| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 6.11.25 | Curly COMrades | Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines | GROUP | GROUP |
| 5.11.25 | UNK_SmudgedSerpent | Crossed wires: a case study of Iranian espionage and attribution | GROUP | GROUP |
| 2.11.25 | CryptoChameleon | CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack | GROUP | GROUP |
| 1.11.25 | Hezi Rash | Hezi Rash: Rising Kurdish Hacktivist Group Targets Global Sites | GROUP | GROUP |
| 1.11.25 | UNC6384 | UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities | GROUP | GROUP |
| 30.10.25 | UTG-Q-010 | Cyber Warfare Amidst Gold's Skyrocketing Price: UTG-Q-010 Group's Supply Chain Attack Strike Directly at the Heart of HongKong's Financial Market | GROUP | GROUP |
| 17.10.25 | Famous Chollima | Famous Chollima deploying Python version of GolangGhost RAT | GROUP | GROUP |
| 17.10.25 | Vanilla Tempest | Vice Society is a ransomware group that has been active since at least June 2021. | GROUP | RANSOMWARE |
| 17.10.25 | DPRK | DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains | GROUP | GROUP |
| 17.10.25 | UNC5142 | New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware | GROUP | GROUP |
| 16.10.25 | TA585 | When the monster bytes: tracking TA585 and its arsenal | GROUP | GROUP |
| 12.10.25 | Warlock | Warlock: Professional Development, China Ties, and the Multiple Variants it Planned from the Start | GROUP | RANSOMWARE |
| 11.10.25 | UNC1151 | UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests | GROUP | GROUP |
| 10.10.25 | UAC-0226 | UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. | GROUP | GROUP |
| 10.10.25 | UAC-0219 | UAC-0219 is a hacking group observed conducting cyber-espionage operations targeting Ukrainian critical sectors, primarily utilising WRECKSTEEL malware for file exfiltration in both VBScript and PowerShell variants. | GROUP | GROUP |
| 10.10.25 | UAC-0218 | UAC-0218 Attack Detection: Adversaries Steal Files Using HOMESTEEL Malware | GROUP | GROUP |
| 8.10.25 | BatShadow | BatShadow: Vietnamese Threat Actor Expands Its Digital Operations | GROUP | GROUP |
| 5.10.25 | UNC5174 | UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. | GROUP | GROUP |
| 4.10.25 | TAG-124 | TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base | GROUP | GROUP |
| 4.10.25 | Hive0145 | Hive0145 back in German inboxes with Strela Stealer and a backdoor | GROUP | GROUP |
| 4.10.25 | Confucius | Confucius threat group evolves from document stealers to Python backdoors, showcasing the growing sophistication of state-aligned cyber campaigns | GROUP | GROUP |
| 4.10.25 | Phantom Taurus | Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. | GROUP | GROUP |
| 4.10.25 | UAT-8099 | UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud | GROUP | GROUP |
| 4.10.25 | Detour Dog | | GROUP | GROUP |
| 26.9.25 | COLDRIVER | COLDRIVER Updates Arsenal with BAITSWITCH and SIMPLEFIX | GROUP | GROUP |
| 26.9.25 | Vane Viper | DNS-Driven Insights into a Malicious Ad Network | GROUP | GROUP |
| 25.9.25 | RedNovember | RedNovember Targets Government, Defense, and Technology Organizations | GROUP | GROUP |
| 13.9.25 | Scattered LAPSUS$ | The Cybercrime Group Redefining Threats | GROUP | GROUP |
| 12.9.25 | Cloud Atlas | Cloud Atlas seen using a new tool in its attacks | GROUP | GROUP |
| 30.8.25 | COOKIE SPIDER | Falcon Platform Prevents COOKIE SPIDER’s SHAMOS Delivery on macOS | GROUP | GROUP |
| 27.8.25 | UNC6395 | Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | GROUP | GROUP |
| 27.8.25 | TAG-144 | TAG-144’s Persistent Grip on South American Organizations | GROUP | GROUP |
| 22.8.25 | MURKY PANDA | MURKY PANDA: A Trusted-Relationship Threat in the Cloud | GROUP | GROUP |
| 17.8.25 | UAT-7237 | UAT-7237 targets Taiwanese web hosting infrastructure | GROUP | GROUP |
| 22.7.25 | PoisonSeed | PoisonSeed downgrading FIDO key authentications to ‘fetch’ user accounts | GROUP | GROUP |
