Unveiling the Threat Actors

In this blog, we will discuss some of the famous threat actors and learn about their famous hacks, their techniques, and other details on how they performed those big hacks.
First, we have to know how the names of threat actors are decided.
Cybersecurity companies use different names for the same threat actors.
Example: CrowdStrike uses animal names for the nations where the threat actors originate (if the threat actor is from Russia, the name includes Bear; if they are from China, the name includes Panda). Microsoft names threat actors on a weather theme, whereas Mandiant uses numbers to name threat actors.
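These naming conventions matter in practice when reports from several vendors have to be correlated. The Python below is an added example, not code from the original post: it normalizes reported names, resolves them against a small alias table taken from the "Names" lines of this article, refuses to guess when an alias is listed under two actors, and falls back to the vendor convention for names it does not know. The function names and sample reports are constructed for illustration; the Kitten, Chollima, Spider, Blizzard and Typhoon meanings come from the vendors' published schemes rather than from this article.

```python
import re
from collections import defaultdict

# Subset of the "Names" lines in this article. "The Dukes" appears under both
# the APT29 and the APT28 entry there, so it is entered under both here.
ALIASES = {
    "APT29": ["APT 29", "Cozy Bear", "The Dukes", "Yttrium", "Iron Hemlock"],
    "APT28": ["APT 28", "Fancy Bear", "The Dukes", "Sofacy", "Strontium"],
    "Lazarus Group": ["Labyrinth Chollima", "Zinc", "Hidden Cobra"],
}

# Last word of a name -> (vendor, what the word encodes). Bear/Panda are
# stated in the article; the others are assumptions from vendor schemes.
SUFFIXES = {
    "bear": ("CrowdStrike", "Russia"), "panda": ("CrowdStrike", "China"),
    "kitten": ("CrowdStrike", "Iran"), "chollima": ("CrowdStrike", "North Korea"),
    "spider": ("CrowdStrike", "financially motivated"),
    "blizzard": ("Microsoft", "Russia"), "typhoon": ("Microsoft", "China"),
}
NUMBERED = re.compile(r"^(apt|fin|unc)\d+$")  # Mandiant-style numbered names


def normalize(name):
    """Fold case and drop spaces/punctuation so 'APT 29' == 'apt-29' == 'APT29'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_index(aliases):
    """Return (unique alias -> actor, colliding alias -> sorted actors)."""
    owners = defaultdict(set)
    for actor, names in aliases.items():
        for n in [actor, *names]:
            owners[normalize(n)].add(actor)
    index = {k: next(iter(v)) for k, v in owners.items() if len(v) == 1}
    ambiguous = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    return index, ambiguous


def resolve(name, index, ambiguous):
    """Classify one reported name as known / ambiguous / inferred / unknown."""
    key = normalize(name)
    if key in index:
        return ("known", index[key])
    if key in ambiguous:  # never pick one silently: an analyst must decide
        return ("ambiguous", ambiguous[key])
    words = name.lower().split()
    if words and words[-1] in SUFFIXES:
        return ("inferred", SUFFIXES[words[-1]])
    if NUMBERED.match(key):
        return ("inferred", ("Mandiant", "no origin encoded"))
    return ("unknown", None)


def correlate(reports, aliases=ALIASES):
    """Group report ids by resolved actor; everything else goes to triage."""
    index, ambiguous = build_index(aliases)
    by_actor, triage = defaultdict(list), []
    for rid, name in reports:
        status, value = resolve(name, index, ambiguous)
        if status == "known":
            by_actor[value].append(rid)
        else:
            triage.append((rid, name, status, value))
    return dict(by_actor), triage


# Constructed sample reports: (id, actor name as the vendor wrote it).
REPORTS = [("r1", "COZY BEAR"), ("r2", "apt-29"), ("r3", "Yttrium"),
           ("r4", "The Dukes"), ("r5", "Wicked Panda"), ("r6", "APT 41"),
           ("r7", "Hidden Cobra"), ("r8", "Group 100")]

if __name__ == "__main__":
    grouped, triage = correlate(REPORTS)
    print(grouped, triage, sep="\n")
```

Names that only resolve by convention carry a vendor and an origin hint, not an actor identity, so they stay in triage until an analyst maps them.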
The list of aliases is long; this article will help you understand why there are so many:
Let’s dive into the lists of dominant threat actors in several categories:

Dominant State-Sponsored Threat Actors List
- APT 28 (Fancy Bear)
- APT 29 (Cozy Bear)
- Emissary Panda
- APT 33
- Charming Kitten
- Lazarus Group
- Midnight Blizzard (NOBELIUM)
Dominant Info stealer Threat Actors List
- LummaC2
- Raccoon Stealer
- Redline Stealer
- Rhadamanthys
- Vidar
- StrelaStealer
- Gozi
- AZORult
Dominant Ransomware Threat Actors List
- LockBit
- The Cl0p gang (also known as TA505)
- Alphv/BlackCat
- Black Basta
- Vice Society
- Royal
- Everest
- Scattered Spider (also known as UNC3944)
The list of threat actors is very long, as new threat actors appear every year.
Let’s look at some of the famous threat actors and learn about their origins, techniques, famous hacks, and so on.
1. APT29 (Cozy Bear, The Dukes)
- Names: APT 29 (Given by Mandiant), Cozy Bear (Given by CrowdStrike), The Dukes (Given by F-Secure), Group 100 (Given by Talos), Yttrium (Given by Microsoft), Iron Hemlock (Given by SecureWorks), Minidionis (Given by Palo Alto), CloudLook (Given by Kaspersky), ATK 7 (Given by Thales), Grizzly Steppe (Given by US Government).
- Origin: Russia
- Description: APT29 is a threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks.
- Focus: Cyber espionage (spying) targeting government, energy, and healthcare sectors.
- Techniques: Spear-phishing, custom malware, and leveraging legitimate tools for persistence.
- Tools Used: ATI-Agent, AtNow, CloudDuke, Cobalt Strike, CosmicDuke, CozyDuke, FatDuke, GeminiDuke, HammerDuke, LiteDuke, meek, Mimikatz, MiniDuke, OnionDuke, PinchDuke, PolyglotDuke, POSHSPY, PowerDuke, RegDuke, SeaDuke, tDiscoverer and Living off the Land.
- Notable Campaign: APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.
2. APT28 (Fancy Bear, Sofacy)
- Names: APT 28 (Given by Mandiant), Fancy Bear (Given by CrowdStrike), The Dukes (Given by F-Secure), Sofacy (Given by Talos), Strontium (Given by Microsoft), Iron Twilight (Given by SecureWorks), Sofacy Group (Given by Palo Alto), Sofacy (Given by Kaspersky), APT 28 (Given by Thales), APT 28 (Given by US Government).
- Origin: Russia
- Description: APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.
- Focus: Cyber espionage (spying) against military, government, and media entities.
- Techniques: Spear-phishing, exploitation of zero-day vulnerabilities, and deployment of malware like X-Agent.
- Notable Campaigns: APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
3. APT41 (Winnti Group, Barium)
- Names: APT 41 (Given by FireEye), Wicked Panda (Given by CrowdStrike), Blackfly (Given by F-Secure), BRASS TYPHOON (Given by Microsoft), WICKED SPIDER (Given by SecureWorks), Winnti (Given by Kaspersky), BARIUM (Given by US Government)
- Origin: China
- Description: APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.
- Focus: Espionage and financially motivated operations across various industries.
- Techniques: Supply chain attacks, use of stolen code-signing certificates, and deployment of backdoors.
- Tools Used: BIFROST, Bluether, DRIGO, IconDown, KIVARS, PLEAD and XBOW.
- Notable Campaigns: In 2012, individual members of APT41 conducted primarily financially motivated operations focused on the video game industry before expanding into likely state-sponsored activity. This is remarkable because explicit financially motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests these two motivations were balanced concurrently from 2014 onward.
4. APT10 (Stone Panda, MenuPass Group)
- Names: APT 10 (Given by Mandiant), Stone Panda (Given by CrowdStrike), menuPass Team (Given by Symantec), Red Apollo (Given by PwC), CVNX (Given by BAE Systems), Hogfish (Given by iDefense), Happyyongzi (Given by FireEye), Potassium (Given by Microsoft), menuPass (Given by Palo Alto), ATK 41 (Given by Thales), TA429 (Given by Proofpoint).
- Origin: China
- Description: menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.
- Focus: Cyber espionage targeting managed service providers (MSPs) and their clients.
- Techniques: Spear-phishing, use of the Quasar RAT, and credential theft.
- Tools Used: Anel, BloodHound, certutil, ChChes, China Chopper, Cobalt Strike, Derusbi, DILLJUICE, DILLWEED, Emdivi, EvilGrab RAT, Gh0st RAT, Htran, Impacket, Invoke the Hash, Mimikatz, nbtscan, PlugX, Poison Ivy, Poldat, PowerSploit, PowerView, PsExec, PsList, pwdump, Quarks PwDump, QuasarRAT, RedLeaves, Rubeus, SharpSploit, SNUGRIDE, Trochilus RAT and Living off the Land.
- Notable Campaigns: menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.
5. APT33 (Elfin)
- Names: APT 33 (Given by Mandiant), Refined Kitten (Given by CrowdStrike), Elfin (Given by CrowdStrike), Holmium (Given by Microsoft), ATK 35 (Given by Thales), Magnallium (Given by Dragos), TA451 (Given by Proofpoint)
- Origin: Iran
- Description: APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.
- Focus: Espionage (spying) targeting aerospace and energy sectors.
- Techniques: Spear-phishing, use of custom malware like Shamoon, and password spraying.
- Tools Used: AutoIt backdoor, DarkComet, DistTrack, EmpireProject, Filerase, JuicyPotato, LaZagne, Mimikatz, NanoCore RAT, NetWire RC, PoshC2, PowerBand, PowerSploit, POWERTON, PsList, PupyRAT, QuasarRAT, RemcosRAT, Ruler, SHAPESHIFT, StoneDrill, TURNEDUP and Living off the Land.
- Notable Campaigns: Attacks on Multiple Organizations in Saudi Arabia and U.S. The Elfin espionage group (aka APT33) has remained highly active over the past three years, attacking at least 50 organizations in Saudi Arabia, the United States, and a range of other countries.
6. APT38
- Names: APT 38 (Given by Mandiant), Stardust Chollima (Given by CrowdStrike), Bluenoroff (Given by Kaspersky), ATK 117 (Given by Thales)
- Origin: North Korea
- Description: APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide.
- Focus: Financial theft through cyber operations.
- Techniques: SWIFT system exploitation, spear-phishing, and deployment of custom malware.
- Notable Campaigns: The group has been linked to a February 2016 attack against the Bangladesh central bank that resulted in more than $850 million in fraudulent SWIFT network transactions, $80 million of which still has not been recovered.
7. Lazarus Group (Hidden Cobra)
- Names: Lazarus Group (Given by Kaspersky), Labyrinth Chollima (Given by CrowdStrike), Group 77 (Given by Talos), Hastati Group (Given by SecureWorks), Whois Hacking Team (Given by McAfee), NewRomanic Cyber Army Team (Given by McAfee), Zinc (Given by Microsoft), Hidden Cobra (Given by Trend Micro), Nickel Academy (Given by SecureWorks), APT-C-26 (Given by Qihoo 360), ATK 3 (Given by Thales), T-APT-15 (Given by Tencent), SectorA01 (Given by ThreatRecon)
- Origin: North Korea
- Description: Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. The group has been active since at least 2009.
- Focus: Cyber espionage, financial theft, and disruptive attacks.
- Techniques: Spear-phishing, use of custom malware, and watering hole attacks.
- Tools Used: 3Rat Client, Andaratm, AppleJeus, ARTFULPIE, Aryan, ATMDtrack, AuditCred, BADCALL, Bankshot, BanSwift, BISTROMATH, Bitsran, BlindToad, BootWreck, Brambul, BUFFETLINE, Castov, CheeseTray, CleanToad, ClientTraficForwarder, Concealment Troy, Contopee, COPPERHEDGE, Dacls RAT, DarkComet, DeltaCharlie, Destover, Dozer, DoublePulsar, Dtrack, Duuzer, DyePack, ELECTRICFISH, EternalBlue, FALLCHILL, FASTCash, Fimlis, Gh0st RAT, HARDRAIN, Hawup, Hermes, HOPLIGHT, HOTCROISSANT, HotelAlfa, Hotwax, HtDnDownLoader, Http Dr0pper, HTTP Troy, Joanap, Jokra, KEYMARBLE, KillDisk, Koredos, Lazarus, Mimikatz, Mydoom, NachoCheese, NestEgg, NukeSped, OpBlockBuster, PEBBLEDASH, PhanDoor, PowerBrace, PowerRatankba, PowerShell RAT, PowerSpritz, PowerTask, Proxysvc, ProcDump, PSLogger, Quickcafe, Ratankba, RatankbaPOS, RawDisk, Recon, RedShawl, Rifdoor, Rising Sun, Romeos, RomeoAlfa, RomeoBravo, RomeoCharlie, RomeoDelta, RomeoEcho, RomeoFoxtrot, RomeoGolf, RomeoHotel, RomeoMike, RomeoNovember, RomeoWhiskey, SHARPKNOT, SheepRAT, SierraAlfa, SierraCharlie, SLICKSHOES, TAINTEDSCRIBE, Tdrop, Tdrop2, Troy, TYPEFRAME, Volgmer, WannaCry, WbBot, WolfRAT, Wormhole and Yort
- Notable Campaigns: They first came to substantial media notice in 2013 with a series of coordinated attacks against an assortment of South Korean broadcasters and financial institutions using DarkSeoul, a wiper program that overwrites sections of the victims’ master boot record.
In November 2014, a large-scale breach of Sony Pictures was attributed to Lazarus. The attack was notable due to its substantial penetration across Sony networks, the extensive amount of data exfiltrated and leaked, as well as the use of a wiper in a possible attempt to erase forensic evidence. Attribution on the attacks was largely hazy, but the FBI released a statement tying the Sony breach to the earlier DarkSeoul attack and officially attributed both incidents to North Korea.
Fast forward to May 2017 with the widespread outbreak of WannaCry, a piece of ransomware that used an SMB exploit as an attack vector. Attribution to North Korea rested largely on code reuse between WannaCry and previous North Korean attacks, but this was considered to be thin grounds given the common practice of tool sharing between regional threat groups.
8. FIN7
- Names: FIN7 (Given by FireEye), ATK 32 (Given by Thales), APT-C-11 (Given by Qihoo 360)
- Origin: Russia
- Description: FIN7 is a financially motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts.
- Focus: Financially motivated attacks targeting the hospitality and retail sectors.
- Techniques: Spear-phishing, use of point-of-sale malware, and deployment of backdoors.
- Tools Used: 7Logger, Astra, Bateleur, BIOLOAD, Boostwrite, Carbanak, Cobalt Strike, DNSMessenger, Griffon, HALFBAKED, Meterpreter, Mimikatz, POWERSOURCE, RDFSNIFFER and SQLRAT.
- Notable Campaigns: High-profile breaches including Red Robin, Chili’s, Arby’s, Burgerville, Omni Hotels and Saks Fifth Avenue, among many others. Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor department stores, all owned by The Hudson’s Bay Company, acknowledged a data breach impacting more than five million credit and debit card numbers.
9. Carbanak Group
- Names: Carbanak (Given by Kaspersky), Anunak (Given by Group-IB), Carbon Spider (Given by CrowdStrike)
- Origin: Ukraine
- Description: Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.
- Focus: Financially motivated attacks targeting the hospitality and retail sectors.
- Techniques: Spear-phishing, use of point-of-sale malware, and deployment of backdoors.
- Tools Used: Antak, Ave Maria, BABYMETAL, Backdoor Batel, Bateleur, BELLHOP, Boostwrite, Cain & Abel, Carbanak, Cobalt Strike, DNSMessenger, DNSRat, DRIFTPIN, FlawedAmmyy, Griffon, HALFBAKED, Harpy, JS Flash, KLRD, Mimikatz, MBR Eraser, Odinaff, POWERPIPE, POWERSOURCE, PsExec, SocksBot, SoftPerfect Network Scanner, SQLRAT, TeamViewer and TinyMet.
- Notable Campaigns: Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain.
10. TA505
- Names: TA505 (Given by Proofpoint), Graceful Spider (Given by CrowdStrike), Gold Evergreen (Given by SecureWorks), TEMP.Warlock (Given by FireEye), ATK 103 (Given by Thales), SectorJ04 (Given by ThreatRecon), Hive0065 (Given by IBM), Chimborazo (Given by Microsoft)
- Origin: Russia
- Description: TA505 is responsible for the largest malicious spam campaigns, distributing instances of the Dridex banking Trojan, Locky ransomware, Jaff ransomware, and The Trick banking Trojan. TA505 is arguably one of the most significant financially motivated threat actors because of the extraordinary volumes of messages they send. The variety of malware delivered by the group also demonstrates their deep connections to the underground malware scene.
- Focus: Financially motivated attacks using large-scale phishing campaigns.
- Techniques: Distribution of banking trojans, ransomware, and remote access tools.
- Tools Used: Amadey, AndroMut, Bart, Clop, CryptoLocker, CryptoMix, Dridex, Dudear, EmailStealer, FlawedAmmyy, FlawedGrace, FlowerPippi, GameOver Zeus, Gelup, Get2, GlobeImposter, Jaff, Kegotip, Locky, MINEBRIDGE, Neutrino, Philadelphia, Pony, RockLoader, RMS, SDBbot, ServHelper, Shifu, Snatch, TinyMet, Zeus and Living off the Land.
- Notable Campaigns: TA505 introduced their first geo-targeted campaign dropping either Locky or The Trick banking Trojan. In this campaign, HTML files were attached to emails inquiring about the status of an invoice.
11. Cobalt Group
- Names: Cobalt Group (Given by Group-IB), Cobalt Gang (Given by Palo Alto), Cobalt Spider (Given by CrowdStrike), Gold Kingswood (Given by SecureWorks), ATK 67 (Given by Thales)
- Origin: Russia
- Description: Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia.
- Focus: Targeting financial institutions for theft.
- Techniques: Spear-phishing, use of the Cobalt Strike framework, and ATM jackpotting.
- Tools Used: ATMSpitter, ATMRipper, AtNow, Cobalt Strike, CobInt, Cyst Downloader, FlawedAmmyy, Formbook, Little Pig, Mimikatz, Metasploit Stager, More_eggs, NSIS, Pony, Sdelete, SoftPerfect Network Scanner, SPID, Taurus Loader, ThreatKit and VenomKit.
- Notable Campaigns: The first attack conducted by the Cobalt group was tracked at a large Russian bank, where hackers attempted to steal money from ATMs. The attackers infiltrated the bank’s network, gained control over it, compromised the domain administrator’s account, and reached the ATM control server.
12. Turla (Snake, Uroburos)
- Names: Turla (Given by Kaspersky), Waterbug (Given by Symantec), Venomous Bear (Given by CrowdStrike), Group 88 (Given by Talos), SIG2, SIG15, SIG23 (Given by NSA), Iron Hunter (Given by SecureWorks), Pacifier APT (Given by Bitdefender), ATK 13 (Given by Thales), ITG12 (Given by IBM), MakersMark (Given by ESET), WhiteBear (Given by SecureList), Snake (Given by BAE System), Secret Blizzard (Given by Trend Micro), Krypton (Given by Microsoft)
- Origin: Russia
- Description: Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. Turla’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.
- Focus: Cyber espionage against government and military organizations.
- Techniques: Watering hole attacks, use of rootkits, and satellite-based communication for command and control.
- Tools Used: AdobeARM, Agent.BTZ, Agent.DNE, ASPXSpy, ATI-Agent, certutil, CloudDuke, Cobra Carbon System, COMpfun, ComRAT, DoublePulsar, EmpireProject, Epic, EternalBlue, EternalRomance, Gazer, gpresult, HTML5 Encoding, IcedCoffee, Kazuar, KopiLuwak, KSL0T, LightNeuron, Maintools.js, Metasploit, Meterpreter, MiamiBeach, Mimikatz, Mosquito, Nautilus, nbtscan, nbtstat, Neptun, NetFlash, Neuron, Outlook Backdoor, Penquin Turla, PowerShellRunner-based RPC backdoor, PowerStallion, PsExec, pwdump, PyFlash, RocketMan, Satellite Turla, SScan, Skipper, SMBTouch, Topinambour, Tunnus, Uroburos, Windows Credentials Editor, WhiteAtlas, WITCHCOVEN, WRAITH and Living off the Land.
- Notable Campaigns: Multi-stage attacks using the Epic malware, in which spear-phishing emails exploit vulnerabilities in Adobe PDF and Java to deliver malware.
13. Dragonfly (Energetic Bear)
- Names: Energetic Bear (Given by CrowdStrike), Dragonfly (Given by Symantec), Crouching Yeti (Given by Kaspersky), Group 24 (Given by Talos), Koala Team (Given by iSight), Iron Liberty, TG-4192 (Given by SecureWorks), Electrum (Given by Dragos), ATK 6 (Given by Thales)
- Origin: Russia
- Description: Dragonfly is a cyber espionage group that has been attributed to Russia’s Federal Security Service (FSB) Center 16. Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.
- Focus: Targeting energy sector organizations.
- Techniques: Spear-phishing, watering hole attacks, and use of Havex malware.
- Tools Used: Commix, CrackMapExec, Dirsearch, Dorshel, Havex RAT, Hello EK, Heriplor, Impacket, Industroyer, Inveigh, Karagany, LightsOut EK, Listrix, nmap, Oldrea, PHPMailer, PsExec, SMBTrap, sqlmap, Subbrute, Sublist3r, Sysmain, Wpscan and WSO.
- Notable Campaigns: The group compromised a number of energy-related websites and injected an iframe into each of them. This iframe then redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. This in turn exploited either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer.
14. Wizard Spider
- Names: Wizard Spider, Grim Spider (Given by CrowdStrike), TEMP.MixMaster (Given by FireEye), Gold Blackburn (Given by SecureWorks)
- Origin: Russia
- Description: Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.
- Focus: Financially motivated cybercrime, including ransomware attacks.
- Techniques: Utilizes malware such as TrickBot and Ryuk ransomware; employs phishing campaigns and exploits vulnerabilities for initial access.
- Tools Used: AdFind, Anchor, BazarBackdoor, BloodHound, Cobalt Strike, Dyre, Gophe, InvokeSMBAutoBrute, LaZagne, PowerSploit, PowerTrick, Ryuk, SessionGopher, TrickBot, TrickMo and Upatre.
- Notable Campaigns: Epiq Global, an international e-discovery and managed services company, has taken its systems offline globally after the ransomware attack performed by Wizard Spider.
15. LockBit Gang
- Names: Bitwise Spider (Given by CrowdStrike), LockBit Gang
- Origin: Not confirmed, but they are from Russia
- Description: LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network. Joining the ransomware-as-a-service (RaaS) business in September 2019, LockBit is atypical in that it’s driven by automated processes for quick spreading across the victim network, identifying valuable systems and locking them up. LockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution.
- Focus: Financially motivated ransomware actor targeting critical infrastructure, manufacturing, technology and retail sectors.
- Techniques: They use the StealBit malware to carry out ransomware attacks. They also operate a RaaS (ransomware-as-a-service) model, in which they partner with other groups that conduct ransomware attacks using their tools and infrastructure. They also practice double extortion: they first encrypt the victim’s systems and extract information, and then threaten to post it online if the ransom is not paid.
- Tools Used: 3AM, CrackMapExec, EmpireProject, LockBit, Mimikatz, PsExec.
- Notable Campaigns: In April 2021, UK rail network Merseyrail was likely hit by LockBit ransomware. In August 2021, Accenture confirmed a hack after LockBit ransomware data leak threats. In October 2021, LockBit 2.0 ransomware hit Israeli defense firm E.M.I.T. Aviation Consulting. In March 2022, rail giant Wabtec disclosed a data breach after a LockBit ransomware attack.
To dig deeper into a particular threat actor’s profile, with information such as targeted nations, targeted industries, and the tools they use, refer to these resources:
Connect with me on:
Twitter: https://twitter.com/i_amsphinx
LinkedIn: https://www.linkedin.com/in/pathakabhi24/
GitHub: https://github.com/pathakabhi24