Dashboard panels (charts not reproduced): Actors by Nation; Top 10 Techniques Used; Motivation Breakdown; Groups First Active (by Era)
MITRE ATT&CK Coverage Map
172 actors
MITRE ATT&CK Tactic Reference: techniques used by profiled actors
Reconnaissance
Resource Development
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Exfiltration
Command & Control
Impact
Indrik Spider
Evil Corp Manatee Tempest DEV-0243 +1 more
Russia
28 techniques
[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570),
MITRE ID: G0119
LuminousMoth
Unknown
24 techniques
[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a
MITRE ID: G1014
Medusa Group
Unknown
50 techniques
[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa A
MITRE ID: G1051
Wizard Spider
UNC1878 TEMP.MixMaster Grim Spider +5 more
Unknown
49 techniques
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations,
MITRE ID: G0102
Elderwood
Elderwood Gang Beijing Group Sneaky Panda
Unknown
6 techniques
[Elderwood](https://attack.mitre.org/groups/G0066) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers.
MITRE ID: G0066
FIN7
GOLD NIAGARA ITG14 Carbon Spider +2 more
Russia
50 techniques
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A p
MITRE ID: G0046
UNC3886
Unknown
35 techniques
[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. [UNC3886](https://attack.mitre.org/groups/G1048) has displayed a deep understanding of edge devices and virtualization technologies t
MITRE ID: G1048
Velvet Ant
Unknown
21 techniques
[Velvet Ant](https://attack.mitre.org/groups/G1047) is a threat actor operating since at least 2021. [Velvet Ant](https://attack.mitre.org/groups/G1047) is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.
MITRE ID: G1047
WIRTE
Unknown
10 techniques
[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.
MITRE ID: G0090
Dragonfly
TEMP.Isotope DYMALLOY Berserk Bear +6 more
Unknown
47 techniques
[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide thr
MITRE ID: G0035
OilRig
COBALT GYPSY IRN2 APT34 +8 more
China
58 techniques
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to at
MITRE ID: G0049
Equation
Unknown
4 techniques
[Equation](https://attack.mitre.org/groups/G0020) is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.
MITRE ID: G0020
Fox Kitten
UNC757 Parisite Pioneer Kitten +2 more
Unknown
31 techniques
[Fox Kitten](https://attack.mitre.org/groups/G0117) is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, he
MITRE ID: G0117
Lazarus Group
Labyrinth Chollima HIDDEN COBRA Guardians of Peace +3 more
North Korea
68 techniques
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Op
MITRE ID: G0032
Aquatic Panda
Unknown
25 techniques
[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors.
MITRE ID: G0143
Daggerfly
Evasive Panda BRONZE HIGHLAND
Unknown
17 techniques
[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. [Daggerfly](https://attack.mitre.org/groups/G1034) is associated with exclusive use of [MgBot](https://attack.mit
MITRE ID: G1034
TeamTNT
Unknown
42 techniques
[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.
MITRE ID: G0139
TA505
Hive0065 Spandex Tempest CHIMBORAZO
Russia
24 techniques
[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).
MITRE ID: G0092
Inception
Inception Framework Cloud Atlas
Unknown
20 techniques
[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.
MITRE ID: G0100
admin@338
Unknown
12 techniques
[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors.
MITRE ID: G0018
BlackTech
Palmerworm
Unknown
10 techniques
[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, constructio
MITRE ID: G0098
APT42
Unknown
27 techniques
[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance. The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015. [APT42](https://attack.mitre.org/groups/G1044) starts cyber operations through spearphishing emails and/or the PINEFLOWER Andr
MITRE ID: G1044
Malteiro
Unknown
11 techniques
[Malteiro](https://attack.mitre.org/groups/G1026) is a financially motivated criminal group that is likely based in Brazil and has been active since at least November 2019. The group operates and distributes the [Mispadu](https://attack.mitre.org/software/S1122) banking trojan via a Malware-as-a-Service (MaaS) business model. [Malteiro](https://attack.mitre.org/groups/G1026) mainly targets victim
MITRE ID: G1026
Earth Lusca
TAG-22 Charcoal Typhoon CHROMIUM +1 more
Unknown
34 techniques
[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Ta
MITRE ID: G1006
Play
Unknown
22 techniques
[Play](https://attack.mitre.org/groups/G1040) is a ransomware group that has been active since at least 2022 deploying [Playcrypt](https://attack.mitre.org/software/S1162) ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Play](https://attack.mitre.org/groups/G1040) actors employ a double-extortion mod
MITRE ID: G1040
Sandworm Team
ELECTRUM Telebots IRON VIKING +7 more
Russia
64 techniques
[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009. In October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre
MITRE ID: G0034
TA577
Unknown
5 techniques
[TA577](https://attack.mitre.org/groups/G1037) is an initial access broker (IAB) that has distributed [QakBot](https://attack.mitre.org/software/S0650) and [Pikabot](https://attack.mitre.org/software/S1145), and was among the first observed groups distributing [Latrodectus](https://attack.mitre.org/software/S1160) in 2023.
