Threat Actor Registry

63 APT groups and threat actors tracked

| Name | Aliases | Affiliation | Motivation | Status |
| --- | --- | --- | --- | --- |
| Akira | Akira ransomware, GOLD SAHARA, PUNK SPIDER +1 | Cybercriminal | Financial | active |
| APT1 | Comment Crew, Comment Panda, TG-8223 +3 | China (PLA Unit 61398) | Espionage | inactive |
| APT10 | MenuPass, Stone Panda, Red Apollo +3 | China (Ministry of State Security) | Espionage | active |
| APT27 | Emissary Panda, TG-3390, Iron Tiger +3 | China | Espionage | active |
| APT28 | Fancy Bear, STRONTIUM, Sofacy +5 | Russia (GRU Unit 26165) | Espionage | active |
| APT29 | Cozy Bear, The Dukes, NOBELIUM +4 | Russia (SVR - Foreign Intelligence Service) | Espionage | active |
| APT31 | Zirconium, Judgment Panda, Violet Typhoon +1 | China (Ministry of State Security) | Espionage | active |
| APT32 | OceanLotus, SeaLotus, APT-C-00 +3 | Vietnam (assessed state-sponsored) | Espionage | active |
| APT33 / Elfin | APT33, Elfin, HOLMIUM +1 | Iran (Islamic Revolutionary Guard Corps) | Espionage | active |
| APT34 / OilRig | APT34, OilRig, Helix Kitten +6 | Iran (suspected) | Espionage | active |
| APT35 / Charming Kitten | APT35, Charming Kitten, Phosphorus +6 | Iran (assessed) | Espionage | active |
| APT37 / Reaper | APT37, Reaper, ScarCruft +4 | North Korea (assessed) | Espionage | active |
| APT38 | Bluenoroff, Stardust Chollima, BeagleBoyz +1 | North Korea (Reconnaissance General Bureau) | Financial | active |
| APT40 | Leviathan, BRONZE MOHAWK, TEMP.Periscope +2 | China (Ministry of State Security, Hainan) | Espionage | active |
| APT41 | Double Dragon, Winnti, BARIUM +2 | China (Ministry of State Security) | Espionage / Financial | active |
| BlackBasta | GOLD BOMBARD | Unknown | Financial | active |
| BlackCat / ALPHV | ALPHV, Noberus, UNC4466 | Cybercriminal (Russian-speaking) | Financial | inactive |
| BlackSuit | Royal, Zeon, Ignoble Scorpius | Suspected former Conti ransomware members | Financial | active |
| Cl0p | CLOP, Cl0p Gang | Cybercriminal (Russian-speaking) | Financial | active |
| Conti | Conti Ransomware Group | Russia-aligned | Financial / Ransomware Extortion | inactive |
| DarkHotel | DUBNIUM, Zigzag Hail, Tapaoux +2 | South Korea (assessed) | Espionage | active |
| DarkSide | DarkSide ransomware | Cybercriminal | Financial / Ransomware Extortion | unknown |
| Dragonfly | Energetic Bear, Crouching Yeti, Group 24 +1 | Russian Federation | Espionage | active |
| DragonForce | DragonForce Malaysia | Cybercriminal | Financial / Extortion | active |
| Equation Group | EQUATION | United States (assessed) | Espionage | unknown |
| Evil Corp | Indrik Spider, Dridex Gang, UNC2165 +1 | Cybercriminal (Russian) | Financial | active |
| EvilTokens | Evil Tokens | Phishing-as-a-service (PhaaS) | Credential Theft / Financial | active |
| FIN11 | TA505 (overlapping), DEV-0950 | Cybercriminal (Russian-speaking) | Financial | active |
| FIN12 | Pistol Tempest, DEV-0237 | Cybercriminal (Russian-speaking) | Financial | active |
| FIN6 | ITG08, Skeleton Spider | Cybercriminal | Financial | active |
| FIN7 | Carbanak, Carbon Spider, ELBRUS +2 | Cybercriminal (Eastern European) | Financial | active |
