
Trending Adversaries

Who's moving, and how fast. Mallory tracks named threat actors across vendor reports, researcher analysis, and underground chatter, then surfaces the ones picking up momentum this week.

Ranked by Mallory's mention-velocity model across sources.

Mention map (last week): tiles sized and colored by mention volume, from highest to lowest.

Top 24 threat actors · Last week

#1 ShinyHunters
Cybercrime

ShinyHunters is a cybercrime extortion group known for data theft and "pay or leak" operations. Aliases and related names mentioned in the content include bling_libra, shinyhunter, shinyhunters, shiny_hunters, UNC6040, and UNC6240. The group is repeatedly described as an extortion gang or threat group rather than a nation-state actor. Based on the provided content, ShinyHunters has targeted high-profile organizations across multiple sectors, including healthcare, higher education, entertainment, insurance, and large enterprises. Reported victims or claimed victims in the content include Madison Square Garden, Moody Bible Institute, Medtronic, AdaptHealth, Nissan, Nottingham University, the National Association of Insurance Commissioners, Illinois Central College, and the University of Nottingham. The content states that the group was behind an Oracle PeopleSoft attack spree dating from late May 2026 that potentially affected more than 100 organizations, mostly in higher education. Tactics and techniques directly mentioned in the content include social engineering, credential theft, exploitation of Oracle PeopleSoft zero-day CVE-2026-35273 for unauthenticated remote code execution, data exfiltration, leak-site extortion, and use of stolen data to pressure victims into paying ransoms. In one reported case, the group allegedly gained access to Madison Square Garden by socially engineering a low-level employee. In the AdaptHealth incident, activity consistent with ShinyHunters involved social engineering of a third-party contractor, credential compromise, access to cloud business applications, and theft of patient data. In the Vercel-related incident, extortion was conducted under the ShinyHunters persona on BreachForums after attackers used stolen OAuth tokens and accessed customer environment variables. 
The content also notes that groups like ShinyHunters can cause major damage without relying on malware or zero-days in every case, although the group also ran the PeopleSoft zero-day campaign. The group operates leak infrastructure and has publicly listed victims on dark web or Tor-based leak sites, threatening publication of stolen data unless payment is made. The content describes ShinyHunters leaking stolen data from victims including Medtronic, AdaptHealth, Moody Bible Institute, and Madison Square Garden, and references additional dumps affecting tens of millions of people. The content also states that ShinyHunters has claimed compromises of more than 300 PeopleSoft instances across more than 100 organizations worldwide. The content further notes overlap or cooperation with other cybercriminal groups. It states that ShinyHunters has at times teamed up with Scattered Spider and LAPSUS$ in overlapping activity, and that the group has repeatedly been affected by law enforcement takedowns but continues to re-emerge in different forms.

Mentions: 36
#2 Scattered Spider
Financially Motivated

Scattered Spider is a financially motivated cybercrime collective active since 2022. It is also tracked as 0ktapus, Octo Tempest, UNC3944, Muddled Libra, Scatter Swine, Starfraud, Roasted 0ktapus, DEV-0971, LUCR-3, and Storm-0875. The group is described in the content as a loose, primarily English-speaking community composed largely of teenagers and young adults from the United States, the United Kingdom, and other European countries. According to the cited U.S. Department of Justice and related reporting, Scattered Spider has been involved in more than 100 network intrusions and generated more than $100 million in ransom or extortion payments, with millions more in victim damages. The group has targeted U.S. companies and other major organizations across sectors including retail, insurance, telecommunications, and aviation; the content also references high-profile victims and linked incidents involving MGM Resorts, Caesars Entertainment, Marks & Spencer, Harrods, Co-op, Transport for London, Erie Insurance, Philadelphia Insurance Companies, Allianz Life, and Aflac-related attack waves. The group’s hallmark tradecraft is highly targeted social engineering rather than software exploitation. Reported techniques include impersonating employees to corporate IT help desks, fraudulent credential and MFA-device resets, password-reset abuse, MFA bombing/fatigue, phishing SMS messages, callback phishing, Telegram phishing, SIM swapping, and credential-harvesting pages. After access, Scattered Spider is described as stealing data, encrypting systems or data, conducting lateral movement, extorting victims with cryptocurrency demands, and threatening to leak stolen data. The content also states that the group has used the Genymobile Android emulator in some MFA-related activity, ngrok for persistent unauthorized access in at least one intrusion, and BYOVD techniques using the STONESTOP loader and POORTRY kernel driver toolkit to gain privileges and evade endpoint defenses. 
One report in the content says the group primarily targets telecommunication service providers and large Fortune 2000 organizations with valuable intellectual property, and may operate as an initial access broker or affiliate for ALPHV/BlackCat. The content further links Scattered Spider to ransomware and extortion activity, including use of DragonForce ransomware against British retailers, and notes reporting that the group has partnered with ransomware operations including Qilin, RansomHub, and DragonForce. The group is repeatedly characterized as extortion-focused and social-engineering-driven.

Mentions: 19
#3 INC

INC Ransom is a financially motivated ransomware-as-a-service (RaaS) operation that emerged in 2023, with reporting in the provided content placing its emergence in August 2023 or mid-2023. It is also referred to as INC, Gold Ionic, inc_ransom, and inc_ransomware. The group is described as one of the most active ransomware operations in 2026, with researchers attributing more than 800 victims to it globally and some reporting citing more than 830 victims. INC uses double-extortion tactics, operating both private negotiation infrastructure and a public leak site to pressure victims by threatening disclosure of stolen data. The content states that INC targets a broad range of sectors, with repeated references to healthcare, education, manufacturing, legal services, technology, construction, government, and professional services. Multiple reports in the content say the group has a strong U.S. victim concentration, while also operating globally. One report says its top targeted sectors in 2026 were legal services, manufacturing, technology, health care, and construction, and notes that education had previously been a primary target. Initial access methods directly mentioned in the content include spear phishing, valid accounts obtained from initial access brokers, exploitation of vulnerable public-facing applications, exposed remote services, and compromised credentials. Specific vulnerabilities cited in reporting associated with INC activity include Citrix NetScaler flaws CVE-2023-3519 and CVE-2025-5777, Fortinet FortiClient EMS CVE-2023-48788, and SimpleHelp CVE-2024-57727; one report also mentions Citrix Bleed/CVE-2023-4966, SimpleHelp CVE-2023-35082, and WhatsUp Gold CVE-2024-4885. 
Post-compromise behavior described in the content includes reconnaissance for domain controllers, backup infrastructure, virtualization platforms, file servers, and sensitive data repositories; credential theft and dumping; privilege escalation; lateral movement using legitimate administrative tools and compromised accounts; data exfiltration before encryption; and ransomware deployment across Windows and Linux/ESXi environments. Tools and techniques explicitly mentioned include RDP, PsExec, PowerShell, WMI, Cobalt Strike, AnyDesk, ScreenConnect, TeamViewer, 7-Zip, rclone, and Bring Your Own Vulnerable Driver using filwfp.sys, filnk.sys, and fildds.sys. The group is also reported to have used a modified Veeam credential-dumping script that supports newer salted DPAPI-protected credentials. The malware/tooling details in the content state that both the Windows and Linux/ESXi INC encryptors were rewritten in Rust, with cross-platform capability and partial-encryption behavior noted. The Linux/ESXi variant is described as capable of shutting down virtual machines. One infrastructure exposure described an active INC affiliate targeting the Asia-Pacific region and included Windows and Linux encryptors, deployment scripts, exfiltrated victim data, Active Directory enumeration outputs, Kerberos tickets, DPAPI backup master keys, VPN artifacts, and a Rust-based Linux encryptor suite cross-compiled for 14 CPU architectures. The content also links INC Ransom to the FortiBleed credential-harvesting campaign. SOCRadar reported that an operator tied to FortiBleed infrastructure was logged into the negotiation panels of both INC Ransom and Lynx, and that victim overlap existed between FortiBleed data and INC-linked data. The reporting assesses FortiBleed as a separate likely Russian-speaking initial access broker operation supplying access to downstream ransomware actors including INC Ransom, rather than proving INC itself operated FortiBleed. 
Known related groups and aliases directly mentioned in the content include Lynx and Sinobi as related ransomware families tied to underground sales of INC source code in 2024. Several reports state Lynx emerged about a year after INC and is widely assessed as an evolved variant or rebrand of INC. MITRE ATT&CK v16 is cited in the content as adding Inc Ransom as group G1032 and describing it as using double-extortion tactics.

