Threat Actor Index

Compromised nine U.S. telecom carriers, breached lawful intercept wiretap systems, and surveilled over a million Americans. The most consequential telecom espionage campaign ever recorded.

Russia's primary offensive cyber unit, active for two decades. Responsible for election interference, NATO targeting, zero-day chaining, and sustained espionage across Europe and North America.

English-speaking collective of teens and young adults who social engineer their way past MFA and help desks. Hit MGM, Caesars, Marks & Spencer, Co-op, and Harrods in high-profile operations. Four members were arrested by the UK's National Crime Agency in July 2025 in connection with the UK retail campaign, which caused an estimated £270–440 million in combined losses.

Dual-track APT running both state espionage and financially motivated cybercrime simultaneously. The Silver Dragon sub-cluster uses Google Drive as covert C2 against government targets across Southeast Asia and Europe.

Weaponized Google Sheets as covert C2 infrastructure, operating undetected across 42 countries for nearly a decade. Uses the GRIDTIDE backdoor to spy on telecoms and government networks via trusted cloud services.

Iran-linked APT targeting Iraqi government ministries with AI-assisted malware development. Deployed four previously undocumented families — SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM — in January 2026.

Financially motivated operator cloning Fortune 500 brand login portals with 98% visual accuracy, harvesting credentials via Telegram bots, and selling persistent RMM-based access to victim networks.

Data extortion group that steals and threatens to publish sensitive data without always deploying traditional ransomware encryption. Hit healthcare organizations including Greater Pittsburgh Orthopaedic Associates.

Exploited a Cisco SD-WAN CVSS 10.0 zero-day silently for three years before triggering a Five Eyes emergency response and CISA Emergency Directive 26-03. Confirmed critical infrastructure targeting across multiple countries.

North Korea's premier cyber unit, responsible for the largest cryptocurrency thefts in history and the Sony Pictures hack. Funds Pyongyang's weapons program through financial cybercrime on a state scale.

Quietly pre-positions inside U.S. critical infrastructure — power grids, water systems, and communications — for potential disruptive action in a Taiwan conflict scenario. Lives entirely off the land.

Once the world's dominant RaaS operation, responsible for more attacks than any other group in 2022–2024, including Boeing, the Royal Mail, and the Industrial and Commercial Bank of China. Operation Cronos in February 2024 seized infrastructure, servers, and source code, severely degrading the operation. LockBit 5.0 re-emerged at reduced scale in late 2025 but has not recovered its former dominance.

Russia's SVR intelligence cyber unit. Orchestrated the SolarWinds supply chain attack, breached Microsoft's corporate email systems in 2024, and has sustained access to Western government networks for over a decade.

Russia's most destructive cyber unit. Knocked out Ukraine's power grid twice, deployed NotPetya ($10B+ in global damage), disrupted the 2018 Winter Olympics, and continues sustained destructive attacks against Ukraine.

Sophisticated Rust-based ransomware that hit MGM Resorts, Change Healthcare (causing nationwide pharmacy disruptions), and Caesars. FBI disrupted the operation in December 2023. In March 2024 the group pulled an exit scam after the Change Healthcare attack — pocketing an alleged $22 million ransom and cheating their own affiliate — then announced a shutdown. As of early 2025, the group has apparently disappeared entirely.

Specializes in mass exploitation of zero-days in widely used enterprise file transfer software — MOVEit, GoAnywhere, and Accellion — hitting hundreds of organizations in single campaigns without deploying traditional ransomware.

Iran's primary cyber espionage unit targeting Middle Eastern governments, critical infrastructure, and financial institutions. Closely related to Dust Specter activity and has operated against Iraqi government infrastructure since 2024.

North Korean intelligence collection unit that impersonates journalists, academics, and policy experts to harvest geopolitical intelligence on South Korea, the U.S., and nuclear policy makers worldwide.

One of the most sophisticated financially motivated criminal groups in the world. Stole over $3 billion from restaurants, retail, and hospitality companies through POS malware and evolved into ransomware operations via BlackMatter and DarkSide.

Iran's IRGC cyber unit specializing in social engineering of journalists, academics, human rights workers, and dissidents. Implicated in interference with the 2024 U.S. presidential election via the Trump campaign breach.

Iranian IRGC-linked cyber espionage group active since at least 2013. Defined by patient, high-touch social engineering — impersonating journalists, academics, and conference organizers over weeks or months before harvesting credentials. Targets journalists, dissidents, academics, government, and defense personnel across the U.S., UK, Israel, and the Middle East.

RaaS cartel that emerged as one of the dominant ransomware operations of 2025. Supplied the ransomware payload to Scattered Spider's UK retail campaign against Marks & Spencer, Co-op, and Harrods. Claimed to have absorbed RansomHub in April 2025, converting it into a "cartel" model — a white-label RaaS framework allowing affiliates to operate under their own brands. Attack volume spiked 212% in June 2025.

The NSA's Tailored Access Operations unit, widely considered the most technically advanced threat actor ever documented. Responsible for Stuxnet (with Unit 8200), the HDD firmware implants, and the leaked Shadow Brokers toolset that enabled WannaCry and NotPetya.

Once described by Europol as the world's most dangerous malware botnet — a modular malware distribution service that rented botnet access to ransomware groups including Ryuk and Conti. Repeatedly disrupted by law enforcement and rebuilt. Went silent in April 2023 after Microsoft's macro-blocking policy eliminated its primary delivery mechanism, and no credible activity has been confirmed since. Its eventual return remains a standing concern given its history of adaptation.

Pro-Russian hacktivist collective that launched high-profile DDoS campaigns against NATO member healthcare, government, and airport websites following Russia's 2022 invasion of Ukraine. Announced it had completely disbanded in mid-2023 after founder KillMilk was publicly unmasked. Re-emerged in May 2025 under new leadership and a changed model — pivoting from ideological hacktivism to profit-driven hack-for-hire operations, with analysts assessing the current group as largely a different entity using a familiar brand.

Prolific Chinese espionage cluster targeting government and critical infrastructure in over 20 countries. Known for exploiting internet-facing applications (Confluence, Exchange, GitLab) and deploying the Cobalt Strike-derived WINNKIT rootkit.

VoIP-focused criminal operator who exploited a FreePBX zero-day to compromise 900+ phone systems, deploying the multi-stage EncystPHP web shell for persistent access and monetizing stolen dial-out access through international toll fraud.

Targeted the LexisNexis AWS infrastructure via an unpatched React2Shell vulnerability, exfiltrating 3.9 million records including 118 government user profiles and 53 plaintext secrets.

Built and operates Starkiller — a PhaaS platform that proxies real login pages in real time through headless Chrome containers, bypassing MFA by relaying the full authentication flow with Telegram-based analytics.

Chinese cyber-espionage group linked to the Ministry of State Security (MSS). Known for long-running intellectual property theft campaigns and the global Cloud Hopper operation targeting managed service providers to gain indirect access to hundreds of corporate networks.

Russian cybercrime organization responsible for major banking malware operations and later enterprise ransomware campaigns. Evil Corp initially built global financial theft infrastructure using the Dridex banking trojan before evolving into high-impact ransomware operations such as WastedLocker and Hades targeting large corporations worldwide.

Financially motivated ransomware operation that operated one of the most prolific ransomware-as-a-service platforms in the world. Known for large-scale double-extortion campaigns and the Kaseya supply-chain attack that impacted hundreds of downstream organizations.

Highly organized ransomware operation that operated one of the most active ransomware-as-a-service ecosystems between 2020 and 2022. Known for large-scale attacks on healthcare, government, and enterprise organizations and for internal operational leaks that exposed the structure of a modern ransomware syndicate.

Financially motivated ransomware-as-a-service operation best known for the 2021 Colonial Pipeline attack, which caused widespread fuel disruption across the U.S. East Coast. Combined data theft, affiliate-led intrusions, and public extortion branding in one of the most consequential ransomware campaigns ever recorded.

Highly active ransomware group believed to contain former Conti operators. Known for fast-moving enterprise intrusions and large-scale double-extortion campaigns against critical infrastructure and global corporations.

Financially motivated intrusion group specializing in rapid ransomware deployment following initial access purchases from brokers. Known for targeting healthcare and enterprise organizations with minimal dwell time before encryption.

Chinese cyber-espionage group focused on maritime industries, government agencies, and defense contractors across the Indo-Pacific region. Known for exploiting public-facing web applications and leveraging stolen credentials for long-term intelligence collection.

Russian cyber-espionage group focused almost exclusively on Ukraine. Known for relentless spear-phishing campaigns and rapid malware iteration targeting government and military organizations.

Iranian cyber-espionage group targeting telecommunications providers, government agencies, and defense organizations across the Middle East and Asia.

Iranian MOIS-affiliated destructive operations group responsible for wiper attacks, hack-and-leak campaigns, and the March 2026 attack on Stryker Corporation — the largest known wiper operation against a single U.S. company. Operates under multiple hacktivist personas including Handala, Homeland Justice, and Karma.

