body-backgroundbody-background

Epiphany Monitored Threat Actors: 283

The Epiphany Intelligence Platorm monitors all major cybercrime groups and their 999 aliases as of March 1st, 2024. The Epiphany Intelligence Platform's threat actor data set is updated daily.

Search for names, descriptions and alias containing:

AdGholas

(No description available for this threat actor)



References:
1 2 3 

Animal Farm (FR)

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Syria, United States, Netherlands, Russia, Spain, Iran, China, Germany, Algeria, Norway, Malaysia, Turkey, United Kingdom, Ivory Coast, Greece

Aliases:
ATK8, Snowglobe

References:
1 2 

Antlion (CN)

Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.



Target Industries:
Financial

Target Countries:
Taiwan

References:
1 

APT-C-36

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.


Goals:
Espionage

Target Industries:
Petroleum, Manufacturing, Financial, Private sector, Government

Target Countries:
Ecuador, Colombia, Spain, Panama, Chile

Aliases:
Blind Eagle

References:
1 

APT-K-47 (IN)

Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.



References:
1 

APT-Q-27

(No description available for this threat actor)



References:
1 

APT.3102 (CN)

(No description available for this threat actor)



References:
1 

APT16 (CN)

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of ...more


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, Taiwan

Aliases:
G0023, SVCMONDR

References:
1 2 3 

APT19 (CN)

Adversary group targeting financial, technology, non-profit organisations.


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States

Aliases:
Black Vine, BRONZE FIRESTONE, C0d0so0, Codoso, Codoso Team, DEEP PANDA, G0009, G0073, Group 13, KungFu Kittens, PinkPanther, Pupa, Shell Crew, Sunshop Group, TEMP.Avengers, WebMasters

References:
1 2 3 4 

APT30 (CN)

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches


Goals:
Espionage

Target Industries:
Government

Target Countries:
United States, South Korea, Saudi Arabia, Thailand, Vietnam, Malaysia, India

Aliases:
G0013, Raspberry Typhoon

APT35 (IR)

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.



Aliases:
Ajax Security Team, Cobalt Gypsy, COBALT MIRAGE, G0059, Magic Hound, Mint Sandstorm, Newscaster, Newscaster Team, Operation Saffron Rose, Operation Woolen-Goldfish, Phosphorus, Rocket Kitten, TunnelVision

References:
1 2 3 4 5 6 7 8 9 10 11 12 

Aquatic Panda (CN)

Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated ...more



Target Industries:
Gambling companies, Government Institutions, Education, Media and Entertainment, Pro-democracy and human rights political organizations, Telecommunications, Religious organization, Cryptocurrency, Medical, Covid-19 research organizations

Target Countries:
Australia, China, France, Germany, Hong Kong, Japan, Mongolia, Nepal, Nigeria, Philippines, Taiwan, Thailand, United Arab Emirates, United States, Vietnam

Aliases:
BRONZE UNIVERSITY, Charcoal Typhoon, CHROMIUM, ControlX, FISHMONGER, Red Dev 10, RedHotel, TAG-22

References:
1 2 3 

Aurora Panda (CN)

FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States, Netherlands, Italy, Japan, United Kingdom, Belgium, Russia, Indonesia, Germany, Switzerland, China

Aliases:
APT17, Axiom, BRONZE KEYSTONE, DeputyDog, Dogfish, G0001, G0025, Group 72, Group 8, HELIUM, Hidden Lynx, Tailgater Team

References:
1 2 3 4 

BackdoorDiplomacy

An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.



Target Industries:
Government, Telecomms

Target Countries:
Libya, Namibia, Sudan, Albania, Croatia, Georgia, Poland, Iran, Qatar, Saudi Arabia, Sri Lanka, Uzbekistan

Aliases:
BackDip, CloudComputating, Quarian

References:
1 2 3 

Bahamut

Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.



Aliases:
Windshift

References:
1 

Berserk Bear (RU)

Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage ...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Hungary, Belarus

Aliases:
Anger Bear, Dragonfly 2.0, DYMALLOY, IRON LIBERTY, IRON LYRIC, Team Bear, TeamSpy

References:
1 2 3 4 5 

Bitter (IN)

The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.



Aliases:
APT-C-08, Orange Yali, T-APT-17

References:
1 2 3 4 5 6 7 8 9 

Black Kingdom

(No description available for this threat actor)



References:
1 

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.



Aliases:
G0063

References:
1 2 

Blue Mockingbird

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 

Blue Termite (CN)

Blue Termite is a group of suspected Chinese origin active in Japan.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Japan

Aliases:
Cloudy Omega, Emdivi

References:
1 

BRONZE STARLIGHT (CN)

BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites. CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on ...more



Aliases:
Cinnamon Tempest, DEV-0401, Emperor Dragonfly, SLIME34

References:
1 2 

BuhTrap (RU)

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been ...more



References:
1 2 3 4 

BunseTech

(No description available for this threat actor)



References:
1 

Cadet Blizzard (RU)

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.


Goals:
Sabotage

Target Countries:
Ukraine

Aliases:
Ruinous Ursa

References:
1 2 

Calypso

For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, ...more



Aliases:
BRONZE MEDLEY

References:
1 2 3 

Candiru

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 

Carbon Spider (RU)

Groups targeting financial organizations or people with significant financial assets.



Aliases:
ATK32, Calcium, Carbanak, Coreid, ELBRUS, FIN7, G0008, G0046, GOLD NIAGARA, Sangria Tempest

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Careto (ES)

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask” special is ...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Morocco, France, Libya, Venezuela, Poland, Brazil, Spain, United States, South Africa, Tunisia, United Kingdom, Switzerland, Iran, Germany

Aliases:
Mask, The Mask, Ugly Face

References:
1 2 

ChamelGang

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.



Target Industries:
Aviation, Energy

Target Countries:
India, Japan, Nepal, Russia, Taiwan, US

References:
1 2 

Charming Kitten

(No description available for this threat actor)



Aliases:
Mint Sandstorm

References:
1 2 3 4 5 

CHERNOVITE (RU)

Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.



Aliases:


References:
1 2 3 4 

China Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 

Circuit Panda (CN)

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, ...more



Aliases:
BlackTech, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, Temp.Overboard

References:
1 2 3 4 5 6 7 8 

Cobalt Spider

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.



Aliases:
Cobalt Gang, Cobalt Group, G0080, GOLD KINGSWOOD, Mule Libra

References:
1 2 3 4 5 6 7 

Comment Panda (CN)

PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Taiwan, Israel, Norway, United Arab Emirates, United Kingdom, Singapore, India, Belgium, South Africa, Switzerland, Canada, France, Luxembourg, Japan

Aliases:
APT1, Brown Fox, Byzantine Candor, Comment Crew, Comment Group, G0006, GIF89a, Group 3, PLA Unit 61398, ShadyRAT, TG-8223

References:
1 

Common Raven

Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.



Aliases:
DESKTOP-GROUP, NXSMS, OPERA1ER

References:
1 

CosmicBeetle

(No description available for this threat actor)



References:
1 2 

Cozy Bear (RU)

A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments ...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, China, New Zealand, Ukraine, Romania, Georgia, Japan, South Korea, Belgium, Kazakhstan, Brazil, Mexico, Turkey, Portugal, India

Aliases:
APT29, ATK7, Blue Kitsune, BlueBravo, Cloaked Ursa, CozyDuke, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Midnight Blizzard, Minidionis, SeaDuke, TA421, The Dukes, YTTRIUM

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Cyber Av3ngers (IR)

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.



References:
1 

Cytrox

(No description available for this threat actor)



References:
1 

Dagger Panda (CN)

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
South Korea, United States, Japan, Germany, China

Aliases:
IceFog, PLA Unit 69010, Red Wendigo, RedFoxtrot, Trident

References:
1 2 

Dalbit (CN)

The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.



References:
1 2 

Danti

(No description available for this threat actor)



References:
1 2 

Dark Pink

(No description available for this threat actor)



References:
1 2 

Dark River

(No description available for this threat actor)



References:
1 

DarkCasino

DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.



References:
1 2 

DarkHydrus

In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing ...more



Aliases:
G0079, LazyMeerkat, Obscure Serpens

References:
1 

DarkMe

(No description available for this threat actor)



References:
1 

Deadeye Jackal (SY)

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense ...more



Aliases:
SEA, SyrianElectronicArmy

Deep Panda

(No description available for this threat actor)



Aliases:
Black Vine, KungFu Kittens, PinkPanther, Shell Crew, WebMasters

References:
1 2 3 4 5 6 7 

DEV-0193

(No description available for this threat actor)



References:
1 

DEV-0322 (CN)

One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.



Aliases:
Circle Typhoon

References:
1 2 3 4 5 6 

DEV-0365

(No description available for this threat actor)



References:
1 

DEV-0413

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD ...more



Aliases:


References:
1 2 3 4 

DEV-0671

(No description available for this threat actor)



References:
1 2 

DEV-0978 (RU)

ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.



Aliases:
Storm-0978

References:
1 2 3 4 5 6 7 8 

Doppel Spider

In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike ...more



Aliases:
GOLD HERON

References:
1 

DragonOK (CN)

Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States

Aliases:
BRONZE OVERBROOK, G0002, G0017, Moafee, Shallow Taurus

References:
1 2 3 

DriftingCloud (CN)

DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.



References:
1 2 

Ducktail

(No description available for this threat actor)



References:
1 

Duqu (IL)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Military, Government, Private sector

Target Countries:
Iran, Sudan

Aliases:
Duqu Group

References:
1 

Dust Storm

Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.



Aliases:
G0031

References:
1 2 3 

Dynamite Panda (CN)

Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States

Aliases:
APT18, G0026, PLA Navy, SCANDIUM, TG-0416, Threat Group-0416, Wekby

References:
1 2 3 

Earch Yako

(No description available for this threat actor)



References:
1 

Earth Kitsune

Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.



References:
1 

Earth Yako

(No description available for this threat actor)



References:
1 

Ember Bear (RU)

A group targeting UA state organizations using the GraphSteel and GrimPlant malware.



