Threat intelligence
Threat actors
Cumulative actor profiles from the Auto-CTI pipeline: attribution from curated reference data, targeting and summaries distilled from processed reporting. Click a card for the full profile.
Russia
Relevant · espionage / aptRussia is a state-sponsored threat actor that conducts cyberattacks on critical infrastructure, as warned by the US and allies. Russia uses social engineering to compromise messaging accounts and engages in espionage, such as spying on NATO transport routes using hacked cameras. The threat persists for countries including Switzerland. The US offers bounties for Russian hackers following attacks on Signal.
TeamPCP
Relevant · supply chainTeamPCP is a threat group known for large-scale supply chain attacks on open source ecosystems. They target package managers like npm and PyPI to inject malicious code into widely used libraries. The campaign involves container escape techniques and is documented under the name 'Mini Shai-Hulud'. Their activities have been observed through mid-2026 and pose a significant risk to the software supply chain.
HAFNIUM
Silk Typhoon
Affects your stack · Microsoft Windows Server 2022HAFNIUM is a state-sponsored threat actor group that recently exploited multiple critical vulnerabilities in Microsoft Exchange Server, including CVE-2022-41082, CVE-2021-26858, CVE-2021-27065, and CVE-2021-26857. These vulnerabilities allowed remote code execution and were used in targeted attacks.
Russian state-sponsored APT
Relevant · espionage / aptThe Russian state-sponsored APT targets network devices such as routers to gain access. Official warnings emphasize the ongoing threat. Recently, a WinRAR vulnerability was exploited to attack Ukrainian organizations. This demonstrates the continued focus on Ukraine and the use of vulnerabilities in widely used software.
Turla
Snake · Venomous Bear · Secret Blizzard
Relevant · espionage / aptTurla is a Russian threat actor known for espionage and destructive attacks. The EU has imposed sanctions on Russia related to severe cyberattacks and sabotage. According to Google, Turla uses the new STOCKSTAY backdoor in espionage attacks in Ukraine.
Nightmare Eclipse
Nightmare Eclipse is a threat actor associated with the 'RoguePlanet' zero-day vulnerability. Recent reports indicate that Microsoft is working on a patch for this exploit. There is no further information on targeted sectors or regions.
Gamaredon
Primitive Bear · Aqua Blizzard · Shuckworm
Relevant · espionage / aptGamaredon is a Russian APT group that is expanding its attacks on Ukraine. Recent reports indicate the use of new malware and cloud service abuse. The group has upgraded its arsenal and exploits vulnerabilities such as WinRAR to deliver malware like GammaWorm and GammaSteel.
The Gentlemen
Affects your stack · Microsoft Defender for EndpointThe Gentlemen is a Ransomware-as-a-Service group known for using custom backdoors and evolving tactics. They employ the GentleKiller EDR framework to disable up to 400 security processes. Their ransomware spreads like a worm and has claimed 478 victims.
China
Relevant · espionage / aptChina conducts cyber espionage targeting universities and other organizations. German domestic intelligence warns of increased vigilance at universities. Google has exposed a Chinese espionage group that has been undetected in networks since 2023. Additionally, a dual-method cyberattack was launched against Czech organizations.
ShinyHunters
Relevant · industrial / ot espionageShinyHunters is a threat actor group known for abusing OAuth in SaaS-based applications. Recent reports highlight the need to defend SaaS applications against such attacks. The group targets cloud services. No specific malware details are evident from the provided headlines.
Iran
Relevant · espionage / aptIran has expanded its cyber activities beyond critical infrastructure to broader targets. Despite a ceasefire agreement, Iranian hackers continue their attacks unabated. The threat thus persists regardless of diplomatic developments. This indicates that Iran remains a persistent cyber threat.
UAT-7810
UAT-7810 is a China-linked threat actor expanding its ORB network with the new LONGLEASH malware. The actor reportedly achieves a 54% success rate in its operations.
ToddyCat
Relevant · espionage / aptToddyCat is a threat actor that, according to a Q1 2026 threat landscape report, targets industrial automation systems. The actor is also associated with a hidden email assistant, indicating email-based espionage. These capabilities suggest a focus on industrial espionage.