Ransomware operation containing former Conti operators, active from late 2022 before rebranding as BlackSuit in mid-2023. Responsible for large-scale attacks against healthcare, manufacturing, and enterprise networks, including the City of Dallas. The FBI and CISA confirmed the BlackSuit rebrand in August 2024. In July 2025, Operation Checkmate seized four servers and nine domains under the BlackSuit name, though no arrests were made.

Ransomware group known for targeting educational institutions and public sector organizations with data theft and extortion campaigns.

Large-scale malware distribution operator targeting hospitality and transportation sectors with phishing campaigns delivering remote access trojans.

Loose collective of hacktivists responsible for politically motivated cyber operations including website defacements, DDoS campaigns, and data leaks targeting governments and corporations.

Highly stealthy espionage operator tied to the SolarWinds Orion supply-chain intrusion and selective follow-on compromises against government, technology, and policy-sector targets.

Chinese intrusion cluster observed using ransomware as cover for broader espionage-oriented access, intrusion operations, and post-compromise activity across multiple sectors.

Cloud-focused espionage operator that abused a stolen Microsoft signing key to forge tokens and access Exchange Online and Outlook email accounts at targeted organizations.

Long-running Chinese state-backed APT active since at least 2010, targeting government, defense, technology, and human rights organizations worldwide. One of three China-nexus actors confirmed by Microsoft to have exploited the ToolShell SharePoint vulnerability chain in 2025.

Chinese state-backed APT specializing in intellectual property theft, targeting NGOs, think tanks, media, academia, and former government and military personnel. Confirmed by Microsoft as a ToolShell exploiter in 2025 and previously sanctioned by the US Treasury in connection with APT31 activity.

Emerging China-attributed threat cluster combining ransomware deployment with espionage-aligned access operations. First surfaced in March 2025 and confirmed as one of three actors exploiting the ToolShell SharePoint vulnerability chain. Microsoft links the group to LockBit and Warlock ransomware use while noting that its objectives remain difficult to confidently assess.

Unidentified China-nexus threat actor assessed by Mandiant as among the earliest actors to exploit the ToolShell SharePoint vulnerability chain, with activity beginning as early as July 7, 2025 — before public disclosure. Targeted multiple sectors and geographies with a focus on machine key material theft for persistent access. Distinct from the three named actors confirmed by Microsoft.

Prolific data theft and extortion group active since 2020 with a confirmed record of breaching more than 60 organizations globally. Known for mass credential harvesting, dark web data sales, and a 2024–2026 pivot to cloud platform extortion targeting Salesforce, Snowflake, and SaaS environments. Closely linked to Scattered Spider and LAPSUS$, and tracked by Google Threat Intelligence as UNC6040 and UNC6240. The Crunchyroll supply chain breach — accessed via a compromised Telus International BPO employee — is among the most recent confirmed operations.

Threat cluster responsible for the August 2025 Salesloft Drift supply chain breach — one of the largest SaaS supply chain compromises on record, affecting more than 700 organizations. The actor spent months covertly inside Salesloft's GitHub environment before pivoting to Drift's AWS infrastructure to steal OAuth tokens, then systematically queried Salesforce instances across hundreds of enterprises including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, and CyberArk. Primary objective: credential harvesting for downstream access. Attribution remains contested; Google tracks the cluster as UNC6395 while Cloudflare designates it GRUB1.

The dominant ransomware group by attack volume in 2025, surpassing 1,000 claimed victims on its leak site before year-end after absorbing RansomHub affiliates. Hit the UK's Synnovis NHS blood-testing service in June 2024, forcing cancellation of over 1,100 surgeries and causing transfusion shortages across London hospitals, and Malaysian Airports Holdings for $10 million. Maintained its leading position into January 2026, accounting for roughly a fifth of all observed ransomware attacks.

Persistent RaaS operation active since March 2023, with confirmed ransom proceeds exceeding $244 million USD through late September 2025 per a joint FBI/CISA advisory — spanning its entire operating history. Known for targeting Cisco VPN appliances and deploying a Linux encryptor through an unmonitored IoT webcam to bypass EDR — among the most creative evasion techniques documented that year. CISA and the FBI updated their advisory in November 2025, warning of an imminent threat to critical infrastructure.

Iran's premier surveillance unit — not focused on disruption but on identifying and locating dissidents, journalists, and foreign policy figures who oppose the regime. Invests weeks or months cultivating trust before harvesting credentials. Targeted Donald Trump's 2024 presidential campaign and Israeli government officials, and is now actively hunting population-scale datasets from ISPs and telecoms to locate regime opponents.

A previously undocumented China-aligned APT first exposed by ESET in 2025. Specializes in adversary-in-the-middle supply chain attacks — compromising network devices to hijack software update traffic and silently inject the SlowStepper backdoor, a 30+ component surveillance toolkit, into legitimate installer packages.

Dominated the ransomware landscape through 2024 and into early 2025, absorbing former ALPHV and LockBit affiliates. Infrastructure went dark on April 1, 2025 in what is widely assessed as a DragonForce takeover — DragonForce subsequently claimed RansomHub had "joined the cartel," absorbing its affiliates and infrastructure. Widely believed to be a rebrand of the Knight ransomware operation.

Emerged in 2023 and built a reputation for hitting healthcare and government targets with outsized ransom demands. Hit the British Library (destroying a decade of digital infrastructure), Insomniac Games (leaking unreleased Marvel IP), and Maryland's Transit Administration in 2025. Assessed to share affiliates with Vice Society.

A prolific RaaS operation with a notable healthcare focus, responsible for attacks on Comcast, Minneapolis Public Schools, and numerous hospital networks. Distinguished by its use of a Telegram bot for victim negotiations and a "Medusa Blog" leak site offering a pay-to-delay feature where victims can pay per day to extend their disclosure deadline.

A fast-rising ransomware operation built on leaked LockBit 3.0 source code that manages all attack phases internally without a traditional affiliate model. Hit global IT distributor Ingram Micro in 2025 — causing an estimated $136 million in daily revenue losses and claiming 3.5 TB of stolen data — before surging 223% in victim volume in Q1 2025 alone.

A consistently high-volume ransomware group notable for exploiting zero-day vulnerabilities and compromised valid credentials, with a strong focus on critical infrastructure. Attacked the City of Oakland, the City of Lowell (Massachusetts), and the Dallas County government. Play nearly doubled its victim count between Q1 and Q2 2025, with a sustained focus on government, healthcare, and manufacturing.

An emerging group that launched its leak site in March 2025 and claimed 200+ victims across 33+ countries by early 2026. Assessed as a rebrand of Rbfs ransomware based on shared operators, victim overlap, and infrastructure continuity. Primary initial access vector is CVE-2024-55591, a critical FortiOS authentication bypass. Notable for significant OPSEC failures including Gmail usage and exposed server headers.

The single most documented cyber espionage unit in history. Operating out of a 12-story building in Shanghai's Pudong district, APT1 systematically compromised 141 organizations across 20 industries over at least seven years, stealing hundreds of terabytes of intellectual property. Mandiant's 2013 exposure report — linking the group to PLA Unit 61398 — remains the defining publication in the history of cyber threat intelligence.

A Chinese MSS-linked espionage unit operating through the front company Boyusec, attributed by Recorded Future and confirmed by a 2017 DOJ indictment. Known for exploiting zero-days in Internet Explorer, Flash, and Office to compromise aerospace, defense, and telecom targets in the US and UK before pivoting to Hong Kong political entities ahead of the 2016 elections. One of the first APT groups publicly linked to China's civilian intelligence service rather than the PLA.

A PLA-linked espionage group with a sustained focus on Taiwan, Japan, and media organizations that publish reporting unfavorable to PRC leadership. Best known for a 2012 breach of The New York Times — sustained for over four months — timed to a Pulitzer-winning investigation into Premier Wen Jiabao's family wealth. FireEye dubbed them "Darwin's Favourite APT Group" after observing the group retool their entire malware infrastructure twice in direct response to security vendor publications.

A Chinese MSS unit operating out of Jinan, attributed by Intrusion Truth to MSS officer Guo Lin and a network of local contractor firms. Known for "hiding in plain sight" — embedding encoded C2 addresses inside legitimate Microsoft TechNet forum posts and profiles to evade detection. Confirmed active as recently as mid-2024, with targeted campaigns against Italian government and business entities using the 9002 RAT.

A PLA Navy-linked espionage group with a pronounced focus on healthcare, biotechnology, and defense. Responsible for the 2014 breach of Community Health Systems, in which SSNs and PII for 4.5 million patients were exfiltrated — believed to have exploited the OpenSSL Heartbleed vulnerability for initial access. Distinguished operationally by their speed: the group is known to weaponize newly released public exploits within days of disclosure, pivoting targets and retooling infrastructure faster than most state-sponsored actors.

A Chinese espionage group assessed to operate through freelance contractors with state sponsorship, targeting legal, financial, and defense sectors with unusual precision. Notable for a 2015 watering hole attack via Forbes.com and a 2017 phishing campaign that specifically targeted seven law firms and investment companies — an unusually deliberate focus on entities handling M&A negotiations, IP filings, and sensitive government contracts. Some researchers assess APT19 and Deep Panda as the same operation; attribution remains debated.

