APT GROUP
ID | NAME | DESCRIPTION | CATEGORY |
G0018 | admin@338 | admin@338 is a China-based cyber threat group. | |
G1030 | Agrius | Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. | |
G0130 | Ajax Security Team | Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. | |
G1024 | Akira | Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. | |
G1000 | ALLANITE | ALLANITE is a suspected Russian cyber espionage group that has primarily targeted the electric utility sector within the United States and United Kingdom. | |
G0138 | Andariel | Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. | |
G1007 | Aoqin Dragon | Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. | |
G1028 | APT-C-23 | APT-C-23 is a threat group that has been active since at least 2014. APT-C-23 has primarily focused its operations on the Middle East, including Israeli military assets. APT-C-23 has developed mobile spyware targeting Android and iOS devices since 2017. | |
G0099 | APT-C-36 | APT-C-36 is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing. | |
G0006 | APT1 | APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. | |
G0005 | APT12 | APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. | |
G0023 | APT16 | APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. | |
G0025 | APT17 | APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. | |
G0026 | APT18 | APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. | |
G0073 | APT19 | APT19 is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. | |
G0007 | APT28 | APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. | |
G0016 | APT29 | APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. | |
G0022 | APT3 | APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. | |
G0013 | APT30 | APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. | |
G0050 | APT32 | APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. | |
G0064 | APT33 | APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. | |
G0067 | APT37 | APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. | |
G0082 | APT38 | APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. | |
G0087 | APT39 | APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. | |
G0096 | APT41 | APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. | |
G1023 | APT5 | APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. | |
G0143 | Aquatic Panda | Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors. | |
G0001 | Axiom | Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. | |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia. | |
G1002 | BITTER | BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia. | |
G0063 | BlackOasis | BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. | |
G0098 | BlackTech | BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. | |
G0108 | Blue Mockingbird | Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019. | |
G0097 | Bouncing Golf | Bouncing Golf is a cyberespionage campaign targeting Middle Eastern countries. | |
G0060 | BRONZE BUTLER | BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. | |
G0008 | Carbanak | Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware. | |
G0114 | Chimera | Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry. | |
G1021 | Cinnamon Tempest | Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. | |
G0003 | Cleaver | Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). | |
G0080 | Cobalt Group | Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. | |
G0142 | Confucius | Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. | |
G0052 | CopyKittens | CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. | |
G1012 | CURIUM | CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. | |
G1027 | CyberAv3ngers | The CyberAv3ngers are a suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT group. The CyberAv3ngers have been known to be active since at least 2020, with disputed and false claims of critical infrastructure compromises in Israel. | |
G1034 | Daggerfly | Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. | |
G0070 | Dark Caracal | Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. | |
G0012 | Darkhotel | Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. | |
G0079 | DarkHydrus | DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. | |
G0105 | DarkVishnya | DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region. | |
G0009 | Deep Panda | Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. | |
G0035 | Dragonfly | Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. | |
G0017 | DragonOK | DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. | |
G0066 | Elderwood | Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. | |
G1003 | Ember Bear | Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). | |
G0020 | Equation | Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. | |
G0120 | Evilnum | Evilnum is a financially motivated threat group that has been active since at least 2018. | |
G1011 | EXOTIC LILY | EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. | |
G0137 | Ferocious Kitten | Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015. | |
G0051 | FIN10 | FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. | |
G1016 | FIN13 | FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII. | |
G0085 | FIN4 | FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. | |
G0053 | FIN5 | FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. | |
G0037 | FIN6 | FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. | |
G0046 | FIN7 | FIN7 is a financially-motivated threat group that has been active since 2013. | |
G0061 | FIN8 | FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. | |
G0117 | Fox Kitten | Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. | |
G0093 | GALLIUM | GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. | |
G0084 | Gallmaker | Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors. | |
G0047 | Gamaredon Group | Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. | |
G0036 | GCMAN | GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. | |
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the REvil Ransomware-as-a-Service (RaaS). GOLD SOUTHFIELD provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. | |
G0078 | Gorgon Group | Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. | |
G0043 | Group5 | Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. | |
G0125 | HAFNIUM | HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. | |
G1001 | HEXANE | HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. | |
G0126 | Higaisa | Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. | |
G1032 | INC Ransom | INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. | |
G0100 | Inception | Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East. | |
G0136 | IndigoZebra | IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014. | |
G0119 | Indrik Spider | Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik Spider initially started with the Dridex banking Trojan, and then by 2017 they began running ransomware operations using BitPaymer, WastedLocker, and Hades ransomware. | |
