Group
DATE | NAME | CATEGORY | SUBCATEGORY | INFO
24.4.25 | UNC4736 | GROUP | GROUP | UNC4736 is a North Korean threat actor that has been involved in supply chain attacks on 3CX and X_TRADER software. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. |
24.4.25 | UNC1069 | GROUP | GROUP | UNC1069 (active since at least April 2018) targets diverse industries for financial gain, using social engineering ploys such as sending fake meeting invites and posing as investors from reputable companies on Telegram to gain access to victims' digital assets and cryptocurrency. |
24.4.25 | UNC4899 | GROUP | GROUP | UNC4899 (active since 2022) is known for orchestrating job-themed campaigns that deliver malware as part of a supposed coding assignment, and has previously staged supply chain compromises for financial gain (overlaps with Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor). |
24.4.25 | UNC5342 | GROUP | GROUP | UNC5342 (active since at least December 2022) is also known for employing job-related lures to trick developers into running malware-laced projects (overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima). |
22.4.25 | Billbug | GROUP | Espionage group | Billbug: Intrusion Campaign Against Southeast Asia Continues |
22.4.25 | Larva-24005 | GROUP | APT Group Profiles | During the breach investigation process, the AhnLab Security intelligence Center (ASEC) discovered a new operation related to the Kimsuky group and named it Larva-24005. |
22.4.25 | Proton66 | GROUP | GROUP | Proton66 Part 1: Mass Scanning and Exploit Campaigns |
16.4.25 | UNC5174 | GROUP | GROUP | UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell |
15.4.25 | Slow Pisces | GROUP | GROUP | Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware |
11.4.25 | Core Werewolf | GROUP | GROUP | Core Werewolf hones its arsenal against Russia’s government organizations |
11.4.25 | Venture Wolf | GROUP | GROUP | Venture Wolf attempts to disrupt Russian businesses with MetaStealer |
11.4.25 | NOVA | GROUP | GROUP | Attackers use a fork of a popular stealer to target Russian companies |
11.4.25 | Bloody Wolf | GROUP | GROUP | Bloody Wolf evolution: new targets, new tools |
11.4.25 | Sapphire Werewolf | GROUP | GROUP | Sapphire Werewolf refines Amethyst stealer to attack energy companies |
11.4.25 | GOFFEE | GROUP | GROUP | GOFFEE continues to attack organizations in Russia |
10.4.25 | Everest Ransomware Group | GROUP | Ransomware | Threat Actor Profile |
4.4.25 | Proton66 | GROUP | GROUP | Bulletproof Hosting Networks and Proton66 |
27.3.25 | FamousSparrow | GROUP | APT | You will always remember this as the day you finally caught FamousSparrow |
26.3.25 | RedCurl | GROUP | APT | In mid to late 2024, Huntress uncovered activity across several organizations in Canada, with similar infrastructure and TTPs used that can be associated with the APT group known as RedCurl (aka Earth Kapre and Red Wolf). This activity goes back as far as November 2023 in the hosts observed by Huntress. |
25.3.25 | Elephant Beetle | GROUP | GROUP | Elephant Beetle: Uncovering an Organized Financial-Theft Operation |
25.3.25 | Weaver Ant | GROUP | GROUP | Weaver Ant, the Web Shell Whisperer: Tracking a Live China-nexus Operation |
21.3.25 | UAT-5918 | GROUP | GROUP | UAT-5918 targets critical infrastructure entities in Taiwan |
21.3.25 | -=TWELVE=- | GROUP | GROUP | -=TWELVE=- is back |
21.3.25 | Head Mare | GROUP | GROUP | Head Mare: adventures of a unicorn in Russia and Belarus |
13.3.25 | UNC3886 | GROUP | GROUP | Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers |
8.3.25 | LARVA-208 | GROUP | GROUP | LARVA-208 (EncryptHub) is a threat actor that has come to the forefront with highly sophisticated spear-phishing attacks since 26 June 2024. In its attacks it follows a distinctive operational strategy: it carries out all the steps needed to obtain initial access through personalized SMS (smishing) or by calling the person directly (vishing), tricking the victim into installing remote monitoring and management (RMM) software. |
6.3.25 | Silk Typhoon | GROUP | APT | Silk Typhoon targeting IT supply chain |
6.3.25 | Dark Caracal | GROUP | APT | The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT |
6.3.25 | Lotus Panda | GROUP | APT | Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools |
4.3.25 | JavaGhost | GROUP | GROUP | JavaGhost’s Persistent Phishing Attacks From the Cloud |
27.2.25 | TraderTraitor | GROUP | GROUP | TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies |
26.2.25 | UNC1151 | GROUP | GROUP | UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence |
22.2.25 | Salt Typhoon | GROUP | APT | Weathering the storm: In the midst of a Typhoon |
15.2.25 | Storm-2372 | GROUP | Phishing | Storm-2372 conducts device code phishing campaign |