One of the longest-running documented espionage operations in history, active since at least 2005 with infrastructure dating to 2004. APT30 is singular in its focus: Southeast Asian political dynamics, ASEAN deliberations, disputed territorial claims, and journalists covering topics the CCP considers threats to its legitimacy. Operations spike around ASEAN summits. Uniquely developed air-gap crossing capabilities — malware designed to propagate via USB drives into networks with no internet connectivity — suggesting high-value targets inside physically isolated government systems.

Vietnam's primary offensive cyber unit, conducting espionage across two distinct tracks simultaneously: corporate targets — multinationals entering Vietnam's manufacturing, hospitality, and consumer goods sectors — and domestic dissidents, pro-democracy bloggers, and human rights organizations. A 2024 Huntress investigation uncovered an intrusion against a Vietnamese human rights defender that had been running undetected for at least four years. In early 2025, the group escalated supply-chain tradecraft by distributing backdoored security tools via GitHub, targeting Chinese cybersecurity professionals.

A large, multi-subgroup Chinese espionage actor with a singular obsession: telecommunications infrastructure and satellite communications. Mandiant assesses over half of APT5's confirmed victims operate in the telecom or technology sectors. The group has a documented pattern of exploiting zero-days in network edge devices — Pulse Secure VPN, Fortinet, and Citrix ADC — to achieve pre-authentication access, prompting a rare dedicated NSA threat-hunting advisory in December 2022 attributed specifically to this group.

A Chinese espionage actor operating under the Winnti Group umbrella and tied to i-Soon, the Chengdu-based MSS contractor exposed in a 2024 leak that revealed the scale of China's contractor-driven hacking apparatus. In March 2025, the FBI added named i-Soon employees to its Most Wanted list following DOJ indictments covering espionage campaigns from 2016 to 2023. ESET's Operation FishMedley investigation documented a 10-month 2022 campaign hitting seven organizations across Taiwan, Hungary, Turkey, Thailand, France, and the United States — governments, Catholic charities, NGOs, and think tanks.

One of the most operationally disciplined Chinese APT groups on record. Novetta's Operation SMN coalition — involving Cisco, Symantec, FireEye, Microsoft, and others — removed over 43,000 installations of Axiom tooling from networks worldwide and assessed the group with moderate-to-high confidence as part of China's Intelligence Apparatus. Unlike APT1, whose operators were identifiable through poor OPSEC, no Axiom operator mistakes have ever been publicly documented. Targets span Fortune 500 companies, pro-democracy NGOs, environmental groups, journalists, and aerospace and defense contractors across North America, Europe, and East Asia.

Named for its singular focus: Ministries of Foreign Affairs. Active since at least 2017, this China-aligned group systematically targets diplomatic organizations across Africa, the Middle East, Europe, and Asia using a custom backdoor lineage (Quarian → Turian) that has been under continuous development for over a decade. Palo Alto Unit 42 tracks this actor as Playful Taurus and overlaps it with APT15 — one of China's longest-running espionage clusters. Iranian government networks were confirmed compromised in a 2022 campaign documented by Unit 42.

A quietly operating Chinese-speaking espionage group that ran undetected for nearly a decade before SentinelOne's 2022 disclosure. Active since at least 2013, Aoqin Dragon focuses on government, education, and telecom targets in Southeast Asia and Australia — nations of direct interest to Chinese foreign policy. The group has evolved its infection chain three times across its operational history, cycling from document exploits to fake antivirus droppers to fake removable device shortcuts, consistently finding new methods to evade detection and extend dwell time.

Russia's premier long-term espionage unit, active since at least 1996 and attributed to FSB Center 16. Described by the US government as operating "the most sophisticated cyber-espionage tool in the FSB's arsenal" — the Snake implant, developed since 2003 and active for over 20 years. In May 2023, the FBI's Operation MEDUSA remotely neutralized Snake's peer-to-peer network across 50+ countries using a custom tool named PERSEUS. Turla then adapted, hijacking other nation-state actors' infrastructure — including a Pakistani APT's C2 servers — to conduct espionage without direct exposure. In 2025, confirmed conducting adversary-in-the-middle attacks at ISP level against foreign embassies in Moscow.

Russia's dedicated critical infrastructure access unit, operating since at least 2010 with a singular focus: gaining and maintaining persistent access to energy grids, utilities, and industrial control systems — not to destroy them, but to understand how they work and be positioned to act. The DOJ indicted four FSB officers in 2022 for targeting US energy, nuclear, and water systems. In 2025, linked to the Static Tundra campaign exploiting aged Cisco router vulnerabilities across telecom and infrastructure networks, and to a major attack on Poland's energy sector.

A narrowly focused ICS reconnaissance group targeting electric utilities in the US and UK, first documented by Dragos in 2018 and linked to the DHS's Palmetto Fusion campaign designation. What distinguishes ALLANITE from Dragonfly and similar actors is its operational discipline: the group deploys no custom malware, relying entirely on native Windows tools. Its confirmed activity — collecting and distributing screenshots of ICS human-machine interfaces — signals pre-positioning rather than an immediate intent to cause disruption, though Dragos assesses the group maintains access for exactly that purpose if needed.

A GRU cyber unit formally linked — in a September 2024 DOJ indictment — to Unit 29155, the same special operations unit responsible for the 2018 Salisbury nerve agent poisoning of Sergei Skripal. In January 2022, days before Russia's full-scale invasion of Ukraine, Ember Bear deployed WhisperGate: wiper malware disguised as ransomware that destroyed government computer systems and defaced websites. The operation hit at least 26 NATO countries beyond Ukraine and marked one of the first GRU cyber attributions to a unit previously known only for physical assassination and sabotage.

Described by Dragos as "easily the most dangerous threat activity publicly known." XENOTIME is the only threat actor ever confirmed to have intentionally targeted Safety Instrumented Systems — the last line of automated defense in industrial facilities designed to prevent explosions, fires, and chemical releases. The 2017 TRISIS attack on a Saudi Arabian petrochemical plant disabled safety controllers and was discovered only because an apparent misconfiguration accidentally triggered a safety shutdown before the intended destructive payload could execute. FireEye attributed the tooling with high confidence to CNIIHM, a Russian government research institute in Moscow.

North Korea's primary espionage unit focused on South Korean domestic targets — government, academia, think tanks, North Korea-focused journalists, and defectors. ScarCruft's intelligence collection feeds directly into Pyongyang's decision-making on South Korean politics, defector networks, and international perceptions of the regime. Highly active through 2025, with campaigns targeting national intelligence researchers, South Korean cybersecurity professionals, and national security organizations, alongside Android spyware (KoSpy) distributed via Google Play Store.

North Korea's primary financial cyber unit, responsible for generating hard currency at scale to fund the regime's nuclear and missile programs under international sanctions. Responsible for at least $81 million stolen from Bangladesh Bank in 2016 — stopped only because the Federal Reserve Bank of New York detected anomalies in the transfer instructions before a $1 billion theft could complete. By 2024–2025, the group had pivoted heavily toward cryptocurrency, stealing approximately $1.34 billion across 47 incidents in 2024 alone. The February 2025 Bybit heist — assessed at $1.5 billion — is believed to be the largest recorded crypto theft in history.

One of North Korea's longest-running cyber units, operating since at least 2009 and elevated to formal APT status (APT45) by Mandiant in 2024. Andariel pursues two missions simultaneously: stealing classified military and nuclear technology from defense, aerospace, and engineering targets across the US, South Korea, Japan, and India — and funding those operations by running ransomware attacks against US healthcare entities. A July 2024 DOJ indictment named Rim Jong Hyok and offered a $10 million reward; charges included attacks on NASA and two US Air Force bases.

North Korea's dedicated cryptocurrency theft and software supply chain unit, operating under the Lazarus Group umbrella. Named for its signature tactic: distributing trojanized cryptocurrency trading apps, wallets, and DeFi platforms that silently steal private keys and credentials. Responsible for the 2023 3CX supply chain attack — itself a downstream consequence of an earlier supply chain compromise — marking one of the first confirmed supply-chain-within-a-supply-chain attacks. In August 2024, exploited a Chromium V8 zero-day (CVE-2024-7971) chained with a Windows kernel zero-day, deploying the FudModule rootkit against cryptocurrency sector targets.

Iran's most persistent aerospace and energy espionage unit, targeting the sectors that hold technology and IP Iran cannot acquire through legitimate channels due to international sanctions. Active since at least 2013 with a consistent focus on US, Saudi Arabian, and South Korean aviation, defense, and petrochemical organizations. By 2023–2025, the group executed a strategic shift from spearphishing to large-scale cloud-based password spraying against Microsoft 365 and Azure AD environments — moving from network perimeter attacks to identity-layer infiltration. Carries latent destructive capability via the SHAPESHIFT wiper, assessed as staged for use under geopolitical triggers.

