DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.

Intelligence Database

Threat Actors

Comprehensive profiles of tracked threat actors — covering MITRE ATT&CK mappings, known IOCs, active campaigns, and infrastructure monitoring.

15 actors tracked · 14 active · 6 nation-state
Showing all 15 profiles

Active · Advanced

Storm-1747

DEV-1747 · Sangria Tempest (subset) · Tycoon2FA operator +2 more

Storm-1747 is the financially motivated threat actor responsible for operating Tycoon2FA, the most prolific phishing-as-a-service (PhaaS) platform observed globally. The platform sold AiTM capabilities via Telegram channels starting at $120 USD for 10 days, enabling approximately 2,000 subscribers to bypass MFA and compromise accounts at scale. The platform's primary developer is alleged to be Saad Fridi (Pakistan), operating under handles 'SaaadFridi' and 'Mr_Xaad'. Despite a major takedown in March 2026 involving seizure of 330 domains, operations resumed within days, demonstrating significant resilience and adaptive infrastructure capabilities.

Unknown (likely Nigeria-based or West African cybercrime ecosystem) · 19 techniques · 20 tools

Active · Intermediate

Rhysida

Rhysida Ransomware · Vice Society (suspected connection)

Rhysida is a ransomware-as-a-service (RaaS) operation that emerged in May 2023, quickly establishing itself as a significant threat to organizations worldwide. The group operates a double extortion model, encrypting victim data while simultaneously exfiltrating sensitive information to leverage for ransom payments. Rhysida has demonstrated a particular focus on critical infrastructure sectors, including healthcare, education, government organizations, and manufacturing. The group maintains an active data leak site on the dark web where they auction stolen data from victims who refuse to pay ransoms, typically setting 7-day auction periods. Rhysida has been linked to several high-profile attacks, including the British Library breach in October 2023, attacks on multiple healthcare organizations across the United States, the Chilean Army in 2023, and Prospect Medical Holdings affecting multiple hospitals. Rhysida's ransomware is written in C++ and uses ChaCha20 for file encryption combined with RSA-4096 for key encryption. The group typically gains initial access through exploiting known vulnerabilities in public-facing applications (particularly VPN and remote access services), phishing campaigns, and purchasing access from initial access brokers. Their operations show tactical overlaps with Vice Society, leading some researchers to suspect potential connections, shared tooling, or rebranded operations between the groups. The ransomware appends the .rhysida extension to encrypted files and drops a PDF ransom note named CriticalBreachDetected.pdf.

Unknown (likely Eastern Europe or Russia-nexus) · 24 techniques · 9 tools

Active · Advanced

BianLian

BianLian Group · BianLian Ransomware Group

BianLian is a sophisticated cybercriminal threat group that emerged in mid-2022, initially operating as a ransomware operation using encryption-based extortion. The group is notable for its strategic pivot in early 2023 from traditional ransomware encryption to purely exfiltration-based extortion, likely in response to improved backup and recovery capabilities among victims and the development of decryption tools. This shift demonstrates the group's adaptability and focus on data theft as the primary extortion mechanism. BianLian primarily targets organizations across multiple sectors in the United States, Australia, and the United Kingdom, with a particular focus on critical infrastructure sectors including healthcare, manufacturing, professional services, and education. The group employs double extortion tactics, threatening to publish stolen sensitive data on their leak site if ransom demands are not met. They are known for their professional negotiation tactics and persistent targeting of high-value organizations. The threat actors demonstrate advanced technical capabilities, utilizing custom-developed malware, open-source tools, and living-off-the-land techniques to maintain persistence and evade detection. BianLian operators typically gain initial access through exploitation of known vulnerabilities in internet-facing applications, particularly ProxyShell and FortiOS SSL-VPN vulnerabilities, followed by extensive reconnaissance and lateral movement across victim networks. Their operations are characterized by relatively fast attack timelines and efficient data exfiltration methods.

