Threat Actor Directory
Unified threat actor browser — platform database, MITRE ATT&CK intrusion sets, and MISP Galaxy clusters.
APT catalogue with TTPs, tooling, MITRE mapping
Threat Actors
A catalog of known APT groups, ransomware operators, and threat actors.
APT-ShadowByte
ShadowByte · FinancialHunter
APT-ShadowByte is a financially motivated threat group targeting the financial sector. Their Operation ShadowByte campaign observed in early 2024 leveraged spear-phishing attachments and standard web protocols for command-and-control. The group operates under the aliases ShadowByte and FinancialHunter.
Sandworm Team
Voodoo Bear · ELECTRUM · Telebots
Sandworm is a Russian GRU Unit 74455 threat actor responsible for some of the most destructive cyberattacks on record. The group deployed BlackEnergy against Ukrainian power grids in 2015–2016, NotPetya in 2017 — the most costly cyberattack in history — and Industroyer/CRASHOVERRIDE against Ukrainian transmission systems. They remain highly active targeting Ukrainian and Western infrastructure.
APT28
Fancy Bear · Strontium · Pawn Storm
APT28 is a Russian GRU Unit 26165 threat actor with a long history of cyber espionage and influence operations. They were attributed to the 2016 DNC breach, the WADA hack, and attacks on the German Bundestag. The group uses a custom implant family (X-Agent, CHOPSTICK) and frequently exploits zero-day vulnerabilities in Microsoft and enterprise software.
APT29
Cozy Bear · Nobelium · The Dukes
APT29 is linked to the Russian SVR foreign intelligence service. The group achieved global notoriety through the SolarWinds supply-chain compromise in 2020, in which the SUNBURST backdoor was distributed to ~18,000 organizations. They maintain long-term access inside victim environments and prioritize counterintelligence and diplomatic targets. In 2024 they were attributed to breaches of Microsoft corporate email.
Lazarus Group
HIDDEN COBRA · Guardians of Peace · ZINC
Lazarus Group is attributed to North Korea's Reconnaissance General Bureau. They are responsible for the 2014 Sony Pictures attack, the 2016 Bangladesh Bank SWIFT heist (~$81M stolen), and the 2017 WannaCry ransomware outbreak. The group has stolen billions in cryptocurrency to fund the North Korean state, targeting DeFi platforms, exchanges, and blockchain companies.
Kimsuky
Velvet Chollima · Black Banshee · Thallium
Kimsuky is a North Korean cyber espionage group tasked with collecting political and strategic intelligence, primarily from South Korean institutions. The group is prolific in spear-phishing campaigns against Korean-language targets and frequently impersonates journalists and policy researchers. They deploy custom malware families like BabyShark and AppleSeed to maintain persistence.
APT41
Double Dragon · Winnti · Barium
APT41 is a Chinese state-sponsored threat actor unique in conducting both espionage operations on behalf of the Chinese state and financially motivated intrusions for personal gain. The group has targeted video game companies for in-game currency theft alongside sensitive IP theft from healthcare and telecom sectors. They are prolific exploiters of internet-facing vulnerabilities and widely use ShadowPad.
Volt Typhoon
Bronze Silhouette · Vanguard Panda · Dev-0391
Volt Typhoon is a Chinese state-sponsored actor identified in 2023 targeting US critical infrastructure. The group is notable for using living-off-the-land techniques — relying on built-in OS tools and legitimate credentials rather than custom malware — making detection difficult. US and allied governments assess the group is pre-positioning for potential disruptive attacks in the event of conflict.
Hafnium
Dev-0274
Hafnium is a Chinese state-sponsored group attributed to the mass exploitation of Microsoft Exchange Server ProxyLogon vulnerabilities in early 2021. The campaign affected hundreds of thousands of Exchange servers globally. Hafnium deployed web shells for persistent access and exfiltrated email from defense, legal, and research organizations.
