Threat Actor Registry
38 APT groups and threat actors tracked
| Name | Aliases | Affiliation | Motivation | Status |
|---|---|---|---|---|
| APT1 | Comment Crew, Comment Panda, TG-8223 +3 | China (PLA Unit 61398) | Espionage | inactive |
| APT10 | MenuPass, Stone Panda, Red Apollo +3 | China (Ministry of State Security) | Espionage | active |
| APT27 | Emissary Panda, TG-3390, Iron Tiger +3 | China | Espionage | active |
| APT28 | Fancy Bear, STRONTIUM, Sofacy +5 | Russia (GRU Unit 26165) | Espionage | active |
| APT29 | Cozy Bear, The Dukes, NOBELIUM +4 | Russia (SVR - Foreign Intelligence Service) | Espionage | active |
| APT31 | Zirconium, Judgment Panda, Violet Typhoon +1 | China (Ministry of State Security) | Espionage | active |
| APT38 | Bluenoroff, Stardust Chollima, BeagleBoyz +1 | North Korea (Reconnaissance General Bureau) | Financial | active |
| APT40 | Leviathan, BRONZE MOHAWK, TEMP.Periscope +2 | China (Ministry of State Security, Hainan) | Espionage | active |
| APT41 | Double Dragon, Winnti, BARIUM +2 | China (Ministry of State Security) | Espionage / Financial | active |
| BlackBasta | GOLD BOMBARD | Unknown | Financial | active |
| BlackCat / ALPHV | ALPHV, Noberus, UNC4466 | Cybercriminal (Russian-speaking) | Financial | inactive |
| Cl0p | CLOP, Cl0p Gang | Cybercriminal (Russian-speaking) | Financial | active |
| DragonForce | DragonForce Malaysia | Cybercriminal | Financial / Extortion | active |
| Evil Corp | Indrik Spider, Dridex Gang, UNC2165 +1 | Cybercriminal (Russian) | Financial | active |
| EvilTokens | Evil Tokens | Phishing-as-a-service (PhaaS) | Credential Theft / Financial | active |
| FIN11 | TA505 (overlapping), DEV-0950 | Cybercriminal (Russian-speaking) | Financial | active |
| FIN12 | Pistol Tempest, DEV-0237 | Cybercriminal (Russian-speaking) | Financial | active |
| FIN7 | Carbanak, Carbon Spider, ELBRUS +2 | Cybercriminal (Eastern European) | Financial | active |
| FulcrumSec | | Cybercriminal | Data Theft / Extortion | active |
| Handala | Handala Hack Team, Handala Group | Pro-Palestinian Hacktivist | Hacktivism / Disruption | active |
| Lazarus Group | HIDDEN COBRA, Zinc, Labyrinth Chollima | North Korea (Reconnaissance General Bureau) | Financial / Espionage | active |
| LockBit | LockBit Gang, ABCD ransomware, Bitwise Spider | Cybercriminal (Russian-speaking) | Financial | inactive |
| Medusa | Medusa Ransomware Gang, Medusa Blog | Cybercriminal | Financial | active |
| Mr. Raccoon | Raccoon | Criminal persona (extortion) | Data Theft / Extortion | active |
| Play Ransomware | PLAY, Playcrypt | Cybercriminal | Financial | active |
| Qilin | | Cybercriminal (ransomware-as-a-service) | Financial / Extortion | active |
| RansomHouse | Jolly Scorpius | Cybercriminal | Financial | active |
| Salt Typhoon | UNC2286 | China (PRC state-sponsored) | Espionage | active |
| Sandworm | IRIDIUM, TeleBots, Voodoo Bear +3 | Russia (GRU Unit 74455) | Destructive / Espionage | active |
| Scattered Spider | UNC3944, Roasted 0ktapus, Scatter Swine +3 | Cybercriminal (English-speaking) | Financial | active |
| ShinyHunters | SH, UNC5537 | Cybercriminal | Financial | active |
| Storm-2372 | | Suspected nation-state | Espionage | active |
| TA505 | GOLD TAHOE, Hive0065, SectorJ04 | Cybercriminal (Russian-speaking) | Financial | active |
| TeamPCP | Team PCP, DeadCatx3, PCPcat +1 | Cybercriminal (cloud-native / supply-chain intrusion) | Financial / Extortion | active |
| Turla | Snake, Venomous Bear, IRON HUNTER +4 | Russia (FSB Center 16) | Espionage | active |
| UNC6783 | | Criminal (uncategorized cluster) | Data Theft / Extortion | active |
| Volt Typhoon | BRONZE SILHOUETTE, Vanguard Panda, DEV-0391 +2 | China (PRC state-sponsored) | Espionage / Pre-positioning | active |
| Wizard Spider | GRIM SPIDER, UNC1878, TEMP.MixMaster +1 | Cybercriminal (Russian) | Financial | inactive |