Aliases:
DEV-0587, FROZENVISTA, Nascent Ursa, Nodaria, Saint Bear, Storm-0587, TA471, UAC-0056, UNC2589

References:
1 

Emissary Panda (CN)

A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, United Kingdom, France, Japan, Taiwan, India, Canada, China, Thailand, Israel, Australia, Republic of Korea, Russia, Iran, Turkey

Aliases:
APT27, BRONZE UNION, Budworm, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Iron Tiger, Lucky Mouse, LuckyMouse, Red Phoenix, TEMP.Hippo, TG-3390, Threat Group-3390, ZipToken

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Energetic Bear (RU)

A Russian group that collects intelligence on the energy industry.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Germany, Turkey, China, Spain, France, Ireland, Japan, Italy, Poland

Aliases:
ALLANITE, ATK6, BERSERK BEAR, Blue Kraken, BROMINE, CASTLE, Crouching Yeti, Dragonfly, DYMALLOY, G0035, Ghost Blizzard, Group 24, Havex, IRON LIBERTY, ITG15, Koala Team, TG-4192

References:
1 2 3 4 5 

Equation Group (US)

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Iran, Afghanistan, Syria, Yemen, Kenya, Russia, India, Mali, Algeria, United Kingdom, Pakistan, China, Lebanon, United Arab Emirates, Libya

Aliases:
EQGRP, Equation, G0020, Tilded Team

References:
1 2 3 4 5 6 7 8 

ERYTHRITE

(No description available for this threat actor)



Aliases:

Evilnum

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from ...more



Aliases:
DeathStalker, Jointworm, KNOCKOUT SPIDER, TA4563

References:
1 2 3 

Exodus Intelligence

(No description available for this threat actor)



References:
1 

FamousSparrow

(No description available for this threat actor)



References:
1 

Fancy Bear (RU)

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Georgia, France, Jordan, United States, Hungary, World Anti-Doping Agency, Armenia, Tajikistan, Japan, NATO, Ukraine, Belgium, Pakistan, Asia Pacific Economic Cooperation, International Association of Athletics Federations, Turkey, Mongolia, OSCE, United Kingdom, Germany, Poland, European Commission, Afghanistan, Kazakhstan, China

Aliases:
APT-C-20, APT28, ATK5, Blue Athena, Fighting Ursa, Forest Blizzard, FROZENLAKE, G0007, Grizzly Steppe, Group 74, IRON TWILIGHT, ITG05, Pawn Storm, PETROVITE, Sednit, SIG40, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, T-APT-12, TA422, TG-4127, Threat Group-4127, Tsar Team, UAC-0028

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 

FIN11

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity.(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. ...more



Aliases:
Lace Tempest, TEMP.Warlock, UNC902

References:
1 2 3 4 

FIN13 (RU)

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform ...more



Aliases:
Elephant Beetle, TG2003

References:
1 2 

FIN8

FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.



Aliases:
ATK113, G0061

References:
1 2 

Flax Typhoon (CN)

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally ...more



Aliases:
Ethereal Panda

FruityArmor (AE)

This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United Arab Emirates, United Kingdom

Aliases:
G0038, Stealth Falcon

References:
1 2 3 4 5 

GALLIUM (CN)

GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.



Aliases:
Alloy Taurus, Granite Typhoon, Red Dev 4, Soft Cell

References:
1 

GambleForce

GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.



References:
1 

Gelsemium

The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three ...more



Target Industries:
Government, Electronics Manufacturers, Universities, Religious organization

Target Countries:
North Korea, South Korea, Japan, China, Mongolia, Egypt, Saudi Arabia, Yemen, Oman, Iran, Iraq, Kuwait, Israel, Jordan, Gaza, Syria, Turkey, Lebanon

Aliases:
狼毒草

References:
1 

Ghostwriter (BY)

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.



Target Industries:
Government

Target Countries:
Germany, Latvia, Lithuania, Poland, Ukraine

Aliases:
DEV-0257, PUSHCHA, Storm-0257, TA445, UNC1151

References:
1 2 3 4 

Goblin Panda (CN)

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage


Goals:
Espionage

Target Industries:
Government

Target Countries:
Malaysia, Indonesia, Philippines, United States, India

Aliases:


References:
1 2 3 4 5 6 7 

Gold Southfield

GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and operating the backend infrastructure used by affiliates (also ...more



Aliases:


References:
1 2 3 4 5 

Golden Falcon

As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, ...more



Aliases:


References:
1 

Goldmouse (SY)

A threat actor which is ac tive since at least November 2014. This group launched long-term at tacks against organizations in the Syrian region using Android and Windows malwares. Its objective is the theft of sensitive information.



Aliases:
ATK80, Golden RAT

References:
1 

Gorgon Group

Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they ...more



Aliases:
ATK92, G0078, Pasty Gemini, Subaat

References:
1 2 3 

Gothic Panda (CN)

Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT3, BORON, Boyusec, BRONZE MAYFAIR, Buckeye, Group 6, Pirpi, Red Sylvan, TG-0110, Threat Group-0110, UPS, UPS Team

References:
1 2 3 4 5 

Graceful Spider (RU)

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.



Target Industries:
Education, Finance, Health, Retail, Hospitality

Target Countries:
Australia, Canada, Czech Republic, Germany, Hungary, India, Japan, Romania, Serbia, Singapore, South Korea, Spain, Thailand, Turkey, United Kingdom, United States

Aliases:
ATK103, CHIMBORAZO, Dudear, G0092, GOLD TAHOE, Hive0065, SectorJ04, SectorJ04 Group, Spandex Tempest, TA505

References:
1 2 3 4 5 6 7 8 9 10 11 12 

Grayling (CN)

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.



Target Industries:
Biomedical, Government, Information technology

Target Countries:
Taiwan, United States, Vietnam, Solomon Islands

References:
1 

GreyEnergy

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks



Aliases:
KAMACITE

References:
1 2 3 4 

Group5

A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal. The operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android ...more



Aliases:
G0043

References:
1 

GUI-vil

(No description available for this threat actor)



References:
1 

Hacking Team

The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails ...more



References:
1 2 3 

HAFNIUM (CN)

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by ...more



Aliases:
ATK233, G0125, Operation Exchange Marauder, Red Dev 13, Silk Typhoon

References:
1 2 3 4 5 6 7 8 9 

Helix Kitten (IR)

OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. OilRig is an active and organized threat group, which is evident ...more


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Israel, Kuwait, United States, Turkey, Saudi Arabia, Qatar, Lebanon, Middle East

Aliases:
APT 34, APT34, ATK40, CHRYSENE, Cobalt Gypsy, Crambus, EUROPIUM, Evasive Serpens, G0049, Hazel Sandstorm, IRN2, OilRig, TA452, Twisted Kitten

References:
1 2 3 

HEXANE (IR)

Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.



Aliases:
COBALT LYCEUM, siamesekitten, Spirlin, Storm-0133

Hezb

Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities. The name is after the miner process they deploy.



Aliases:
Mimo

References:
1 

Higaisa (KR)

The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, and important news, overseas personnel contact lists and so on. In addition, the attack organization also has the attack capability of the mobile terminal. The targets of the attack also include diplomatic entities related to North Korea (such as embassy officials in various places), ...more



Target Industries:
Government

Target Countries:
China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland

References:
1 

HomeLand Justice (IR)

HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.



References:
1 

HookAds

HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of decoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.



References:
1 

Hurricane Panda (CN)

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command ...more



Aliases:


References:
1 2 3 

Inception (RU)

This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Afghanistan, Armenia, Azerbaijan, Belarus, Belgium, Czech Republic, Greece, India, Iran, Italy, Kazakhstan, Kenya, Malaysia, Russia, South Africa, Suriname, Turkmenistan, Ukraine, United Kingdom, United States, Vietnam

Aliases:
ATK116, Blue Odin, Clean Ursa, Cloud Atlas, G0100, Inception Framework, OXYGEN

References:
1 2 3 4 5 6 7 8 9 10 

Indrik Spider (RU)

INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware. In August 2017, a new ransomware variant ...more



Aliases:
Manatee Tempest

References:
1 

Intellexa

(No description available for this threat actor)



References:
1 2 3 4 

Invisimole

Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Ukraine

References:
1 2 

Iran Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 

IronHusky (CN)

IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.



References:
1 

ItaDuke

ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.



Aliases:
DarkUniverse, SIG27

References:
1 2 

Judgement Panda (CN)

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.



Aliases:
APT31, BRONZE VINEWOOD, JUDGMENT PANDA, Red keres, TA412, Violet Typhoon, ZIRCONIUM

References:
1 2 3 4 5 

Kabar Cobra

(No description available for this threat actor)



References:
1 

Karma Panda (CN)

Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.



Target Industries:
Military, Government, Private sector

Target Countries:
Eastern Europe, Japan, South Korea, Taiwan, US

Aliases:
BRONZE HUNTLEY, CactusPete, COPPER, Earth Akhlut, G0131, PLA Unit 65017, Red Beifang, TAG-74

References:
1 2 3 4 5 

Kasablanka (MA)

The Kasablanka group is a cyber-criminal organization that has specifically targeted Russia between September and December 2022, using various payloads delivered through phishing emails containing socially engineered lnk files, zip packages, and executables attached to virtual disk image files.



References:
1 

Keyhole Panda

We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has ...more



Aliases:
APT5, BRONZE FLEETWOOD, MANGANESE, Mulberry Typhoon, Poisoned Flight, TEMP.Bottle

References:
1 2 3 4 5 6 

Konni

(No description available for this threat actor)



Aliases:
Opal Sleet

References:
1 2 3 

Kryptonite Panda (CN)

Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, Hong Kong, The Philippines, Asia Pacific Economic Cooperation, Cambodia, Belgium, Germany, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, United Kingdom

Aliases:
APT40, ATK29, BRONZE MOHAWK, G0065, GADOLINIUM, Gingham Typhoon, ISLANDDREAMS, ITG09, Leviathan, MUDCARP, Red Ladon, TA423, TEMP.Jumper, TEMP.Periscope

References:
1 2 3 4 5 6 7 8 9 

LABRAT

(No description available for this threat actor)



References:
1 

Labyrinth Chollima (KP)

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, Bluenoroff, Bureau 121, Citrine Sleet, COPERNICIUM, COVELLITE, Dark Seoul, DEV-0139, DEV-1222, Diamond Sleet, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Lazarus group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Sapphire Sleet, Stardust Chollima, Subgroup: Bluenoroff, TA404, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 

LABYRINTH CHOLLIMA (KP)

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Lazarus Group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Stardust Chollima, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

Longhorn (US)

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at ...more


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Global

Aliases:
APT-C-39, Lamberts, PLATINUM TERMINAL, the Lamberts

References:
1 2 3 

Lotus Blossom (CN)

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.


