Hacker Groups#
Reference catalog of named threat actors, nation-state APTs,
hacktivist collectives, financially-motivated crews, and
ransomware-as-a-service brands. Naming conventions vary by vendor
(Mandiant APT##, CrowdStrike animal-themes, Microsoft
weather-themes, Kaspersky Crouching X); the same group often
has half a dozen aliases.
Sourced from public attribution by Mandiant, CrowdStrike, Microsoft, Cisco Talos, Kaspersky, ESET, Recorded Future, and MITRE ATT&CK Groups (G####). For the authoritative catalog, follow the references at the end.
Naming themes#
Each major vendor maps groups to a different motif. Knowing the motif tells you which vendor’s reports you’re reading:
Vendor |
Convention |
|---|---|
Mandiant |
|
CrowdStrike |
Country animal: Bear (Russia), Panda (China), Kitten (Iran), Chollima (DPRK), Tiger (India), Buffalo (Vietnam), Jackal (hacktivist), Spider (criminal). |
Microsoft |
Weather: Storm-#### (emerging), then Blizzard (Russia), Typhoon (China), Sleet (DPRK), Sandstorm (Iran), Tempest (criminal), Tsunami (private offensive). |
Kaspersky |
Descriptive ( |
Cisco Talos |
Greek / animal hybrid ( |
ESET |
Sednit, InvisiMole, etc. |
Symantec |
Animal phyla ( |
Recorded Future |
|
MITRE ATT&CK |
|
Russia (Bear / Blizzard)#
State-affiliated and intelligence-aligned. The major actors and their commonly-attributed sponsoring service:
Group |
Aliases / sponsor |
|---|---|
APT28 |
Fancy Bear, STRONTIUM / Forest Blizzard, Sednit, Sofacy, Pawn Storm. GRU 26165. |
APT29 |
Cozy Bear, NOBELIUM / Midnight Blizzard, The Dukes, YTTRIUM. SVR. (SolarWinds, Office365 abuses.) |
Sandworm |
Voodoo Bear / Seashell Blizzard, Iron Viking. GRU 74455. (NotPetya, Ukraine grid attacks.) |
Turla |
Snake, Venomous Bear, Waterbug, Krypton. Long-running cyber-espionage. |
Gamaredon |
Primitive Bear, Armageddon, ACTINIUM. FSB-attributed Ukraine focus. |
Berserk Bear |
Energetic Bear, Crouching Yeti, Dragonfly. Energy-sector intrusions. |
Conti / TrickBot ecosystem |
Wizard Spider; criminal but Russia-protected; |
EvilCorp |
INDRIK SPIDER / Manatee Tempest. Dridex, BitPaymer, WastedLocker. OFAC-sanctioned 2019. |
Killnet, NoName057 |
Pro-Russia hacktivist / DDoS collectives. |
China (Panda / Typhoon)#
Group |
Aliases / sponsor |
|---|---|
APT1 |
Comment Crew, PLA Unit 61398. The original 2013 Mandiant report. |
APT3 |
Gothic Panda, BUCKEYE. MSS-linked; Boyusec. |
APT10 |
Stone Panda, MenuPass, CVNX, ChessMaster, BRONZE RIVERSIDE. MSS Tianjin. |
APT41 |
Wicked Panda, BARIUM, Winnti, Double Dragon. Dual espionage + criminal. |
APT40 |
Leviathan, BRONZE MOHAWK, KRYPTONITE PANDA. MSS Hainan. Maritime / academic targeting. |
APT31 |
Zirconium / Judgment Panda, Violet Typhoon. MSS. |
APT27 |
Emissary Panda, LuckyMouse, Bronze Union. |
APT15 |
Vixen Panda, Ke3chang. |
Volt Typhoon |
BRONZE SILHOUETTE. Critical infrastructure pre-positioning. |
Salt Typhoon |
Telecom-focused intrusions (2024-2025). |
Storm-0558 |
Microsoft cloud key theft (2023). |
Naikon |
PLA Unit 78020. SE Asia regional. |
Mustang Panda |
BRONZE PRESIDENT, RedDelta. Government / NGO. |
Tick |
Bronze Butler. Japan industrial. |
Goblin Panda |
Conimes. SE Asia. |
Iran (Kitten / Sandstorm)#
Group |
Aliases / sponsor |
|---|---|
APT33 |
Elfin / Refined Kitten / Peach Sandstorm. IRGC; aerospace, energy. |
APT34 |
OilRig / Helix Kitten / Hazel Sandstorm. Middle East government, energy. |
APT35 |
Charming Kitten / Mint Sandstorm / Phosphorus, Magic Hound. IRGC. |
APT39 |
Remix Kitten / Itg07 / Chafer. IRGC; telecom, travel. |
APT42 |
Mint Sandstorm subset; phishing of NGOs and dissidents. |
MuddyWater |
Mango Sandstorm, Static Kitten, Mercury, T-APT-14. MOIS-linked. |
Pioneer Kitten |
Fox Kitten, Parisite, UNC757. Initial-access broker into Iran-linked ransomware. |
APT34 / Lyceum |
Hexane. |
North Korea (Chollima / Sleet)#
Group |