Unknown (suspected Eastern European or Russian-speaking based on operational patterns and victim targeting) · 42 techniques · 22 tools

Active · Advanced

Qilin

Agenda · Qilin Ransomware Group

Qilin (also known as Agenda) is a sophisticated ransomware-as-a-service (RaaS) operation that emerged in mid-2022, with significant activity escalating through 2023 and 2024. The group is known for its highly customizable ransomware written in both Rust and Golang, which targets Windows, Linux, and VMware ESXi environments. Qilin operates on an affiliate model, recruiting experienced cybercriminals to conduct attacks while the core group maintains the ransomware infrastructure and negotiation platform. Qilin has been particularly aggressive in targeting healthcare, manufacturing, critical infrastructure, and education sectors. Notable attacks include the June 2024 compromise of Synnovis, a pathology services provider in the UK, which severely disrupted NHS operations and healthcare services across London. The group has also targeted major organizations globally, demonstrating a preference for high-value targets with significant operational impact potential. The group's ransomware is notable for its speed of encryption, use of modern programming languages that complicate analysis and detection, and employment of double extortion tactics. Qilin has evolved to include triple extortion methods, threatening DDoS attacks and direct contact with victims' customers and partners. Their leak site, hosted on the dark web, regularly publishes victim data to pressure organizations into paying ransoms, often releasing sensitive data incrementally to maintain pressure. Qilin affiliates typically gain initial access through compromised credentials, exploitation of VPN and remote access vulnerabilities (including Citrix and VPN appliances), phishing campaigns, and supply chain compromises. The group has shown increasing sophistication over time, including the development of Qilin.B (an improved variant), enhanced evasion capabilities against EDR solutions, and the use of legitimate administrative tools for lateral movement and persistence. 

In 2024, the group introduced a new variant targeting Chrome browser data to steal credentials stored in browsers. Their operations have resulted in significant financial and operational impacts across multiple industries globally, with ransom demands often exceeding millions of dollars.

Unknown (suspected Russia or Eastern Europe based on language artifacts and operational security practices) · 31 techniques · 11 tools

Active · Advanced

Clop

Cl0p · TA505 · FIN11 +2 more

Clop (also known as Cl0p) is a sophisticated ransomware-as-a-service (RaaS) operation and cybercriminal group that has been active since 2019. The group gained significant notoriety for its double extortion tactics, where they both encrypt victim data and threaten to publish stolen information on their leak site if ransom demands are not met. Clop operates with a highly organized structure and targets large enterprises across multiple sectors, focusing on organizations that can afford substantial ransom payments. The group is believed to have connections to TA505, a well-established financially motivated threat actor group, and operates primarily from Eastern Europe, with suspected ties to Russian-speaking cybercriminal networks. Clop achieved widespread attention in 2023 through their mass exploitation of zero-day vulnerabilities in file transfer applications, particularly the MOVEit Transfer zero-day (CVE-2023-34362), which affected hundreds of organizations worldwide including government agencies, healthcare providers, and Fortune 500 companies. Clop's operational methodology demonstrates high sophistication, utilizing custom malware variants, exploiting supply chain vulnerabilities, and conducting extensive reconnaissance before attacks. The group maintains an active data leak site where they publish stolen data from non-compliant victims, applying significant pressure on organizations to pay ransoms. Their operations have resulted in hundreds of millions of dollars in damages globally, making them one of the most impactful ransomware operations in recent years.

Eastern Europe / Russia · 34 techniques · 16 tools

Inactive · Expert

BlackCat

ALPHV · Noberus · UNC4466 +4 more

BlackCat/ALPHV executed an exit scam in March 2024 following the Change Healthcare attack (February 2024), which resulted in the largest healthcare data breach in U.S. history, affecting approximately 190 million individuals. UnitedHealth paid a $22 million ransom, but ALPHV operators kept the payment from their affiliate, posted a fake FBI seizure notice, and shut down operations. The group has been linked to over 1,000 victims globally and collected nearly $300 million in ransoms. Recent prosecutions (2025-2026) revealed insider threats: three U.S. cybersecurity professionals working as ransomware negotiators and incident responders secretly operated as ALPHV affiliates, extorting over $75 million from victims they were hired to help.

