ID | Name | Associated Groups | Description
--- | --- | --- | ---
G0018 | admin@338 | | admin@338 is a China-based cyber threat group.
G0130 | Ajax Security Team | Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten | Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran.
G1000 | ALLANITE | Palmetto Fusion | ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom.
G0138 | Andariel | Silent Chollima | Andariel is a North Korean state-sponsored threat group that has been active since at least 2009.
G1007 | Aoqin Dragon | | Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013.
G0099 | APT-C-36 | Blind Eagle | APT-C-36 is a suspected South American espionage group that has been active since at least 2018.
G0006 | APT1 | Comment Crew, Comment Group, Comment Panda | APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
G0005 | APT12 | IXESHE, DynCalc, Numbered Panda, DNSCALC | APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.
G0023 | APT16 | | APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.
G0025 | APT17 | Deputy Dog | APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
G0026 | APT18 | TG-0416, Dynamite Panda, Threat Group-0416 | APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.
G0073 | APT19 | Codoso, C0d0so0, Codoso Team, Sunshop Group | APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.
G0007 | APT28 | IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, | APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.
G0016 | APT29 | IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle | APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).
G0022 | APT3 | Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110 | APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.
G0013 | APT30 | | APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.
G0050 | APT32 | SeaLotus, OceanLotus, APT-C-00 | APT32 is a suspected Vietnam-based threat group that has been active since at least 2014.
G0064 | APT33 | HOLMIUM, Elfin | APT33 is a suspected Iranian threat group that has carried out operations since at least 2013.
G0067 | APT37 | Ricochet Chollima, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper | APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012.
G0082 | APT38 | NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima | APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.
G0087 | APT39 | ITG07, Chafer, Remix Kitten | APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014.
G0096 | APT41 | Wicked Panda | APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations.
G0143 | Aquatic Panda | | Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage.
G0001 | Axiom | Group 72 | Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008.
G0135 | BackdoorDiplomacy | | BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017.
G1002 | BITTER | T-APT-17 | BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013.
G0063 | BlackOasis | | BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group.
G0098 | BlackTech | Palmerworm | BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013.
G0108 | Blue Mockingbird | | Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems.
G0097 | Bouncing Golf | | Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries.
G0060 | BRONZE BUTLER | REDBALDKNIGHT, Tick | BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008.
G0008 | Carbanak | Anunak | Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013.
G0114 | Chimera | | Chimera is a suspected China-based threat group that has been active since at least 2018, targeting the semiconductor industry in Taiwan as well as data from the airline industry.
G0003 | Cleaver | Threat Group 2889, TG-2889 | Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).
G0080 | Cobalt Group | GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider | Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016.
G0142 | Confucius | Confucius APT | Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013.
G0052 | CopyKittens | | CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany.
G0070 | Dark Caracal | | Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.
G0012 | Darkhotel | DUBNIUM | Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004.
G0079 | DarkHydrus | | DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.
G0105 | DarkVishnya | | DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.
G0009 | Deep Panda | Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine | Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.
G0035 | Dragonfly | TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, | Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.
G0017 | DragonOK | | DragonOK is a threat group that has targeted Japanese organizations with phishing emails.
G1006 | Earth Lusca | TAG-22 | Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019.
G0066 | Elderwood | Elderwood Gang, Beijing Group, Sneaky Panda | Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora.
G1003 | Ember Bear | Saint Bear, UNC2589, UAC-0056, Lorec53, Lorec Bear, Bleeding Bear | Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021.
G0020 | Equation | | Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.
G0120 | Evilnum | | Evilnum is a financially motivated threat group that has been active since at least 2018.
G1011 | EXOTIC LILY | | EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol.
G0137 | Ferocious Kitten | | Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.
G0051 | FIN10 | | FIN10 is a financially motivated threat group that targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations.
G0085 | FIN4 | | FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.
G0053 | FIN5 | | FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information.
G0037 | FIN6 | Magecart Group 6, ITG08, Skeleton Spider | FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces.
G0046 | FIN7 | GOLD NIAGARA, ITG14, Carbon Spider | FIN7 is a financially-motivated threat group that has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware.
G0061 | FIN8 | | FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries.
G0117 | Fox Kitten | UNC757, Parisite, Pioneer Kitten | Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America.
G0093 | GALLIUM | Operation Soft Cell | GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan
G0084 | Gallmaker | | Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.
G0047 | Gamaredon Group | IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, | Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013.
G0036 | GCMAN | | GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.
G0115 | GOLD SOUTHFIELD | | GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a-Service (RaaS).
G0078 | Gorgon Group | | Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan.
G0043 | Group5 | | Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite.
