Intelligence Database

Threat Actors

Comprehensive profiles of tracked threat actors — covering MITRE ATT&CK mappings, known IOCs, active campaigns, and infrastructure monitoring.

17actors tracked

16 active

6 nation-state

Showing all 17 profiles

ActiveIntermediate

M3rx

Merx · M3RX Team · Merx Ransomware Group +1 more

M3rx is a financially-motivated cybercriminal group that emerged in late 2024, primarily focused on ransomware operations and data extortion. The group operates a double extortion model, encrypting victim data while simultaneously exfiltrating sensitive information for leverage in ransom negotiations. M3rx has demonstrated a preference for targeting small to medium-sized businesses across multiple sectors, particularly those with limited cybersecurity resources. The group's operations indicate an intermediate level of sophistication, utilizing commercially available and open-source tools combined with custom scripts for initial access and lateral movement. M3rx has been observed leveraging compromised Remote Desktop Protocol (RDP) credentials and exploiting known vulnerabilities in perimeter devices to establish initial footholds in victim networks. Their ransomware payloads show evidence of being based on leaked ransomware builders with moderate customization. M3rx maintains a data leak site on the dark web where they publish stolen data from victims who refuse to pay ransoms. The group's communication style and operational security practices suggest they may be comprised of Russian-speaking actors, though definitive attribution remains challenging. Their ransom demands typically range from $50,000 to $500,000 in cryptocurrency, with negotiations conducted through encrypted chat platforms.

Unknown (likely Eastern Europe/Russia based on linguistic indicators)16 techniques10 tools

ActiveIntermediate

BravoX

BravoX · Bravo-X · BX Group +1 more

BravoX is an emerging Ransomware-as-a-Service (RaaS) operation that came to public attention on January 23, 2026. The group operates a selective affiliate model requiring targets with $5M+ annual revenue and excludes CIS countries. They employ double extortion tactics with data exfiltration via Rclone, VMDK encryption, and maintain a modern Vue.js-based data leak site with automated negotiation features. The group demonstrates operational creativity in persistence and defense evasion, particularly through BYOVD techniques using the wsftprm.sys driver (Killer.exe) to disable EDR solutions including Microsoft Defender and Sophos.

Unknown (likely Eastern Europe or Russia based on operational hours and language artifacts)26 techniques19 tools

ActiveAdvanced

Storm-1747

DEV-1747 · Sangria Tempest (subset) · Tycoon2FA operator +2 more

Storm-1747 is a financially motivated threat actor that developed and operated Tycoon2FA, one of the most prolific phishing-as-a-service (PhaaS) platforms active from August 2023 through at least March 2025. The platform enabled tens of millions of phishing messages reaching over 500,000 organizations monthly worldwide, primarily targeting Microsoft 365 and Gmail credentials. In March 2025, a coordinated law enforcement operation (Operation Synergia) involving Interpol, Microsoft, and other partners seized 330 domains, but the platform resumed operations within days. TrendAI formally confirmed the developer/operator uses monikers SaaadFridi and Mr_Xaad, with historical activity showing earlier involvement in web defacement before pivoting to phishing kit development. The platform had approximately 2,000 criminal subscribers and leveraged over 24,000 domains since inception, sold via Telegram for $120-$350. Tycoon2FA featured advanced anti-detection capabilities including adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication.

Unknown (likely Nigeria-based or West African cybercrime ecosystem)23 techniques25 tools

ActiveIntermediate

Rhysida

Rhysida Ransomware · Vice Society (suspected connection) · OysterLoader operators +2 more

Rhysida is a highly active RaaS operation that emerged in May 2023, strongly linked to Vice Society (likely a rebrand). The group has matured rapidly from 'novice malware' to sophisticated double-extortion operations. As of February 2026, 265 victims documented with sustained operational tempo through late 2025 and early 2026. The group uses multi-tiered infrastructure including typosquatted domains, SEO poisoning, and CleanUpLoader backdoor. Recent evolution includes abuse of Microsoft Trusted Signing certificates (200+ revoked), cloud-native exfiltration via Azure tools, and sophisticated evasion scripts. Geographic focus remains on US targets (49-50% of victims).