The Iranian Ministry of Intelligence and Security's primary people-tracking unit, operating through the front company Rana Intelligence Computing. Unlike other Iranian APTs focused on IP theft or destructive operations, APT39's mission is human surveillance: acquiring the travel itineraries, call records, and personal data needed to monitor dissidents, journalists, opposition figures, and foreign officials inside and outside Iran. In September 2020, the US Treasury and FBI sanctioned Rana and 45 named individuals — making this one of the few cases where an APT's front company and specific employees have been formally designated.

An Iran-aligned destructive unit that pioneered the "wiper-as-ransomware" playbook — deploying malware that destroys data while demanding payment, providing cover for state-directed sabotage as cybercrime. Active since 2020 with a primary focus on Israeli targets, Agrius has operated under multiple personas and progressively escalated its methods: from fake ransomware to a full supply chain attack in 2022, compromising an Israeli software developer to deploy the Fantasy wiper against the diamond industry. During the June 2025 Iran–Israel military conflict, infrastructure linked to Agrius was observed scanning Israeli cameras across the country, assessed as bomb damage assessment support.

A textbook example of Iranian hacktivist-to-APT pipeline: Ajax Security Team began as a publicly active defacement crew before being recruited into targeted espionage around 2014. Operating as Rocket Kitten, the group conducted campaigns against US defense contractors, Israeli institutions, Iranian dissidents, and users of anti-censorship tools — eventually accumulating a phishing infrastructure containing over 1,800 individual targets. Check Point's 2015 investigation gained root access to the group's own backend after the operators failed to secure it, exposing internal tools and operator identities — a rare window into an APT's operational infrastructure through their own OPSEC failures.

An Iran-linked espionage group profiled jointly by ClearSky and Trend Micro, notable for succeeding despite relatively unsophisticated tradecraft. Active since at least 2013, CopyKittens targeted government organizations, academic institutions, defense companies, and NGOs across Israel, Saudi Arabia, Turkey, Jordan, the US, and Germany. Operation Wilted Tulip documented the group's use of a particularly effective social engineering technique: gaining access to one email account in an organization, then waiting for natural conversation threads to develop before slipping a malicious link into an existing reply chain — a trusted-context attack that bypasses conventional suspicion.

The primary cyber espionage arm assessed to operate on behalf of Hamas, targeting Israeli military and government personnel alongside Palestinian political opponents. Runs two concurrent surveillance tracks: external operations against Israeli targets — including IDF soldiers stationed near Gaza — and internal operations monitoring Fatah, Palestinian civil society, and diaspora journalists. Operation Bearded Barbie (2022) documented operators spending months building convincing fake Facebook personas, posting in Hebrew and engaging with Israeli communities, before delivering spyware to senior defense, law enforcement, and emergency services personnel.

One of the first PLA units to have a specific officer publicly identified and named by researchers. ThreatConnect and Defense Group Inc.'s 2015 Project CameraShy report traced Naikon's C2 infrastructure to PLA officer Ge Xing in Kunming — using social media cross-referencing, pattern-of-life analysis, and Chinese-language research across eight overlapping data points. Based in Yunnan province, PLA Unit 78020's mandate is signals intelligence and cyber espionage against South China Sea claimant nations, targeting the military, diplomatic, and economic sectors of Cambodia, Indonesia, Laos, Malaysia, Myanmar, Nepal, the Philippines, Singapore, Thailand, and Vietnam, as well as ASEAN and the UN Development Programme.

India's primary assessed offensive cyber unit, named "Patchwork" by researchers for its habit of copy-pasting code from online forums — a development style that leaves distinctive fingerprints. Focused on espionage against Pakistan and China, the group targets military and defense R&D networks, Chinese diplomatic entities, and Pakistani government and security organizations. Highly active through 2025, with confirmed campaigns hitting Pakistan's defense sector, Turkish precision-guided missile manufacturers, and Bhutanese government entities — all geopolitically timed to India-Pakistan and India-China tensions.

One of the most prolific assessed Indian APT groups, active since 2012 and running multiple confirmed campaigns through late 2025. Historically focused on Pakistan, Sri Lanka, Nepal, and China, SideWinder has steadily expanded its geographic reach — adding maritime facilities in the Indian Ocean and Mediterranean, Middle East and African strategic infrastructure, and now Thailand and Indonesia. A four-wave spearphishing campaign against South Asian diplomats ran from March through September 2025, deploying the StealerBot post-exploitation toolkit first documented by Kaspersky in October 2024.

Pakistan's primary assessed offensive cyber unit, conducting sustained long-term espionage against Indian government, military, defense contractors, and academic institutions since at least 2013. Not particularly sophisticated, but exceptionally persistent and geopolitically aware — campaigns are consistently timed to regional events, with lures weaponizing real incidents including the April 2025 Pahalgam terror attack within days of occurrence. Active through early 2026, with confirmed campaigns against Indian Air Force and Department of Defense Production entities using ISO payloads, cross-platform RATs, and cloud-hosted C2 infrastructure.

A South Asian espionage group — assessed by Proofpoint with high likelihood as operating on behalf of an Indian intelligence organization — conducting long-running campaigns against Pakistan, China, Bangladesh, and Saudi Arabia. Known for targeting an exceedingly narrow set of high-value individuals within defense, government, and military entities. Active through mid-2025, including a May 2025 campaign against Pakistan Telecommunication Company timed to India's Operation Sindoor military action, using credentials stolen from Pakistan's Counter Terrorism Department months earlier.

Turkey's primary assessed offensive cyber unit, distinguished by a signature technique that attacks the internet's naming infrastructure itself rather than individual targets. Sea Turtle compromises DNS registrars and ccTLD managers — then hijacks DNS resolution for the actual targets, silently redirecting their traffic to attacker-controlled servers to harvest credentials at scale. Microsoft noted in 2021 that the group's targeting consistently aligns with Turkish foreign policy interests in Armenia, Cyprus, Greece, Iraq, and Syria. More recently confirmed targeting Kurdish opposition groups — including PKK-affiliated websites — and IT and telecom companies in the Netherlands used as upstream access points into Kurdish political networks.

A Recorded Future designation for Chinese state-sponsored activity targeting India's power grid infrastructure — notable because the targeting makes no economic or intelligence-gathering sense by conventional APT metrics. Recorded Future assessed the campaign is instead likely pre-positioning: establishing persistent access to India's electrical dispatch systems to enable future geostrategic signaling, influence operations, or kinetic escalation options during border disputes. Active from at least 2020, with targets geographically concentrated in North India near the Ladakh border region — the active flashpoint in India-China territorial tensions. Infrastructure and tooling overlaps with APT41 and Tonto Team but remains tracked as a distinct activity group.

A financially motivated Eastern European crew whose evolution traces the entire arc of modern payment card crime: from point-of-sale malware in hospitality and retail (2015), to Magecart JavaScript skimmers on e-commerce checkout pages (2018), to ransomware partnerships with Ryuk and LockerGoga (2019), to their current tactic of flipping the LinkedIn job scam — posing as job seekers rather than recruiters to deliver the More_eggs backdoor to HR professionals and hiring managers. The June 2025 campaign hosted fake resume portfolio sites on AWS infrastructure behind CAPTCHA gates and environmental fingerprinting checks to block automated scanners.

A financially motivated Eastern European crew known for two defining behaviors: targeting the hospitality sector with POS malware since 2016, and taking deliberate extended breaks between campaigns to retool and evade detection. Active since 2016, FIN8 has evolved through three distinct phases — POS credential theft, pivot to ransomware partnerships (Ragnar Locker, White Rabbit, BlackCat/ALPHV), and continuous backdoor development — each time rewriting core tooling to shed prior signatures. The Sardonic backdoor has been overhauled multiple times since its 2021 discovery, with the December 2022 variant so heavily reworked that most of the code bore no resemblance to its predecessor.

Assessed as the largest phishing and malspam distributor in the world, responsible for some of the most impactful ransomware campaigns of the past decade. TA505 drove the Dridex banking trojan and Locky ransomware campaigns through the Necurs botnet, then pivoted to Clop ransomware — culminating in the May 2023 MOVEit Transfer zero-day mass exploitation that hit thousands of organizations simultaneously, including multiple US government agencies. The group operates as a near-enterprise criminal infrastructure, running its own initial access broker operation and frequently rotating malware families to maintain volume and evade detection.

The criminal enterprise that built modern big-game hunting ransomware. Starting with TrickBot as a banking trojan in 2016, Wizard Spider constructed a full-stack cybercrime operation: TrickBot for initial access and credential theft, Ryuk for high-ransom targeting, then Conti as a scaled RaaS, and Black Basta after Conti's 2022 collapse. The group employed ~80 people across development, operations, and a custom VoIP call center used to pressure non-paying victims. In May 2025, German authorities publicly identified "Stern" — Wizard Spider's leader — as 36-year-old Russian national Vitaly Nikolaevich Kovalev. He remains at large in Russia.

The group that executed what Kaspersky called the "Great Bank Robbery" — an estimated $1 billion stolen from over 100 financial institutions across 30 countries by targeting bank employees rather than customers. Carbanak's operators would spend months inside a bank network using screen recording malware to study exactly how administrators processed transactions, then replicate those actions to quietly drain accounts, inflate balances, and trigger ATM jackpotting at precise times. The group later pivoted to US hospitality and restaurant chains via a phone-based social engineering tactic, calling as customers and staying on the line until malware delivery was confirmed.