Goals:
Espionage

Target Industries:
Military, Government

Target Countries:
Japan, Philippines, Hong Kong, Indonesia, Taiwan, Vietnam

Aliases:
ATK1, BRONZE ELGIN, DRAGONFISH, G0030, Red Salamander, Spring Dragon, ST Group

References:
1 2 3 4 

Luckycat

A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an ...more



Aliases:
TA413, White Dev 9

References:
1 2 3 4 

luoxk

Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.



References:
1 

Manic Menagerie

(No description available for this threat actor)



References:
1 2 

ModifiedElephant

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.



Target Industries:
Civil Society

References:
1 

Molerats

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the ...more



Aliases:
ALUMINUM SARATOGA, Extreme Jackal, G0021, Gaza cybergang, Gaza Hackers Team, Moonlight, Operation Molerats

References:
1 

MoustachedBouncer (BY)

MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Europe, Eastern Europe, South Asia, Northeast Africa

References:
1 

Mustang Panda (CN)

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor ...more


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United States

Aliases:
BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Red Lich, Stately Taurus, TA416, TEMP.HEX

References:
1 2 

Mysterious Elephant

(No description available for this threat actor)



References:
1 

MysterySnail

(No description available for this threat actor)



References:
1 

Mythic Leopard (PK)

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.



Target Industries:
Civil society, Military, Government

Aliases:
APT 36, APT36, C-Major, COPPER FIELDSTONE, Earth Karkaddan, Green Havildar, ProjectM, TMP.Lapis, Transparent Tribe

References:
1 2 3 

Naikon (CN)

Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
India, Saudi Arabia, Vietnam, Myanmar, Singapore, Thailand, Malaysia, Cambodia, China, Philippines, South Korea, United States, Indonesia, Laos

Aliases:
BRONZE GENEVA, BRONZE STERLING, Camerashy, G0013, G0019, Override Panda, PLA Unit 78020

References:
1 2 

Narwhal Spider

NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.



Aliases:
GOLD ESSEX, TA544

References:
1 

Nemesis Kitten (IR)

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.



Aliases:
BENTONITE, DEV-0270, Storm-0270

References:
1 2 3 4 5 6 

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.



Aliases:
G0055

References:
1 

NetTraveler (CN)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Mongolia, Kazakhstan, Tajikistan, Germany, United Kingdom, India, Kyrgyzstan, South Korea, United States, Chile, Russia, China, Spain, Canada, Morocco

Aliases:
APT21, HAMMER PANDA, TEMP.Zhenbao

References:
1 

Nexus Zeta

Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.



References:
1 2 

Nomad Panda

In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.



Aliases:


References:
1 2 

North Korea Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 

NOTROBIN

Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.



References:
1 

NSO Group

(No description available for this threat actor)



Aliases:
Night Tsunami

References:
1 2 3 4 5 6 

Numbered Panda (CN)

A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Taiwan, Japan

Aliases:
APT12, BeeBus, BRONZE GLOBE, Calc Team, Crimson Iron, DNSCalc, DynCalc, Group 22, IXESHE, TG-2754

References:
1 2 

Ocean Buffalo (VN)

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
China, Germany, United States, Vietnam, Philippines, Association of Southeast Asian Nations

Aliases:
APT 32, APT-32, APT-C-00, APT32, ATK17, BISMUTH, Canvas Cyclone, Cobalt Kitty, G0050, Ocean Lotus, OceanLotus, OceanLotus Group, POND LOACH, Sea Lotus, SeaLotus, TIN WOODLAWN

References:
1 2 3 4 5 

Operation Shadow Tiger

(No description available for this threat actor)



References:
1 

Pinchy Spider

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing ...more



Aliases:


References:
1 2 3 4 5 6 

Pioneer Kitten (IR)

PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. They are widely known to use open source penetration testing tools for ...more



Aliases:
Lemon Sandstorm, PARISITE, RUBIDIUM, UNC757

References:
1 2 3 4 5 6 7 

Pirate Panda (CN)

TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'



Aliases:
APT23, BRONZE HOBART, Earth Centaur, G0081, KeyBoy, Red Orthrus, Tropic Trooper

References:
1 2 3 4 

Pitty Panda (CN)

The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials



Aliases:
APT24, G0011, PittyTiger, Temp.Pittytiger

References:
1 2 3 4 

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such ...more



Aliases:
ATK33, G0068, TwoForOne

References:
1 2 

POISON CARP

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.



Aliases:
Earth Empusa, Evil Eye, Red Dev 16

References:
1 

Poison Needles

What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art. Since it is the first detection of this APT attack by 360 ...more



References:
1 

Polonium (LB)

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.


Goals:
Espionage

Target Industries:
Critical manufacturing, Defense industrial base, Financial services, Food and agriculture, Government agencies and services, Healthcare and public health, Information technology, Transportation systems

Target Countries:
Israel

Aliases:
Plaid Rain

References:
1 

PowerFall

(No description available for this threat actor)



References:
1 

PowerPool

Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online. A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler. More specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check ...more



Aliases:
IAmTheKing

References:
1 

Primitive Bear

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical ...more



Target Industries:
Government

Target Countries:
Ukraine

Aliases:
ACTINIUM, Aqua Blizzard, Blue Otso, BlueAlpha, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Shuckworm, Trident Ursa, UAC-0010, Winterflounder

References:
1 2 3 4 5 

PROMETHIUM (TR)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the ...more



Aliases:
G0056, StrongPity

References:
1 

Prophet Spider

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.



Aliases:
GOLD MELODY, UNC961

References:
1 2 3 4 5 6 7 8 9 10 11 

Putter Panda (CN)

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
U.S. satellite and aerospace sector

Aliases:
4HCrew, APT2, G0024, MSUpdater, PLA Unit 61486, SearchFire, SULPHUR, TG-6952

References:
1 2 

PuzzleMaker

(No description available for this threat actor)



References:
1 

Quilted Tiger (IN)

Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
Bangladesh, Sri Lanka, Pakistan

Aliases:
APT-C-09, ATK11, Chinastrats, Dropping Elephant, G0040, Hangover Group, Monsoon, Operation Hangover, Orange Athos, Patchwork, Sarit, Thirsty Gemini, ZINC EMERSON

References:
1 2 3 4 5 6 7 8 9 10 

Rancor (CN)

The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.


Goals:
Espionage

Target Industries:
Government, Civil society

Target Countries:
Singapore, Cambodia

Aliases:
G0075, Rancor group, Rancor Taurus

References:
1 2 

RASPITE

Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise ...more



Aliases:
LeafMiner

References:
1 

Razor Tiger

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.



Aliases:
APT-C-17, Rattlesnake, SideWinder, T-APT-04

References:
1 2 3 4 5 6 7 8 

Red Menshen (CN)

Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and ...more



Target Industries:
Government, Education, Logistics

Target Countries:
Middle East, Asia

Aliases:
Red Dev 18

References:
1 

RedAlpha

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.



Aliases:
DeepCliff, Red Dev 3

References:
1 

Refined Kitten (IR)

Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, Saudi Arabia, South Korea

Aliases:
APT 33, APT33, ATK35, COBALT TRINITY, Elfin, G0064, HOLMIUM, MAGNALLIUM, Peach Sandstorm, TA451

References:
1 2 3 

Returned Libra

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.



Aliases:
8220 Mining Group

References:
1 2 3 4 5 6 7 8 

Ricochet Chollima (KP)

APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities



Target Industries:
Government, Private sector

Target Countries:
Republic of Korea, Japan, Vietnam

Aliases:
APT 37, APT37, ATK4, G0067, Group 123, Group123, InkySquid, Moldy Pisces, Operation Daybreak, Operation Erebus, Reaper, Reaper Group, Red Eyes, ScarCruft, TEMP.Reaper, Venus 121

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 

Roaming Tiger

(No description available for this threat actor)



Aliases:
BRONZE WOODLAND, Rotten Tomato

References:
1 2 

Rocke

This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.



Aliases:
Aged Libra

References:
1 2 

Rocket Kitten (IR)

Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Saudi Arabia, Venezuela, Afghanistan, United Arab Emirates, Iran, Israel, Iraq, Kuwait, Turkey, Canada, Yemen, United Kingdom, Egypt, Syria, Jordan

Aliases:
Operation Woolen Goldfish, Operation Woolen-Goldfish, TEMP.Beanie, Thamar Reservoir, Timberworm

References:
1 

Russia Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 11 

Saaiwc Group

(No description available for this threat actor)



References:
1 2 

Samurai Panda (CN)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT4, BRONZE EDISON, MAVERICK PANDA, PLA Navy, Sykipot

References:
1 2 

Sandcat

SandCat, on the other hand, is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier this year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of ...more



References:
1 2 

Scarlet Mimic (CN)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same. The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to ...more



Aliases:
G0029, Golfing Taurus

References:
1 

Scattered Spider

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing,
...more



Aliases:
0ktapus, DEV-0971, Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Scattered Swine, Starfraud, Storm-0971, UNC3944

References:
1 2 3 4 

Sea Turtle (TR)

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that ...more



Aliases:
Cosmic Wolf, Marbled Dust, SILICON, Teal Kurma, UNC1326

References:
1 2 

SectorB01

(No description available for this threat actor)



References:
1 2 

SectorB83

(No description available for this threat actor)



References:
1 

Shadow Crane (KR)

Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit ...more


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, Russia, Taiwan, South Korea, China

Aliases:
APT-C-06, ATK52, Darkhotel, DUBNIUM, Fallout Team, G0012, Karba, Luder, Nemim, Nemin, Pioneer, SIG25, T-APT-02, Tapaoux, TUNGSTEN BRIDGE, Zigzag Hail

References:
1 2 3 4 5 6 7 8 9 

Shadow Network

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian ...more



References:
1 

SideCopy (PK)

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.



References:
1 2 3 4 5 

Silent Chollima (KP)

Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.