Russia · 17 techniques · 20 tools

Active · Nation-State

APT41

Double Dragon · BARIUM · Brass Typhoon +5 more

APT41, also known as Double Dragon, is a unique Chinese threat actor that conducts both state-sponsored espionage operations and financially motivated cybercrime. Active since at least 2012, the group is attributed to contractors working for China's Ministry of State Security (MSS), which provides them the unusual latitude to pursue personal financial gain alongside state-directed intelligence missions. APT41 is technically sophisticated, known for deploying supply chain attacks (CCleaner 2017, ShadowPad in NetSarang 2017), targeting managed service providers, and exploiting zero-day vulnerabilities. The group has compromised software companies to inject backdoors into legitimate products, affecting millions of downstream users. The group targets an exceptionally wide range of industries including healthcare, telecommunications, technology, gaming, and higher education across 14+ countries. In 2020, the U.S. DOJ indicted five Chinese nationals associated with APT41's operations. Despite these indictments, APT41 has continued operations, recently exploiting zero-days in Citrix, Cisco, and Zoho products.

China · 46 techniques · 13 tools

Active · Expert

LockBit

LockBit 2.0 · LockBit 3.0 · LockBit Black +9 more

LockBit remains one of the most prolific ransomware-as-a-service (RaaS) operations, with 2,757+ lifetime victims. Following the February 2024 Operation Cronos disruption by international law enforcement and a May 2024 infrastructure breach that exposed internal operations, the group continued operating through various iterations, including LockBit 5.0, released in September 2024 with cross-platform capabilities. Leader Dmitry Khoroshev (LockBitSupp) was sanctioned and indicted in May 2024 with a $10M bounty but remains at large. The LockBit Black builder leaked in 2022 has enabled independent operators to deploy their own variants. Despite law enforcement actions, LockBit has demonstrated resilience and continues targeting critical infrastructure, financial services, healthcare, and organizations globally with double extortion tactics involving data theft and encryption.

Russia · 32 techniques · 14 tools

Active · Expert

FIN7

Carbanak · Carbon Spider · ELBRUS +5 more

FIN7 (Sangria Tempest) is a sophisticated, financially motivated threat actor active since at least 2013, known for targeting point-of-sale systems and payment card data and for deploying ransomware. The group has significantly evolved its operations in 2023-2025, shifting to automated attack platforms, enhanced EDR bypasses, and sophisticated phishing infrastructure. FIN7 operates through sub-clusters including GrayAlpha, which deployed custom PowerNet and MaskBat loaders via fake 7-Zip downloads and the undocumented TAG-124 TDS network. The group deployed Clop ransomware in April 2023 (its first ransomware campaign since late 2021), targeted the U.S. automotive industry in late 2023-2024, and expanded to over 4,000 typosquatting domains mimicking brands such as Google, Microsoft 365, and American Express. FIN7 continues developing the AvNeutralizer EDR bypass tool and employs the Checkmarks platform for automated SQL injection against public-facing servers. The group also uses the OpenDir network for malware distribution and maintains operational resilience through compartmentalized teams despite the 2018 arrests of key members. Recent campaigns involve sophisticated social engineering using fake job offers, IT support impersonation, and supply chain compromises.

Eastern Europe · 37 techniques · 29 tools

Active · Advanced

Kimsuky

Velvet Chollima · THALLIUM · Emerald Sleet +10 more

Kimsuky is a North Korean state-sponsored cyber espionage group active since at least 2012, assessed to operate under the Reconnaissance General Bureau (RGB). The group primarily focuses on intelligence collection targeting South Korean government entities, think tanks, academic institutions, and individuals involved in Korean Peninsula geopolitics, nuclear policy, and sanctions. Kimsuky is known for its extensive social engineering operations, often impersonating journalists, academics, or think tank personnel to build rapport with targets before delivering malware. The group conducts sophisticated spear-phishing campaigns using meticulously crafted lures related to North Korean policy, denuclearization, and inter-Korean relations. The group has expanded its targeting beyond South Korea to include the United States, Japan, and European countries. Kimsuky frequently abuses legitimate cloud services (Google Drive, OneDrive, Dropbox) for command and control, and has developed a diverse malware toolkit including reconnaissance tools, keyloggers, and credential stealers.