Mentions: 11
#4 Lynx

Lynx is a financially motivated ransomware group operating as a ransomware-as-a-service (RaaS) operation and using a double extortion model that combines encryption with data exfiltration. The group was first observed in July 2024. Multiple sources in the provided content describe Lynx as closely linked to INC Ransom: it is believed to have purchased or used INC source code, is widely assessed as an evolved variant or rebrand of INC, and on-chain behavior has also shown links between the two operations. Known related groups or strains mentioned in the content include INC Ransom and Sinobi. The content links Lynx directly to the FortiBleed campaign. SOCRadar reported that an operator associated with FortiBleed infrastructure was logged into the negotiation panels of both INC Ransom and Lynx, and that FortiBleed-harvested FortiGate access was used in at least 12 ransomware deployments. In that reporting, Lynx is described as a downstream user of access obtained through large-scale credential harvesting from Fortinet FortiGate devices. The broader FortiBleed intrusion chain included credential harvesting, VPN compromise, domain controller access, domain administrator access, and ransomware deployment. Additional tradecraft in the provided content associates Lynx with ransomware intrusions following EDR-killer activity, and Sophos reported a Lynx ransomware attack that leveraged the QDoor backdoor. The content also notes Lynx among ransomware families observed after an EDR Killer -> ransomware sequence. Victimology in the provided content includes claims against organizations such as Australian truck dealership Brown and Hurley, from which Lynx claimed to have stolen about 170 GB of data, and a May 2025 breach at Davies, McFarland, & Carroll affecting 54,712 people. The content also states that Lynx was linked in 2026 to a healthcare-sector intrusion targeting a provider organization. 
One source says Lynx claimed it intended to avoid targeting governmental institutions, hospitals, or non-profit organizations, but other provided content states it was linked to a healthcare intrusion in 2026.

Mentions: 10
#5 Qilin
Financially Motivated

Qilin is a Russian-speaking, suspected Russia-linked ransomware-as-a-service (RaaS) operation active since March 2022. Known aliases in the provided content include Agenda, Qirin, Gold Feather, Water Galura, Qilin Gang, and Qilin Ransomware. The group uses a double-extortion model, encrypting victim systems and threatening to publish stolen data on its leak site, including through sample-document postings and open auction listings. The content describes Qilin as one of the most active ransomware groups during 2025-2026, with broad geographic reach and operations in 26 of 31 countries covered in one European study. It is described as leading industrial-sector ransomware activity since March 2025 and as aggressively recruiting affiliates after disruptions to LockBit and RansomHub. Qilin has also been ranked among the highest-risk ransomware groups in H1 2025. Reported targeting spans healthcare, government, universities, manufacturing, industrial and OT-adjacent environments, and other organizations with sufficient revenue to pay ransoms. Specific incidents mentioned include the Synnovis attack that disrupted London hospitals during the 2024 UK election campaign, a leak-site claim against Musashino University in Japan, and social-media attribution in the Central Bank of Libya incident, although the latter was not confirmed by the victim. Tactics and techniques directly mentioned in the content include exploitation of exposed perimeter infrastructure, especially Fortinet vulnerabilities such as CVE-2024-21762 and CVE-2024-55591; use of stolen or brokered credentials in ransomware intrusion chains; persistence via Windows Run and RunOnce registry keys; DLL injection into svchost.exe after enabling SeDebugPrivilege; and pre-encryption modules named ShadowsRemover, ProcessKiller, and ServicesKiller. In industrial reporting, Qilin is described as using BYOVD techniques to disable antivirus and EDR on Windows systems. 
The content states Qilin uses AES-256 encryption with RSA-wrapped keys and drops a ransom note named -RECOVER-README.txt. The group operates within a broader criminal ecosystem. The content says Qilin has recruited affiliates, has been linked to access-broker activity involving Woodgnat/KongTuke and ModeloRAT in some intrusion chains, and has been associated with partnerships or attempted cooperation involving DragonForce, LockBit, RansomHub, and Scattered Spider-linked operations. A splinter group, The Gentlemen, is described as having emerged from the Qilin ecosystem after founders previously operated as a Qilin affiliate called ArmCorp.

Mentions: 9 · Origin: RU
#6 TA505
Financially Motivated

TA505 is a financially motivated cybercrime threat actor associated in the provided content with the Cl0p/Clop ransomware and extortion operation. Known aliases in the content include TA505, Cl0p/Clop, Graceful Spider, Gold Tahoe, Hive0065, Monty Spider, Spandex Tempest, and Chimborazo. The content also links TA505 to malware delivery activity involving Get2Downloader and ServHelper. Based on the provided material, TA505/Cl0p has conducted large-scale data theft and extortion campaigns, including mass exploitation of Progress Software MOVEit Transfer in May 2023 via a zero-day vulnerability, with subsequent publication of victim names and stolen data on its leak site when ransom demands were not met. The content describes Cl0p as a Russian-speaking hacking group in connection with the MOVEit campaign. The group also exploited Oracle E-Business Suite vulnerabilities, including CVE-2025-61882 in zero-day attacks beginning as early as August 2025, targeting multiple U.S. universities as well as Logitech, GlobalLogic, the Washington Post, and Oracle E-Business Suite customers more broadly. The content further states that TA505 (CL0P) exploited a Cleo vulnerability to target a large number of companies in H1 2025. The content ties TA505 to malware operations using Get2Downloader, first observed in 2019 and known to deliver malware including Sdbbot. A separate TA505 analysis in the content describes a ServHelper intrusion chain beginning with malicious Excel 4.0 macros downloading an MSI-based loader, which retrieved rdy.exe, installed a digitally signed ServHelper DLL (dxdiag.dll), established C2 communications with medastr[.]com/docs/s.php, collected host and workgroup/domain information, executed commands including net group /domain, used PowerShell for reconnaissance, and established persistence via a Run key. The analysis notes operator interest in domain-joined systems and assesses financial organizations as likely targets. 
The content also reflects Cl0p’s use of leak-site pressure tactics, including deadlines, name-and-shame postings, negotiation pressure, and removal of victims from the leak site when payment was believed to have occurred.

