Cyber Intrusion Sets and Attackers
Storm-0530
Storm-0530 is an intrusion set tracked by researchers at Microsoft Threat Intelligence. The group calls itself H0lyGh0st and conducts ransomware ...
Onyx Sleet
Onyx Sleet, formerly known as PLUTONIUM, is a North Korean nation-state threat actor that has been active since at least 2014. Its primary targets ...
H0lyGh0st
H0lyGh0st is a ransomware actor who has been observed deploying ransomware against targets in education, finance, manufacturing, entertainment and ...
APT45
APT45 is a group observed carrying out campaigns as early as 2009 and graduated to APT status by researchers at Google's Mandiant in July 2024. ...
Andariel
Andariel is a state-sponsored cyber organization based in Pyongyang and Sinuiju, North Korea. It operates under the Reconnaissance General ...
Flax Typhoon
Flax Typhoon is a cyber intrusion set tracked by researchers at Microsoft Threat Intelligence who attribute the group as a nation-state adversary ...
Ethereal Panda
ETHEREAL PANDA is a China-based intrusion set tracked by CrowdStrike and with suspected overlap with Flax Typhoon (an intrusion set tracked by ...
Leviathan
Leviathan is a cyber espionage actor originally identified by researchers at Proofpoint who report the actor as being active since at least 2014. ...
APT40
APT40 is a threat actor originally identified by researchers at Mandiant and attributed to the Chinese government. A 2021 US Department of Justice ...
RedFoxtrot
RedFoxtrot is a suspected Chinese state-sponsored intrusion set tracked by Recorded Future's Insikt Group and linked to the People's Liberation ...
Akira Ransomware Group
The Akira Ransomware Group is responsible for the Akira ransomware and associated (1980s themed) leaks site. According to reporting, Akira ...
Muddling Meerkat
Muddling Meerkat is an actor tracked by researchers at Infoblox and assorted partners. Infoblox suggests that the group appears to be a People's ...
UAC-0002
UAC-0002 is a designation given by Ukraine's CERT (CERT-UA) to a Russia-attributed actor known more widely as Sandworm or APT44. CERT-UA identify ...
UAC-0133
UAC-0133 is an intrusion set tracked by Ukraine's CERT (CERT-UA). The group is identified with high confidence as a subcluster of Sandworm/APT44. ...
UAT4356
UAT4356 is an intrusion set tracked by Cisco Talos. According to reporting, UAT4356 has a focus on espionage that demonstrates the advanced ...
STORM-1849
STORM-1849 is an intrusion set designated by Microsoft Threat Intelligence Center. According to reporting, STORM-1849 has a focus on espionage ...
UNC3886
UNC3886 is an intrusion set tracked by researchers at Google's Mandiant. Although the group has not been formally attributed or identified as a ...
INC Ransomware Group
The INC Ransomware Group emerged as a cyber criminal extortion group in July 2023. INC ransomware is a multi-extortion operation, stealing victim ...
GOLD IONIC
GOLD IONIC is the name Secureworks assign to the INC Ransom Group. According to researchers at Secureworks, GOLD IONIC emerged in August 2023, ...
APT44
APT44 is an intrusion set tracked by Google's Mandiant and graduated to 'APT' status in April 2024, having been active since at least 2009. Also ...
FROZENBARENTS
FROZENBARENTS is an intrusion set tracked by Google's Threat Analysis Group that has been active since at least 2009. The group is also known as ...
TA427
TA427 is an intrusion set tracked by researchers at Proofpoint, which they link to North Korea (the Democratic People's Republic of Korea) and ...
Starry Addax
Starry Addax is an intrusion set originally identified by Cisco Talos. According to Talos, the group have been observed predominantly targeting ...
Virtual Invaders
Virtual Invaders is an intrusion set identified by researchers at ESET. The group have been observed targeting victims in South Asia ...
Wicked Spider
WICKED SPIDER is an intrusion set tracked by CrowdStrike. The actor behind WICKED SPIDER operates with two distinct motivations: targeted ...