MITRE ID: G1037
Turla
IRON HUNTER Group 88 Waterbug +6 more
Unknown
50 techniques
[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. [Turla](https://attack.mitre.org/groups/G0010) is kno
MITRE ID: G0010
Suckfly
Unknown
5 techniques
[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014.
MITRE ID: G0039
Ember Bear
UNC2589 Bleeding Bear DEV-0586 +3 more
Unknown
40 techniques
[Ember Bear](https://attack.mitre.org/groups/G1003) is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). [Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused operations against Ukrainian government and telecommunication ent
MITRE ID: G1003
FIN6
Magecart Group 6 ITG08 Skeleton Spider +2 more
Unknown
33 techniques
[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.
MITRE ID: G0037
Silence
Whisper Spider
Unknown
25 techniques
[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card p
MITRE ID: G0091
Patchwork
Hangover Group Dropping Elephant Chinastrats +2 more
Unknown
34 techniques
[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the
MITRE ID: G0040
APT28
IRON TWILIGHT SNAKEMACKEREL Swallowtail +12 more
Russia
71 techniques
[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, an
MITRE ID: G0007
Aoqin Dragon
Unknown
9 techniques
[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association betwee
MITRE ID: G1007
Cinnamon Tempest
DEV-0401 Emperor Dragonfly BRONZE STARLIGHT
Unknown
16 techniques
[Cinnamon Tempest](https://attack.mitre.org/groups/G1021) is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked [Babuk](https://attack.mitre.org/software/S0638) source code. [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) does not operate their ransomware on an affiliate model or purchase access but appears to
MITRE ID: G1021
HEXANE
Lyceum Siamesekitten Spirlin
Unknown
29 techniques
[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear si
MITRE ID: G1001
Darkhotel
DUBNIUM Zigzag Hail
Unknown
22 techniques
[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campai
MITRE ID: G0012
Ke3chang
APT15 Mirage Vixen Panda +5 more
China
37 techniques
[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.
MITRE ID: G0004
Volt Typhoon
BRONZE SILHOUETTE Vanguard Panda DEV-0391 +3 more
Unknown
57 techniques
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lat
MITRE ID: G1017
Leafminer
Raspite
Unknown
14 techniques
[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017.
MITRE ID: G0077
Magic Hound
TA453 COBALT ILLUSION Charming Kitten +5 more
China
57 techniques
[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via
MITRE ID: G0059
APT29
IRON RITUAL IRON HEMLOCK NobleBaron +11 more
Russia
47 techniques
[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting
MITRE ID: G0016
EXOTIC LILY
Unknown
11 techniques
[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be acting as an initi
MITRE ID: G1011
Cobalt Group
GOLD KINGSWOOD Cobalt Gang Cobalt Spider
Unknown
26 techniques
[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Centra
MITRE ID: G0080
Andariel
Silent Chollima PLUTONIUM Onyx Sleet
Unknown
12 techniques
[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cybe
MITRE ID: G0138
HAFNIUM
Operation Exchange Marauder Silk Typhoon
Unknown
37 techniques
[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors,
MITRE ID: G0125
APT39
ITG07 Chafer Remix Kitten
China
39 techniques
[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and acro
MITRE ID: G0087
MuddyWater
Earth Vetala MERCURY Static Kitten +4 more
Iran
43 techniques
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natur
MITRE ID: G0069
APT38
NICKEL GLADSTONE BeagleBoyz Bluenoroff +3 more
China
41 techniques
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at leas
MITRE ID: G0082
Transparent Tribe
COPPER FIELDSTONE APT36 Mythic Leopard +1 more
China
12 techniques
[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.
MITRE ID: G0134
APT32
SeaLotus OceanLotus APT-C-00 +2 more
China
54 techniques
[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromise
MITRE ID: G0050
BRONZE BUTLER
REDBALDKNIGHT Tick
China
33 techniques
[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.
MITRE ID: G0060
POLONIUM
Plaid Rain
Unknown
7 techniques
[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran’s
MITRE ID: G1005
APT5
Mulberry Typhoon MANGANESE BRONZE FLEETWOOD +2 more
Unknown
22 techniques
[APT5](https://attack.mitre.org/groups/G1023) is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. [APT5](https://attack.mitre.org/groups/G1023) has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying so
MITRE ID: G1023
BackdoorDiplomacy
Unknown
13 techniques
[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.