27.1.25 | GamaCopy | GROUP | GROUP | Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military-related bait to launch attacks on Russia |
25.1.25 | UAC-0063 | GROUP | GROUP | UAC-0063: Cyber Espionage Operation Expanding from Central Asia |
16.1.25 | NICKEL TAPESTRY | GROUP | GROUP | NICKEL TAPESTRY Infrastructure Associated with Crowdfunding Scheme |
14.1.25 | UAC-0063 | GROUP | GROUP | Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations |
10.2.25 | DragonRank | GROUP | Campaigns | Trend Micro researchers observed an SEO manipulation campaign that highlights the need for organizations using Internet Information Services (IIS) to proactively update and patch systems to prevent exploitation by threat actors that use malware like BadIIS in their campaigns. |
10.1.25 | RedDelta | GROUP | GROUP | Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain |
10.1.25 | MirrorFace | GROUP | GROUP | China-linked threat actor MirrorFace has been accused of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019. |
17.12.24 | TA397 | GROUP | GROUP | Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar. |
14.12.24 | MUT-1244 | GROUP | GROUP | Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials |
12.12.24 | Gamaredon | GROUP | APT | Unit 42 threat researchers have recently observed a threat group distributing new, custom-developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. |
11.12.24 | Secret Blizzard | GROUP | GROUP | Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine |
26.11.24 | RomCom | GROUP | | RomCom exploits Firefox and Windows zero days in the wild |
26.11.24 | Earth Estries | GROUP | | Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions |
23.11.24 | | GROUP | | Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON |
22.11.24 | TAG-110 | GROUP | | Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY |
22.11.24 | TAG-112 | GROUP | | China-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike |
21.11.24 | Gelsemium | GROUP | | Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine |
19.11.24 | LIMINAL PANDA | GROUP | | Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector |
16.11.24 | BrazenBamboo | GROUP | | BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA |
13.11.24 | WIRTE | GROUP | | Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity |
28.10.24 | UNC5812 | GROUP | GROUP | Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives |
28.10.24 | Crypt Ghouls | GROUP | GROUP | Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia |
27.10.24 | Water Makara | GROUP | GROUP | Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware |
27.10.24 | UAT-5647 | GROUP | APT | UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants |
27.9.24 | Embargo | GROUP | RANSOMWARE | Embargo Ransomware Group Strikes DME Delivers in Cyber Attack |
27.9.24 | DragonForce | GROUP | RANSOMWARE | Inside the Dragon: DragonForce Ransomware Group |
26.9.24 | BlackJack | GROUP | Hacktivist | BlackJack is a hacktivist group that emerged at the end of 2023, targeting companies based in Russia. In their Telegram channel, the group states that it aims to find vulnerabilities in the networks of Russian organizations and government institutions. |
22.9.24 | Marko Polo | GROUP | GROUP | “Marko Polo” Navigates Uncharted Waters With Infostealer Empire |
21.9.24 | TWELVE | GROUP | GROUP | -=TWELVE=- is back |
13.9.24 | DragonRank | GROUP | GROUP | DragonRank, a Chinese-speaking SEO manipulator service provider |
11.9.24 | CosmicBeetle | GROUP | RANSOMWARE | CosmicBeetle steps up: Probation period at RansomHub |
9.9.24 | Unit 29155 | GROUP | Military group | Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure |
5.9.24 | Head Mare | GROUP | GROUP | Head Mare: adventures of a unicorn in Russia and Belarus |
21.8.24 | UTG-Q-010 | GROUP | GROUP | UTG-Q-010: Targeted Attack Campaign Against the AI and Gaming Industry |
21.8.24 | TA453 | GROUP | GROUP | Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset |
15.8.24 | Actor240524 | GROUP | APT | New APT Group Actor240524: A Closer Look at Its Cyber Tactics Against Azerbaijan and Israel |
6.8.24 | Moonstone Sleet | GROUP | GROUP | Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access |
2.8.24 | Cuckoo Spear | GROUP | | Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies |
27.7.24 | Handala Hacking Team | GROUP | GROUP | Handala Hack: What We Know About the Rising Threat Actor |
27.7.24 | Cuckoo Spear | GROUP | GROUP | Highly sophisticated, well-funded, and strategically motivated nation-state cybersecurity threats are complex and challenging, requiring advanced cybersecurity measures, threat intelligence, and international cooperation. |
26.7.24 | APT45 | GROUP | APT | APT45: North Korea’s Digital Military Machine |
