Trending Threat Actors
The threat actors the security industry is tracking right now. Ranked by mention velocity across vendor reports, researcher analysis, and threat feeds — refreshed continuously.
Ranked by Mallory's mention-velocity model across sources.
Top 24 threat actors — Last week
TeamPCP is a financially motivated cybercrime threat actor tracked by Google Threat Intelligence as UNC6780. Known aliases in the provided content include deadcatx3, pcpcat, persypcp, shellforce, team_pcp, and UNC6780. The group is described as specializing in software supply-chain attacks against the open-source ecosystem, particularly developer tooling, open-source security utilities, and AI middleware. Across the provided reporting, TeamPCP is linked to repeated compromises of npm and PyPI packages, GitHub Actions, and Visual Studio Code extensions. The group is associated with the Shai-Hulud and Mini Shai-Hulud malware campaigns, including self-replicating credential-stealing activity that targets developer workstations and CI/CD environments. Reported objectives and collection targets include GitHub tokens, CI/CD credentials, cloud credentials, Kubernetes secrets, SSH keys, HashiCorp Vault tokens, browser-stored secrets, shell history, and other developer authentication material. Reported techniques include package hijacking, malicious preinstall hooks, abuse of trusted publishing workflows and GitHub Actions OIDC identities, exfiltration through attacker-controlled GitHub repositories and fallback infrastructure, persistence via backdoors and system services, and lateral movement via AWS SSM and Kubernetes. The content links TeamPCP to attacks or claimed attacks involving GitHub, PyPI, npm, Trivy, TanStack, LiteLLM, Mistral AI, Telnyx SDK, Checkmarx/KICS, durabletask, guardrails-ai, actions-cool GitHub Actions, and packages in the @antv namespace. TeamPCP also claimed responsibility for a GitHub intrusion in which GitHub said the actor’s claim of roughly 3,800 to 4,000 stolen internal repositories was directionally consistent with its investigation; GitHub stated its assessment was that the exfiltration involved GitHub-internal repositories only. 
The reporting also states that TeamPCP previously claimed responsibility for a European Commission-related breach tied to cloud credentials stolen during an earlier Trivy compromise. Overall, the provided content consistently characterizes TeamPCP as a prolific 2026 supply-chain-focused cybercrime actor targeting trusted developer ecosystems to steal credentials, compromise downstream software distribution, and monetize stolen data.
Fox Tempest is a financially motivated threat actor tracked by Microsoft that has operated a malware-signing-as-a-service (MSaaS) operation since at least May 2025. Rather than directly conducting intrusions, Fox Tempest functioned as an upstream enabler in the malware and ransomware supply chain by helping other cybercriminals make malicious software appear legitimate through fraudulent code signing. According to the provided reporting, Fox Tempest abused Microsoft Artifact Signing infrastructure to obtain short-lived Microsoft-issued code-signing certificates, typically valid for 72 hours, and used them to sign malicious binaries. The actor operated the signspace[.]cloud platform, where customers could upload malware and receive signed files, and later shifted in February 2026 to providing pre-configured virtual machines hosted on Cloudzy to streamline signing operations. Microsoft also reported that Fox Tempest created hundreds of Azure tenants and subscriptions, generated more than 1,000 fraudulent certificates, and sold access to the service for roughly $5,000 to $9,000, including priority tiers. Customer coordination reportedly occurred through Telegram and online forms. Fox Tempest-signed malware was used to disguise malicious files as legitimate software including Microsoft Teams, AnyDesk, PuTTY, and Webex, helping malware bypass security controls based on allow-lists and publisher reputation. Malware and ransomware linked in the content to Fox Tempest-supported activity include Rhysida, Oyster (also called Broomstick or CleanUpLoader), Lumma Stealer, and Vidar. Microsoft linked the service to multiple threat actors and ransomware affiliates, including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249, as well as affiliates associated with INC, Qilin, Akira, and BlackByte. Vanilla Tempest is specifically described as using Fox Tempest-signed trojanized Microsoft Teams installers to deploy Oyster and, in some cases, Rhysida ransomware. 
The downstream impact described in the content includes attacks against healthcare, education, government, and financial services organizations, with victims reported in the United States, France, India, and China, and broader global impact. Microsoft disrupted the operation in May 2026 by seizing infrastructure including signspace[.]cloud, taking offline hundreds of virtual machines, blocking access to supporting code-hosting infrastructure, removing fraudulent accounts, and revoking more than 1,000 certificates. The legal action also named Vanilla Tempest as a co-conspirator. No additional aliases for Fox Tempest beyond the provided name are directly stated in the content.
Qilin is a ransomware operation and ransomware-as-a-service ecosystem. Known aliases in the provided content include Agenda, Gold Feather, Qilin, Qilin Gang, Qilin Ransomware, Qilin Ransomware Gang, Qilin Ransomware Group, Qirin, and Water Galura. The group is described as one of the most prominent ransomware operations in 2026, maintaining the leading position for multiple quarters, with reporting citing 338 publicly posted victims in Q1 2026 and 391 global incidents in one Q1 2026 report. Reported targeting is broad rather than industry-limited, with healthcare, IT, manufacturing, finance, education, government, and financial services specifically mentioned, and activity affecting organizations globally, including South Korea. A reported 2025 intrusion against Covenant Health exposed data from about 478,000 patients. The content describes Qilin as operating through affiliates and as part of a broader ecosystem. Securotrop is described as a ransomware-as-a-service operation operating within the Qilin network, using Qilin code while maintaining its own leak site. The Gentlemen is assessed in multiple reports as a continuation or reorganization of prior affiliate activity tied to the Qilin ecosystem and reportedly managed by the Russian-speaking actor "hastalamuerte"; one report states Hastalamuerte was a former Qilin affiliate. Qilin is also described as having ties or alliances with other ransomware actors through shared affiliates or ecosystem relationships, including INC, Akira, BlackByte, and DragonForce. Microsoft-linked reporting states affiliates associated with Qilin used the Fox Tempest malware-signing service. Tactics and techniques directly mentioned in the content include data theft and double extortion, use of affiliates to scale attacks, encryption of victim files, and the ability to terminate antivirus-related processes and services. Qilin is also referenced in ATT&CK-aligned detection content under T1486, Data Encrypted for Impact. 
The reporting further places Qilin in campaigns targeting IT service providers and manufacturing supply chains in early 2026.