MITRE ID: G0135
Kimsuky
Black Banshee Velvet Chollima Emerald Sleet +4 more
North Korea
72 techniques
[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sec
MITRE ID: G0094
Leviathan
MUDCARP Kryptonite Panda Gadolinium +5 more
China
37 techniques
[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense
MITRE ID: G0065
Storm-1811
Unknown
25 techniques
[Storm-1811](https://attack.mitre.org/groups/G1046) is a financially-motivated entity linked to [Black Basta](https://attack.mitre.org/software/S1070) ransomware deployment. [Storm-1811](https://attack.mitre.org/groups/G1046) is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help d
MITRE ID: G1046
Ajax Security Team
Operation Woolen-Goldfish AjaxTM Rocket Kitten +2 more
Unknown
5 techniques
[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technolog
MITRE ID: G0130
Akira
GOLD SAHARA PUNK SPIDER Howling Scorpius
Unknown
17 techniques
[Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023. [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement. [Akira](https://attack.mitr
MITRE ID: G1024
Mustang Panda
TA416 RedDelta BRONZE PRESIDENT +11 more
Unknown
61 techniques
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government, diplomati
MITRE ID: G0129
LAPSUS$
DEV-0537 Strawberry Tempest
Unknown
32 techniques
[LAPSUS$](https://attack.mitre.org/groups/G1004) is a cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, h
MITRE ID: G1004
Chimera
Unknown
48 techniques
[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.
MITRE ID: G0114
TA2541
Unknown
20 techniques
[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportat
MITRE ID: G1018
ToddyCat
Unknown
24 techniques
[ToddyCat](https://attack.mitre.org/groups/G1022) is a sophisticated threat group that has been active since at least 2020 using custom loaders and malware in multi-stage infection chains against government and military targets across Europe and Asia.
MITRE ID: G1022
BITTER
T-APT-17
Unknown
16 techniques
[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.
MITRE ID: G1002
RTM
Unknown
7 techniques
[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)).
MITRE ID: G0048
menuPass
Cicada POTASSIUM Stone Panda +5 more
China
37 techniques
[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company. [menuPass](https:/
MITRE ID: G0045
Storm-0501
Unknown
34 techniques
[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, [BlackCat](https://att
MITRE ID: G1053
Tropic Trooper
Pirate Panda KeyBoy
Unknown
35 techniques
[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.
MITRE ID: G0081
Mustard Tempest
DEV-0206 TA569 GOLD PRELUDE +1 more
Unknown
9 techniques
[Mustard Tempest](https://attack.mitre.org/groups/G1020) is an initial access broker that has operated the [SocGholish](https://attack.mitre.org/software/S1124) distribution network since at least 2017. [Mustard Tempest](https://attack.mitre.org/groups/G1020) has partnered with [Indrik Spider](https://attack.mitre.org/groups/G0119) to provide access for the download of additional malware including
MITRE ID: G1020
APT19
Codoso C0d0so0 Codoso Team +1 more
China
18 techniques
[APT19](https://attack.mitre.org/groups/G0073) is a China-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track [APT19](https://attack.mitre.org/groups/G0073) a
MITRE ID: G0073
Moses Staff
DEV-0500 Marigold Sandstorm
Unknown
12 techniques
[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand. Sec
MITRE ID: G1009
Molerats
Operation Molerats Gaza Cybergang
Unknown
12 techniques
[Molerats](https://attack.mitre.org/groups/G0021) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.
MITRE ID: G0021
Stealth Falcon
Unknown
13 techniques
[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.
MITRE ID: G0038
DarkVishnya
Unknown
10 techniques
[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.
MITRE ID: G0105
APT37
InkySquid ScarCruft Reaper +3 more
China
25 techniques
[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following cam
MITRE ID: G0067
Threat Group-1314
TG-1314
Unknown
4 techniques
[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.
MITRE ID: G0028
APT41
Wicked Panda Brass Typhoon BARIUM
China
66 techniques
[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, ret
MITRE ID: G0096
INC Ransom
GOLD IONIC
Unknown
25 techniques
[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032) has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in t
MITRE ID: G1032
FIN13
Elephant Beetle
Unknown
42 techniques
[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.
MITRE ID: G1016
Group5
Unknown
4 techniques
[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [nj
MITRE ID: G0043
PLATINUM
Unknown
10 techniques
[PLATINUM](https://attack.mitre.org/groups/G0068) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia.
MITRE ID: G0068
GALLIUM
Granite Typhoon
Unknown
27 techniques
[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term
MITRE ID: G0093
FIN10
Unknown
9 techniques
[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations.