Wicked Panda
WICKED PANDA is an intrusion set tracked by researchers at CrowdStrike, which they identify as 'one of the most prolific and effective China-based ...
Earth Hundun
Earth Hundun is a cyber espionage intrusion set tracked by researchers at TrendMicro. The group is believed to be based in China and has been ...
Nokoyawa Ransomware Group
This intrusion set is responsible for the development of the Nokoyawa strain of ransomware. The ransomware has been observed in use against ...
Winnti
Over time, Winnti (also known as Winnti Group) has become an umbrella term which likely covers multiple overlapping threat groups linked to the ...
TeleBoyi
TeleBoyi is an intrusion set tracked by TeamT5. According to researchers, TeleBoyi is a China-nexus group which has been active since at least ...
Storm-0558
Storm-0558 is an intrusion set tracked by researchers at Microsoft and attributed as a China-based threat actor. In May 2023, the group was able ...
APT41
APT41 is a Chinese state-sponsored group involved in espionage and cyber crime, targeting sectors aligned with China's economic plans. The group ...
SparklingGoblin
SparklingGoblin is an Advanced Persistent Threat (APT) group tracked by ESET, also known as Earth Baku by Trend Micro. SparklingGoblin shows ...
FamousSparrow
FamousSparrow is a cyberespionage group originally identified by ESET. The group has been observed targeting hotels, governments, and private ...
RedAlpha
The RedAlpha group is an advanced persistent threat (APT) group tracked by analysts at Recorded Future. The group is thought to have been active ...
APT33
APT33 is a cyber espionage group tracked by researchers at Mandiant. The group has been active since at least 2013, and is believed to be working ...
Peach Sandstorm
Peach Sandstorm is an Iranian threat group tracked by Microsoft Threat Intelligence and observed targeting global organizations for intelligence ...
Curious Serpens
Curious Serpens (also known as Peach Sandstorm, APT33, Elfin, HOLMIUM, MAGNALIUM, or REFINED KITTEN) is a suspected Iranian-affiliated espionage ...
Refined Kitten
REFINED KITTEN is a cyber intrusion set tracked by CrowdStrike and linked to Iran's IRGC. The group has been tied to espionage operations since ...
APT31
APT31, attributed to China, is a cyber espionage actor. The group's primary focus is to obtain information that can provide the Chinese government ...
UNC5174
UNC5174 is an uncategorised intrusion set tracked by Mandiant. Although UNC5174 has not been formally designated, Mandiant state with moderate ...
Zirconium
Zirconium is an intrusion set tracked by Microsoft, which shows overlap with APT31. Microsoft subsequently renamed the group as 'Violet Typhoon'. ...
Violet Typhoon
Violet Typhoon is an intrusion set tracked by Microsoft and formerly known as ZIRCONIUM. The group, who Microsoft link to APT31, is attributed to ...
Earth Krahang
Earth Krahang is an intrusion set tracked by researchers at Trend Micro since early 2022. The group has been observed targeting government ...
EKANS Ransomware Operators
The EKANS ransomware, also known as "Snake" (but not to be confused with the Snake malware used by Turla), emerged in 2019. The name EKANS comes ...
LockBit Ransomware Group
The LockBit Ransomware Group operate a 'Ransomware-as-a-Service' offering which first emerged around 2019. According to reports, the first version ...
ITG05
ITG05 is a likely Russian state-sponsored intrusion set tracked by researchers at IBM X-Force. According to X-Force, ITG05 is made up of ...
Forest Blizzard
Forest Blizzard is an intrusion set tracked by researchers at Microsoft and formerly known by them as STRONTIUM. The group reportedly shows ...
STRONTIUM
STRONTIUM, also known as Fancy Bear or APT28, is a cyber espionage group historically tracked by Microsoft. It is believed to be associated with ...
Fancy Bear
Fancy Bear, also known as APT28 or Sofacy, is a cyberespionage group that is linked to the Russian government. The group has been in operation ...
Play Ransomware Group
The Play Ransomware group, also known as PlayCrypt, is a criminal collective responsible for ransomware attacks on companies and governmental ...