North Korea
Relevant · supply chainNorth Korean hackers are increasingly conducting supply chain attacks to compromise open source software. These campaigns aim to infiltrate developers and organizations. Microsoft recently linked a supply chain attack on the AI platform Mastra AI to North Korean threat actors.
Russian Intelligence Services
Relevant · espionage / aptRussian intelligence services target messenger backup keys to gain access to communications. They use fake support texts to steal messaging credentials. The FBI and Ukrainian authorities warn about these attacks.
Russian intelligence services
Relevant · espionage / aptRussian intelligence services are targeting Signal backup recovery keys to intercept encrypted communications, according to FBI reports. This technique is likely deployed against high-value targets such as government officials, journalists, and activists. The warning highlights the persistent cyber espionage threat posed by Russian state actors.
Russian-speaking threat actors
Affects your stack · Fortinet FortiGateRussian-speaking threat actors are targeting Fortinet FortiGate devices. The campaign, dubbed 'FortiBleed', has compromised over 86,000 devices and is harvesting credentials. CISA is warning affected customers about these attacks.
DragonForce
Relevant · ransomwareDragonForce is a ransomware group that abuses Microsoft Teams relay servers to disguise command-and-control traffic for a backdoor called Backdoor.Turn. This technique allows the group to conduct ransomware attacks while evading detection.
Qilin
Relevant · ransomwareThe Qilin ransomware group has exploited a zero-day vulnerability in Check Point VPNs to conduct ransomware attacks. Reports indicate Qilin is responsible for recent attacks targeting VPN infrastructure. The attacks highlight the group's ability to leverage security vulnerabilities effectively.
TA4922
Relevant · phishing / becTA4922 is a China-linked threat actor conducting phishing attacks. According to recent reports, TA4922 has expanded its phishing campaigns to the United Kingdom, Germany, Italy, and South Africa. This expansion indicates a broadening of their geographic targeting. No further details about their methods or victims are currently available.
Fox Tempest
Affects your stack · Microsoft Defender for EndpointFox Tempest is a threat actor notable for multi-stage Linux intrusions, gaining access via edge appliances like F5 and collaboration software such as Confluence to achieve enterprise-wide compromise.
CL-STA-1132
Affects your stack · Microsoft Remote Desktop GatewayCL-STA-1132 is a threat actor exploiting zero-day vulnerabilities in Palo Alto Networks PAN-OS. Recent reporting indicates exploitation of a flaw in the Captive Portal and a critical buffer overflow in the User-ID Authentication Portal to achieve unauthenticated remote code execution. The group targets systems running PAN-OS, likely for espionage or network compromise. Activities include exploitation of CVE-2026-0300.
UNC6692
Relevant · ManufacturingUNC6692 is a threat group that combines social engineering with malware and cloud abuse. They deployed custom malware suites to compromise targets. The group used sophisticated social engineering techniques. Additionally, they abused cloud infrastructure for malicious purposes.
Russian intelligence agency
Relevant · espionage / aptThe Russian intelligence agency is conducting hacking attacks that, according to an advisory, focus on NATO logistics and Ukrainian troops. They hack cameras to obtain confidential information. These activities demonstrate a continued interest in military movements and operations.
UNK_CustomCloak
Affects your stack · Microsoft Entra IDUNK_CustomCloak uses OAuth Client ID spoofing to validate stolen Microsoft Entra credentials. This technique enables attackers to take over compromised accounts. No further details are known about this actor.
Russian APT, Salt Typhoon
Relevant · espionage / aptRussian APT groups are conducting cyberattacks on critical infrastructure routers, according to warnings from the US and allies. These attacks aim to compromise networks and steal sensitive information. Affected entities are primarily in the US and allied nations. Security agencies urge increased vigilance and protective measures.
Russian state intelligence services
Relevant · espionage / aptRussian state intelligence services pose a persistent threat to critical infrastructure. Recent reports indicate that the UK and its allies are calling for enhanced defensive measures. The actors employ advanced cyber operations for espionage purposes.
