[{"name":"Void Blizzard","aliases":["LAUNDRY BEAR","UAC-0190","Void Blizzard","Laundry Bear"],"description":"Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The threat actor uses stolen credentials—which are likely procured from commodity infostealer ecosystems—and collects a high volume of email and files from compromised organizations.","url":"/void-blizzard","permalink":"/void-blizzard/","country":"Russia","sector_focus":[],"risk_level":null,"last_updated":"2026-04-28","last_activity":null,"ioc_count":0},{"name":"Vanilla Tempest","aliases":["DEV-0832","Vice Society","Vanilla Tempest","VICE SPIDER","Vicesociety"],"description":"Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.","url":"/vanilla-tempest","permalink":"/vanilla-tempest/","country":"Russia","sector_focus":[],"risk_level":null,"last_updated":"2026-04-28","last_activity":null,"ioc_count":0},{"name":"UTA0355","aliases":["UTA0355"],"description":"UTA0355 is a Russian threat actor that conducts phishing campaigns targeting individuals and organizations associated with Ukraine. The actor initiates contact via email, inviting targets to a video conference, and follows up through Signal or WhatsApp to enhance legitimacy. After establishing communication, UTA0355 prompts victims to log in via a malicious M365 URL, then asks the victim to approve a 2FA prompt that lets the actor register a device and access the account’s email data. Volexity assesses with high confidence that UTA0355 successfully registered devices and downloaded email data from compromised accounts.","url":"/uta0355","permalink":"/uta0355/","country":"Russia","sector_focus":[],"risk_level":null,"last_updated":"2026-04-28","last_activity":null,"ioc_count":0},{"name":"UTA0352","aliases":["UTA0352"],"description":"UTA0352 is a Russian threat actor attributed to phishing campaigns that abuse legitimate Microsoft OAuth 2.0 authentication workflows, often impersonating government officials to lure targets into providing sensitive information. The actor has been observed using malicious URLs disguised as legitimate services, such as a Romanian government authentication system. UTA0352 has also targeted Microsoft Teams and employed social engineering tactics via messaging platforms like Signal and WhatsApp. Volexity assesses with medium confidence that UTA0352 is involved in operations themed around Ukraine, targeting individuals and organizations that have historically been of interest to Russian threat actors.","url":"/uta0352","permalink":"/uta0352/","country":"Russia","sector_focus":[],"risk_level":null,"last_updated":"2026-04-28","last_activity":null,"ioc_count":0},{"name":"Storm-2603","aliases":["Storm-2603"],"description":"The group Microsoft tracks as Storm-2603 is assessed with medium confidence to be a China-based threat actor. Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys via on-premises SharePoint Server vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and LockBit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives. Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately; because stolen MachineKeys remain usable after patching, rotating them is part of remediation.","url":"/storm-2603","permalink":"/storm-2603/","country":"China","sector_focus":[],"risk_level":null,"last_updated":"2026-04-28","last_activity":null,"ioc_count":0},{"name":"Sandworm","aliases":["Quedagh","VOODOO BEAR","TEMP.Noble","IRON VIKING","G0034","ELECTRUM","TeleBots","IRIDIUM","Blue Echidna","FROZENBARENTS","UAC-0113","Seashell Blizzard","UAC-0082","APT44","Sandworm","SandWorm","沙虫 - APT-C-13"],"description":"This threat actor targets industrial control systems associated with electricity and power generation, using a tool called BlackEnergy, for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. It is also believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage.","url":"/sandworm","permalink":"/sandworm/","country":"Russia","sector_focus":["Electric","Energy","Industrial","Private sector","Government"],"risk_level":"High","last_updated":"2026-04-28","last_activity":null,"ioc_count":0},{"name":"SafePay","aliases":["SafePay Ransomware","safepay"],"description":"SafePay is a ransomware group particularly active in Germany, responsible for 24% of the 74 ransomware victims reported in the country during Q1 2025.","url":"/safepay","permalink":"/safepay/","country":"Unknown","sector_focus":["Healthcare","Logistics","Manufacturing","Government"],"risk_level":"High","last_updated":"2026-04-28","last_activity":"2025","ioc_count":0},{"name":"Ryuk","aliases":["Wizard Spider"],"description":"Ryuk is a ransomware operation known for targeting large organizations and demanding high ransom payments.","url":"/ryuk","permalink":"/ryuk/","country":"Russia","sector_focus":["Healthcare","Government","Education"],"risk_level":"Critical","last_updated":"2026-04-28","last_activity":"2021","ioc_count":0},{"name":"REvil","aliases":["Sodinokibi","Sodin","Water Mare","GrandCrab","Revil","REvil"],"description":"REvil is a Russian ransomware-as-a-service operation that has targeted major corporations worldwide.","url":"/revil","permalink":"/revil/","country":"Russia","sector_focus":["Technology","Healthcare","Legal"],"risk_level":"Critical","last_updated":"2026-04-28","last_activity":"2021","ioc_count":0},{"name":"RansomHub","aliases":["RansomHub RaaS","RansomHub","ransomhub"],"description":"RansomHub is a dominant ransomware-as-a-service operation that emerged in 2024 and quickly became the most prolific group with 736 disclosed victims.","url":"/ransomhub","permalink":"/ransomhub/","country":"Unknown","sector_focus":["Critical Infrastructure","Healthcare","Education","Manufacturing"],"risk_level":"Critical","last_updated":"2026-04-28","last_activity":"2025","ioc_count":0},{"name":"Qilin","aliases":["Qilin Ransomware","Qilin Gang","Qilin Group","Qilin"],"description":"Qilin is a ransomware group that first appeared in 2022 but had a breakout year in 2024, with around 200 victims, 156 of them based in the U.S.","url":"/qilin","permalink":"/qilin/","country":"Unknown","sector_focus":["Critical Infrastructure","Manufacturing","Healthcare","Government"],"risk_level":"High","last_updated":"2026-04-28","last_activity":"2025","ioc_count":0},{"name":"Prophet Spider","aliases":["GOLD MELODY","UNC961","Prophet Spider"],"description":"PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.","url":"/prophet-spider","permalink":"/prophet-spider/","country":null,"sector_focus":[],"risk_level":null,"last_updated":"2026-04-28","last_activity":null,"ioc_count":0}]
