Iranian destructive-attack cluster operating wipers under ransomware cover.
DPRK financially-motivated cluster targeting cryptocurrency.
PLA Unit 61398 cyber-espionage group; subject of the 2013 Mandiant APT1 report.
Russian military intelligence cyber-espionage group attributed to GRU Unit 26165.
Russian SVR cyber-espionage group; perpetrators of the SolarWinds supply-chain compromise.
DPRK financial-heist cluster attributed to the Reconnaissance General Bureau.
Dual-purpose Chinese threat group conducting espionage and financially motivated operations.
GRU Unit 74455 destructive-attack and disinformation group.
APT49 is a state-sponsored advanced persistent threat group tracked by Mandiant, though limited public reporting exists under this specific designation. The group's primary motivation is espionage, consistent with nation-state objectives focused on intelligence collection rather than financial gain. Specific targeting patterns, victimology, and origin country remain insufficiently documented in open-source reporting to characterize with confidence.
APT73 is a state-sponsored advanced persistent threat actor whose precise national origin remains unattributed or undisclosed, operating under the designation assigned by Mandiant. The group conducts cyber espionage operations consistent with nation-state objectives, focusing on the collection of sensitive information to support government or strategic interests. Their targeting profile and specific victim sectors remain insufficiently documented in open-source reporting, making detailed characterization of their operational scope uncertain at this time.
APT9 (also known as NIGHTSHADE PANDA and Red Pegasus) is a Chinese state-sponsored threat actor engaged in cyber espionage operations primarily targeting organizations in the United States, Japan, South Korea, and across Europe and Southeast Asia. The group focuses on intellectual property and competitive data theft, with a historically strong emphasis on the pharmaceuticals, biotechnology, healthcare, and aerospace sectors. APT9 employs a range of intrusion techniques including spearphishing, abuse of valid accounts, exploitation of trusted inter-organizational relationships, and a diverse malware toolkit comprising both publicly available and custom backdoors shared across multiple Chinese APT groups.
Charming Kitten (also known as APT35, Phosphorus, and TA453) is an Iranian state-sponsored advanced persistent threat group widely assessed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC). The group conducts sophisticated cyber espionage campaigns employing spear-phishing, credential harvesting, and social engineering tactics — often posing as journalists, academics, or think-tank representatives to gain the trust of targets. Their primary focus is intelligence collection against government officials, military personnel, dissidents, journalists, human rights activists, and academic researchers, particularly those involved in foreign policy, nuclear negotiations, and matters of strategic interest to the Iranian government.
GRU cluster responsible for WhisperGate wiper attacks on Ukraine.
DPRK IT-worker fraud operation.
FSB-attributed cyber group operating against Ukraine since 2013.
PRC cluster behind the 2021 Microsoft Exchange ProxyLogon mass exploitation.
DPRK RGB cyber unit responsible for high-impact financial heists and espionage.
DPRK cluster engaged in IT-worker fraud and ransomware development.
Iranian MOIS-affiliated cyber-espionage and disruption group.
China-aligned cyber-espionage group targeting NGOs, religious orgs, and governments across Asia and Europe.
IRGC-aligned cluster opportunistically deploying ransomware.
IRGC-affiliated cluster involved in espionage and access brokering.
FSB cyber-espionage group targeting Western think tanks, NGOs, and politicians.
Belarusian disinformation and credential-theft cluster aligned with Russian objectives.
UNC28 is a Chinese state-sponsored advanced persistent threat (APT) group tracked by Mandiant, assessed to conduct cyber espionage operations in support of Chinese government intelligence objectives. The group focuses on intelligence gathering activities, leveraging sophisticated intrusion techniques to gain unauthorized access to targeted networks and exfiltrate sensitive information. Their targeting profile aligns with broader Chinese strategic interests, likely focusing on government, defense, technology, or other sectors of geopolitical significance, though specific victim verticals remain limited in open-source reporting.
PRC cluster targeting US critical infrastructure with living-off-the-land techniques.
DEV-0537, widely known as Lapsus$, is an extortion-focused cybercriminal collective active since 2021, composed of members spanning multiple countries and notable for including younger individuals among its ranks. The group primarily pursues financial gain and notoriety by compromising high-profile organizations through social engineering, credential theft, and insider recruitment rather than traditional malware-heavy intrusion methods. Their targeting is broad and opportunistic, spanning sectors such as technology, telecommunications, government, finance, and retail across North America, South America, Europe, and Asia.
Russian-speaking cybercriminal syndicate behind Dridex banking malware and ransomware.
Earth Lamia is a China-nexus APT that targets organizations across multiple sectors, including finance, logistics, and government, primarily in Latin America, the Middle East, and Southeast Asia. The actor exploits web application vulnerabilities, such as CVE-2025-55182, and employs techniques like SQL injection, DLL sideloading, and the deployment of custom backdoors like PULSEPACK and BypassBoss. Earth Lamia conducts reconnaissance, file operations, and credential theft, often utilizing tools like Cobalt Strike and VShell.
Native-English-speaking eCrime collective known for social-engineering helpdesks.
Emotet botnet operators.
TA577 (also known as Hive0118) is a financially motivated cybercriminal threat actor active since 2020, operating as an initial access broker and malware distributor with a broad targeting footprint spanning North America, Europe, Asia-Pacific, and the Middle East. The group conducts high-volume phishing and malspam campaigns delivering malware payloads—including information stealers and ransomware—across a wide range of sectors such as finance, manufacturing, healthcare, logistics, retail, and professional services. Their primary motivation is financial gain, achieved through deploying ransomware, facilitating data theft, or selling access to compromised networks to downstream threat actors.
Ransomware crew historically targeting education and healthcare.
Wizard Spider is a financially motivated Russian cybercriminal group active since 2016, widely known for operating the TrickBot banking trojan and associated malware ecosystem including BazarBackdoor, Ryuk, and Conti ransomware. The group conducts sophisticated, multi-stage intrusions typically beginning with TrickBot or BazarBackdoor infections that facilitate lateral movement and ultimately ransomware deployment against high-value targets. Their operations span a broad range of sectors globally—including finance, government, healthcare, education, and critical infrastructure—across North America, Europe, Asia, and Latin America, with attacks driven primarily by large ransom demands and financial extortion.
Loose hacktivist collective targeting government and infrastructure with defacements and DDoS.
Bahamut is a sophisticated cyber-mercenary APT group active since at least 2016, operating across South Asia and the Middle East and offering espionage-for-hire services to a range of clients including suspected state sponsors. The group conducts targeted spear-phishing campaigns, deploys custom malware, and leverages fake applications and websites to compromise both Windows and mobile devices. Their targets span government entities, military personnel, journalists, activists, and private individuals, with operations driven by financial gain and the intelligence requirements of their paying clients.
Predatory Sparrow (also known as Gonjeshke Darande) is a hacktivist collective widely suspected of operating as a state-sponsored front, conducting high-profile destructive cyberattacks against Iranian critical infrastructure. The group's operations are characterized by sabotage and disruption, targeting sectors such as steel manufacturing, fuel distribution, and railway systems, causing significant real-world physical and economic damage. Their stated motivation is ideological opposition to the Iranian government, though the sophistication and precision of their attacks strongly suggest backing from a nation-state actor, widely assessed to be Israel.