Unknown (likely Eastern Europe or Russia-nexus)40 techniques21 tools

ActiveAdvanced

BianLian

BianLian Group · BianLian Ransomware Group · Bitter Scorpius

BianLian is a Russia-based ransomware developer, deployer, and data extortion cybercriminal group with multiple Russia-based affiliates. Active since June 2022, the group shifted primarily to exfiltration-based extortion in early 2023 after decryption capabilities for their ransomware were released, though they have not completely abandoned encryption. They target critical infrastructure sectors including healthcare, manufacturing, professional services, and legal organizations using compromised RDP credentials, ProxyShell exploits (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and custom Go-based backdoors. The group employs pressure tactics including printing ransom notes to network printers and making threatening phone calls to victims. BianLian typically maintains persistence for extended periods before exfiltration, uses legitimate tools like TeamViewer and AnyDesk for remote access, and leverages various open-source tools for credential harvesting and lateral movement.

Unknown (suspected Eastern European or Russian-speaking based on operational patterns and victim targeting)66 techniques30 tools

ActiveAdvanced

Qilin

Agenda · Qilin Ransomware Group · Water Galura

Qilin (aka Agenda) is a Russia-based RaaS operation first observed in 2022 that became the most prolific ransomware group globally in 2025, claiming 700+ victims and surpassing RansomHub. Operating under a double-extortion model with 80-85% affiliate profit shares, Qilin evolved from Golang to Rust-based variants targeting Windows, Linux, and ESXi. The group formed a strategic alliance with LockBit and DragonForce in September 2025, added DDoS capabilities, spam campaigns, automated network propagation, and a 'Call Lawyer' feature for victims. Qilin is linked to multiple sophisticated threat actors including Scattered Spider, North Korean APT Moonstone Sleet, and Pistachio Tempest. In 2025, the group executed 1,000+ attacks, amassed over $50 million in ransom payments in 2024 alone, and continues aggressive targeting of critical infrastructure, healthcare, manufacturing, and government sectors globally.

Unknown (suspected Russia or Eastern Europe based on language artifacts and operational security practices)41 techniques29 tools

ActiveAdvanced

Clop

Cl0p · TA505 · FIN11 +8 more

Clop has evolved from encryption-focused ransomware to data-theft-centric extortion campaigns, primarily exploiting zero-day vulnerabilities in enterprise file transfer and ERP systems. Operated by TA505/FIN11, the group has generated over $500 million in extorted payments and compromised more than 11,000 organizations worldwide. Now focuses on mass victimization through supply chain attacks targeting widely-deployed software, with campaigns affecting hundreds of organizations simultaneously. Active through April 2026 as one of the most prolific global ransomware operations.

Eastern Europe / Russia41 techniques19 tools

InactiveExpert

BlackCat

ALPHV · Noberus · UNC4466 +4 more

BlackCat/ALPHV ransomware operation executed an exit scam in March 2024 following the Change Healthcare attack, where operators kept the entire $22 million ransom payment and cheated affiliates. The FBI had previously disrupted operations in December 2023, seizing infrastructure and releasing a decryption tool that saved victims ~$99 million. After the March 2024 exit scam with a fake FBI seizure notice, the group announced closure and attempted to sell source code for $5 million. As of early 2025, the group has apparently disappeared. Notable affiliate Scattered Spider continues independent operations with DragonForce and other ransomware variants.