CyberAv3ngers
The CyberAv3ngers (Cyber Av3ngers) are an Iranian intrusion set affiliated with the Islamic Revolutionary Guard Corps (IRGC). They are known for ...
BlackTech
BlackTech is a cyber espionage group reported as being active since at least 2010 and linked to the People's Republic of China. The group is known ...
DarkGate Operators (RastaFarEye)
According to public reporting, DarkGate is a Malware-as-a-Service offering by a forum user named RastaFarEye. The DarkGate Loader includes ...
Magnet Goblin
Magnet Goblin is a financially motivated intrusion set that has been observed exploiting '1-day' vulnerabilities in exposed applications and ...
GhostSec
GhostSec is a hacking group that claims to be part of a modern-day collective known as the Five Families. These families include other groups like ...
Muddled Libra
Muddled Libra is an intrusion set tracked by researchers at Palo Alto who describe the group as 'the intersection of devious social engineering ...
Rhysida Ransomware Gang
Rhysida operate a 'ransomware-as-a-service' offering which was reportedly first observed in May 2023. Ransomware attacks using Rhysida typically ...
Red Wolf
Red Wolf is an intrusion set that has been observed conducting corporate espionage across multiple victim countries. According to the BI.ZONE ...
Earth Kapre
Earth Kapre is an intrusion set tracked by Trend Micro researchers and linked to the RedCurl group. According to researchers, Earth Kapre conducts ...
RedCurl
RedCurl is an intrusion set originally identified by Group-IB that has been active since at least 2018. Group-IB researchers have identified the ...
Lazarus Group
The Lazarus Group intrusion set was originally identified by Novetta under Operation Blockbuster which attributed the 2014 cyber attack against ...
Insidious Taurus
Insidious Taurus is an intrusion set identified by researchers from Palo Alto which is also known as Volt Typhoon. The group have been called out by ...
ALPHV Blackcat Ransomware Group
ALPHV represents the operators behind the BlackCat ransomware strain. According to reporting, ALPHV is likely a Russian-speaking cybercrime group ...
UAC-0050
The UAC-0050 cyber threat group was originally identified by the Ukrainian CERT (CERT-UA). They are known for launching targeted phishing ...
Evil Eye
Evil Eye is an intrusion set tracked by Volexity researchers since at least 2019. According to Volexity, Evil Eye has been observed targeting ...
POISON CARP
POISON CARP is a cyber operator tracked by researchers at The Citizen Lab. The group has been observed targeting senior members of Tibetan groups ...
Evasive Panda
Evasive Panda is an intrusion set originally identified by researchers from Malwarebytes. The group has been active since at least 2014 and is ...
EvilBamboo
EvilBamboo is a cyber intrusion set tracked by researchers at Volexity. The group was originally tracked under the name Evil Eye. According to ...
JACKPOT PANDA
JACKPOT PANDA is a cyber intrusion set tracked by CrowdStrike who state that the actor has been active since at least May 2020 and likely operates ...
Phobos Ransomware Group
According to public reporting, Phobos ransomware has been observed since at least 2019, with researchers also linking the group to the Dharma ...
Kimsuky
Kimsuky is a North Korean sponsored APT group that conducts cyber espionage operations against targets related to the Korean peninsula, nuclear ...
APT37
APT37 is an intrusion set originally identified by FireEye iSight Intelligence and linked to North Korean state interests. The group has ...
Lycantrox
Lycantrox is an intrusion set tracked by analysts at Sekoia. Lycantrox is associated with the use of the Predator spyware by customers of ...
Bl00dy Ransomware Gang
The Bl00dy Ransomware Gang emerged around May 2022 and employs double extortion tactics against targeted organizations. Unlike traditional data ...
Black Basta Ransomware Group
Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022. It quickly became one of ...
FIN7
FIN7 is a criminal, financially motivated group which Mandiant has tracked since 2015 and which shows overlaps with the Carbanak Group. The group ...