Aliases:
Andariel, GOP, Guardian of Peace, Onyx Sleet, OperationTroy, PLUTONIUM, Subgroup: Andariel, WHOis Team

References:
1 2 3 4 5 6 7 8 9 10 

SilverTerrier (NG)

As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available.



Aliases:


References:
1 2 

Skeleton Spider

FIN is a group targeting financial assets including assets able to do financial transaction including PoS.



Aliases:
ATK88, Camouflage Tempest, FIN6, G0037, GOLD FRANKLIN, ITG08, MageCart Group 6, White Giant

References:
1 

Slayer Kitten (IR)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Israel, Jordan, Saudi Arabia, Germany, United States

Aliases:
CopyKittens, G0052

References:
1 

Slingshot

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity. While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the ...more



References:
1 2 

Slippy Spider

An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.



Aliases:
DEV-0537, LAPSUS$, Strawberry Tempest

References:
1 

SnapMC

(No description available for this threat actor)



References:
1 

Sneaky Panda (CN)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Private sector, Civil society

Target Countries:
United States, Canada, United Kingdom, Switzerland, Hong Kong, Australia, India, Taiwan, China, Denmark

Aliases:
Beijing Group, Elderwood, Elderwood Gang, G0066, SIG22

References:
1 

Sourgum

(No description available for this threat actor)



References:
1 

Space Pirates (CN)

Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.



Aliases:


References:
1 

SparklingGoblin

ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.



References:
1 2 3 

Sprite Spider

GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) ...more



Aliases:


References:
1 

Stalker Panda (CN)

Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has ...more


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, China, Korea (Republic of), Russian Federation

Aliases:
BRONZE BUTLER, G0060, Nian, PLA Unit 61419, REDBALDKNIGHT, Stalker Taurus, Tick

References:
1 2 3 4 5 6 7 8 9 

Stardust Chollima (KP)

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Labyrinth Chollima, Lazarus Group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

Static Kitten (IR)

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Saudi Arabia, Georgia, Turkey, Iraq, Israel, India, United Arab Emirates, Pakistan, United States

Aliases:
ATK51, Boggy Serpens, COBALT ULSTER, G0069, Mango Sandstorm, MERCURY, MuddyWater, Seedworm, TA450, TEMP.Zagros

References:
1 2 3 4 5 6 7 8 9 

STIBNITE

(No description available for this threat actor)



Aliases:

Stone Panda (CN)

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Japan, India, South Africa, South Korea, Sweden, United States, Canada, Australia, France, Finland, United Kingdom, Brazil, Thailand, Switzerland, Norway

Aliases:
APT10, ATK41, BRONZE RIVERSIDE, Cloud Hopper, CVNX, G0045, Granite Taurus, happyyongzi, HOGFISH, menuPass, Menupass Team, POTASSIUM, Red Apollo, STONE PANDAD, TA429

References:
1 2 

Storm-0062 (CN)

The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.



Aliases:
DarkShadow, Oro0lxy

References:
1 

Storm-0324

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.



Aliases:
DEV-0324, Sagrid, TA543

References:
1 2 

SturgeonPhisher

(No description available for this threat actor)



References:
1 

Subzero

(No description available for this threat actor)



Aliases:
Denim Tsunami

References:
1 2 3 

Suckfly (CN)

Suckfly is a China-based threat group that has been active since at least 2014



Aliases:
APT22, BRONZE OLIVE, G0039, Group 46

References:
1 2 

Sweed

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these ...more



References:
1 

TA410

Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing ...more



Aliases:
TALONITE

References:
1 2 3 

TA428 (CN)

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic ...more



Aliases:
BRONZE DUDLEY, Colourful Panda

References:
1 2 3 4 5 

TA459 (CN)

(No description available for this threat actor)



Aliases:
G0062

References:
1 

TA558

Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 ...more



References:
1 

TA577 (RU)

TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.



Aliases:
Hive0118

References:
1 

TA578

TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.



References:
1 

TA579

TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.



References:
1 

Taidoor

The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language ...more



Aliases:
Earth Aughisky, G0015

References:
1 2 

TeamTNT

In early Febuary, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. They're linked to the First Crypto-Mining Worm to Steal AWS Credentials and ...more



Aliases:
Adept Libra

References:
1 

temp.hermit (KP)

(No description available for this threat actor)



References:
1 

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.



Aliases:
ATK91, G0088, XENOTIME

References:
1 2 3 4 

Temper Panda (CN)

China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Hong Kong, United States

Aliases:
Admin338, admin@338, G0018, MAGNESIUM, Team338

References:
1 2 

The White Company

(No description available for this threat actor)



Aliases:


References:
1 

ToddyCat

ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. There is still little information about this actor, but its main distinctive signs are two formerly unknown tools that Kaspersky call ‘Samurai backdoor’ and ‘Ninja Trojan’.



Target Industries:
Military, Government

Target Countries:
Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Taiwan, Thailand, United Kingdom, Uzbekistan, Vietnam

Aliases:
Websiic

References:
1 

Tortilla

(No description available for this threat actor)



References:
1 2 

Toxic Panda (CN)

A group targeting dissident groups in China and at the boundaries.



Aliases:


References:
1 

TunnelSnake (CN)

The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in ...more



References:
1 

Turbine Panda (CN)

(No description available for this threat actor)



Aliases:
APT26, BRONZE EXPRESS, Hippo Team, JerseyMikes, TECHNETIUM

References:
1 

Turkey Attribution

(No description available for this threat actor)



References:
1 

UAC-0027

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 

UAC-0097

(No description available for this threat actor)



References:
1 

UAC-0098

(No description available for this threat actor)



References:
1 2 

UAC-0099

UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.



References:
1 

UAC-0144

(No description available for this threat actor)



References:
1 2 3 4 5 6 

Unattributed

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 

UNC215 (CN)

UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, ...more



Aliases:


References:
1 

UNC2198

(No description available for this threat actor)



Aliases:


References:
1 

UNC2596

(No description available for this threat actor)



Aliases:


References:
1 2 3 

UNC2630 (CN)

UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing's strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.



Aliases:
KOSTOVITE

References:
1 2 3 4 

UNC2659

UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.



Aliases:


References:
1 

UNC2682

(No description available for this threat actor)



Aliases:


References:
1 

UNC2717 (CN)

UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual property. They have targeted global government agencies using malware such as HARDPULSE, QUIETPULSE, ...more



Aliases:


References:
1 2 

UNC2970

(No description available for this threat actor)



Aliases:


References:
1 

UNC2975

(No description available for this threat actor)



Aliases:


References:
1 

UNC2980

(No description available for this threat actor)



Aliases:


References:
1 

UNC3347

(No description available for this threat actor)



Aliases:


References:
1 2 3 

UNC3658

(No description available for this threat actor)



Aliases:


References:
1 

UNC3661

(No description available for this threat actor)



Aliases:


References:
1 

UNC3711

(No description available for this threat actor)



Aliases:


References:
1 

UNC3762

(No description available for this threat actor)



Aliases:


References:
1 

UNC3784

(No description available for this threat actor)



Aliases:


References:
1 

UNC3810

(No description available for this threat actor)



Aliases:


References:
1 

UNC3819

(No description available for this threat actor)



Aliases:


References:
1 2 

UNC3886 (CN)

UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating ...more



Aliases:


References:
1 2 3 4 5 6 7 

UNC3905

(No description available for this threat actor)



Aliases:


References:
1 

UNC4841 (CN)

UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.



Aliases:


References:
1 2 3 4 5 6 7 8 

UNC5085

(No description available for this threat actor)



Aliases:


References:
1 

UNC961

(No description available for this threat actor)



References:
1 2 3 

UTA0178 (CN)

While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on ...more



Aliases:
UNC5221

References:
1 2 3 4 5 6 7 8 9 10 11 12 

UTA0188

(No description available for this threat actor)



References:
1 2 

Vanguard Panda (CN)

[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises. [Secureworks] BRONZE SILHOUETTE likely operates on behalf the PRC. The targeting of U.S. government and defense organizations for ...more



Aliases:
BRONZE SILHOUETTE, UNC3236, Volt Typhoon, VOLTZITE

References:
1 2 3 4 5 6 7 8 9 10 

Variston IT

(No description available for this threat actor)



References:
1 2 3 4 

Velvet Chollima (KP)

This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Ministry of Unification, Sejong Institute, Korea Institute for Defense Analyses

Aliases:
APT43, Black Banshee, Emerald Sleet, G0086, Kimsuky, Operation Stolen Pencil, Thallium

References:
1 2 3 4 5 

Venomous Bear (RU)

A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime ...more


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
France, Romania, Kazakhstan, Poland, Tajikistan, Russia, United States, Saudi Arabia, Germany, India, Belarus, Netherlands, Iran, Uzbekistan, Iraq

Aliases:
ATK13, Blue Python, G0010, Group 88, Hippo Team, IRON HUNTER, ITG12, KRYPTON, MAKERSMARK, Pacifier APT, Pfinet, Popeye, Secret Blizzard, SIG23, Snake, SUMMIT, TAG_0530, Turla, UNC4210, Uroburos, Waterbug, WhiteBear, WRAITH

References:
1 2 3 4 5 6 7 

Vice Society

(No description available for this threat actor)



Aliases:
Vanilla Tempest

References:
1 2 

Viceroy Tiger (IN)

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing ...more



Aliases:
APT-C-35, Donot Team, OPERATION HANGOVER, Orange Kala, SectorE02

References:
1 2 3 4 5 

Vicious Panda (CN)

Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.



Target Countries:
Belarus, Russia, Mongolia, Ukraine

Aliases:
SixLittleMonkeys

References:
1 2 

Viking Spider

VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that On Dec. 22, 2020, a new post made to MountLocker ransomware’s Tor-hosted DLS was titled 'Cartel ...more



Aliases:


References:
1 

Violin Panda (CN)

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website ...more



Aliases:
APT20, Crawling Taurus, TH3Bug

References:
1 2 

Vixen Panda (CN)

This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.