Vanilla Tempest is a financially motivated ransomware and extortion threat actor tracked by Microsoft, also known as DEV-0832, Vice Spider, and Vice Society. The content states Microsoft has observed the group since at least 2021, with other reporting in the content placing Vice Society’s emergence in summer 2021 and Vanilla Tempest activity since at least July 2022. It is described as focusing on deploying ransomware and exfiltrating data for extortion, including double extortion. The actor has targeted schools, hospitals, and other critical organizations worldwide, with multiple references to healthcare and education victims. The content specifically notes hospitals among the organizations struck by Vanilla Tempest and references Vice Society claiming the Los Angeles School District. Broader Vice Society reporting in the content says the group has attacked healthcare, educational, and manufacturing organizations in Europe and the United States and disproportionately targeted the education sector. Vanilla Tempest has used multiple ransomware families over time rather than a single exclusive locker. Families directly mentioned in the content include Rhysida, BlackCat, Quantum Locker, Zeppelin, Hello Kitty, RedAlert, PolyVice, and Ink/INC. The content also states Vice Society has a history of delivering third-party lockers such as Hello Kitty, Zeppelin, RedAlert, and Rhysida, and that Microsoft observed Vanilla Tempest using Ink ransomware in attacks against U.S. hospitals in August 2024. Tradecraft described in the content includes SEO poisoning, malvertising, fake ads, and bogus download pages impersonating legitimate software, especially Microsoft Teams. Microsoft states Vanilla Tempest used fake MSTeamsSetup.exe installers hosted on malicious domains mimicking Microsoft Teams, with users likely directed there via SEO poisoning and purchased advertisements.
The signed fake installers delivered the Oyster backdoor, also known as Broomstick or CleanUpLoader, and in some cases led to Rhysida ransomware deployment. The content also notes use of trojanized installers for other software and references Oyster as a modular implant/loader used to deliver follow-on payloads. The actor is also linked in the content to GootLoader infections delivered via SEO poisoning, followed by hands-on-keyboard activity. Additional tooling and techniques mentioned include PowerShell scripts, repurposed legitimate tools, exploitation of publicly disclosed vulnerabilities, backdoors such as SystemBC, Supper, PortStarter, and Stuffer, and post-compromise use of tools including Cobalt Strike, PowerShell Empire, and Mimikatz. Vice Society reporting in the content also mentions exploitation of PrintNightmare vulnerabilities CVE-2021-1675 and CVE-2021-34527, use of compromised credentials against internet-facing applications, lateral movement, privilege escalation, disabling antivirus, and deleting logs. The content strongly links Vanilla Tempest to abuse of fraudulent or abused code-signing infrastructure. Microsoft revoked more than 200 certificates used by Vanilla Tempest to sign fake Teams installers spreading Oyster and Rhysida ransomware. The content further states Vanilla Tempest began using Fox Tempest’s malware-signing-as-a-service as early as June 2025, uploading payloads such as trojanized Microsoft Teams installers for fraudulent signing. Microsoft named Vanilla Tempest as a co-conspirator in legal action against Fox Tempest. Through this service, Vanilla Tempest used signed malware distributed via legitimate purchased advertisements, malvertising, SEO poisoning, and fake ads. Malware and payloads directly associated with this activity in the content include Oyster, Lumma Stealer, Vidar, and Rhysida. The content does not provide high-confidence nation-state attribution for Vanilla Tempest. 
It consistently describes the actor as financially motivated.
UAT-8616 is a highly sophisticated threat actor cluster tracked by Cisco Talos that has targeted Cisco Catalyst SD-WAN infrastructure since at least 2023. Cisco attributed exploitation of CVE-2026-20127 and CVE-2026-20182 to UAT-8616 with high confidence. The actor used these authentication bypass vulnerabilities to gain unauthorized access to Cisco Catalyst SD-WAN Controller and SD-WAN Manager systems, including by creating rogue peers in organizations and obtaining access as a high-privileged non-root internal account. Observed post-compromise activity included adding SSH keys, modifying NETCONF configurations, creating local user accounts that mimicked legitimate accounts, and escalating privileges to root. Cisco reported that in previously detected attacks, UAT-8616 downgraded software versions and exploited CVE-2022-20775 to escalate privileges to root, then restored the original software version. Cisco Talos also reported log clearing, deletion of shell and network connection history, modification of startup scripts, use of NETCONF on port 830 and SSH for movement between SD-WAN appliances, and efforts to establish persistent footholds in high-value organizations, including critical infrastructure sectors. Cisco stated that infrastructure used by UAT-8616 overlaps with Operational Relay Box networks monitored by Talos. Multiple reports describe UAT-8616 as an alleged China-nexus group, but Cisco reporting also noted that researchers did not specifically align the actor to a particular nation-state. Known alias in the provided content: uat_8616.
ShinyHunters is a cybercriminal extortion group known for large-scale data theft and pay-or-leak operations. The content describes the group as specializing in large-scale data breaches and extortion, frequently targeting major organizations in the technology, finance, retail, and education sectors, and often stealing millions of records at once. Known aliases in the provided content include bling_libra, shinyhunter, shinyhunters, shiny_hunters, UNC6040, and UNC6240. Recent activity in the content centers on attacks against Instructure's Canvas learning management system and 7-Eleven. In the Canvas incidents, ShinyHunters claimed responsibility for stealing more than 3.6 TB of data and hundreds of millions of records affecting thousands of educational organizations, then used the same vulnerability again to deface login portals with ransom messages and pressure the victim into negotiations. Reporting in the content states the intrusion involved multiple cross-site scripting vulnerabilities in Canvas user-generated content features, allowing hijacking of authenticated admin sessions and privileged actions in the Free-for-Teacher environment. Stolen data described by the victim included usernames, email addresses, course names, enrollment information, student ID numbers, and messages. The group also claimed responsibility for a 7-Eleven breach involving more than 600,000 Salesforce records and is described as having targeted Salesforce customers over the past year, including campaigns referred to as Salesloft Drift and Salesforce Aura data theft attacks. The content also attributes to ShinyHunters breaches or claimed breaches involving Addi and references claims involving Google, Cisco, PornHub, the European Commission, Match Group, Rockstar Games, ADT, Vimeo, McGraw-Hill, Medtronic, Zara, Ticketmaster, Infinite Campus, Harvard, Princeton, and the University of Pennsylvania. 
The group is described as publishing stolen data on Tor-based leak sites and using extortion to prevent release. Tactics and techniques directly mentioned in the content include large-scale data exfiltration, extortion via leak sites, social engineering and pretexting, including phone-based pretexting and voice phishing, use of stolen credentials, cloud abuse, compromise of developer environments, and in some cases exploitation of SaaS and Salesforce environments. The FBI reporting cited in the content says ShinyHunters commonly escalates pressure through threatening emails, text messages, and phone calls to victims and family members, and that some incidents have involved swatting. One cited report describes the group as a loose affiliation of teenagers and young adults based in the United States and the United Kingdom. The content characterizes ShinyHunters as a cybercriminal group; it does not directly identify the actor as a nation-state.
