Mallory

Trending Adversaries

Who's moving, and how fast. Mallory tracks named threat actors across vendor reports, researcher analysis, and underground chatter, then surfaces the ones picking up momentum this week.

Ranked by Mallory's mention-velocity model across sources.

Mention map · Last week (tile size and color scale: mention volume, highest to lowest)

Top 24 threat actors · Last week

#1 ShinyHunters
Cybercrime

ShinyHunters is a financially motivated cybercrime and extortion group active since at least 2020. Known aliases in the provided content include bling_libra, shinyhunter, shiny_hunters, UNC6040, and UNC6240. The content also references related clusters and broader activity involving UNC6395, UNC5537, and UNC6661. The group is described as prolific in large-scale data theft and pay-or-leak extortion campaigns across multiple sectors, including education, healthcare/medical device, finance, and enterprise SaaS users. Reported victims and claimed victims in the provided content include Kodak, CFGI, Medtronic, the Council of Europe, educational institutions such as Glendale Community College, Moody Bible Institute, Illinois Central College, Houston City College, and organizations affected through Oracle PeopleSoft and Salesforce-related campaigns. The content also links ShinyHunters to breaches involving Instructure/Canvas, Charter Communications, the University of Nottingham, and attacks affecting more than 100 organizations. Tradecraft described in the content includes social engineering and vishing, especially help-desk impersonation; abuse of trusted identity and SaaS workflows; malicious Salesforce connected apps; theft and use of OAuth tokens; exploitation of third-party integrations such as Salesloft Drift; and bulk data exfiltration for extortion. In the UNC6040 campaign, an attacker called a help desk, impersonated internal IT, and guided an employee through a troubleshooting process that resulted in approval of a malicious Salesforce connected app, yielding an OAuth token with the user’s permissions. Related activity described as UNC6395 used stolen OAuth tokens tied to trusted integrations and gained access without malware, login prompts, or suspicious endpoint artifacts. The content states these methods can bypass MFA without password spraying or traditional exploit chains. 
The group is also reported to have exploited Oracle PeopleSoft zero-day CVE-2026-35273, an unauthenticated remote code execution flaw affecting PeopleTools 8.61 and 8.62, in a campaign targeting at least 100 organizations and more than 300 PeopleSoft instances, many in the education sector. The Council of Europe claim is specifically tied in the content to this vulnerability. The content characterizes ShinyHunters as resilient organizationally, with the brand reappearing after forum seizures and arrests. It states the group remained active in 2026 despite multiple disruptions, and references founder Sébastien Raoult being extradited and sentenced. The content further states that by 2025 the ShinyHunters identity had expanded through a 'Scattered LAPSUS$ Hunters' federation combining ShinyHunters brand recognition with Scattered Spider social-engineering expertise and LAPSUS$-style aggressive tactics. Additional reporting in the content links ShinyHunters to collaboration or overlap with Scattered Spider, The Com, and LAPSUS$, and describes cloud-focused intrusion activity, SSO targeting, insider recruitment, and possible development of a 'shinysp1d3r' ransomware-as-a-service capability, though these latter points are attributed to EclecticIQ assessments.

Mentions: 50
#2 DragonForce

DragonForce is a cybercriminal ransomware operation active since at least 2023, described in the reporting as a ransomware-as-a-service (RaaS) operation that later adopted a cartel-style structure and publicly rebranded as a "ransomware cartel" in 2025. The group operates an affiliate model, with reporting noting an 80% revenue share and aggressive recruitment on English-speaking cybercrime forums. Content also states that DragonForce has been linked to Scattered Spider, and that affiliates attributed to Scattered Spider reportedly used DragonForce in attacks on UK retailers Marks & Spencer, Co-op, and Harrods in 2025. EclecticIQ reporting further assesses collaboration between DragonForce affiliates and other eCrime actors including ShinyHunters. Victimology in the provided content shows broad, opportunistic targeting rather than a single vertical focus. Reported targets include a major U.S. services firm, multiple UK organizations, and victims across sectors including business services, manufacturing, construction, technology, healthcare, finance, logistics, retail, and managed service providers. The content states DragonForce affiliates commonly exploit exposed remote access infrastructure and compromised credentials, including internet-facing RDP gateways, public-facing RDP, SSL-VPN accounts, and edge devices such as Ivanti Connect Secure, Fortinet FortiOS, and SonicWall SSL-VPN. 
Observed tradecraft includes brute-force or credential-compromise access via RDP; DLL sideloading using legitimate executables including VirtualBox and DbgView64.exe; account creation; firewall and Windows configuration changes; reconnaissance with tools such as PingCastle, SoftPerfect NetScan, and Advanced IP Scanner; credential theft including browser credential theft and use of Get-VeeamCreds.ps1; lateral movement via PsExec and internal RDP; use of Cobalt Strike, AnyDesk, SimpleHelp, PowerShell encoded commands, rPivot, and Mimikatz; exfiltration with Restic; and ransomware deployment with associated ransom notes including readme.txt, [rand].README.txt, and readme.xt. A prominent recent capability described in the content is the custom Go-based backdoor Backdoor.Turn, used in a DragonForce intrusion against a major U.S. services company. Symantec and Carbon Black reported that Backdoor.Turn abused Microsoft Teams TURN relay infrastructure by obtaining an anonymous Teams visitor token, relaying traffic through legitimate Microsoft infrastructure, and then establishing QUIC communications to the real command-and-control server. The reporting states this made malicious traffic appear as normal Microsoft Teams activity and was the first known in-the-wild malware abuse of Teams TURN relays in this manner. Backdoor.Turn reportedly supported command execution, process creation, network scanning, LDAP and Active Directory mapping, lateral movement with stolen credentials, TLS certificate capture, and browser credential theft. In the cited intrusion, DragonForce reportedly remained in the victim environment for one to two months. The content also highlights extensive defense evasion, especially Bring Your Own Vulnerable Driver (BYOVD) tradecraft used to disable security tools at kernel level. 
Reported drivers and tooling include Huawei HWAuidoOs2Ec.sys as part of Havoc Process Terminator, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), K7 Security K7RKScan.sys (CVE-2025-1055), KslD.sys, TruesightKiller, ThrottleBlood, and the ABYSSWORKER malicious driver masquerading as a Palo Alto Networks component. Reporting also notes DragonForce alongside process-killer driver tradecraft sets and states that some DragonForce-related actors ban attacks on Russian-linked targets.

Mentions: 17 · Origin: NL
#3 Qilin
Financially Motivated

Qilin is a ransomware-as-a-service (RaaS) operation that surfaced in August 2022. Known aliases in the provided content include Agenda, Gold Feather, Qilin, Qilin Gang, Qilin Ransomware, Qilin Ransomware Gang, Qilin Ransomware Group, Qirin, and Water Galura. The group is described as one of the most prolific ransomware brands in 2026, with reporting in the provided content stating it was the most prolific by published victim count and had claimed more than 400 victims on its dark web leak site. Rapid7 estimated Qilin generated approximately $193 million between July 2025 and March 2026. The content identifies Qilin as an active ransomware threat across multiple regions and sectors. It was listed among the leading ransomware groups active in the Middle East, Turkey, and Africa in Q1 2026, and Sophos reporting cited in the content identified Qilin as one of the most prevalent ransomware brands in 2025 incident-response cases. The content also notes public-sector and healthcare impact, including references to the Synnovis attack and NHS-related breaches. Observed tradecraft in the provided content includes use of valid compromised credentials for initial access, including VPN access where multifactor authentication was absent; double extortion involving data theft and encryption; use of Group Policy Objects for malicious deployment; and credential theft from victim environments. In one Sophos case from July 2024, Qilin actors used compromised VPN credentials, modified the default domain policy to deploy a malicious logon GPO, harvested credentials stored in Google Chrome across endpoints, exfiltrated the harvested data, cleared logs, and then used GPO again to deploy the ransomware. Cisco Talos reporting in the content states Qilin operators used valid compromised credentials for initial access, a victim-customized binary encryptor, and CyberDuck for data exfiltration. 
Check Point linked at least one confirmed post-compromise incident involving exploitation of CVE-2026-50751 to a Qilin affiliate with medium confidence; associated tradecraft in that reporting included VPS-based infrastructure, Tox for command-and-control, Rclone for exfiltration, and retrieval of ELF payloads targeting Linux-based gateway infrastructure. The content also links Qilin affiliates to use of commercial or shared EDR-killer tooling. ESET telemetry cited in the content states DemoKiller has been used by affiliates of Qilin, Akira, and Gentlemen, and separate reporting linked CardSpaceKiller to intrusions involving Qilin. Additional reporting in the content associates Qilin with broader ransomware ecosystem use of HeartCrypt-packed EDR-killer tooling. The content further states that The Gentlemen is assessed by Group-IB to be a splinter of the Qilin operation. Specifically, the administrator of The Gentlemen previously ran a Qilin affiliate crew known as ArmCorp and reportedly left Qilin after a payment dispute in July 2025 over an unpaid commission.

Mentions: 15
#4 UNC6508

UNC6508 is a PRC-nexus, China-linked cyber espionage threat cluster that Google Threat Intelligence Group attributed with high confidence to a sophisticated campaign targeting North American academic, medical, and military research institutions, including clinical providers, academic centers, military health institutions, advocacy groups, and health regulatory bodies in the United States and Canada. Google traced the earliest known compromise to September 2023 and reported activity continuing through November 2025, with the actor remaining undetected in some victim environments for more than a year. The cluster consistently targeted externally accessible REDCap servers and was observed probing vulnerable legacy REDCap versions, although the exact initial access method was not confirmed. After compromise, UNC6508 conducted internal reconnaissance, searched for database and service account credentials, and deployed a web shell for persistence. Roughly three months after initial intrusion, the actor deployed custom malware named INFINITERED (also written as InfiniteRed), a REDCap-focused malware family that trojanized legitimate system files, intercepted REDCap upgrades to preserve persistence, harvested usernames and passwords from the login process, stored stolen credentials in local REDCap database tables, and provided backdoor access via encrypted payloads delivered through HTTP cookies. Reported INFINITERED capabilities included beaconing host and database details, executing shell commands, running SQL queries, and transferring files. More than a year after initial compromise, UNC6508 used stolen REDCap credentials to access an administrator account and abused legitimate Google Workspace content compliance rules for covert email exfiltration. The actor created a malicious rule named "Patroit" that silently Bcc-forwarded emails matching nearly 150 keywords, regular expressions, email addresses, and phone numbers to an attacker-controlled Gmail account. 
Google described this abuse of domain-level content compliance rules as a novel exfiltration technique among PRC-nexus actors. The collection priorities reflected interest in geo-strategic policy, military strategy and equipment, advanced technology including artificial intelligence and uncrewed systems, offensive cyber programs, and medical research, which Google assessed aligned with the strategic interests of the People’s Republic of China. UNC6508 also used obfuscation infrastructure including compromised routers, residential proxies, VPS infrastructure, and US-based relay networks to hinder detection and attribution. Google reported disrupting some of the actor’s infrastructure and disabling the Gmail account used for exfiltration. No additional aliases or confirmed subgroup names were provided in the content.

Mentions: 15 · Origin: CN
#5 Handala

Handala is an Iran-linked threat actor and hacktivist persona assessed with high confidence as a front for Iran’s Ministry of Intelligence and Security (MOIS). The actor is described as operating within the Banished Kitten cyber ecosystem and is also tracked as VOID MANTICORE by Microsoft and Storm-0842 by Check Point Research. Reported aliases in the provided content include Banished Kitten, Dune, Handala Hack, Handala Hack Team, Homeland Justice, Red Sandstorm, Storm-0842, and Void Manticore. Sophos content also states that Handala Hack Team was first observed in 2023 and is operated by COBALT MYSTIQUE. The actor has targeted U.S. and Israeli organizations, including critical infrastructure and healthcare/medical technology entities. Reported victims and claimed targets in the content include Stryker, California Water Service (Cal Water), and Israeli military- or municipal-related systems. In March 2026, Handala claimed and was reported as conducting a destructive wiper attack against Stryker; the content states the operation disrupted ordering, distribution, and manufacturing operations for several weeks, and Handala claimed to have exfiltrated 50 terabytes of data. In June 2026, Handala claimed a compromise of California Water Service and published a 5 GB proof-of-concept data dump. Dataminr assessed that the exposed material included customer billing personally identifiable information and plaintext administrative credentials for an internal RTKBase NTRIP/GPS correction environment spanning multiple districts. The available reporting in the content states that no OT/ICS or water-treatment disruption was confirmed, despite Handala’s public claims that it could disturb water supply flow. The content describes Handala as combining hack-and-leak activity, data exfiltration, psychological operations, and destructive capabilities. 
Reported tooling and effects include custom wipers such as win.handala, Handala Wiper, and Hamsa Wiper, as well as Master Boot Record overwriting capabilities. The actor is also associated in the content with data theft, public release of stolen information, threats on Telegram and X, and exaggerated or unverified claims timed to coincide with geopolitical events. Multiple sources in the content note that Handala has a tendency to overstate its capabilities or operational impact, including in claims regarding Israeli radar or signal-network disruption. The actor is linked in the content to broader pro-Iran hacktivist activity following U.S. and Israeli strikes on Iran. Reported tactics and behaviors include website defacement, DDoS attacks, doxxing, credential attacks, ransomware or wiper deployment, exploitation of internet-exposed systems, and hack-and-leak operations. One Talos reference in the content states that after ShroudedSnooper establishes persistence, subsequent actors such as Storm-0842 may use that access for espionage, ransomware, or disruptive wiper activity.

Mentions: 11 · Origin: IR
#6 Outsider Enterprise

Outsider Enterprise is a China-based cybercrime network and phishing-as-a-service operation. Reporting in the provided content says it coordinates through Telegram and distributes a phishing kit/platform called Outsider to other criminals, lowering the barrier to entry for large-scale smishing and phishing campaigns. The service was reportedly sold by subscription starting at $88 per week or $200 per month and offered more than 290 prebuilt templates impersonating trusted brands and entities including Google, YouTube, banks, wireless carriers, government agencies, DMVs, the U.S. Postal Service, package delivery services, and toll systems such as E-ZPass. According to Google and FBI reporting cited in the content, Outsider Enterprise enabled fake text-message campaigns and phishing websites designed to steal passwords, payment card data, other personal information, and in some cases MFA-related data such as SMS codes, PINs, email codes, app approvals, and one-time passcodes. The content states that victim data was captured in real time through the platform. Campaign lures included package notices, bank warnings, missed deliveries, unpaid tolls, parking violations, account-compromise alerts, and similar brand-impersonation themes. The content also states that the group used AI in support of its operations, including encouraging customers to use Google Gemini and other AI platforms to generate phishing-page HTML and related scam infrastructure, which could then be imported into the Outsider kit to expand phishing-page variations beyond the built-in templates. The operation is described as active since at least 2023 and targeting victims in the United States and dozens of other countries. The provided reporting links Outsider Enterprise to more than 9,000 fake websites, more than one million fraudulent URLs, millions of scam texts, and large-scale theft of payment card data.
Google, the FBI, and partners including Lumen Technologies/Black Lotus Labs reportedly disrupted the operation through domain and infrastructure seizures, seizure of a Shopify storefront and payment wallets, and related legal action by Google. No additional aliases or sub-groups beyond the name Outsider Enterprise are directly supported in the provided content.

Mentions: 11 · Origin: CN
#7 LockBit

LockBit is a prolific ransomware-as-a-service (RaaS) operation active since 2019 and previously known as ABCD. It is widely associated with double extortion, combining file encryption with theft of victim data and threats of public exposure. The group has operated multiple versions and brands including LockBit 2.0, LockBit 3.0, and LockBit Black; known aliases in the provided content include abcd_ransomware, lockbit_20, lockbit30, lockbit_30, lockbit_40, lockbit_50, lockbit_black, lockbit_gang, lockbit_green, lockbit_group, and lockbitsupp. LockBit 3.0/LockBit Black is described as an evolution of the LockBit family with roots extending to BlackMatter. The content describes LockBit as one of the most prolific and mature ransomware brands, and as a major centralized group whose disruption in February 2024 under Operation Cronos had broad effects across the ransomware ecosystem. Reporting cited in the content states that after the disruption, affiliates scattered into smaller factions, while LockBitSupp publicly claimed the operation would return with new Onion sites. The leaked LockBit 3.0 source code is described as having fueled many new variants. LockBit commonly uses double extortion and has added threats of data exposure to its ransom notes. It has been referenced as targeting enterprise environments and using both Windows and Linux/ESXi lockers; the content notes that organized ransomware groups including LockBit have focused on ESXi, using built-in hypervisor tools to kill guest machines before encrypting critical hypervisor files. SentinelLABS also noted no obvious similarity between Babuk-derived ESXi lockers and the ESXi lockers used by LockBit. Techniques and tooling directly mentioned in the content include delivery through third-party frameworks such as Cobalt Strike, including infection chains where SocGholish dropped Cobalt Strike and then delivered LockBit 3.0. 
A SentinelOne case described a LockBit intrusion in which attackers side-loaded Cobalt Strike Beacon through the signed VMwareXferlogs.exe utility using a malicious glib-2.0.dll and an RC4-encrypted payload. The malicious DLL performed anti-debugging checks, removed EDR/EPP userland hooks by restoring clean code from disk, and patched ETW and AMSI before decrypting and launching Beacon. SentinelOne assessed that this side-loading functionality may have been implemented by an affiliate rather than LockBit core developers, and later linked the activity to Microsoft-tracked affiliate DEV-0401. LockBit intrusions in the content are also associated with extensive defense evasion and EDR-disabling activity. The group has been linked to Poortry/BurntCigar, a malicious kernel driver and loader set used to disable or impair endpoint protection and observed in attacks involving LockBit, CUBA, BlackCat, Medusa, and RansomHub. Poortry evolved from an EDR killer into a rootkit-like EDR wiper capable of patching kernel callbacks, interfering with filter drivers, killing security processes, and deleting critical EDR files. LockBit intrusions were also associated with SmilingKiller, and separate reporting states that a LockBit-affiliated actor used Backstab in November 2022 and AuKill in February 2023 to disable EDR processes before ransomware deployment. LockBit 3.0 is described as preserving prior encryption and propagation capabilities while adding affiliate-management features, leak-site improvements, and anti-analysis mechanisms. 
Technical behaviors directly mentioned include attempts to execute with administrative privileges and use a CMSTP UAC bypass if needed; persistence via installation of multiple Windows services; termination of backup, VSS, Veeam, Sophos SQL, and Exchange-related services; termination of user processes such as Office and mail applications; writing a copy of itself to %programdata%; rapid encryption; dropping ransom notes and changing the desktop wallpaper; and requiring a sample- or campaign-specific passphrase supplied with the -pass parameter. Anti-analysis features mentioned include code packing, obfuscation, dynamic function resolution, function trampolines, debugger-detection checks, ThreadHideFromDebugger, and modification of DbgUiRemoteBreakin. The content also notes operational norms and ecosystem behavior associated with LockBit. It is cited as one of several ransomware groups that ban attacks on Russian-linked or broader CIS-linked targets. LockBit is repeatedly referenced as a major ransomware brand whose affiliates and former affiliates have moved into other groups, including The Gentlemen. The content also notes that LockBit remained active across multiple regions and time periods, including the META region in Q1 2026.

Mentions: 10
#8 Scattered Spider
Financially Motivated

Scattered Spider is a financially motivated, English-speaking cybercrime threat actor. Known aliases in the provided content include 0ktapus, DEV-0971, LUCR-3, Muddled Libra, Octo Tempest, Oktapus, Roasted 0ktapus, ScatteredSpider, Scattered Spider, Scattered Swine, Scatter Swine, Star Fraud, Storm-0875, and UNC3944. The group is associated in the content with strong social-engineering and voice-phishing capability. The content states that Scattered Spider expertise was incorporated into the "Scattered LAPSUS$ Hunters" federation by 2025, combining ShinyHunters brand recognition, Scattered Spider social engineering, and LAPSUS$ tactics. Multiple references assess with high confidence that some Scattered Spider members were hired by ShinyHunters to conduct vishing and social-engineering campaigns against enterprise victims, including campaigns targeting Salesforce application authorization workflows. The content also states that Scattered Spider has leaned on legitimate remote-access tools such as Ngrok and Fleetdeck. Victim targeting in the provided material includes enterprise organizations and major UK retailers. The content specifically links affiliates attributed to Scattered Spider to the June 2025 attacks on Marks & Spencer, Co-op, and Harrods, where DragonForce ransomware was reportedly used. Separate reporting in the content links DragonForce to Scattered Spider and describes sophisticated post-compromise tradecraft including use of a custom Go-based malware, Backdoor.Turn, to hide command-and-control traffic via Microsoft Teams TURN relay infrastructure, as well as BYOVD-based privilege escalation and disabling of security tools. The content also places Scattered Spider in the broader ransomware ecosystem as an English-speaking group and notes loose connections or collaboration with ShinyHunters, The Com, LAPSUS$, and DragonForce affiliates. Only the relationships explicitly stated in the content are included here.

Mentions: 10
#9 BlackCat

BlackCat, also known as ALPHV, AlphaV, AlphaVM, and Noberus, is a ransomware-as-a-service (RaaS) operation whose payloads are written in Rust and support both Windows and Linux, including VMware ESXi environments. The group emerged in late 2021 and is widely referenced as ALPHV/BlackCat. It markets its services on underground forums, recruits affiliates, maintains leak sites for double extortion, and shares ransom payments with affiliates. Reported extortion tactics include encrypting systems, threatening to leak stolen data, DDoS threats, and intimidation of victim employees and customers. The group uses bulletproof hosting for its websites and a Bitcoin mixer to anonymize transactions. BlackCat is notable as the first known Rust-based ransomware operation referenced in the content. Its malware supports multiple encryption modes, including intermittent or partial-encryption modes such as HeadOnly, DotPattern, SmartPattern, and AdvancedSmartPattern, in addition to full encryption. It uses AES when hardware acceleration is available and otherwise falls back to ChaCha20. Samples require an access-token parameter at execution time, gather the system UUID to generate a victim-specific access key, attempt privilege escalation including via the COM Elevation Moniker, delete shadow copies, terminate processes and services that may interfere with encryption, and present victims with a ransom note and modified wallpaper directing them to a TOR-based payment portal. BlackCat also includes VMware-focused options such as avoiding VM termination or snapshot deletion on ESXi. The group has been associated with attacks against cloud and virtualized environments. In 2023, Sophos X-Ops reported BlackCat deploying ransomware against victim Azure Storage accounts using the Sphynx encryptor by bulk-downloading blobs, encrypting them, and reuploading them to overwrite the originals. 
The content also notes BlackCat among organized ransomware groups that adopted Linux lockers and focused on ESXi, using built-in ESXi tools to kill guest machines before encrypting critical hypervisor files. BlackCat has been linked in the content to use of the Poortry malicious kernel driver, alongside Stonestop, as part of ransomware intrusions to disable or impair endpoint protection. Sophos linked Poortry usage to attacks involving BlackCat as well as other ransomware families. The content also notes that a similar technique was used by Egregor and BlackCat in relation to access-token-style execution controls. Victimology in the content includes organizations in Australia, India, and the United States, with ransom demands reportedly ranging from $400,000 to $3,000,000 in Bitcoin or Monero. Specific incidents referenced include the April 2023 attack on Australian law firm HWL Ebsworth, where BlackCat reportedly exfiltrated about 3.6 TB of data and later released 1.45 TB publicly, and the February 2024 Change Healthcare incident, where stolen Citrix credentials without MFA led to data theft affecting more than 100 million patients and a reported $22 million ransom payment to a BlackCat affiliate. The content also states that the ALPHV/BlackCat gang received $22 million from one ransom payment alone. The group is described as having been disrupted or shut down by 2024, with later reporting noting INC benefited from the shutdown of ALPHV/BlackCat and that RansomHub emerged after the demise of ALPHV/BlackCat. The content also references ALPHV’s January 2024 exit scam as a major market event. Security researchers cited in the content believe former Conti members later splintered into multiple ransomware groups, including BlackCat, but this is presented as a researcher belief rather than a definitive organizational lineage.

Mentions: 10
#10 FulcrumSec

FulcrumSec is a financially motivated cybercriminal data-theft and extortion group that emerged in late 2025, with reporting placing its emergence in September or October 2025. The group is described as a hack-and-leak or pure extortion actor that specializes in breaching corporate cloud environments, particularly AWS and Azure, exfiltrating sensitive data, and demanding payment to prevent publication or sale. Some reporting also attributes double-extortion and ransomware activity to FulcrumSec, including a claimed attack on the Global Schools Foundation. FulcrumSec operates a leak site on the clearnet at fulcrumsec.net and maintains a Tor mirror. Across the cited incidents, FulcrumSec repeatedly claimed initial access through exposed credentials, hardcoded GitHub personal access tokens, embedded cloud credentials, unpatched internet-facing applications, and exploitation of the React2Shell vulnerability (CVE-2025-55182). Reported post-compromise activity includes cloning private repositories, harvesting additional secrets, accessing AWS Secrets Manager, Redshift and other databases, S3 buckets, Azure and AWS cloud storage, and exfiltrating large data volumes before extortion. The group is also described as publishing detailed breach reports and sample data on underground forums and leak sites. Victims and claimed targets in the provided content include Novo Nordisk, LexisNexis Legal & Professional, Arup Group, Global Schools Foundation, Wound Technology Network (Woundtech), Unique Computing LLC, ReFocus AI, Gennet AI, and a California-based mortgage broker. Reported victim sectors include pharmaceuticals, legal/data analytics, engineering, education, healthcare, insurance, AI/technology, and financial services. In the Novo Nordisk incident, FulcrumSec claimed it spent more than two months in the company’s environment, stole roughly 1.3 TB of data, and demanded $25 million. 
The group claimed access to clinical trial data, employee and physician data, source code, proprietary drug information, and internal AI assets. Novo Nordisk confirmed unauthorized access to limited internal IT systems and exposure of some pseudonymized clinical-trial data, but broader theft claims were not independently verified in the content. In the LexisNexis incident, FulcrumSec claimed it exploited an unpatched React frontend via React2Shell on February 24, 2026 to access AWS infrastructure and exfiltrate about 2.04 GB of data, including millions of records, database tables, and AWS secrets. LexisNexis confirmed unauthorized access to a limited number of servers containing primarily legacy data. In the Arup Group incident, FulcrumSec claimed initial access in September 2025 via a GitHub personal access token hardcoded in JavaScript on a forgotten subdomain, leading to access to more than 10,000 private repositories and additional AWS and Azure credentials. The group claimed theft of GitHub repositories, cloud data, database backups, source code, and sensitive client and infrastructure information. The content also attributes to FulcrumSec a claimed breach of three interconnected organizations sharing a single AWS account—Unique Computing LLC, ReFocus AI, and Gennet AI—via exploitation of React2Shell, as well as a claimed breach of Woundtech involving plaintext AWS and database credentials and exfiltration of healthcare data. Additional reporting says FulcrumSec claimed theft of more than 19,000 mortgage application documents from a California-based mortgage broker. No nation-state attribution is supported by the provided content. Known alias in the content: fulcrumsec.

Mentions: 10
#11 The Gentlemen

The Gentlemen is a ransomware-as-a-service (RaaS) cybercrime group tracked by Microsoft as Storm-2697. The group emerged in mid-2025, with reporting placing its public emergence between July and September 2025, and rapidly became one of the most active ransomware operations by victim count. Multiple sources in the content describe it as the second most active or second most prolific ransomware brand in 2026, with hundreds of victims listed on its dark-web leak site across dozens of countries. The group is financially motivated and uses double extortion, combining file encryption with data theft and leak-site pressure. The content links The Gentlemen to Russian-speaking operators and describes it as Russia-adjacent in behavior, including a prohibition on targeting Russia and CIS countries. Reporting cited in the content links the operation with high confidence to Alexander Andreevich Yapaev of Izhevsk, Russia. The group’s lead operator or administrator is described under the aliases hastalamuerte and zeta88, with additional aliases including ArmCorp, SantaMuerte, nobody0, santamuerte, and bu4vs appearing in attribution reporting. PRODAFT tracks the operation as Phantom Mantis and reports that Phantom Mantis transitioned into The Gentlemen as an independent partnership program in July 2025 after previously operating as an affiliate using LockBit, Qilin, and Medusa resources. Multiple reports also state that the group’s lineage runs through Qilin, including claims that its operators defected from Qilin after a payment dispute. The Gentlemen operates an aggressive affiliate model offering affiliates 90% of ransom payments, with some reporting also noting 97% for data-only extortion. The content states this unusually favorable split helped attract experienced affiliates from older ransomware operations including DragonForce and LockBit. Reporting based on leaked internal chats states the group had nine core members, while other reporting describes about 20 members. 
The group publicly recruited affiliates on BreachForums in May 2026 and secured an announced partnership there. The group targets organizations globally, with victims spread across 66 countries. The content states only a minority of victims are in the United States, with significant activity in Latin America, Europe, and Asia. Sectors directly mentioned as targeted include manufacturing, technology, business services, healthcare, industrial organizations, information technology, and some consumer-facing organizations. Specific geographic concentrations mentioned in the content include Thailand, the United Kingdom, Brazil, Germany, and India, and separate reporting says Europe is a primary focus. Initial access methods described in the content include exploitation of internet-facing systems and use of stolen credentials. Specific access vectors mentioned include exposed VPNs and firewalls, SonicWall SSL VPN credential spraying, Fortinet FortiOS and FortiProxy CVE-2024-55591, compromised Outlook Web Access accounts, Microsoft 365 accounts, Okta SSO tokens, infostealer-derived credentials and session cookies, brute-forced VPN credentials, internet-facing RDP, and older Active Directory weaknesses including ZeroLogon and PetitPotam. The content also states the group maintained access to large numbers of compromised FortiGate devices and validated VPN credentials. Post-compromise tradecraft described in the content includes rapid reconnaissance, LDAP domain enumeration, privileged group discovery, credential theft, DCSync, abuse of Active Directory Certificate Services ESC1 misconfigurations, PKINIT, UnPAC the hash, lateral movement with NetExec, PsExec, WMI, WinRM, PowerShell Remoting, SMB administrative shares, and RDP, and persistence through scheduled tasks, registry changes, AnyDesk, and creation of privileged accounts. 
The group exfiltrates data using tools including rclone and WinSCP, and uses SystemBC as a proxy and backdoor tool, with Cobalt Strike as command and control or backup command and control. The Gentlemen uses a Go-based cross-platform ransomware family for Windows and Linux, with a separate C-based ESXi locker also described in the content. The malware is reported to target Windows, Linux, NAS, BSD, and ESXi environments. Encryption details directly mentioned include XChaCha20 for file encryption and Curve25519 or X25519 for key exchange, with per-file ephemeral keys. The ransomware supports self-propagation or worm-like lateral movement over SMB and administrative shares, and can be deployed domain-wide through Group Policy Objects and scheduled tasks. Reported payload behavior includes dropping README-GENTLEMEN.txt, deleting shadow copies, stopping backup, database, virtualization, and security services, clearing Windows event logs, disabling Microsoft Defender, and adding exclusions. The content also describes environment-specific EDR bypass and BYOVD techniques using vulnerable signed drivers including ThrottleBlood.sys or ThrottleStop.sys-derived tooling and viragt64.sys. The content states the group uses AI-assisted tooling in its operations. Leaked chats reportedly showed use of AI for coding the negotiation panel, development support, and analysis of stolen data with open-weight models. The same leaked materials also indicated the group studied the Black Basta chat leak as a training reference and reverse engineered or reused techniques from Babuk, Qilin, LockBit 5.0, and Medusa. Known aliases and related designations directly mentioned in the content include Storm-2697, Phantom Mantis, ArmCorp, hastalamuerte, zeta88, SantaMuerte, santamuerte, nobody0, and bu4vs.

Mentions: 9
#12 Conti

Conti was a prolific, well-organized ransomware group active from 2020 until it disbanded in 2022. The group targeted more than 1,000 victims worldwide, including organizations across 47 U.S. states, Puerto Rico, the District of Columbia, and 31 countries. Reported victim sectors included healthcare organizations, government agencies, educational institutions, businesses, and critical infrastructure. The FBI estimated that Conti generated at least $150 million in ransom payments by January 2022. Conti conducted double-extortion ransomware operations: members breached victim networks, encrypted files, stole data, and demanded ransom payments to restore access and prevent public disclosure of stolen information. Court documents and reporting state that Conti operators used malware loaders to support attacks and that the group was closely linked to the TrickBot ecosystem. Content also states that Conti emerged from the Ryuk gang. Leaks revealed that Conti had an unusually structured organization resembling a legitimate company, including middle management and a human resources department. The group was described as ruthless and highly organized. Conti shut down in 2022 after internal chat leaks, with some reporting tying the fallout to the group’s support for the Russian government following the invasion of Ukraine. Reporting cited in the content also describes alleged ties between Conti-linked figures and Russian intelligence or political patrons, but those ties are presented as reporting and leaked-chat allegations rather than established fact. Former Conti members are reported to have splintered or rebranded into multiple successor groups and sub-groups. Directly mentioned successors and related rebrands include Zeon, Black Basta, and Quantum; Quantum later rebranded to Royal and then BlackSuit. 
Additional reporting in the content links former Conti members to other operations including UNC3753/Silent Ransom Group, and assesses 3AM as tied to one of the core teams of the disbanded Conti group. Known alias in the provided content: Conti.

Mentions: 9
#13 APT28
Groups In Development

APT28, also known as Fancy Bear, Sofacy, Sednit, Strontium, Forest Blizzard, BlueDelta, Fighting Ursa, Pawn Storm, Tsar Team, Group 74, and UAC-0028, is identified in the content as a Russian state threat actor affiliated with the GRU, specifically Unit 26165. The content describes APT28 as targeting foreign ministries, law enforcement agencies, IT managed service providers, defense contractors in Poland and Germany, critical energy infrastructure in Ukraine, and U.S. political organizations including the DCCC. Reported activity includes phishing and malicious Microsoft Office attachments with macro scripts, use of PowerShell including hidden windows, collection of local files, and use of Forfiles to locate PDF, Excel, and Word documents and search compromised systems for specific terms. The content also states that an APT28 backdoor may collect the entire contents of an inserted USB device. The content describes a significant infrastructure shift in which APT28 moved from rented VPS infrastructure to compromised SOHO routers and consumer edge devices to build a harder-to-trace network. Reported operations included control of Ubiquiti EdgeRouter devices via a MooBot-based botnet, later expansion to MikroTik and TP-Link routers in FrostArmada, DNS manipulation on compromised routers to redirect traffic, theft of credentials and OAuth tokens including for Microsoft 365, and hosting phishing pages on residential IP space. The group was also reported to route malware communications through legitimate cloud platforms and to use a custom C++ backdoor called BeardShell that leveraged cloud storage APIs for command and control. Additional tooling mentioned in the content includes the AI-assisted stealer LameHug, the Slimagent keylogger with code lineage tied to X-Agent, Headlace information-stealing malware in a CERT-UA-reported campaign attributed to BlueDelta, and historical malware lineage associated with X-Agent. 
The content also notes that APT28 has used short-lived, single-purpose tools and reused cloud backends across file-hosting providers.

Mentions: 7
#14 Volt Typhoon

Volt Typhoon is a China-linked, state-backed threat actor focused on stealthy intrusion and prepositioning activity, particularly against critical infrastructure. The content describes it as a Chinese state-linked campaign exposed against U.S. infrastructure and cites it as a high-profile example of adversaries establishing footholds in technology that underpins critical national infrastructure to enable rapid exploitation and mass disruption during conflict. Reported targeting includes largely U.S. critical national infrastructure, military-related networks, and U.S. military entities, as well as directories containing vulnerability-testing and cyber-related content and facilities data such as construction drawings. The actor is associated with living-off-the-land tradecraft, using victim-owned tools, systems, and credentials rather than conventional malware, which the content says can make detection difficult. Mentioned behaviors include account discovery using commands such as "net group /dom" and "net group \"Domain Admins\" /dom", directory enumeration, and network configuration/topology discovery using commands including ipconfig, "netsh interface firewall show all", and "netsh interface portproxy show all". The content also links Volt Typhoon with the KV botnet and describes JDY as a China-nexus covert reconnaissance network that began as one cluster of the larger KV botnet. Known aliases in the provided content include BRONZE SILHOUETTE, DEV-0391, Insidious Taurus, Storm-0391, UNC3236, Vanguard Panda, and VOLTZITE.

Mentions: 7 · Origin: CN
#15 APT41
Espionage

APT41 is a China-linked threat actor associated in the provided content with cyber espionage activity and tracked under numerous aliases including Aquatic Panda, Earth Lusca, Winnti, Winnti Group, Barium, Brass Typhoon, Bronze University, Charcoal Typhoon, RedHotel, TAG-22, Wicked Panda, and FishMonger. The content indicates overlap and umbrella relationships among these names, including reporting that FishMonger is believed to be operated by the Chinese contractor I-SOON and falls under the broader Winnti Group umbrella, and that Earth Lusca is also tracked as Aquatic Panda, Bronze University, Charcoal Typhoon, and RedHotel. The actor is described as targeting government entities, particularly organizations involved in foreign affairs, technology, and telecommunications, with activity observed across Southeast Asia, Central Asia, the Balkans, and in cases involving Honduras, Taiwan, Thailand, and Pakistan. The content also mentions prior targeting of universities in Hong Kong during the 2019 civil protests and attacks against public-facing servers worldwide. Tactics and techniques directly mentioned in the content include exploitation of public-facing applications and server-side N-day vulnerabilities; use of web shells; PowerShell execution; creation and modification of Windows services for persistence; lateral movement with Cobalt Strike; file and directory discovery including execution of /bin/pwd; execution of whoami including via WMIEXEC on remote machines; and use of watering-hole attacks. Specific vulnerabilities and platforms referenced in relation to Earth Lusca activity include Fortinet, GitLab, Microsoft Exchange ProxyShell, Progress Telerik UI, and Zimbra. Malware and tooling directly associated in the content include SprySOCKS, ShadowPad, Linux Winnti/elf.winnti, Spyder, Cobalt Strike, FunnySwitch, BIOPASS RAT, DUSTPAN, and Trochilus-derived backdoor capability. 
SprySOCKS is described as a backdoor first documented as Linux-focused and later observed in Windows variants WIN_DRV and WIN_PLUS. The Windows variants support more than 30 commands, communicate over TCP, UDP, and WebSocket, and provide system enumeration, process and service control, file management, SOCKS proxying, and keylogging. WIN_DRV is described as using kernel drivers such as RawWNPF and DriverLoader to hide processes, files, registry keys, and network connections, and to divert TCP traffic; WIN_PLUS is described as using DLL side-loading, scheduled tasks, and Windows Print Processor abuse for persistence. The content also notes limited indications of possible UEFI bootkit involvement exploiting CVE-2023-24932. For APT41 specifically, the content states that the group modified legitimate Windows services to install malware backdoors, created the StorSyncSvc service to persist Cobalt Strike, used Windows service names such as Windows Defend for DUSTPAN persistence, and executed whoami and /bin/pwd on victims.

Mentions: 6 · Origin: CN
#16 Lazarus

Lazarus Group is a North Korea-attributed threat actor associated with both espionage and financially motivated operations. Aliases in the provided content include APT-C-26, BadClone, Contagious Interview, Coral Sleet, DeceptiveDevelopment, DEV#POPPER, Diamond Sleet, Famous Chollima, Genie Spider, Gwisin Gang, Labyrinth Chollima, Nickel Tapestry, Pukchong, PurpleBravo, Purple_Bravo, Selective Pisces, Storm-1877, TA404, TAG-121, TempHermit, Tenacious Pungsan, UNC2970, UNC5267, Void Dokkaebi, and WaterPlum. The content describes Lazarus Group as targeting finance, cryptocurrency, and defense organizations, and links it to campaigns including Operation AppleJeus and Operation Dream Job. In Dream Job, Lazarus used fake recruiter-style lures and malicious job-themed documents, including malicious Microsoft Word attachments delivered via spearphishing emails, to target victims in defense and aerospace-related contexts. The content also notes overlap between North Korea-linked PurpleBravo/TAG-120 activity and the Contagious Interview campaign targeting software developers in the cryptocurrency industry, with malware including BeaverTail, InvisibleFerret, and OtterCookie. Tradecraft directly mentioned in the content includes use of compromised servers to host malware; command-and-control over HTTP and HTTPS; shellcode embedded in macros to decrypt and manually map DLLs and shellcode at runtime; use of VBA macros to set files to System and Hidden and use dot-prefixed filenames to hide files from Finder; installation of malware as new Windows services; enumeration of logged-on users; file and directory discovery across drives and identification of target files by extension; collection of network configuration data, including IP address, gateways, subnet mask, DHCP information, and WINS availability; and Active Directory account discovery, including querying compromised AD servers for employee and administrator account lists during Operation Dream Job. 
The content also links Lazarus Group to malware and tooling including WannaCry, Hermes, BLINDINGCAN, and OpenCarrot. One cited intrusion involved use of the Lazarus-linked OpenCarrot backdoor against the Russian defense organization NPO Mashinostroyeniya; OpenCarrot was described as a persistent Windows service DLL supporting reconnaissance, process and filesystem manipulation, proxying, and multi-channel command-and-control. The content further references Lazarus-linked supply-chain activity, including attacks involving Able Desktop and WIZVERA VeraPort.

Mentions: 6 · Origin: KP
#17 Play

Play is a ransomware group active since 2022. The provided content describes it as one of the more consistent and active ransomware operations, with reporting stating it has infected more than 1,200 victims globally and has primarily affected organizations in the United States, Canada, and the United Kingdom. Sectors directly mentioned in the content include manufacturing, business, technology, healthcare, education, legal services, industrial/manufacturing, and agriculture/food production. Specific victim examples mentioned include MyPillow, Dallis Law Firm, Corley Manufacturing, and Urschel. Known aliases in the provided content include Balloonfly, PlayCrypt, play_ransomware, play_ransomware_gang, and play_ransomware_group. The content also references possible connections between Play and other ransomware ecosystem actors, including reporting that RansomHub had connections with Play, Medusa, and BianLian, but does not establish subgroup structure for Play itself. The content describes Play as a double-extortion actor that commonly exfiltrates data before encryption and operates a public data leak site. It notes that Play has split victims' files into chunks for exfiltration and that most actors in the same reporting set, including Play, move quickly in victim environments. Huntress reporting cited in the content says Play was among the faster ransomware groups to deploy ransomware and that Play carried out fewer than 10 actions on average before deployment. Tradecraft directly attributed to Play in the content includes use of the custom .NET information-stealing and reconnaissance tool Grixba. Grixba is described as harvesting installed software information, user credentials, cryptocurrency wallet data, and messaging application data. The content states Play used Grixba to enumerate network information and to list security files and processes. 
Across analyzed versions, Grixba retained WMI, WinRM, Remote Registry, and Remote Services enumeration behavior, included a log-clearing mode using Windows Event Log APIs, and modified ntdll.dll memory protection as part of execution and EDR-unhooking behavior. The content also states every analyzed Grixba version was dropped via RDP into C:\Users\Public\Music\ on target Windows servers. The content also links Play to Linux/ESXi ransomware capability. SentinelLABS assessed a Play ESXi sample as the first known Linux version of Play ransomware. That sample referenced the .FinDom extension and the ransom email address findomswitch@fastmail.pw, and the report states it shared file-searching functionality with baseline Babuk and used the Sosemanuk cipher for encryption. More broadly, the content places Play among ransomware groups increasingly targeting Linux and ESXi environments. Additional reporting in the content notes an unconfirmed possible connection between Play or one of its affiliates and CastleLoader infrastructure observed by Recorded Future during exfiltration involving a known Play victim. The same source explicitly states that this connection remains unconfirmed and that no public reporting had associated Play with WarmCookie or CastleLoader at that time.

Mentions: 6
#18 APT37

APT37, also known as ScarCruft, Reaper, InkySquid, Ricochet Chollima, Group123, and TEMP.Reaper/tempreaper, is a North Korean state-sponsored threat actor. The content describes the group conducting cyber espionage and intelligence collection, with targeting that includes South Korean media organizations, academics, high-profile experts in North Korean affairs, journalists covering the DPRK, diplomatic and North Korean human rights organizations and people, a Russian missile engineering and defense organization, consumers of threat intelligence reporting such as researchers and cybersecurity professionals, and individuals of interest to the North Korean regime including refugees and defectors via a compromised gaming platform serving the Yanbian region in China. Reported tradecraft includes spear-phishing with attachments and links, including Microsoft Account security notification impersonation, cybersecurity advisory lures, and phishing emails impersonating trusted or relevant senders; WhatsApp-style social engineering is not attributed to this actor in the content. Delivery mechanisms described for APT37 include ZIP archives containing malicious LNK files, oversized LNK files disguised as Hangul Word Processor or document files, and earlier HWP documents with embedded OLE objects. The group has used multi-stage infection chains involving PowerShell, batch scripts, in-memory payload execution, scheduled-task persistence, and command execution via malicious shortcuts. The content also notes use of Flash zero-days CVE-2016-4171 and CVE-2018-4878. Malware and tooling directly associated in the content include NarwhalRAT, RokRAT, and Goldbackdoor, with Goldbackdoor assessed as a successor to Bluelight.
NarwhalRAT is described as a Python-based RAT delivered through Microsoft-themed phishing and LNK execution, with capabilities including keylogging, screenshot capture, audio recording, USB data collection/exfiltration, active window collection, file upload, remote command execution, and switching command-and-control servers. RokRAT is described as a custom ScarCruft backdoor. Goldbackdoor was used against journalists and supports remote command execution, keylogging, file operations, self-uninstallation, and exfiltration through Google Drive and Microsoft OneDrive. The actor’s command-and-control tradecraft in the content includes HTTPS, Microsoft Graph API, Korean relay websites, pCloud API dead-drop resolver functionality, and use of public cloud services including pCloud, Yandex Cloud, Google Drive, and Microsoft OneDrive. The content also attributes a Linux email server compromise at a Russian defense organization to ScarCruft. Overall, the reporting characterizes APT37/ScarCruft as a DPRK-linked espionage actor focused on information gathering, with recurring use of spear-phishing, LNK-based execution chains, cloud-backed C2, and surveillance-oriented malware.

Mentions: 6
#19 Fishmonger

FishMonger is a China-linked cyberespionage threat actor active since at least 2019 and assessed to operate under the broader Winnti Group umbrella. The group is also tracked as Earth Lusca and has additionally been associated in the provided content with TAG-22, Aquatic Panda, and Red Dev 10. Multiple sources in the content assess that FishMonger is operated by the Chinese contractor I-SOON (also written iSoon), including ESET’s high-confidence attribution of Operation FishMedley to the group and its independent determination that FishMonger is operated by I-SOON. The actor primarily targets government entities and other organizations of strategic interest. Reported victims and targeting in the content include government organizations in Honduras, Taiwan, Thailand, and Pakistan during 2023–2024; universities in Hong Kong in 2020; and, in Operation FishMedley during 2022, governmental organizations, NGOs, a geopolitical think tank, a Catholic organization, and a Catholic charity in Taiwan, Hungary, Turkey, Thailand, the United States, and France. FishMonger is linked in the content to the SprySOCKS backdoor, including newly identified Windows variants after earlier Linux-only use. The Windows variants, WIN_DRV and WIN_PLUS, were used against government organizations and support command-and-control over TCP, UDP, and WebSocket with more than 30 commands for system discovery, process and service control, file management, SOCKS proxying, and keylogging. Reported stealth and persistence techniques include DLL side-loading, scheduled tasks, process doppelgänging into svchost.exe, abuse of the Windows Print Spooler via a print processor, and kernel-driver-based hiding of processes, files, registry keys, and network connections. The content also notes limited indications that some attacks may have involved a UEFI bootkit component possibly exploiting CVE-2023-24932. 
Beyond SprySOCKS, the group’s tooling in the provided content includes ShadowPad, Spyder, SodaMaster, RPipeCommander, Cobalt Strike, FunnySwitch, and BIOPASS RAT. In Operation FishMedley, operators used ShadowPad, SodaMaster, Spyder, and RPipeCommander, along with credential dumping, DLL side-loading, PowerShell, Impacket, LSASS dumping, SAM hive theft, Firefox credential theft, lateral movement, and likely data exfiltration via Dropbox tooling. The content also states FishMonger is known for watering-hole attacks. The provided material also notes overlaps or links between FishMonger and other China-aligned clusters, including Webworm, SixLittleMonkeys, and Space Pirates, and identifies FishMonger as one of several ShadowPad-using activity clusters tracked since 2017.

Mentions: 6 · Origin: CN
#20 Kimsuky

Kimsuky is a North Korean state-sponsored threat actor. Reported aliases in the provided content include APT43, APT-C-55, Black Banshee, Cerium, Earth Imp, Emerald Sleet, GreenDinosa, Kimsuky Group, Konni, Konni APT, Konni Group, Opal Sleet, Osmium, PlaneDown, RGB-D5, Ruby Sleet, SharpTongue, Sparkling Pisces, Springtail, TA406, TA427, Thallium, and Velvet Chollima. Proofpoint states that activity broadly tracked by the community as Kimsuky is tracked by Proofpoint as three separate clusters: TA406, TA408, and TA427, and specifically describes TA406 as associated with Kimsuky. The content describes Kimsuky as conducting espionage-focused operations and credential theft campaigns, with targeting that includes South Korean government systems, foreign policy experts, journalists, NGOs, research, education, government, and media organizations, as well as experts in North Korean affairs. One cited intrusion was attributed to Kimsuky against South Korean government entities including the Ministry of Foreign Affairs and the Defense Counterintelligence Command. Proofpoint also states that TA406, as part of Kimsuky-related activity, has conducted cybercrime, sextortion, and financially motivated campaigns including cryptocurrency targeting. Tradecraft directly mentioned in the content includes luring victims into opening malicious email attachments and malicious LNK shortcut files, use of obfuscated and Base64-decoded VBScript or PowerShell, fileless execution of downloaded PowerShell payloads, persistence via Windows services and Windows Task Scheduler, use of HTTP GET and POST for command and control, use of compromised and acquired infrastructure including Blogspot to host beacons, file exfiltrators, and implants, and use of external or legitimate services in operations. 
The content also states Kimsuky has created new services for persistence, can enumerate files and directories on infected systems, and has used ipconfig /all and email web beacons to gather network configuration information. One information-gathering module was noted as hiding an AV software window from the victim. Recent activity in the provided content includes a malicious .LNK sample themed around South Korean nuclear-powered submarine cooperation strategy, described as Base64-encoded and downloading a dummy file from GitHub, and a separate campaign using LNK files disguised as personal information consent forms. In that campaign, the LNK executed obfuscated PowerShell, downloaded additional payloads from an external source, established persistence with Task Scheduler, opened a decoy document, deleted itself, and led to information theft and backdoor loading. The information-stealing behavior in that case was described as similar to prior Kimsuky activity and included collection of security product, operating system, network, IP, drive, recent file, and process information.

Mentions: 6
#21 Lazarus Group

APT38 is a North Korea-attributed threat actor associated in the provided content with the broader Lazarus ecosystem and overlapping aliases including BlueNoroff, Sapphire Sleet, Alluring Pisces, BeagleBoyz, Citrine Sleet, Diamond Sleet, Hidden Cobra, Labyrinth Chollima, Lazarus Group, and Stardust Chollima. The content explicitly ties APT38/Lazarus-related activity to DPRK state actors and describes motivations including financial gain and espionage, with targeting focused on finance, cryptocurrency, and defense. Mentioned malware and campaigns linked in the content include WannaCry, Hermes, BLINDINGCAN, Operation AppleJeus, and Dream Job. Tradecraft and reporting in the content describe fake-recruiter and job-themed social-engineering campaigns against cryptocurrency developers and job-seeking software developers, including trojanized coding challenges and malicious interview projects delivered through GitHub or Visual Studio-themed lures. Techniques directly mentioned in the content include PowerShell execution (T1059.001), exploitation for privilege escalation (T1068), and Windows service persistence/installation (T1543.003). The content also notes association with suspicious loading of cldapi.dll by uncommon processes and references overlaps between APT38 and Microsoft-tracked Sapphire Sleet/BlueNoroff activity, while also stating that attribution for some specific incidents is not confirmed.

Mentions: 5
#22 Gentlemen

Gentlemen is a ransomware-as-a-service (RaaS) group first identified in August 2025 and active since at least September 2025. It is described as one of the fastest-growing and most active emerging ransomware groups in late 2025 and 2026. The group operates a double-extortion model, exfiltrating data before encrypting systems, and has used an affiliate model in which operators develop and maintain tooling for affiliates. Reporting cited in the content states the group offers affiliates a 90% share of ransom payments and centrally provides endpoint detection and response (EDR) killing tools rather than leaving that function to affiliates. Gentlemen targets medium and large enterprises and has victim concentrations in Southeast Asia, South America, and Western Europe, with attacks reported across at least 17 countries and sectors including healthcare, manufacturing, insurance, construction, government, banking, police, and power. The group has been linked to incidents affecting Romanian critical infrastructure, including Oltenia Energy Complex, and has claimed responsibility for attacks such as the one on Mackay Sugar. The group’s tradecraft includes use of compromised credentials, targeting of Internet-exposed services, Group Policy modification, termination of security and backup services, encrypted exfiltration with tools such as WinSCP, and deployment of README-GENTLEMEN.txt ransom notes. Its ransomware has been described as Go-based, using X25519 and XChaCha20, and using anti-analysis measures such as requiring a password argument for execution. Gentlemen is also noted for Bring Your Own Vulnerable Driver (BYOVD) techniques and for standardized defense evasion through a centrally maintained EDR-killer suite. 
ESET reported that Gentlemen’s in-house EDR-killing framework, named GentleKiller, has at least eight variants, targets more than 400 process names associated with dozens of security products, impersonates legitimate products, and abuses vulnerable or malicious drivers. The group also uses third-party or leaked EDR-killer tools including HexKiller, ThrottleBlood, HavocKiller, and DemoKiller, standardized with shared evasion layers, fake metadata, copied certificates and icons, and packers such as Enigma or Themida. Gentlemen has also been observed rapidly incorporating newly disclosed BYOVD proof-of-concept techniques. Known aliases in the provided content are limited to Gentlemen / The Gentlemen. The content also notes the group maintained a presence on the Rehub forum since September 2025.

Mentions: 5 · Origin: RU
#23 Medusa Group

Medusa is a financially motivated ransomware group and ransomware brand operating within the broader ransomware-as-a-service ecosystem. The provided content refers to it as Medusa, Medusa Group, medusa_ransomware, and medusa_ransomware_group. Reporting in the content links Medusa to other ransomware operations through shared affiliates, tooling, and operational overlap, including connections noted with Play, BianLian, LockBit, Qilin, Embargo, BlackLock, DragonForce, BlackSuit, Akira, Crytox, MedusaLocker, and RansomHub. The group is associated in the content with double-extortion ransomware activity and victim-shaming leak-site behavior; one cited example says Medusa claimed responsibility for an attack on SimonMed Imaging and threatened to leak stolen data affecting nearly 1.3 million patients. The content also notes Medusa as one of the ransomware brands that persisted across datasets from 2020 through 2025. Tactics and techniques directly associated with Medusa in the content include PowerShell execution (ATT&CK T1059.001), multi-hop proxy or anonymizer infrastructure for command and control and evasion (T1090.003), exploitation for privilege escalation (T1068), and Windows service creation or modification for persistence (T1543.003). The content further states that Medusa has used vulnerable or signed drivers to modify security solutions on victim devices, and multiple reports link Medusa intrusions to EDR-killing tooling and BYOVD-style defense evasion. Specifically, Sophos linked Poortry/Stonestop use to attacks involving Medusa; ESET reported AbyssKiller being used by affiliates of Medusa, DragonForce, and BlackSuit; and ESET/Sophos linked CardSpaceKiller to intrusions involving Medusa, Qilin, Akira, Crytox, and MedusaLocker. Separate reporting also describes a HeartCrypt-packed AV/EDR-killer tool observed in attack chains that culminated in Medusa ransomware deployment.
The content further associates Medusa with abuse of legitimate remote-access tooling such as AnyDesk for persistence and post-compromise operations, and with broader ransomware tradecraft including exploitation of internet-facing systems, credential abuse, defense evasion, and pre-encryption disabling of security controls. While the content references personnel and affiliate crossover involving other groups that had prior experience with Medusa, it does not attribute Medusa to a nation state.

Mentions: 5
#24 Velvet Ant

Velvet Ant is a China-nexus cyber espionage threat actor tracked by Sygnia. Sygnia attributed a long-running intrusion campaign dubbed Operation Highland to this group, reporting that it remained inside one organization's network for nearly a decade, with forensic artifacts dating back to 2016. The actor moved from internet-facing systems through the IT network into a segregated critical infrastructure segment with no direct internet connectivity. In Operation Highland, Velvet Ant established deep persistence on Linux systems by backdooring core authentication components: it replaced legitimate pam_unix.so PAM modules with malicious variants and trojanized OpenSSH components including ssh, sshd, and scp. These modifications enabled authentication bypass via a hardcoded password, harvesting of legitimate credentials, logging of commands typed during SSH sessions, and storage of captured data in hidden or encrypted files. Sygnia identified nine distinct PAM backdoor variants, indicating a deliberate and well-resourced operation. The group also appended attacker-controlled keys to authorized_keys files, giving it password-free access that survives password rotation. To maintain access and move laterally, Velvet Ant ran a modified GS-Netcat reverse shell on internet-facing Linux servers, disguised under names such as auditd or process names resembling kernel threads. It persisted via systemd unit files and SysVinit scripts, modified Nginx and FastCGI configurations, and deployed a custom SSH-triggered binary and a Perl-based or custom SOCKS5 proxy for tunneling and lateral movement. Sygnia reported that the group avoided phishing and brute-force techniques in this campaign. The content also links Velvet Ant to prior abuse of trusted infrastructure.
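The Linux persistence described above (replaced pam_unix.so and OpenSSH binaries, appended authorized_keys entries, and a reverse shell masquerading as auditd or a kernel thread) can be hunted from artifacts a responder already collects. The following is an added example, not Sygnia's tooling or anything from the cited reports: it takes package-verification output, an authorized_keys file, and a process listing as text, and flags the patterns the report describes. All input data below is constructed for illustration, and the expected auditd path is an assumption about a Debian-style layout.

```python
"""Hunt helpers for the Operation Highland style of Linux persistence (added example)."""
import re
from dataclasses import dataclass

# Authentication components the report says were replaced or trojanized.
AUTH_COMPONENTS = {"pam_unix.so", "sshd", "ssh", "scp"}

# Process names used as disguises, mapped to the only executable that should
# legitimately carry that name. Assumption: Debian-style path for auditd.
EXPECTED_EXE = {"auditd": "/sbin/auditd"}
# ps-style kernel thread names look like "[kworker/0:1]"; real kernel threads
# have no /proc/<pid>/exe target at all, so any exe path is suspicious.
KTHREAD_NAME = re.compile(r"^\[[^\]]+\]$")
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")


def modified_auth_components(verify_output: str) -> list[str]:
    """Parse `dpkg --verify` or `rpm -V` style lines; return paths of
    authentication components whose checksum flag ('5') is set."""
    hits = []
    for line in verify_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]      # dpkg may insert a 'c' (conffile) token
        if path.rsplit("/", 1)[-1] in AUTH_COMPONENTS and "5" in flags:
            hits.append(path)
    return hits


def unexpected_authorized_keys(content: str, allowed_blobs: set[str]) -> list[tuple[int, str]]:
    """Return (line number, comment) for entries whose key blob is not on the
    allowlist; options such as from= or command= before the key type are skipped."""
    flagged = []
    for n, line in enumerate(content.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            flagged.append((n, "unparseable entry"))
            continue
        blob, comment = tokens[idx + 1], " ".join(tokens[idx + 2:]) or "(no comment)"
        if blob not in allowed_blobs:
            flagged.append((n, comment))
    return flagged


@dataclass
class Proc:
    pid: int
    comm: str   # name as shown by ps
    exe: str    # readlink of /proc/<pid>/exe, "" when the link cannot be read
    ppid: int = 0


def masquerading_processes(procs: list[Proc]) -> list[Proc]:
    """Flag a named disguise whose exe is wrong, a kernel-thread name with a
    user-space exe, or an exe whose file has been removed from disk."""
    hits = []
    for p in procs:
        expected = EXPECTED_EXE.get(p.comm)
        if expected is not None and p.exe != expected:
            hits.append(p)
        elif KTHREAD_NAME.match(p.comm) and p.exe:
            hits.append(p)
        elif p.exe.endswith(" (deleted)"):
            hits.append(p)
    return hits


# Constructed sample input (mixes dpkg --verify and rpm -V line shapes).
VERIFY_OUTPUT = """??5?????? /lib/x86_64-linux-gnu/security/pam_unix.so
??5?????? /usr/sbin/sshd
??5?????? c /etc/ssh/sshd_config
S.5....T.  /usr/bin/scp
..?......  /usr/bin/ssh
"""
AUTHORIZED_KEYS = """# ops team
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKey0000000000000000000000000 ops@bastion
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleBackupKey backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyAppended00000000000000000000 root@localhost
"""
ALLOWED_KEY_BLOBS = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIExampleOpsKey0000000000000000000000000",
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleBackupKey",
}
PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", 0),
    Proc(2, "[kthreadd]", "", 0),
    Proc(15, "[kworker/0:1]", "", 2),
    Proc(812, "auditd", "/sbin/auditd", 1),
    Proc(2417, "auditd", "/var/tmp/.x/auditd", 1),          # wrong binary behind a trusted name
    Proc(2590, "[kworker/u8:2]", "/dev/shm/gs-netcat", 1),   # kernel-thread name, user-space exe
    Proc(3001, "sshd", "/usr/sbin/sshd (deleted)", 1),       # running from a removed file
]


def run_hunt() -> dict:
    return {
        "modified_auth_components": modified_auth_components(VERIFY_OUTPUT),
        "unexpected_keys": unexpected_authorized_keys(AUTHORIZED_KEYS, ALLOWED_KEY_BLOBS),
        "masquerading_pids": [p.pid for p in masquerading_processes(PROCS)],
    }


if __name__ == "__main__":
    for name, result in run_hunt().items():
        print(f"{name}: {result}")
```

Each finding needs corroboration before it is treated as the backdoor the report describes: a package verification hit on sshd can be a vendor hotfix, and an exe marked "(deleted)" is also what a legitimate daemon looks like after an upgrade without a restart. The checks are deliberately driven by collected text so they can be run against evidence from a host that is already offline.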
Sygnia reported that the actor exploited legacy F5 BIG-IP appliances for persistence, including use of a modified /etc/rc.local file, the custom tool VELVETSTING for decoding and executing inbound commands, and VELVETTAP for packet capture. Velvet Ant also exploited CVE-2024-20399, an authenticated command injection in Cisco NX-OS, to plant the VELVETSHELL backdoor on Nexus switches, escaping the NX-OS CLI to reach the underlying operating system for arbitrary command execution. In Windows environments, Velvet Ant used DLL search order hijacking, including a malicious iviewers.dll loaded by the legitimate, signed OLE/COM Object Viewer in place of the real library, launched multiple svchost processes and injected code into them, used PlugX as a follow-on payload, transferred tools via SMB and Windows administrative shares, and used wmiexec.py from Impacket for remote execution. The group also attempted to disable local security tools and EDR software and modified firewall settings with netsh.exe to open random high-numbered listener ports. Known aliases directly reflected in the content are limited to Velvet Ant. Operation Highland is the campaign name associated with this actor in the provided material.

Mentions: 5 · Origin: CN