Actor sub-clusters & lineages
Threat actors rarely operate in isolation. State-sponsored programs maintain formal organizational hierarchies (Lazarus → BlueNoroff / Andariel). Ransomware-as-a-service ecosystems fracture and reconstitute when law enforcement disrupts a brand — operators and affiliates migrate, carrying TTPs with them. Hacktivist personas are deliberately manufactured to create distance between a government intelligence service and its operations. Curating these relationships as structured data — rather than prose footnotes — lets you propagate a detection or sanction across the full family, not just the named entity.
16 actors · 22 edges · all relationships curated from primary vendor reports and government advisories. Inverse edges are explicitly curated where both ends benefit from the cross-link.
Lazarus Group family
Lazarus Group operates as the umbrella for DPRK's primary offensive cyber program, with Andariel (3rd Bureau, espionage + destructive) and BlueNoroff (APT38, financial crime) as formally distinct sub-clusters under the Reconnaissance General Bureau. Western indictments and CISA advisories treat these as operationally separate, sharing tradecraft and tooling but with distinct mission profiles. Tracking the hierarchy matters because sanctions designations, indictment attributions, and detection rules frequently name the sub-cluster rather than the umbrella.
Void Manticore persona ecosystem
Void Manticore (MOIS-affiliated) operates public-facing hacktivist personas to create plausible deniability while claiming politically motivated operations. Handala presents as a pro-Palestinian collective (active since Dec 2023, targeting Israeli infrastructure), while Homeland Justice was the persona used in the 2022 Albania government attack. Attribution from Mandiant and Check Point links both to the same Iranian operator pool. Understanding persona relationships is essential for correct attribution — treating Handala as an independent actor leads to duplicated tracking and missed connections to broader MOIS campaigns.
Conti lineage
Conti's February 2022 collapse — triggered by pro-Russia statements that prompted insiders to leak its source code and internal chats — seeded multiple successor groups. Black Basta absorbed significant Conti operator and builder overlap and ran as the dominant Conti spinoff through 2023–2024. BlackSuit (via Royal, via the Quantum subgroup) represents a parallel lineage. Tracking these as a family helps defenders understand why Black Basta / BlackSuit incidents share TTPs with the Conti playbook.
DarkSide → ALPHV → RansomHub chain
DarkSide (Colonial Pipeline, May 2021) rebranded as BlackMatter after law-enforcement pressure, then re-emerged as ALPHV/BlackCat in late 2021. After the FBI disrupted ALPHV in December 2023 and the group exit-scammed affiliates in March 2024, the affiliate base migrated largely to RansomHub, which also absorbed former LockBit affiliates after Operation Cronos. The chain illustrates how RaaS ecosystem pressure does not destroy adversary capacity — it redistributes it. Pioneer Kitten (Iran, IAB) sold network access downstream to ALPHV affiliates per CISA AA24-241A, showing cross-national opportunistic collaboration.
Scattered Spider / ShinyHunters web
Scattered Spider (UNC3944 / Octo Tempest) began as a social-engineering crew before pivoting to ransomware via an affiliate relationship with ALPHV/BlackCat (MGM Resorts, Caesars Entertainment, 2023). After ALPHV's exit-scam they shifted to RansomHub. By 2025–2026 public reporting describes a partial brand-merge with ShinyHunters under the 'Scattered Lapsus$ Hunters' label, suggesting operator overlap or shared infrastructure. These affiliations reflect the fluid identity common in anglophone cybercrime networks — attribution should track operator capabilities, not just group names.
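The propagation the introduction describes, as an added example that is not this page's own data model or code: the actors and relationships below are transcribed from the five family write-ups above (a subset of the 22 curated edges), while the relation vocabulary, the inverse-edge names and the two propagation policies are assumptions chosen for illustration. Each forward edge is stored with its inverse so a query can start at either end, and a policy decides which edge types a detection or a sanction is allowed to cross.

```python
"""Typed actor-relationship graph with curated inverse edges and policy-driven propagation.

Added example, not the page's data model. Actor names and edges are transcribed from the
page's prose; relation names, inverses and the two policies are assumptions for illustration.
"""
from collections import defaultdict, deque

# Every curated relation has an explicit inverse so traversal works from both ends (assumed vocabulary).
INVERSE = {
    "sub_cluster_of": "has_sub_cluster",
    "persona_of": "has_persona",
    "rebrand_of": "rebranded_as",
    "successor_of": "has_successor",
    "affiliate_of": "has_affiliate",
    "sold_access_to": "bought_access_from",
    "brand_merge_with": "brand_merge_with",  # symmetric
}

# Assumed policy: which edge types each kind of propagation may cross.
# Affiliate and access-broker edges are excluded: renting a RaaS or buying access
# does not imply shared tooling, so a detection should not spread across them.
POLICY = {
    "detection": {"sub_cluster_of", "persona_of", "rebrand_of", "successor_of", "brand_merge_with"},
    "sanction": {"sub_cluster_of", "persona_of", "rebrand_of"},
}

# (subject, relation, object) triples transcribed from the page's family write-ups.
EDGES = [
    ("Andariel", "sub_cluster_of", "Lazarus Group"),
    ("BlueNoroff", "sub_cluster_of", "Lazarus Group"),
    ("Handala", "persona_of", "Void Manticore"),
    ("Homeland Justice", "persona_of", "Void Manticore"),
    ("Black Basta", "successor_of", "Conti"),
    ("Quantum", "sub_cluster_of", "Conti"),
    ("Royal", "successor_of", "Quantum"),
    ("BlackSuit", "successor_of", "Royal"),
    ("BlackMatter", "rebrand_of", "DarkSide"),
    ("ALPHV/BlackCat", "rebrand_of", "BlackMatter"),
    ("RansomHub", "successor_of", "ALPHV/BlackCat"),  # affiliate base migrated
    ("RansomHub", "successor_of", "LockBit"),
    ("Pioneer Kitten", "sold_access_to", "ALPHV/BlackCat"),
    ("Scattered Spider", "affiliate_of", "ALPHV/BlackCat"),
    ("Scattered Spider", "affiliate_of", "RansomHub"),
    ("Scattered Spider", "brand_merge_with", "ShinyHunters"),
]


def build_graph(edges):
    """Adjacency list actor -> [(relation, neighbour)], with the inverse edge added for each triple."""
    graph = defaultdict(list)
    for subj, rel, obj in edges:
        if rel not in INVERSE:
            raise ValueError(f"unknown relation {rel!r}")
        graph[subj].append((rel, obj))
        graph[obj].append((INVERSE[rel], subj))
    return graph


def canonical(rel):
    """Map an inverse relation name back to its curated forward name."""
    for fwd, inv in INVERSE.items():
        if rel in (fwd, inv):
            return fwd
    raise ValueError(f"unknown relation {rel!r}")


def _reach(graph, start, kind):
    """BFS over edges permitted by POLICY[kind]; returns actor -> (previous actor, relation)."""
    allowed = POLICY[kind]
    parent = {start: None}
    queue = deque([start])
    while queue:
        actor = queue.popleft()
        for rel, nbr in graph[actor]:
            if canonical(rel) in allowed and nbr not in parent:
                parent[nbr] = (actor, rel)
                queue.append(nbr)
    return parent


def propagate(graph, start, kind):
    """All actors (including start) that inherit a detection or sanction applied to start."""
    return set(_reach(graph, start, kind))


def explain(graph, start, target, kind):
    """The chain of curated edges that justifies target's inclusion, or None if it is not reached."""
    parent = _reach(graph, start, kind)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    path.reverse()
    return path


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    for actor in ("Lazarus Group", "Homeland Justice", "Conti", "DarkSide", "Scattered Spider"):
        print(f"detection on {actor!r} covers: {sorted(propagate(GRAPH, actor, 'detection'))}")
    print("sanction on DarkSide covers:", sorted(propagate(GRAPH, "DarkSide", "sanction")))
    print("why ALPHV/BlackCat:", explain(GRAPH, "DarkSide", "ALPHV/BlackCat", "sanction"))
```

Starting from `Homeland Justice` reaches `Void Manticore` and then `Handala` only because the inverse `has_persona` edge exists, which is the point of curating inverses rather than relying on one-directional footnotes. The policy is where curatorial judgement lives: with `successor_of` allowed for detections, a DarkSide rule reaches LockBit through RansomHub, which is a reach an analyst may want to narrow, and `explain()` prints the exact edge chain so that decision can be reviewed against the sources behind each edge.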