Threat Actor Profiles
Know your adversary. Detailed profiles of nation-state hackers, APTs, and cybercrime groups.
Anonymous Sudan
Anonymous Sudan says they are from Sudan, but many experts think they are actually Russian. They take down websites with DDoS attacks and have hit major companies like Microsoft and healthcare providers.
APT1 (Comment Crew)
APT1 is a famous Chinese military hacking unit that got caught in 2013. They stole secrets from over 140 US companies, taking everything from product designs to business plans. They operated from a building in Shanghai.
APT10 (Stone Panda)
APT10 is a Chinese spy hacking group that figured out a clever trick: instead of attacking companies directly, they hack the IT companies that manage those companies' computers. Once inside the IT company, they can access hundreds of clients.
APT27 (Emissary Panda)
APT27 is a Chinese hacking group that steals secrets from defense and tech companies. Recently they started using ransomware too, which is unusual for a government spy group.
APT28 (Fancy Bear)
APT28 is a Russian military hacking unit that's been active for 20 years. They're behind the infamous DNC hack in 2016 and constantly target governments, militaries, and political organizations. They're extremely sophisticated and focus on espionage and influence operations.
APT29 (Cozy Bear)
APT29 is a Russian government hacking team that's been active since 2008. They're the ones behind the massive SolarWinds hack that hit thousands of companies and government agencies. They specialize in sneaking into networks and staying hidden for months or years while stealing secrets. If you're in government, healthcare, or work with sensitive data, they may be interested in you.
APT31 (Zirconium)
APT31 is a Chinese spy group that goes after politicians and government workers. They tried to hack US election campaigns and European parliaments. They are very good at hiding their malware.
APT32 (OceanLotus)
APT32 is Vietnam's hacking team that spies on foreign companies doing business in Vietnam and Vietnamese activists abroad. They use clever tricks like fake job offers and hacked websites to infect their targets.
APT33 (Elfin)
APT33 is an Iranian hacking group that goes after airplane makers and oil companies, especially in Saudi Arabia and the US. They have used destructive malware that wipes computers clean, causing massive damage to their targets.
APT35 (Charming Kitten)
APT35 is Iran's spy hacking team that pretends to be journalists or researchers to trick real journalists, activists, and government officials into giving up their passwords. They are very good at creating fake personas on social media.
APT38
APT38 is North Korea's bank robbery team. They hack into banks around the world and steal money by manipulating the SWIFT system that banks use to transfer funds. They have stolen over a billion dollars to fund North Korea.
APT39 (Chafer)
APT39 is Iran's surveillance hackers. They break into telecom companies and travel agencies to track people. They want to know where Iranian dissidents and opposition figures are traveling.
APT40 (Leviathan)
APT40 is a Chinese hacking team that focuses on stealing secrets about ships, naval technology, and defense systems. They work for Chinese intelligence and target anyone building ships or working on underwater technology.
APT41 (Double Dragon)
APT41 is a Chinese hacking group that works for the government but also commits crimes for money on the side. They hack video game companies, hospitals, and telecom providers. They are unusual because most government hackers stick to espionage, but this group also steals for personal profit.
Aquatic Panda
Aquatic Panda does spy work for China but also does ransomware attacks for money. They are unusual because most government hackers stick to spying, but this group does both.
BlackTech
BlackTech hacks into routers at the network edge and installs hidden backdoors. Since routers rarely get checked, they can stay hidden for years while stealing data from the network.
Blue Mockingbird
Blue Mockingbird breaks into web servers and installs cryptocurrency mining software. They use your computers' power to mine cryptocurrency without you knowing, making money while slowing down your systems.
Carbanak
Carbanak figured out how to rob banks without guns. They hacked into banks' computers, learned how everything worked, then made ATMs spit out cash and transferred money to their accounts. They stole over a billion dollars.
Charcoal Typhoon
Charcoal Typhoon is a Chinese hacking group that pretends to be ransomware criminals but is actually stealing secrets. They use ransomware as a smokescreen to hide their real spy missions.