INC Ransom, also referred to as Inc, INC, and inc_ransomware, is a ransomware group first reported in the provided content as surfacing in July 2023. The content states that it targets a wide range of victims, including organizations in healthcare, education, and government, and that it has heavily targeted healthcare organizations. Reported victim examples in the content include Sandhills Medical Foundation, the Chapter 13 Trustee Office of Rod Danielson, and Westminster Village Greenwood; Sandhills Medical Foundation was described as the group’s largest claimed breach by number of affected records. The content states that INC Ransom uses spear phishing and exploitation of known software vulnerabilities for intrusion, steals data and encrypts systems to pressure victims into paying ransom, and has been associated with the use of SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender. ATT&CK techniques explicitly annotated in the content for INC Ransom include T1190 Exploit Public-Facing Application, T1608.001 Upload Malware, T1608.002 Upload Tool, T1053 Scheduled Task/Job, T1059.003 Windows Command Shell, T1219 Remote Access Tools, and T1685 Disable or Modify Tools. The content also links affiliates associated with INC to Fox Tempest, a malware-signing-as-a-service operation disrupted by Microsoft. According to the provided reporting, Fox Tempest was tied to ransomware affiliates behind INC, and Microsoft said affiliates associated with INC used that service alongside affiliates tied to Qilin, Akira, and BlackByte. No nation-state attribution is stated in the provided content. Known aliases in the provided content include gold_ionic, inc, inc_ransom, and inc_ransomware.
Akira is a ransomware gang that first emerged in March 2023. It is described as targeting small- to medium-sized businesses, with reported victim sectors including education, finance, manufacturing, real estate, healthcare, and legal services. The group conducts double-extortion activity by encrypting systems and stealing data, then extorting victims for payment to restore systems and prevent release of stolen information. The content states that Akira claimed 772 ransomware attacks in 2025, of which 112 were confirmed by targeted organizations, and had claimed 248 additional attacks in 2026 at the time of reporting, with 14 confirmed so far. In Q1 2026 reporting cited here, Akira ranked among the most active ransomware groups, including 154 victims in one dataset and 200 incidents in another. The group was also described as one of the dominant operators in Q1 2026 alongside Qilin, The Gentlemen, and LockBit. Reported victimology in the content includes breaches of Rodenburg Law Firm and BUHLMANN North America LP, and Akira was cited as having breached IT service providers serving defense and government sectors in early 2026. The content also notes that nine of Akira’s confirmed 2025 attacks affected legal firms in the United States. Akira is linked in the content to affiliates using the Fox Tempest malware-signing-as-a-service operation. Microsoft said Fox Tempest was tied to ransomware affiliates associated with Akira, and malware signed through that service was used by ransomware groups including Akira. Related reporting states that affiliates uploaded malware to the Fox Tempest platform to have it signed with fraudulent short-lived certificates, then distributed it via fake websites, malvertising, and SEO poisoning while impersonating legitimate software. The content explicitly associates Akira with defense evasion behavior, stating that Akira has disabled or modified security tools, mapped to MITRE ATT&CK T1685 (Disable or Modify Tools). 
Akira is also referenced in Splunk detections related to defense impairment and ransomware-associated precursor behavior. Known aliases in the provided content include Akira Ransomware, Akira Ransomware Actors, Akira Ransomware Gang, Akira Ransomware Group, Gold Sahara, Howling Scorpius, Punk Spider, and Storm-1567.
Lazarus Group is a DPRK-linked threat actor and North Korean hacking syndicate. Aliases in the provided content include APT-C-26, BadClone, Black Artemis, Copernicium, Diamond Sleet, Genie Spider, Guardians of Peace, Hidden Cobra, Labyrinth Chollima, Nickel Academy, Nickel Gladstone, Pukchong, PurpleBravo, Selective Pisces, Stardust Chollima, Storm-0139, Storm-0954, Storm-1222, Storm-1877, TA404, TAG-121, TempHermit, UNC2970, WaterPlum, and Zinc. The content links Lazarus Group to long-running developer-focused social engineering and malware campaigns, especially Contagious Interview, in which operators impersonate recruiters and target cryptocurrency and Web3 developers with fake job interviews, fabricated company identities, malicious coding-test repositories, trojanized video-conferencing applications, and malicious GitHub content. Reported delivery and execution mechanisms include malicious VS Code tasks.json files using runOn: folderOpen, abuse of npm lifecycle scripts, malicious Git hooks such as pre-commit and post-checkout hooks, and trojanized conferencing software. Malware and tooling explicitly associated in the content include BeaverTail, InvisibleFerret, OtterCookie, FCCCall, TangoDelta, and SHARPKNOT. OtterCookie is described as a JavaScript implant using Socket.IO C2 with capabilities including screen capture, clipboard collection, and keystroke logging. BeaverTail and InvisibleFerret are associated with credential theft, browser data theft, cryptocurrency wallet theft, persistence, remote access, keylogging, and file exfiltration. The content also describes Lazarus activity targeting software supply chains and developer ecosystems. It states Lazarus pioneered the weaponization of malicious tasks.json files and maintained a sustained presence in PyPI and npm targeting AI and developer tool packages under the campaign name Graphalgo. 
Additional Lazarus-linked tasks.json campaigns named in the content include Fake Font, Malicious Dictionary, TasksJacker, and PolinRider. Reported tradecraft includes hiding payloads in nonstandard files such as .woff2 font files, injecting malicious tasks.json into compromised repositories, rewriting Git history, and spoofing author metadata to conceal changes. Infrastructure described in the content includes a shared Lazarus-linked host used both as a BeaverTail FTP exfiltration sink and as OtterCookie command-and-control infrastructure, as well as an exposed Jenkins server assessed as operator-controlled infrastructure that supported both fake cryptocurrency-exchange deployment and FCCCall malware builds. The Jenkins environment reportedly produced customized FCCCall installers in Docker-based clean-room builds and was tied to broader Contagious Interview operations. The content further associates Lazarus Group with cryptocurrency and on-chain theft activity. It references canonical Lazarus cryptocurrency theft targeting exchanges via insider compromise, money laundering and on-chain footprint reporting, public attribution of the Kelp DAO exploit to Lazarus, and LayerZero Labs’ statement that Lazarus compromised internal RPC nodes used by its DVN during the April 18 exploit affecting Kelp DAO’s rsETH bridge. The content also notes that subsequent investigations attributed the 2017 WannaCry ransomware outbreak to groups linked to North Korea, particularly Lazarus Group, an attribution supported by the United States and the United Kingdom. For defense evasion, the content specifically states that Lazarus malware TangoDelta attempts to terminate McAfee-related processes and that SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.
Storm-0249 is a financially motivated cybercriminal threat actor tracked by Microsoft as an initial access broker active since 2021. It is known for distributing BazaLoader, IcedID, Bumblebee, Emotet, and later Latrodectus, and for brokering network access to ransomware operators. Reporting in the provided content describes Storm-0249 as having evolved from noisy mass-phishing and email-delivered malware campaigns into more targeted, stealthy operations that prepare victim environments for ransomware attacks. Storm-0249 has been observed using tax-themed phishing and fake DocuSign lures to deliver BruteRatel C4 and Latrodectus, and later shifting in early March 2025 from email-based delivery to compromising legitimate websites, likely via WordPress vulnerabilities, and using the ClickFix social-engineering technique. Microsoft also linked Storm-0249 to large-scale phishing and malvertising campaigns using ClickFix. In these campaigns, victims are tricked into executing malicious commands, including curl commands from the Windows Run dialog. The content states that Storm-0249 abuses trusted Microsoft Windows utilities and endpoint detection and response components to stealthily load malware, establish persistence, and support ransomware operators. Reported tradecraft includes domain spoofing, DLL sideloading, fileless PowerShell execution, and abuse of legitimate signed security software processes, particularly SentinelOne components such as SentinelAgentWorker.exe. In the described intrusion chain, a malicious MSI executed with SYSTEM privileges drops a trojanized DLL alongside a legitimate SentinelOne executable in AppData, enabling sideloading, command-and-control communications, reconnaissance, and persistence while blending into trusted EDR activity. The actor has also been reported using reg.exe and findstr.exe to extract MachineGuid and other system identifiers in preparation for ransomware deployment. 