| 19.7.25 | APT PROFILE – FANCY BEAR | Fancy Bear, also known as APT28, is a notorious Russian cyberespionage group with a long history of targeting governments, military entities, and other high-value | GROUP | APT |
| 19.7.25 | UNG0002 | UNG0002: Regional Threat Operations Tracked Across Multiple Asian Jurisdictions | GROUP | APT |
| 16.7.25 | GLOBAL GROUP | GLOBAL GROUP: Emerging Ransomware-as-a-Service, Supporting AI Driven Negotiation and Mobile Control Panel for Their Affiliates | GROUP | RANSOMWARE |
| 28.6.25 | UAC-0226 | UAC-0226 is a cyber-espionage group targeting Ukrainian military, law enforcement, and local government entities—particularly near the eastern border—since February 2025. | GROUP | GROUP |
| 27.6.25 | Hive0154 | Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor | GROUP | GROUP |
| 26.6.25 | Dire Wolf | Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors | GROUP | GROUP |
| 20.6.25 | Blue(Noroff) | Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion | GROUP | GROUP |
| 11.6.25 | FIN6 | Eggs in a Cloudy Basket: Skeleton Spider’s Trusted Cloud Malware Delivery | GROUP | GROUP |
| 5.6.25 | Bitter Group | Bitter Group Distributes CHM Malware to Chinese Organizations | GROUP | GROUP |
| 5.6.25 | UNC6040 | The Cost of a Call: From Voice Phishing to Data Extortion | GROUP | GROUP |
| 3.6.25 | JINX-0132 | The Wiz Threat Research team has identified a widespread cryptojacking campaign targeting commonly used DevOps applications including Nomad and Consul. | GROUP | GROUP |
| 27.5.25 | Void Blizzard | New Russia-affiliated actor Void Blizzard targets critical sectors for espionage | GROUP | GROUP |
| 27.5.25 | TAG-110 | Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents | GROUP | GROUP |
| 22.5.25 | UAT-6382 | UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware | GROUP | GROUP |
| 20.5.25 | Hazy Hawk | From banks to battalions: SideWinder’s attacks on South Asia’s public sector | GROUP | APT |
| 16.5.24 | APT GROUP123 | Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. | GROUP | APT |
| 13.5.24 | TA406 | TA406 began targeting government entities in Ukraine, delivering both credential harvesting and malware in its phishing campaigns. The aim of these campaigns is likely to collect intelligence on the trajectory of the Russian invasion. | GROUP | CAMPAIGN |
| 9.5.24 | Gunra Ransomware | At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and organizations. | GROUP | RANSOMWARE |
| 26.4.25 | ToyMaker | Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs | GROUP | IAB |
| 24.4.25 | UNC4736 | UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. | GROUP | GROUP |
| 24.4.25 | UNC1069 | UNC1069 (active since at least April 2018) targets diverse industries for financial gain using social engineering ploys: it sends fake meeting invites and poses as investors from reputable companies on Telegram to gain access to victims' digital assets and cryptocurrency. | GROUP | GROUP |
| 24.4.25 | UNC4899 | UNC4899 (active since 2022) is known for orchestrating job-themed campaigns that deliver malware as part of a supposed coding assignment and has previously staged supply chain compromises for financial gain (overlaps with Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor). | GROUP | GROUP |
| 24.4.25 | UNC5342 | UNC5342 (active since at least December 2022) is also known for employing job-related lures to trick developers into running malware-laced projects (overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima). | GROUP | GROUP |
| 22.4.25 | Billbug | Billbug: Intrusion Campaign Against Southeast Asia Continues | GROUP | Espionage group |
| 22.4.25 | Larva-24005 | During the breach investigation process, the AhnLab SEcurity intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005. | GROUP | APT Group Profiles |
| 22.4.25 | Proton66 | Proton66 Part 1: Mass Scanning and Exploit Campaigns | GROUP | GROUP |
