ID | NAME | Associated Groups | Description |
--- | --- | --- | --- |
G0018 | admin@338 | | admin@338 is a China-based cyber threat group. |
G0130 | Ajax Security Team | Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying KitteN | Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. |
G1000 | ALLANITE | Palmetto Fusion | ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. |
G0138 | Andariel | Silent Chollima | Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. |
G1007 | Aoqin Dragon | | Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. |
G0099 | APT-C-36 | Blind Eagle | APT-C-36 is a suspected South American espionage group that has been active since at least 2018. |
G0006 | APT1 | Comment Crew, Comment Group, Comment Panda | APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. |
G0005 | APT12 | IXESHE, DynCalc, Numbered Panda, DNSCALC | APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. |
G0023 | APT16 | | APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. |
G0025 | APT17 | Deputy Dog | APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. |
G0026 | APT18 | TG-0416, Dynamite Panda, Threat Group-0416 | APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. |
G0073 | APT19 | Codoso, C0d0so0, Codoso Team, Sunshop Group | APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. |
G0007 | APT28 | IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, | APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. |
G0016 | APT29 | IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle | APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). |
G0022 | APT3 | Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110 | APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. |
G0013 | APT30 | | APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. |
G0050 | APT32 | SeaLotus, OceanLotus, APT-C-00 | APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. |
G0064 | APT33 | HOLMIUM, Elfin | APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. |
G0067 | APT37 | Ricochet Chollima, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper | APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. |
G0082 | APT38 | NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima | APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. |
G0087 | APT39 | ITG07, Chafer, Remix Kitten | APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. |
G0096 | APT41 | Wicked Panda | APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. |
G0143 | Aquatic Panda | | Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. |
G0001 | Axiom | Group 72 | Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. |
G0135 | BackdoorDiplomacy | | BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. |
G1002 | BITTER | T-APT-17 | BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. |
G0063 | BlackOasis | | BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. |
G0098 | BlackTech | Palmerworm | BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. |
G0108 | Blue Mockingbird | | Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. |
G0097 | Bouncing Golf | | Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries. |
G0060 | BRONZE BUTLER | REDBALDKNIGHT, Tick | BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. |
G0008 | Carbanak | Anunak | Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. |
G0114 | Chimera | | Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry. |
G0003 | Cleaver | Threat Group 2889, TG-2889 | Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). |
G0080 | Cobalt Group | GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider | Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. |
G0142 | Confucius | Confucius APT | Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. |
G0052 | CopyKittens | | CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. |
G1012 | CURIUM | | CURIUM is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. |
G0070 | Dark Caracal | | Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. |
G0012 | Darkhotel | DUBNIUM | Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. |
G0079 | DarkHydrus | | DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. |
G0105 | DarkVishnya | | DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region. |
 | Deep Panda | Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine | Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. |
G0035 | Dragonfly | TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, | Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. |
G0017 | DragonOK | | DragonOK is a threat group that has targeted Japanese organizations with phishing emails. |
G1006 | Earth Lusca | TAG-22 | Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. |
G0066 | Elderwood | Elderwood Gang, Beijing Group, Sneaky Panda | Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. |
G1003 | Ember Bear | Saint Bear, UNC2589, UAC-0056, Lorec53, Lorec Bear, Bleeding Bear | Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. |
G0020 | Equation | | Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. |
G0120 | Evilnum | | Evilnum is a financially motivated threat group that has been active since at least 2018. |
G1011 | EXOTIC LILY | | EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. |
G0137 | Ferocious Kitten | | Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015. |
G0051 | FIN10 | | FIN10 is a financially motivated threat group that targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. |
G1016 | FIN13 | Elephant Beetle | FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. |
G0085 | FIN4 | | FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. |
G0053 | FIN5 | | FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. |
G0037 | FIN6 | Magecart Group 6, ITG08, Skeleton Spider | FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. |
G0046 | FIN7 | GOLD NIAGARA, ITG14, Carbon Spider | FIN7 is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. |
G0061 | FIN8 | | FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. |
G0117 | Fox Kitten | UNC757, Parisite, Pioneer Kitten | Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. |
G0093 | GALLIUM | Operation Soft Cell | GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan |
G0084 | Gallmaker | | Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors. |
G0047 | Gamaredon Group | IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, | Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. |
G0036 | GCMAN | | GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. |
G0115 | GOLD SOUTHFIELD | | GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a-Service (RaaS). |
G0078 | Gorgon Group | | Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. |
G0043 | Group5 | | Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. |
G0125 | HAFNIUM | Operation Exchange Marauder | HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. |
G1001 | HEXANE | Lyceum, Siamesekitten, Spirlin | HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. |
G0126 | Higaisa | | Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; |
G0100 | Inception | Inception Framework, Cloud Atlas | Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, |
G0136 | IndigoZebra | | IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014. |
