A
Akira, a ransomware group active since March 2023, operates as a Ransomware-as-a-Service (RaaS) platform targeting organizations globally across critical industries, including healthcare, manufacturing, and finance. Leveraging advanced tactics such as exploiting VPN vulnerabilities and double extortion, Akira poses a significant threat to businesses and infrastructure worldwide.
Ransomware groups come and go, but Alpha Spider (also known as the ALPHV Ransomware Group or ALPHV Blackcat) refuses to fade into the shadows. Emerging onto the scene in November 2021, this cybercrime group is responsible for one of the most advanced Ransomware-as-a-Service (RaaS) operations. Even after law enforcement seized their infrastructure in December 2023, Alpha Spider recalibrated and continued its operations, proving that resilience isn’t always a good thing. Their agility, stealth, and technical expertise present a formidable threat in today’s advanced cyber threat landscape. So, who is Alpha Spider, what do they do, and how can you safeguard your organization from them?
Andariel, also known as "Jumpy Pisces," is a North Korean-linked cyber espionage and ransomware group believed to have emerged around 2015. Affiliated with the infamous Lazarus Group, Andariel is known for targeting financial institutions, government entities, and enterprises through advanced ransomware campaigns and sophisticated phishing schemes. Their operations often aim to fund North Korea's regime or gather intelligence.
APT1, also known as "Comment Crew," is a highly sophisticated Advanced Persistent Threat (APT) group believed to have been operational since at least 2006. It has been linked to China, specifically affiliated with the Chinese People's Liberation Army (PLA). The group's primary focus is cyber espionage, targeting a variety of industries through tactics such as spear phishing, data exfiltration, and malware deployment.
APT10, also known as MenuPass, Red Apollo, or Stone Panda, is a highly sophisticated cyber espionage group believed to be linked to China’s Ministry of State Security (MSS). Active since at least 2009, APT10 leverages advanced malware, spear-phishing, and supply-chain compromises to target global industries. Their campaigns focus on stealing intellectual property and sensitive data, making them one of the most notorious espionage groups to date.
APT3, also known as Gothic Panda, UPS Team, Pirate Panda, and Buckeye, is a Chinese state-sponsored cyber-espionage group active since at least 2007. Believed to operate under the Ministry of State Security (MSS) in Guangdong, APT3 is infamous for targeting critical sectors like aerospace, defense, telecommunications, and engineering. They employ advanced tactics, including custom malware and zero-day exploits, to conduct extensive intelligence gathering.
APT37, also known as Reaper or ScarCruft, is a North Korean advanced persistent threat (APT) group that has been active since at least 2012. This state-sponsored group focuses heavily on cyber espionage, leveraging spear phishing and advanced zero-day exploits to infiltrate targets. APT37 supports North Korea’s strategic goals, specifically in defense, security, and surveillance within both regional and global contexts.
Published: 11/21/2025
Written by: Monica Burgess
Avaddon was a Ransomware-as-a-Service (RaaS) operation that made a lot of noise between 2020 and 2021. This cybercrime group was known for its double-extortion tactics, not only encrypting victim data but also stealing it and threatening to leak it on their dark web site. They even threw in DDoS attacks to really pressure victims into paying up.
B
Babuk is a cybercrime group that first popped up in early 2021, quickly making a name for itself with a ransomware-as-a-service (RaaS) model. These actors are known for double extortion—encrypting a victim's files while also stealing sensitive data and threatening to leak it. They primarily target large corporate and government entities.
BianLian is a ransomware and data extortion group, first observed in June 2022. Likely based in Russia, the group targets critical infrastructure sectors in the U.S. and Australia. Known for their exfiltration-based extortion tactics, BianLian has shifted away from encrypting systems, focusing instead on data theft and extortion.
Bitwise Spider is a prominent and highly active threat actor group first identified in 2019. Operating within the ransomware ecosystem, this group combines social engineering, continually updated ransomware variants, and a ransomware-as-a-service (RaaS) model that recruits affiliates at scale. Bitwise Spider has been linked to numerous cyberattacks globally, targeting critical industries like healthcare, finance, and manufacturing.
BlackCat (also known as ALPHV) is a sophisticated ransomware group first observed in late 2021. Widely recognized for its use of advanced ransomware-as-a-service (RaaS) operations, BlackCat targets organizations across various industries and leverages double extortion tactics to pressure victims. With alleged ties to other prominent cybercriminal groups, BlackCat is among the most disruptive players in the ransomware ecosystem.
BlackMatter is a ransomware-as-a-service (RaaS) cybercrime group that first popped up in July 2021. Believed to be a rebrand of the notorious DarkSide group, BlackMatter quickly made a name for itself by targeting critical infrastructure. The group is known for leveraging previously compromised credentials to infiltrate networks and encrypt data, demanding hefty ransoms in Bitcoin and Monero.
Bluenoroff (also known as Gleaming Pisces) is a high-profile threat actor operating under the North Korean-affiliated Lazarus Group, first identified in 2014. This financially motivated group specializes in targeting cryptocurrencies and the financial sector using advanced social engineering, malware-based attacks, and emerging technologies. Their sophisticated operations reflect high levels of organization and state sponsorship.
Brain Spider is a global cybercriminal group that first emerged in 2019 and is known for its expertise in ransomware attacks and access brokering. With its sophisticated operations, high level of coordination, and affiliation with other threat actors, Brain Spider continues to pose a critical threat to organizations worldwide by targeting industries like healthcare, finance, and government.
C
First spotted in March 2023, this double-extortion operation quickly made a name for itself by hitting large commercial entities. They’re known for exploiting VPN vulnerabilities, but their most distinctive move is encrypting their own binary to avoid detection. Ouch.
Carbon Spider stands as one of the most sophisticated and adaptable financially motivated cybercriminal groups operating today. Known by multiple aliases including FIN7, GOLD NIAGARA, and ITG14, this Eastern European threat actor has evolved from point-of-sale thieves to ransomware operators since their emergence around 2013-2015.
Chaotic Spider, also known as 0mid16B, is a Southeast Asia–based cyber threat actor active since September 2021. Operating under aliases like Desorden and ALTDOS, this actor specializes in exploiting vulnerabilities, particularly via SQL injection, to exfiltrate and monetize sensitive data. Notably, the group eschews custom malware, focusing instead on infiltration and selling compromised information.
Charming Kitten, also known as APT35, Phosphorus, Ajax Security Team, and ITG18, is a sophisticated Iranian cyber-espionage group active since at least 2011. Closely affiliated with the Islamic Revolutionary Guard Corps (IRGC), their activities focus on cyber espionage, surveillance, and geopolitical influence. Utilizing spear-phishing, impersonation, and custom malware to infiltrate high-profile individuals and industries, they remain a persistent and dangerous threat actor.
Clockwork Spider is a financially motivated cybercriminal threat actor first observed around 2014. This group is known for operating Retefe, a banking malware primarily used to harvest credentials and execute financial wire fraud schemes. Classified as opportunistic, their attacks target victims in high-value jurisdictions and sectors, with a particular focus on financial institutions and individual banking customers.
Clop, an infamous ransomware group, surfaced around 2019 and has quickly become a significant name in the cybercriminal ecosystem. Known for their sophisticated attacks and high-value targets, Clop predominantly focuses on extortion, data theft, and financial disruption. Reportedly a Russian-speaking group, Clop has targeted industries such as healthcare, education, government, and more, leaving a trail of compromised systems worldwide.
Cobalt Group, also known as Cobalt Gang, is a financially motivated cybercrime organization that emerged around 2016. Known for its sophisticated and large-scale attacks on banks, ATMs, and payment systems, this group pioneered modern ATM jackpotting operations. Closely associated with Carbanak and FIN7, Cobalt Group has stolen an estimated €1 billion globally through targeted financial attacks.
Copy Kittens, also known as Slayer Kitten, is an Iranian cyberespionage group active since at least 2013. Affiliated with Iranian state interests, the group employs advanced tactics, techniques, and procedures (TTPs) to target governments, IT, and media sectors globally. Their campaigns, such as Operation Wilted Tulip, highlight their focus on information theft and espionage.
Cosmic Wolf is a Turkey-linked espionage group active since 2017, known for DNS hijacking, cloud credential theft, and targeting telecommunications infrastructure. The group operates under multiple aliases, including Sea Turtle, Teal Kurma, and Marbled Dust.
APT29, also known as Cozy Bear, is a state-sponsored cyber-espionage group associated with Russian intelligence agencies. Active since at least 2008, the group is infamous for its sophisticated and stealthy campaigns targeting governments, political entities, and multinational corporations. Their arsenal includes spear-phishing, credential theft, and customized malware operations.
Curly Spider is a Russian-speaking cybercrime group that emerged in 2019 and operates within the ransomware-as-a-service (RaaS) ecosystem. Most well-known for its creation of the Snake (Ekans) ransomware family, the group's activity signifies a major shift in ransomware campaigns, explicitly targeting industrial control systems (ICS). By adopting a double-extortion model, Curly Spider disrupts critical operational technology (OT) environments, demanding payment through encryption and data exposure threats.
D
DarkSide is a ransomware-as-a-service (RaaS) group that emerged in 2020 and is believed to operate out of Eastern Europe, with strong indications of links to Russia. Specializing in double extortion tactics, DarkSide has targeted various industries but largely refrains from attacking organizations in CIS countries. Their operations are marked by professional branding and strategic victim selection.
Demon Spider is a cybercriminal entity known for its role in the malware-as-a-service (MaaS) landscape. Emerging as a developer and distributor of the Matanbuchus downloader, this threat actor offers affiliates access to customized, two-stage malware solutions via controlled infrastructure and affiliate-friendly tooling. While much of Demon Spider’s operations remain obscured, they are an active player in modern cybercrime.
Donut Spider is a financially motivated threat actor active since 2021. Known for Big Game Hunting campaigns, this group developed the HelloXD and D0nut ransomware families. They run a private Ransomware-as-a-Service (RaaS) operation under the D#nut Ransomware Team name, using advanced techniques to target high-value organizations across industries. The group employs the open-source Donut framework to generate shellcode and execute payloads stealthily.
Doppel Spider, also known as GOLD HERON, is a Russian-based cybercriminal group active since at least April 2019. They are infamous for operating ransomware families like DoppelPaymer and DoppelDridex, targeting organizations globally with sophisticated tactics.
E
Egregor is a sophisticated ransomware-as-a-service (RaaS) operation that burst onto the scene in September 2020, quickly gaining notoriety as the heir apparent to the infamous Maze ransomware group. Known for its double-extortion tactics, Egregor not only encrypts victim data but also exfiltrates it, threatening public release to pressure companies into paying up.
Emerging in 2021, Ember Bear—commonly recognized as UAC-0056 or Lorec53—is a Russian state-sponsored cyber espionage group closely tied to the GRU. Known for spear-phishing and wiper malware like WhisperGate, they target critical infrastructure, governments, and defense sectors, often leveraging destructive tactics alongside data theft.
Active since at least 2010, Emissary Panda—also known by aliases such as APT27, LuckyMouse, and Bronze Union—is a Chinese state-sponsored advanced persistent threat (APT) group. Known for its industrial espionage and geopolitical intelligence missions, this group employs advanced tactics such as spearphishing, strategic web compromises, and custom malware to infiltrate high-value targets globally.
Ethereal Panda is a Chinese-aligned advanced persistent threat (APT) group, also referred to by aliases such as Flax Typhoon, RedJuliett, Storm-0919, and UNC5007. First observed publicly around mid-2021, this nation-state actor is known for its focus on espionage and intelligence gathering. Ethereal Panda employs a stealthy approach, leveraging legitimate tools and living-off-the-land methods to infiltrate targets across academia, government, technology, and telecommunications.
F
Famous Chollima is a North Korea-aligned cyber threat actor, emerging mid-2024, and linked to both financial theft and state-sponsored intelligence operations. Known for targeting cryptocurrency and blockchain sectors, this group employs sophisticated social engineering tactics and custom malware to infiltrate organizations globally.
Fancy Bear, also known as APT28, is a Russian state-sponsored cyber espionage group active since at least 2004. This group represents a highly-skilled Advanced Persistent Threat (APT) actor, consistently linked to the Main Intelligence Directorate of the Russian Federation (GRU). Fancy Bear is known for its use of zero-day vulnerabilities, spear-phishing campaigns, and sophisticated malware in targeting governmental, military, and critical infrastructure organizations worldwide for intelligence gathering. Their activities reflect the strategic interests of the Russian state.
Ferocious Kitten is an Iranian-aligned advanced persistent threat (APT) group first identified in 2015. This group primarily engages in cyber espionage operations, with a focus on Middle Eastern targets but has been observed reaching into global networks. Known for using malicious Telegram applications as a lure, Ferocious Kitten is affiliated with broader Iranian state-backed activity clusters. Their primary methods include surveillance malware, phishing, and social engineering campaigns.
FIN7, also known as the Carbanak Group or Carbon Spider, is a financially motivated cybercrime group that has been active since approximately 2015. Originating from Eastern Europe, their operations focus heavily on the theft of payment card data via POS system compromises, ransomware deployment, and extortion tactics. Their evolving techniques and organizational structure set them apart as one of the most sophisticated cybercrime syndicates today.
Fox Kitten—a nation-state-aligned threat actor linked to Iran—first emerged in 2017, gaining recognition for its methodical exploitation of VPN and remote-access vulnerabilities. Operating as a critical element in Iran’s APT ecosystem, Fox Kitten specializes in espionage enablement, targeting industries like defense, aviation, and energy. Their tactics revolve around establishing long-term footholds, granting access for multi-stage operations by other Iranian threat groups.
Frozen Spider, also known by aliases such as White Kali, is a criminal ransomware group classified as financially motivated. Active since late 2022, this Ransomware-as-a-Service (RaaS) operation is known for deploying Medusa ransomware to target high-value organizations in what is often referred to as “Big Game Hunting” (BGH). Their double-extortion tactics make them a serious threat to organizations globally.
G
Gallium, also known as Phantom Panda, Alloy Taurus, and Granite Typhoon, is a China-based threat actor that has been on the scene since at least 2012. This group is known for its focus on espionage, particularly targeting telecommunications companies to get their hands on sensitive data. They typically gain access by exploiting unpatched, internet-facing services—a classic move that’s still shockingly effective.
Ghost Jackal is a sophisticated and elusive cyber threat actor that is known for leveraging advanced tactics, techniques, and procedures (TTPs) to target various industries globally. Ghost Jackal's activities have made them a significant concern for cybersecurity professionals and organizations worldwide.
Gossamer Bear, also known as Callisto, SEABORGIUM, TA446, and other aliases, is a sophisticated Advanced Persistent Threat (APT) group linked to Russia. Active since at least 2015, this group primarily conducts cyber-espionage operations, employing tactics such as credential harvesting, phishing, and leak campaigns. Affiliated with the Russian Federal Security Service (FSB), Gossamer Bear targets geopolitical entities, defense sectors, and NATO states.
H
Helix Kitten, also referred to as APT34, OilRig, or Chrysene, is an Iran-nexus cyberespionage group active since the mid-2010s. Known for orchestrating highly targeted intrusions, they utilize spear-phishing, PowerShell-based implants, and custom backdoors to breach organizations in the Middle East and beyond. Helix Kitten primarily focuses on intelligence collection, aligning with Iranian geopolitical objectives.
Hermit Spider is a sophisticated threat actor linked to government-backed cyber espionage campaigns. Emerging around 2022, this highly advanced group specializes in deploying customized Android spyware, leveraging zero-day vulnerabilities to infiltrate and monitor targeted devices. Known for stealthy operation and precision, their primary focus lies in high-value espionage across sensitive industries and government entities.
Hive, first observed in June 2021, is a notorious ransomware group specializing in double-extortion tactics. Known for targeting critical infrastructures, healthcare, and other industries, they extort victims by encrypting data and threatening to leak it. Despite significant law enforcement disruptions in 2023, fragments of the group remain active, posing ongoing threats to global organizations.
Hive Spider, first identified in June 2021, is a notorious ransomware group operating under a Ransomware-as-a-Service (RaaS) model. Known for its advanced tactics and double extortion methods, Hive Spider has targeted critical infrastructure, including hospitals, causing widespread disruption.
Hook Spider is a notorious initial access broker (IAB) that emerged as a key player in the eCrime ecosystem. Primarily known for selling compromised credentials and remote access endpoints, Hook Spider facilitates ransomware operations and extortion campaigns for groups like Scattered Spider and Vice Spider. Their methods are simple yet effective, often leveraging phishing and brute force techniques to compromise networks.
Hunters International, also referred to as "World Leaks" following their rebranding, is a ransomware group first observed in October 2023. This group initially operated as a Ransomware-as-a-Service (RaaS) entity before transitioning to an extortion-only model. Known for leveraging techniques such as phishing, social engineering, and data theft, they have targeted industries worldwide, exploiting vulnerabilities and threatening data leaks for financial gain.
I
Imperial Kitten is an Iranian advanced persistent threat (APT) group, believed to operate on behalf of the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2017, this threat actor specializes in cyber-espionage, leveraging phishing, malware, and strategic web compromises to target critical industries worldwide. Also referred to by aliases such as Yellow Liderc, Tortoiseshell, TA456, and Crimson Sandstorm, the group is infamous for its attacks on key sectors, including technology, logistics, and defense.
Indrik Spider, also known as Evil Corp, is a highly sophisticated Russian cybercriminal syndicate active since at least 2014. Best known for developing the Dridex banking Trojan and orchestrating large-scale ransomware campaigns, the group has targeted high-profile sectors worldwide, including healthcare and finance, causing severe monetary and operational damages.
J
Jackpot Panda is a China-based threat actor that has been active since at least May 2020. This advanced persistent threat (APT) group focuses heavily on the online gambling ecosystem across East and Southeast Asia. Leveraging supply-chain compromises, phishing, and stealthy post-compromise techniques, they align closely with domestic intelligence priorities of the PRC.
K
Kimsuky (aka "Velvet Chollima" or "Sparkling Pisces") is a North Korean advanced persistent threat (APT) group believed to have been active since around 2012. Known for cyber-espionage operations, Kimsuky primarily targets government entities, think tanks, and media organizations across the United States, Europe, and South Korea. Their arsenal includes spear-phishing campaigns, malware, and sophisticated social engineering tactics.
L
Labyrinth Chollima, active since at least 2009, is a North Korean state-sponsored threat actor operating under the Lazarus Group umbrella. Known for high-profile cyber operations like the Sony Pictures hack and the Bangladesh Bank heist, this group blends espionage, financial theft, and destructive tactics to support the ambitions of the North Korean regime.
The Lazarus Group, also referred to as APT38, HIDDEN COBRA, and Guardians of Peace, is a North Korean state-sponsored cybercriminal organization. Operating since at least 2009, Lazarus specializes in a range of malicious activities including financial theft, cyber espionage, and destructive cyberattacks. They have targeted industries such as finance, government, and critical infrastructure, utilizing sophisticated tactics and custom malware.
Lightning Spider, an eCrime threat actor active since at least November 2019, specializes in financially motivated cyber activities. Operating within a Malware-as-a-Service (MaaS) or Pay-Per-Install (PPI) model, they utilize tools such as the Apolog loader and Satacom downloader to build and operate a botnet of compromised systems. Their scalable infrastructure delivers malware payloads for financial gain, making Lightning Spider a significant enabler of downstream cyber threats.
Lockbit ransomware, first identified in 2019, is a highly sophisticated global cyber threat. Known for its ransomware-as-a-service (RaaS) model, it enables affiliates to execute devastating attacks across industries. Leveraging double extortion tactics, Lockbit encrypts sensitive data and demands ransoms, often targeting large organizations worldwide. Its agility and operational efficiency have made it one of the most notorious ransomware groups.
LulzSec (short for "Lulz Security") was a notorious hacktivist group, active mainly during 2011, that targeted high-profile organizations such as governments, corporations, and media outlets. Known for their playful yet disruptive approach, LulzSec conducted attacks "for the lulz" (internet slang for laughs or enjoyment), often exposing security vulnerabilities to make a statement. Despite their short-lived activity, LulzSec’s operations left a lasting impact on cybersecurity practices worldwide.
Lunar Spider is a formidable Russian-speaking eCrime group, active since at least 2017, and operates as a financially motivated collective specializing in malware development and initial access brokerage. Most notably, the group created and deployed the IcedID (also known as BokBot) banking trojan, the Latrodectus downloader, and the Lotus loader family. Known for their adaptability, Lunar Spider has evolved from banking fraud operations to equipping ransomware affiliates by exploiting stolen credentials and deploying advanced post-exploitation frameworks like Brute Ratel and Cobalt Strike. Their tactics make them notorious as they swiftly progress from phishing campaigns to delivering access to high-value criminal partners, targeting vulnerable SMBs and enterprises alike.
M
Masked Spider is an opportunistic eCrime adversary active since May 2022. Operating as a Big Game Hunter (BGH), this threat actor is linked to the development of the BianLian ransomware family. Specializing in attacks targeting Microsoft Windows and VMware ESXi platforms, Masked Spider employs AES-256 encryption with hardcoded keys to encrypt victim data. Although they are believed to have changed operational tactics in early 2023, Masked Spider remains a key player in the ransomware landscape.
The Maze ransomware group burst onto the scene around May 2019 and quickly became infamous for pioneering the "double-extortion" tactic. This cybercrime group didn't just encrypt their victims' data; they stole it first, threatening to leak sensitive information online if the ransom wasn't paid. This method turned a ransomware incident into a full-blown data breach.
The Medusa ransomware group has been making waves since late 2021, operating a Ransomware-as-a-Service (RaaS) model. These actors use double-extortion, meaning they don't just encrypt your data—they steal it first and threaten to leak it on their dark web site. It's a nasty one-two punch designed to maximize pressure.
Mirage Tiger, formerly tracked as the “WiseGuy” cluster, is a targeted intrusion group linked to India. Active since approximately 2017, this advanced persistent threat (APT) actor primarily targets Pakistani government and military organizations. Their operations rely on password-protected Microsoft Office documents with malicious macros as an initial access vector. Public intelligence on this group remains limited, with detailed telemetry gated behind vendor reports.
Monarch Spider is a sophisticated cyber threat actor identified as an exploit broker specializing in the creation, advertisement, and distribution of weaponized exploits targeting multiple vulnerabilities. Emerging as a key player in underground cybercriminal communities, Monarch Spider is known for its expertise in Windows privilege-escalation vulnerabilities, offering exploits to other threat actors. Their ability to develop or obtain zero-day exploits showcases their advanced capabilities and impact within the cyber threat landscape.
Mummy Spider, first identified in 2014, is a Russian-speaking cybercriminal group responsible for the creation and operation of the infamous Emotet malware. Originally a banking Trojan, it has evolved into a powerful modular botnet and malware delivery platform, making Mummy Spider a crucial player in the cybercrime-as-a-service ecosystem. This group gained notoriety for enabling large-scale ransomware campaigns and globally disruptive cyber operations.
Mythic Leopard, also known as Transparent Tribe or APT36, is a Pakistan-linked advanced persistent threat (APT) group active since at least 2013. This state-sponsored actor primarily targets Indian government, military, and defense sectors, employing spear-phishing, malware, and deceptive infrastructure to conduct cyber-espionage operations.
N
Netwalker, also known as Mailto or Circus Spider, is a sophisticated ransomware-as-a-service (RaaS) operation that first appeared in August 2019. This financially motivated cybercrime group gained notoriety for its double extortion tactics, where they not only encrypt a victim's files but also exfiltrate sensitive data and threaten to leak it publicly unless a second ransom is paid.
O
Ocean Buffalo, also widely known as OceanLotus or APT32, is a Vietnam-nexus cyber-espionage group active since at least the mid-2010s. This sophisticated group is infamous for targeting political, commercial, and regional intelligence through tactics such as watering-hole attacks, spear phishing campaigns, and custom malware deployment on macOS, Windows, and Linux systems. Their operations focus heavily on Southeast Asia but extend globally when strategically advantageous.
Odyssey Spider is a financially motivated eCrime adversary first observed in operations as early as late 2018. Known for their sophisticated tactics targeting the hospitality and travel sectors, this group focuses on stealing credit card information during reservation and booking processes. Operating primarily from Brazil, their foothold extends across Latin America and parts of Southwestern Europe, exhibiting increasingly complex methods with each campaign.
Outrider Tiger is a financially motivated cyber threat actor, first identified in June 2023. Known for its development and operation of the Nitrogen loader and LukaLocker ransomware, Outrider Tiger initially operated as an affiliate of the Alphv Ransomware-as-a-Service (RaaS) program until its closure in March 2024.
P
Pinchy Spider, also known as Gold Southfield, is a financially motivated cybercriminal group originating from Russia. Active since 2018, they are infamous for developing and operating GandCrab and REvil ransomware under a Ransomware-as-a-Service (RaaS) model. Their operations focus on high-value targets using advanced tactics like lateral movement and data exfiltration.
Play (also referred to as PlayCrypt) is a financially driven ransomware group first identified in June 2022. Specializing in double-extortion techniques—encrypting files and threatening to publicly leak stolen data—Play has rapidly grown into one of the most active ransomware groups globally. With a primary focus on large enterprises and critical infrastructure, Play has impacted hundreds of organizations worldwide.
Primitive Bear is a Russia-aligned threat actor closely affiliated with the Russian Federal Security Service (FSB), specifically FSB Center 18. First observed active during the annexation of Crimea in 2014, this group specializes in psychological operations, disinformation, and phishing campaigns. They play a significant role within Russia’s hybrid warfare doctrine, blending cyber operations with propaganda to destabilize adversaries, specifically targeting Ukraine, NATO, and Eastern European political organizations.
Punk Spider, first spotted in 2023, is a Big-Game-Hunting (BGH) ransomware group tied to the Akira ransomware-as-a-service (RaaS) operation. This actor specializes in double-extortion, meaning they don't just encrypt your data—they steal it first and threaten to leak it online. They often get in through weak VPNs and use legitimate tools to move around undetected.
Q
The Qilin cybercrime group, a Russian-speaking Ransomware-as-a-Service (RaaS) operation, popped onto the scene around August 2022. Initially known for their "Agenda" ransomware, these actors have a nasty habit of targeting critical sectors. They provide their affiliates with customizable malware, making them a flexible and dangerous threat to watch out for.
Quantum Spider, also known by aliases MountLocker, SunRiseLocker, and AstroLocker, is a Big Game Hunting (BGH) adversary first observed in August 2020. Operating as a Ransomware-as-a-Service (RaaS), this group employs double extortion tactics, encrypting files and threatening to leak sensitive data if ransoms are not paid.
R
Ransomhub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024 and quickly gained notoriety for targeting critical infrastructure sectors. Known for their double extortion tactics, Ransomhub has impacted over 200 organizations globally, leveraging advanced techniques to exfiltrate and encrypt sensitive data.
Razor Tiger, also known as SideWinder, APT-C-17, and Rattlesnake, is a nation-state-sponsored threat actor active since at least 2012. Believed to operate from India, the group specializes in cyber-espionage targeting military, government, and maritime sectors. Razor Tiger employs spear-phishing, fileless malware, and advanced infrastructure to achieve its objectives.
Refined Kitten, also known as APT33, is a suspected Iran-linked advanced persistent threat (APT) group that emerged around 2013. This group specializes in cyberespionage and potential disruptive tactics, leveraging spear-phishing, malware, and supply chain compromises. Known for their targeted attacks on energy, aviation, and defense sectors, Refined Kitten remains a formidable force in cyber operations globally.
Remix Kitten, also referred to as APT39 or Chafer, is an Iran-linked cyber espionage group active since around 2012. Associated with Iran’s Ministry of Intelligence and Security (MOIS), Remix Kitten primarily conducts espionage operations targeting sectors like telecommunications, travel, academia, and government. Their tactics involve spear-phishing, credential harvesting, and deploying custom backdoors to collect sensitive intelligence that aligns with Iranian state goals.
Renaissance Spider, sometimes stylized as RENAISSANCE SPIDER, is a financially motivated eCrime threat actor based in the Russian Federation. First observed in mid-2019, this group is notorious for its use of malspam campaigns and targeted intrusion operations. Beyond pure financial crime, they conduct influence and sabotage efforts using inauthentic hacktivist personas like "DaVinci Group" and "Fire Cells Group."
Renegade Jackal, also known by aliases such as Desert Varnish, UNC718, Desert Falcons, and Arid Viper, is a sophisticated cyber threat actor that has been active in the Middle East since at least 2015. Believed to have a nexus with pro-Palestinian interest groups, this actor commonly employs phishing and social engineering tactics to infiltrate targets tied to government or diplomatic entities in the region. Their primary motivation appears to be intelligence gathering, making them a key adversary for cybersecurity defenders.
REvil, also known as Sodinokibi, is a notorious ransomware-as-a-service (RaaS) threat actor, first observed in 2019. Broadly attributed as Russian-speaking and Russia-based, the group is infamous for its high-impact operations targeting industries globally with double-extortion tactics. Its attacks have caused major disruptions, impacting organizations from small businesses to international enterprises.
Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. Known for its "double extortion" tactics, the group encrypts files and threatens to publicize stolen data if ransoms are not paid. Operating under the guise of a “cybersecurity team,” Rhysida primarily targets industries such as healthcare, education, and government.
Rice Spider, first tracked by CrowdStrike, is classified as a criminal service provider within the cybercrime ecosystem. Emerging as a key enabler for eCrime and Big Game Hunting (BGH) groups, their primary methods include Crypter-as-a-Service (CaaS) and DLL sideloading techniques to obscure and deliver malware payloads. While Rice Spider itself does not carry out ransomware attacks or extortion, their tools and services make them a pivotal part of large-scale cyber intrusions.
Ricochet Chollima, also known as APT37, is a North Korean-linked threat actor believed to have emerged in 2012. This group is known for its cyber espionage operations targeting media, research, and public sectors globally. Their methods include phishing, malware deployment, and exploitation of Android vulnerabilities, making them a persistent and stealthy threat in the cybersecurity landscape.
Robot Spider is a prominent threat actor specializing in Crypter-as-a-Service (CaaS) operations, active since 2017. Operating from Brazil, Robot Spider collaborates predominantly with LATAM-based eCrime adversaries, enabling targeted attacks through advanced encryption services that cloak malware and remote access tools (RATs) to evade defense mechanisms.
Royal Spider, also known as "Royal" or "BlackSuit," is a Russian cybercriminal group specializing in Ransomware-as-a-Service (RaaS) operations. Emerging in early 2022, the group employs advanced double extortion techniques, targeting sectors like healthcare, critical infrastructure, and finance globally. With ransom demands ranging from $1 million to $10 million, Royal Spider has quickly become a notable threat actor in the cybersecurity landscape.
S
Salt Typhoon is a highly sophisticated advanced persistent threat (APT) group with ties to the Chinese government. Emerging around 2020, this state-sponsored actor specializes in cyber espionage and data theft. They primarily gain initial access by exploiting known vulnerabilities in public-facing applications and network devices, making them a serious threat to global telecommunications and critical infrastructure.
Salty Spider, also associated with the Sality malware and botnet, is a financially motivated eCrime group that has been active since 2003. Operating primarily from Russia, this group employs polymorphic file infectors and peer-to-peer propagation to infect systems globally. They are known for their large-scale botnet campaigns, cryptocurrency theft, cryptojacking, and occasional politically motivated cyberattacks.
Samba Spider is a cybercrime threat actor linked to the Mispadu banking trojan. This group primarily targets users in Latin America, with a strong focus on systems using Spanish and Portuguese languages. They are known for their classic, yet effective, spam campaigns designed to trick people into downloading malware that steals banking credentials and other sensitive data.
Scattered Spider, also tracked as UNC3944, Starfraud, and Muddled Libra, is a prominent cybercriminal group active since at least 2022 (CISA). The collective is notorious for social engineering schemes, advanced phishing campaigns, and the use of Ransomware-as-a-Service (RaaS). Targeting industries like telecommunications, retail, healthcare, and critical infrastructure, their operations frequently revolve around data theft, extortion, and ransomware deployment.
Silent Chollima is a sophisticated threat actor group affiliated with the Democratic People's Republic of Korea (DPRK), first observed around 2007-2009. Known for its strategic espionage and destructive cyber capabilities, this group has recently expanded its operations to include financially motivated attacks like ransomware and extortion to fund its activities. It operates with a high degree of technical skill, often exploiting known vulnerabilities and using custom malware.
Slippy Spider, also known as Lapsus$, is a cybercriminal group that emerged around late 2021, quickly growing notorious for their brazen data extortion tactics and disruptive attacks on large corporations and governments. Known for targeting prominent industries, this group uses creative and unconventional infiltration techniques that exploit both technical vulnerabilities and social engineering weaknesses.
Solar Spider is a financially motivated eCrime actor that loves to go phishing. Known for its targeted campaigns against banks and financial services, this group uses sophisticated social engineering and custom malware to get what it wants. Their signature tool is the JSOutProx remote access trojan (RAT), a nasty piece of JavaScript-based malware.
Sprite Spider, an eCrime actor, emerged in 2015 and is known for its targeted ransomware campaigns using Defray777. This group specializes in big game hunting (BGH) ransomware attacks, often targeting ESXi servers to maximize impact. Their operations have evolved significantly, making them one of the most destructive ransomware groups in recent years.
Stardust Chollima, also known by aliases like BlueNoroff and APT38, is a North Korea-linked, state-sponsored cyber threat actor. Emerging as a sophisticated group, their primary methods include large-scale financial heists, malware campaigns on macOS, and phishing. They are suspected of playing a crucial role in funding the regime through advanced cyber operations targeting financial and cryptocurrency sectors.
Static Kitten, also known as MuddyWater, Seedworm, TEMP.Zagros, and Mercury, is a sophisticated Iranian state-sponsored cyberespionage group that has operated since at least 2017. Strongly linked to Iran's Ministry of Intelligence and Security (MOIS), this group employs a variety of advanced tactics and techniques, including spear-phishing campaigns, PowerShell-based backdoors, and Android spyware, to target governments, academia, telecommunications, and NGOs primarily in the Middle East and Central Asia.
T
TA505 is a prolific Russian-speaking cybercrime group, first observed in 2014, renowned for its industrial-scale operations in phishing, malware distribution, and access brokering for ransomware affiliates. Leveraging an extensive arsenal of custom tools, such as Locky ransomware and Dridex banking Trojan, TA505 has targeted countless organizations globally across financial, healthcare, and government sectors.
TEMP.Hermit, also known as Selective Pisces, is a sophisticated and highly active threat actor group believed to have emerged around 2021. Known for its cyber-espionage campaigns, TEMP.Hermit primarily uses advanced, stealthy malware and phishing tactics to target government agencies, critical infrastructure, and private sector organizations globally. Their operational precision and technique adaptability suggest an advanced, well-organized structure.
Traveling Spider is a sophisticated eCrime threat actor specializing in ransomware development and operations. Emerging in the cybercrime landscape under various aliases, this group is known for its involvement in creating and distributing multiple ransomware variants. Operating primarily out of the Russian Federation, Traveling Spider utilizes affiliate programs and advanced extortion techniques to target organizations globally.
TUNNEL SPIDER is an advanced, financially motivated cybercriminal group known for its "Big Game Hunting" tactics. This group targets large, lucrative organizations to deploy ransomware for high-value payouts. They are the primary actors associated with Cactus ransomware and have been observed as affiliates for several other major Ransomware-as-a-Service (RaaS) operations, making them a significant and versatile threat.
Turbine Panda, also known as APT26, is a state-sponsored Chinese threat actor affiliated with the Jiangsu Bureau of the Ministry of State Security (JSSD). First observed around 2010, this sophisticated group notably employs tactics like espionage and supply chain compromises. Their primary focus includes intellectual property theft and economic espionage targeting the aerospace, defense, and energy sectors.
V
Vampire Spider, an emerging cyber threat actor, is known for its role as a malware tool vendor facilitating other cybercriminals. Since gaining public notice around 2023, it has developed and licensed tools like Strigoi Master and services such as RegXploit to enable malware deployment. Their primary focus appears to be profit-driven through the commercialization of ransomware-as-a-service (RaaS).
Vanguard Panda, also known as Volt Typhoon, Bronze Silhouette, DEV-0391, and several other aliases, is a Chinese state-sponsored Advanced Persistent Threat (APT) group. Active since at least mid-2021, this group specializes in cyber espionage and critical infrastructure reconnaissance. By leveraging stealth-based "living-off-the-land" strategies and exploiting known vulnerabilities, Vanguard Panda poses a significant global cybersecurity risk.
Active since at least October 2021, Vault Panda is a China-nexus advanced persistent threat (APT) group known for cyber-espionage. This group doesn't play favorites, targeting a wide range of sectors including financial services, defense, and government to collect intelligence. They use a shared arsenal of malware common among Chinese threat actors to get the job done.
Venomous Bear, also referred to as Turla, Snake, Uroboros, and other aliases, is a sophisticated cyber-espionage group attributed to Russia's Federal Security Service (FSB). Active since at least 2004, this advanced persistent threat (APT) group specializes in gathering intelligence through state-of-the-art malware, stealthy campaigns, and strategic targeting methods.
Vertigo Panda is a China-nexus advanced persistent threat (APT) group that spun up around mid-2020. Though a separate crew, they operate adjacent to the notorious Mustang Panda. These actors are all about espionage, primarily targeting government, defense, and even religious organizations across Europe and other parts of the world.
Vice Society, also known as DEV-0832 or Vanilla Tempest, is a notorious ransomware and extortion group first identified in mid-2021. This financially motivated actor has become infamous for targeting educational institutions, healthcare providers, manufacturing entities, and government sectors. Leveraging a double extortion model—encrypting victim data while simultaneously threatening to leak sensitive information—Vice Society has demonstrated a centralized operational structure rather than relying on an affiliate-based model, as seen with other ransomware groups. Below, we present a detailed profile outlining Vice Society’s tactics, techniques, targets, and observed indicators of compromise.
Vice Spider is a Russian-speaking ransomware group active since at least April 2021. Known for leveraging identity-based attacks and exploiting vulnerabilities, they primarily use ransomware variants like Zeppelin and Hello Kitty. Their operations often involve double extortion tactics, targeting sectors with limited cybersecurity resources.
Viking Spider is a cybercriminal group known for developing and deploying the Ragnar Locker ransomware. Emerging in late 2019, the group employs big game hunting (BGH) tactics to target high-value organizations. They are linked to the broader "Ransom Cartel," a network of ransomware operators.
Vixen Panda, also known as APT15 and Ke3chang, is a China-affiliated Advanced Persistent Threat (APT) group active since at least 2010. Known for its focus on cyberespionage, this group targets government, military, and diplomatic entities, particularly those involved in geopolitical issues. Their primary methods include spearphishing campaigns, custom backdoors, and exploiting public-facing applications.
Voodoo Bear, also known by aliases such as Sandworm, Telebots, and BlackEnergy, is a highly advanced Russian state-sponsored threat actor. Known to be affiliated with the GRU's Unit 74455, Voodoo Bear specializes in cyber espionage, sabotage, and influence operations. Active since at least 2008, the group primarily targets critical infrastructure, government agencies, and global enterprises using destructive malware and sophisticated techniques.
W
Wandering Spider, active since at least April 2020, is a notorious Big Game Hunting (BGH) adversary. Known for their use of a variety of ransomware families, this group has been linked to sophisticated attacks targeting organizations of all sizes. Their notable tools include Black Basta, DoppelPaymer, and REvil, among others.
Wicked Panda is a China-based, state-sponsored threat actor group identified as one of the most prolific intrusion collectives in the world. Active since the mid-2000s, they are recognized for their extensive cyber espionage operations, intellectual property theft, and surveillance activities. Leveraging sophisticated tactics, techniques, and supply-chain compromises, they have targeted industries and governments globally, aligning their objectives with Chinese state interests.
Wicked Spider, a financially-motivated threat actor and a component of the Chinese nexus group APT41, emerged as a key cyber adversary. Known for its dual capability of criminal profit-making and state-sponsored espionage, Wicked Spider leverages advanced techniques like spear-phishing, supply chain attacks, and certificate theft to target industries globally, with a strong focus on gaming and technology.
Wizard Spider is a prolific Russia-linked cybercrime syndicate, active since at least 2016. Known for its connection to TrickBot and Conti ransomware operations, the group specializes in financially motivated cyberattacks, leveraging advanced malware, phishing campaigns, and double extortion ransomware tactics. Their operations impact critical sectors worldwide, reflecting their cartel-like structure and sophisticated methods.