

G1037 MITRE →

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023.

TTPs (6 techniques across 4 tactics)

Resource Development

Initial Access

Execution

Stealth

Tools/malware: Pikabot · QakBot · Latrodectus

Reporting (1)

Volatile Cedar

G0123 MITRE →

Also known as: Lebanese Cedar

Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.

TTPs (5 techniques across 4 tactics)

Reconnaissance

Initial Access

Persistence

Command and Control

Tools/malware: Caterpillar WebShell · Explosive

Reporting (2)

Equation

G0020 MITRE →

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.

TTPs (4 techniques across 2 tactics)

Stealth

Discovery

Reporting (1)

Putter Panda

G0024 China Espionage MITRE →

Also known as: APT2 · MSUpdater

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).

Targets: Government · Private sector

Regions: U.S. satellite and aerospace sector

TTPs (4 techniques across 3 tactics)

Persistence

Defense Impairment

Tools/malware: pngdowner · 3PARA RAT · 4H RAT · httpclient

Reporting (2)

SilverTerrier

G0083 MITRE →

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.

TTPs (4 techniques across 2 tactics)

Command and Control

Impact

Tools/malware: NanoCore · Agent Tesla · NETWIRE · DarkComet · Lokibot

Reporting (2)

Strider

G0041 China Espionage MITRE →

Also known as: ProjectSauron

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.

Targets: Government · Intelligence · Military

Regions: Belgium · China · Iran · Russia · Rwanda · Sweden

TTPs (3 techniques across 3 tactics)

Stealth

Defense Impairment

Command and Control

Tools/malware: Remsec

Reporting (3)

TA459

G0062 China MITRE →

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.

TTPs (5 techniques across 2 tactics)

Initial Access

Execution

Tools/malware: gh0st RAT · NetTraveler · PlugX · ZeroT

Reporting (1)

TA578

G1038 MITRE →

TA578 is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including Latrodectus, IcedID, and Bumblebee.

TTPs (4 techniques across 3 tactics)

Reconnaissance

Resource Development

Execution

Tools/malware: Bumblebee · Latrodectus · IcedID

Reporting (2)

Water Galura

G1050 MITRE →

Also known as: GOLD FEATHER

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model where they demand payment for providing decryption keys and for refraining from publishing the stolen data to their leak site.

TTPs (3 techniques across 2 tactics)

Resource Development

Tools/malware: Qilin · Tor

Reporting (2)

APT-C-23

G1028 Espionage MITRE →

Also known as: Mantis · Arid Viper · Desert Falcon · TAG-63 · Grey Karkadann · Big Bang APT · Two-tailed Scorpion

APT-C-23 is a threat group that has been active since at least 2014. APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017.

Targets: Civil society · Defense · Education · Energy · Finance · Government · High-Tech · Legal · Media · Military · NGOs · Telecommunications

Regions: Europe · Israel · Middle East · Palestine · United States

Tools/malware: Micropsia

Reporting (3)

Group5

G0043 Iran MITRE →

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.

TTPs (4 techniques across 2 tactics)

Stealth

Collection

Tools/malware: njRAT · NanoCore

Reporting (1)

Orangeworm

G0071 MITRE →

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.

TTPs (2 techniques across 2 tactics)

Lateral Movement

Command and Control

Tools/malware: Kwampirs · netstat · Net · ipconfig · cmd · route · Arp · Systeminfo

Reporting (2)

TEMP.Veles

G0088 MITRE →

Also known as: XENOTIME

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

Tools/malware: Mimikatz · PsExec

Reporting (3)

Threat Group-1314

G0028 MITRE →

Also known as: TG-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.

TTPs (4 techniques across 3 tactics)

Stealth

Lateral Movement

Tools/malware: Net · PsExec

Reporting (1)

Thrip

G0076 Espionage MITRE →

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques.

Targets: Private sector

Regions: United States

TTPs (4 techniques across 4 tactics)

Resource Development

Execution

Command and Control

Tools/malware: PsExec · Mimikatz · Catchamas

Reporting (1)

APT30

G0013 China Espionage MITRE →

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.

Targets: Government

Regions: India · Malaysia · Saudi Arabia · South Korea · Thailand · United States · Vietnam

TTPs (2 techniques across 2 tactics)

Initial Access

Execution

Tools/malware: SHIPSHAPE · BACKSPACE · FLASHFLOOD · NETEAGLE · SPACESHIP

Reporting (2)

BlackOasis

G0063 MITRE →

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.

TTPs (1 technique across 1 tactic)

Reporting (3)

PittyTiger

G0011 China MITRE →

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.

TTPs (2 techniques across 2 tactics)

Resource Development

Stealth

Tools/malware: gh0st RAT · Lurid · gsecdump · PoisonIvy · Mimikatz

Reporting (2)

APT17

G0025 China Espionage MITRE →

Also known as: Deputy Dog

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.

Targets: Civil society · Defense · Government · Intelligence · Justice · Mining · Private sector · Technology

Regions: Belgium · China · Germany · Indonesia · Italy · Japan · Netherlands · Russia · Switzerland · United Kingdom · United States

TTPs (2 techniques across 1 tactic)

Resource Development

Tools/malware: BLACKCOFFEE

Reporting (1)

NEODYMIUM

G0055 MITRE →

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.

Tools/malware: Wingbird

Reporting (3)

APT16

G0023 China Espionage MITRE →

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.

Targets: Private sector

Regions: Japan · Taiwan

TTPs (1 technique across 1 tactic)

Resource Development

Tools/malware: ELMER

Reporting (1)

DragonOK

G0017 Espionage MITRE →

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.

Targets: Private sector

Regions: United States

Tools/malware: PoisonIvy · PlugX

Reporting (2)

Moafee

G0002 China Espionage MITRE →

Moafee is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK.

Targets: Private sector

Regions: United States

TTPs (1 technique across 1 tactic)

Stealth

Tools/malware: PoisonIvy

Reporting (1)

Scarlet Mimic

G0029 MITRE →

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.

Targets: Activists

TTPs (1 technique across 1 tactic)

Stealth

Tools/malware: Psylo · MobileOrder · CallMe · FakeM

Reporting (1)

Data: MITRE ATT&CK 19.1. Vendor names are reported in original source materials and may include aliases assigned by different vendors. For the interactive view (matrix overlay, mind-map, flows), open the interactive Group Profiler in a browser with JavaScript enabled.