Equation Group
EQGRP
Equation Group is widely attributed to the NSA's Tailored Access Operations (TAO) unit. The group developed some of the most sophisticated tooling ever documented, including firmware-level implants (GrayFish) that survive disk reformatting. Tools leaked by the Shadow Brokers in 2016–2017 — including EternalBlue — were subsequently weaponized in WannaCry and NotPetya outbreaks.
Turla
Snake · Uroburos · Venomous Bear
Turla is a long-running Russian FSB cyber espionage group with a history stretching back to Agent.btz in 2008. The group is known for technical innovation including using satellite internet links for C2 and hijacking other threat actors' infrastructure. The Snake/Uroburos platform is one of the most complex and persistent malware frameworks documented to date.
FIN7
Carbanak · Navigator Group · ITG14
FIN7 is a financially motivated criminal group responsible for over $1 billion in losses across the restaurant, hospitality, and retail sectors. They are known for sophisticated spear-phishing campaigns impersonating legitimate vendors and deploying the Carbanak backdoor to compromise POS systems. Despite numerous arrests, the group continues to operate and has diversified into ransomware affiliate activity.
LockBit
LockBit 3.0 · LockBit Black
LockBit is the longest-running and most prolific ransomware-as-a-service operation, accounting for a significant share of global ransomware incidents from 2022 through 2024. The LockBit 3.0 builder was leaked in 2022, enabling many copycats. Despite the Operation Cronos law enforcement action in early 2024, which seized infrastructure and arrested affiliates, the group attempted to resume operations.
BlackCat / ALPHV
ALPHV · Noberus
BlackCat/ALPHV was notable for being the first major ransomware written in Rust, enabling cross-platform deployment on Windows, Linux, and ESXi. The group performed double extortion (encrypt + exfiltrate). After a law enforcement operation in late 2023, the group exit-scammed its affiliates following the Change Healthcare attack in early 2024, keeping the ransom payment for itself while blaming law enforcement.
Clop
CL0P · TA505 · Lace Tempest
Clop is a ransomware group known for large-scale exploitation of zero-day vulnerabilities in file transfer tools. In 2021 they exploited Accellion FTA; in 2023 they mass-exploited MOVEit Transfer (CVE-2023-34362), compromising hundreds of organizations globally including US federal agencies. The group typically exfiltrates data and extorts without always encrypting, prioritizing data-leak pressure.
Rhysida
Rhysida emerged in mid-2023 and quickly established itself as a notable ransomware threat to healthcare and education. The group attacked Prospect Medical Holdings and the British Library, among others. A vulnerability in the Rhysida ransomware's RNG allowed researchers to develop a decryptor in early 2024, though the group continued operations with updated builds.
BianLian
BianLian began as a traditional encrypt-and-extort ransomware group but shifted to exfiltration-only extortion following the public release of a decryptor by Avast in early 2023. The group uses a Go-based implant and gains initial access primarily through compromised Remote Desktop Protocol credentials and exploitation of internet-facing vulnerabilities.
Qilin
Agenda
Qilin (also tracked as Agenda) is a ransomware-as-a-service operation with affiliates operating across multiple sectors. The group gained significant attention in 2024 after attacking Synnovis, a UK pathology services provider, causing disruption to NHS blood transfusion services across London hospitals. The ransomware is written in Go and Rust with VMware ESXi targeting capability.
Conti
Wizard Spider · GRIM SPIDER
Conti was one of the most prolific ransomware operations until its dissolution in mid-2022. The group attacked the Costa Rica government in 2022, demanding $20M and causing a national emergency declaration. Internal chat logs were leaked following the group's public support for Russia after the Ukraine invasion, exposing their operations and personnel. Members dispersed into multiple successor groups.
