| ID | Name | Category | Associated Groups | Description |
|---|---|---|---|---|
| G0018 | admin@338 | APT | | admin@338 is a China-based cyber threat group. |
| G0130 | Ajax Security Team | APT | Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten | Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. |
| G1000 | ALLANITE | APT | Palmetto Fusion | ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. |
| G0138 | Andariel | APT | Silent Chollima | Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. |
| G1007 | Aoqin Dragon | APT | | Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. |
| G0099 | APT-C-36 | APT | Blind Eagle | APT-C-36 is a suspected South America espionage group that has been active since at least 2018. |
| G0006 | APT1 | APT | Comment Crew, Comment Group, Comment Panda | APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. |
| G0005 | APT12 | APT | IXESHE, DynCalc, Numbered Panda, DNSCALC | APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. |
| G0023 | APT16 | APT | | APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. |
| G0025 | APT17 | APT | Deputy Dog | APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. |
| G0026 | APT18 | APT | TG-0416, Dynamite Panda, Threat Group-0416 | APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. |
| G0073 | APT19 | APT | Codoso, C0d0so0, Codoso Team, Sunshop Group | APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. |
| G0007 | APT28 | APT | IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, | APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. |
| G0016 | APT29 | APT | IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle | APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). |
| G0022 | APT3 | APT | Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110 | APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. |
| G0013 | APT30 | APT | | APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. |
| G0050 | APT32 | APT | SeaLotus, OceanLotus, APT-C-00 | APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. |
| G0064 | APT33 | APT | HOLMIUM, Elfin | APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. |
| G0067 | APT37 | APT | Ricochet Chollima, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper | APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. |
| G0082 | APT38 | APT | NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima | APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. |
| G0087 | APT39 | APT | ITG07, Chafer, Remix Kitten | APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. |
| G0096 | APT41 | APT | Wicked Panda | APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. |
| G0143 | Aquatic Panda | APT | | Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. |
| G0001 | Axiom | APT | Group 72 | Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. |
| G0135 | BackdoorDiplomacy | APT | | BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. |
| G1002 | BITTER | APT | T-APT-17 | BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. |
| G0063 | BlackOasis | APT | | BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. |
| G0098 | BlackTech | APT | Palmerworm | BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. |
| G0108 | Blue Mockingbird | APT | | Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. |
| G0097 | Bouncing Golf | APT | | Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries. |
| G0060 | BRONZE BUTLER | APT | REDBALDKNIGHT, Tick | BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. |
| G0008 | Carbanak | APT | Anunak | Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. |
| G0114 | Chimera | APT | | Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry. |
| G0003 | Cleaver | APT | Threat Group 2889, TG-2889 | Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). |
| G0080 | Cobalt Group | APT | GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider | Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. |
| G0142 | Confucius | APT | Confucius APT | Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. |
| G0052 | CopyKittens | APT | | CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. |
| G0070 | Dark Caracal | APT | | Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. |
| G0012 | Darkhotel | APT | DUBNIUM | Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. |
| G0079 | DarkHydrus | APT | | DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. |
| G0105 | DarkVishnya | APT | | DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region. |
| G0009 | Deep Panda | APT | Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine | Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. |
| G0035 | Dragonfly | APT | TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, | Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. |
| G0017 | DragonOK | APT | | DragonOK is a threat group that has targeted Japanese organizations with phishing emails. |
| G1006 | Earth Lusca | APT | TAG-22 | Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. |
| G0066 | Elderwood | APT | Elderwood Gang, Beijing Group, Sneaky Panda | Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. |
| G1003 | Ember Bear | APT | Saint Bear, UNC2589, UAC-0056, Lorec53, Lorec Bear, Bleeding Bear | Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. |
| G0020 | Equation | APT | | Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. |
| G0120 | Evilnum | APT | | Evilnum is a financially motivated threat group that has been active since at least 2018. |
| G1011 | EXOTIC LILY | APT | | EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. |
| G0137 | Ferocious Kitten | APT | | Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015. |
| G0051 | FIN10 | APT | | FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. |
| G0085 | FIN4 | APT | | FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. |
| G0053 | FIN5 | APT | | FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. |
| G0037 | FIN6 | APT | Magecart Group 6, ITG08, Skeleton Spider | FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. |
| G0046 | FIN7 | APT | GOLD NIAGARA, ITG14, Carbon Spider | FIN7 is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. |
| G0061 | FIN8 | APT | | FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. |
| G0117 | Fox Kitten | APT | UNC757, Parisite, Pioneer Kitten | Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. |
| G0093 | GALLIUM | APT | Operation Soft Cell | GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan |
| G0084 | Gallmaker | APT | | Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors. |
| G0047 | Gamaredon Group | APT | IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, | Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. |
| G0036 | GCMAN | APT | | GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. |
| G0115 | GOLD SOUTHFIELD | APT | | GOLD SOUTHFIELD is a financially motivated threat group active since at least 2019 that operates the REvil Ransomware-as-a-Service (RaaS). |
| G0078 | Gorgon Group | APT | | Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. |
| G0043 | Group5 | APT | | Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. |
| G0125 | HAFNIUM | APT | Operation Exchange Marauder | HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. |
| G1001 | HEXANE | APT | Lyceum, Siamesekitten, Spirlin | HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. |