North Korea · 38 techniques · 26 tools

Active · Nation-State

Sandworm

Voodoo Bear · IRIDIUM · Seashell Blizzard +6 more

Sandworm Team is a Russian state-sponsored destructive threat actor attributed to GRU Military Unit 74455 (Main Center for Special Technologies). Active since at least 2009, Sandworm is considered one of the most dangerous threat actors globally, responsible for the most destructive cyberattacks in history including the NotPetya wiper attack (2017) that caused over $10 billion in damages worldwide. The group specializes in disruptive and destructive operations against critical infrastructure, particularly targeting Ukraine's power grid. Sandworm was responsible for the December 2015 and December 2016 Ukraine power grid attacks — the first confirmed cyberattacks to cause power outages. The group has also conducted operations targeting the 2018 Winter Olympics (Olympic Destroyer), Georgian media and government, and French elections. Since Russia's 2022 invasion of Ukraine, Sandworm has intensified operations using multiple wiper malware families (CaddyWiper, WhisperGate, HermeticWiper, IsaacWiper, AcidRain) against Ukrainian government and infrastructure targets, often coordinating destructive cyber operations with kinetic military strikes.

Russia · 29 techniques · 14 tools

Active · Nation-State

Volt Typhoon

VANGUARD PANDA · Bronze Silhouette · DEV-0391 +5 more

Volt Typhoon is a Chinese state-sponsored threat actor focused on pre-positioning for potential disruptive or destructive operations against U.S. critical infrastructure. First publicly disclosed by Microsoft in May 2023, the group has been active since at least mid-2021 and represents a significant shift in Chinese cyber operations from traditional espionage to operational preparation of the environment (OPE). The group is characterized by its exclusive use of living-off-the-land (LOTL) techniques, avoiding custom malware in favor of built-in Windows tools, legitimate network administration utilities, and compromised SOHO routers as operational relay boxes (ORBs). This approach makes detection exceptionally difficult as the activity blends with normal administrative operations. Volt Typhoon has compromised organizations across communications, energy, transportation, and water/wastewater sectors. U.S. intelligence agencies assess that the group's operations are designed to maintain persistent access to critical infrastructure networks that could be leveraged for disruptive attacks during a potential Taiwan Strait crisis.

China · 32 techniques · 15 tools

Active · Nation-State

Lazarus Group

Hidden Cobra · ZINC · Diamond Sleet +16 more

Lazarus Group has significantly evolved its tactics in 2025-2026, notably shifting to ransomware-as-a-service (using Medusa ransomware) and executing the largest cryptocurrency heist in history (the $1.5B Bybit theft). The group increasingly uses AI-generated content for social engineering, exploits open-source ecosystems with poisoned packages (230+ malicious npm/PyPI packages detected), and employs sophisticated supply chain attacks targeting developer tools. The subgroup Stonefly/Andariel now actively conducts ransomware operations against healthcare. The group has also adopted new infrastructure resilience measures via blockchain-based C2 (EtherHiding) and Telegram-based command channels.

North Korea · 42 techniques · 33 tools

Active · Nation-State

APT29

Cozy Bear · The Dukes · Nobelium +12 more

APT29 (Midnight Blizzard) is a Russian Foreign Intelligence Service (SVR) threat actor active since 2008, conducting sophisticated cyber espionage primarily against government, diplomatic, and technology sectors. The group has significantly evolved toward cloud-native tradecraft, leveraging identity abuse, OAuth exploitation, residential proxy networks, and advanced social engineering. Recent operations demonstrate patience and operational discipline with multi-month rapport-building campaigns, alongside large-scale attacks targeting hundreds of organizations simultaneously.

Russia · 30 techniques · 16 tools

Active · Nation-State

APT28

Fancy Bear · Sofacy · Pawn Storm +15 more

APT28 (GRU Unit 26165) has significantly evolved its arsenal and tactics in 2024-2026. The group now rapidly weaponizes 1-day vulnerabilities (CVE-2026-21509 was exploited within 24 hours of disclosure), deploys AI-powered malware (LameHug, which uses the Qwen LLM for dynamic command generation) and a heavily modified Covenant framework with cloud-based C2, conducts novel proximity-based 'Nearest Neighbor' Wi-Fi attacks, and extensively abuses legitimate cloud services (Filen, Koofr, Icedrive) for C2. Major campaigns include Operation MacroMaze (Sept 2025-Jan 2026), Operation Neusploit (Jan 2026), Operation Phantom Net Voxel, and sustained targeting of Western logistics supporting Ukraine.

Russia · 53 techniques · 24 tools