Russia17 techniques20 tools

ActiveNation-State

APT41

Double Dragon · BARIUM · Brass Typhoon +18 more

APT41, also known as Double Dragon, is a unique Chinese threat actor that conducts both state-sponsored espionage operations and financially motivated cybercrime. Active since at least 2012, the group is attributed to contractors working for China's Ministry of State Security (MSS), which provides them the unusual latitude to pursue personal financial gain alongside state-directed intelligence missions. APT41 is technically sophisticated, known for deploying supply chain attacks (CCleaner 2017, ShadowPad in NetSarang 2017), targeting managed service providers, and exploiting zero-day vulnerabilities. The group has compromised software companies to inject backdoors into legitimate products, affecting millions of downstream users. The group targets an exceptionally wide range of industries including healthcare, telecommunications, technology, gaming, higher education, media, manufacturing, retail, and government sectors across Asia, Europe, and North America. In 2020, the U.S. DOJ indicted five Chinese nationals associated with APT41's operations. Despite these indictments, APT41 has continued operations, exploiting zero-days in products from Citrix, Cisco, Zoho, Fortinet, and Barracuda. Recent activity (2023-2024) includes campaigns exploiting CVE-2023-46747 (F5 BIG-IP), CVE-2024-23113 (Fortinet FortiOS), and CVE-2023-2868 (Barracuda ESG), demonstrating continued focus on edge devices and network appliances. APT41 has also been observed deploying ransomware for financial gain while simultaneously conducting espionage operations, maintaining their dual-mission profile.

China74 techniques28 tools

ActiveExpert

LockBit

LockBit 2.0 · LockBit 3.0 · LockBit Black +9 more

LockBit is a highly resilient ransomware-as-a-service (RaaS) operation that has survived multiple law enforcement disruptions including Operation Cronos (February 2024) and a May 2025 infrastructure breach that exposed affiliate data. The group released LockBit 5.0 in September 2025 with enhanced cross-platform capabilities targeting Windows, Linux, and ESXi environments. Built on .NET Core, the new variant features improved obfuscation, ETW patching, invisible mode encryption, and randomized 16-character file extensions. Despite setbacks, LockBit recorded over 200 victims on its data leak site from December 2025 into early 2026, primarily targeting U.S., India, and Brazil across manufacturing, healthcare, and government sectors.

Russia44 techniques15 tools

ActiveExpert

FIN7

Carbanak · Carbon Spider · ELBRUS +12 more

FIN7 (Sangria Tempest) is a sophisticated financially-motivated threat actor active since at least 2013, known for targeting point-of-sale systems, payment card data, and deploying ransomware. The group has significantly evolved operations in 2023-2025, shifting to automated attack platforms, enhanced EDR bypasses, and sophisticated phishing infrastructure. FIN7 operates through sub-clusters including GrayAlpha, which deployed custom PowerNet and MaskBat loaders via fake 7-Zip downloads and undocumented TAG-124 TDS network. The group deployed Clop ransomware in April 2023 (first ransomware campaign since late 2021), targeted U.S. automotive industry in late 2023-2024, and expanded to over 4000 typosquatting domains mimicking brands like Google, Microsoft 365, American Express. FIN7 continues developing AvNeutralizer EDR bypass tool and employs Checkmarks platform for automated SQL injection against public-facing servers. The group also utilizes the OpenDir network for malware distribution and maintains operational resilience through compartmentalized teams despite 2018 arrests of key members. Recent campaigns involve sophisticated social engineering using fake job offers, IT support impersonation, and supply chain compromises.

Eastern Europe45 techniques41 tools

ActiveAdvanced

Kimsuky

Velvet Chollima · THALLIUM · Emerald Sleet +19 more

Kimsuky is a North Korean state-sponsored cyber espionage group active since at least 2012, assessed to operate under the Reconnaissance General Bureau (RGB). The group primarily focuses on intelligence collection targeting South Korean government entities, think tanks, academic institutions, and individuals involved in Korean Peninsula geopolitics, nuclear policy, and sanctions. Kimsuky is known for its extensive social engineering operations, often impersonating journalists, academics, or think tank personnel to build rapport with targets before delivering malware. The group conducts sophisticated spear-phishing campaigns using meticulously crafted lures related to North Korean policy, denuclearization, and inter-Korean relations. The group has expanded its targeting beyond South Korea to include the United States, Japan, and European countries. Kimsuky frequently abuses legitimate cloud services (Google Drive, OneDrive, Dropbox) for command and control, and has developed a diverse malware toolkit including reconnaissance tools, keyloggers, and credential stealers.