Cirrus (DPRK)
Cirrus is a North Korean hacking team that goes after cryptocurrency and blockchain companies. They trick developers into running malicious code to steal crypto and fund North Korea.
Cl0p
Cl0p is a ransomware gang that became famous for hacking file transfer software used by thousands of companies. When they find one bug, they can hack hundreds of companies at once.
DarkHotel
DarkHotel hackers target business executives when they stay at fancy hotels. They hack the hotel WiFi so when guests connect, they get tricked into installing fake software updates that are actually malware.
Dragonfly (Energetic Bear)
Dragonfly is Russia's energy sector hackers. They break into power plants and energy companies to steal secrets and potentially sabotage systems. They know how to attack the computers that control power grids.
Earth Lusca
Earth Lusca attacks governments by hacking websites that government workers visit. When someone visits the hacked website, their computer gets infected. They target governments across Asia.
Emerald Sleet
Emerald Sleet is the same as Kimsuky - North Korean hackers who pretend to be journalists or researchers to trick experts into giving up information or clicking malicious links.
Equation Group
Equation Group is widely believed to be the NSA's hacking team. They created incredibly advanced malware that can survive even reformatting your hard drive. Their tools were leaked by Shadow Brokers in 2016-2017.
Evil Corp
Evil Corp is a Russian criminal gang that stole over $100 million with banking malware. The US government put sanctions on them, which means companies cannot legally pay their ransoms. They keep changing ransomware names to avoid sanctions.
FIN7
FIN7 has stolen over a billion dollars by hacking into restaurants and stores to steal credit card data. They ran fake job ads for 'penetration testers' who didn't realize they were working for criminals. Now they've moved into ransomware. Several members have been arrested, but the group continues operating.
Flax Typhoon
Flax Typhoon is a Chinese hacking group that barely uses any malware. They break in and then only use tools already on your computers, making them very hard to detect.
Forest Blizzard
Forest Blizzard is the same as Fancy Bear/APT28 - Russian military hackers who hacked the DNC in 2016. They combine hacking with leaking information to influence events.
GALLIUM
GALLIUM hacks phone companies to spy on their customers. They break into telecom networks and can potentially monitor calls and messages without anyone knowing.
Gamaredon
Gamaredon is a Russian hacking group that mostly attacks Ukraine. They send tons of phishing emails with infected Word documents. Their malware is simple but they send so many attacks that some always get through.
Hafnium
Hafnium found critical bugs in Microsoft Exchange email servers and hacked hundreds of thousands of organizations worldwide. This was one of the biggest hacking campaigns ever discovered.
Indrik Spider
Indrik Spider created the Dridex banking malware and later moved to ransomware. They are on the US sanctions list, so paying their ransom could get companies in legal trouble.
Kimsuky
Kimsuky is North Korea's intelligence-gathering hacking team. They target experts on North Korea—professors, journalists, government analysts—to steal information about foreign policy and nuclear negotiations. They're masters of social engineering, often impersonating trusted contacts or creating fake personas to build relationships before attacking.
LAPSUS$
LAPSUS$ was a group of teenage hackers who embarrassed some of the world's biggest tech companies. They hacked Microsoft, stole NVIDIA's code, and breached the company that makes login systems for thousands of businesses (Okta). They did it mostly through bribery and social engineering. Several were arrested, including a 16-year-old.
Lazarus Group
Lazarus is North Korea's top hacking team, and they're all about the money. They've stolen over $2 billion in cryptocurrency to fund the North Korean government. They also do espionage and have launched major destructive attacks, including the Sony Pictures hack and the WannaCry ransomware outbreak.
Mango Sandstorm
Mango Sandstorm is the same as MuddyWater - Iranian government hackers who spy on Middle Eastern governments and telecom companies using legitimate admin tools to avoid detection.
Midnight Blizzard
Midnight Blizzard is the same group as Cozy Bear/APT29 - Russian government hackers who did the massive SolarWinds hack. They are one of the most sophisticated spy groups in the world.
