APT Group

Name

Aliases

Description

admin@338

admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy.

APT-C-36

Blind Eagle

APT-C-36 is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.

APT1

APT1, 

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

APT12

APT12, 

APT12 is a threat group that has been attributed to China.

APT16

APT16

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.

APT17

APT17, 

APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.

APT18

APT18, 

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.

APT19

APT19, 

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.

APT28

APT28, 

APT28 is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment.

APT29

APT29, 

APT29 is a threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.

APT3

APT3, 

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.

APT30

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.

APT32

APT32

APT32 is a threat group that has been active since at least 2014.

APT33

APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013.

APT37

APT37,

APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012.

APT38

APT38 is a financially-motivated threat group that is backed by the North Korean regime.

APT39

Chafer

APT39 is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities.

APT41

APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.

Axiom

Group 72

Axiom is a cyber espionage group suspected to be associated with the Chinese government.

BlackOasis

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group.

BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.

Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.

Bouncing Golf

Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.

BRONZE BUTLER

BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008.

Carbanak

Anunak, Carbon Spider

Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak).

Charming Kitten

Charming Kitten

Charming Kitten is an Iranian cyber espionage group that has been active since approximately 2014.

Cleaver

Cleaver, 

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).

Cobalt Group

Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions.

CopyKittens

CopyKittens

CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013.

Dark Caracal

Dark Caracal

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.

Darkhotel

Darkhotel

Darkhotel is a threat group that has been active since at least 2004.

DarkHydrus

DarkHydrus

DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.

DarkVishnya

DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.

Deep Panda

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.

Dragonfly

Dragonfly

Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013.

Dragonfly 2.0

Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016.

DragonOK

DragonOK

DragonOK is a threat group that has targeted Japanese organizations with phishing emails.

Dust Storm

Dust Storm

Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.

Elderwood

Elderwood, 

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora.

Equation

Equation

Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.

FIN10

FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations.

FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.

FIN5

FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information.

FIN6

FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces.

FIN7

FIN7

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware.

FIN8

FIN8

FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries.

Frankenstein

Frankenstein is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.

Gallmaker

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.

Gamaredon Group

Gamaredon Group

Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government.

GCMAN

GCMAN

GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on undergrou

Gorgon Group

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan.

Group5

Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite.

Honeybee

Honeybee

Honeybee is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada.

Inception

Inception Framework, Cloud Atlas

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.

Ke3chang

Ke3chang, 

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted several industries, including oil, government, military, and more.

Kimsuky

Velvet Chollima

Kimsuky is a North Korean-based threat group that has been active since at least September 2013. The group focuses on targeting Korean think tanks as well as DPRK/nuclear-related targets. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.

Lazarus Group

Lazarus Group

Lazarus Group is a threat group that has been attributed to the North Korean government.

Leafminer

Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.

Leviathan

Leviathan, 

Leviathan is a cyber espionage group that has been active since at least 2013.

Lotus Blossom

Lotus Blossom

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.

Machete

El Machete

Machete is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.

Magic Hound

Magic Hound

Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle East that dates back as early as 2014.

menuPass

menuPass

menuPass is a threat group that appears to originate from China and has been active since approximately 2009.

Moafee

Moafee

Moafee is a threat group that appears to operate from the Guangdong Province of China.

Mofang

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.

Molerats

Molerats, 

Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.

MuddyWater

MuddyWater

MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations. Activity from this group was previously linked to FIN7, but is believed to be a distinct group motivated by espionage.

Naikon

Naikon

Naikon is a threat group that has focused on targets around the South China Sea.

NEODYMIUM

NEODYMIUM

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims.

Night Dragon

Night Dragon

Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. The activity from this group is also known as Musical Chairs.

OilRig

OilRig

OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014.

Orangeworm

Orangeworm

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.

Patchwork

Patchwork, 

Patchwork is a cyberespionage group that was first observed in December 2015.

PittyTiger

PittyTiger

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.

PLATINUM

PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.

Poseidon Group

Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005.

PROMETHIUM

PROMETHIUM

PROMETHIUM is an activity group that has been active since at least 2012.

Putter Panda

Putter Panda, 

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).

Rancor

Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents.

Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.

RTM

RTM

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).

Sandworm Team

Sandworm Team

Sandworm Team is a Russian cyber espionage group that has operated since approximately 2009.

Scarlet Mimic

Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists.

Sharpshooter

Operation Sharpshooter is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and Lazarus Group have been noted, definitive links have not been established.

Silence

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.

SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.

Soft Cell

Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.

Sowbug

Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015.

Stealth Falcon

Stealth Falcon

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012.

Stolen Pencil

Stolen Pencil is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.

Strider

Strider

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.

Suckfly

Suckfly

Suckfly is a China-based threat group that has been active since at least 2014.

TA459

TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.

TA505

TA505 is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.

Taidoor

Taidoor

Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government.

TEMP.Veles

XENOTIME

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.

Threat Group-1314

Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.

Threat Group-3390

Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.

Thrip

Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques.

Tropic Trooper

KeyBoy

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong.

Turla

Turla

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies.

UNC2452

Solorigate, StellarParticle, Dark Halo

UNC2452 is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion. Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. The group also compromised at least one think tank by late 2019.

Whitefly

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.

Windshift

Bahamut

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.

Winnti Group

Winnti Group

Winnti Group is a threat group with Chinese origins that has been active since at least 2010.

WIRTE

WIRTE is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.

Wizard Spider

TEMP.MixMaster, Grim Spider

Wizard Spider is a financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations.

Strontium (RUSSIA)
Zirconium (CHINA)
Phosphorus (IRAN)