DPRK state-sponsored intrusion set publicly attributed to the Reconnaissance General Bureau's 3rd Bureau (Andariel). Treated by MITRE as a sub-cluster of Lazarus Group; conducts both espionage agains…
Russian military-intelligence (GRU Unit 26165) intrusion set. Long-running espionage operations against military, government, political, and media targets, including the 2016 DNC intrusion and sustai…
PRC state-affiliated intrusion set publicly attributed by the U.S. DOJ to the Guangzhou-based front company Boyusec (Guangzhou Bo Yu Information Technology), working in concert with the Ministry of S…
Iranian state-sponsored actor publicly assessed to operate on behalf of the Iranian government, with persistent targeting of Middle East government, financial, energy, and telecommunications organiza…
Chinese state-sponsored cyberespionage actor publicly attributed to the Ministry of State Security (MSS) Hainan State Security Department. Targets maritime industries, defense, government, and resear…
Russian state-sponsored intrusion set publicly assessed by Microsoft as associated with the GRU but operationally distinct from Forest Blizzard (APT28) and Seashell Blizzard (Sandworm). Conducted the…
Russian-speaking double-extortion crew historically aligned with TA505/FIN11. Specialized in mass exploitation of managed-file-transfer software zero-days: Accellion FTA (2020), GoAnywhere MFT (early…
Russian state-sponsored intrusion set publicly attributed by the U.S. DOJ and Treasury OFAC to FSB Center 16 (Military Unit 71330). Long-running targeting of the energy, nuclear, water, aviation, and…
PRC state-affiliated intrusion set operating through Integrity Technology Group — a Beijing-based, publicly traded cybersecurity contractor sanctioned by the U.S. Treasury OFAC in January 2025. Speci…
PRC state-sponsored intrusion set tracked by Anthropic under the internal designation GTG-1002, publicly disclosed in Anthropic's November 2025 threat-intelligence report as the actor behind the **fi…
PRC state-sponsored intrusion set named by Microsoft for the January 2021 mass exploitation of on-prem Exchange Server via the ProxyLogon chain (CVE-2021-26855 / -26857 / -26858 / -27065). Hafnium op…
Public-facing hacktivist persona operated by the Iranian MOIS-affiliated Void Manticore cluster, used for the July 2022 destructive intrusion of the Albanian government's central IT infrastructure. T…
Iranian state-affiliated intrusion set publicly attributed by FBI, CISA, and DC3 in joint advisory AA24-241A as connected to the Government of Iran and operating partly through an Iranian IT-services…
PLA 54th Research Institute (Strategic Support Force Unit 54466) members indicted by the U.S. DOJ on 10 February 2020 for the Equifax data breach of May–July 2017. Four military personnel — Wu Zhiyon…
Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…
Russia-aligned intrusion set conducting hybrid espionage and financially-motivated operations — ESET, Microsoft, and Unit 42 track it as a single actor straddling state-objective targeting (Ukrainian…
PRC state-backed actor responsible for the 2024 intrusions into U.S. commercial telecommunications providers — among the most consequential telecom-targeted operations on the public record. Operates…
Iranian state-sponsored intrusion set publicly attributed to the Ministry of Intelligence and Security (MOIS), specialised in destructive operations and conducting them under a rotating set of public…