A small Russian-speaking crew — assessed to be just two people, a developer and an operator — that graduated from failed copycat attacks in 2016 to sophisticated global bank heists totaling an estimated $4.2 million by 2019. Group-IB assessed the members are likely former white-hat security professionals who crossed over, given their access to non-public malware samples, penetration testing tradecraft, and knowledge of ATM internals. Named for the long gaps between operations and the near-silence of attacks in progress. The May 2019 Dutch-Bangla Bank ATM jackpotting operation in Bangladesh — $3 million withdrawn over a single weekend — demonstrated the group's ability to execute multi-country coordinated cash-out operations at scale.

The group that fundamentally changed ransomware economics by inventing double extortion. Before Maze, ransomware was defeatable with backups. Maze changed that: in November 2019 the operators contacted BleepingComputer to announce they had stolen Allied Universal's unencrypted data before encrypting it — and would publish it if the ransom went unpaid. When Allied didn't pay, Maze published the data. Within months the tactic had been adopted by REvil, Conti, Clop, and DoppelPaymer. Maze shut down in November 2020 with a self-aggrandizing press release, but operators almost immediately resumed under Egregor, a near-identical ransomware variant.

The subject of one of the most operationally significant law enforcement actions in ransomware history. After the FBI infiltrated Hive's infrastructure in July 2022 — seven months before the public announcement — agents quietly obtained over 1,000 decryption keys and passed them to victims, preventing $130 million in ransom payments. During the infiltration, Hive continued attacking healthcare systems, hospitals, and critical infrastructure. Attorney General Garland cited the case of a Midwestern hospital forced to turn away patients at the height of the COVID-19 surge after a Hive attack. On January 26, 2023, the DOJ announced the takedown alongside 13 international partners.

A RaaS operation that emerged in mid-2021 targeting US critical infrastructure sectors — financial services, critical manufacturing, and government facilities — with confirmed FBI activity through May 2023. AvosLocker combined a layered extortion model with live pressure tactics: operators would phone victims during negotiations to encourage ransom payment and, when victims were uncooperative, threatened and executed DDoS attacks as additional leverage. A notable technical signature was forcing victim systems to restart in Windows Safe Mode before encrypting — disabling security software that cannot operate in that mode.

A Russia-based ransomware operation that uses Cuban Revolution iconography despite having no connection to Cuba — first active as Tropical Scorpius in 2019, later adopting the Cuba branding. Distinguished by technical depth: operators developed custom kernel drivers signed with certificates leaked in the 2022 Lapsus$ NVIDIA breach, used them to terminate specific security product processes before deploying ransomware, and leveraged a custom RAT (RomCom) for post-intrusion activity. By 2022 the group had netted at least $43.9 million in ransom payments and demanded at least $74 million from over 60 confirmed victims across government, financial services, and critical infrastructure.

A prolific RaaS operation built on Phobos ransomware infrastructure that became one of the most active groups targeting small and medium-sized businesses in 2023. Operating quietly from March 2022, 8Base went public with a data leak site in June 2023 and rapidly escalated — indiscriminately targeting healthcare, finance, manufacturing, and government sectors across the US and globally, and claiming a 2024 attack on the UN Development Programme. Law enforcement Operation Phobos Aetor dismantled the group in February 2025, arresting four Russian nationals in Phuket, Thailand and seizing 27 servers. Japanese authorities subsequently released a free decryptor for victims.

Emerged in October 2023 with code showing approximately 60% overlap with the FBI-dismantled Hive ransomware — operators deny a rebrand, claiming they purchased the source code. Within a year became one of the most active RaaS operations globally, claiming 280+ attacks across 30+ countries. In November 2024 the operators issued a farewell letter citing ransomware as too risky and unprofitable — then reversed course weeks later, relaunching on January 1, 2025 as World Leaks, dropping encryption entirely in favor of pure data extortion. The group now operates an exfiltration-as-a-service model, arming affiliates with an automated data theft tool and threatening data publication rather than system lockout.

One of the most prolific healthcare-targeting ransomware groups through 2024 and 2025 — leading confirmed attacks on healthcare providers across both years according to Comparitech tracking. INC Ransom's UK NHS campaigns were particularly impactful: the March 2024 attack on NHS Scotland (Dumfries and Galloway) exposed 3TB of patient data including genetics reports, medication records, and children's test results. The November 2024 attack on Alder Hey Children's Hospital in Liverpool — accessed via a shared digital gateway — compromised patient records, donor reports, and procurement data spanning six years across three hospital trusts.

Emerged April 2024 as an education-sector specialist built on compromised VPN credentials — 80% of early victims were US schools and universities. Fog distinguished itself by operational speed: the shortest observed time from initial access to full encryption was under two hours. Researchers note it as a variant rather than a group, separating encryptor developers from the hands-on operators deploying it. A November 2024 Arctic Wolf analysis of 30 Fog intrusions found all initiated through compromised SonicWall VPN accounts, with 75% of the same intrusions also linked to Akira — suggesting shared infrastructure between the two groups.

A case study in adversarial adaptation: BianLian started as a double-extortion ransomware group, but when Avast released a free decryptor for their encryptor in early 2023, the operators made a strategic decision to abandon encryption entirely and pivot to pure data extortion. By January 2024, CISA confirmed BianLian had shifted exclusively to exfiltration-based extortion — stealing data, then threatening to publish it without ever locking systems. The FBI/CISA/ASD advisory noted the group likely chose the Chinese name "Bian Lian" (face changing) deliberately to complicate attribution — a cultural reference to the rapid mask-swapping art of Sichuan opera.

Russia's most prolific state-aligned hacktivist collective — created by CISM (Centre for the Study and Network Monitoring of the Youth Environment) as a covert Kremlin project, with CISM staff developing the DDoSia tool, funding infrastructure, and serving as channel administrators. Active since March 2022, the group has maintained an average of 50 DDoS attacks per day, targeting 3,700+ unique hosts between mid-2024 and mid-2025 alone. Attacks are timed to geopolitical events — NATO aid announcements, weapons transfers, state visits — and gamified via cryptocurrency rewards and leaderboards to sustain a volunteer base of up to 4,000 participants. Operation Eastwood (July 2025) dismantled core servers and resulted in two arrests, but the group publicly dismissed the operation and resumed activity within days.

Two brothers from Sudan — Ahmed Salah (22) and Alaa Salah (27) — built one of the most disruptive DDoS operations in recent history using rented servers, high-bandwidth infrastructure, and a custom tool called DCAT (Distributed Cloud Attack Tool). Between January 2023 and March 2024, they executed 35,000+ DDoS attacks globally, taking down Microsoft Azure and Outlook, the French government, US DOJ, DOD, FBI, State Department, and Cedars-Sinai Medical Center's emergency department for eight hours. Security researchers initially theorized Russian state backing — the indictment ultimately confirmed two independent Sudanese nationals, correcting a widely held attribution assumption.

The world's first government-crowdsourced cyber army — established by Ukraine's Minister of Digital Transformation Mykhailo Fedorov days after Russia's February 2022 invasion. Targets are listed on Telegram; volunteers worldwide contribute computing power and run provided DDoS tools. Russian cybersecurity firm F6 identified the IT Army as the most active hacking group targeting Russian digital infrastructure in 2024, with DDoS attacks surging 50% year-over-year. Operations are coordinated by a small in-house engineering team and a public call-to-action network — structured enough for strategic focus, open enough for tens of thousands of international participants.

A pro-Israel group assessed to have state links — though Israel maintains official ambiguity — that conducts precision-timed destructive attacks on Iranian infrastructure under the guise of hacktivism. Known for restraint as a message: the group emphasizes that it deliberately limits civilian impact while demonstrating capability. In June 2025, within days of Israeli airstrikes on Iranian nuclear sites, Predatory Sparrow destroyed IRGC data at Bank Sepah and stole $90 million from Nobitex — Iran's largest crypto exchange — then burned all of it rather than keeping it, to send a political rather than financial message.

One of the most structurally complex designations in threat intelligence — "Winnti" refers to a shared malware family, a set of tactics, and a loose contractor network under Chinese intelligence direction rather than a single cohesive group. Microsoft broke it into BARIUM (gaming / multimedia targeting, personal financial gain) and LEAD (industrial espionage, state mandate). The defining capability is supply chain compromise: stealing code signing certificates from gaming companies to legitimize later trojanized software distribution — a technique that underpins operations like ShadowHammer (ASUS) and the Netsarang supply chain attack. Confirmed active in March 2024 (RevivalStone campaign against Japanese manufacturing).

One of China's most prolific and consistently active espionage groups, distinguished by high operational tempo and "volume over stealth" targeting philosophy. Campaigns are tightly aligned with PRC foreign policy moments — the 2020 Vatican targeting coincided precisely with the Sino-Vatican bishop appointment agreement renewal; Ukraine war campaigns began within weeks of the 2022 invasion to collect EU internal deliberations on sanctions and foreign policy realignment. Confirmed active through 2025 with new malware families (CoolClient infostealer modules, ToneShell variants, Frankenstein ToneShell, Yokai) and USB worm propagation added to its phishing-heavy infrastructure.