Goals:
Espionage

Target Industries:
Government

Target Countries:
European Union, India, United Kingdom

Aliases:
APT15, APT25, BRONZE DAVENPORT, BRONZE IDLEWOOD, BRONZE PALACE, G0004, GREF, Ke3Chang, Lurid, Metushy, Mirage, NICKEL, Nylon Typhoon, Playful Dragon, Red Vulture, Royal APT, RoyalAPT, Social Network Team

References:
1 2 3 4 5 

Volatile Cedar (LB)

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.



Aliases:
DeftTorero, Lebanese Cedar

References:
1 

Volt Typhoon (CN)

[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises. [Secureworks] BRONZE SILHOUETTE likely operates on behalf the PRC. The targeting of U.S. government and defense organizations for ...more



Aliases:
BRONZE SILHOUETTE, Vanguard Panda

References:
1 2 3 4 5 6 

Voodoo Bear (RU)

This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Russia, Lithuania, Kyrgyzstan, Israel, Ukraine, Belarus, Kazakhstan, Georgia, Poland, Azerbaijan, Iran

Aliases:
BlackEnergy (Group), Blue Echidna, ELECTRUM, FROZENBARENTS, G0034, IRIDIUM, IRON VIKING, Quedagh, Sandworm Team, Seashell Blizzard, TeleBots, TEMP.Noble, UAC-0113

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 

WASSONITE

(No description available for this threat actor)



Aliases:

Wazawaka

(No description available for this threat actor)



References:
1 

Whisper Spider

a relatively new threat actor that’s been operating since mid-2016 Group-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former ...more



Aliases:
Silence

References:
1 2 3 4 

Whitefly

In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of ...more



Aliases:


References:
1 

Wicked Panda (CN)

APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.



Target Industries:
Automotive, Business, Services, Cryptocurrency, Education, Energy, Financial, Healthcare, High-Tech, Intergovernmental, Media and Entertainment, Pharmaceuticals, Private sector, Retail, Telecommunications, Travel

Target Countries:
China, France, Hong Kong, India, Italy, Japan, Myanmar, Netherlands, Singapore, South Korea, South Africa, Switzerland, Thailand, Turkey, United Kingdom, United States

Aliases:
Amoeba, APT41, BARIUM, Blackfly, Brass Typhoon, BRONZE ATLAS, BRONZE EXPORT, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, VANADINITE, WICKED SPIDER

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 

Wild Neutron

A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks. ...more



Aliases:
Butterfly, Morpho, Sphinx Moth

References:
1 

Winter Vivern

Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.



Aliases:
TA473, UAC-0114

References:
1 

Wizard Opium

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.



References:
1 2 

Wizard Spider (RU)

Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates ...more



Target Industries:
Defense, Financial, Government, Healthcare, Telecommunications

Target Countries:
Australia, Bahamas, Canada, Costa Rica, France, Germany, India, Ireland, Italy, Japan, Mexico, New Zealand, Spain, Switzerland, Taiwan, United Kingdom, Ukraine, United States

Aliases:
DEV-0193, DEV-0237, FIN12, GOLD BLACKBURN, Grim Spider, Periwinkle Tempest, Pistachio Tempest, Storm-0193, TEMP.MixMaster, Trickbot LLC, UNC1878, UNC2053

References:
1 2 3 4 5 6 7 8 9 10 

XDSpy

Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.



References:
1 

ZuoRAT

(No description available for this threat actor)



References:
1 

AdGholas

(No description available for this threat actor)



References:
1 2 3 

Animal Farm (FR)

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Syria, United States, Netherlands, Russia, Spain, Iran, China, Germany, Algeria, Norway, Malaysia, Turkey, United Kingdom, Ivory Coast, Greece

Aliases:
ATK8, Snowglobe

References:
1 2 

Antlion (CN)

Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.



Target Industries:
Financial

Target Countries:
Taiwan

References:
1 

APT-C-36

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.


Goals:
Espionage

Target Industries:
Petroleum, Manufacturing, Financial, Private sector, Government

Target Countries:
Ecuador, Colombia, Spain, Panama, Chile

Aliases:
Blind Eagle

References:
1 

APT-K-47 (IN)

Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.



References:
1 

APT-Q-27

(No description available for this threat actor)



References:
1 

APT.3102 (CN)

(No description available for this threat actor)



References:
1 

APT16 (CN)

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of ...more


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, Taiwan

Aliases:
G0023, SVCMONDR

References:
1 2 3 

APT19 (CN)

Adversary group targeting financial, technology, non-profit organisations.


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States

Aliases:
Black Vine, BRONZE FIRESTONE, C0d0so0, Codoso, Codoso Team, DEEP PANDA, G0009, G0073, Group 13, KungFu Kittens, PinkPanther, Pupa, Shell Crew, Sunshop Group, TEMP.Avengers, WebMasters

References:
1 2 3 4 

APT30 (CN)

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches


Goals:
Espionage

Target Industries:
Government

Target Countries:
United States, South Korea, Saudi Arabia, Thailand, Vietnam, Malaysia, India

Aliases:
G0013, Raspberry Typhoon

APT35 (IR)

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.



Aliases:
Ajax Security Team, Cobalt Gypsy, COBALT MIRAGE, G0059, Magic Hound, Mint Sandstorm, Newscaster, Newscaster Team, Operation Saffron Rose, Operation Woolen-Goldfish, Phosphorus, Rocket Kitten, TunnelVision

References:
1 2 3 4 5 6 7 8 9 10 11 12 

Aquatic Panda (CN)

Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated ...more



Target Industries:
Gambling companies, Government Institutions, Education, Media and Entertainment, Pro-democracy and human rights political organizations, Telecommunications, Religious organization, Cryptocurrency, Medical, Covid-19 research organizations

Target Countries:
Australia, China, France, Germany, Hong Kong, Japan, Mongolia, Nepal, Nigeria, Philippines, Taiwan, Thailand, United Arab Emirates, United States, Vietnam

Aliases:
BRONZE UNIVERSITY, Charcoal Typhoon, CHROMIUM, ControlX, FISHMONGER, Red Dev 10, RedHotel, TAG-22

References:
1 2 3 

Aurora Panda (CN)

FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States, Netherlands, Italy, Japan, United Kingdom, Belgium, Russia, Indonesia, Germany, Switzerland, China

Aliases:
APT17, Axiom, BRONZE KEYSTONE, DeputyDog, Dogfish, G0001, G0025, Group 72, Group 8, HELIUM, Hidden Lynx, Tailgater Team

References:
1 2 3 4 

BackdoorDiplomacy

An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.



Target Industries:
Government, Telecomms

Target Countries:
Libya, Namibia, Sudan, Albania, Croatia, Georgia, Poland, Iran, Qatar, Saudi Arabia, Sri Lanka, Uzbekistan

Aliases:
BackDip, CloudComputating, Quarian

References:
1 2 3 

Bahamut

Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.



Aliases:
Windshift

References:
1 

Berserk Bear (RU)

Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage ...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Hungary, Belarus

Aliases:
Anger Bear, Dragonfly 2.0, DYMALLOY, IRON LIBERTY, IRON LYRIC, Team Bear, TeamSpy

References:
1 2 3 4 5 

Bitter (IN)

The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.



Aliases:
APT-C-08, Orange Yali, T-APT-17

References:
1 2 3 4 5 6 7 8 9 

Black Kingdom

(No description available for this threat actor)



References:
1 

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.



Aliases:
G0063

References:
1 2 

Blue Mockingbird

(No description available for this threat actor)



Aliases:


References:
1 2 3 4 

Blue Termite (CN)

Blue Termite is a group of suspected Chinese origin active in Japan.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Japan

Aliases:
Cloudy Omega, Emdivi

References:
1 

BRONZE STARLIGHT (CN)

BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites. CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on ...more



Aliases:
Cinnamon Tempest, DEV-0401, Emperor Dragonfly, SLIME34

References:
1 2 

BuhTrap (RU)

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been ...more



References:
1 2 3 4 

BunseTech

(No description available for this threat actor)



References:
1 

Cadet Blizzard (RU)

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.


Goals:
Sabotage

Target Countries:
Ukraine

Aliases:
Ruinous Ursa

References:
1 2 

Calypso

For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, ...more



Aliases:
BRONZE MEDLEY

References:
1 2 3 

Candiru

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 

Carbon Spider (RU)

Groups targeting financial organizations or people with significant financial assets.



Aliases:
ATK32, Calcium, Carbanak, Coreid, ELBRUS, FIN7, G0008, G0046, GOLD NIAGARA, Sangria Tempest

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Careto (ES)

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask” special is ...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Morocco, France, Libya, Venezuela, Poland, Brazil, Spain, United States, South Africa, Tunisia, United Kingdom, Switzerland, Iran, Germany

Aliases:
Mask, The Mask, Ugly Face

References:
1 2 

ChamelGang

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.



Target Industries:
Aviation, Energy

Target Countries:
India, Japan, Nepal, Russia, Taiwan, US

References:
1 2 

Charming Kitten

(No description available for this threat actor)



Aliases:
Mint Sandstorm

References:
1 2 3 4 5 

CHERNOVITE (RU)

Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.



Aliases:


References:
1 2 3 4 

China Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 

Circuit Panda (CN)

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, ...more



Aliases:
BlackTech, G0098, HUAPI, Manga Taurus, Palmerworm, Red Djinn, T-APT-03, Temp.Overboard

References:
1 2 3 4 5 6 7 8 

Cobalt Spider

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.



Aliases:
Cobalt Gang, Cobalt Group, G0080, GOLD KINGSWOOD, Mule Libra

References:
1 2 3 4 5 6 7 

Comment Panda (CN)

PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Taiwan, Israel, Norway, United Arab Emirates, United Kingdom, Singapore, India, Belgium, South Africa, Switzerland, Canada, France, Luxembourg, Japan

Aliases:
APT1, Brown Fox, Byzantine Candor, Comment Crew, Comment Group, G0006, GIF89a, Group 3, PLA Unit 61398, ShadyRAT, TG-8223

References:
1 

Common Raven

Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.



Aliases:
DESKTOP-GROUP, NXSMS, OPERA1ER

References:
1 

CosmicBeetle

(No description available for this threat actor)



References:
1 2 

Cozy Bear (RU)

A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments ...more


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, China, New Zealand, Ukraine, Romania, Georgia, Japan, South Korea, Belgium, Kazakhstan, Brazil, Mexico, Turkey, Portugal, India

Aliases:
APT29, ATK7, Blue Kitsune, BlueBravo, Cloaked Ursa, CozyDuke, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Midnight Blizzard, Minidionis, SeaDuke, TA421, The Dukes, YTTRIUM

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Cyber Av3ngers (IR)

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.