Aliases / sponsor |
|---|---|
Lazarus Group |
HIDDEN COBRA, ZINC / Diamond Sleet, Labyrinth Chollima. RGB. (Sony 2014, WannaCry 2017, Bangladesh Bank, ongoing crypto heists.) |
APT37 |
ScarCruft, Reaper, InkySquid, Ricochet Chollima. RGB; political dissidents, ROK government. |
APT38 |
BlueNoroff, Stardust Chollima. Lazarus subgroup; SWIFT / financial heists. |
Kimsuky |
Velvet Chollima, Black Banshee, Thallium / Emerald Sleet. Espionage of think tanks, academics. |
Andariel |
Silent Chollima, Onyx Sleet / PLUTONIUM. RGB; ROK military / defense. |
APT43 |
Kimsuky subset, Sapphire Sleet. Cryptocurrency theft + espionage. |
Other state-aligned#
Group |
Notes |
|---|---|
Equation Group |
Attributed to NSA TAO; Stuxnet co-authoring; the Shadow Brokers’ source corpus. |
Lamberts (Longhorn) |
Attributed to CIA; long-running European / Middle East ops. |
APT-C-23 |
|
APT-C-36 (Blind Eagle) |
Colombia-focused; financial. |
SideWinder |
Rattlesnake; Indian-aligned, Pakistan / China focus. |
Donot Team (APT-C-35) |
Indian-aligned, South Asia focus. |
Patchwork |
Dropping Elephant, Sectoz; India-aligned. |
Bahamut |
Mercenary; multi-region targeting. |
DeathStalker |
Mercenary; PowerSing toolset. |
Ransomware brands#
Brand |
Notes |
|---|---|
Conti |
Disbanded May 2022 after internal leak; affiliates scattered into Black Basta, Royal, BlackByte, Karakurt. |
LockBit |
Most prolific 2022-2024. Disrupted Feb 2024 by |
ALPHV / BlackCat |
Rust-based RaaS; exit-scammed Feb 2024 after the Change Healthcare ransom. |
Royal / Blacksuit |
Conti spin-off. |
Cl0p |
File-transfer-zero-day specialists (MOVEit, GoAnywhere, Accellion). |
Black Basta |
Conti spin-off. |
Akira |
2023 emergence; VMware ESXi targeting. |
Play |
Aggressive vs. local government in 2023. |
Hive |
Disrupted Jan 2023 by FBI key extraction. |
REvil / Sodinokibi |
Disrupted 2021 (Russian arrests + US action). |
DarkSide |
Colonial Pipeline (May 2021); rebranded BlackMatter then quiet. |
Maze |
Original double-extortion model; disbanded 2020. |
Ryuk |
Wizard Spider; precursor to Conti. |
Vice Society / RhySida |
Education-sector focus. |
Medusa, 8Base, NoEscape |
Ongoing 2024-2025 brands. |
Hacktivist / criminal#
Group |
Notes |
|---|---|
Anonymous |
Decentralized banner; many factions, varying skill. |
LulzSec |
2011 crew; many members later prosecuted. |
Lapsus$ |
Teenage extortion crew (2022); Microsoft, Nvidia, Okta, Samsung, Rockstar leaks. |
SCATTERED SPIDER |
Octo Tempest / 0ktapus. Social engineering of help desks; MGM, Caesars, Twilio, Cloudflare. Linked to Lapsus$ tactics. |
Karakurt |
Conti-aligned extortion-only; no encryption. |
Black Reward |
Iran-targeting hacktivists. |
Predatory Sparrow |
Anti-Iran (Israel-linked, suspected); claimed steel plant + gas pump attacks. |
Killnet |
Pro-Russia DDoS collective. |
NoName057(16) |
Pro-Russia DDoS. |
IT Army of Ukraine |
Pro-Ukraine DDoS / scraping; Telegram-coordinated. |
GhostSec, AnonGhost |
Loose hacktivist banners. |
Initial-access brokers#
Brokers sell network access to ransomware affiliates and state-adjacent buyers. Names rotate fast; tracked publicly via GroupSense, KELA, Flashpoint, Recorded Future:
Marketo, early IAB market.
Dispossessor, LockBit successor IAB (2024).
EvilCorp / Manatee Tempest, both ransomware operator and IAB.
Pioneer Kitten / Fox Kitten, Iran-aligned IAB selling to ransomware.
TA577 / Hive0118, Latrodectus / IcedID -> Black Basta.
TA578, BazarLoader / Bumblebee -> Conti / successors.
TA571, IcedID / Pikabot operator.
References#
MITRE ATT&CK Groups, the cross-walk between vendor names; the standard catalog.
MISP threat-actors galaxy, machine-readable catalog.
ETDA APT Groups, searchable cross-reference.
Ransomware.live, live ransomware victim tracker.
Hacking, techniques these groups use.
Sigma, detection-rule format that often references group IDs.