Storm-0249 is described as selling or providing footholds to downstream ransomware actors. Microsoft specifically notes that other actors, including Storm-0501, may use footholds already established by access brokers such as Storm-0249. The content also links Storm-0249 to Fox Tempest, a malware-signing-as-a-service operation tracked since September 2025. Microsoft reported that Storm-0249 used Fox Tempest-signed malware in active intrusions, including campaigns delivered through malvertising, SEO poisoning, and fake ads. Fox Tempest provided signing services to multiple ransomware-related actors, including Storm-0249, Vanilla Tempest, Storm-0501, and Storm-2561. Known alias in the provided content: storm_0249.
Storm-0501 is a Microsoft-tracked threat actor linked to the Fox Tempest malware-signing-as-a-service ecosystem. Since September 2025, Microsoft has linked Storm-0501 to Fox Tempest alongside Vanilla Tempest, Storm-2561, and Storm-0249. Storm-0501 used Fox Tempest-signed malware in active intrusions, including campaigns delivered through malvertising, SEO poisoning, and fake ads. Fox Tempest provided short-lived Microsoft-issued code-signing certificates via abuse of Microsoft Artifact Signing, enabling malware used by associated actors to appear legitimate and bypass security controls. Content also associates Storm-0501 with ATT&CK techniques including PowerShell (T1059.001), Shared Modules (T1129), Create Account (T1136), Cloud Accounts (T1078.004), Account Manipulation (T1098), Exfiltration to Cloud Storage (T1567.002), Exploit Public-Facing Application (T1190), IIS Components (T1505.004), Web Shell (T1505.003), Regsvr32 (T1218.010), Unsecured Credentials (T1552), and OS Credential Dumping (T1003).
LAPSUS$ is a financially motivated cybercrime and extortion group known for data theft, public leak-site operations, and social-engineering-driven intrusions. Provided aliases include DEV-0537, Lapsus, Slippy Spider, and Strawberry Tempest. The content also describes operational overlap and ecosystem ties with ShinyHunters, Scattered Spider/UNC3944, and composite groupings including Scattered LAPSUS$ Shiny Hunters (SLSH) and Scattered Lapsus$ Hunters. Across the provided reporting, LAPSUS$ is repeatedly associated with attacks based on stolen credentials, social engineering, cloud abuse, and compromise of developer environments. The content specifically notes that groups such as LAPSUS$ often "log in rather than hack in" and that phone-based pretexting was popularized by groups including LAPSUS$. The group is referenced in multiple extortion and leak contexts. Reporting states that data stolen in the GitHub internal repository incident was later offered for sale in cooperation with LAPSUS$ and listed on the LAPSUS$ leak site. Checkmarx stated that data exfiltrated from its GitHub repositories on March 30, 2026 was later published by LAPSUS$ on April 25, 2026. LAPSUS$ also claimed possession of approximately 4 TB of Mercor data, including source code, databases, video and identity verification data, and VPN account information, although the content notes researchers could not verify access to the alleged leaked Mercor data at the time of writing. The content also references the group’s 2022 intrusion into Okta, which Okta said affected a small number of customers. Several reports characterize LAPSUS$ as part of a broader, loosely decentralized cybercrime ecosystem with overlap among ShinyHunters and Scattered Spider rather than as a nation-state actor.
Storm-2561 is a Microsoft-tracked cybercriminal threat actor / activity cluster active since May 2025. The actor is known for distributing malware through SEO poisoning and impersonating popular software vendors and trusted brands. Reported activity includes SEO-poisoning campaigns that redirect users searching for legitimate enterprise software, especially VPN products, to spoofed download sites and attacker-controlled GitHub repositories hosting malicious ZIP files and trojanized installers. Microsoft attributed credential-theft campaigns using fake VPN clients to Storm-2561, including signed trojans masquerading as trusted VPN software that steal VPN credentials, use DLL sideloading, and establish persistence via the Windows RunOnce registry key. Microsoft also reported Storm-2561 campaigns involving fake VPN downloads that installed signed trojans and stole VPN credentials, and noted abuse of legitimate services as part of the operation. Earlier reporting cited Storm-2561 activity targeting searches for software from vendors such as SonicWall, Hanwha Vision, and Pulse Secure / Ivanti Secure Access, with prior campaigns delivering Bumblebee; Microsoft podcast reporting also described a trojanized SonicWall SSL VPN NetExtender variant delivering credential-stealing malware referred to as SilentRoute. Microsoft further linked Storm-2561 to Fox Tempest, a malware-signing-as-a-service operation that provided signed malware used in real intrusions delivered through malvertising, SEO poisoning, legitimate purchased advertisements, and fake ads. Fox Tempest-signed malware used by linked operators included malware families such as Rhysida, Oyster, Lumma Stealer, and Vidar. Known alias in the provided content: storm_2561.
Storm-2949 is a threat actor tracked by Microsoft Threat Intelligence that targets Microsoft 365 and Azure production environments with the objective of exfiltrating sensitive data from high-value assets. The actor abuses legitimate applications, identity features, and cloud administration capabilities rather than relying primarily on custom malware. Reported activity begins with social engineering and credential phishing against privileged users, including IT personnel and senior leadership. In described intrusions, Storm-2949 used a fake technical interview pretext and posed as IT support to drive MFA-fatigue and abuse Microsoft Entra ID Self-Service Password Reset (SSPR), persuading victims to approve MFA prompts. After account takeover, the actor reset passwords, removed existing MFA methods, and re-registered Microsoft Authenticator on attacker-controlled devices to maintain access. Post-compromise, Storm-2949 used Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and persistence opportunities in the tenant. The actor accessed and exfiltrated data from OneDrive and SharePoint, with particular interest in sensitive IT operational documents, VPN configurations, and remote access procedures. The actor then expanded into Azure by abusing privileged Azure RBAC roles and management-plane operations. Reported targets included Azure App Services, Azure Key Vaults, Azure Storage accounts, Azure SQL servers, and Azure virtual machines. 