| 16.4.25 | UNC5174 | UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell | GROUP | GROUP |
| 15.4.25 | Slow Pisces | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware | GROUP | GROUP |
| 11.4.25 | Core Werewolf | Core Werewolf hones its arsenal against Russia’s government organizations | GROUP | GROUP |
| 11.4.25 | Venture Wolf | Venture Wolf attempts to disrupt Russian businesses with MetaStealer | GROUP | GROUP |
| 11.4.25 | NOVA | Attackers use a fork of a popular stealer to target Russian companies | GROUP | GROUP |
| 11.4.25 | Bloody Wolf | Bloody Wolf evolution: new targets, new tools | GROUP | GROUP |
| 11.4.25 | Sapphire Werewolf | Sapphire Werewolf refines Amethyst stealer to attack energy companies | GROUP | GROUP |
| 11.4.25 | GOFFEE | GOFFEE continues to attack organizations in Russia | GROUP | GROUP |
| 10.4.25 | Everest Ransomware Group | Threat Actor Profile | GROUP | Ransomware |
| 4.4.25 | Proton66 | Bulletproof Hosting Networks and Proton66 | GROUP | GROUP |
| 27.3.25 | FamousSparrow | You will always remember this as the day you finally caught FamousSparrow | GROUP | APT |
| 26.3.25 | RedCurl | In mid to late 2024, Huntress uncovered activity across several organizations in Canada, with similar infrastructure and TTPs used that can be associated with the APT group known as RedCurl (aka Earth Kapre and Red Wolf). | GROUP | APT |
| 25.3.25 | Elephant Beetle | Elephant Beetle: Uncovering an Organized Financial-Theft Operation | GROUP | GROUP |
| 25.3.25 | Weaver Ant | Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation | GROUP | GROUP |
| 21.3.25 | UAT-5918 | UAT-5918 targets critical infrastructure entities in Taiwan | GROUP | GROUP |
| 21.3.25 | -=TWELVE=- | -=TWELVE=- is back | GROUP | GROUP |
| 21.3.25 | Head Mare | Head Mare: adventures of a unicorn in Russia and Belarus | GROUP | GROUP |
| 13.3.25 | UNC3886 | Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers | GROUP | GROUP |
| 8.3.25 | LARVA-208 | LARVA-208 (EncryptHub) is a threat actor that has come to the forefront with highly sophisticated spear-phishing attacks since 26 June 2024. | GROUP | GROUP |
| 6.3.25 | Silk Typhoon | Silk Typhoon targeting IT supply chain | GROUP | APT |
| 6.3.25 | Dark Caracal | The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT | GROUP | APT |
| 6.3.25 | Lotus Panda | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools | GROUP | APT |
| 4.3.25 | JavaGhost | JavaGhost’s Persistent Phishing Attacks From the Cloud | GROUP | GROUP |
| 27.2.25 | TraderTraitor | TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies | GROUP | GROUP |
| 26.2.25 | UNC1151 | UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence | GROUP | GROUP |
| 22.2.25 | Salt Typhoon | Weathering the storm: In the midst of a Typhoon | GROUP | APT |
| 15.2.25 | Storm-2372 | Storm-2372 conducts device code phishing campaign | GROUP | Phishing |
| 27.1.25 | GamaCopy | Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military-related bait to launch attacks on Russia | GROUP | GROUP |
| 25.1.25 | UAC-0063 | UAC-0063: Cyber Espionage Operation Expanding from Central Asia | GROUP | GROUP |
| 16.1.25 | NICKEL TAPESTRY | NICKEL TAPESTRY Infrastructure Associated with Crowdfunding Scheme | GROUP | GROUP |
| 14.1.25 | UAC-0063 | Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations | GROUP | GROUP |
| 10.2.25 | DragonRank | Trend Micro researchers observed an SEO manipulation campaign that highlights the need for organizations using Internet Information Services (IIS) to proactively update and patch systems to prevent exploitation by threat actors that use malware like BadIIS in their campaigns. | GROUP | Campaigns |
| 10.1.25 | RedDelta | Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain | GROUP | GROUP |
| 10.1.25 | MirrorFace | The China-linked threat actor MirrorFace has been accused of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019. | GROUP | GROUP |