G0119 | Indrik Spider | Evil Corp | Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. |
G0004 | Ke3chang | APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL | Ke3chang is a threat group attributed to actors operating out of China. |
G0094 | Kimsuky | STOLEN PENCIL, Thallium, Black Banshee, Velvet Chollima | Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. |
G1004 | LAPSUS$ | DEV-0537 | LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. |
G0032 | Lazarus Group | Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, | Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. |
G0140 | LazyScripter | | LazyScripter is a threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets. |
G0077 | Leafminer | Raspite | Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. |
G0065 | Leviathan | MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, | Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. |
G0030 | Lotus Blossom | DRAGONFISH, Spring Dragon | Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. |
G1014 | LuminousMoth | | LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. |
G0095 | Machete | APT-C-43, El Machete | Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. |
G0059 | Magic Hound | TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus | Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. |
G0045 | menuPass | Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH | menuPass is a threat group that has been active since at least 2006. |
G1013 | Metador | | Metador is a suspected cyber espionage group that was first reported in September 2022. |
G0002 | Moafee | | Moafee is a threat group that appears to operate from the Guangdong Province of China. |
G0103 | Mofang | | Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. |
G0021 | Molerats | Operation Molerats, Gaza Cybergang | Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. |
G1009 | Moses Staff | | Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. |
G1019 | MoustachedBouncer | | MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus. |
G0069 | MuddyWater | Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros | MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). |
G0129 | Mustang Panda | TA416, RedDelta, BRONZE PRESIDENT | Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. |
G0019 | Naikon | | Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). |
G0055 | NEODYMIUM | | NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. |
G0133 | Nomadic Octopus | DustSquad | Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. |
G0049 | OilRig | COBALT GYPSY, IRN2, APT34, Helix Kitten | OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. |
G0071 | Orangeworm | | Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. |
G0040 | Patchwork | Hangover Group, Dropping Elephant, Chinastrats, MONSOON, | Patchwork is a cyber espionage group that was first observed in December 2015. |
G0011 | PittyTiger | | PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. |
G0068 | PLATINUM | | PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. |
G1005 | POLONIUM | | POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. |
G0033 | Poseidon Group | | Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. |
G0056 | PROMETHIUM | StrongPity | PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. |
G0024 | Putter Panda | APT2, MSUpdater | Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA General Staff Department’s (GSD) 3rd Department. |
G0075 | Rancor | | Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. |
G0106 | Rocke | | Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. |
G0048 | RTM | | RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). |
G0034 | Sandworm Team | ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, | Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. |
G0029 | Scarlet Mimic | | Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. |
G1015 | Scattered Spider | Roasted 0ktapus | Scattered Spider is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. |
G1008 | SideCopy | | SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. |
G0121 | Sidewinder | T-APT-04, Rattlesnake | Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan. |
G0091 | Silence | Whisper Spider | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. |
G0122 | Silent Librarian | TA407, COBALT DICKENS | Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. |
G0083 | SilverTerrier | | SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing. |
G0054 | Sowbug | | Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. |
G0038 | Stealth Falcon | | Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. |
G0041 | Strider | ProjectSauron | Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. |
G0039 | Suckfly | | Suckfly is a China-based threat group that has been active since at least 2014. |
G1018 | TA2541 | | TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. |
G0062 | TA459 | | TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. |
G0092 | TA505 | Hive0065 | TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop. |
G0127 | TA551 | GOLD CABIN, Shathak | TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. |
G0139 | TeamTNT | | TeamTNT is a threat group that has primarily targeted cloud and containerized environments. |
G0088 | TEMP.Veles | XENOTIME | TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems. |
G0089 | The White Company | | The White Company is a likely state-sponsored threat actor with advanced capabilities. |
G0028 | Threat Group-1314 | TG-1314 | Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. |
G0027 | Threat Group-3390 | Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, | Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. |
G0076 | Thrip | | Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. |
G0131 | Tonto Team | Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda | Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; |
G0134 | Transparent Tribe | COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM | Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan. |
G0081 | Tropic Trooper | Pirate Panda, KeyBoy | Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. |
G0010 | Turla | IRON HUNTER, Group 88, Belugasturgeon, Waterbug, WhiteBear, | Turla is a Russia-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. |
G0123 | Volatile Cedar | Lebanese Cedar | Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests. |
G1017 | Volt Typhoon | BRONZE SILHOUETTE | Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. |
G0107 | Whitefly | | Whitefly is a cyber espionage group that has been operating since at least 2017. |
G0124 | Windigo | | The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. |
G0112 | Windshift | Bahamut | Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. |
G0044 | Winnti Group | Blackfly | Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. |
G0090 | WIRTE | | WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe. |
G0102 | Wizard Spider | UNC1878, TEMP.MixMaster, Grim Spider | Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. |
G0128 | ZIRCONIUM | APT31 | ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community. |