A Chinese state-linked group that built its reputation specifically on telecom sector intrusion — penetrating carrier networks not to steal data from the carriers themselves, but to access the call detail records (CDRs) of high-value targets transiting those networks. Operation Soft Cell (Cybereason's name for Gallium activity) demonstrated sustained network presence inside telecom providers in Southeast Asia, Europe, Africa, and the Middle East, in some cases maintaining access for years. Since 2021 the group has expanded targeting to financial institutions and government entities, and added PingPull — a hard-to-detect remote access trojan — to its arsenal.

A low-attribution espionage group discovered by Malwarebytes in early 2021 after years of undetected activity — distinguished by a nearly exclusive reliance on commodity open-source RATs rather than custom malware, making attribution difficult by design. Targets two overlapping groups: airline employees and organizations that interact with IATA's BSPLink billing platform, and individuals seeking immigration to Canada through legitimate job programs. Lures are carefully updated to track new IATA products, suggesting ongoing tasking to collect intelligence from the aviation sector specifically. GitHub used as payload hosting infrastructure — a tactic associated with Iranian APT groups.

One of Latin America's longest-running espionage campaigns — active since at least 2010 and confirmed updated through 2019 with continued infrastructure activity. Machete is assessed as Spanish-speaking with roots in Latin America, and focuses heavily on Venezuelan military targets alongside neighboring governments, intelligence services, and embassies. Despite low technical sophistication by APT standards — no zero-days, Python-based tooling, simple phishing — the group has exfiltrated gigabytes of data per week from high-value targets and operated largely unimpeded for over a decade, demonstrating that persistence and targeted lures often outperform technical complexity.

A Russian-speaking espionage group that has operated quietly across Central Asia and former Soviet states since at least 2014, targeting diplomatic missions, government networks, and opposition political groups. Notably opportunistic in its lure design — when Kazakhstan threatened to ban Telegram in 2018, the group immediately distributed malware disguised as a Telegram alternative for the DVK opposition party. Operation Paperbug (2020–2023) took a more invasive step: infiltrating a Tajikistani mobile carrier to surveil 18 entities, including government officials, and extending access to OT devices such as gas station systems — unusual scope for a diplomatically-focused APT.

One of the most consistent and sector-specific APTs tracked by Proofpoint — active since at least 2017 with almost no change in tactics over eight years. TA2541 exclusively targets aviation, aerospace, transportation, defense, and manufacturing using only industry-specific lure themes (aircraft parts, fuel orders, charter requests, ambulatory flights) rather than current events. Unusually, campaigns hit broad recipient lists without targeting specific job roles, suggesting intelligence-gathering rather than spearfishing. Despite extensive public reporting and IOC disclosure, the group continues operating with the same playbook, implying either high confidence in lure effectiveness or operations that continue to yield value.

A rare publicly documented hybrid of cyber espionage and coordinated influence operations — UNC1151 provides the technical access (credential theft, website compromise) while the Ghostwriter campaign uses those stolen assets to publish fabricated narratives on hacked news sites and government portals. Mandiant assessed with high confidence in 2021 that UNC1151 is linked to the Belarusian government and military based in Minsk, reattributing a campaign Germany and the EU had previously blamed on Russia. The geographic tell is notable: Ghostwriter operations target NATO members bordering Belarus (Lithuania, Latvia, Poland) but have consistently excluded Estonia — a Baltic state that does not share a border with Belarus. Active through 2025 targeting Ukrainian military and Belarusian opposition.

A long-running Chinese espionage group — active since at least 2009 — that has spent over a decade targeting South Korea, Japan, and Taiwan before expanding east to include Russia and Eastern Europe. The Russia targeting is strategically notable: China publicly aligned with Russia as a "comprehensive strategic partner" while simultaneously running espionage campaigns against Russian government agencies, infrastructure providers, and security firms. The Bisonal RAT used by Tonto Team has been observed exclusively among Chinese APT groups and has been in development for over 15 years, making it one of the more reliable Chinese-exclusive attribution anchors in public threat intelligence.

One of the longest-running Chinese diplomatic espionage groups — active since at least 2010 and continuously evolving its toolset across three generations of custom backdoors. First publicly identified through Operation Ke3chang in 2014, which compromised European ministries of foreign affairs using Syria crisis lures timed to a G20 summit. The group's Graphican backdoor (2023) uses Microsoft Graph API and OneDrive for C2 — a technique that blends malicious traffic into legitimate cloud service communications. Confirmed active July 2024–March 2025 through PurpleHaze campaign activity targeting 75+ organizations, using ShadowPad and exploiting Ivanti zero-days before public disclosure.

An Iranian espionage group with a focused mandate: telecom carriers and energy sector operators in the Middle East and Africa. The targeting logic is deliberate — compromise an ISP or telecom provider to gain a pivot point into the networks of its government and enterprise clients. The group uses convincing fake job offers (impersonating named HR staff from real companies, sometimes using identities of former employees) to deliver malware via LinkedIn and email. Tool and tactic similarities with OilRig (APT34) are described by ESET as "too numerous and specific" to be coincidental, suggesting resource sharing or common origin within Iran's intelligence apparatus.

An Iranian state-linked group operating under a pro-Palestinian hacktivist persona — but assessed by SecureWorks and others as an inauthentic front for IRGC cyber operations. Moses Staff conducts multi-stage attacks: espionage with StrifeWater RAT (which removes itself before the final stage), followed by data exfiltration, then deployment of DCSrv cryptographic wiper disguised as ransomware. Unlike financial ransomware groups, Moses Staff never offers decryption keys — the "ransom" framing exists to obfuscate the state-sponsored nature and inflict maximum disruption. Victims include organizations in Israel, Italy, India, Germany, Chile, Turkey, UAE, and the US.

One of the most prolific and adaptive initial access brokers in the eCrime ecosystem — informally nicknamed the "letters" affiliate for its use of campaign IDs like AA, BB, and TR. TA577 functioned as one of Qbot's primary distributors for years, then rapidly pivoted through the disruption cycle: DarkGate and IcedID after the August 2023 Qbot takedown, then PikaBot, then Latrodectus in late 2023. In early 2024 the group shifted to NTLM hash theft via weaponized email attachments — a sign of expanding from pure access brokerage into post-exploitation credential staging that feeds directly into Black Basta ransomware operations.

A case study in what the Cyber Safety Review Board called "exploiting systemic ecosystem weaknesses" — Lapsus$ breached NVIDIA, Microsoft, Samsung, Okta, Uber, Rockstar Games, and dozens more using almost no custom malware, relying instead on social engineering, MFA fatigue attacks, SIM swapping, and paying insiders for credentials. The group was notably composed of teenagers — its ringleader was 16 at the time of his most prominent attacks and received an indefinite hospital order in December 2023. Largely inactive since September 2022 following arrests, but the tactics Lapsus$ pioneered remain in active use across the eCrime ecosystem and directly influenced groups like Scattered Spider.

Iran's MOIS-subordinate espionage group, active since at least 2017 with one of the broadest geographic footprints among Iranian APTs — covering the Middle East, Asia, Africa, Europe, and North America. Known operationally as MuddyWater by most vendors, the group shifted in 2023–2024 from PowerShell-heavy scripts to abusing legitimate remote monitoring and management (RMM) tools as primary C2 channels, making malicious traffic indistinguishable from normal enterprise tooling. In 2023 it collaborated with DEV-1084 on DarkBit pseudo-ransomware attacks that were actually destructive wipers against Azure cloud environments. Confirmed active March 2026 targeting US, Israeli, and Canadian organizations with Dindoor (Deno-runtime backdoor) and Fakeset (Python implant).

Described by Google TAG as "the opportunistic locksmiths of the security world" — Exotic Lily is a full-time initial access broker that distinguished itself by the unusually high level of human engagement involved in its phishing campaigns. Rather than blasting malware attachments at scale, operators build a fabricated business identity (fake LinkedIn profile, AI-generated photo, spoofed company domain), initiate real email correspondence, schedule meetings to discuss business requirements, then deliver malware via a legitimate file-sharing notification email. At peak activity it was sending 5,000+ emails per day to 650 organizations — while apparently maintaining this relationship-building model across all of them.

A Chinese espionage group with a dual identity: as Flax Typhoon it conducts stealthy LotL-heavy intrusions into Taiwanese government, education, and technology organizations; as the operator of the Raptor Train botnet (linked to front company Integrity Technology Group) it maintained a 260,000-device IoT/SOHO botnet used for espionage relay and global C2 infrastructure. The September 2024 FBI operation that disrupted the botnet provoked a real-time DDoS counterattack from the operators, who attempted to migrate infrastructure before being identified and abandoning the network entirely. Integrity Technology Group was OFAC-sanctioned January 2025.