Mentions: 8
#7 Kimsuky

Kimsuky is a DPRK-linked cyber espionage threat actor associated in the content with North Korea’s Reconnaissance General Bureau. Reported aliases include APT43, APT-C-55, Black Banshee, Cerium, Earth Imp, Emerald Sleet, GreenDinosa, Kimsuky Group, Konni, Konni Group, Opal Sleet, Osmium, PlaneDown, RGB D5, Ruby Sleet, SharpTongue, Sparkling Pisces, Springtail, TA406, TA427, Thallium, and Velvet Chollima. The content also notes that Konni Group/TA406 is generally understood to fall under the Kimsuky cluster, and references a GoldDragon cluster of Kimsuky activity. The actor is described as conducting espionage and reconnaissance operations, including campaigns against defense, political, and North Korea-related individuals, South Korean government officials, NGOs, government agencies, media organizations, and corporate staff. The content also references targeting of cryptocurrency workers and technical employees at crypto exchanges through fake job and interview lures. One report describes extensive targeting of Naver-related infrastructure, while another notes overlap between UNC3782 and APT43/Kimsuky but says attribution remains unclear. Tradecraft in the content centers on spearphishing, impersonation, and multi-stage malware delivery. Kimsuky has impersonated a foreign advisor, embassy employee, think tank employee, and a Japanese diplomat. Reported delivery mechanisms and lures include malicious LNK files, CHM files, Word documents, HTA files, PDF-linked phishing, and fake CAPTCHA or device-registration pages using ClickFix-style social engineering. The content states that Kimsuky incorporated ClickFix into intrusion workflows, and that North Korean operators used a fake-job "ClickFake Interview" variant targeting cryptocurrency workers. Observed malware behavior in the content includes use of PowerShell, VBScript, scheduled tasks, Windows services, and registry-based persistence. 
One Kimsuky-attributed chain used a CHM lure named Review.chm to launch hidden PowerShell, decode and execute VBScript, profile the host via WMI, enumerate directories and running processes, exfiltrate Base64-encoded host inventory, and establish persistence via a hidden scheduled task named Edge Updater. Another campaign disguised malware as a military and security academic journal, abused Dropbox and GitHub for staging, and persisted by registering a VBE file as a scheduled task. A separate GoldDragon cluster used multi-stage delivery, abused Google blog services, and ultimately stole keyboard input, browser credentials and cookies, and screenshots. The content also references repeated use of LOTS-style tradecraft and KimJongRAT in reporting tied to Kimsuky. The content further associates Kimsuky with real-world exploitation of CVE-2024-1709 in ConnectWise ScreenConnect. It also references likely Kimsuky infrastructure overlap in Android malware research where Naver-themed phishing artifacts and the string "Million OK !!!!" resembled prior Kimsuky operations, though that specific linkage is presented as suspected rather than confirmed.

Mentions: 7 · Origin: KP
#8 DragonForce

DragonForce is a ransomware group active since December 2023 that operates a Ransomware-as-a-Service (RaaS) model and markets itself as a cartel. It has maintained a presence on BreachForums, RAMP, and Exploit to leak stolen data, promote its services, and recruit affiliates, initial access brokers, and pentesters. Reported associated or related groups and relationships mentioned in the content include BlackLock, RansomHub, Scattered Spider, DEVMAN, LockBit, and attempted public cooperation with Qilin and LockBit. The content also states DragonForce announced a RaaS partnership with BreachForums and that reporting assessed RansomHub was taken over by DragonForce and shut down. The group is described as affiliate-driven and using a double-extortion model, with data exfiltration and leak-site publication in addition to encryption. It has targeted organizations in sectors including healthcare and medical imaging, and reporting cited in the content says many top-tier RaaS gangs including DragonForce draw close to half of their publicly claimed victims from the United States. One cited leak-site example is VIP Imaging in the United States healthcare sector. Technically, the content states DragonForce developed and deployed ransomware based on leaked LockBit 3.0 (LockBit Black) and Conti source code, with both Windows and Linux variants. Linux variants support ESXi, NAS, and RHEL environments. Reported capabilities include ChaCha8-based configuration decryption and file encryption, RSA-4096-protected metadata, optional filename Base32 encoding, network-share encryption over SMB, scheduled-task persistence, wallpaper and icon changes, and shadow-copy deletion. The group’s generated binaries retained BYOVD-based process termination functionality by default, and reporting states DragonForce used vulnerable drivers such as truesight.sys and rentdrv2.sys for process killing. 
Intrusion activity attributed to DragonForce in the content includes initial access via exposed remote desktop servers using valid domain accounts, possible exploitation of unknown SQL or MSSQL server vulnerabilities, or purchased access from other criminals. Post-compromise activity described in the content includes PowerShell payload delivery, Cobalt Strike Beacon, SystemBC persistence, Mimikatz for LSASS credential dumping, ADFind and netscanold.exe for discovery, RDP-based lateral movement, credential theft, data exfiltration, and ransomware deployment at scale, including campaigns exploiting MSP tooling. The content also attributes a custom Go backdoor, Backdoor.Turn, to DragonForce. Backdoor.Turn disguises command-and-control traffic as Microsoft Teams traffic by abusing the TURN protocol, obtaining an anonymous Teams visitor token, using a legitimate TURN relay, and then establishing a QUIC session to the real command server. In the reported intrusion, DragonForce also used DLL sideloading, fake accounts, Windows security changes, and BYOVD techniques with vulnerable signed drivers from Huawei, Topaz Antifraud, Tower of Fantasy, and K7 Security, as well as the ABYSSWORKER malicious driver masquerading as a Palo Alto Networks product. The content further links DragonForce affiliates to use of the BYOVD EDR-killer tool ThrottleBlood, which has been observed in DragonForce and MedusaLocker-related intrusions.

Mentions: 7
#9 UNC4221

UNC4221 is a Russia-linked cyber threat cluster also tracked as UAC-0185. U.S. authorities describe it as operating on behalf of Russian military services, and some reporting characterizes it as associated with Russian military intelligence. The activity is publicly tracked alongside UNC5792 in FBI/CISA and U.S. State Department reporting. UNC4221 has targeted Signal and WhatsApp accounts through phishing and social engineering rather than by compromising the applications’ encryption. Reported targets include current and former U.S. government officials, military personnel and leaders, allied personnel, journalists, political figures, key officials in Ukraine, diplomats, policy analysts, NGOs supporting Ukraine, and researchers focused on security and Russian affairs. Reporting also states that UNC4221 has singled out Signal accounts used by Ukrainian military personnel. Observed tradecraft includes impersonating messaging-platform support accounts, sending fake support or security messages, soliciting verification codes, account PINs, and Signal Backup Recovery Keys, and abusing legitimate device-linking features to connect attacker-controlled devices to victim accounts. Related reporting also describes the use of fake or modified Signal group invite pages and malicious QR-code/device-linking lures to hijack accounts. Once access is obtained, the actors can read private and group conversations, access contact lists and group chats, and use compromised accounts for follow-on phishing. Google Threat Intelligence Group reporting cited in the content links UNC4221/UAC-0185 to phishing infrastructure mimicking the Kropyva application used by the Armed Forces of Ukraine. The content also states that UNC4221 used Android malware STALECOOKIE, which mimics Ukraine’s DELTA battlefield management platform to steal browser cookies, and used ClickFix to deliver the TINYWHALE downloader, which then dropped MeshAgent remote management software. 
Additional reporting in the content places UNC4221 among Russian clusters focused on battlefield technology, secure communications, and attacks on Ukrainian and allied defense assets.