Observed techniques included retrieving App Service publishing profiles via microsoft.Web/sites/publishxml/action; manipulating Key Vault access policies and RBAC permissions to read secrets and connection strings; modifying SQL firewall rules to enable access and later deleting those rules; changing storage account network access settings; abusing microsoft.Storage/storageAccounts/listkeys/action and SAS generation to download blobs; and using Azure VMAccess and Run Command to create rogue local administrator accounts, execute commands, attempt to obtain managed identity tokens, and weaken Microsoft Defender protections. Storm-2949 also established persistence on endpoints using legitimately signed remote management tools, specifically ConnectWise ScreenConnect and Syncro/Servably, including a ScreenConnect deployment served from 185.241.208[.]243:9090. The actor deployed ScreenConnect on Azure VMs and used it for host discovery, domain enumeration, credential harvesting, and exfiltration of .pfx certificate files. The content states that no custom malware family was used in the intrusion chain; instead, the actor relied on legitimate cloud control-plane functions and signed RMM tools. Malpedia identifies the customized ScreenConnect variant associated with this activity as Evilconwi. Infrastructure referenced in the reporting includes 176.123.4[.]44 and 91.208.197[.]87, associated with ALEXHOST SRL, and 185.241.208[.]243, associated with 1337 Services GmbH / Njalla. No nation-state attribution is stated in the provided content. Known alias in the provided content: Storm-2949.
GhostEmperor is referenced here as an alias set overlapping with Earth Estries, FamousSparrow, Operator Panda, RedMike/Red Mike, Salt Typhoon, UNC2286, and UNC5807. Based on the provided content, the most widely recognized name is Salt Typhoon. The content describes Salt Typhoon as a China-associated or Chinese state-sponsored espionage threat actor targeting telecommunications and other critical sectors. Reported targeted sectors include telecommunications, government, transportation, lodging, military networks, and critical infrastructure such as electricity, water, and internet services. The group compromised telecom providers in the U.S. and abroad and breached U.S. lawful intercept systems used for court-ordered surveillance; FBI reporting in the content states the intrusions have been active since at least 2019. The access to lawful intercept systems is described as itself delivering intelligence value, consistent with espionage objectives rather than disruptive action. Tradecraft directly mentioned in the content includes exploitation of public-facing applications and perimeter infrastructure, especially backbone routers, edge devices, firewalls, VPNs, and vulnerable Microsoft Exchange/IIS environments. ATT&CK techniques explicitly associated in the content include T1190 Exploit Public-Facing Application, T1505.003 Web Shell, T1505.004 IIS Components, T1059 Command and Scripting Interpreter, T1136 Create Account, T1078.004 Cloud Accounts, T1098 Account Manipulation, T1572 Protocol Tunneling, T1608.001 Upload Malware, and T1608.002 Upload Tool. The content also states that advanced actors such as Salt Typhoon often rely on classic playbooks and known vulnerabilities in perimeter devices with patches already available. The content further notes overlap between FamousSparrow and clusters tracked as Earth Estries and Salt Typhoon, but only says this overlap exists; it does not establish that they are definitively the same actor.
A Bitdefender-attributed FamousSparrow intrusion against an Azerbaijani oil and gas company exploited ProxyNotShell on Microsoft Exchange, used multiple web shells, and deployed Deed RAT and TernDoor/Terndoor across multiple waves, with repeated re-entry after remediation. Because the content frames this as overlap rather than confirmed identity, those details should be treated as related cluster activity rather than conclusively core Salt Typhoon activity.
APT38 is a North Korea-linked threat actor. In the provided content, it is associated with the aliases BlueNoroff, BeagleBoyz, CageyChameleon, CryptoCore, DangerousPassword, LeeryTurtle, Masan, Nickel Tapestry, Sapphire Sleet, TA444, and UNC1069. The content specifically describes UNC1069/Sapphire Sleet as a financially motivated North Korea-nexus actor and links BlueNoroff and UNC1069 malware overlaps to DPRK attribution. Reported activity includes the March 2026 axios npm supply-chain compromise, in which trojanized axios versions 1.14.1 and 0.30.4 introduced the malicious dependency plain-crypto-js. The campaign was attributed by Google Threat Intelligence Group to UNC1069, with Microsoft tracking the same activity as Sapphire Sleet; Elastic reported overlap between the delivered macOS Mach-O payload and WAVESHAPER, a C++ backdoor attributed by Mandiant to UNC1069, and noted links between the internal project name macWebT and BlueNoroff’s documented webT module. The content also states that APT38 has used unhooked DLLs to disable EDR or antivirus tools. ATT&CK techniques explicitly associated with APT38 in the content include T1190 Exploit Public-Facing Application, T1505.003 Web Shell, T1059 Command and Scripting Interpreter, T1059.001 PowerShell, T1059.003 Windows Command Shell, T1112 Modify Registry, T1689 Downgrade Attack, and T1204.002 Malicious File Execution. The content additionally lists APT38 in association with UDL-file-based spearphishing attachment activity.
Webworm is a China-aligned APT group, also tracked as Space Pirates and UAT-8302. Reporting in the provided content describes the group as active since at least 2022, with one source stating activity since at least 2017. It initially focused on targets in Asia and has more recently shifted toward Europe, while also showing activity in South Africa. Observed 2025 victims included government organizations in Belgium, Italy, Poland, Serbia, Spain, and a university in South Africa. Additional historical targeting mentioned in the content includes government and enterprise organizations in Russia, Georgia, Mongolia, and other Asian countries, including the IT services, aerospace, and electric power sectors. The group has used malware families including McRat (9002 RAT), Trochilus, and Gh0st RAT, but the content states it has shifted away from traditional RATs toward legitimate, semi-legitimate, and custom proxy tooling. In 2025, Webworm introduced two backdoors: EchoCreep, which uses Discord for command-and-control, and GraphWorm, which uses Microsoft Graph API and OneDrive for command-and-control. EchoCreep supports file upload, runtime reporting, and command execution. GraphWorm persists via user logon and Windows Run keys, creates a unique victim ID from host attributes, uses separate OneDrive folders and subfolders for tasking and results, and supports file transfer and command execution. Webworm also used open-source and custom proxy and tunneling tools including SoftEther VPN, iox, frp, WormFrp, ChainWorm, SmuxProxy, and WormSocket. The content states ESET assessed the breadth and complexity of these tools suggest Webworm may be building a covert proxy network from compromised systems, and that the group uses proxy tooling together with SoftEther VPN to increase stealth and obscure origin. Webworm was also linked to a GitHub repository masquerading as a WordPress fork that staged malware and tools, including SoftEther VPN. 
For reconnaissance and possible initial access, the content states Webworm used open-source tools such as dirsearch and nuclei against more than 50 targets, and researchers found a proof-of-concept exploit for CVE-2017-7692 in SquirrelMail that may have been used against a Serbian target. The initial access pathway is otherwise described as unknown. The group also used a compromised Amazon S3 bucket for WormFrp configuration retrieval and likely data exfiltration; reported files included virtual machine snapshots tied to an Italian government entity and exfiltrated files from a Spanish government organization between December 2025 and January 2026. The content also notes overlaps or links with other China-aligned clusters including FishMonger and SixLittleMonkeys.
