Russian-speaking ransomware-as-a-service operation, first observed November 2021, notable as the first prominent ransomware family written in Rust. Operated the affiliate program responsible for the…
DPRK state-sponsored intrusion set publicly attributed to the Reconnaissance General Bureau's 3rd Bureau (Andariel). Treated by MITRE as a sub-cluster of Lazarus Group; conducts both espionage agains…
Russian state-sponsored intrusion set publicly attributed to the SVR. Long history of espionage operations against Western government, diplomatic, think tank, and technology targets, including the So…
PRC state-affiliated intrusion set publicly attributed by the U.S. DOJ to the Guangzhou-based front company Boyusec (Guangzhou Bo Yu Information Technology), working in concert with the Ministry of S…
Iranian state-affiliated intrusion set publicly attributed to Rana Intelligence Computing — an MOIS (Ministry of Intelligence and Security) front company sanctioned by the U.S. Treasury OFAC in Septe…
Russian state-sponsored intrusion set publicly assessed by the UK NCSC and Five Eyes partners as 'almost certainly subordinate to FSB Centre 18'. Conducts targeted credential-phishing operations agai…
Russian-speaking ransomware operation that ran the dominant double-extortion brand of 2020-2022. After the group publicly declared support for the Russian invasion of Ukraine in February 2022, an ins…
Russian-speaking ransomware-as-a-service operation active from August 2020 to May 2021, when an affiliate's compromise of Colonial Pipeline triggered the fuel-supply crisis on the U.S. East Coast and…
Chinese state-sponsored intrusion set assessed to operate on behalf of the Ministry of State Security (MSS). Best known for the OPM breach (discovered May 2014, exfiltration through April 2015) — the…
Russian state-sponsored intrusion set publicly attributed by the U.S. DOJ and Treasury OFAC to FSB Center 16 (Military Unit 71330). Long-running targeting of the energy, nuclear, water, aviation, and…
PRC state-affiliated intrusion set operating through Integrity Technology Group — a Beijing-based, publicly traded cybersecurity contractor sanctioned by the U.S. Treasury OFAC in January 2025. Speci…
PRC state-sponsored intrusion set tracked by Anthropic under the internal designation GTG-1002, publicly disclosed in Anthropic's November 2025 threat-intelligence report as the actor behind the **fi…
Pro-Palestine hacktivist persona operated by the Iranian MOIS-affiliated **Void Manticore** cluster — see the parent actor entry for the full attribution chain. Named for the Naji al-Ali cartoon char…
Russian-speaking ransomware-as-a-service operation active since mid-2023, notable for sustained targeting of UK NHS trusts and U.S. healthcare providers. Major UK incidents: **NHS Dumfries and Gallow…
Iranian state-affiliated intrusion set publicly attributed by FBI, CISA, and DC3 in joint advisory AA24-241A as connected to the Government of Iran and operating partly through an Iranian IT-services…
PLA 54th Research Institute (Strategic Support Force Unit 54466) members indicted by the U.S. DOJ on 10 February 2020 for the Equifax data breach of May–July 2017. Four military personnel — Wu Zhiyon…
Financially-motivated cybercrime collective active since April 2020, responsible for some of the largest data-theft and extortion incidents of the post-2020 era. Operationally blends credential-stuff…
Iranian state-sponsored intrusion set publicly attributed to the Ministry of Intelligence and Security (MOIS), specialised in destructive operations and conducting them under a rotating set of public…
Russian state-sponsored intrusion set responsible for the December 2017 TRITON/TRISIS malware attack on the Triconex safety instrumented system (SIS) at a Saudi Arabian petrochemical facility — the f…