Threat Actors Database

JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly. They have evolved from spreading fraudulent applications to conducting supply chain attacks, targeting PyPI contributors with phishing campaigns and typosquatting. Their malicious packages contain a code snippet that downloads and executes JuiceStealer, which has evolved to support additional browsers and Discord. Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to [email protected].

RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan. They exploit vulnerabilities in network edge devices for initial access and use SQL injection and directory traversal exploits against web and SQL applications. The group operates from Fuzhou, China, and aims to support Beijing's intelligence collection on Taiwan's economic and diplomatic relations. RedJuliett has also expanded its operations to compromise organizations in other countries such as Hong Kong, Malaysia, and the United States.

SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide. They have been active since at least August 2023, with a focus on leveraging old and new command and control domains. The group has been observed using lures in the form of scanned documents related to Ministries of Foreign Affairs and embassies. Talos Intelligence assesses with medium confidence that the operators are likely Chinese-speaking based on language preferences and specific targets.

ALTDOS is a threat actor group that has targeted entities in Southeast Asia, including Singapore, Thailand, and Malaysia. They have been involved in data breaches of companies in various sectors, such as real estate and retail, compromising sensitive information like customer names, bank account numbers, and transaction details. ALTDOS uses tactics like ransomware attacks, data exfiltration, and dumping data publicly or for sale on underground forums. The group has been known to demand ransom payments from victims, but also leaks data if demands are not met.

BlueHornet is an advanced persistent threat group targeting government organizations in China, North Korea, Iran, and Russia. They have compromised and leaked data from other APT groups like Kryptonite Panda and Lazarus Group. BlueHornet has been involved in campaigns such as Operation Renminbi, Operation Ruble, and Operation EUSec, focusing on exfiltrating region-specific data and selling it on the dark web. They have also been known to collaborate with different threat actors and have recently disclosed a zero-day exploit in NGINX 1.18.

Hellhounds is an APT group targeting organizations in Russia, using a modified version of Pupy RAT called Decoy Dog. They gain initial access through vulnerable web services and trusted relationships, with a focus on the public sector and IT companies. The group has been active since at least 2019, maintaining covert presence inside compromised organizations by modifying open-source projects to evade detection. Hellhounds have successfully targeted at least 48 victims, including a telecom operator where they disrupted services.

IntelBroker is a threat actor known for orchestrating high-profile data breaches targeting companies like Apple, Zscaler, and Facebook Marketplace. They have a reputation for selling access to compromised systems and data on underground forums like BreachForums. IntelBroker has claimed responsibility for breaches involving government agencies such as Europol, the U.S. Department of Transportation, and the Pentagon, leaking sensitive information and classified documents. The actor has been linked to breaches at companies like Acuity, General Electric, and Home Depot, showcasing a pattern of targeting critical infrastructure and major corporations.

DRAGONBRIDGE is a Chinese state-sponsored threat actor known for engaging in information operations to promote the political interests of the People's Republic of China. They have been observed using AI-generated images and videos to spread propaganda on social media platforms. The group has targeted various countries and regions, including the US, Taiwan, and Japan, with narratives promoting pro-PRC viewpoints. DRAGONBRIDGE has been linked to campaigns discrediting the US political system, sowing division between allies, and criticizing specific companies and individuals.

Boolka is a threat actor known for infecting websites with malicious JavaScript scripts for data exfiltration. They have been carrying out opportunistic SQL injection attacks since at least 2022. Boolka has developed a malware delivery platform based on the BeEF framework and has been distributing the BMANAGER trojan. Their activities demonstrate a progression from basic website infections to more sophisticated malware operations.

CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration. The malware leverages APIs and authentication tokens to access cloud resources for command and control, with GitHub serving as its initial C2 server. CloudSorcerer operates as separate modules depending on the process it's running in, executing from a single executable and utilizing complex inter-process communication through Windows pipes. The actor behind CloudSorcerer shows similarities to the CloudWizard APT in modus operandi, but the unique code and functionality suggest it is a new threat actor inspired by previous techniques.

The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and XMRIG crypto miner. They are known for using obfuscation techniques, such as hexadecimal encoding and code obfuscation, to evade detection and compromise systems.

Void Banshee is an APT group targeting North America, Europe, and Southeast Asia for information theft and financial gain. They exploit vulnerabilities like CVE-2024-38112 to deliver the Atlantida info-stealer through malicious PDFs disguised as book files. The group uses internet shortcuts with MHTML protocol handlers to access and execute files through disabled Internet Explorer, posing a significant threat to organizations. Void Banshee's TTPs include crafting URL strings to control window sizes in IE and using HTML files to hide malicious downloads from victims.

CRYSTALRAY is a threat actor known for leveraging open source tools like zmap and SSH-Snake to conduct widespread vulnerability scanning and exploitation. They target victims to collect and sell credentials, deploy cryptominers, and maintain persistence in compromised environments. CRYSTALRAY uses multiple backdoors to control access and spreads through victim networks using SSH-Snake. The actor also uses tools like Platypus for managing victims and extracting sensitive information from compromised systems.

Rostelecom's security team has discovered a new APT group that is breaching companies via industrial PLCs. Named Lifting Zmiy, the group's first attacks were traced back to October 2023. The group targeted PLCs from Russian company Tech-Automatics usually used with elevators and which were still using their default passwords. Rostelecom has linked the group to intrusions at a Russian government contractor, two telecom operators, and an IT company. The company says the group collected and exfiltrated data and then destroyed the victim's infrastructure. Rostelecom says Lifting Zmiy uses Starlink infrastructure for attacks and appears to operate out of Eastern Europe.

NullBulge is a cybercriminal threat group targeting AI and gaming focused entities. They weaponize code in publicly available repositories to distribute malware, including LockBit ransomware. The group claims to be motivated by a pro-art, anti-AI cause, but their activities indicate a financial focus. NullBulge uses obfuscated code in public repositories and malicious mods to target their victims.

Threat actor 888 is a hacker active in 2024, targeting companies for data breaches. They've hit Microsoft, BMW (Hong Kong), and others in tech, freight, and oil & gas industries

UAC-0063 is a threat actor linked to Russian APT28, known for targeting government entities in Ukraine and Central Asia for cyber espionage operations. They utilize keyloggers, backdoors, and malware like Hatvibe and Cherryspy to compromise systems and exfiltrate sensitive information. The group has been active since at least 2021 and has shown interest in targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Their TTPs include spear-phishing campaigns and exploiting vulnerabilities in software products like HFS HTTP File Server and Rejetto file-sharing servers.

Stargazer Goblin is a threat actor group that operates the Stargazers Ghost Network on GitHub, distributing malware and malicious links through multiple accounts. They utilize compromised and created accounts to evade detection and quickly replace banned components to continue their operations. The group has been estimated to have earned approximately $100,000 from their malicious activities, offering a Distribution as a Service platform for other threat actors to distribute their malware. Stargazer Goblin has been involved in distributing various malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.

UAC-0102 is a threat actor group targeting UKR.NET users through phishing attacks. They distribute emails with HTML file attachments that redirect users to a fraudulent website to steal authentication data. Security teams can use Sigma rules to detect their phishing campaigns and leverage IOCs provided by CERT-UA to hunt for their activity in SIEM or EDR environments.

APT45 is a North Korean cyber threat actor that has been active since at least 2009. They have conducted espionage campaigns targeting government agencies and defense industries, as well as financially-motivated operations, including ransomware development. APT45 has targeted critical infrastructure, financial organizations, nuclear research facilities, and healthcare and pharmaceutical companies. They use a mix of publicly available tools, modified malware, and custom malware families in their operations.