Mentions: 7 · Origin: RU
#10 UNC5792

UNC5792 is a Russian cyber-espionage threat cluster publicly tracked as UNC5792 and also referred to as UAC-0195, with reporting noting partial overlap with CERT-UA’s UAC-0195. U.S. authorities associate UNC5792 with officers tied to Russia’s Federal Security Service (FSB), including the FSB Border Guards. The group has been linked to phishing and social-engineering campaigns targeting commercial messaging applications, especially Signal and WhatsApp, and has also been described as targeting secure communications and defense-related assets connected to Ukraine and allied interests. Reported targeting includes current and former U.S. government officials, military leadership and personnel, allied personnel, diplomats and foreign affairs officials, journalists, political figures, officials in Ukraine, NGOs supporting Ukraine, policy analysts, security researchers, academic researchers in Russian affairs, and Armenian civil society and public-sector entities. Broader reporting also places UNC5792 among Russian clusters focusing on battlefield technology, secure communications, and direct attacks on Ukrainian and allied defense assets. The group’s tradecraft centers on social engineering rather than breaking application encryption. Reported techniques include impersonating Signal support, soliciting verification codes, account PINs, and increasingly Signal Backup Recovery Keys; abusing legitimate linked-device functionality; using malicious QR codes; and modifying legitimate-looking Signal group invite pages so that victims are redirected to attacker-controlled device-linking flows. Reporting states that theft of Backup Recovery Keys can allow restoration of encrypted backups and access to historical private and group messages, and that compromised accounts have been used for follow-on phishing against additional targets. Public reporting also states that UNC5792 has used malicious group invites that link victim Signal accounts to attacker-controlled devices. 
Known aliases and related designations directly mentioned in the content are UAC-0195 and, in one report, partial overlap with CERT-UA’s UAC-0195.

Mentions: 7 · Origin: RU
#11 Lazarus

Lazarus Group is a North Korea-linked threat actor, widely associated with DPRK state-sponsored activity and financially motivated operations. Known aliases in the provided content include Black Artemis, Copernicium, Diamond Sleet, Guardians of Peace, Hidden Cobra, Labyrinth Chollima, Lazarus APT, Lazarus Group, Nickel Academy, Nickel Gladstone, Stardust Chollima, Storm-0139, Storm-0954, Storm-1222, UNC1069, UNC1720, and Zinc. The content also references sub-groups or affiliated clusters including BlueNoroff and Sapphire Sleet, and notes Stardust Chollima and Labyrinth Chollima in Lazarus-linked activity. The actor is described as targeting financial institutions, cryptocurrency organizations, developers, and software supply chains. Reported targeting includes cryptocurrency exchanges and platforms such as ByBit, Solana/DeFi-related organizations, and developer ecosystems through npm package compromises and recruiter-themed social engineering. The content states that Lazarus has courted security researchers and developers for years, including posing as recruiters or fellow researchers, delivering malicious Visual Studio projects, and using fake interviews and coding challenges in operations such as Dream Job and the broader Contagious Interview ecosystem. Tradecraft directly mentioned in the content includes social engineering via LinkedIn and fake interviews; impersonation of HR hiring personnel; malicious npm packages masquerading as legitimate tooling; hidden install-time execution; staged payload delivery; environment checks to evade sandboxes and cloud development environments; credential theft; browser and cryptocurrency wallet theft; remote access trojans; clipboard capture; file collection; interactive terminal access; and malware designed to operate largely or entirely in memory. 
One Lazarus-linked framework described in the content uses DPAPILoader, RemotePELoader, and RemotePE to achieve memory-resident execution, command execution, file manipulation, process management, and data access while minimizing forensic visibility. The content links Lazarus to multiple financially motivated and disruptive operations. It references the February 24, 2025 compromise of an offline Ethereum wallet from ByBit resulting in theft of $1.5 billion in digital assets. It also references attribution of attacks on crypto and DeFi organizations, including LayerZero attribution of the KelpDAO bridge attack to Lazarus Group and Mandiant attribution of a Solana-related exploit to a DPRK-affiliated threat actor using months-long social engineering and durable-nonce abuse. The content further states that BlueNoroff, described as an affiliate or subgroup of Lazarus, has been associated with financially motivated campaigns designed to generate revenue for Pyongyang and with software supply-chain compromises such as the Mastra npm incident. Historically, the content states that Lazarus has been linked to the 2014 Sony Pictures Entertainment attack, the Bangladesh Central Bank SWIFT theft, attempted bank intrusions, and WannaCry ransomware. It describes a progression from earlier DDoS and destructive attacks against U.S. and South Korean targets to cyber espionage, bank fraud, ransomware, and cryptocurrency theft. Overall, the provided material portrays Lazarus Group as a long-running North Korea-linked threat actor combining espionage, destructive activity, financial theft, and increasingly sophisticated supply-chain and developer-focused operations.

Mentions: 6 · Origin: KP
#12 TeamPCP

TeamPCP is a cybercriminal threat actor focused on large-scale software supply chain compromise, credential theft, data exfiltration, and extortion. The group is also referred to as storm_2999 and has been reported under additional aliases including PCPcat, ShellForce, DeadCatx3, Persy_PCP, and CipherForce. TeamPCP first appeared in late December 2025 and initially focused on exploiting misconfigured Docker APIs and Kubernetes clusters in cloud environments before shifting in 2026 to high-impact compromises of trusted developer and security tooling. In March 2026, TeamPCP conducted a multi-wave supply chain campaign affecting GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI. Confirmed compromises mentioned in the content include Aqua Security Trivy and related GitHub Actions, Checkmarx KICS and AST GitHub Actions, LiteLLM, and the Telnyx Python SDK. The actor poisoned legitimate releases, force-pushed tags, modified packages and workflows, and distributed trojanized updates through official channels. The campaign targeted CI/CD pipelines, cloud infrastructure, and developer environments to steal cloud access tokens, SSH keys, Kubernetes secrets, API keys, environment variables, and other authentication material. TeamPCP malware and tooling mentioned in the content include CanisterWorm, SANDCLOCK, Mini Shai-Hulud, Miasma, and the TeamPCP Cloud Stealer. Reported behaviors include scraping CI runner memory, querying cloud metadata services, harvesting credentials from files and environment variables, creating fallback GitHub exfiltration repositories such as tpcp-docs and docs-tpcp, establishing persistence via systemd-based droppers, and self-propagating across npm and PyPI ecosystems. The content also states that TeamPCP used stale npm maintainer recovery email domains to hijack accounts and publish malicious package versions. The group has engaged in extortion by publishing victim names on a leak site and threatening disclosure of stolen data. 
Multiple sources in the content describe an operational partnership announced in late March 2026 between TeamPCP and the Vect ransomware group, combining TeamPCP’s credential theft and data theft capabilities with Vect’s ransomware deployment infrastructure. The content also states that TeamPCP has operated or used CipherForce as a separate ransomware or leak channel. TeamPCP is described throughout the content as a criminal actor rather than a nation-state group.

Mentions: 5
#13 Black Basta

Black Basta is a financially motivated ransomware operation, also referred to as Storm-1811 in reporting. The group has been described as a mature, highly organized criminal enterprise and has been linked in the content to former Conti-era personnel and relationships with other ransomware and malware operations. Trellix analysis of leaked Matrix chats from September 2023 to September 2024 reported alleged ties between Black Basta leadership and Russian authorities, including claims by leader GG/AA, identified in the leaks as Oleg Nefedov and also linked to Conti’s Tramp, that Russian officials assisted him after an arrest in Armenia. The same reporting said the group operated two offices in Moscow and maintained structured teams, logistics support, operational security procedures, and collaborations with actors linked to BlackSuit/Royal, Rhysida, Cactus, and former Conti/Trickbot activity. The content states Black Basta studied victims carefully before launching phishing and malware campaigns, exploited vulnerabilities, and used intimidation and panic-triggering tactics to pressure victims into paying. Reported tradecraft includes hijacking legitimate email threads and sending phishing emails using QakBot for initial access in November 2022; exploiting Microsoft Quick Assist for initial access and persistence; abusing remote access and RMM tooling such as ScreenConnect; and using social-engineering operations including email bombing followed by Microsoft Teams messages posing as IT support to persuade victims to authorize Quick Assist, AnyDesk, Supremo, or ScreenConnect. The content associates this Teams-based intrusion pattern with Storm-1811/Black Basta and notes progression from initial Teams contact to malicious administrative script execution in as little as 12 minutes. CISA #StopRansomware advisories cited in the content also state that Black Basta uses PsExec as a primary ransomware propagation tool. 
Leaked Black Basta chats analyzed in the content showed use of ChatGPT for phishing pretexts, malware rewriting, debugging, and automating victim intelligence collection. The group was reported to use or rent malware and loaders including Pikabot, DarkGate, IcedID, and LummaC2, and to develop a custom post-exploitation framework called Breaker. Separate content also notes that Black Basta chat leaks included active discussion of CVE-2024-3400 in Palo Alto PAN-OS. The group’s extortion model is described as deliberate and data-driven, with ransom demands tailored to victim finances, insurance coverage, data sensitivity, contracts, customer relationships, board communications, and recovery posture. The content says Black Basta used multi-extortion pressure tactics including encryption, data theft, DDoS, operational disruption, harassment, and deadline manipulation. One report cited in the content states that before shutting down in 2025, Black Basta attacked 520 victims across 39 industries, used roughly two dozen ransomware variants, and collected at least $107 million in bitcoin payments. The content also links Black Basta to broader cybercrime ecosystems. Woodgnat, also known as KongTuke, an initial access broker active since at least 2024, has been publicly linked to attacks involving Black Basta and other ransomware groups including Qilin, Akira, Rhysida, Interlock, and 8Base. Malware associated with Woodgnat, including ModeloRAT and Backdoor.Mistic, has been tied in reporting to intrusions involving Black Basta-linked downstream access or deployment. Additional reporting in the content describes a kernel driver family, primarily named Driver_win10.sys, observed dropped by Black Basta tooling and adjacent intrusions during 2025. Aliases and related names directly mentioned in the content include Black Basta and Storm-1811.

Mentions: 5
#14 APT28
Groups In Development

APT28 is a Russia-linked threat actor associated in the content with Russia’s GRU, including references to Russia’s main intelligence directorate of the armed forces and MITRE group G0007. The content identifies APT28 aliases including Fancy Bear, Forest Blizzard, Strontium, Sofacy, Sednit, Pawn Storm, Tsar Team, Fighting Ursa, BlueDelta, Iron Twilight, Swallowtail, TG-4127, Threat Group 4127, UAC-0001, and UAC-0028. The content also includes many aliases that are commonly associated with other clusters; only the aliases directly and consistently tied to APT28 in the provided material are included here. Based on the provided content, APT28 conducts cyber espionage and related operations against government, defense, and other strategic targets. Reported targeting includes African government accounts in 2025 for credential theft, internal surveillance, and intelligence gathering, as well as Ukrainian government entities. The content states that APT28 used password spraying against government and defense sectors, launched spear-phishing emails impersonating Ukrainian government officials, and has used malicious Microsoft Office attachments in spear-phishing. Proofpoint also tied APT28 to campaigns incorporating ClickFix into existing intrusion workflows. The content further describes LameHug, which CERT-UA attributed with moderate confidence to APT28, as Python-based malware targeting Ukrainian government entities. LameHug queried Hugging Face-hosted Qwen2.5-Coder-32B-Instruct to dynamically generate Windows reconnaissance and data-theft commands, with different commands produced per environment. This is presented as an example of AI-augmented service abuse that reduced the value of static analysis. Overall, the content portrays APT28 as a Russian state-sponsored espionage actor using credential attacks, spear-phishing, social engineering, and evolving malware-enabled tradecraft, including adoption of ClickFix and AI-assisted malware behavior.

Mentions: 5 · Origin: RU
#15 EvilTokens

EvilTokens is a phishing-as-a-service (PhaaS) platform focused on compromising Microsoft 365 accounts through device code phishing that abuses Microsoft’s OAuth 2.0 Device Authorization Grant workflow. Victims are tricked into entering attacker-generated device codes on Microsoft’s legitimate device login page, allowing operators to obtain access and refresh tokens while bypassing the practical protection of MFA. Reporting states EvilTokens emerged in February 2026, was advertised on Telegram, and has been linked to campaigns affecting more than 340 organizations across five countries. Observed infrastructure and delivery commonly used Cloudflare Workers redirects, and Huntress also tied major activity to Railway-hosted infrastructure. Sekoia reported the service was sold with a $1,500 setup or capture-link offering and a $500 monthly license, while other reporting described subscription tiers ranging from $600 to $1,500. Documented capabilities include centralized administration panels for harvested Microsoft tokens, built-in mailbox access, token management, collaborative access for affiliates, and a custom Portal Browser or ET Browser for managing multiple compromised Microsoft 365 accounts. Sekoia reported EvilTokens requests tokens for Outlook, Graph, Azure, Substrate, and SharePoint and exchanges harvested tokens for a Primary Refresh Token to establish persistence. Reporting also states the platform performs Microsoft Graph reconnaissance and supports business email compromise workflows. Multiple sources state EvilTokens integrated AI into post-compromise and phishing operations. Reported uses include generating personalized phishing lures, analyzing stolen inboxes and documents for financial exposure, identifying payment threads and high-value targets, translating stolen emails, and generating BEC scenarios and draft messages. Huntress described the operation as functioning like a modern tech startup with pricing, demos, support, and customer channels. 
Cisco Talos reported that ARToken is closely tied to the EvilTokens ecosystem and operates as an affiliate of the EvilTokens operation. Talos found overlapping infrastructure, identical API contracts for device code phishing, matching Primary Refresh Token lifecycle endpoints, shared operational patterns, and similar deployment through Cloudflare Workers. ARToken was described as a more mature affiliate panel supporting token refresh, PRT persistence, inbox rule manipulation, keyword monitoring, SharePoint and OneDrive access, token sharing, and anti-analysis features. Known alias and related name in the provided content: eviltokens; ARToken is described as an affiliate panel or closely linked service within the EvilTokens ecosystem.

Mentions: 5
#16 JADEPUFFER

JADEPUFFER is the name used by the Sysdig Threat Research Team for an operator it assessed as an autonomous, LLM-driven or agentic ransomware/extortion threat actor. According to the provided reporting, JADEPUFFER conducted a two-stage intrusion in which it first exploited CVE-2025-3248, a missing-authentication vulnerability in an internet-exposed Langflow instance that allowed arbitrary Python code execution, then pivoted to a separate production server that was the apparent true target. On the compromised Langflow host, JADEPUFFER performed host reconnaissance, harvested secrets, dumped Langflow’s backing PostgreSQL database, scanned reachable internal services, enumerated MinIO object storage, and used default MinIO credentials (minioadmin:minioadmin) where available. Sysdig reported that the actor established persistence via a cron job beaconing to 45.131.66[.]106:4444 every 30 minutes. In the second phase, JADEPUFFER targeted a production environment exposing MySQL and Alibaba Nacos. The reporting states that it connected to MySQL as root using credentials whose source Sysdig could not determine, and attacked Nacos through multiple methods including CVE-2021-29441-style authentication bypass, forged JWTs using Nacos’s default signing key, and direct insertion of a backdoor administrator account into the Nacos database. Sysdig also reported adaptive behavior, including autonomous correction of failed attack steps such as fixing bcrypt-based account creation and adjusting destructive SQL to bypass foreign key constraints. The operation culminated in encryption of 1,342 Nacos configuration items using MySQL AES_ENCRYPT(), deletion of original configuration and history tables, creation of a ransom table named README_RANSOM, and broader destructive dropping of database schemas. The ransom note included the Bitcoin address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy and the contact e78393397[@]proton[.]me. 
Sysdig reported that the encryption key was generated, printed once to stdout, and neither stored nor transmitted, making practical recovery unlikely even if ransom were paid. The content states that Sysdig considered the significance of JADEPUFFER not to be novel techniques, but the autonomous chaining of known weaknesses into a complete extortion workflow. No aliases or sub-groups beyond the casing variant JadePuffer/JADEPUFFER are directly supported in the provided content.

Mentions: 5
#17 LAPSUS$
Financially Motivated

LAPSUS$ is a financially motivated extortion threat actor known for data theft, leak-site extortion, and social-engineering-driven account compromise. Known aliases in the provided content include DEV-0537, Lapsus, Slippy Spider, and Strawberry Tempest. The content also describes overlap or collaboration with other criminal actors and brands, including ShinyHunters, Scattered Spider, TeamPCP, and the Scattered LAPSUS$ Hunters federation; Mandiant is cited as linking remnants of LAPSUS$ to The Com. The group is specifically described as using impersonation-based social engineering to gain privileged access, including calling victims’ help desks and impersonating legitimate users with previously gathered information in order to obtain access to privileged accounts. The content also references LAPSUS$ under ATT&CK technique T1068, but does not provide incident-specific evidence tying that technique to the group beyond annotation metadata. In the provided reporting, LAPSUS$ is described as a monetization and extortion partner for TeamPCP. After TeamPCP’s Checkmarx compromise, LAPSUS$ added Checkmarx to its leak site and claimed theft of source code, API keys, database credentials, and employee details. Separate reporting says TeamPCP partnered with established extortion groups including LAPSUS$ to monetize stolen data, and Flare assessed that TeamPCP likely functions as an initial-access supplier to monetization partners including LAPSUS$. Victim claims in the content include AYA Bank and Virta Health. For AYA Bank, LAPSUS$ claimed it infiltrated the bank’s internal network, stole more than 120 GB of sensitive data, added the bank to its leak site, and threatened publication unless a ransom was paid; AYA Bank stated the breach involved an outdated application portal exposing sensitive personal information and said core banking and payment systems were unaffected. 
For Virta Health, LAPSUS$ claimed responsibility for the attack, listed the company on its leak site, claimed theft of confidential data, and threatened public release unless ransom demands were met. The content also states that LAPSUS$ released a claimed 3 GB AstraZeneca archive for free after failing to sell it via Session encrypted messaging, with Cybernews partially verifying contents consistent with AstraZeneca infrastructure. More broadly, the reporting describes LAPSUS$ as repeatedly disrupted by law enforcement but continuing to re-emerge in different forms and in overlapping activity with other cybercrime actors.

Mentions: 5
#18 Volt Typhoon

Volt Typhoon is a China-linked, state-sponsored threat actor associated with the PRC and tracked under aliases including BRONZE SILHOUETTE, DEV-0391, Insidious Taurus, Storm-0391, UNC3236, Vanguard Panda, VOLTZITE, Voltzite, and G1017. The actor is described as focused on stealthy long-term pre-positioning in critical infrastructure rather than overt disruption, with targeting repeatedly cited across U.S. and broader critical infrastructure sectors including energy, water and wastewater, telecommunications, transportation, and defense-related environments. Multiple references describe the group as infiltrating water and wastewater IT environments and pre-positioning inside telecom networks to enable strategic access ahead of a possible crisis or conflict. The group is consistently characterized by living-off-the-land tradecraft and blending with normal administrative activity. Reported techniques and behaviors directly mentioned in the content include abuse of victim-owned tools, systems, and credentials; use of Windows utilities such as wmic.exe, netsh.exe, PowerShell, ntdsutil.exe, and certutil.exe; network enumeration; exploitation for privilege escalation; PowerShell execution; and use of multi-hop proxy command-and-control. The content states that Volt Typhoon often does not rely on conventional malware, which can make SIEM and SOC detection difficult. The actor is also linked to operational use of compromised SOHO routers and the KV botnet to hide access and relay activity. The content states that compromised end-of-life Cisco and NetGear routers were used to conceal access planted in U.S. communications, energy, water, and transportation systems, and that U.S. authorities disrupted KV-botnet malware from hundreds of such routers in December 2023. Dragos’s VOLTZITE tracking is described as activity overlapping Volt Typhoon and involving covert collection of information on energy and water infrastructure via compromised SOHO routers. 
The content further notes that Volt Typhoon is a persistent threat in OT and ICS contexts because legitimate engineer VPN access and static OT software baselines can make living-off-the-land activity harder to detect. It is also cited as an active campaign affecting the defense industrial base by mimicking everyday IT tools. Five Eyes joint advisories are described as using Microsoft’s name, Volt Typhoon, as the common label.