25.7.24 | Patchwork | GROUP | GROUP | The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel C4 and an enhanced version of PGoShell |
24.7.24 | Daggerfly | | Espionage | Daggerfly: Espionage Group Makes Major Update to Toolset |
23.7.24 | VIGORISH VIPER | GROUP | GROUP | GAMBLING IS NO GAME: DNS LINKS BETWEEN CHINESE ORGANIZED CRIME AND SPORTS SPONSORSHIPS |
23.7.24 | FLUXROOT | GROUP | HACKING | A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. |
23.7.24 | Prolific Puma | GROUP | Ransomware | Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma |
19.7.24 | UNC5537 | GROUP | GROUP | UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion |
18.7.24 | TAG-100 | GROUP | GROUP | TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies |
16.7.24 | MuddyWater | GROUP | GROUP | MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign |
16.7.24 | Void Banshee | GROUP | GROUP | CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks |
14.7.24 | CRYSTALRAY | GROUP | GROUP | CRYSTALRAY: Inside the Operations of a Rising Threat Actor Exploiting OSS Tools |
30.6.24 | Unfurling Hemlock | GROUP | GROUP | Unfurling Hemlock: New threat group uses cluster bomb campaign to distribute malware |
30.6.24 | KADOKAWA | GROUP | GROUP | Service Outages on Multiple Websites of the KADOKAWA Gro |
27.6.24 | ChamelGang | Group | Gang | ChamelGang & Friends: Cyberespionage Groups Attacking Critical Infrastructure with Ransomware |
26.6.24 | FIN9 | GROUP | APT | Inside the DEA Tool Hackers Allegedly Used to Extort Targets |
26.6.24 | ExCobalt | GROUP | Cyber Gang | ExCobalt: GoRed, the hidden-tunnel technique |
19.6.24 | UNC3886 | GROUP | CAMPAIGN | Cloaked and Covert: Uncovering UNC3886 Espionage Operations |
14.6.24 | UNC4899 | GROUP | GROUP | Insights on Cyber Threats Targeting Users and Enterprises in Brazil |
11.6.24 | UNC5537 | GROUP | GROUP | UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion |
10.6.24 | Sticky Werewolf | GROUP | GROUP | Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks |
7.6.24 | Ghostwriter | GROUP | | Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself. |
7.6.24 | Commando Cat | | Cryptojacking | Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers |
3.6.24 | Andariel | | APT | Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) |
31.5.24 | UAC-0006 | Group | Group | UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems. |
31.5.24 | FlyingYeti | Group | Group | Cloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt, and delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign targeting Ukraine. |
30.5.24 | LilacSquid | Group | Group | The stealthy trilogy of PurpleInk, InkBox and InkLoader |
29.5.24 | Moonstone Sleet | Group | APT | Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks |
27.5.24 | Storm-0539 | Group | Group | Navigating cyberthreats and strengthening defenses in the era of AI |
25.5.24 | Space Pirates | Group | | Space Pirates: analyzing the tools and connections of a new hacker group |
25.5.24 | | Group | | No sleep until the Cybercrime Fighters Club is done with finding the answer as to who is behind this new ransomware-as-a-service affiliate. |
24.5.24 | Sharp Dragon | | APT | SHARP DRAGON EXPANDS TOWARDS AFRICA AND THE CARIBBEAN |
23.5.24 | Unfading Sea Haze | Group | | Deep Dive Into Unfading Sea Haze: A New Threat Actor in the South China Sea |
21.5.24 | Void Manticore | Group | Group | BAD KARMA, NO JUSTICE: VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL |
21.5.24 | GitCaught | Group | Group | GitCaught: Threat Actor Leverages GitHub Repository for Malicious Infrastructure |
18.5.24 | Kinsing | Group | Hacking | Kinsing Demystified A Comprehensive Technical Guide |
16.5.24 | Storm-1811 | Group | Group | Threat actors misusing Quick Assist in social engineering attacks leading to ransomware |
19.4.24 | FIN7 | Group | APT | Threat Group FIN7 Targets the U.S. Automotive Industry |
16.4.24 | Muddled Libra | Group | Group | Muddled Libra also uses the legitimate scalability and native functionality of CSP services to create new resources to assist with data exfiltration. All CSPs have terms of service (TOS) policies that explicitly prohibit activities like those performed by Muddled Libra. |
12.4.24 | TA547 | Group | Group | Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer |
11.4.24 | Virtual Invaders | Group | | There is no indication that this campaign is linked to any known group; however, we are tracking the threat actors behind it under the moniker Virtual Invaders. |
9.4.24 | Starry Addax | Group | Group | Starry Addax targets human rights defenders in North Africa with new malware |
5.4.24 | UTA0178 | Group | Group | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. |
5.4.24 | CoralRaider | Group | Group | CoralRaider targets victims’ data and social media accounts |