Mint Sandstorm
Mint Sandstorm is the same as Charming Kitten/APT35 - Iranian hackers who pretend to be journalists or conference organizers to trick their targets into giving up email access.
MuddyWater
MuddyWater is an Iranian spy group that sends fake documents that look like invoices or resumes. When people open them, their computers get infected. They target governments and telecom companies in the Middle East.
Mustang Panda
Mustang Panda spreads malware through USB drives left in offices or mailed to targets. They spy on governments, NGOs, and religious groups, especially those involved with Tibet and Uyghur issues.
OilRig (APT34)
OilRig is Iran's main cyber spy group. They hack into governments and energy companies in the Middle East using clever tricks like sending fake job offers and LinkedIn messages.
Peach Sandstorm
Peach Sandstorm is the same as APT33/Elfin - Iranian hackers who target aviation and energy companies with password guessing attacks and sometimes ransomware.
Pink Sandstorm
Pink Sandstorm is an Iranian hacking group that destroys data and pretends to be ransomware or hacktivists. They mainly target Israel but attack others too.
Pioneer Kitten
Pioneer Kitten breaks into companies through VPN bugs and then sells that access to ransomware gangs. They work for Iran but also make money on the side selling access to criminals.
Raspberry Robin
Raspberry Robin is a computer worm that spreads through USB drives left in offices. It does not do damage itself, but opens the door for ransomware gangs to attack later.
Salt Typhoon
Salt Typhoon hacked major US phone companies and got access to the wiretapping systems. This means they could potentially see who the US government was monitoring and spy on those communications.
Sandworm
Sandworm is Russia's most destructive hacking unit. They knocked out Ukraine's power grid in 2015 and 2016—the first cyberattacks to cause blackouts. They also unleashed NotPetya, a fake ransomware that destroyed computers worldwide, costing companies like Maersk and FedEx billions. They're still actively attacking Ukraine.
Scattered Spider
Scattered Spider is a group of young American and British hackers who are masters at tricking people. They call help desks pretending to be employees, convince them to reset passwords, and take over accounts. They're behind the MGM casino hack that shut down slot machines for days. Some members are teenagers.
Silent Librarian
Silent Librarian hacks universities to steal research papers and intellectual property. They send fake library emails to professors and students to steal their passwords, then download massive amounts of academic research.
Star Blizzard
Star Blizzard is a Russian spy group that specializes in stealing email passwords. They create fake websites and send convincing phishing emails to government workers and defense contractors.
Stormous
Stormous is a politically motivated hacking group that uses ransomware to make statements. They started supporting Russia but now seem to attack anyone they can for publicity and money.
TA505
TA505 sends billions of spam emails with malware attached. They started with banking malware but now do ransomware too. They are one of the most active criminal hacking groups in the world.
Turla
Turla is one of the oldest and most sophisticated Russian hacking teams, operating since the 1990s. They're so advanced they once hijacked satellite internet connections to hide their attacks. They've been known to hack other hacking groups and use their infrastructure. Their main targets are government agencies and embassies.
UNC1151 (Ghostwriter)
UNC1151 is Belarus's hacking team that spreads disinformation and hacks government websites. They work closely with Russian intelligence and have attacked Polish and Lithuanian government networks.
Volt Typhoon
Volt Typhoon is a Chinese government hacking group that's been quietly breaking into American power plants, water systems, and other critical infrastructure. They're not stealing data—they're setting up access they could use to cause disruption if there's ever a conflict with China. They're extremely stealthy and don't use malware, making them hard to detect.
Winnti Group
Winnti started by hacking video game companies but now attacks all kinds of tech firms. They sneak their malware into legitimate software updates, so when you update your software, you also install their backdoor.
Wizard Spider
Wizard Spider is the gang behind TrickBot and Conti ransomware, which together have caused billions in damage. They operate like a business with departments for development, HR, and negotiations.