MITRE ID: G0051
Winnti Group
Blackfly
China
6 techniques
[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and
MITRE ID: G0044
FIN8
Syssphinx
Unknown
30 techniques
[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sal
MITRE ID: G0061
Rocke
Unknown
28 techniques
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers hav
MITRE ID: G0106
RedEcho
Unknown
5 techniques
[RedEcho](https://attack.mitre.org/groups/G1042) is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. [RedEcho](https://attack.mitre.org/groups/G1042) overlaps with various other PRC-linked threat groups, such as [APT41](https://attack.mitre.org/groups/G0096), and is linked to [ShadowPad](https://attack.mitre.org/s
MITRE ID: G1042
Saint Bear
Storm-0587 TA471 UAC-0056 +1 more
Unknown
13 techniques
[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool, [Saint Bot](https://attack.mitre.org/software/S1018), and information stealer, [OutSteel](https://attack.mitre.org/software/S1017) in campaigns. [Saint Bear](https://attack.mitre.org
MITRE ID: G1031
Scattered Spider
Roasted 0ktapus Octo Tempest Storm-0875 +1 more
Unknown
50 techniques
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manuf
MITRE ID: G1015
CURIUM
Crimson Sandstorm TA456 Tortoise Shell +1 more
Unknown
15 techniques
[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group, first reported in September 2019 and active since at least July 2018, targeting IT service providers in the Middle East. [CURIUM](https://attack.mitre.org/groups/G1012) has since invested in building relationships with potential targets via social media over a period of months to establish trust and confidence before sendi
MITRE ID: G1012
Windigo
Unknown
7 techniques
The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://at
MITRE ID: G0124
Blue Mockingbird
Unknown
19 techniques
[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.
MITRE ID: G0108
RedCurl
Unknown
32 techniques
[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks. [RedCurl](https://attack.mitre.org/groups/G1039) is allegedly a Russian-speaking threat acto
MITRE ID: G1039
FIN4
Unknown
9 techniques
[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus
MITRE ID: G0085
Contagious Interview
DeceptiveDevelopment Gwisin Gang Tenacious Pungsan +3 more
Unknown
33 techniques
[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. [Contagious Interview](https://attack.mitre.org/groups/G1052) targets Windows, Linux, and macOS systems, with a particular focus on individuals
MITRE ID: G1052
Gorgon Group
Unknown
12 techniques
[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.
MITRE ID: G0078
Sidewinder
T-APT-04 Rattlesnake
Unknown
23 techniques
[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.
MITRE ID: G0121
Higaisa
Unknown
24 techniques
[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in ear
MITRE ID: G0126
APT30
China
2 techniques
[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.
MITRE ID: G0013
Windshift
Bahamut
Unknown
14 techniques
[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.
MITRE ID: G0112
Confucius
Confucius APT
Unknown
16 techniques
[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), part
MITRE ID: G0142
BlackByte
Hecamede
Unknown
43 techniques
[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used a common encryption ke
MITRE ID: G1043
Threat Group-3390
Earth Smilodon TG-3390 Emissary Panda +5 more
Unknown
47 techniques
[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.
MITRE ID: G0027
Tonto Team
Earth Akhlut BRONZE HUNTLEY CactusPete +1 more
Unknown
14 techniques
[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military,
MITRE ID: G0131
Gamaredon Group
IRON TILDEN Primitive Bear ACTINIUM +4 more
Unknown
55 techniques
[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) derives from a misspelling of the word "Armageddon," found in early campaigns. In November 2021,
MITRE ID: G0047
Agrius
Pink Sandstorm AMERICIUM Agonizing Serpens +1 more
Unknown
20 techniques
[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets. Public reporting has linked [Agrius](https://attack.mitre.org/groups/G1030) to Iran's Ministry of Intelligence and Security (MOIS).
MITRE ID: G1030
Sea Turtle
Teal Kurma Marbled Dust Cosmic Wolf +1 more
Unknown
22 techniques
[Sea Turtle](https://attack.mitre.org/groups/G1041) is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. [Sea Turtle](https://attack.mitre.org/groups/G1041) is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised
MITRE ID: G1041
Rancor
Unknown
8 techniques
[Rancor](https://attack.mitre.org/groups/G0075) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://attack.mitre.org/groups/G0075) uses politically-motivated lures to entice victims to open malicious documents.
MITRE ID: G0075
Moonstone Sleet
Storm-1789
Unknown
23 techniques
[Moonstone Sleet](https://attack.mitre.org/groups/G1036) is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, [Lazarus Group](https://attack.mitre.org/groups/G0032), but has differentiated its tradecraft since 2023. [Moonstone Sleet](https://attack.mitre.or
MITRE ID: G1036
TA551
GOLD CABIN Shathak
Unknown
11 techniques
[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns.
MITRE ID: G0127
Salt Typhoon
Unknown
14 techniques
[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).
MITRE ID: G1045
Axiom
Group 72
Unknown
15 techniques
[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044) but the two groups appear to be distinct ba
MITRE ID: G0001
Dark Caracal
Unknown
11 techniques
[Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012.
MITRE ID: G0070
Nomadic Octopus
DustSquad
Unknown
6 techniques
[Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi pro
MITRE ID: G0133
APT12
IXESHE DynCalc Numbered Panda +1 more
China
5 techniques
[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.
MITRE ID: G0005
APT3
Gothic Panda Pirpi UPS Team +3 more
China
40 techniques
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organiza
MITRE ID: G0022
Putter Panda
APT2 MSUpdater
Unknown
4 techniques
[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).