UAC-0184 is a Russia-aligned threat actor targeting Ukrainian military and government entities, including representatives of the Ukrainian Defense Forces and the Verkhovna Rada. The group is also tracked as Hive0156, UNC5435, and MB-0007. CERT-UA reported increased UAC-0184 activity during 2024 focused on gaining access to computers used by Ukrainian Defense Forces personnel to steal documents and messenger data. The actor uses social engineering and spearphishing with military- and government-themed lures, including malicious ZIP archives and weaponized LNK files disguised as PDF, Word, Excel, DOCX, RTF, and XLSX documents. Delivery channels directly mentioned in the reporting include Viber, as well as messengers, dating platforms, and previously Signal and Telegram. Observed initial access and staging tradecraft includes LNK execution, bitsadmin/BITS transfers, mshta.exe launching HTA payloads, hidden PowerShell downloaders, and geo-fenced or otherwise gated payload delivery. Reported malware and tooling associated with UAC-0184 include Remcos RAT, Hijack Loader, and XWorm. Multiple intrusion chains are described. One chain uses bitsadmin to fetch HTA files that execute via mshta.exe, then PowerShell downloads dctrprraclus.zip, which is extracted under %APPDATA%\ApplicationData32 and launches a DLL side-loading chain involving legitimate Plane9 components, openvr_api.dll, kernel-diag.lib, and filter.bin. The payload is decoded using XOR and LZNT1 decompression and ultimately side-loaded into legitimate signed binaries including Microsoft-signed VSLauncher.exe. Another reported path uses a template-driven HTA crypter with embedded VBScript and PowerShell to decrypt an AES-256-CBC blob, gunzip it, and reflectively load a .NET assembly. A parallel signed-third-party sideloading path uses the legitimate signed Bitdefender Endpoint Security deployer bddeploy.exe to hijack deploy.dll via DLL search order hijacking.
The actor has also been reported using legitimate executables such as CFlux.exe and Chime.exe for DLL side-loading, module stomping, and in-memory payload reconstruction. Persistence mechanisms directly mentioned include scheduled tasks, registry Run Keys, and process injection or process hollowing. In some campaigns, Hijack Loader is used to fetch additional payloads and Remcos RAT is injected into chime.exe. UAC-0184 has been observed repurposing legitimate PassMark BurnInTest / PassMark Endpoint components for covert communications over UDP and TCP port 31339, including multicast discovery traffic to 224.0.0.255:31339, and the tooling reportedly includes MiniDumpWriteDump capability. Reporting also notes infrastructure hosted on disposable Cloudflare Pages, Netlify, and novelty-TLD domains. The group is consistently described as conducting cyber-espionage and intelligence-gathering operations against Ukraine, with tradecraft centered on trusted-process abuse, DLL side-loading, reflective loading, staged payload delivery, and messenger-based social engineering.
The Gentlemen is a ransomware-as-a-service (RaaS) and double-extortion cybercriminal operation that emerged publicly in mid-to-late 2025 and rapidly became one of the most active ransomware groups globally by early 2026. Reporting in the provided content consistently describes it as a high-volume, relatively sophisticated operation with hundreds of publicly claimed victims in 2026 and broader telemetry suggesting substantially more compromises than those disclosed on its leak site. The group is repeatedly linked in the content to the Qilin ecosystem. Multiple sources assess The Gentlemen as a continuation or reorganization of prior Qilin-affiliate activity rather than a wholly new operation. The content also repeatedly associates the operation with the Russian-speaking actor hastalamuerte, including reporting that The Gentlemen emerged after a dispute with Qilin and that administrator zeta88 is also known as hastalamuerte. The content further notes Moscow-hour activity patterns and targeting behavior consistent with broader Russian-speaking ransomware norms, including the absence of Russia/CIS victims in one dataset. The Gentlemen operates an affiliate model advertised on underground forums, recruiting penetration testers and other technically skilled actors. The content states affiliates typically receive 90% of ransom proceeds, with one report also noting 97% for data-only extortion attacks. Internal leak reporting describes a structured backend and affiliate panel supporting payload generation, victim management, negotiation handling, ransom estimation, stolen-data uploads, and decryptor management. Named internal accounts observed in leaked material include zeta88, Kunder, qbit, JeLLy, Protagor, Bl0ck, Wick, quant, and mAst3r. The group targets enterprise environments worldwide across roughly 70 countries. 
Sectors specifically highlighted in the content include professional services, manufacturing, technology, healthcare, government, education, finance, and insurance. Geographic reporting shows broad international activity, with notable victim concentrations in APAC, Europe, Latin America, and North America; several sources note that the United States represented a smaller share of The Gentlemen victims than is typical for many ransomware groups, while Thailand was unusually prominent. The Gentlemen targets Windows, Linux, NAS, BSD, and VMware ESXi environments. The content describes Go-based lockers for Windows, Linux, NAS, and BSD, and a separate ESXi-focused locker written in C. The operation uses double extortion by stealing data before encryption and threatening publication on its leak site if victims do not pay. Some reporting also notes negotiations via affiliate-controlled Tox or Session IDs rather than only through the public leak portal, and references an X/Twitter presence used to pressure victims. Initial access and intrusion tradecraft described in the content include abuse of exposed remote services, compromised credentials, purchased access from brokers, stealer-log-derived credentials, and attacks against internet-facing edge devices. Fortinet FortiGate VPN appliances are repeatedly identified as a major access vector, including exploitation of CVE-2024-55591 and use of brute-forced or pre-compromised FortiGate credentials. Cisco edge devices are also mentioned, along with tracking of CVE-2025-32433 and CVE-2025-33073. Additional access paths in the content include stolen OWA/M365 credentials and NTLM relay activity. Post-compromise behavior described in the content includes Active Directory reconnaissance, identification of privileged users, host enumeration, lateral movement, credential harvesting, and domain-wide deployment. 
Tools and malware explicitly associated with The Gentlemen in the provided content include SystemBC, Cobalt Strike, AnyDesk, Advanced IP Scanner, Nmap, WinSCP, PsExec, WMI, PowerShell, ZeroPulse, Velociraptor, NetExec, RelayKing, TaskHound, PrivHound, CertiHound, PowerZure, RegPwn, KslDump, KslKatz, PowerRun, KillAV, EDRStartupHinder, gfreeze, glinker, DumpBrowserSecrets, and gogo.exe. The content also describes use of living-off-the-land techniques, Cloudflare-based tunneling, Group Policy abuse for mass deployment, and purpose-built EDR-killer or defense-evasion tooling. The ransomware itself is described as requiring a password argument at execution, dropping ransom notes named READMEGENTLEMEN.txt or README-GENTLEMEN.txt, and using variable six-character encrypted-file extensions. Reported behavior includes full encryption of smaller files and partial encryption of larger files to accelerate impact, deletion of shadow copies, clearing of event logs, optional wiping behavior, and termination of services related to databases, backups, virtualization platforms, remote access tools, and enterprise applications. The ESXi variant is described as shutting down virtual machines, inhibiting recovery, and using persistence mechanisms such as crontab, rc.local, or copying itself to /bin/.vmware-authd. Several reports in the content discuss a May 2026 compromise of The Gentlemen’s own internal systems, including its Rocket backend. That leak reportedly exposed internal chats, databases, backend infrastructure, affiliate activity, victim-management tooling, operational workflows, and discussions about attack methods, credential abuse, and EDR-killer tools. The content states the leak linked administrator zeta88 to hastalamuerte and provided insight into a tightly coordinated core team. Despite the breach, the group was reported to remain active. Known aliases and closely associated names directly mentioned in the content include The Gentlemen, hastalamuerte, and zeta88. 