The FSB's credential-theft and influence intelligence unit — dedicated to systematically compromising the personal email accounts of NATO government officials, defense contractors, journalists, NGOs, and think tanks. The group's approach is unusually patient: operators invest extended time building rapport with targets on topics of genuine interest before introducing a phishing link. The EvilGinx reverse-proxy framework steals both credentials and session cookies simultaneously, bypassing 2FA. In October 2024 DOJ and Microsoft jointly seized 100+ of its phishing domains, the largest single disruption of its infrastructure — the group quickly re-established new infrastructure. In 2025 it added LostKeys malware delivered via ClickFix for select high-value targets.

An espionage group aligned with Russian and Belarusian geopolitical objectives, distinguished by a highly methodical approach to webmail exploitation: use Acunetix to scan public-facing email portals for known unpatched CVEs, then engineer bespoke JavaScript payloads customized to each target organization's specific webmail implementation. The group has repeatedly exploited medium-severity vulnerabilities in Zimbra and Roundcube — not sophisticated zero-days but widely unpatched flaws — successfully accessing email accounts across 80+ European government, military, and diplomatic organizations. The October–December 2023 Roundcube XSS campaign notably extended targeting to Iranian embassies in Russia and the Netherlands, suggesting intelligence interests that span the Iran-Russia relationship.

A mobile surveillance cluster — not a single group, but four interconnected Android spyware families (SilkBean, DoubleAgent, CarbonSteal, GoldenEagle) discovered by Lookout in 2020 and traceable to at least 2013. All four share C2 infrastructure, signing certificates, and code overlap, pointing to a single state-linked operator. Infrastructure connects to GREF / APT15 desktop activity. The targeting is systematic: apps are trojanized versions of legitimate services used by Uyghur communities (music apps, e-commerce, pharmaceutical guides, keyboards), delivered in 10+ languages across 14+ countries wherever Uyghur diaspora communities exist. As one Lookout researcher put it: "wherever China's Uyghurs are going, however far they go, the malware followed them there."

A group that emerged under the N4ughtySecTU alias targeting South African financial infrastructure — breaching TransUnion SA in March 2022 and exfiltrating data on 5 million consumers, then demanding $15 million in cryptocurrency. When TransUnion refused to pay on principle, the group released the data and claimed sustained access to credit bureau and government systems. Subsequent operations as N4ughtySec expanded to Experian, XDS, and claims of access to South African Social Security Agency (SASSA) systems. Attribution and geopolitical alignment remain contested — the group has made statements aligned with pro-Palestinian positions while primarily executing financially motivated data extortion campaigns.

A textbook example of Iranian "faketivism" — an IRGC-affiliated operation presenting itself as a pro-Palestinian hacktivist group while executing state-directed attacks on industrial control systems. CISA confirmed the November 2023 water facility campaign as IRGC-affiliated, and the Treasury Department sanctioned six IRGC Cyber-Electronic Command officials for directing it. The group's method is blunt: scan Shodan/Censys for internet-exposed Unitronics PLCs using default passwords, gain access via default credentials on TCP port 20256, then deface the HMI with "Down with Israel" messaging and alter or delete ladder logic to disrupt or disable operations. The November 2023 Aliquippa Municipal Water Authority breach shut down a pump serving two Pennsylvania townships.

A financially motivated BEC actor with a two-stage playbook: first impersonate a US government agency (DOT, USDA, DOL, SBA, HUD, DOC) to steal corporate credentials via fake bid proposal portals, then use those stolen credentials to search compromised inboxes for payment-related threads and conduct invoice fraud or payroll redirect. Proofpoint planted honeypot credentials in one of the spoofed bid portals and confirmed access within six days — the actor immediately searched for "bank information," "payment," and "merchant" keywords, confirming the downstream BEC intent. Metadata in the PDF attachments consistently points to Nigerian origin.

One of the most volume-driven financially motivated groups in the eCrime ecosystem — notable for sheer operational scale rather than technical sophistication. Mandiant tracks FIN11 as a subset of TA505 activity with distinct post-compromise TTPs; CISA and FBI treat them as identical. FIN11 was central to building Clop ransomware's operational model, providing initial access and distribution infrastructure before transitioning to selling network access to other ransomware operations. The May 2023 MOVEit zero-day exploitation (CVE-2023-34362) remains their highest-profile operation, compromising hundreds of organizations globally including US government agencies, and establishing a pure data-extortion-without-encryption model. In late 2024, Clop/FIN11 repeated the pattern against Cleo file transfer software.

A relatively new and previously undocumented state-suspected APT first publicly identified by Group-IB in January 2023, though activity traces back to mid-2021. Dark Pink stands out for deploying an almost entirely custom toolkit — TelePowerBot, KamiKakaBot, Cucky, Ctealer — while most similarly-positioned groups rely heavily on commodity malware. A signature lure technique exploits ASEAN-Europe diplomatic relations: phishing emails disguised as job applications or policy papers ("Concept paper Strategic Dialogue DEU-IDN") to target government and military personnel. Microphone audio capture is an explicit collection objective alongside document and messenger data theft.

One of the most documented examples of hacktivist-to-cybercriminal evolution. GhostSec began in January 2015 as an Anonymous offshoot targeting ISIS websites after the Charlie Hebdo attacks — it even passed intelligence on planned terrorist attacks to law enforcement. By 2023 the group had pivoted to launching GhostLocker, a full Ransomware-as-a-Service platform, while simultaneously attacking Israeli infrastructure under pro-Palestinian framing. The group's own admission — "Hacktivism does not pay the bills!" — captures the transition. In May 2024 they announced retirement from cybercrime and transfer of GhostLocker operations to Stormous, though the Five Families alliance and continued infrastructure activity suggest the exit was not clean.

Self-described "gay furry hackers" — a US-based hacktivist collective that spent two years targeting NATO, a major nuclear research lab, right-wing organizations, and anti-LGBTQ+ state governments under explicitly queer political framing. The Idaho National Laboratory breach demanded the facility research "creating IRL catgirls." The Heritage Foundation breach ended with the group publishing leaked chat logs of the foundation's executive director threatening them in colorful terms. SiegedSec disbanded July 11, 2024, citing FBI scrutiny and mental health — days after the Heritage Foundation hack generated international headlines and the leader was reportedly raided by the FBI.

A Black Basta ransomware delivery group notable for a uniquely engineered social engineering chain: first flood the target's inbox with legitimate subscription emails (link listing attack), then call posing as IT support to "help" with the spam problem, then convince the user to open Quick Assist and grant remote access — all before any malware is deployed. The technique bypasses email security entirely, exploits a user who is already stressed and actively seeking help, and abuses a Microsoft-built tool installed by default on every Windows 11 device. Black Basta affiliates had breached 500+ organizations by May 2024, generating at least $100 million in ransom payments.

An Arabic-speaking ransomware and hacktivism group active since 2021, known for politically aligning with Russia during the Ukraine conflict and conducting joint operations with GhostSec through the Five Families collective. Stormous draws skepticism from researchers for frequently claiming attacks without producing verifiable evidence — sometimes sharing already-publicly-available data as "proof." The group's credibility rose considerably after the March 2024 STMX_GhostLocker RaaS launch with GhostSec, following which Stormous absorbed full GhostLocker operations when GhostSec exited cybercrime in May 2024. The GhostLocker C2 server has been identified at an IP address located in Moscow.

The predecessor persona to Predatory Sparrow — an anti-Iranian regime hacktivist group that built the operational playbook of wiper malware against Iranian critical infrastructure, beginning with Syrian airline and company targets in 2019–2020 before pivoting to Iran itself. The July 2021 Iranian railway attack displayed train delay messages directing furious passengers to call Ayatollah Khamenei's office directly — the phone number became a running signature across subsequent attacks. Check Point's analysis linked the railway wiper tooling back to Indra's Syria-era operations, effectively deanonymizing the group via its own reused malware. Predatory Sparrow, which later claimed the steel plant and gas station campaigns, is assessed as an evolution or successor of Indra.

The most active and persistent APT threat actor focused exclusively on Latin America — hyper-targeted at Colombia's government, judiciary, financial sector, and critical infrastructure, with secondary targeting in Ecuador, Chile, and Panama. Blind Eagle's campaigns are operationally notable for their rapid exploitation windows: the group deployed a CVE-2024-43451 variant just six days after Microsoft released the patch, affecting both patched and unpatched systems. A December 2024 campaign infected over 1,600 victims in a single day — high by any standard, exceptional for an APT with deliberately narrow geographic focus. In February 2025 the group accidentally exposed an HTML file containing 8,075 stolen Colombian credential records including ATM PINs.

A China-based threat group that uses ransomware as a distraction from what researchers assess is the real objective: intellectual property theft and espionage. The group cycled through six distinct ransomware brands in under a year (LockFile → Atom Silo → Rook → Night Sky → Pandora → LockBit 2.0), with each variant deployed against a small number of victims then abandoned — an operational pattern inconsistent with financially motivated ransomware groups, which typically sustain a single brand to maximize affiliate recruitment and victim trust. Each rebrand resets payload-based detection and makes attribution harder across incidents. Unusually, Cinnamon Tempest does not use affiliates and operates the entire attack chain independently.