MITRE ID: G0024
Metador
Unknown
8 techniques
[Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013
MITRE ID: G1013
TA459
Unknown
4 techniques
[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others.
MITRE ID: G0062
ZIRCONIUM
APT31 Violet Typhoon
China
25 techniques
[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.
MITRE ID: G0128
APT1
Comment Crew Comment Group Comment Panda
China
20 techniques
[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.
MITRE ID: G0006
Naikon
Unknown
13 techniques
[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, m
MITRE ID: G0019
Sowbug
Unknown
9 techniques
[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015.
MITRE ID: G0054
Mofang
Unknown
3 techniques
[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons
MITRE ID: G0103
Machete
APT-C-43 El Machete
Unknown
7 techniques
[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. [Machete](https://attack.mitre.org/groups/G0095) generally targets high-profile organizations suc
MITRE ID: G0095
FIN5
Unknown
10 techniques
[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.
MITRE ID: G0053
Winter Vivern
TA473 UAC-0114
Unknown
22 techniques
Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on
MITRE ID: G1035
SideCopy
Unknown
15 techniques
[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain that tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat grou
MITRE ID: G1008
APT33
HOLMIUM Elfin Peach Sandstorm
China
23 techniques
[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.
MITRE ID: G0064
Lotus Blossom
DRAGONFISH Spring Dragon RADIUM +3 more
Unknown
17 techniques
[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, [Lotus Blossom](https://attack.mitre.org/groups/G0030) has also targeted entities such as digital certificate issuers.
MITRE ID: G0030
GOLD SOUTHFIELD
Pinchy Spider
Unknown
9 techniques
[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a-Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By
MITRE ID: G0115
Volatile Cedar
Lebanese Cedar
Unknown
4 techniques
[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and ideological interests.
MITRE ID: G0123
Evilnum
Unknown
11 techniques
[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.
MITRE ID: G0120
Cleaver
Threat Group 2889 TG-2889
Unknown
5 techniques
[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).
MITRE ID: G0003
TEMP.Veles
XENOTIME
Unknown
0 techniques
[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.
MITRE ID: G0088
DarkHydrus
Unknown
7 techniques
[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks.
MITRE ID: G0079
Whitefly
Unknown
9 techniques
[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHe
MITRE ID: G0107
Silent Librarian
TA407 COBALT DICKENS
Unknown
10 techniques
[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent Librarian](https://attack.mitre.org/groups/G0122) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the b
MITRE ID: G0122
APT18
TG-0416 Dynamite Panda Threat Group-0416
China
11 techniques
[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.
MITRE ID: G0026
Carbanak
Anunak
Russia
8 techniques
[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. [Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN7](https://attack.mitre.org/groups/G004
MITRE ID: G0008
Orangeworm
Unknown
2 techniques
[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. Reverse engineering of [Kwampirs](https://attack.mitre.org/software/S0236), directly associated with [Orangeworm](https://attack.mitre.org/groups/G0071) activity, indicates
MITRE ID: G0071
Deep Panda
Shell Crew WebMasters KungFu Kittens +2 more
Unknown
10 techniques
[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [Dee
MITRE ID: G0009
APT-C-36
Blind Eagle
Unknown
9 techniques
[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.
MITRE ID: G0099
The White Company
Unknown
7 techniques
[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.
MITRE ID: G0089
Poseidon Group
Unknown
7 techniques
[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://attack.mitre.org/groups/G0033) as a security firm.
MITRE ID: G0033
LazyScripter
Unknown
13 techniques
[LazyScripter](https://attack.mitre.org/groups/G0140) is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.
MITRE ID: G0140
Gallmaker
Unknown
6 techniques
[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.
MITRE ID: G0084
MoustachedBouncer
Unknown
7 techniques
[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.
MITRE ID: G1019
CopyKittens
Unknown
7 techniques
[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.
MITRE ID: G0052
Star Blizzard
SEABORGIUM Callisto Group TA446 +1 more
Unknown
15 techniques
[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations
MITRE ID: G1033
Thrip
Unknown
4 techniques
[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques.
MITRE ID: G0076
PROMETHIUM
StrongPity
Unknown
9 techniques
[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlap
MITRE ID: G0056
GCMAN
Unknown
1 technique
[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.
MITRE ID: G0036
Ferocious Kitten
Unknown
5 techniques
[Ferocious Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.
MITRE ID: G0137
PittyTiger
Unknown
2 techniques
[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.
MITRE ID: G0011
APT17
Deputy Dog
China
2 techniques
[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.
MITRE ID: G0025
Water Galura
GOLD FEATHER
Unknown
3 techniques
[Water Galura](https://attack.mitre.org/groups/G1050) are the operators of the [Qilin](https://attack.mitre.org/software/S1242) Ransomware-as-a-Service (RaaS) who handle payload generation, ransom negotiations, and the publication of stolen data for [Qilin](https://attack.mitre.org/software/S1242) affiliates recruited on Russian cybercrime forums. [Water Galura](https://attack.mitre.org/groups/G105
MITRE ID: G1050
BlackOasis
Unknown
1 technique
[BlackOasis](https://attack.mitre.org/groups/G0063) is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly assoc
MITRE ID: G0063
IndigoZebra
Unknown
6 techniques
[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.