References:
1 

Cytrox

(No description available for this threat actor)



References:
1 

Dagger Panda (CN)

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
South Korea, United States, Japan, Germany, China

Aliases:
IceFog, PLA Unit 69010, Red Wendigo, RedFoxtrot, Trident

References:
1 2 

Dalbit (CN)

The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.



References:
1 2 

Danti

(No description available for this threat actor)



References:
1 2 

Dark Pink

(No description available for this threat actor)



References:
1 2 

Dark River

(No description available for this threat actor)



References:
1 

DarkCasino

DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.



References:
1 2 

DarkHydrus

In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing ...more



Aliases:
G0079, LazyMeerkat, Obscure Serpens

References:
1 

DarkMe

(No description available for this threat actor)



References:
1 

Deadeye Jackal (SY)

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense ...more



Aliases:
SEA, SyrianElectronicArmy

Deep Panda

(No description available for this threat actor)



Aliases:
Black Vine, KungFu Kittens, PinkPanther, Shell Crew, WebMasters

References:
1 2 3 4 5 6 7 

DEV-0193

(No description available for this threat actor)



References:
1 

DEV-0322 (CN)

One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.



Aliases:
Circle Typhoon

References:
1 2 3 4 5 6 

DEV-0365

(No description available for this threat actor)



References:
1 

DEV-0413

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD ...more



Aliases:


References:
1 2 3 4 

DEV-0671

(No description available for this threat actor)



References:
1 2 

DEV-0978 (RU)

ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.



Aliases:
Storm-0978

References:
1 2 3 4 5 6 7 8 

Doppel Spider

In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike ...more



Aliases:
GOLD HERON

References:
1 

DragonOK (CN)

Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States

Aliases:
BRONZE OVERBROOK, G0002, G0017, Moafee, Shallow Taurus

References:
1 2 3 

DriftingCloud (CN)

DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.



References:
1 2 

Ducktail

(No description available for this threat actor)



References:
1 

Duqu (IL)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Military, Government, Private sector

Target Countries:
Iran, Sudan

Aliases:
Duqu Group

References:
1 

Dust Storm

Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.



Aliases:
G0031

References:
1 2 3 

Dynamite Panda (CN)

Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
United States

Aliases:
APT18, G0026, PLA Navy, SCANDIUM, TG-0416, Threat Group-0416, Wekby

References:
1 2 3 

Earch Yako

(No description available for this threat actor)



References:
1 

Earth Kitsune

Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.



References:
1 

Earth Yako

(No description available for this threat actor)



References:
1 

Ember Bear (RU)

A group targeting UA state organizations using the GraphSteel and GrimPlant malware.



Aliases:
DEV-0587, FROZENVISTA, Nascent Ursa, Nodaria, Saint Bear, Storm-0587, TA471, UAC-0056, UNC2589

References:
1 

Emissary Panda (CN)

A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, United Kingdom, France, Japan, Taiwan, India, Canada, China, Thailand, Israel, Australia, Republic of Korea, Russia, Iran, Turkey

Aliases:
APT27, BRONZE UNION, Budworm, Earth Smilodon, G0027, GreedyTaotie, Group 35, Iron Taurus, Iron Tiger, Lucky Mouse, LuckyMouse, Red Phoenix, TEMP.Hippo, TG-3390, Threat Group-3390, ZipToken

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 

Energetic Bear (RU)

A Russian group that collects intelligence on the energy industry.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
United States, Germany, Turkey, China, Spain, France, Ireland, Japan, Italy, Poland

Aliases:
ALLANITE, ATK6, BERSERK BEAR, Blue Kraken, BROMINE, CASTLE, Crouching Yeti, Dragonfly, DYMALLOY, G0035, Ghost Blizzard, Group 24, Havex, IRON LIBERTY, ITG15, Koala Team, TG-4192

References:
1 2 3 4 5 

Equation Group (US)

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Iran, Afghanistan, Syria, Yemen, Kenya, Russia, India, Mali, Algeria, United Kingdom, Pakistan, China, Lebanon, United Arab Emirates, Libya

Aliases:
EQGRP, Equation, G0020, Tilded Team

References:
1 2 3 4 5 6 7 8 

ERYTHRITE

(No description available for this threat actor)



Aliases:

Evilnum

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from ...more



Aliases:
DeathStalker, Jointworm, KNOCKOUT SPIDER, TA4563

References:
1 2 3 

Exodus Intelligence

(No description available for this threat actor)



References:
1 

FamousSparrow

(No description available for this threat actor)



References:
1 

Fancy Bear (RU)

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Georgia, France, Jordan, United States, Hungary, World Anti-Doping Agency, Armenia, Tajikistan, Japan, NATO, Ukraine, Belgium, Pakistan, Asia Pacific Economic Cooperation, International Association of Athletics Federations, Turkey, Mongolia, OSCE, United Kingdom, Germany, Poland, European Commission, Afghanistan, Kazakhstan, China

Aliases:
APT-C-20, APT28, ATK5, Blue Athena, Fighting Ursa, Forest Blizzard, FROZENLAKE, G0007, Grizzly Steppe, Group 74, IRON TWILIGHT, ITG05, Pawn Storm, PETROVITE, Sednit, SIG40, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, T-APT-12, TA422, TG-4127, Threat Group-4127, Tsar Team, UAC-0028

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 

FIN11

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity.(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. ...more



Aliases:
Lace Tempest, TEMP.Warlock, UNC902

References:
1 2 3 4 

FIN13 (RU)

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform ...more



Aliases:
Elephant Beetle, TG2003

References:
1 2 

FIN8

FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.



Aliases:
ATK113, G0061

References:
1 2 

Flax Typhoon (CN)

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally ...more



Aliases:
Ethereal Panda

FruityArmor (AE)

This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United Arab Emirates, United Kingdom

Aliases:
G0038, Stealth Falcon

References:
1 2 3 4 5 

GALLIUM (CN)

GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.



Aliases:
Alloy Taurus, Granite Typhoon, Red Dev 4, Soft Cell

References:
1 

GambleForce

GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.



References:
1 

Gelsemium

The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three ...more



Target Industries:
Government, Electronics Manufacturers, Universities, Religious organization

Target Countries:
North Korea, South Korea, Japan, China, Mongolia, Egypt, Saudi Arabia, Yemen, Oman, Iran, Iraq, Kuwait, Israel, Jordan, Gaza, Syria, Turkey, Lebanon

Aliases:
狼毒草

References:
1 

Ghostwriter (BY)

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.



Target Industries:
Government

Target Countries:
Germany, Latvia, Lithuania, Poland, Ukraine

Aliases:
DEV-0257, PUSHCHA, Storm-0257, TA445, UNC1151

References:
1 2 3 4 

Goblin Panda (CN)

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage


Goals:
Espionage

Target Industries:
Government

Target Countries:
Malaysia, Indonesia, Philippines, United States, India

Aliases:


References:
1 2 3 4 5 6 7 

Gold Southfield

GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and operating the backend infrastructure used by affiliates (also ...more



Aliases:


References:
1 2 3 4 5 

Golden Falcon

As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, ...more



Aliases:


References:
1 

Goldmouse (SY)

A threat actor which is ac tive since at least November 2014. This group launched long-term at tacks against organizations in the Syrian region using Android and Windows malwares. Its objective is the theft of sensitive information.



Aliases:
ATK80, Golden RAT

References:
1 

Gorgon Group

Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they ...more



Aliases:
ATK92, G0078, Pasty Gemini, Subaat

References:
1 2 3 

Gothic Panda (CN)

Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT3, BORON, Boyusec, BRONZE MAYFAIR, Buckeye, Group 6, Pirpi, Red Sylvan, TG-0110, Threat Group-0110, UPS, UPS Team

References:
1 2 3 4 5 

Graceful Spider (RU)

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.



Target Industries:
Education, Finance, Health, Retail, Hospitality

Target Countries:
Australia, Canada, Czech Republic, Germany, Hungary, India, Japan, Romania, Serbia, Singapore, South Korea, Spain, Thailand, Turkey, United Kingdom, United States

Aliases:
ATK103, CHIMBORAZO, Dudear, G0092, GOLD TAHOE, Hive0065, SectorJ04, SectorJ04 Group, Spandex Tempest, TA505

References:
1 2 3 4 5 6 7 8 9 10 11 12 

Grayling (CN)

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.



Target Industries:
Biomedical, Government, Information technology

Target Countries:
Taiwan, United States, Vietnam, Solomon Islands

References:
1 

GreyEnergy

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks



Aliases:
KAMACITE

References:
1 2 3 4 

Group5

A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal. The operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android ...more



Aliases:
G0043

References:
1 

GUI-vil

(No description available for this threat actor)



References:
1 

Hacking Team

The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails ...more



References:
1 2 3 

HAFNIUM (CN)

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by ...more



Aliases:
ATK233, G0125, Operation Exchange Marauder, Red Dev 13, Silk Typhoon

References:
1 2 3 4 5 6 7 8 9 

Helix Kitten (IR)

OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. OilRig is an active and organized threat group, which is evident ...more


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Israel, Kuwait, United States, Turkey, Saudi Arabia, Qatar, Lebanon, Middle East

Aliases:
APT 34, APT34, ATK40, CHRYSENE, Cobalt Gypsy, Crambus, EUROPIUM, Evasive Serpens, G0049, Hazel Sandstorm, IRN2, OilRig, TA452, Twisted Kitten

References:
1 2 3 

HEXANE (IR)

Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.



Aliases:
COBALT LYCEUM, siamesekitten, Spirlin, Storm-0133

Hezb

Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities. The name is after the miner process they deploy.



Aliases:
Mimo

References:
1 

Higaisa (KR)

The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, and important news, overseas personnel contact lists and so on. In addition, the attack organization also has the attack capability of the mobile terminal. The targets of the attack also include diplomatic entities related to North Korea (such as embassy officials in various places), ...more



Target Industries:
Government

Target Countries:
China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland

References:
1 

HomeLand Justice (IR)

HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.