The content does not provide high-confidence evidence of formal sub-groups beyond affiliates operating under the RaaS model.
Kimsuky is a North Korea-linked threat actor associated with cyber espionage and financially motivated operations. Aliases in the provided content include APT43, APT-C-55, Black Banshee, Cerium, Earth Imp, Emerald Sleet, GreenDinosa, Kimsuky Group, Konni, Konni APT, Konni Group, Opal Sleet, Osmium, PlaneDown, RGB-D5, Ruby Sleet, SharpTongue, Sparkling Pisces, Springtail, TA406, TA427, Thallium, and Velvet Chollima. The content describes Kimsuky conducting multiple spear-phishing campaigns in 2025, including operations targeting corporate recruiters, cryptocurrency investors and developers, defense-sector officials, graduate school administrators, and primarily South Korean public and private organizations. PebbleDash-related activity was also observed against defense-related entities in Brazil and Germany, while AppleSeed activity more often targeted government organizations. Initial access commonly relied on spear-phishing attachments disguised as documents, including LNK files masquerading as PDFs and JSE files with double extensions, as well as droppers in JSE, PIF, SCR, and EXE formats. In some cases the actor also contacted targets via messengers. Across the described campaigns, Kimsuky displayed decoy content while silently deploying malware, establishing persistence, and opening command-and-control channels. Reported malware and tooling associated with the actor in the content include PebbleDash-based families such as HelloDoor, httpMalice, MemLoad, and httpTroy; AppleSeed and HappyDoor; MoonPeak, described as a customized .NET XenoRAT variant; and use of VSCode Remote Tunneling and DWAgent for remote access and persistence. The broader arsenal listed in the content also includes BabyShark, RandomQuery, xRAT, XenoRAT, and TutRAT. 
The actor was described as heavily abusing legitimate services and platforms to blend malicious traffic with normal activity and evade reputation-based defenses, including GitHub raw APIs and repositories, Microsoft CDN, GitLab, Dropbox, VSCode tunnels, Cloudflare Quick Tunnels, Ngrok, and compromised South Korean websites. One campaign used a VSCode tunnel named "bizeugene" and exfiltrated authentication details to a compromised South Korean website. Another financially motivated track, active since June 2025 under the Velvet Chollima / Kimsuky / APT43 / Ruby Sleet naming, distributed a counterfeit cryptocurrency trading application called Tralert FX to steal browser credentials and wallet data from retail cryptocurrency traders. That campaign used an EV-signed installer tied to AgilusTech LLC, staged multiple components, persisted via scheduled tasks, and used GitLab for both command-and-control and exfiltration. The content attributes several defense evasion and persistence behaviors to Kimsuky, including disabling Windows UAC, adding Microsoft Defender exclusions, turning off Windows Security Center, hiding AV software windows, creating scheduled tasks, modifying the registry, and using Run keys or services for persistence. ATT&CK techniques explicitly referenced in the content for Kimsuky include T1567.002 Exfiltration to Cloud Storage, T1685 Disable or Modify Tools, T1059.001 PowerShell, T1204.002 Malicious File Execution, T1112 Modify Registry, T1027.010 Command Obfuscation, and T1689 Downgrade Attack. The provided reporting assesses that Kimsuky has evolved both malware and post-exploitation tradecraft, including use of Rust-based malware, GitHub-authenticated VSCode tunnels, Cloudflare-hosted infrastructure, and probable LLM-generated code comments, while maintaining infrastructure patterns tied to free South Korean hosting domains and compromised South Korean websites. 
Based on targets, infrastructure, and malware characteristics, the content states that PebbleDash and AppleSeed clusters were assessed with medium-high confidence as Kimsuky-affiliated and aligned with broader APT43 / Ruby Sleet tracking.
LockBit is a ransomware-as-a-service (RaaS) operation first observed in 2019 and initially known as ABCD. It is a financially motivated cybercriminal group with a large affiliate network and a double-extortion model, combining file encryption with data theft and leak-site pressure. Known aliases in the provided content include ABCD, LockBit, LockBit 2.0, LockBit 3.0, LockBit Black, LockBit 4.0, LockBit 5.0, LockBit Green, LockBit Gang, LockBit Group, and LockBitSupp. The content describes LockBit as one of the leading and most mature RaaS operations, with affiliates allowed to target a broad range of organizations, including critical infrastructure and medical facilities, while avoiding post-Soviet countries. Victims mentioned in the content span private business, healthcare, manufacturing, financial, government, educational, and medical sectors. The group has been linked in the content to attacks against Foxconn facilities in Mexico in 2022 and Foxsemicon in 2024, and affiliates continued targeting healthcare organizations in 2026, including through third-party compromise and supply-chain access. LockBit has released multiple versions over time. The content states LockBit 2.0 appeared in 2021, LockBit 3.0/LockBit Black in 2022, LockBit 4.0 at the start of 2025, and LockBit 5.0 in September 2025. LockBit 5.0 is described as supporting Windows, Linux, and ESXi, using XChaCha20 and Curve25519, random 16-character encrypted-file extensions, and enhanced evasion and anti-analysis features. Reported Windows behaviors include process hollowing into defrag.exe, DLL unhooking, ETW patching, event log clearing, anti-debugging, self-deletion, and checks for Russian language or geographic indicators. The ESXi variant targets /vmfs/ paths and can terminate virtual machines to unlock files. Earlier content also describes LockBit 3.0 as highly resistant to detection and analysis, very fast at encryption, and capable of autonomous spreading. 
The content also associates LockBit affiliates with use of exposed or attacker-controlled remote management infrastructure and supply-chain compromise. Huntress reported incidents in 2026 involving exploitation of CVE-2026-1731 in Bomgar Remote Support, followed by reconnaissance, privilege escalation, deployment of AnyDesk or Atera, and LockBit ransomware execution, and assessed that the deployments likely used the leaked LockBit 3.0 builder. Separate reporting cited infrastructure associated with prior LockBit-, Qilin-, and ALPHV/BlackCat-related activity. Law-enforcement disruption is a major part of LockBit’s recent history. The content states Operation Cronos disrupted LockBit in early 2024, with server seizures, arrests, wallet freezes, and takedown of the leak site. The UK National Crime Agency infiltration in October 2024 reportedly found that since at least December 2022 the group had not deleted victim data despite receiving ransom payments to do so. Despite disruption, the group rebuilt infrastructure and continued operating. In Q1 2026, the content reports LockBit 5.0 posted 163 victims, ranking fourth globally, indicating continued affiliate activity and recovery after the 2024 disruption. The content also notes that state-linked actors have been observed using LockBit ransomware, but it does not characterize LockBit itself as a nation-state actor.
ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service (RaaS) threat actor and ransomware operation, also referred to as AlphV, BlackCat, Noberus, and, in the provided alias list, Embargo. The group emerged around late 2021 and became a major extortion threat, with court documents stating it targeted more than 1,000 victims worldwide. It is described as now defunct or having declined in direct activity, but its tooling and affiliate ecosystem continued to influence ransomware operations and healthcare targeting in 2026. The operation used a RaaS model in which core developers maintained the malware, negotiation portals, and leak infrastructure, while affiliates conducted intrusions and shared ransom proceeds, with multiple reports in the content stating a 20% cut to administrators and 80% to affiliates. ALPHV/BlackCat is described as using high-impact extortion campaigns and double extortion, encrypting victim systems while threatening to publish stolen data. Reported intrusion methods and tradecraft in the content include use of stolen credentials, phishing emails, exposed RDP services, lateral movement, disabling security tools, file encryption, and cryptocurrency ransom demands. The malware is described as Rust-based and capable of targeting Windows and Linux. The group is repeatedly linked to attacks against U.S. companies and healthcare-related targets. The content specifically notes healthcare sector attacks, including use of Brute Ratel in healthcare intrusions, and references the 2024 Change Healthcare attack attributed to ALPHV/BlackCat. Additional reporting in the content states that although direct ALPHV activity declined, its tooling and affiliate ecosystem continued to shape healthcare ransomware activity in 2026 through successor operations and shared techniques. The content also documents extensive U.S. law enforcement action against ALPHV/BlackCat.
In December 2023, the FBI disrupted the operation by developing a decryption tool, assisting hundreds of victims, saving an estimated $99 million in ransom payments, and seizing several ALPHV/BlackCat websites. Multiple criminal cases in the content describe affiliates and facilitators, including Ryan Goldberg, Kevin Martin, and Angelo Martino, who pleaded guilty or were sentenced for deploying or facilitating ALPHV/BlackCat ransomware attacks in 2023. Martino, a former ransomware negotiator, admitted sharing confidential victim information with BlackCat operators to increase ransom demands. The content further notes ecosystem links and downstream associations: infrastructure tied to other activity has been associated with ALPHV/BlackCat; KongTuke was reported to sell infections to AlphV/BlackCat affiliates; and Nitrogen was described as suspected of links to the ALPHV/BlackCat ecosystem. Known aliases in the provided content include AlphV, ALPHV BlackCat, BlackCat, BlackCat/ALPHV, ALPHV/BlackCat, Noberus, and the provided alias Embargo.
CoinbaseCartel is a cybercriminal data extortion crew that emerged in September 2025. Reporting in the provided content describes it as focused on data theft and extortion rather than traditional ransomware operations, although some reporting also refers to it as a ransomware group. The group has been linked to dark web leak-site activity and extortion demands against victims including Grafana Labs, SK Telecom, and Renesas Electronics. In the Grafana Labs incident, CoinbaseCartel was reported to have claimed responsibility, listed Grafana Labs on its dark web site on May 15, 2026, and attempted to blackmail the company to prevent release of stolen codebase data. The content states that CoinbaseCartel relies on stolen credentials and social engineering to gain access to victim networks and does not use ransomware during attacks. Reported victim sectors include healthcare, technology, transportation, manufacturing, and business services. The content says the group has attempted to extort more than 100 companies since September 2025, and separate reporting cited in the content says it has amassed 170 victims. Multiple reports in the content assess CoinbaseCartel as an offshoot of broader cybercriminal ecosystems including Scattered Lapsus$ Hunters (SLSH), and the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. Known alias in the provided content: coinbasecartel.
Rhysida is a financially motivated cybercriminal ransomware group that first surfaced in May 2023 and operates a ransomware-as-a-service model in which affiliates use its malware and infrastructure. The group is described as targeting healthcare, education, and government sectors, including hospitals, healthcare systems, schools, museums, and public-sector entities, using opportunistic intrusion methods. Reported Rhysida activity in 2025 and 2026 involved both data exfiltration and encryption to pressure victims into paying ransom, with use of a public data leak site for extortion. The content states that Rhysida previously operated as Vice Society in 2021 and rebranded to Rhysida in 2023. Rhysida is also described as closely associated with the WIZARD SPIDER nebula, and some reporting links Rhysida operators using OysterLoader to the broader WIZARD SPIDER and Vanilla Tempest ecosystem. Rhysida has been linked to OysterLoader, a multi-stage C++ loader also tracked as Broomstick and CleanUp. OysterLoader has been used in campaigns associated with Rhysida and delivered through fake software download sites and malvertising/SEO-poisoning lures impersonating software such as Microsoft Teams, PuTTY, WinSCP, Zoom, Google Authenticator, and AI software. The loader is commonly delivered as a signed MSI and uses anti-analysis and evasion features including API hammering, anti-debugging, dynamic API resolution, custom LZMA-based decompression, environment checks, steganographic payload delivery, scheduled-task persistence, and evolving HTTP/HTTPS C2 workflows. The content also states that Rhysida used malicious Bing advertisements to deliver OysterLoader and used malware packing and code-signing certificates, including abuse of Microsoft Trusted Signing, to reduce detection and increase trust. 
Microsoft reporting in the content says malware signed through the Fox Tempest malware-signing-as-a-service operation was used by Rhysida and that Fox Tempest provided services to Rhysida for at least a year. Rhysida is also listed among ransomware operators served by KongTuke, a traffic distribution system and initial access broker that used compromised WordPress sites and fake CAPTCHA/ClickFix lures to deliver second-stage payloads. Victim examples directly mentioned in the content include Heart South Cardiovascular Group, Phoenix Art Museum, Bellflower Unified School District, Cookeville Regional Medical Center, Carthage, Texas, and Oregon’s Department of Environmental Quality. The content states Rhysida claimed the Oregon DEQ attack in April 2025 and demanded $2.6 million after claiming to have stolen 2.5 TB of data. It also states Rhysida claimed the Heart South breach in November 2025 and demanded six bitcoin, claimed the Phoenix Art Museum breach in February 2026 and demanded 10 bitcoin, and claimed responsibility for the Cookeville Regional Medical Center attack, alleging exfiltration of 538 GB of data. The content further notes Talos assessed with moderate confidence that Rhysida and MoneyMessage were involved in two pre-ransomware engagements in Q1 2026. Overall, the reporting consistently characterizes Rhysida as an active ransomware and extortion threat with sustained operations through 2026, especially against healthcare organizations.