Russian GRU
Relevant · DACHThe EU imposed sanctions on Russian GRU military hackers over cyberattacks. These attacks likely targeted EU member states. The GRU is a known threat actor responsible for offensive cyber operations.
APT28
Fancy Bear · Sofacy · Sednit
Relevant · espionage / aptAPT28, also known as Fancy Bear, is a cyber unit attributed to Russia's FSB. Recent reporting holds the group responsible for an attack on Poland's power grid. This incident prompted the first joint cyber sanctions from the UK and EU.
O-UNC-066
Affects your stack · Microsoft Entra IDO-UNC-066 is a threat actor group recently observed in a campaign using fake Microsoft Entra passkey enrollment. Users are tricked into registering for a fraudulent passkey, granting unauthorized access to Microsoft 365 accounts. This technique allows attackers to bypass multi-factor authentication. No specific targeted sectors or regions have been disclosed.
Helix
Relevant · phishing / becThe new Helix vishing group has emerged in attacks targeting data theft from SharePoint. Through voice phishing, victims are tricked into revealing credentials. The group does not use known malware but relies on social engineering. Details on target industries and regions are currently unknown.
Hyadina
Affects your stack · Microsoft Defender for EndpointHyadina is a threat group linked to the GodDamn Ransomware. This ransomware uses a PoisonX driver to bypass endpoint defenses. Nothing is currently known about further targets or activities of the group.
LapDogs
Relevant · espionage / aptLapDogs is a China-linked APT group. According to recent reports, it has expanded its arsenal with new 'Leash' backdoors. This backdoor expansion indicates ongoing capability development. Further details on targeted sectors or regions are not known from the reporting.
Russian state-sponsored threat actors
Affects your stack · Ubiquiti UniFiThe given headline does not provide information about Russian state-sponsored threat actors. It reports on critical security patches for Ubiquiti UniFi products.
EvilTokens
Relevant · phishing / becEvilTokens is a threat actor linked to a new wave of ghost phishing attacks that bypass traditional email security measures. These attacks likely aim to compromise credentials or tokens. The recent campaign highlights the evolving tactics used to infiltrate email systems.
Volt Typhoon
Vanguard Panda · Bronze Silhouette · Voltzite
Relevant · espionage / aptVolt Typhoon, a China-linked threat actor, was featured in a war game scenario focusing on hacking the US water supply, as indicated by recent reporting.
Storm-2372
Relevant · phishing / becStorm-2372 is a threat group notable for using the DEBULL tooling. This tooling abuses the Microsoft device-code flow to obtain authentication tokens. Targets are Microsoft 365 accounts, suggesting widespread phishing campaigns. The group may be state-sponsored or financially motivated.
PolinRider
Relevant · espionage / aptPolinRider is a threat actor with limited available information. The provided reporting only includes a generic headline without details on targets or methods. No specific sectors, regions, or malware are known.
Lynx ransomware group
Affects your stack · Fortinet FortiGateThe Lynx ransomware group is a criminal organization that conducts ransomware attacks. It has been linked to the FortiBleed campaign, which focuses on credential theft. No further details about its target sectors or regions are known from the available reporting.
CyberAv3ngers, IRGC-linked groups, Russian state actors, Chinese state actors
Relevant · ManufacturingIranian, Russian, and Chinese state actors, including CyberAv3ngers and IRGC-linked groups, are targeting water systems for sabotage. These attacks threaten critical infrastructure and could endanger public safety.
UNC5792, UNC4221
Relevant · espionage / aptUNC5792 and UNC4221 are believed to be Russian state-sponsored hacking groups. They have been linked to attacks targeting messaging apps. The US has offered a $10 million bounty for information on these hackers. The attacks continue to evolve.
Woodgnat
Affects your stack · Microsoft Remote Desktop GatewayWoodgnat is a threat actor recently linked to the new 'Mistic' Remote Access Trojan (RAT). This RAT opens the door to several ransomware families, indicating potential use as a first-stage malware. Further details on targeted sectors or regions are not available.
