Intel
Threat-actor profiles, written by an operator.
Each one is written from primary sources, vetted against MITRE ATT&CK, scored on the Admiralty rating scale, and carries an explicit confidence label on every claim. The library stays small on purpose.
Nation-State
Active campaign: APT28
High capability
Primary target set
Logistics, defense industrial base, government, telecommunications, technology services
Operation Masquerade router/DNS-hijack takedown (Apr 2026) followed sustained 2025 logistics-targeting campaign (CISA AA25-141A). Active 2026 Microsoft zero-day chain (CVE-2026-21513) ongoing.
Nation-State
Active campaign: APT44
High capability
Primary target set
Energy, telecommunications, government, defense industrial base, transportation, water, critical manufacturing
Late-Dec 2025 Poland power infrastructure attack used DynoWiper plus LLM-generated LazyWiper against RTUs and HMIs at wind/solar farms and a power plant — tactical pivot to edge-device misconfiguration as primary initial access vector continues through 2026.
Nation-State
Active campaign: Handala Hack
High capability
Primary target set
Healthcare, defense, telecommunications, government, energy, financial services, manufacturing
March 2026: claimed wiper attack on Stryker (200K devices wiped via Intune, 50TB exfil) and leak of 300+ emails from FBI Director Patel's personal account. DOJ seized 4 MOIS-linked domains; State Department posted $10M reward.
Nation-State
Active campaign: Lazarus Group
High capability
Primary target set
Cryptocurrency exchanges, DeFi protocols, blockchain developers, defense industrial base, healthcare
Sustained 2026 crypto theft pace — ~$500M lifted from KelpDAO and Drift in April. New 'Mach-O Man' macOS social-engineering campaign targets fintech and crypto executives via ClickFix paste-to-terminal lures.
Cybercrime
Active campaign: ShinyHunters
High capability
Primary target set
Telecommunications, SaaS/cloud platforms, higher education, hospitality and gaming, fintech, food service and retail
Second wave against Instructure Canvas in May 2026; March 2026 Telus extortion ($65M demand, claimed 1PB stolen); ongoing Salesforce Experience Cloud campaign via modified AuraInspector tooling.
Cybercrime
Active campaign: TeamPCP
High capability
Primary target set
Open-source security tooling, CI/CD pipelines, cloud-native infrastructure, AI/ML platforms
Active multi-ecosystem supply chain cascade. Cisco source-code theft via Trivy-linked breach disclosed 11-Apr-2026; CanisterSprawl npm worm identified; 26-day pause ended late April with Bitwarden CLI and xinference PyPI compromises. Vect RaaS partnership active.
Nation-State
Active campaign: Volt Typhoon
High capability
Primary target set
Telecommunications, energy, water and wastewater, transportation systems, government facilities
April 2026 CISA AA26-113A advisory confirms maturation of covert ORB networks beyond KV Botnet. 2025 observations show pivot from IT-only access to direct OT/ICS device interaction and operational data theft. ASIO confirmed Australian targeting Nov 2025.
Nation-State
Active campaign: APT29
High capability
Primary target set
Government, diplomatic entities, think tanks, technology providers, defense industrial base, higher education
Active as of Q1 2026. Aug 2025 watering hole campaign disrupted by Amazon targeting Microsoft 365 via device code authentication abuse. Jan 2025 GRAPELOADER/WINELOADER spearphishing targeting European diplomats confirmed by Check Point.
Nation-State
Active campaign: MuddyWater
Moderate capability
Primary target set
Government, telecommunications, defense, energy, critical infrastructure
Active in US networks since Feb 2026 pre-positioning before Operation Epic Fury; deployed Dindoor backdoor against US bank, airport, defense supply chain firm; Operation Olalampo launched Jan 2026 targeting MENA.
Nation-State
Active campaign: Salt Typhoon
High capability
Primary target set
Telecommunications, government, ISPs, universities, defense industrial base
FBI confirms the threat is 'still very much ongoing' into 2026; 200+ orgs across 80 countries compromised; US congressional committees breached Dec 2025.
What is and is not on this page
I am working on additional profiles. They will land here when the source confidence and the analytical clarity match the bar set by the three already published. If you are tracking a specific actor and want to know whether a profile is in the queue, the contact form is the way to ask.
How the library is built
Every profile carries source attribution per the Admiralty rating system used by intelligence professionals. Each major claim carries a confidence label, enforced by the Zod schema in this site's content layer. A MITRE ATT&CK group URL accompanies each profile. The Diamond Model, capability scoring, victimology, and TTP mapping follow standard CTI practice. The writing is mine. I do not republish vendor blog posts.
Brandon writes the profiles personally. See /work for the operator background →