References:
1 

HookAds

HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of decoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.



References:
1 

Hurricane Panda (CN)

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command ...more



Aliases:


References:
1 2 3 

Inception (RU)

This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
Afghanistan, Armenia, Azerbaijan, Belarus, Belgium, Czech Republic, Greece, India, Iran, Italy, Kazakhstan, Kenya, Malaysia, Russia, South Africa, Suriname, Turkmenistan, Ukraine, United Kingdom, United States, Vietnam

Aliases:
ATK116, Blue Odin, Clean Ursa, Cloud Atlas, G0100, Inception Framework, OXYGEN

References:
1 2 3 4 5 6 7 8 9 10 

Indrik Spider (RU)

INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware. In August 2017, a new ransomware variant ...more



Aliases:
Manatee Tempest

References:
1 

Intellexa

(No description available for this threat actor)



References:
1 2 3 4 

Invisimole

Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Ukraine

References:
1 2 

Iran Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 

IronHusky (CN)

IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.



References:
1 

ItaDuke

ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.



Aliases:
DarkUniverse, SIG27

References:
1 2 

Judgement Panda (CN)

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions ...more



Aliases:
APT31, BRONZE VINEWOOD, JUDGMENT PANDA, Red keres, TA412, Violet Typhoon, ZIRCONIUM

References:
1 2 3 4 5 

Kabar Cobra

(No description available for this threat actor)



References:
1 

Karma Panda (CN)

Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.



Target Industries:
Military, Government, Private sector

Target Countries:
Eastern Europe, Japan, South Korea, Taiwan, US

Aliases:
BRONZE HUNTLEY, CactusPete, COPPER, Earth Akhlut, G0131, PLA Unit 65017, Red Beifang, TAG-74

References:
1 2 3 4 5 

Kasablanka (MA)

The Kasablanka group is a cyber-criminal organization that has specifically targeted Russia between September and December 2022, using various payloads delivered through phishing emails containing socially engineered lnk files, zip packages, and executables attached to virtual disk image files.



References:
1 

Keyhole Panda

We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has ...more



Aliases:
APT5, BRONZE FLEETWOOD, MANGANESE, Mulberry Typhoon, Poisoned Flight, TEMP.Bottle

References:
1 2 3 4 5 6 

Konni

(No description available for this threat actor)



Aliases:
Opal Sleet

References:
1 2 3 

Kryptonite Panda (CN)

Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
United States, Hong Kong, The Philippines, Asia Pacific Economic Cooperation, Cambodia, Belgium, Germany, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, United Kingdom

Aliases:
APT40, ATK29, BRONZE MOHAWK, G0065, GADOLINIUM, Gingham Typhoon, ISLANDDREAMS, ITG09, Leviathan, MUDCARP, Red Ladon, TA423, TEMP.Jumper, TEMP.Periscope

References:
1 2 3 4 5 6 7 8 9 

LABRAT

(No description available for this threat actor)



References:
1 

Labyrinth Chollima (KP)

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, Bluenoroff, Bureau 121, Citrine Sleet, COPERNICIUM, COVELLITE, Dark Seoul, DEV-0139, DEV-1222, Diamond Sleet, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Lazarus group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Sapphire Sleet, Stardust Chollima, Subgroup: Bluenoroff, TA404, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 

LABYRINTH CHOLLIMA (KP)

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Lazarus Group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Stardust Chollima, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 

Longhorn (US)

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at ...more


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Global

Aliases:
APT-C-39, Lamberts, PLATINUM TERMINAL, the Lamberts

References:
1 2 3 

Lotus Blossom (CN)

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.


Goals:
Espionage

Target Industries:
Military, Government

Target Countries:
Japan, Philippines, Hong Kong, Indonesia, Taiwan, Vietnam

Aliases:
ATK1, BRONZE ELGIN, DRAGONFISH, G0030, Red Salamander, Spring Dragon, ST Group

References:
1 2 3 4 

Luckycat

A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an ...more



Aliases:
TA413, White Dev 9

References:
1 2 3 4 

luoxk

Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.



References:
1 

Manic Menagerie

(No description available for this threat actor)



References:
1 2 

ModifiedElephant

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.



Target Industries:
Civil Society

References:
1 

Molerats

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the ...more



Aliases:
ALUMINUM SARATOGA, Extreme Jackal, G0021, Gaza cybergang, Gaza Hackers Team, Moonlight, Operation Molerats

References:
1 

MoustachedBouncer (BY)

MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Europe, Eastern Europe, South Asia, Northeast Africa

References:
1 

Mustang Panda (CN)

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor ...more


Goals:
Espionage

Target Industries:
Civil society

Target Countries:
United States

Aliases:
BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Red Lich, Stately Taurus, TA416, TEMP.HEX

References:
1 2 

Mysterious Elephant

(No description available for this threat actor)



References:
1 

MysterySnail

(No description available for this threat actor)



References:
1 

Mythic Leopard (PK)

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.



Target Industries:
Civil society, Military, Government

Aliases:
APT 36, APT36, C-Major, COPPER FIELDSTONE, Earth Karkaddan, Green Havildar, ProjectM, TMP.Lapis, Transparent Tribe

References:
1 2 3 

Naikon (CN)

Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'


Goals:
Espionage

Target Industries:
Government, Private sector

Target Countries:
India, Saudi Arabia, Vietnam, Myanmar, Singapore, Thailand, Malaysia, Cambodia, China, Philippines, South Korea, United States, Indonesia, Laos

Aliases:
BRONZE GENEVA, BRONZE STERLING, Camerashy, G0013, G0019, Override Panda, PLA Unit 78020

References:
1 2 

Narwhal Spider

NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.



Aliases:
GOLD ESSEX, TA544

References:
1 

Nemesis Kitten (IR)

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.



Aliases:
BENTONITE, DEV-0270, Storm-0270

References:
1 2 3 4 5 6 

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.



Aliases:
G0055

References:
1 

NetTraveler (CN)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Mongolia, Kazakhstan, Tajikistan, Germany, United Kingdom, India, Kyrgyzstan, South Korea, United States, Chile, Russia, China, Spain, Canada, Morocco

Aliases:
APT21, HAMMER PANDA, TEMP.Zhenbao

References:
1 

Nexus Zeta

Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.



References:
1 2 

Nomad Panda

In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.



Aliases:


References:
1 2 

North Korea Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 

NOTROBIN

Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.



References:
1 

NSO Group

(No description available for this threat actor)



Aliases:
Night Tsunami

References:
1 2 3 4 5 6 

Numbered Panda (CN)

A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Taiwan, Japan

Aliases:
APT12, BeeBus, BRONZE GLOBE, Calc Team, Crimson Iron, DNSCalc, DynCalc, Group 22, IXESHE, TG-2754

References:
1 2 

Ocean Buffalo (VN)

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
China, Germany, United States, Vietnam, Philippines, Association of Southeast Asian Nations

Aliases:
APT 32, APT-32, APT-C-00, APT32, ATK17, BISMUTH, Canvas Cyclone, Cobalt Kitty, G0050, Ocean Lotus, OceanLotus, OceanLotus Group, POND LOACH, Sea Lotus, SeaLotus, TIN WOODLAWN

References:
1 2 3 4 5 

Operation Shadow Tiger

(No description available for this threat actor)



References:
1 

Pinchy Spider

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing ...more



Aliases:


References:
1 2 3 4 5 6 

Pioneer Kitten (IR)

PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. They are widely known to use open source penetration testing tools for ...more



Aliases:
Lemon Sandstorm, PARISITE, RUBIDIUM, UNC757

References:
1 2 3 4 5 6 7 

Pirate Panda (CN)

TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'



Aliases:
APT23, BRONZE HOBART, Earth Centaur, G0081, KeyBoy, Red Orthrus, Tropic Trooper

References:
1 2 3 4 

Pitty Panda (CN)

The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials



Aliases:
APT24, G0011, PittyTiger, Temp.Pittytiger

References:
1 2 3 4 

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such ...more



Aliases:
ATK33, G0068, TwoForOne

References:
1 2 

POISON CARP

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.



Aliases:
Earth Empusa, Evil Eye, Red Dev 16

References:
1 

Poison Needles

What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art. Since it is the first detection of this APT attack by 360 ...more



References:
1 

Polonium (LB)

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.


Goals:
Espionage

Target Industries:
Critical manufacturing, Defense industrial base, Financial services, Food and agriculture, Government agencies and services, Healthcare and public health, Information technology, Transportation systems

Target Countries:
Israel

Aliases:
Plaid Rain

References:
1 

PowerFall

(No description available for this threat actor)



References:
1 

PowerPool

Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online. A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler. More specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check ...more



Aliases:
IAmTheKing

References:
1 

Primitive Bear

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical ...more



Target Industries:
Government

Target Countries:
Ukraine

Aliases:
ACTINIUM, Aqua Blizzard, Blue Otso, BlueAlpha, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Shuckworm, Trident Ursa, UAC-0010, Winterflounder

References:
1 2 3 4 5 

PROMETHIUM (TR)

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the ...more



Aliases:
G0056, StrongPity

References:
1 

Prophet Spider

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.



Aliases:
GOLD MELODY, UNC961

References:
1 2 3 4 5 6 7 8 9 10 11 

Putter Panda (CN)

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
U.S. satellite and aerospace sector

Aliases:
4HCrew, APT2, G0024, MSUpdater, PLA Unit 61486, SearchFire, SULPHUR, TG-6952

References:
1 2 

PuzzleMaker

(No description available for this threat actor)



References:
1 

Quilted Tiger (IN)

Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
Bangladesh, Sri Lanka, Pakistan

Aliases:
APT-C-09, ATK11, Chinastrats, Dropping Elephant, G0040, Hangover Group, Monsoon, Operation Hangover, Orange Athos, Patchwork, Sarit, Thirsty Gemini, ZINC EMERSON

References:
1 2 3 4 5 6 7 8 9 10 

Rancor (CN)

The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.


Goals:
Espionage

Target Industries:
Government, Civil society

Target Countries:
Singapore, Cambodia

Aliases:
G0075, Rancor group, Rancor Taurus

References:
1 2 

RASPITE

Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise ...more



Aliases:
LeafMiner

References:
1 

Razor Tiger

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.



