Hacker Groups#

Reference catalog of named threat actors, nation-state APTs, hacktivist collectives, financially-motivated crews, and ransomware-as-a-service brands. Naming conventions vary by vendor (Mandiant APT##, CrowdStrike animal-themes, Microsoft weather-themes, Kaspersky Crouching X); the same group often has half a dozen aliases.

Sourced from public attribution by Mandiant, CrowdStrike, Microsoft, Cisco Talos, Kaspersky, ESET, Recorded Future, and MITRE ATT&CK Groups (G####). For the authoritative catalog, follow the references at the end.

Naming themes#

Each major vendor maps groups to a different motif. Knowing the motif tells you which vendor’s reports you’re reading:

Vendor

Convention

Mandiant

APT1APT45 for advanced persistent threats; UNC#### for unattributed clusters; FIN## for financially motivated.

CrowdStrike

Country animal: Bear (Russia), Panda (China), Kitten (Iran), Chollima (DPRK), Tiger (India), Buffalo (Vietnam), Jackal (hacktivist), Spider (criminal).

Microsoft

Weather: Storm-#### (emerging), then Blizzard (Russia), Typhoon (China), Sleet (DPRK), Sandstorm (Iran), Tempest (criminal), Tsunami (private offensive).

Kaspersky

Descriptive (Equation, Crouching Yeti).

Cisco Talos

Greek / animal hybrid (Cobalt Mirage, etc.).

ESET

Sednit, InvisiMole, etc.

Symantec

Animal phyla (Buckeye, Cadet).

Recorded Future

RedXXX (Chinese), TAGXXX for tracked groups.

MITRE ATT&CK

G0001G####, the cross-walk catalog.

Russia (Bear / Blizzard)#

State-affiliated and intelligence-aligned. The major actors and their commonly-attributed sponsoring service:

Group

Aliases / sponsor

APT28

Fancy Bear, STRONTIUM / Forest Blizzard, Sednit, Sofacy, Pawn Storm. GRU 26165.

APT29

Cozy Bear, NOBELIUM / Midnight Blizzard, The Dukes, YTTRIUM. SVR. (SolarWinds, Office365 abuses.)

Sandworm

Voodoo Bear / Seashell Blizzard, Iron Viking. GRU 74455. (NotPetya, Ukraine grid attacks.)

Turla

Snake, Venomous Bear, Waterbug, Krypton. Long-running cyber-espionage.

Gamaredon

Primitive Bear, Armageddon, ACTINIUM. FSB-attributed Ukraine focus.

Berserk Bear

Energetic Bear, Crouching Yeti, Dragonfly. Energy-sector intrusions.

Conti / TrickBot ecosystem

Wizard Spider; criminal but Russia-protected; Black Basta, Royal, ALPHV/BlackCat, LockBit are downstream / parallel.

EvilCorp

INDRIK SPIDER / Manatee Tempest. Dridex, BitPaymer, WastedLocker. OFAC-sanctioned 2019.

Killnet, NoName057

Pro-Russia hacktivist / DDoS collectives.

China (Panda / Typhoon)#

Group

Aliases / sponsor

APT1

Comment Crew, PLA Unit 61398. The original 2013 Mandiant report.

APT3

Gothic Panda, BUCKEYE. MSS-linked; Boyusec.

APT10

Stone Panda, MenuPass, CVNX, ChessMaster, BRONZE RIVERSIDE. MSS Tianjin.

APT41

Wicked Panda, BARIUM, Winnti, Double Dragon. Dual espionage + criminal.

APT40

Leviathan, BRONZE MOHAWK, KRYPTONITE PANDA. MSS Hainan. Maritime / academic targeting.

APT31

Zirconium / Judgment Panda, Violet Typhoon. MSS.

APT27

Emissary Panda, LuckyMouse, Bronze Union.

APT15

Vixen Panda, Ke3chang.

Volt Typhoon

BRONZE SILHOUETTE. Critical infrastructure pre-positioning.

Salt Typhoon

Telecom-focused intrusions (2024-2025).

Storm-0558

Microsoft cloud key theft (2023).

Naikon

PLA Unit 78020. SE Asia regional.

Mustang Panda

BRONZE PRESIDENT, RedDelta. Government / NGO.

Tick

Bronze Butler. Japan industrial.

Goblin Panda

Conimes. SE Asia.

Iran (Kitten / Sandstorm)#

Group

Aliases / sponsor

APT33

Elfin / Refined Kitten / Peach Sandstorm. IRGC; aerospace, energy.

APT34

OilRig / Helix Kitten / Hazel Sandstorm. Middle East government, energy.

APT35

Charming Kitten / Mint Sandstorm / Phosphorus, Magic Hound. IRGC.

APT39

Remix Kitten / Itg07 / Chafer. IRGC; telecom, travel.

