Threat actors

Browse the library

Filter by region, category, or recent update. Each profile opens in full: Diamond Model, capability scoring, victimology, TTPs, IOCs, sources.

Name	Type	Attribution	Capability	Status	Last Updated
APT28	Nation-State	Russian GRU 85th Main Special Service Center (Unit 26165)	high	🔴	12 May 26
APT44	Nation-State	Russian GRU Unit 74455 (Main Centre for Special Technologies / GTsST)	high	🔴	12 May 26
Handala Hack	Nation-State	Iran Ministry of Intelligence and Security (MOIS)	high	🔴	12 May 26
Lazarus Group	Nation-State	DPRK Reconnaissance General Bureau, 3rd Bureau	high	🔴	12 May 26
ShinyHunters	Cybercrime	Loose criminal collective; overlaps with Scattered Spider and LAPSUS$ under the Scattered Lapsus$ Hunters (SLSH) banner	high	🔴	12 May 26
TeamPCP	Cybercrime	Self-described loose-knit collective; no confirmed state nexus; spokesperson handle T00001B	high	🔴	12 May 26
Volt Typhoon	Nation-State	PRC state-sponsored; assessed PLA / MSS nexus (specific unit not publicly attributed)	high	🔴	12 May 26
APT29	Nation-State	Russian Foreign Intelligence Service (SVR)	high	🔴	12 Apr 26
MuddyWater	Nation-State	Iranian Ministry of Intelligence and Security (MOIS)	moderate	🔴	12 Apr 26
Salt Typhoon	Nation-State	PRC Ministry of State Security	high	🔴	12 Apr 26

12 May 26 APT28

Operation Masquerade router/DNS-hijack takedown (Apr 2026) followed sustained 2025 logistics-targeting campaign (CISA AA25-141A). Active 2026 Microsoft zero-day chain (CVE-2026-21513) ongoing.
12 May 26 APT44

Late-Dec 2025 Poland power infrastructure attack used DynoWiper plus LLM-generated LazyWiper against RTUs and HMIs at wind/solar farms and a power plant — tactical pivot to edge-device misconfiguration as primary initial access vector continues through 2026.
12 May 26 Handala Hack

March 2026: claimed wiper attack on Stryker (200K devices wiped via Intune, 50TB exfil) and leak of 300+ emails from FBI Director Patel's personal account. DOJ seized 4 MOIS-linked domains; State Department posted $10M reward.
12 May 26 Lazarus Group

Sustained 2026 crypto theft pace — ~$500M lifted from KelpDAO and Drift in April. New 'Mach-O Man' macOS social-engineering campaign targets fintech and crypto executives via ClickFix paste-to-terminal lures.
12 May 26 ShinyHunters

Second wave against Instructure Canvas in May 2026; March 2026 Telus extortion ($65M demand, claimed 1PB stolen); ongoing Salesforce Experience Cloud campaign via modified AuraInspector tooling.
12 May 26 TeamPCP

Active multi-ecosystem supply chain cascade. Cisco source-code theft via Trivy-linked breach disclosed 11-Apr-2026; CanisterSprawl npm worm identified; 26-day pause ended late April with Bitwarden CLI and xinference PyPI compromises. Vect RaaS partnership active.
12 May 26 Volt Typhoon

April 2026 CISA AA26-113A advisory confirms maturation of covert ORB networks beyond KV Botnet. 2025 observations show pivot from IT-only access to direct OT/ICS device interaction and operational data theft. ASIO confirmed Australian targeting Nov 2025.
12 Apr 26 APT29

Active as of Q1 2026. Aug 2025 watering hole campaign disrupted by Amazon targeting Microsoft 365 via device code authentication abuse. Jan 2025 GRAPELOADER/WINELOADER spearphishing targeting European diplomats confirmed by Check Point.
12 Apr 26 MuddyWater

Active in US networks since Feb 2026 pre-positioning before Operation Epic Fury; deployed Dindoor backdoor against US bank, airport, defense supply chain firm; Operation Olalampo launched Jan 2026 targeting MENA.
12 Apr 26 Salt Typhoon

FBI confirms threat 'still very much ongoing' into 2026; 200+ orgs across 80 countries compromised; US congressional committees breached Dec 2025

Browse the library

Nation-State: PRC

Nation-State: Russia

Nation-State: Iran

Nation-State: DPRK

Cybercriminal / Ransomware