2.4.24 | Earth Freybug | Group | Group | This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON. |
28.3.24 | NARWHAL SPIDER | Group | APT | NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer. |
27.3.24 | Earth Krahang | Group | APT | Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks |
27.3.24 | Earth Lusca | Group | APT | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections |
27.3.24 | BRONZE VINEWOOD | Group | APT | DETAILS ON BRONZE VINEWOOD, IMPLICATED IN TARGETING OF THE U.S. ELECTION CAMPAIGN |
26.3.24 | Lord Nemesis | Group | Hacktivism | Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector |
26.3.24 | TA450 | Group | APT | Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign |
24.3.24 | Springtail | Group | APT | Springtail APT group abuses valid certificate of known Korean public entity |
24.3.24 | Kimsuky | Group | APT | The Updated APT Playbook: Tales from the Kimsuky threat actor group |
22.3.24 | UNC302 | Group | Group | BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies |
22.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. |
22.3.24 | UNC5221 | Group | Group | While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. |
20.3.24 | Andariel | Group | | Andariel Group (MeshAgent) is attacking by abusing domestic asset management solutions |
18.3.24 | ITG05 | Group | | Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns |
14.3.24 | APT-C-36 | Group | APT | Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected to originate from South America has carried out continuous targeted attacks against Colombian government institutions as well as major corporations in the financial sector, the petroleum industry, professional manufacturing, and other sectors. |
14.3.24 | DarkCasino | Group | APT | DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property. |
11.3.24 | BianLian | Group | Ransomware | BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. |
7.3.24 | Evasive Panda | Group | APT | Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations. |
7.3.24 | TA4903 | Group | Phishing | TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids |
7.3.24 | 8220 Mining Group | Group | Cryptocurrency | Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed, which are customized variants of the XMRig Monero mining software. |
6.3.24 | GhostSec | Group | Ransomware | GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS. |
6.3.24 | UNC1945 | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. |
6.3.24 | APT32 | Group | APT | Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests. |
6.3.24 | Kimsuky | Group | APT | JOINT CYBERSECURITY ADVISORY North Korean Advanced Persistent Threat Focus: Kimsuky |
5.3.24 | TA577 | Group | Group | TA577’s Unusual Attack Chain Leads to NTLM Data Theft |
2.3.24 | Scattered Spider | Group | Hacking | Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing. |
2.3.24 | BlackTech | Group | CyberSpy | BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. |
2.3.24 | Peach Sandstorm | Group | APT | Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government. |
2.3.24 | LightBasin | Group | APT | UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. |
1.3.24 | UNC1549 | BigBrother | CyberSpy | When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors |
1.3.24 | UNC3886 | Group | Group | UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. |
1.3.24 | Tortoiseshell | Group | Group | A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. |
1.3.24 | Bohrium | Group | Group | Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. |
19.2.24 | TAG-70 | Group | Group | Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign |
6.2.24 | GambleForce | Group | | Analysis of TTPs tied to GambleForce, which carried out SQL injection attacks against companies in the APAC region |
3.2.24 | COLDRIVER | Group | Group | The Coldriver Group, also known as Callisto and SEABORGIUM, is a threat actor known to attack government organizations, think tanks, and journalists in Europe and the Caucasus regions through spearphishing campaigns. |
3.2.24 | Shuckworm | Group | Group | Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine |
3.2.24 | LitterDrifter | Group | Group | Malware Spotlight – Into the Trash: Analyzing LitterDrifter |
3.2.24 | UAC-0027 | Group | Group | UAC-0027 Attack Detection: Hackers Target Ukrainian Organizations Using DIRTYMOE (PURPLEFOX) Malware |
2.2.24 | UNC5221 | Group | CyberSpy | UNC5221: Unreported and Undetected WIREFIRE Web Shell Variant |
2.2.24 | Volt Typhoon | Group | Group | [Microsoft] Volt Typhoon is a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises. |
1.2.24 | UNC4990 | Group | Group | Evolution of UNC4990: Uncovering USB Malware's Hidden Depths |
19.1.24 | COLDRIVER | Group | Group | Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware |