Skip to content
Auto-CTI

Threat intelligence

Threat actors

Cumulative actor profiles from the Auto-CTI pipeline: attribution from curated reference data, targeting and summaries distilled from processed reporting. Click a card for the full profile.

88 / 88 actors

Russia

Relevant · espionage / apt
Nation-state inferred

Russia is a state-sponsored threat actor that conducts cyberattacks on critical infrastructure, as warned by the US and allies. Russia uses social engineering to compromise messaging accounts and engages in espionage, such as spying on NATO transport routes using hacked cameras. The threat persists for countries including Switzerland. The US offers bounties for Russian hackers following attacks on Signal.

Communication Services Communications Technology
6 Mentions · Last seen 13 Jul 2026 Active

TeamPCP

Relevant · supply chain
Cybercrime inferred

TeamPCP is a threat group known for large-scale supply chain attacks on open source ecosystems. They target package managers like npm and PyPI to inject malicious code into widely used libraries. The campaign involves container escape techniques and is documented under the name 'Mini Shai-Hulud'. Their activities have been observed through mid-2026 and pose a significant risk to the software supply chain.

supply chain Containerized Environments Software Supply Chain
6 Mentions · Last seen 08 Jun 2026 Dormant

HAFNIUM

Silk Typhoon

Affects your stack · Microsoft Windows Server 2022
Nation-state

HAFNIUM is a state-sponsored threat actor group that recently exploited multiple critical vulnerabilities in Microsoft Exchange Server, including CVE-2022-41082, CVE-2021-26858, CVE-2021-27065, and CVE-2021-26857. These vulnerabilities allowed remote code execution and were used in targeted attacks.

4 Mentions · Last seen 30 Sept 2022 Historical

Russian state-sponsored APT

Relevant · espionage / apt
Unknown

The Russian state-sponsored APT targets network devices such as routers to gain access. Official warnings emphasize the ongoing threat. Recently, a WinRAR vulnerability was exploited to attack Ukrainian organizations. This demonstrates the continued focus on Ukraine and the use of vulnerabilities in widely used software.

3 Mentions · Last seen 13 Jul 2026 Active

Turla

Snake · Venomous Bear · Secret Blizzard

Relevant · espionage / apt
Nation-state

Turla is a Russian threat actor known for espionage and destructive attacks. The EU has imposed sanctions on Russia related to severe cyberattacks and sabotage. According to Google, Turla uses the new STOCKSTAY backdoor in espionage attacks in Ukraine.

3 Mentions · Last seen 13 Jul 2026 Active

Nightmare Eclipse

Unknown

Nightmare Eclipse is a threat actor associated with the 'RoguePlanet' zero-day vulnerability. Recent reports indicate that Microsoft is working on a patch for this exploit. There is no further information on targeted sectors or regions.

3 Mentions · Last seen 09 Jul 2026 Active

Gamaredon

Primitive Bear · Aqua Blizzard · Shuckworm

Relevant · espionage / apt
Nation-state

Gamaredon is a Russian APT group that is expanding its attacks on Ukraine. Recent reports indicate the use of new malware and cloud service abuse. The group has upgraded its arsenal and exploits vulnerabilities such as WinRAR to deliver malware like GammaWorm and GammaSteel.

3 Mentions · Last seen 29 Jun 2026 Active

The Gentlemen

Affects your stack · Microsoft Defender for Endpoint
Unknown

The Gentlemen is a Ransomware-as-a-Service group known for using custom backdoors and evolving tactics. They employ the GentleKiller EDR framework to disable up to 400 security processes. Their ransomware spreads like a worm and has claimed 478 victims.

3 Mentions · Last seen 29 Jun 2026 Active

China

Relevant · espionage / apt
Unknown inferred

China conducts cyber espionage targeting universities and other organizations. German domestic intelligence warns of increased vigilance at universities. Google has exposed a Chinese espionage group that has been undetected in networks since 2023. Additionally, a dual-method cyberattack was launched against Czech organizations.

education
3 Mentions · Last seen 25 Jun 2026 Active

ShinyHunters

Relevant · industrial / ot espionage
Cybercrime inferred

ShinyHunters is a threat actor group known for abusing OAuth in SaaS-based applications. Recent reports highlight the need to defend SaaS applications against such attacks. The group targets cloud services. No specific malware details are evident from the provided headlines.

SaaS Cloud services
2 Mentions · Last seen 13 Jul 2026 Active

Iran

Relevant · espionage / apt
Nation-state inferred

Iran has expanded its cyber activities beyond critical infrastructure to broader targets. Despite a ceasefire agreement, Iranian hackers continue their attacks unabated. The threat thus persists regardless of diplomatic developments. This indicates that Iran remains a persistent cyber threat.

critical infrastructure
2 Mentions · Last seen 09 Jul 2026 Active

UAT-7810

Unknown

UAT-7810 is a China-linked threat actor expanding its ORB network with the new LONGLEASH malware. The actor reportedly achieves a 54% success rate in its operations.

2 Mentions · Last seen 09 Jul 2026 Active

ToddyCat

Relevant · espionage / apt
Nation-state inferred

ToddyCat is a threat actor that, according to a Q1 2026 threat landscape report, targets industrial automation systems. The actor is also associated with a hidden email assistant, indicating email-based espionage. These capabilities suggest a focus on industrial espionage.

Industrial Automation
2 Mentions · Last seen 07 Jul 2026 Active

North Korea

Relevant · supply chain
Nation-state inferred

North Korean hackers are increasingly conducting supply chain attacks to compromise open source software. These campaigns aim to infiltrate developers and organizations. Microsoft recently linked a supply chain attack on the AI platform Mastra AI to North Korean threat actors.

Artificial Intelligence Technology Software Development
2 Mentions · Last seen 06 Jul 2026 Active

Russian Intelligence Services

Relevant · espionage / apt
Nation-state inferred

Russian intelligence services target messenger backup keys to gain access to communications. They use fake support texts to steal messaging credentials. The FBI and Ukrainian authorities warn about these attacks.

defense Communications
2 Mentions · Last seen 29 Jun 2026 Active

Russian intelligence services

Relevant · espionage / apt
Nation-state inferred

Russian intelligence services are targeting Signal backup recovery keys to intercept encrypted communications, according to FBI reports. This technique is likely deployed against high-value targets such as government officials, journalists, and activists. The warning highlights the persistent cyber espionage threat posed by Russian state actors.

Government Individuals defense
2 Mentions · Last seen 26 Jun 2026 Active

Russian-speaking threat actors

Affects your stack · Fortinet FortiGate
Unknown

Russian-speaking threat actors are targeting Fortinet FortiGate devices. The campaign, dubbed 'FortiBleed', has compromised over 86,000 devices and is harvesting credentials. CISA is warning affected customers about these attacks.

2 Mentions · Last seen 19 Jun 2026 Active

DragonForce

Relevant · ransomware
Unknown

DragonForce is a ransomware group that abuses Microsoft Teams relay servers to disguise command-and-control traffic for a backdoor called Backdoor.Turn. This technique allows the group to conduct ransomware attacks while evading detection.

2 Mentions · Last seen 18 Jun 2026 Active

Qilin

Relevant · ransomware
Unknown

The Qilin ransomware group has exploited a zero-day vulnerability in Check Point VPNs to conduct ransomware attacks. Reports indicate Qilin is responsible for recent attacks targeting VPN infrastructure. The attacks highlight the group's ability to leverage security vulnerabilities effectively.

2 Mentions · Last seen 09 Jun 2026 Dormant

TA4922

Relevant · phishing / bec
Unknown

TA4922 is a China-linked threat actor conducting phishing attacks. According to recent reports, TA4922 has expanded its phishing campaigns to the United Kingdom, Germany, Italy, and South Africa. This expansion indicates a broadening of their geographic targeting. No further details about their methods or victims are currently available.

2 Mentions · Last seen 04 Jun 2026 Dormant

Fox Tempest

Affects your stack · Microsoft Defender for Endpoint
Cybercrime

Fox Tempest is a threat actor notable for multi-stage Linux intrusions, gaining access via edge appliances like F5 and collaboration software such as Confluence to achieve enterprise-wide compromise.

2 Mentions · Last seen 25 May 2026 Dormant

CL-STA-1132

Affects your stack · Microsoft Remote Desktop Gateway
Nation-state

CL-STA-1132 is a threat actor exploiting zero-day vulnerabilities in Palo Alto Networks PAN-OS. Recent reporting indicates exploitation of a flaw in the Captive Portal and a critical buffer overflow in the User-ID Authentication Portal to achieve unauthenticated remote code execution. The group targets systems running PAN-OS, likely for espionage or network compromise. Activities include exploitation of CVE-2026-0300.

Information Technology
2 Mentions · Last seen 07 May 2026 Dormant

UNC6692

Relevant · Manufacturing
Unknown

UNC6692 is a threat group that combines social engineering with malware and cloud abuse. They deployed custom malware suites to compromise targets. The group used sophisticated social engineering techniques. Additionally, they abused cloud infrastructure for malicious purposes.

2 Mentions · Last seen 27 Apr 2026 Dormant

Russian intelligence agency

Relevant · espionage / apt
Unknown

The Russian intelligence agency is conducting hacking attacks that, according to an advisory, focus on NATO logistics and Ukrainian troops. They hack cameras to obtain confidential information. These activities demonstrate a continued interest in military movements and operations.

Logistics Military
1 Mentions · Last seen 14 Jul 2026 Active

UNK_CustomCloak

Affects your stack · Microsoft Entra ID
Unknown

UNK_CustomCloak uses OAuth Client ID spoofing to validate stolen Microsoft Entra credentials. This technique enables attackers to take over compromised accounts. No further details are known about this actor.

1 Mentions · Last seen 14 Jul 2026 Active

Russian APT, Salt Typhoon

Relevant · espionage / apt
Nation-state

Russian APT groups are conducting cyberattacks on critical infrastructure routers, according to warnings from the US and allies. These attacks aim to compromise networks and steal sensitive information. Affected entities are primarily in the US and allied nations. Security agencies urge increased vigilance and protective measures.

Critical Infrastructure
1 Mentions · Last seen 14 Jul 2026 Active

Russian state intelligence services

Relevant · espionage / apt
Unknown

Russian state intelligence services pose a persistent threat to critical infrastructure. Recent reports indicate that the UK and its allies are calling for enhanced defensive measures. The actors employ advanced cyber operations for espionage purposes.

1 Mentions · Last seen 13 Jul 2026 Active

Russian GRU

Relevant · DACH
Unknown

The EU imposed sanctions on Russian GRU military hackers over cyberattacks. These attacks likely targeted EU member states. The GRU is a known threat actor responsible for offensive cyber operations.

1 Mentions · Last seen 13 Jul 2026 Active

APT28

Fancy Bear · Sofacy · Sednit

Relevant · espionage / apt
Nation-state

APT28, also known as Fancy Bear, is a cyber unit attributed to Russia's FSB. Recent reporting holds the group responsible for an attack on Poland's power grid. This incident prompted the first joint cyber sanctions from the UK and EU.

Energy
1 Mentions · Last seen 12 Jul 2026 Active

O-UNC-066

Affects your stack · Microsoft Entra ID
Unknown

O-UNC-066 is a threat actor group recently observed in a campaign using fake Microsoft Entra passkey enrollment. Users are tricked into registering for a fraudulent passkey, granting unauthorized access to Microsoft 365 accounts. This technique allows attackers to bypass multi-factor authentication. No specific targeted sectors or regions have been disclosed.

1 Mentions · Last seen 10 Jul 2026 Active

Helix

Relevant · phishing / bec
Nation-state inferred

The new Helix vishing group has emerged in attacks targeting data theft from SharePoint. Through voice phishing, victims are tricked into revealing credentials. The group does not use known malware but relies on social engineering. Details on target industries and regions are currently unknown.

1 Mentions · Last seen 09 Jul 2026 Active

Hyadina

Affects your stack · Microsoft Defender for Endpoint
Unknown

Hyadina is a threat group linked to the GodDamn Ransomware. This ransomware uses a PoisonX driver to bypass endpoint defenses. Nothing is currently known about further targets or activities of the group.

1 Mentions · Last seen 09 Jul 2026 Active

LapDogs

Relevant · espionage / apt
Unknown

LapDogs is a China-linked APT group. According to recent reports, it has expanded its arsenal with new 'Leash' backdoors. This backdoor expansion indicates ongoing capability development. Further details on targeted sectors or regions are not known from the reporting.

1 Mentions · Last seen 08 Jul 2026 Active

Russian state-sponsored threat actors

Affects your stack · Ubiquiti UniFi
Unknown

The given headline does not provide information about Russian state-sponsored threat actors. It reports on critical security patches for Ubiquiti UniFi products.

1 Mentions · Last seen 08 Jul 2026 Active

EvilTokens

Relevant · phishing / bec
Unknown

EvilTokens is a threat actor linked to a new wave of ghost phishing attacks that bypass traditional email security measures. These attacks likely aim to compromise credentials or tokens. The recent campaign highlights the evolving tactics used to infiltrate email systems.

1 Mentions · Last seen 08 Jul 2026 Active

Volt Typhoon

Vanguard Panda · Bronze Silhouette · Voltzite

Relevant · espionage / apt
Nation-state

Volt Typhoon, a China-linked threat actor, was featured in a war game scenario focusing on hacking the US water supply, as indicated by recent reporting.

Water Supply
1 Mentions · Last seen 08 Jul 2026 Active

Storm-2372

Relevant · phishing / bec
Unknown

Storm-2372 is a threat group notable for using the DEBULL tooling. This tooling abuses the Microsoft device-code flow to obtain authentication tokens. Targets are Microsoft 365 accounts, suggesting widespread phishing campaigns. The group may be state-sponsored or financially motivated.

1 Mentions · Last seen 07 Jul 2026 Active

PolinRider

Relevant · espionage / apt
Unknown

PolinRider is a threat actor with limited available information. The provided reporting only includes a generic headline without details on targets or methods. No specific sectors, regions, or malware are known.

1 Mentions · Last seen 06 Jul 2026 Active

Lynx ransomware group

Affects your stack · Fortinet FortiGate
Unknown

The Lynx ransomware group is a criminal organization that conducts ransomware attacks. It has been linked to the FortiBleed campaign, which focuses on credential theft. No further details about its target sectors or regions are known from the available reporting.

1 Mentions · Last seen 01 Jul 2026 Active

CyberAv3ngers, IRGC-linked groups, Russian state actors, Chinese state actors

Relevant · Manufacturing
Unknown

Iranian, Russian, and Chinese state actors, including CyberAv3ngers and IRGC-linked groups, are targeting water systems for sabotage. These attacks threaten critical infrastructure and could endanger public safety.

Water and Wastewater Systems
1 Mentions · Last seen 29 Jun 2026 Active

UNC5792, UNC4221

Relevant · espionage / apt
Unknown

UNC5792 and UNC4221 are believed to be Russian state-sponsored hacking groups. They have been linked to attacks targeting messaging apps. The US has offered a $10 million bounty for information on these hackers. The attacks continue to evolve.

1 Mentions · Last seen 29 Jun 2026 Active

Woodgnat

Affects your stack · Microsoft Remote Desktop Gateway
Unknown

Woodgnat is a threat actor recently linked to the new 'Mistic' Remote Access Trojan (RAT). This RAT opens the door to several ransomware families, indicating potential use as a first-stage malware. Further details on targeted sectors or regions are not available.

1 Mentions · Last seen 24 Jun 2026 Active

StrikeShark

Unknown

StrikeShark is a threat actor recently observed in a campaign delivering Cobalt Strike through SharkLoader. No further details about targeted sectors or regions are available from the reporting.

1 Mentions · Last seen 24 Jun 2026 Active

Russian Initial-Access Broker

Affects your stack · Fortinet FortiGate
Unknown

A Russian Initial Access Broker is behind the FortiBleed campaign. The actor exploits vulnerabilities in Fortinet devices to gain initial network access. This access is then sold to other cybercriminals. Little is known about the broker's identity.

1 Mentions · Last seen 23 Jun 2026 Active

Russian ransomware group

Affects your stack · Fortinet FortiGate
Unknown

A Russian ransomware group is exploiting the FortiBleed vulnerability. The attacks target various organizations. An update shows recent developments among the affected victims.

1 Mentions · Last seen 19 Jun 2026 Active

Gentlemen

Relevant · ransomware
Unknown

Gentlemen is a ransomware group that uses multiple EDR killers to disable security solutions. This allows them to spread their ransomware more effectively and encrypt systems. Little is known about their specific targets, but the group employs advanced techniques to bypass defenses.

1 Mentions · Last seen 18 Jun 2026 Active

Sapphire Sleet

Relevant · supply chain
Nation-state

Sapphire Sleet is a threat actor group recently involved in a supply chain attack on the npm package 'Mastra'. The attackers compromised the package and inserted a malicious postinstall payload that executes upon installation. The exact targets and malware details remain unclear. The incident highlights the risks of supply chain attacks in the software development lifecycle.

Software development
1 Mentions · Last seen 18 Jun 2026 Dormant

Dropping Elephant

Relevant · industrial / ot espionage
Unknown

Dropping Elephant is a threat actor whose tradecraft is tracked through a China-themed loader chain. The headline suggests an analysis of their tactics. No further details on targeted sectors or regions are available from the report.

1 Mentions · Last seen 17 Jun 2026 Dormant

Russian-speaking threat actor group

Affects your stack · Fortinet FortiGate
Unknown

A Russian-speaking threat actor group conducted a sweeping credential-harvesting campaign, compromising over 30,000 Fortinet devices. The goal was to steal login credentials. Further details on targeted sectors or regions are currently unknown.

1 Mentions · Last seen 17 Jun 2026 Dormant

Shai-Hulud

Relevant · supply chain
Unknown

Shai-Hulud is a threat actor linked to a supply-chain worm. This worm exploits vulnerabilities in GitHub that were previously dismissed by GitHub as non-security issues. Researchers report that the worm infiltrates the supply chain and spreads through these flaws.

Technology Software Development
1 Mentions · Last seen 16 Jun 2026 Dormant

China-linked

Relevant · espionage / apt
Nation-state inferred

A China-linked threat actor is using the SprySOCKS backdoor, which has expanded to Windows systems with driver-based stealth. Recent reporting indicates an expansion of capabilities. No information on targets or affected regions is available yet.

1 Mentions · Last seen 16 Jun 2026 Dormant

APT37

Relevant · espionage / apt
Nation-state inferred

APT37 is a North Korean cyber espionage group. Recent reporting describes how the group uses fake Microsoft alerts to deploy NarwhalRAT malware. Further details on targeted sectors and countries are not provided in this headline.

1 Mentions · Last seen 16 Jun 2026 Dormant

China-linked APT

Relevant · espionage / apt
Nation-state inferred

This China-linked APT group abused Google Workspace rules to steal emails from research and defense organizations. The attackers leveraged legitimate cloud platform features to stay undetected. The incident highlights the growing threat of cloud-based espionage.

Research Defense government
1 Mentions · Last seen 15 Jun 2026 Dormant

Contagious Interview

Relevant · supply chain
Nation-state inferred

The North Korean threat actor 'Contagious Interview' is known for turning developer tools into malware delivery channels. They likely use trojanized development packages or fake interview processes to compromise developers. Their activities target the global developer community. Recent reports indicate that North Korean hackers are increasingly infiltrating popular developer tools.

Technology
1 Mentions · Last seen 15 Jun 2026 Dormant

UNC6508

Relevant · espionage / apt
Nation-state inferred

UNC6508 is a China-nexus threat actor targeting the public and private medical community. The actor pursues research in artificial intelligence, cybersecurity, medical, and national defense fields. UNC6508 is known to steal sensitive information from these sectors. No further technical details or associated malware were mentioned in the provided reports.

healthcare artificial intelligence cybersecurity
1 Mentions · Last seen 15 Jun 2026 Dormant

Velvet Ant

Relevant · supply chain
Unknown

Velvet Ant is a China-linked threat actor known for backdooring a Linux login software. This backdoor allowed the group to hide in compromised systems for nearly a decade. The attack represents a supply chain compromise that granted persistent access.

1 Mentions · Last seen 12 Jun 2026 Dormant

Void Blizzard

Relevant · espionage / apt
Nation-state

Void Blizzard is a threat actor linked to espionage activities. Recent reporting indicates that a Russian national was charged in connection with a campaign by this group. The exact targets and methods of the campaign are unknown. The group is believed to be state-sponsored.

1 Mentions · Last seen 11 Jun 2026 Dormant

Chaotic Eclipse

Relevant · Manufacturing
Unknown

Chaotic Eclipse is a threat group that continues to actively use Windows exploits, including a new BitLocker bypass. The group shows sustained activity focusing on exploiting vulnerabilities in Windows systems.

1 Mentions · Last seen 11 Jun 2026 Dormant

Nightmare-Eclipse

Relevant · industrial / ot espionage
Unknown

Nightmare-Eclipse is a threat actor known for releasing Microsoft exploits. They recently dropped another exploit called RoguePlanet. Further details about their targets and operations are not provided in the reporting.

1 Mentions · Last seen 10 Jun 2026 Dormant

China-nexus state-sponsored actors

Relevant · espionage / apt
Unknown

China-nexus state-sponsored actors operate the JDY botnet, which has expanded to over 1,500 devices. It is used for cyber reconnaissance purposes. The threat demonstrates the expansion and capabilities of Chinese actors in cyberspace.

1 Mentions · Last seen 10 Jun 2026 Dormant

China-nexus APT, Glassworm, Crimson Collective

Relevant · espionage / apt
Unknown

The CrowdStrike 2026 Technology Threat Landscape Report indicates that China's ambitions are fueling cyber attacks. China-nexus APT groups such as Glassworm and the Crimson Collective are key actors. These groups target the technology sector to gain strategic advantages.

technology
1 Mentions · Last seen 10 Jun 2026 Dormant

Salt Typhoon

GhostEmperor · FamousSparrow · UNC2286

Relevant · espionage / apt
Nation-state
1 Mentions · Last seen 09 Jun 2026 Dormant

Earth Dahu, SHADOW-EARTH-066

Relevant · DACH
Unknown

Earth Dahu (SHADOW-EARTH-066) is a Russia-aligned group exploiting a WinRAR vulnerability to deploy stealer malware in Ukraine. The attacks aim to steal sensitive information from compromised systems. The group operates in Russia's interest and focuses on Ukrainian targets.

1 Mentions · Last seen 09 Jun 2026 Dormant

APT29, UNC6692

Relevant · espionage / apt
Unknown

The threat actor APT29, also known as UNC6692, has been linked to a social engineering campaign via Microsoft Teams. In this campaign, attackers impersonate IT support. The campaign was reported under the headline 'When “Hi, This Is IT” Comes Through Microsoft Teams'. This underscores the use of legitimate communication platforms for deception.

1 Mentions · Last seen 08 Jun 2026 Dormant

NSO Group

Relevant · phishing / bec
Unknown

NSO Group is an Israeli company known for developing spyware such as Pegasus. According to recent reporting, WhatsApp disrupted new phishing attacks using NSO spyware. The attacks were carried out via phishing messages on WhatsApp. NSO Group faces international criticism for using surveillance software against civil society and governments.

1 Mentions · Last seen 08 Jun 2026 Dormant

VerdantBamboo

Unknown

VerdantBamboo is a threat actor deploying a BSD variant of the BRICKSTORM malware on Linux appliances. The campaign targets Linux-based devices. No further information on targeted sectors or regions is available.

1 Mentions · Last seen 08 Jun 2026 Dormant

UNC3753

Unknown

According to a warning from Google, the group UNC3753 impersonates IT technicians to gain physical access to office spaces. This tactic indicates targeted intrusion attempts where attackers operate on-site. Further details about target sectors or malware used are currently unknown.

1 Mentions · Last seen 06 Jun 2026 Dormant

UNC5221

Relevant · espionage / apt
Nation-state inferred

UNC5221 is a Chinese advanced persistent threat (APT) group recently observed deploying new malware to maintain access to compromised networks. This backdoor malware allows the actor to remain persistent within infiltrated environments and continue unauthorized activities. No specific target sectors or regions are mentioned in the available headlines.

1 Mentions · Last seen 05 Jun 2026 Dormant

OP-512

Relevant · industrial / ot espionage
Unknown

OP-512 is a new threat cluster targeting Microsoft IIS servers. The actor uses a custom web shell framework to compromise the servers. The goal is likely to establish persistent access and execute commands. Further details are not available from the provided headlines.

1 Mentions · Last seen 05 Jun 2026 Dormant

Iranian state-backed ransomware actors

Relevant · ransomware
Unknown

Iranian state-backed ransomware actors use the Nobitex crypto exchange for their operations. The U.S. has imposed sanctions on Nobitex to disrupt these activities.

1 Mentions · Last seen 03 Jun 2026 Dormant

China-aligned APT

Relevant · espionage / apt
Unknown

China-aligned APT groups are ramping up attacks, as indicated by a recent report. The Dragon Weave group has targeted entities in the Czech Republic and Taiwan. No further details on targeted sectors or malware used were disclosed.

1 Mentions · Last seen 01 Jun 2026 Dormant

Akira

Storm-1567 · Punk Spider

Affects your stack · Microsoft Defender for Endpoint
Cybercrime

The Akira ransomware group's kill chain has been reconstructed from perimeter and endpoint logs. The analysis describes the group's attack sequence. The provided headline does not specify targeted sectors or regions.

1 Mentions · Last seen 27 May 2026 Dormant

FSB, GRU

Relevant · espionage / apt
Unknown

The Russian domestic intelligence service FSB and military intelligence service GRU are responsible for numerous cyber espionage and sabotage operations. They often target government agencies, critical infrastructure, and political institutions to collect intelligence and exert influence. According to reports, a server network allegedly used to support cyberattacks has been dismantled.

1 Mentions · Last seen 25 May 2026 Dormant

Nimbus Manticore

Unknown

Nimbus Manticore is a threat actor operating during the Iranian conflict. Its operations are described as 'Fast and Furious', indicating swift and intensive attacks. No further details on targeted sectors or malware are available from the provided reporting.

1 Mentions · Last seen 22 May 2026 Dormant

Screening Serpens

Relevant · espionage / apt
Nation-state inferred

Screening Serpens is an Iranian Advanced Persistent Threat (APT) group tracked in espionage campaigns in 2026.

technology defense
1 Mentions · Last seen 22 May 2026 Dormant

APT29

Cozy Bear · Nobelium · Midnight Blizzard

Relevant · espionage / apt
Nation-state

APT29, also known as Cozy Bear, is a nation-state actor. Recent reporting highlights the use of ROADtools for cloud-based operations. Tactics focus on compromising cloud identities.

1 Mentions · Last seen 22 May 2026 Dormant

Cloud Atlas

Inception · Clean Ursa

Affects your stack · Microsoft Active Directory
Nation-state

Cloud Atlas is a threat actor that was active in the second half of 2025 and early 2026. During this period, it deployed new tools and a new payload. No detailed information about targeted sectors or affected regions is available.

1 Mentions · Last seen 22 May 2026 Dormant

Webworm

Space Pirates

Relevant · espionage / apt
Nation-state

Webworm is a Chinese threat actor. It has been observed using Discord and Microsoft Graph APIs to target European Union governments. The attacks involve exploiting these services to gain access to government systems.

Government
1 Mentions · Last seen 22 May 2026 Dormant

lwxat

Unknown

lwxat is a Chinese-speaking threat actor associated with a commodity BadIIS ecosystem. This Malware-as-a-Service infrastructure targets IIS web servers. The actor is mentioned in a report tracking this ecosystem.

1 Mentions · Last seen 19 May 2026 Dormant

Storm-2949

Relevant · Manufacturing
Unknown

Storm-2949 is a threat group that caused a cloud-wide security incident through the compromise of an identity. The actors use stolen credentials to move laterally within cloud infrastructures. Little is known about the specific targets and malware used. The incident highlights the importance of identity protection in cloud environments.

1 Mentions · Last seen 18 May 2026 Dormant

UNC6671

Relevant · ransomware
Unknown

UNC6671 is a threat actor associated with the vishing-based extortion operation BlackFile. It uses voice phishing to extort victims. No further details on targeted sectors, regions, or malware are currently available.

1 Mentions · Last seen 15 May 2026 Dormant

Kimsuky

Velvet Chollima · Emerald Sleet · Thallium

Relevant · espionage / apt
Nation-state

Kimsuky is a North Korean cyber threat actor known for espionage operations. Recent reports indicate that the group is targeting organizations with PebbleDash-based tools. This campaign highlights the persistent threat posed by North Korean actors. The exact targets and affected regions are currently unspecified.

1 Mentions · Last seen 14 May 2026 Dormant

BufferZoneCorp

Relevant · phishing / bec
Unknown

BufferZoneCorp is a threat actor that poisons Ruby Gems and Go modules to exploit CI pipelines for credential theft. By injecting malicious code into package dependencies, the attacker compromises development environments. The goal is to steal credentials to gain access to additional systems. These attacks endanger the integrity of software supply chains.

Software Development
1 Mentions · Last seen 01 May 2026 Dormant

UAT-4356

Unknown

UAT-4356 is a threat actor recently observed targeting Cisco Firepower devices. Limited information is currently available about the actor's exact methods and objectives. Further research is needed to complete the profile.

1 Mentions · Last seen 23 Apr 2026 Dormant

Chinese state-sponsored APT group

Relevant · supply chain
Unknown

The actor is a Chinese state-sponsored APT group conducting supply chain attacks in the hypersonic technology sector. The group targets organizations involved in the development of hypersonic weapons or vehicles. A recent report discusses a solution for detecting such attacks without needing to know the payload. Specific targets and malware used are not known from the available information.

Defense Aerospace
1 Mentions · Last seen 22 Apr 2026 Dormant

BRICKSTORM

Affects your stack · VMware vSphere 8 / ESXi
Unknown

BRICKSTORM is a threat actor group associated with a malware of the same name. The recent report 'vSphere and BRICKSTORM Malware: A Defender's Guide' focuses on their activities targeting VMware vSphere environments. No further specific information about targeted sectors or regions is available. The malware appears to aim at virtualized infrastructures.

1 Mentions · Last seen 02 Apr 2026 Dormant

UNC1069

Relevant · supply chain
Nation-state inferred

UNC1069 is a North Korea-linked threat actor that recently executed a supply chain attack by compromising the widely used Axios NPM package. This incident highlights their focus on software supply chain attacks to target a broad range of victims.

Softwareentwicklung Open-Source-Ökosystem
1 Mentions · Last seen 31 Mar 2026 Dormant

UNC6201, UNC5807

Unknown

No specific information about UNC6201 and UNC5807 is available from the provided headline. The M-Trends 2026 report provides general insights and strategies from Mandiant. Therefore, no further details can be inferred.

1 Mentions · Last seen 23 Mar 2026 Dormant
ESC