APT42

Mint Sandstorm subset; phishing of NGOs and dissidents.

MuddyWater

Mango Sandstorm, Static Kitten, Mercury, T-APT-14. MOIS-linked.

Pioneer Kitten

Fox Kitten, Parisite, UNC757. Initial-access broker into Iran-linked ransomware.

APT34 / Lyceum

Hexane.

North Korea (Chollima / Sleet)#

Group

Aliases / sponsor

Lazarus Group

HIDDEN COBRA, ZINC / Diamond Sleet, Labyrinth Chollima. RGB. (Sony 2014, WannaCry 2017, Bangladesh Bank, ongoing crypto heists.)

APT37

ScarCruft, Reaper, InkySquid, Ricochet Chollima. RGB; political dissidents, ROK government.

APT38

BlueNoroff, Stardust Chollima. Lazarus subgroup; SWIFT / financial heists.

Kimsuky

Velvet Chollima, Black Banshee, Thallium / Emerald Sleet. Espionage of think tanks, academics.

Andariel

Silent Chollima, Onyx Sleet / PLUTONIUM. RGB; ROK military / defense.

APT43

Kimsuky subset, Sapphire Sleet. Cryptocurrency theft + espionage.

Other state-aligned#

Group

Notes

Equation Group

Attributed to NSA TAO; Stuxnet co-authoring; the Shadow Brokers’ source corpus.

Lamberts (Longhorn)

Attributed to CIA; long-running European / Middle East ops.

APT-C-23

Molerats / Desert Falcons. Aligned with Hamas-adjacent interests.

APT-C-36 (Blind Eagle)

Colombia-focused; financial.

SideWinder

Rattlesnake; Indian-aligned, Pakistan / China focus.

Donot Team (APT-C-35)

Indian-aligned, South Asia focus.

Patchwork

Dropping Elephant, Sectoz; India-aligned.

Bahamut

Mercenary; multi-region targeting.

DeathStalker

Mercenary; PowerSing toolset.

Ransomware brands#

Brand

Notes

Conti

Disbanded May 2022 after internal leak; affiliates scattered into Black Basta, Royal, BlackByte, Karakurt.

LockBit

Most prolific 2022-2024. Disrupted Feb 2024 by Operation Cronos (NCA + FBI + Europol).

ALPHV / BlackCat

Rust-based RaaS; exit-scammed Feb 2024 after the Change Healthcare ransom.

Royal / Blacksuit

Conti spin-off.

Cl0p

File-transfer-zero-day specialists (MOVEit, GoAnywhere, Accellion).

Black Basta

Conti spin-off.

Akira

2023 emergence; VMware ESXi targeting.

Play

Aggressive vs. local government in 2023.

Hive

Disrupted Jan 2023 by FBI key extraction.

REvil / Sodinokibi

Disrupted 2021 (Russian arrests + US action).

DarkSide

Colonial Pipeline (May 2021); rebranded BlackMatter then quiet.

Maze

Original double-extortion model; disbanded 2020.

Ryuk

Wizard Spider; precursor to Conti.

Vice Society / RhySida

Education-sector focus.

Medusa, 8Base, NoEscape

Ongoing 2024-2025 brands.

Hacktivist / criminal#

Group

Notes

Anonymous

Decentralized banner; many factions, varying skill.

LulzSec

2011 crew; many members later prosecuted.

Lapsus$

Teenage extortion crew (2022); Microsoft, Nvidia, Okta, Samsung, Rockstar leaks.

SCATTERED SPIDER

Octo Tempest / 0ktapus. Social engineering of help desks; MGM, Caesars, Twilio, Cloudflare. Linked to Lapsus$ tactics.

Karakurt

Conti-aligned extortion-only; no encryption.

Black Reward

Iran-targeting hacktivists.

Predatory Sparrow

Anti-Iran (Israel-linked, suspected); claimed steel plant + gas pump attacks.

Killnet

Pro-Russia DDoS collective.

NoName057(16)

Pro-Russia DDoS.

IT Army of Ukraine

Pro-Ukraine DDoS / scraping; Telegram-coordinated.

GhostSec, AnonGhost

Loose hacktivist banners.

Initial-access brokers#

Brokers sell network access to ransomware affiliates and state-adjacent buyers. Names rotate fast; tracked publicly via GroupSense, KELA, Flashpoint, Recorded Future:

  • Marketo, early IAB market.

  • Dispossessor, LockBit successor IAB (2024).

  • EvilCorp / Manatee Tempest, both ransomware operator and IAB.

  • Pioneer Kitten / Fox Kitten, Iran-aligned IAB selling to ransomware.

  • TA577 / Hive0118, Latrodectus / IcedID -> Black Basta.

  • TA578, BazarLoader / Bumblebee -> Conti / successors.

  • TA571, IcedID / Pikabot operator.

References#