G0004 | Ke3chang | Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010. | |
G0094 | Kimsuky | Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. | |
G1004 | LAPSUS$ | LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. | |
G0032 | Lazarus Group | Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. | |
G0140 | LazyScripter | LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets. | |
G0077 | Leafminer | Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. | |
G0065 | Leviathan | Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. | |
G0030 | Lotus Blossom | Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. | |
G1014 | LuminousMoth | LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. | |
G0095 | Machete | Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. | |
G0059 | Magic Hound | Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. | |
G1026 | Malteiro | Malteiro is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. | |
G0045 | menuPass | menuPass is a threat group that has been active since at least 2006. | |
G1013 | Metador | Metador is a suspected cyber espionage group that was first reported in September 2022. | |
G0002 | Moafee | Moafee is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. | |
G0103 | Mofang | Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. | |
G0021 | Molerats | Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. | |
G1036 | Moonstone Sleet | Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. | |
G1009 | Moses Staff | Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. | |
G1019 | MoustachedBouncer | MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus. | |
G0069 | MuddyWater | MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). | |
G0129 | Mustang Panda | Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. | |
G1020 | Mustard Tempest | Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools. | |
G0019 | Naikon | Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). | |
G0055 | NEODYMIUM | NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. | |
G0133 | Nomadic Octopus | Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. | |
G0049 | OilRig | OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. | |
G0071 | Orangeworm | Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. | |
G0040 | Patchwork | Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. | |
G0011 | PittyTiger | PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. | |
G0068 | PLATINUM | PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. | |
G1040 | Play | Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. | |
G1005 | POLONIUM | POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. | |
G0033 | Poseidon Group | Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. | |
G0056 | PROMETHIUM | PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. | |
G0024 | Putter Panda | Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). | |
G0075 | Rancor | Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. | |
G1039 | RedCurl | RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks. | |
G0106 | Rocke | Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. | |
G0048 | RTM | RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). | |
G1031 | Saint Bear | Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and an information stealer, OutSteel, in its campaigns. | |
G0034 | Sandworm Team | Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009. | |
G0029 | Scarlet Mimic | Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. | |
G1015 | Scattered Spider | Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022. The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. | |
G1008 | SideCopy | SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghan government personnel, since at least 2019. SideCopy's name comes from its infection chain, which tries to mimic that of Sidewinder, a suspected Indian threat group. | |
G0121 | Sidewinder | Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan. | |
G0091 | Silence | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. | |
G0122 | Silent Librarian | Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. | |
G0083 | SilverTerrier | SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing. | |
G0054 | Sowbug | Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. | |
G1033 | Star Blizzard | Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. | |
G0038 | Stealth Falcon | Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. | |
G0041 | Strider | Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. | |
G0039 | Suckfly | Suckfly is a China-based threat group that has been active since at least 2014. | |
G1018 | TA2541 | TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. | |
G0062 | TA459 | TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. | |
G0092 | TA505 | TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop. | |
G0127 | TA551 | TA551 is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. | |
G1037 | TA577 | TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the first observed groups distributing Latrodectus in 2023. | |
G1038 | TA578 | TA578 is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including Latrodectus, IcedID, and Bumblebee. | |
G0139 | TeamTNT | TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. | |
G0088 | TEMP.Veles | TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems. | |
G0089 | The White Company | The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan. | |
G0028 | Threat Group-1314 | Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. | |
G0027 | Threat Group-3390 | Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. | |
G0076 | Thrip | Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. | |
G1022 | ToddyCat | ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia. | |
G0131 | Tonto Team | Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. | |
G0134 | Transparent Tribe | Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan. | |
G0081 | Tropic Trooper | Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011. | |
G0010 | Turla | Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). | |
G1029 | UNC788 | UNC788 is a group of hackers from Iran that has targeted people in the Middle East. | |
G0123 | Volatile Cedar | Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. Volatile Cedar has been operating since 2012 and is motivated by political and ideological interests. | |
G1017 | Volt Typhoon | Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. | |
G0107 | Whitefly | Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. | |
G0124 | Windigo | The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the Ebury SSH backdoor to create a spam botnet. | |
G0112 | Windshift | Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. | |
G0044 | Winnti Group | Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. | |
G1035 | Winter Vivern | Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. | |
G0090 | WIRTE | WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe. | |
G0102 | Wizard Spider | Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. | |
G0128 | ZIRCONIUM | ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community. |