| G0126 | Higaisa | APT | | Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; |
| G0100 | Inception | APT | Inception Framework, Cloud Atlas | Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, |
| G0136 | IndigoZebra | APT | | IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014. |
| G0119 | Indrik Spider | APT | Evil Corp | Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. |
| G0004 | Ke3chang | APT | APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL | Ke3chang is a threat group attributed to actors operating out of China. |
| G0094 | Kimsuky | APT | STOLEN PENCIL, Thallium, Black Banshee, Velvet Chollima | Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. |
| G1004 | LAPSUS$ | APT | DEV-0537 | LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. |
| G0032 | Lazarus Group | APT | Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, | Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. |
| G0140 | LazyScripter | APT | | LazyScripter is a threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets. |
| G0077 | Leafminer | APT | Raspite | Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. |
| G0065 | Leviathan | APT | MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, | Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. |
| G0030 | Lotus Blossom | APT | DRAGONFISH, Spring Dragon | Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. |
| G0095 | Machete | APT | APT-C-43, El Machete | Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. |
| G0059 | Magic Hound | APT | TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus | Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. |
| G0045 | menuPass | APT | Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH | menuPass is a threat group that has been active since at least 2006. |
| G0002 | Moafee | APT | | Moafee is a threat group that appears to operate from the Guangdong Province of China. |
| G0103 | Mofang | APT | | Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. |
| G0021 | Molerats | APT | Operation Molerats, Gaza Cybergang | Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. |
| G1009 | Moses Staff | APT | | Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. |
| G0069 | MuddyWater | APT | Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros | MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). |
| G0129 | Mustang Panda | APT | TA416, RedDelta, BRONZE PRESIDENT | Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. |
| G0019 | Naikon | APT | | Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). |
| G0055 | NEODYMIUM | APT | | NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. |
| G0133 | Nomadic Octopus | APT | DustSquad | Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. |
| G0049 | OilRig | APT | COBALT GYPSY, IRN2, APT34, Helix Kitten | OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. |
| G0071 | Orangeworm | APT | | Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. |
| G0040 | Patchwork | APT | Hangover Group, Dropping Elephant, Chinastrats, MONSOON, | Patchwork is a cyber espionage group that was first observed in December 2015. |
| G0011 | PittyTiger | APT | | PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. |
| G0068 | PLATINUM | APT | | PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. |
| G1005 | POLONIUM | APT | | POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. |
| G0033 | Poseidon Group | APT | | Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. |
| G0056 | PROMETHIUM | APT | StrongPity | PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. |
| G0024 | Putter Panda | APT | APT2, MSUpdater | Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). |
| G0075 | Rancor | APT | | Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. |
| G0106 | Rocke | APT | | Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. |
| G0048 | RTM | APT | | RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). |
| G0034 | Sandworm Team | APT | ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, | Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. |
| G0029 | Scarlet Mimic | APT | | Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. |
| G1008 | SideCopy | APT | | SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. |
| G0121 | Sidewinder | APT | T-APT-04, Rattlesnake | Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan. |
| G0091 | Silence | APT | Whisper Spider | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. |
| G0122 | Silent Librarian | APT | TA407, COBALT DICKENS | Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. |
| G0083 | SilverTerrier | APT | | SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing. |
| G0054 | Sowbug | APT | | Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. |
| G0038 | Stealth Falcon | APT | | Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. |
| G0041 | Strider | APT | ProjectSauron | Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. |
| G0039 | Suckfly | APT | | Suckfly is a China-based threat group that has been active since at least 2014. |
| G0062 | TA459 | APT | | TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. |
| G0092 | TA505 | APT | Hive0065 | TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop. |
| G0127 | TA551 | APT | GOLD CABIN, Shathak | TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. |
| G0139 | TeamTNT | APT | | TeamTNT is a threat group that has primarily targeted cloud and containerized environments. |
| G0088 | TEMP.Veles | APT | XENOTIME | TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems. |
| G0089 | The White Company | APT | | The White Company is a likely state-sponsored threat actor with advanced capabilities. |
| G0028 | Threat Group-1314 | APT | TG-1314 | Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. |
| G0027 | Threat Group-3390 | APT | Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, | Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. |
| G0076 | Thrip | APT | | Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. |
| G0131 | Tonto Team | APT | Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda | Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; |
| G0134 | Transparent Tribe | APT | COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM | Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan. |
| G0081 | Tropic Trooper | APT | Pirate Panda, KeyBoy | Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. |
| G0010 | Turla | APT | IRON HUNTER, Group 88, Belugasturgeon, Waterbug, WhiteBear, | Turla is a Russia-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. |
| G0123 | Volatile Cedar | APT | Lebanese Cedar | Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests. |
| G0107 | Whitefly | APT | | Whitefly is a cyber espionage group that has been operating since at least 2017. |
| G0124 | Windigo | APT | | The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. |
| G0112 | Windshift | APT | Bahamut | Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. |
| G0044 | Winnti Group | APT | Blackfly | Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. |
| G0090 | WIRTE | APT | | WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe. |
| G0102 | Wizard Spider | APT | UNC1878, TEMP.MixMaster, Grim Spider | Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. |
| G0128 | ZIRCONIUM | APT | APT31 | ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community. |