Mentions: 5
#19 The Gentlemen

The Gentlemen is a financially motivated ransomware-as-a-service (RaaS) operation that emerged in mid-to-late 2025 and rapidly became one of the most active ransomware groups in 2026. Multiple reports describe it as a splinter or rebrand from the Qilin ecosystem, with founders previously operating as the Qilin affiliate ArmCorp and leaving after a reported payment dispute. The group is tracked by Microsoft as Storm-2697. Reported aliases and associated personas include Phantom Mantis, ArmCorp, hastalamuerte, zeta88, and LARVA-368; reporting also links the operation to Russian national Alexander Andreevich Yapaev with high confidence. The group uses an aggressive affiliate model, including a 90% revenue share, and has attracted experienced affiliates from other ransomware operations including DragonForce and LockBit. The Gentlemen conducts double-extortion ransomware attacks and has claimed hundreds of victims globally across dozens of countries and multiple sectors, including manufacturing, healthcare, energy, government, transportation, education, financial services, IT services, construction, logistics, and critical infrastructure. Reporting states it targets large corporations and critical infrastructure worldwide, with victim distribution noted across Southeast Asia, South America, Western Europe, and other regions. Initial access commonly relies on exploited internet-facing systems and valid credentials rather than zero-days. Reported access vectors include exposed edge devices, Fortinet and Cisco appliances, unpatched VPNs, internet-facing RDP, remote management tools, stolen credentials from infostealers, initial access brokers, compromised Outlook Web Access accounts, and credential spraying against SSL VPNs. The group has also been reported exploiting vulnerabilities such as FortiOS CVE-2024-55591 and abusing older Active Directory weaknesses including ZeroLogon, PetitPotam, and AD CS ESC1 misconfigurations. 
Post-compromise tradecraft includes living-off-the-land techniques and use of legitimate administrative tools such as PsExec and AnyDesk; Active Directory enumeration with SharpADWS; network reconnaissance with NetScan, Advanced IP Scanner, and netsh packet capture; lateral movement via Group Policy and PsExec; credential theft and DCSync; and exfiltration using tools such as rclone. Reporting also describes custom tooling, reconnaissance, network sniffing capability, and a custom Go backdoor communicating with C2 81.177.215.15:9443. A defining characteristic of The Gentlemen is centralized defense evasion support for affiliates. ESET reported that the group provides a standardized EDR-killer suite led by the in-house GentleKiller framework, with at least eight variants impersonating legitimate software and abusing vulnerable or malicious signed kernel drivers via BYOVD to disable security tools. GentleKiller reportedly targets more than 400 processes across 48 security vendors. The group has also been observed using or distributing other EDR-killer tools including HexKiller, ThrottleBlood, HavocKiller, UnknownKiller, and PoisonKiller, and rapidly incorporating newly disclosed BYOVD techniques. Additional observed drivers and tools used for defense evasion include ProcessMonitorDriver.sys, wamsdk.sys, gamedriverx64.sys, biontdrv.sys, inpoutx64.sys, wsftprm.sys, Havoc.sys, Windows Kernel Explorer, OpenArk64, and attempts to disable or uninstall Microsoft Defender and Kaspersky. The ransomware tooling is cross-platform. Reporting describes a mature Go-based ransomware family used across Windows, Linux, ESXi, NAS, and BSD, as well as C-based variants including an ESXi locker and an emerging Windows-focused C implant. 
The Go variant uses Curve25519/X25519 with XChaCha20, supports self-propagation and GPO-based deployment, and can stop virtual machines and services, modify ACLs, remove shadow copies, clear logs, wipe free space, and drop README-GENTLEMEN.txt ransom notes, sometimes also changing the desktop wallpaper. A Windows-focused C variant uses AES-256-GCM with RSA and writes !-READ-ME—-GEN-TLE-MEN-!.txt ransom notes. Reporting also notes worm-like lateral movement capability. The group has been linked to use of AI tools in development and operations. Content specifically mentions use of ChatGPT, Gemini, and Claude, with leaked chats supporting that assessment, including use of AI-assisted tooling and development of components such as the negotiation panel. Known sub-grouping or affiliate-related references in the content include Phantom Mantis as the precursor identity and affiliate-linked tooling such as the Rust-based credential stealer OxideHarvest, which ESET attributed to an affiliate named quant rather than the core operators.

Mentions: 4
#20 Gamaredon Group

Gamaredon is a Russia-aligned advanced persistent threat group, also tracked as Actinium, APT-C-53, Aqua Blizzard, Armageddon, DEV-0157, Iron Tilden, Primitive Bear, SectorC08, Shuckworm, Trident Ursa, and UNC530. The content describes it as one of the most active groups targeting Ukraine, active since at least 2013, and linked in the reporting to Russia’s domestic intelligence apparatus; the Security Service of Ukraine is cited as attributing the group to the 18th Center of Information Security of Russia’s FSB. Throughout 2025, Gamaredon maintained an aggressive cyberespionage campaign focused exclusively on Ukrainian governmental and military institutions, with the objective of exfiltrating sensitive information to support Russian interests in the war against Ukraine. ESET observed 35 distinct spear-phishing campaigns in 2025, most of them in the second half of the year. Delivery methods included archive attachments, XHTML files using HTML smuggling, malicious HTA downloaders, and in some cases exploitation of the patched WinRAR vulnerability CVE-2025-8088 to place a downloader in the Windows Startup folder for persistence. The group expanded its malware arsenal with six new PowerShell-based tools: PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, and PteroPaste. Reported functions included in-memory retrieval and execution of PowerShell or VBScript payloads, obtaining command-and-control information from services such as GoFile and Telegra.ph, USB weaponization, and persistence orchestration. Gamaredon also continued using or reviving tools such as PteroSand, PteroLNK, PteroPaste, PteroSetup, PteroPSDoor, and PteroVDoor. PteroLNK and PteroPaste were used for lateral movement via infected USB and network drives, while PteroSetup replaced legitimate installer files with malicious 7z archives. 
A major operational trend in 2025 was increased abuse of legitimate and third-party services to conceal infrastructure, stage payloads, resolve command-and-control, and exfiltrate data. The content specifically mentions tunnels, serverless workers, dynamic DNS, PaaS platforms, and services including Telegra.ph, Teletype, Rentry.co, Write.as, Dropbox, GoFile, DEV Community, Mastodon, Lesma, Nopaste.net, Paste.ee, Wasabi, Tebi, and Intercolo. Reporting also notes use of Microsoft and Cloudflare tunneling services and Cloudflare Workers. Gamaredon used HTTP and HTTPS for command-and-control communications and registered domains to stage payloads. The content also attributes several ATT&CK-style behaviors to Gamaredon, including PowerShell execution, use of hidden console execution via hidcon to run batch files, automatic scanning for interesting documents on compromised systems, listing files of interest such as Office documents, stealing data from newly connected logical volumes including USB drives, and attempting to get users to open Office attachments with malicious macros. Some reporting cited in the content also notes collaboration with Turla in early 2025.