North Korea108 techniques30 tools

ActiveNation-State

Sandworm

Voodoo Bear · IRIDIUM · Seashell Blizzard +21 more

Sandworm has undergone significant operational evolution in 2025-2026, pivoting from zero-day exploitation to exploiting misconfigured network edge devices for credential harvesting. A specialized initial access subgroup dubbed 'BadPilot' has been conducting multiyear global compromises across sensitive sectors. The group deployed multiple new wiper malware families against Polish energy infrastructure in December 2025 and continues sustained destructive campaigns against Ukrainian critical infrastructure. They increasingly leverage pirated software distribution, Tor hidden services, and legitimate RMM tools for persistence while maintaining deep integration with Russian military operations.

Russia75 techniques49 tools

ActiveNation-State

Volt Typhoon

VANGUARD PANDA · Bronze Silhouette · DEV-0391 +5 more

Volt Typhoon is a Chinese state-sponsored threat actor focused on pre-positioning for potential disruptive or destructive operations against U.S. critical infrastructure. First publicly disclosed by Microsoft in May 2023, the group has been active since at least mid-2021 and represents a significant shift in Chinese cyber operations from traditional espionage to operational preparation of the environment (OPE). The group is characterized by its exclusive use of living-off-the-land (LOTL) techniques, avoiding custom malware in favor of built-in Windows tools, legitimate network administration utilities, and compromised SOHO routers as operational relay boxes (ORBs). This approach makes detection exceptionally difficult as the activity blends with normal administrative operations. Volt Typhoon has compromised organizations across communications, energy, transportation, and water/wastewater sectors. U.S. intelligence agencies assess that the group's operations are designed to maintain persistent access to critical infrastructure networks that could be leveraged for disruptive attacks during a potential Taiwan Strait crisis.

China73 techniques22 tools

ActiveNation-State

Lazarus Group

Hidden Cobra · ZINC · Diamond Sleet +36 more

Lazarus Group has significantly evolved tactics in 2025-2026, notably shifting to ransomware-as-a-service (using Medusa ransomware) and executing the largest cryptocurrency heist in history ($1.5B Bybit). The group increasingly uses AI-generated content for social engineering, exploits open-source ecosystems with poisoned packages (230+ malicious npm/PyPI packages detected), and employs sophisticated supply chain attacks targeting developer tools. Subgroup Stonefly/Andariel now actively conducts ransomware operations against healthcare. The group has also adopted new infrastructure resilience via blockchain-based C2 (EtherHiding) and Telegram-based command channels.

North Korea96 techniques55 tools

ActiveNation-State

APT29

Cozy Bear · The Dukes · Nobelium +17 more

APT29 (Midnight Blizzard) is a Russian Foreign Intelligence Service (SVR) threat actor active since 2008, conducting sophisticated cyber espionage primarily against government, diplomatic, and technology sectors. The group has significantly evolved toward cloud-native tradecraft, leveraging identity abuse, OAuth exploitation, residential proxy networks, and advanced social engineering. Recent operations demonstrate patience and operational discipline with multi-month rapport-building campaigns, alongside large-scale attacks targeting hundreds of organizations simultaneously.

Russia74 techniques22 tools

ActiveNation-State

APT28

Fancy Bear · Sofacy · Pawn Storm +16 more

APT28 (GRU Unit 26165) has significantly evolved its arsenal and tactics in 2024-2026. The group now rapidly weaponizes 1-day vulnerabilities (CVE-2026-21509 exploited within 24 hours of disclosure), deploys AI-powered malware (LameHug using Qwen LLM for dynamic command generation), heavily modified Covenant framework with cloud-based C2, novel proximity-based 'Nearest Neighbor' Wi-Fi attacks, and extensive abuse of legitimate cloud services (Filen, Koofr, Icedrive) for C2. Major campaigns include Operation MacroMaze (Sept 2025-Jan 2026), Operation Neusploit (Jan 2026), Operation Phantom Net Voxel, and sustained targeting of Western logistics supporting Ukraine.

Russia56 techniques31 tools