MITRE ID: G0136
SilverTerrier
Unknown
2 techniques
[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.
MITRE ID: G0083
Strider
ProjectSauron
Unknown
3 techniques
[Strider](https://attack.mitre.org/groups/G0041) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.
MITRE ID: G0041
AppleJeus
Gleaming Pisces Citrine Sleet UNC1720 +1 more
Unknown
2 techniques
[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another D
MITRE ID: G1049
Scarlet Mimic
Unknown
1 technique
[Scarlet Mimic](https://attack.mitre.org/groups/G0029) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029) and [Putter Panda](htt
MITRE ID: G0029
TA578
Unknown
4 techniques
[TA578](https://attack.mitre.org/groups/G1038) is a threat actor that has used contact forms and email to initiate communications with victims and to distribute malware including [Latrodectus](https://attack.mitre.org/software/S1160), [IcedID](https://attack.mitre.org/software/S0483), and [Bumblebee](https://attack.mitre.org/software/S1039).
MITRE ID: G1038
APT16
China
1 technique
[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.
MITRE ID: G0023
Moafee
Unknown
1 technique
[Moafee](https://attack.mitre.org/groups/G0002) is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://attack.mitre.org/groups/G0017).
MITRE ID: G0002
NEODYMIUM
Unknown
0 techniques
[NEODYMIUM](https://attack.mitre.org/groups/G0055) is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called [PROMETHIUM](https://attack.mitre.org/groups/G0056) due to overlapping victim and campaign characteristics. [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly as
MITRE ID: G0055
DragonOK
Unknown
0 techniques
[DragonOK](https://attack.mitre.org/groups/G0017) is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, [DragonOK](https://attack.mitre.org/groups/G0017) is thought to have a direct or indirect relationship with the threat group [Moafee](https://attack.mitre.org/groups/G0002). It is known to use a variety of malwa
MITRE ID: G0017
APT-C-23
Mantis Arid Viper Desert Falcon +4 more
Unknown
0 techniques
[APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014. [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. [APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.
MITRE ID: G1028
Technique Quick Reference
ID | NAME | TACTIC | USED BY
T1566 Phishing Initial Access
LuminousMoth Wizard Spider Elderwood FIN7 WIRTE Dragonfly OilRig Lazarus Group TA505 Inception admin@338 BlackTech APT42 Malteiro Earth Lusca Sandworm Team TA577 Turla FIN6 Silence Patchwork APT28 Darkhotel Magic Hound APT29 EXOTIC LILY Cobalt Group Andariel APT39 MuddyWater APT38 Transparent Tribe APT32 BRONZE BUTLER Kimsuky Leviathan Storm-1811 Ajax Security Team Mustang Panda TA2541 ToddyCat BITTER RTM menuPass Tropic Trooper Mustard Tempest APT19 Molerats APT37 APT41 INC Ransom PLATINUM FIN8 Saint Bear CURIUM RedCurl FIN4 Contagious Interview Gorgon Group Sidewinder Higaisa APT30 Windshift Confucius Threat Group-3390 Tonto Team Gamaredon Group Sea Turtle Rancor Moonstone Sleet TA551 Axiom Dark Caracal Nomadic Octopus APT12 APT3 TA459 ZIRCONIUM APT1 Naikon Mofang Machete Winter Vivern SideCopy APT33 GOLD SOUTHFIELD Evilnum DarkHydrus APT-C-36 The White Company LazyScripter Gallmaker Star Blizzard Ferocious Kitten IndigoZebra AppleJeus
T1078 Valid Accounts Initial Access / Persistence
Indrik Spider Medusa Group Wizard Spider FIN7 UNC3886 Velvet Ant Dragonfly OilRig Fox Kitten Lazarus Group Aquatic Panda TA505 Play Sandworm Team Turla Suckfly Ember Bear FIN6 Silence APT28 Cinnamon Tempest Ke3chang Volt Typhoon Magic Hound APT29 HAFNIUM APT39 APT32 POLONIUM APT5 Kimsuky Leviathan Akira LAPSUS$ Chimera ToddyCat menuPass Storm-0501 Tropic Trooper Threat Group-1314 APT41 INC Ransom FIN13 GALLIUM FIN10 FIN8 Scattered Spider FIN4 BlackByte Threat Group-3390 Agrius Sea Turtle Axiom APT3 Naikon FIN5 APT33 Silent Librarian APT18 Carbanak Star Blizzard PROMETHIUM PittyTiger