Mentions: 4 · Origin: RU
#21 Lazarus

Lazarus Group is a North Korea-attributed threat actor associated with financially motivated and espionage activity. Known aliases in the provided content include APT-C-26, BadClone, Contagious Interview, Coral Sleet, DeceptiveDevelopment, DEV#POPPER, Diamond Sleet, Famous Chollima, Genie Spider, Gwisin Gang, Labyrinth Chollima, Nickel Tapestry, Pukchong, PurpleBravo, Selective Pisces, Storm-1877, TA404, TAG-121, TempHermit, Tenacious Pungsan, UNC2970, UNC5267, Void Dokkaebi, and WaterPlum. The content links Lazarus Group to the broader Contagious Interview / Famous Chollima activity, a North Korea-aligned campaign targeting software developers and cryptocurrency-sector personnel through fake job recruitment, recruiter impersonation, interviews, coding assessments, and malicious repositories or packages. Reporting cited in the content describes malicious npm, PyPI, Go, Packagist, and Chrome extension activity tied to this ecosystem, including campaigns such as PolinRider and Rollup-themed npm impersonation. Malware families and tooling mentioned in connection with this activity include BeaverTail, OtterCookie, DEV#POPPER, InvisibleFerret, and OmniStealer. The described tradecraft includes compromised maintainer accounts, tampering with legitimate repositories, malicious VS Code task files configured to run on folder open, obfuscated JavaScript loaders hidden in configuration files or fake font files, retrieval of encrypted second-stage payloads from blockchain-related infrastructure, remote access, credential theft, browser and wallet theft, file collection, clipboard capture, and Git history rewriting to conceal repository tampering. 
The content also references Operation Dream Job, in which Lazarus Group impersonated HR hiring personnel through LinkedIn messages and interviews, used malicious job-themed documents and Word attachments delivered via spearphishing, queried compromised Active Directory servers to obtain employee and administrator account lists, used compromised servers to host malware, and conducted command and control over HTTP and HTTPS. Additional behaviors directly mentioned for Lazarus Group include creating new services for persistence, identifying target files by extension, enumerating files and directories across drives, enumerating logged-on users, using shellcode within macros to decrypt and manually map DLLs and shellcode at runtime, using hidden files or hidden attributes, and conducting supply-chain attacks, including references to the Able Desktop and WIZVERA VeraPort compromises. The content also names campaigns associated with Lazarus Group including Operation AppleJeus and Dream Job, and malware including WannaCry, Hermes, and BLINDINGCAN.

Mentions: 3 · Origin: KP
#22 Armored Likho

Armored Likho is a previously undocumented threat actor linked in the reporting to phishing-led attacks targeting government agencies and the electric power sector, with observed victims in Russia, Brazil, and Kazakhstan. Kaspersky assessed with medium confidence that Armored Likho may overlap with BI.ZONE's Eagle Werewolf cluster based on circumstantial evidence, tooling, persistence, tasking logic, and command-and-control similarities; Eagle Werewolf has also been tracked targeting government and defense organizations involved in UAV development and manufacturing. The content states Armored Likho appears to combine cyber-espionage operations against organizations with financially motivated activity against private individuals. Observed tradecraft includes spear-phishing emails themed as official government notices, social programs, humanitarian aid requests, psychological tests, and debt-clearance certificates. Delivery chains used RAR/ZIP archives containing either NSIS-built EXE droppers or malicious LNK files. The LNK-based chain abused ZDI-CAN-25373 / CVE-2025-9491 to conceal command-line content and trigger obfuscated PowerShell that downloaded a loader and displayed decoy documents. Other chains used EXE droppers that launched decoy applications, executed legitimate binaries, and injected malicious code to start loaders. Payload staging involved downloading archives from GitHub repositories, unpacking them under %AppData%\WindowsHelper, installing Python components and dependencies, and creating VBScript files plus scheduled tasks for persistence. A key malware family in these operations is BusySnake Stealer, a previously unreported Python-based Windows infostealer obfuscated with PyArmor. BusySnake runs as a background .pyw process, communicates with command-and-control infrastructure, and establishes persistence via VBScript and scheduled tasks, including newer variants using the Schedule.Service COM object. 
Reported capabilities include clipboard theft, file inventorying and metadata collection, document exfiltration, screenshot capture, keylogging, theft of Chromium and Firefox passwords, browser cookie theft, OTP secret discovery, cryptocurrency wallet JSON theft, Telegram Desktop session and credential theft, reverse SSH tunneling via Go2Tunnel functionality, RustDesk deployment or activation for remote control, and in newer versions in-memory execution of arbitrary Python scripts fetched from C2 with task-state tracking. The content also notes architectural overlaps between BusySnake and AquilaRAT, and similarities with Go2Tunnel, supporting the Armored Likho/Eagle Werewolf linkage. Known alias: Eagle Werewolf (based on circumstantial evidence in the provided content). Related tooling and malware mentioned in the content include BusySnake Stealer, AquilaRAT, Go2Tunnel, and RustDesk.

Mentions: 3
#23 IPIDEA

IPIDEA is identified in the content as a China-based company operating a large residential proxy network. Google and partners disrupted IPIDEA in January 2026, and the content states that at its peak it was one of the largest networks of its kind. The reporting describes IPIDEA as converting consumer devices into proxy nodes by installing malicious code, including via applications and games, free VPN applications, SDK-based integrations, fake Windows and Android applications, and software preinstalled on low-cost Android TV streaming devices. Named SDK packages associated with the activity include Castar, Earn, Hex, and Packet SDK. When installed, the malware turns devices into exit nodes that relay network traffic, conceal the true origin of activity behind residential IP addresses, and can also direct infected devices to participate in DDoS attacks. The content also states that researchers identified more than 3,000 Windows files and 600 Android applications tied to the scheme, including fake software impersonating OneDrive Sync and Windows Update. IPIDEA marketed itself as a legitimate proxy service provider and used SDK tools to attract developers, but investigations and reports cited in the content indicate the network was used for questionable and malicious purposes.

Mentions: 3
#24 BADBOX 2.0

BADBOX, including the later BADBOX 2.0 cluster, is an Android/IoT botnet and malware ecosystem affecting primarily Android TV devices, smart TVs, streaming boxes, set-top boxes, and other uncertified off-brand IoT devices. The content states the original BADBOX was identified in 2023 and primarily involved Android devices compromised with backdoor malware prior to purchase, indicating supply-chain preinstallation. BADBOX 2.0 was discovered after disruption of the original campaign in 2024. The activity is described as compromising devices either before purchase or via backdoored or trojanized applications during setup. Multiple sources in the content state that BADBOX 2.0 has compromised millions of devices globally, with Google saying more than 10 million uncertified devices were affected. The ecosystem has been linked to proxy monetization: infected devices are used as residential proxy exit nodes, and Google reporting cited in the content says botnets such as BADBOX 2.0 package proxy plugins. The content also states that IPIDEA SDKs played a key role in adding devices to the BADBOX 2.0 botnet, and that components of BADBOX 2.0 overlap with Popa/NetNut. The botnet is associated with hijacked Android TV devices and has been used to support fraud and other criminal activity through residential IP proxying. The content also notes HTML5-based cashout infrastructure as a pattern previously observed in BADBOX 2.0, alongside SlopAds and Low5. One source in the content describes BADBOX 2.0 as a rival Chinese-nexus family. The broader Android TV botnet ecosystem discussed in the content places BADBOX among large criminal botnets competing for vulnerable Android TV devices. Known aliases in the provided content are badbox and badbox_20.

Mentions: 3