TAG-22
TAG-22 is an intrusion set tracked by Recorded Future and later designated as Red Hotel. The group shows overlaps with the 'Winnti Group' and is ...
RedHotel
RedHotel is a group tracked by Recorded Future's Insikt Group and formerly referred to as TAG-22. RedHotel is a highly active Chinese state- ...
Earth Lusca
Earth Lusca is an intrusion set which has been observed by Trend Micro since 2021. The group use spear phishing and watering holes to gain initial ...
Anonymous Sudan
The Anonymous Sudan group, active since January 2023, purports to be an authentic hacktivist collective linked to Sudan. However, research by CyberCX ...
KillNet
KillNet is a pro-Russia hacktivist collective which has been observed conducting distributed denial of service (DDoS) and 'hack and leak' attacks ...
BRONZE PRESIDENT
BRONZE PRESIDENT is an intrusion set tracked by Secureworks and linked to the Chinese government. The group has been active since at least 2018, ...
Earth Preta
Earth Preta is an adversary tracked by TrendMicro. Researchers have identified a wide outbreak of attacks targeting the government, academic, ...
Mustang Panda
MUSTANG PANDA is an adversary attributed to China and originally identified by CrowdStrike. The group has been observed using exploits and ...
TA579
TA579 is a financially motivated, cyber criminal group tracked by researchers at Proofpoint. The actor has reportedly been active since at least ...
TEMP.Veles
TEMP.Veles is the name given by Mandiant (formerly FireEye Intelligence) to the intrusion set which deployed the TRITON malware which impacted ...
TAG-70
TAG-70 is a cyber threat group identified by Recorded Future's Insikt Group. They assess the intrusion set as likely acting on behalf of Belarus ...
Winter Vivern
Winter Vivern is a cyber intrusion set named by Domain Tools researchers after a string ('wintervivern') found in the command and control beacon ...
UAC-0114
UAC-0114 is a designation assigned by Ukraine's CERT (CERT-UA) to a group which they assess as being Russian speaking. The group has been observed ...
TA473
TA473 is an intrusion set tracked by cyber threat researchers at Proofpoint, which shows overlap with the Winter Vivern actor. Proofpoint ...
KOSTOVITE
KOSTOVITE is a threat group tracked by Dragos. The group compromised an organisation in the renewable energy sector in 2021. KOSTOVITE have been ...
VOLTZITE
VOLTZITE is an intrusion set tracked by Dragos which has overlap with the group designated as Volt Typhoon by Microsoft. VOLTZITE is reported as ...
UNC2630
UNC2630 is an 'uncategorized' intrusion set tracked by cyber threat researchers at Mandiant. The group is reported as conducting espionage ...
UNC2717
UNC2717 is an 'uncategorized' intrusion set tracked by cyber threat researchers at Mandiant. The group is reported as conducting espionage ...
Turla
Turla is an intrusion set attributed to Russia and specifically FSB Center 16. The group is also known as Venomous Bear and is associated with the ...
Mint Sandstorm
Mint Sandstorm is a cyber intrusion set attributed to Iran and tracked by Microsoft threat researchers. Microsoft previously referred to this ...
PHOSPHORUS
PHOSPHORUS is a cyber intrusion set formerly tracked by Microsoft and attributed to Iran. The group has been observed employing persistent social ...
CharmingCypress
CharmingCypress is an intrusion set tracked by Volexity and attributed to Iran - showing overlaps with Charming Kitten / APT42 / TA453. Volexity ...
Charming Kitten
Charming Kitten is an adversary tracked by CrowdStrike and attributed to the Islamic Revolutionary Guard Corps (IRGC). The actor has reportedly ...
APT35
APT35 is an intrusion set tracked by researchers at Mandiant. The group has been attributed to Iran and has been observed conducting operations ...
APT3
APT3 is an intrusion set which Mandiant attribute to China. Mandiant reports that the group has targeted organisations in aerospace and defense, ...
Naikon
The Naikon intrusion set has reportedly been active since 2010. Threat researchers from Kaspersky, ThreatConnect, Bitdefender and more have ...