T1190 Exploit Public-Facing App Initial Access
Medusa Group FIN7 UNC3886 Dragonfly Fox Kitten BlackTech Earth Lusca Play Sandworm Team Ember Bear APT28 Cinnamon Tempest Ke3chang Volt Typhoon Magic Hound APT29 HAFNIUM APT39 MuddyWater APT5 BackdoorDiplomacy Kimsuky Leviathan ToddyCat menuPass Storm-0501 Moses Staff APT41 INC Ransom FIN13 GALLIUM Rocke Blue Mockingbird BlackByte Threat Group-3390 Agrius Sea Turtle Salt Typhoon Axiom Winter Vivern GOLD SOUTHFIELD Volatile Cedar
T1195 Supply Chain Compromise Initial Access
FIN7 Dragonfly OilRig Daggerfly Sandworm Team Ember Bear Cobalt Group APT41 Threat Group-3390 Moonstone Sleet GOLD SOUTHFIELD
T1059 Command & Scripting Interp. Execution
Indrik Spider Medusa Group Wizard Spider FIN7 UNC3886 Velvet Ant WIRTE Dragonfly OilRig Fox Kitten Lazarus Group Aquatic Panda Daggerfly TeamTNT TA505 Inception admin@338 APT42 Malteiro Earth Lusca Play Sandworm Team TA577 Turla Suckfly Ember Bear FIN6 Silence Patchwork APT28 Cinnamon Tempest HEXANE Darkhotel Ke3chang Volt Typhoon Leafminer Magic Hound APT29 Cobalt Group HAFNIUM APT39 MuddyWater APT38 Transparent Tribe APT32 BRONZE BUTLER APT5 Kimsuky Leviathan Storm-1811 Akira Mustang Panda Chimera TA2541 ToddyCat menuPass Storm-0501 Tropic Trooper APT19 Molerats Stealth Falcon DarkVishnya APT37 Threat Group-1314 APT41 INC Ransom FIN13 GALLIUM FIN10 FIN8 Rocke Saint Bear Scattered Spider CURIUM Windigo Blue Mockingbird RedCurl FIN4 Contagious Interview Gorgon Group Sidewinder Higaisa Windshift Confucius BlackByte Threat Group-3390 Tonto Team Gamaredon Group Agrius Sea Turtle Rancor TA551 Dark Caracal Nomadic Octopus APT3 Metador TA459 ZIRCONIUM APT1 Sowbug Machete FIN5 Winter Vivern SideCopy APT33 GOLD SOUTHFIELD Evilnum DarkHydrus Whitefly APT18 Deep Panda APT-C-36 Poseidon Group LazyScripter Gallmaker MoustachedBouncer CopyKittens Star Blizzard Thrip TA578
T1203 Exploitation for Exec. Execution
Elderwood UNC3886 Dragonfly OilRig Lazarus Group Inception admin@338 BlackTech Sandworm Team Ember Bear Patchwork APT28 Aoqin Dragon Darkhotel APT29 EXOTIC LILY Cobalt Group Andariel MuddyWater Transparent Tribe APT32 BRONZE BUTLER Leviathan Mustang Panda BITTER Tropic Trooper APT37 APT41 Saint Bear Sidewinder Higaisa Confucius Threat Group-3390 Tonto Team Sea Turtle Axiom APT12 APT3 TA459 APT33 The White Company
T1204 User Execution Execution
Indrik Spider LuminousMoth Wizard Spider Elderwood FIN7 WIRTE Dragonfly OilRig Lazarus Group Daggerfly TeamTNT TA505 Inception admin@338 BlackTech Malteiro Earth Lusca Sandworm Team TA577 Turla FIN6 Silence Patchwork APT28 Aoqin Dragon HEXANE Darkhotel Magic Hound APT29 EXOTIC LILY Cobalt Group Andariel APT39 MuddyWater APT38 Transparent Tribe APT32 BRONZE BUTLER Kimsuky Leviathan Storm-1811 Ajax Security Team Mustang Panda LAPSUS$ TA2541 BITTER RTM menuPass Tropic Trooper Mustard Tempest APT19 Molerats APT37 PLATINUM FIN8 Saint Bear Scattered Spider CURIUM RedCurl FIN4 Contagious Interview Gorgon Group Sidewinder Higaisa APT30 Windshift Confucius Threat Group-3390 Tonto Team Gamaredon Group Rancor Moonstone Sleet TA551 Dark Caracal Nomadic Octopus APT12 APT3 TA459 ZIRCONIUM Naikon Mofang Machete Winter Vivern SideCopy APT33 Evilnum DarkHydrus Whitefly APT-C-36 The White Company LazyScripter Gallmaker Star Blizzard PROMETHIUM Ferocious Kitten IndigoZebra TA578
T1071 App Layer Protocol Command & Control