StrikeShark
StrikeShark is a threat actor recently observed in a campaign delivering Cobalt Strike through SharkLoader. No further details about targeted sectors or regions are available from the reporting.
Russian Initial-Access Broker
Affects your stack · Fortinet FortiGateA Russian Initial Access Broker is behind the FortiBleed campaign. The actor exploits vulnerabilities in Fortinet devices to gain initial network access. This access is then sold to other cybercriminals. Little is known about the broker's identity.
Russian ransomware group
Affects your stack · Fortinet FortiGateA Russian ransomware group is exploiting the FortiBleed vulnerability. The attacks target various organizations. An update shows recent developments among the affected victims.
Gentlemen
Relevant · ransomwareGentlemen is a ransomware group that uses multiple EDR killers to disable security solutions. This allows them to spread their ransomware more effectively and encrypt systems. Little is known about their specific targets, but the group employs advanced techniques to bypass defenses.
Sapphire Sleet
Relevant · supply chainSapphire Sleet is a threat actor group recently involved in a supply chain attack on the npm package 'Mastra'. The attackers compromised the package and inserted a malicious postinstall payload that executes upon installation. The exact targets and malware details remain unclear. The incident highlights the risks of supply chain attacks in the software development lifecycle.
Dropping Elephant
Relevant · industrial / ot espionageDropping Elephant is a threat actor whose tradecraft is tracked through a China-themed loader chain. The headline suggests an analysis of their tactics. No further details on targeted sectors or regions are available from the report.
Russian-speaking threat actor group
Affects your stack · Fortinet FortiGateA Russian-speaking threat actor group conducted a sweeping credential-harvesting campaign, compromising over 30,000 Fortinet devices. The goal was to steal login credentials. Further details on targeted sectors or regions are currently unknown.
Shai-Hulud
Relevant · supply chainShai-Hulud is a threat actor linked to a supply-chain worm. This worm exploits vulnerabilities in GitHub that were previously dismissed by GitHub as non-security issues. Researchers report that the worm infiltrates the supply chain and spreads through these flaws.
China-linked
Relevant · espionage / aptA China-linked threat actor is using the SprySOCKS backdoor, which has expanded to Windows systems with driver-based stealth. Recent reporting indicates an expansion of capabilities. No information on targets or affected regions is available yet.
APT37
Relevant · espionage / aptAPT37 is a North Korean cyber espionage group. Recent reporting describes how the group uses fake Microsoft alerts to deploy NarwhalRAT malware. Further details on targeted sectors and countries are not provided in this headline.
China-linked APT
Relevant · espionage / aptThis China-linked APT group abused Google Workspace rules to steal emails from research and defense organizations. The attackers leveraged legitimate cloud platform features to stay undetected. The incident highlights the growing threat of cloud-based espionage.
Contagious Interview
Relevant · supply chainThe North Korean threat actor 'Contagious Interview' is known for turning developer tools into malware delivery channels. They likely use trojanized development packages or fake interview processes to compromise developers. Their activities target the global developer community. Recent reports indicate that North Korean hackers are increasingly infiltrating popular developer tools.
UNC6508
Relevant · espionage / aptUNC6508 is a China-nexus threat actor targeting the public and private medical community. The actor pursues research in artificial intelligence, cybersecurity, medical, and national defense fields. UNC6508 is known to steal sensitive information from these sectors. No further technical details or associated malware were mentioned in the provided reports.
Velvet Ant
Relevant · supply chainVelvet Ant is a China-linked threat actor known for backdooring a Linux login software. This backdoor allowed the group to hide in compromised systems for nearly a decade. The attack represents a supply chain compromise that granted persistent access.
Void Blizzard
Relevant · espionage / aptVoid Blizzard is a threat actor linked to espionage activities. Recent reporting indicates that a Russian national was charged in connection with a campaign by this group. The exact targets and methods of the campaign are unknown. The group is believed to be state-sponsored.