Aliases:
APT-C-17, Rattlesnake, SideWinder, T-APT-04

References:
1 2 3 4 5 6 7 8 

Red Menshen (CN)

Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and ...more



Target Industries:
Government, Education, Logistics

Target Countries:
Middle East, Asia

Aliases:
Red Dev 18

References:
1 

RedAlpha

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.



Aliases:
DeepCliff, Red Dev 3

References:
1 

Refined Kitten (IR)

Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
United States, Saudi Arabia, South Korea

Aliases:
APT 33, APT33, ATK35, COBALT TRINITY, Elfin, G0064, HOLMIUM, MAGNALLIUM, Peach Sandstorm, TA451

References:
1 2 3 

Returned Libra

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.



Aliases:
8220 Mining Group

References:
1 2 3 4 5 6 7 8 

Ricochet Chollima (KP)

APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities



Target Industries:
Government, Private sector

Target Countries:
Republic of Korea, Japan, Vietnam

Aliases:
APT 37, APT37, ATK4, G0067, Group 123, Group123, InkySquid, Moldy Pisces, Operation Daybreak, Operation Erebus, Reaper, Reaper Group, Red Eyes, ScarCruft, TEMP.Reaper, Venus 121

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 

Roaming Tiger

(No description available for this threat actor)



Aliases:
BRONZE WOODLAND, Rotten Tomato

References:
1 2 

Rocke

This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.



Aliases:
Aged Libra

References:
1 2 

Rocket Kitten (IR)

Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.


Goals:
Espionage

Target Industries:
Government, Military

Target Countries:
Saudi Arabia, Venezuela, Afghanistan, United Arab Emirates, Iran, Israel, Iraq, Kuwait, Turkey, Canada, Yemen, United Kingdom, Egypt, Syria, Jordan

Aliases:
Operation Woolen Goldfish, Operation Woolen-Goldfish, TEMP.Beanie, Thamar Reservoir, Timberworm

References:
1 

Russia Attribution

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 11 

Saaiwc Group

(No description available for this threat actor)



References:
1 2 

Samurai Panda (CN)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Private sector, Military

Target Countries:
United States, United Kingdom, Hong Kong

Aliases:
APT4, BRONZE EDISON, MAVERICK PANDA, PLA Navy, Sykipot

References:
1 2 

Sandcat

SandCat, on the other hand, is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier this year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of ...more



References:
1 2 

Scarlet Mimic (CN)

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same. The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to ...more



Aliases:
G0029, Golfing Taurus

References:
1 

Scattered Spider

Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks. Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs.

Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing,
...more



Aliases:
0ktapus, DEV-0971, Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Scattered Swine, Starfraud, Storm-0971, UNC3944

References:
1 2 3 4 

Sea Turtle (TR)

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that ...more



Aliases:
Cosmic Wolf, Marbled Dust, SILICON, Teal Kurma, UNC1326

References:
1 2 

SectorB01

(No description available for this threat actor)



References:
1 2 

SectorB83

(No description available for this threat actor)



References:
1 

Shadow Crane (KR)

Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit ...more


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, Russia, Taiwan, South Korea, China

Aliases:
APT-C-06, ATK52, Darkhotel, DUBNIUM, Fallout Team, G0012, Karba, Luder, Nemim, Nemin, Pioneer, SIG25, T-APT-02, Tapaoux, TUNGSTEN BRIDGE, Zigzag Hail

References:
1 2 3 4 5 6 7 8 9 

Shadow Network

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian ...more



References:
1 

SideCopy (PK)

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.



References:
1 2 3 4 5 

Silent Chollima (KP)

Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.



Aliases:
Andariel, GOP, Guardian of Peace, Onyx Sleet, OperationTroy, PLUTONIUM, Subgroup: Andariel, WHOis Team

References:
1 2 3 4 5 6 7 8 9 10 

SilverTerrier (NG)

As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available.



Aliases:


References:
1 2 

Skeleton Spider

FIN is a group targeting financial assets including assets able to do financial transaction including PoS.



Aliases:
ATK88, Camouflage Tempest, FIN6, G0037, GOLD FRANKLIN, ITG08, MageCart Group 6, White Giant

References:
1 

Slayer Kitten (IR)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Israel, Jordan, Saudi Arabia, Germany, United States

Aliases:
CopyKittens, G0052

References:
1 

Slingshot

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity. While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the ...more



References:
1 2 

Slippy Spider

An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.



Aliases:
DEV-0537, LAPSUS$, Strawberry Tempest

References:
1 

SnapMC

(No description available for this threat actor)



References:
1 

Sneaky Panda (CN)

(No description available for this threat actor)


Goals:
Espionage

Target Industries:
Private sector, Civil society

Target Countries:
United States, Canada, United Kingdom, Switzerland, Hong Kong, Australia, India, Taiwan, China, Denmark

Aliases:
Beijing Group, Elderwood, Elderwood Gang, G0066, SIG22

References:
1 

Sourgum

(No description available for this threat actor)



References:
1 

Space Pirates (CN)

Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.



Aliases:


References:
1 

SparklingGoblin

ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.



References:
1 2 3 

Sprite Spider

GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) ...more



Aliases:


References:
1 

Stalker Panda (CN)

Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has ...more


Goals:
Espionage

Target Industries:
Private sector

Target Countries:
Japan, China, Korea (Republic of), Russian Federation

Aliases:
BRONZE BUTLER, G0060, Nian, PLA Unit 61419, REDBALDKNIGHT, Stalker Taurus, Tick

References:
1 2 3 4 5 6 7 8 9 

Stardust Chollima (KP)

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors ...more


Goals:
Espionage, Sabotage

Target Industries:
Government, Private sector

Target Countries:
South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala, Canada, Bangladesh, Japan, India, Germany, Brazil, Thailand, Australia, Cryptocurrency exchanges in South Korea

Aliases:
Andariel, Appleworm, APT 38, APT-C-26, APT38, ATK117, ATK3, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, G0032, G0082, Group 77, Guardians of Peace, Hastati Group, Hidden Cobra, Labyrinth Chollima, Lazarus Group, NewRomanic Cyber Army Team, Nickel Academy, NICKEL GLADSTONE, Operation AppleJeus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, Zinc

References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 

Static Kitten (IR)

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.


Goals:
Espionage

Target Industries:
Government

Target Countries:
Saudi Arabia, Georgia, Turkey, Iraq, Israel, India, United Arab Emirates, Pakistan, United States

Aliases:
ATK51, Boggy Serpens, COBALT ULSTER, G0069, Mango Sandstorm, MERCURY, MuddyWater, Seedworm, TA450, TEMP.Zagros

References:
1 2 3 4 5 6 7 8 9 

STIBNITE

(No description available for this threat actor)



Aliases:

Stone Panda (CN)

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.


Goals:
Espionage

Target Industries:
Private sector, Government

Target Countries:
Japan, India, South Africa, South Korea, Sweden, United States, Canada, Australia, France, Finland, United Kingdom, Brazil, Thailand, Switzerland, Norway

Aliases:
APT10, ATK41, BRONZE RIVERSIDE, Cloud Hopper, CVNX, G0045, Granite Taurus, happyyongzi, HOGFISH, menuPass, Menupass Team, POTASSIUM, Red Apollo, STONE PANDAD, TA429

References:
1 2 

Storm-0062 (CN)

The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.



Aliases:
DarkShadow, Oro0lxy

References:
1 

Storm-0324

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.



Aliases:
DEV-0324, Sagrid, TA543

References:
1 2 

SturgeonPhisher

(No description available for this threat actor)



References:
1 

Subzero

(No description available for this threat actor)



Aliases:
Denim Tsunami

References:
1 2 3 

Suckfly (CN)

Suckfly is a China-based threat group that has been active since at least 2014



Aliases:
APT22, BRONZE OLIVE, G0039, Group 46

References:
1 2 

Sweed

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these ...more



References:
1 

TA410

Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing ...more



Aliases:
TALONITE

References:
1 2 3 

TA428 (CN)

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic ...more



Aliases:
BRONZE DUDLEY, Colourful Panda

References:
1 2 3 4 5 

TA459 (CN)

(No description available for this threat actor)



Aliases:
G0062

References:
1 

TA558

Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 ...more



References:
1 

TA577 (RU)

TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.



Aliases:
Hive0118

References:
1 

TA578

TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.



References:
1 

TA579

TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.



References:
1 

Taidoor

The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language ...more



Aliases:
Earth Aughisky, G0015

References:
1 2 

TeamTNT

In early Febuary, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. They're linked to the First Crypto-Mining Worm to Steal AWS Credentials and ...more



Aliases:
Adept Libra

References:
1 

temp.hermit (KP)

(No description available for this threat actor)



References:
1 

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.



Aliases:
ATK91, G0088, XENOTIME

References:
1 2 3 4 

Temper Panda (CN)

China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.


Goals:
Espionage

Target Industries:
Government, Private sector, Civil society

Target Countries:
Hong Kong, United States

Aliases:
Admin338, admin@338, G0018, MAGNESIUM, Team338

References:
1 2 

The White Company

(No description available for this threat actor)



Aliases:


References:
1 

ToddyCat

ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. There is still little information about this actor, but its main distinctive signs are two formerly unknown tools that Kaspersky call ‘Samurai backdoor’ and ‘Ninja Trojan’.



Target Industries:
Military, Government

Target Countries:
Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Taiwan, Thailand, United Kingdom, Uzbekistan, Vietnam

Aliases:
Websiic

References:
1 

Tortilla

(No description available for this threat actor)



References:
1 2 

Toxic Panda (CN)

A group targeting dissident groups in China and at the boundaries.



Aliases:


References:
1 

TunnelSnake (CN)

The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in ...more



References:
1 

Turbine Panda (CN)

(No description available for this threat actor)



Aliases:
APT26, BRONZE EXPRESS, Hippo Team, JerseyMikes, TECHNETIUM

References:
1 

Turkey Attribution

(No description available for this threat actor)



References:
1 

UAC-0027

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 

UAC-0097

(No description available for this threat actor)



References:
1 

UAC-0098

(No description available for this threat actor)



References:
1 2 

UAC-0099

UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.



References:
1 

UAC-0144

(No description available for this threat actor)



References:
1 2 3 4 5 6 

Unattributed

(No description available for this threat actor)



References:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354