| FulcrumSec | | Cybercriminal | Data Theft / Extortion | active |
| Hafnium | HAFNIUM, G0125 | China-aligned | Espionage / Intelligence Collection | unknown |
| Handala | Handala Hack Team, Handala Group | Pro-Palestinian Hacktivist | Hacktivism / Disruption | active |
| Kimsuky | APT43, Black Banshee, Velvet Chollima +6 | North Korea (assessed) | Espionage | active |
| LAPSUS$ | DEV-0537, Strawberry Tempest | Cybercriminal | Extortion / Data Theft | unknown |
| Lazarus Group | HIDDEN COBRA, Zinc, Labyrinth Chollima | North Korea (Reconnaissance General Bureau) | Financial / Espionage | active |
| LockBit | LockBit Gang, ABCD ransomware, Bitwise Spider | Cybercriminal (Russian-speaking) | Financial | inactive |
| Medusa | Medusa Ransomware Gang, Medusa Blog | Cybercriminal | Financial | active |
| Mr. Raccoon | Raccoon | Criminal persona (extortion) | Data Theft / Extortion | active |
| MuddyWater | Earth Vetala, MERCURY, Static Kitten +5 | Iranian Ministry of Intelligence and Security | Espionage | active |
| Mustang Panda | BRONZE PRESIDENT, Earth Preta, HoneyMyte +4 | China | Espionage | active |
| Play Ransomware | PLAY, Playcrypt | Cybercriminal | Financial | active |
| Qilin | | Cybercriminal (ransomware-as-a-service) | Financial / Extortion | active |
| RansomHouse | Jolly Scorpius | Cybercriminal | Financial | active |
| RansomHub | Cyclops, Knight | Cybercriminal | Financial / Ransomware Extortion | active |
| REvil / Sodinokibi | REvil, Sodinokibi, GOLD SOUTHFIELD +1 | Cybercriminal | Financial / Ransomware Extortion | unknown |
| Rhysida | | Cybercriminal (Ransomware) | Financial | active |
| Salt Typhoon | UNC2286 | China (PRC state-sponsored) | Espionage | active |
| Sandworm | IRIDIUM, TeleBots, Voodoo Bear +3 | Russia (GRU Unit 74455) | Destructive / Espionage | active |
| Scattered Spider | UNC3944, Roasted 0ktapus, Scatter Swine +3 | Cybercriminal (English-speaking) | Financial | active |
| ShinyHunters | SH, UNC5537 | Cybercriminal | Financial | active |
| Storm-2372 | | Suspected nation-state | Espionage | active |
| TA505 | GOLD TAHOE, Hive0065, SectorJ04 | Cybercriminal (Russian-speaking) | Financial | active |
| TeamPCP | Team PCP, DeadCatx3, PCPcat +1 | Cybercriminal (cloud-native / supply-chain intrusion) | Financial / Extortion | active |
| TEMP.Veles / XENOTIME | TEMP.Veles, XENOTIME | Russia-aligned | Sabotage / Safety-System Disruption | unknown |
| Transparent Tribe / APT36 | APT36, COPPER FIELDSTONE, Mythic Leopard +1 | Pakistan (suspected) | Espionage | active |
| Turla | Snake, Venomous Bear, IRON HUNTER +4 | Russia (FSB Center 16) | Espionage | active |
| UNC3886 | | China | Espionage | active |
| UNC6671 / BlackFile | UNC6671, BlackFile, Cordial Spider +3 | Cybercriminal | Financial / Data Extortion | active |
| UNC6783 | | Criminal (uncategorized cluster) | Data Theft / Extortion | active |
| Volt Typhoon | BRONZE SILHOUETTE, Vanguard Panda, DEV-0391 +2 | China (PRC state-sponsored) | Espionage / Pre-positioning | active |
| Wizard Spider | GRIM SPIDER, UNC1878, TEMP.MixMaster +1 | Cybercriminal (Russian) | Financial | inactive |