Chaotic Eclipse
Relevant · ManufacturingChaotic Eclipse is a threat group that continues to actively use Windows exploits, including a new BitLocker bypass. The group shows sustained activity focusing on exploiting vulnerabilities in Windows systems.
Nightmare-Eclipse
Relevant · industrial / ot espionageNightmare-Eclipse is a threat actor known for releasing Microsoft exploits. They recently dropped another exploit called RoguePlanet. Further details about their targets and operations are not provided in the reporting.
China-nexus state-sponsored actors
Relevant · espionage / aptChina-nexus state-sponsored actors operate the JDY botnet, which has expanded to over 1,500 devices. It is used for cyber reconnaissance purposes. The threat demonstrates the expansion and capabilities of Chinese actors in cyberspace.
China-nexus APT, Glassworm, Crimson Collective
Relevant · espionage / aptThe CrowdStrike 2026 Technology Threat Landscape Report indicates that China's ambitions are fueling cyber attacks. China-nexus APT groups such as Glassworm and the Crimson Collective are key actors. These groups target the technology sector to gain strategic advantages.
Salt Typhoon
GhostEmperor · FamousSparrow · UNC2286
Relevant · espionage / aptEarth Dahu, SHADOW-EARTH-066
Relevant · DACHEarth Dahu (SHADOW-EARTH-066) is a Russia-aligned group exploiting a WinRAR vulnerability to deploy stealer malware in Ukraine. The attacks aim to steal sensitive information from compromised systems. The group operates in Russia's interest and focuses on Ukrainian targets.
APT29, UNC6692
Relevant · espionage / aptThe threat actor APT29, also known as UNC6692, has been linked to a social engineering campaign via Microsoft Teams. In this campaign, attackers impersonate IT support. The campaign was reported under the headline 'When “Hi, This Is IT” Comes Through Microsoft Teams'. This underscores the use of legitimate communication platforms for deception.
NSO Group
Relevant · phishing / becNSO Group is an Israeli company known for developing spyware such as Pegasus. According to recent reporting, WhatsApp disrupted new phishing attacks using NSO spyware. The attacks were carried out via phishing messages on WhatsApp. NSO Group faces international criticism for using surveillance software against civil society and governments.
VerdantBamboo
VerdantBamboo is a threat actor deploying a BSD variant of the BRICKSTORM malware on Linux appliances. The campaign targets Linux-based devices. No further information on targeted sectors or regions is available.
UNC3753
According to a warning from Google, the group UNC3753 impersonates IT technicians to gain physical access to office spaces. This tactic indicates targeted intrusion attempts where attackers operate on-site. Further details about target sectors or malware used are currently unknown.
UNC5221
Relevant · espionage / aptUNC5221 is a Chinese advanced persistent threat (APT) group recently observed deploying new malware to maintain access to compromised networks. This backdoor malware allows the actor to remain persistent within infiltrated environments and continue unauthorized activities. No specific target sectors or regions are mentioned in the available headlines.
OP-512
Relevant · industrial / ot espionageOP-512 is a new threat cluster targeting Microsoft IIS servers. The actor uses a custom web shell framework to compromise the servers. The goal is likely to establish persistent access and execute commands. Further details are not available from the provided headlines.
Iranian state-backed ransomware actors
Relevant · ransomwareIranian state-backed ransomware actors use the Nobitex crypto exchange for their operations. The U.S. has imposed sanctions on Nobitex to disrupt these activities.
China-aligned APT
Relevant · espionage / aptChina-aligned APT groups are ramping up attacks, as indicated by a recent report. The Dragon Weave group has targeted entities in the Czech Republic and Taiwan. No further details on targeted sectors or malware used were disclosed.
Akira
Storm-1567 · Punk Spider
Affects your stack · Microsoft Defender for EndpointThe Akira ransomware group's kill chain has been reconstructed from perimeter and endpoint logs. The analysis describes the group's attack sequence. The provided headline does not specify targeted sectors or regions.
FSB, GRU
Relevant · espionage / aptThe Russian domestic intelligence service FSB and military intelligence service GRU are responsible for numerous cyber espionage and sabotage operations. They often target government agencies, critical infrastructure, and political institutions to collect intelligence and exert influence. According to reports, a server network allegedly used to support cyberattacks has been dismantled.