An Uzbek state intelligence operation — attributed to Uzbekistan's State Security Service — notable less for its capabilities than for its catastrophic operational security failures, which led Kaspersky researchers to discover four separate Windows zero-day exploits in under four months simply by monitoring the group. SandCat's developers installed Kaspersky antivirus with telemetry enabled on their own malware development machines, causing new malicious code to be automatically uploaded to Kaspersky for analysis before it was ever deployed. They also embedded a screenshot of a developer's workstation in a test file, exposing their own attack platform in development. The group targets journalists, human rights activists, and dissidents domestically and in neighboring Central Asian states.

The GRU unit behind WhisperGate — the destructive wiper that preceded Russia's full-scale invasion of Ukraine by one month. Cadet Blizzard deployed WhisperGate against Ukrainian government agencies on January 13, 2022, a month before Russian ground forces crossed the border, framing the malware as ransomware while deliberately omitting any recovery mechanism. Microsoft distinguishes Cadet Blizzard from the more sophisticated Seashell Blizzard (Sandworm) and Forest Blizzard (APT28) — the group operates with lower discipline and achieves comparatively modest impact, yet remains dangerous for its willingness to execute destructive attacks with little apparent operational restraint. The unit is linked to GRU Unit 29155, historically associated with assassination and sabotage operations abroad.

One of the most extensively documented nation-state threat actors in existence — GRU Unit 26165, known to the public primarily as APT28 or Fancy Bear. Active since at least 2004, the group has executed some of the most consequential cyber operations in the history of state-sponsored hacking: the 2016 US DNC breach and election interference, WADA athlete medical data theft, interference in French and German elections, and sustained Ukraine-focused espionage and disruption throughout the ongoing conflict. Recent operations demonstrate continued technical evolution — a 2025 car-for-sale diplomatic lure campaign, Operation RoundPress exploiting webmail XSS zero-days, BEARDSHELL/COVENANT cloud-based surveillance implants against Ukrainian military, and credential harvesting targeting Western logistics companies supplying Ukraine.

A Chinese state-aligned APT group with a singular decade-long focus: surveillance of the global Tibetan diaspora. TA413's operations impersonate the Bureau of His Holiness the Dalai Lama and Tibetan civil society organizations to deliver spyware into communities where targets already implicitly trust Dalai Lama office communications. A notable operational characteristic: unlike many APT groups, public disclosure of TA413's campaigns, tools, and infrastructure has not led to significant operational changes — the group continues using the same sender Gmail accounts and social engineering templates for years after exposure. The 2021 FriarFox campaign delivered near-total access to targets' Gmail accounts via a trojanized browser extension disguised as Adobe Flash.

An Iranian-attributed espionage group documented by Symantec in 2018, notable for the extraordinary scale of its targeting ambitions versus its modest technical capabilities. While peer APT groups typically focus on narrow, high-value target sets, Leafminer had an identified list of over 800 organizations across the Middle East spanning government, financial, energy, and petrochemical sectors. The group's poor operational security led to its full exposure — a staging server was left publicly accessible, revealing the group's entire toolkit, a 809-entry Farsi-language target list, and log files from active scans and post-compromise operations. Post-2018 attributed activity is limited in public reporting, suggesting the group may have been absorbed into broader Iranian APT infrastructure or significantly modified its tradecraft.

Notable for a human-in-the-loop reconnaissance model that sets it apart from most financially motivated threat actors: after gaining initial access, the group deploys Screenshotter to take periodic JPG screenshots of the victim's desktop and manually reviews them before deciding whether the target is worth pursuing further. Only after human review does the group proceed to credential theft, Active Directory profiling, or full post-exploitation. This manual triage approach suggests either volume-based targeting where most victims are discarded, or selective high-value targeting where human judgment supplements automated access. The group overlaps significantly with Asylum Ambuscade, a threat actor documented to engage in both cybercrime and state-sponsored espionage operations, blurring motivation classification.

An APT41 subgroup first documented by Trend Micro in November 2022, with operations traceable to 2020. Earth Longzhi is an Asia-Pacific-focused espionage actor targeting sectors with direct relevance to national security and regional economies — defense, aviation, government, healthcare, banking, and urban development. The group is technically distinguished by its custom Cobalt Strike loader ecosystem (CroxLoader, BigpipeLoader, OutLoader) and its evolution of security evasion techniques: from BYOVD attacks (vulnerable driver zamguard.sys) to a novel method called "stack rumbling" — abusing Image File Execution Options to crash security products rather than terminate them, avoiding process-kill detection.

A financially motivated cybercriminal group with an unusually deep specialization in Italian targets — Ursnif (Gozi) banking trojan campaigns targeting Italian organizations have been TA544's dominant activity since at least 2017, with 2021 alone seeing nearly half a million malicious messages targeting Italy. The group developed WikiLoader, a heavily obfuscated downloader first detected December 2022, then rented it to other cybercrime groups — marking a pivot from pure end-user targeting to malware-as-a-service provision. By late 2023, TA544 began expanding beyond Italy toward the US, Canada, and broader Europe, using AI-assisted translation to craft convincing multilingual lures posing as law firms.

A financially motivated initial access broker best known as the primary distributor of Latrodectus — a sophisticated downloader created by the same developers behind IcedID, which TA578 adopted almost exclusively from January 2024. The group's signature delivery tactic is impersonating companies sending legal threats for alleged copyright infringement via website contact forms, creating urgency through legal pressure rather than standard phishing lures. TA578 previously distributed IcedID and Bumblebee before pivoting to Latrodectus, and also delivered the downloader via DanaBot infection in at least one observed campaign.

An early pioneer of VMware ESXi-targeted ransomware — SPRITE SPIDER (CrowdStrike's designation for the operators) began developing Linux variants specifically to encrypt virtualized environments as early as July 2020, years before ESXi targeting became common. The group runs low-volume, highly targeted big game hunting campaigns, building unique ransomware binaries per victim containing victim-specific RSA public keys. RansomEXX and Defray777 represent the same malware family under different naming conventions — Defray777 is the later, more sophisticated Linux/ESXi-capable evolution of the original Defray Windows ransomware.

A mercenary APT group with an unusually narrow commercial focus: law firms, fintech companies, wealth consultancy firms, and financial advisors — the kinds of organizations that hold sensitive business intelligence, merger and acquisition details, and client financial data with high value to commercial competitors or litigants. DeathStalker does not deploy ransomware or steal payment data for resale. Kaspersky assesses the group acts as an information broker or hacker-for-hire in financial circles, selecting targets based on perceived value or client requests. Active since at least 2012, the group has operated entirely below the threshold of state-sponsored threat actors while demonstrating consistent tooling evolution across Powersing, Evilnum, and Janicab malware families.

One of the most patient social engineers in the Iranian threat ecosystem — documented spending multiple years cultivating a single fake persona ("Marcella Flores," an aerobics instructor from Liverpool) across Facebook, Instagram, and email chains before deploying the LEMPO malware against a specific US aerospace defense contractor employee. Proofpoint assesses TA456 as among the most determined Iranian-aligned threat actors specifically because of this operational investment in long-term human engagement. The group's targeting aligns with IRGC strategic intelligence requirements — aerospace, defense contractors, and military supply chains, especially those with Middle East operational footprints.

One of China's most prolific and long-running espionage groups — active since at least 2010 and still conducting operations through 2025. APT27 is characterized by sustained, long-term intelligence collection rather than disruption or financial gain, though unusual ransomware incidents using BitLocker have been attributed to the group, possibly opportunistic monetization. In March 2025, the US Department of Justice unsealed indictments against two APT27 operators — Yin Kecheng and Zhou Shuai — for campaigns spanning August 2013 through December 2024, including an intrusion into the US Department of the Treasury. A $2 million reward has been offered for information leading to their arrest; both remain at large in China.

A China-attributed espionage group with an unusually narrow geographic and sectoral focus — targeting exclusively Japanese and Taiwanese organizations in media, government, high-tech, and financial services since at least 2012. APT16 is notable for the precision of its social engineering: lure documents reference real events, real organizations, and real conferences relevant to the target's professional context — a 2015 campaign used the subject "2015 Taiwan Security and Cultural Forum Invitation Form" in authentic Chinese, designed to pass scrutiny from the recipients it was targeting. The group uses compromised legitimate websites as staging servers for second-stage payloads, keeping its own infrastructure harder to attribute.

A UAE-registered software operation whose signed adware silently disabled antivirus protection on more than 25,000 endpoints across 124 countries — a global sinkhole observation independently reported by Huntress, BleepingComputer, Dark Reading, Infosecurity Magazine, and Arabian Post. Dragon Boss's browser family (Chromnius, Chromstera, Web Genius, Artificius) was flagged as adware/PUP by PCRisk, Gridinsoft, and community forums as early as 2023 before its signed update channel began delivering a PowerShell AV killer (ClockRemoval.ps1) as a silent MSI in late March 2025. Victim networks spanned universities, operational technology in energy and transport, municipal governments and public utilities, K-12 schools, healthcare providers, and multiple Fortune 500 companies. The primary update domain was left unregistered — a domain registration (reported across coverage as roughly $10) would have given any party arbitrary remote code execution across every infected host with no AV present.