Andariel is a North Korean state-sponsored threat group that has been active since at least 2009.

APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012.

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry. 

G0009

DragonOK is a threat group that has targeted Japanese organizations with phishing emails.

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora.

Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021.

Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013.

IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014. 

Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware.

Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012.

Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.

LazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.

MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK,

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.

APT-C-43, El Machete

Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010.

Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps.

Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH

menuPass is a threat group that has been active since at least 2006.

Moafee is a threat group that appears to operate from the Guandong Province of China.

Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure.

Operation Molerats, Gaza Cybergang

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.

Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).

TA416, RedDelta, BRONZE PRESIDENT

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014.

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).

NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims.

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014.

COBALT GYPSY, IRN2, APT34, Helix Kitten

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014.

Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.

Hangover Group, Dropping Elephant, Chinastrats, MONSOON,

Patchwork is a cyber espionage group that was first observed in December 2015.

PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.

POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022.

Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.

PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets.

APT2, MSUpdater

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. 

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency.

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).

ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh,

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government.

SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019.

T-APT-04, Rattlesnake

Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.

Whisper Spider

Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016

TA407, COBALT DICKENS

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013.

SilverTerrier

SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing. 

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015.

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012.

Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.

Suckfly

Suckfly is a China-based threat group that has been active since at least 2014.

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.

GOLD CABIN, Shathak

TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.

TeamTNT is a threat group that has primarily targeted cloud and containerized environments.

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

The White Company is a likely state-sponsored threat actor with advanced capabilities.

TG-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.

Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27,

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques.

Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009;

COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM

Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.

Pirate Panda, KeyBoy

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong.

IRON HUNTER, Group 88, Belugasturgeon, Waterbug, WhiteBear,

Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004.

Lebanese Cedar

Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.

Whitefly is a cyber espionage group that has been operating since at least 2017.

The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet.

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.

Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.

WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe

UNC1878, TEMP.MixMaster, Grim Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016.

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.