LuminousMoth Medusa Group Wizard Spider FIN7 Velvet Ant WIRTE Dragonfly OilRig Lazarus Group Daggerfly TeamTNT TA505 Inception APT42 Sandworm Team Turla Ember Bear APT28 Ke3chang Magic Hound Cobalt Group HAFNIUM APT39 MuddyWater APT38 APT32 BRONZE BUTLER Kimsuky Mustang Panda Chimera BITTER Tropic Trooper APT19 Stealth Falcon APT37 APT41 INC Ransom FIN13 FIN8 Rocke RedEcho RedCurl FIN4 Contagious Interview Sidewinder Higaisa Windshift Confucius BlackByte Threat Group-3390 Gamaredon Group Sea Turtle Rancor Moonstone Sleet TA551 Dark Caracal Metador Winter Vivern APT33 APT18 Orangeworm LazyScripter SilverTerrier
T1090 Proxy Command & Control
Medusa Group Velvet Ant Fox Kitten Lazarus Group Inception Earth Lusca Sandworm Team Turla Ember Bear Silence APT28 Cinnamon Tempest Volt Typhoon Magic Hound APT29 APT39 MuddyWater POLONIUM Leviathan LAPSUS$ menuPass APT41 FIN13 GALLIUM Scattered Spider Windigo Blue Mockingbird FIN4 Contagious Interview Higaisa Tonto Team Gamaredon Group APT3 ZIRCONIUM FIN5 Lotus Blossom MoustachedBouncer CopyKittens Strider
T1105 Ingress Tool Transfer Command & Control
Indrik Spider LuminousMoth Medusa Group Wizard Spider Elderwood FIN7 WIRTE Dragonfly OilRig Fox Kitten Lazarus Group Aquatic Panda Daggerfly TeamTNT TA505 Play Sandworm Team Turla Silence Patchwork APT28 Cinnamon Tempest HEXANE Darkhotel Ke3chang Volt Typhoon Magic Hound APT29 Cobalt Group Andariel HAFNIUM APT39 MuddyWater APT38 APT32 BRONZE BUTLER BackdoorDiplomacy Kimsuky Leviathan Storm-1811 Ajax Security Team Mustang Panda Chimera TA2541 BITTER menuPass Tropic Trooper Mustard Tempest Moses Staff Molerats APT37 APT41 INC Ransom FIN13 PLATINUM GALLIUM Winnti Group FIN8 Rocke Scattered Spider Gorgon Group Sidewinder Windshift Confucius BlackByte Threat Group-3390 Tonto Team Gamaredon Group Rancor Moonstone Sleet TA551 Nomadic Octopus APT3 Metador ZIRCONIUM Winter Vivern SideCopy APT33 Volatile Cedar Evilnum Whitefly APT18 APT-C-36 LazyScripter IndigoZebra
T1056 Input Capture Credential Access
OilRig Lazarus Group APT42 Sandworm Team APT28 HEXANE Darkhotel Ke3chang Volt Typhoon Magic Hound APT39 APT38 APT32 APT5 Kimsuky Storm-1811 Ajax Security Team menuPass APT41 FIN13 Group5 PLATINUM RedCurl FIN4 Threat Group-3390 Tonto Team APT3 Sowbug Winter Vivern
T1110 Brute Force Credential Access
Dragonfly OilRig Fox Kitten Lazarus Group Turla Ember Bear FIN6 APT28 HEXANE Leafminer APT29 HAFNIUM APT39 APT38 Chimera Storm-0501 DarkVishnya APT41 Agrius Salt Typhoon APT3 FIN5 APT33 Silent Librarian
T1486 Data Encrypted for Impact Impact
Indrik Spider Medusa Group FIN7 TA505 Sandworm Team Magic Hound APT38 Storm-1811 Akira Storm-0501 APT41 INC Ransom FIN8 Scattered Spider BlackByte Moonstone Sleet Water Galura
T1027 Obfuscated Files/Info Defense Evasion
Medusa Group Wizard Spider Elderwood FIN7 UNC3886 OilRig Fox Kitten Lazarus Group Aquatic Panda TeamTNT TA505 Inception Malteiro Earth Lusca Play Sandworm Team TA577 Turla FIN6 Silence Patchwork APT28 Aoqin Dragon HEXANE Darkhotel Ke3chang Volt Typhoon Leafminer Magic Hound APT29 Cobalt Group Andariel APT39 MuddyWater APT38 Transparent Tribe APT32 BRONZE BUTLER BackdoorDiplomacy Kimsuky Leviathan Storm-1811 Akira Mustang Panda Chimera TA2541 BITTER menuPass Storm-0501 Tropic Trooper APT19 Moses Staff Molerats APT37 APT41 Group5 GALLIUM FIN8 Rocke Saint Bear Blue Mockingbird RedCurl Contagious Interview Sidewinder Higaisa Windshift Threat Group-3390 Gamaredon Group Sea Turtle Moonstone Sleet TA551 Dark Caracal APT3 Putter Panda Metador ZIRCONIUM Mofang APT33 GOLD SOUTHFIELD Whitefly APT18 Deep Panda APT-C-36 The White Company LazyScripter Gallmaker MoustachedBouncer BlackOasis Moafee