Nimbus Manticore
Nimbus Manticore is a threat actor operating during the Iranian conflict. Its operations are described as 'Fast and Furious', indicating swift and intensive attacks. No further details on targeted sectors or malware are available from the provided reporting.
Screening Serpens
Relevant · espionage / aptScreening Serpens is an Iranian Advanced Persistent Threat (APT) group tracked in espionage campaigns in 2026.
APT29
Cozy Bear · Nobelium · Midnight Blizzard
Relevant · espionage / aptAPT29, also known as Cozy Bear, is a nation-state actor. Recent reporting highlights the use of ROADtools for cloud-based operations. Tactics focus on compromising cloud identities.
Cloud Atlas
Inception · Clean Ursa
Affects your stack · Microsoft Active DirectoryCloud Atlas is a threat actor that was active in the second half of 2025 and early 2026. During this period, it deployed new tools and a new payload. No detailed information about targeted sectors or affected regions is available.
Webworm
Space Pirates
Relevant · espionage / aptWebworm is a Chinese threat actor. It has been observed using Discord and Microsoft Graph APIs to target European Union governments. The attacks involve exploiting these services to gain access to government systems.
lwxat
lwxat is a Chinese-speaking threat actor associated with a commodity BadIIS ecosystem. This Malware-as-a-Service infrastructure targets IIS web servers. The actor is mentioned in a report tracking this ecosystem.
Storm-2949
Relevant · ManufacturingStorm-2949 is a threat group that caused a cloud-wide security incident through the compromise of an identity. The actors use stolen credentials to move laterally within cloud infrastructures. Little is known about the specific targets and malware used. The incident highlights the importance of identity protection in cloud environments.
UNC6671
Relevant · ransomwareUNC6671 is a threat actor associated with the vishing-based extortion operation BlackFile. It uses voice phishing to extort victims. No further details on targeted sectors, regions, or malware are currently available.
Kimsuky
Velvet Chollima · Emerald Sleet · Thallium
Relevant · espionage / aptKimsuky is a North Korean cyber threat actor known for espionage operations. Recent reports indicate that the group is targeting organizations with PebbleDash-based tools. This campaign highlights the persistent threat posed by North Korean actors. The exact targets and affected regions are currently unspecified.
BufferZoneCorp
Relevant · phishing / becBufferZoneCorp is a threat actor that poisons Ruby Gems and Go modules to exploit CI pipelines for credential theft. By injecting malicious code into package dependencies, the attacker compromises development environments. The goal is to steal credentials to gain access to additional systems. These attacks endanger the integrity of software supply chains.
UAT-4356
UAT-4356 is a threat actor recently observed targeting Cisco Firepower devices. Limited information is currently available about the actor's exact methods and objectives. Further research is needed to complete the profile.
Chinese state-sponsored APT group
Relevant · supply chainThe actor is a Chinese state-sponsored APT group conducting supply chain attacks in the hypersonic technology sector. The group targets organizations involved in the development of hypersonic weapons or vehicles. A recent report discusses a solution for detecting such attacks without needing to know the payload. Specific targets and malware used are not known from the available information.
BRICKSTORM
Affects your stack · VMware vSphere 8 / ESXiBRICKSTORM is a threat actor group associated with a malware of the same name. The recent report 'vSphere and BRICKSTORM Malware: A Defender's Guide' focuses on their activities targeting VMware vSphere environments. No further specific information about targeted sectors or regions is available. The malware appears to aim at virtualized infrastructures.
UNC1069
Relevant · supply chainUNC1069 is a North Korea-linked threat actor that recently executed a supply chain attack by compromising the widely used Axios NPM package. This incident highlights their focus on software supply chain attacks to target a broad range of victims.
UNC6201, UNC5807
No specific information about UNC6201 and UNC5807 is available from the provided headline. The M-Trends 2026 report provides general insights and strategies from Mandiant. Therefore, no further details can be inferred.