Tonto Team
Tonto Team is an intrusion set which has been linked to China and observed targeting military, diplomatic and infrastructure organisations in Asia ...
Silk Typhoon
Silk Typhoon is an intrusion set originally identified by Microsoft researchers. In March 2021, the group was observed targeting Microsoft ...
HAFNIUM
HAFNIUM is an intrusion set originally identified by Microsoft researchers. In March 2021, HAFNIUM were observed targeting Microsoft Exchange ...
APT2
APT2 is an intrusion set tracked by Mandiant. They were first observed in 2010 and have been observed conducting theft of intellectual property.
Putter Panda
Putter Panda is an intrusion set identified by CrowdStrike and attributed to China.
Volt Typhoon
Volt Typhoon is a cyber intrusion set first identified by Microsoft. Threat researchers at Microsoft state that the group has been active since ...
Scattered Spider
Scattered Spider is a group of criminal actors that have been observed targeting large companies using social engineering techniques and extorting ...
Dark Angels Team Ransomware Group
Dark Angels Team reportedly emerged in May 2022 having developed a strain of ransomware based on previously leaked Babuk builders. They ...
Cryakl Ransomware Group
This group represents the actors responsible for the Cryakl ransomware variant.
CryLock Ransomware Group
This group represents the actors responsible for the CryLock ransomware variant. CryLock reportedly shares overlaps with Cryakl ransomware.
Trigona Ransomware Group
The Trigona Ransomware group reportedly began operations in 2022 and target both Windows and Linux systems. Some researchers indicate that there ...
CACTUS Ransomware Group
CACTUS is a ransomware group observed targeting victims since at least March 2023. The name CACTUS has been derived from the ransom note left with ...
APT1
APT1 was one of the first publicly attributed advanced persistent threats following the APT1 report published by Mandiant. Mandiant linked them to ...
Callisto Group
Callisto Group has been reported as active since at least 2015, with a strong history of spear phishing targets.
Midnight Blizzard
Microsoft identified Midnight Blizzard as the attackers behind the 2020 attack against SolarWinds. The group have been linked to the APT29 intrusion ...
The Dukes
F-Secure track the Dukes as a well-resourced, highly dedicated and organized cyberespionage group that they attribute to the Russian Federation. ...
NOBELIUM
Microsoft identified NOBELIUM as the attackers behind the 2020 attack against SolarWinds. The group have subsequently been linked to APT29 and ...
Cozy Bear
COZY BEAR is a Russian adversary tracked by CrowdStrike and linked to the SVR. COZY BEAR is one of the adversaries identified during the intrusion ...
TEMP.Isotope
TEMP.Isotope is a threat actor tracked by Mandiant researchers. It is assessed that the group have a destructive mandate however they have not ...
Crouching Yeti
Crouching Yeti is a Russian-speaking advanced persistent threat (APT) group that Kaspersky Lab has been tracking since 2010. Targeted sectors ...
Energetic Bear
CrowdStrike identified Energetic Bear in 2012 as a Russian cyber actor targeting the energy sector.
Berserk Bear
BERSERK BEAR is reportedly linked to the FSB and has been observed targeting entities in Western Europe and North America including state, local, ...
Dragonfly
Dragonfly is a group reportedly linked to Russia's FSB and responsible for conducting cyber operations against a range of sectors including ...
Sandworm
Sandworm is a cyber threat actor reportedly linked to the Russian government and responsible for conducting numerous cyber attack campaigns. The ...
ELECTRUM
ELECTRUM is a nation state actor, likely related to Sandworm and attributed to the Russian government. Targeting includes critical national ...
APT29
APT29 is a Russian cyber intrusion set. They have been linked to attacks including the SolarWinds compromise and an attack against the US ...
XENOTIME
According to Dragos threat researchers, XENOTIME "is easily the most dangerous threat activity publicly known" due to their targeting of ...
APT28
APT28 is a Russian intrusion set, originally named by FireEye/Mandiant. They allegedly stole information in an attempt to interfere with the 2016 ...