G0125 | HAFNIUM | Operation Exchange Marauder | HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021.
G1001 | HEXANE | Lyceum, Siamesekitten, Spirlin | HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017.
G0126 | Higaisa | | Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea;
G0100 | Inception | Inception Framework, Cloud Atlas | Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia,
G0136 | IndigoZebra | | IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.
G0119 | Indrik Spider | Evil Corp | Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and by 2017 had begun running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware.
G0004 | Ke3chang | APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL | Ke3chang is a threat group attributed to actors operating out of China.
G0094 | Kimsuky | STOLEN PENCIL, Thallium, Black Banshee, Velvet Chollima | Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012.
G1004 | LAPSUS$ | DEV-0537 | LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021.
G0032 | Lazarus Group | Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, | Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.
G0140 | LazyScripter | | LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.
G0077 | Leafminer | Raspite | Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.
G0065 | Leviathan | MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, | Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.
G0030 | Lotus Blossom | DRAGONFISH, Spring Dragon | Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.
G0095 | Machete | APT-C-43, El Machete | Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010.
G0059 | Magic Hound | TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus | Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps.
G0045 | menuPass | Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH | menuPass is a threat group that has been active since at least 2006.
G0002 | Moafee | | Moafee is a threat group that appears to operate from the Guangdong Province of China.
G0103 | Mofang | | Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure.
G0021 | Molerats | Operation Molerats, Gaza Cybergang | Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.
G1009 | Moses Staff | | Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021.
G0069 | MuddyWater | Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros | MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).
G0129 | Mustang Panda | TA416, RedDelta, BRONZE PRESIDENT | Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014.
G0019 | Naikon | | Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People's Liberation Army's (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).
G0055 | NEODYMIUM | | NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims.
G0133 | Nomadic Octopus | DustSquad | Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014.
G0049 | OilRig | COBALT GYPSY, IRN2, APT34, Helix Kitten | OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014.
G0071 | Orangeworm | | Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.
G0040 | Patchwork | Hangover Group, Dropping Elephant, Chinastrats, MONSOON, | Patchwork is a cyber espionage group that was first observed in December 2015.
G0011 | PittyTiger | | PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.
G0068 | PLATINUM | | PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.
G1005 | POLONIUM | | POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022.
G0033 | Poseidon Group | | Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.
G0056 | PROMETHIUM | StrongPity | PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets.
G0024 | Putter Panda | APT2, MSUpdater | Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA's 3rd General Staff Department (GSD).
G0075 | Rancor | | Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents.
G0106 | Rocke | | Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency.
G0048 | RTM | | RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).
G0034 | Sandworm Team | ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, | Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.
G0029 | Scarlet Mimic | | Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government.
G1008 | SideCopy | | SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019.
G0121 | Sidewinder | T-APT-04, Rattlesnake | Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.
G0091 | Silence | Whisper Spider | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016.
G0122 | Silent Librarian | TA407, COBALT DICKENS | Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013.
G0083 | SilverTerrier | | SilverTerrier is a Nigerian threat group that has been active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.
G0054 | Sowbug | | Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015.
G0038 | Stealth Falcon | | Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012.
G0041 | Strider | ProjectSauron | Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.
G0039 | Suckfly | | Suckfly is a China-based threat group that has been active since at least 2014.
G0062 | TA459 | | TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.
G0092 | TA505 | Hive0065 | TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.
G0127 | TA551 | GOLD CABIN, Shathak | TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.
G0139 | TeamTNT | | TeamTNT is a threat group that has primarily targeted cloud and containerized environments.
G0088 | TEMP.Veles | XENOTIME | TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.
G0089 | The White Company | | The White Company is a likely state-sponsored threat actor with advanced capabilities.
G0028 | Threat Group-1314 | TG-1314 | Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.
G0027 | Threat Group-3390 | Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, | Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.
G0076 | Thrip | | Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques.
G0131 | Tonto Team | Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda | Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009;
G0134 | Transparent Tribe | COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM | Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.
G0081 | Tropic Trooper | Pirate Panda, KeyBoy | Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong.
G0010 | Turla | IRON HUNTER, Group 88, Belugasturgeon, Waterbug, WhiteBear, | Turla is a Russia-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research, and pharmaceutical companies since 2004.
G0123 | Volatile Cedar | Lebanese Cedar | Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests.
G0107 | Whitefly | | Whitefly is a cyber espionage group that has been operating since at least 2017.
G0124 | Windigo | | The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet.
G0112 | Windshift | Bahamut | Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.
G0044 | Winnti Group | Blackfly | Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.
G0090 | WIRTE | | WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.
G0102 | Wizard Spider | UNC1878, TEMP.MixMaster, Grim Spider | Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016.
G0128 | ZIRCONIUM | APT31 | ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.