REvil / Sodinokibi
Sodinokibi · GOLD SOUTHFIELD
REvil was a prominent ransomware-as-a-service operation responsible for the Kaseya VSA supply-chain attack in July 2021, which affected up to 1,500 organizations. The group received an $11M ransom from JBS Foods. REvil went dark following the Kaseya attack amid law enforcement pressure; Russian authorities arrested members in January 2022. The group attempted a brief resurgence in 2022 before disbanding.
Storm-1747
Rockstar 2FA
Storm-1747 operates a phishing-as-a-service platform distributing the Tycoon 2FA and Rockstar 2FA adversary-in-the-middle kits, which bypass multifactor authentication by relaying credentials and session cookies in real time. The service is offered to criminal affiliates on Telegram. Campaigns primarily target Microsoft 365 and other cloud identity providers.
Scattered Spider
UNC3944 · Octo Tempest · 0ktapus
Scattered Spider is a financially motivated, English-speaking collective known for elite social engineering — help-desk impersonation, SIM swapping, and real-time MFA-fatigue/AiTM — to seize identity-provider and cloud access, then deploy ransomware (historically ALPHV/BlackCat, later RansomHub). High-profile 2023–2025 intrusions include MGM Resorts and Caesars. Members overlap with the broader "Comm" cybercrime community.
RansomHub
Greenbottle · Cyclops (predecessor)
RansomHub emerged in early 2024 and rapidly became one of the most prolific RaaS operations, absorbing affiliates after the ALPHV/BlackCat exit-scam and the LockBit takedown. It uses a high affiliate payout split, double extortion, and the bring-your-own-vulnerable-driver tool EDRKillShifter to disable endpoint protection. Subject of CISA advisory AA24-242A.
Akira
Akira ransomware · Storm-1567 · Punk Spider
Akira is a high-volume double-extortion ransomware operation active since March 2023, with code and crypto-payment overlaps to Conti. It commonly gains entry via VPN appliances lacking MFA (notably Cisco ASA/FTD CVE-2023-20269) and known Fortinet/SonicWall flaws, then exfiltrates data and deploys Windows and Linux/ESXi encryptors. Subject of CISA advisory AA24-109A.
Black Basta
Storm-1811 · UNC4393
Black Basta is a Conti-spinoff RaaS active since April 2022, responsible for 500+ victims across North America, Europe and Australia. 2024–2025 campaigns paired email-bombing with Microsoft Teams vishing and Quick Assist remote-access social engineering to deploy payloads. Subject of CISA advisory AA24-131A; internal chat leaks in 2025 exposed its operations.
Play
PlayCrypt · Balloonfly
Play (PlayCrypt) is a closed-group double-extortion ransomware operation active since mid-2022 with 300+ confirmed victims. It exploits FortiOS and Microsoft Exchange ProxyNotShell-class flaws for access, uses intermittent encryption for speed, and uniquely instructs victims to negotiate over email rather than a Tor portal. Subject of CISA advisory AA23-352A (updated 2025).
Medusa
Spearwing · Medusa ransomware
Medusa is a RaaS (distinct from MedusaLocker) active since 2023, surpassing 300 victims by 2025 with triple extortion and a public "Medusa Blog" leak site. Initial access comes via exploited public-facing apps (notably Fortinet and ScreenConnect) and broker-bought credentials; it deploys the ABYSSWORKER driver to blind EDR. Subject of CISA advisory AA25-071A.
Salt Typhoon
GhostEmperor · FamousSparrow · Earth Estries
Salt Typhoon is a Chinese state espionage group whose intrusions, disclosed in late 2024, deeply compromised multiple major US telecommunications providers — accessing call-detail records, the lawful-intercept (CALEA) infrastructure, and communications of government and political targets. It is one of the most significant telecom-espionage campaigns on record; remediation was still ongoing into 2025.
MuddyWater
Mango Sandstorm · Static Kitten · Mercury
MuddyWater is an Iranian Ministry of Intelligence (MOIS) espionage group active since 2017, known for spearphishing that lures victims into installing legitimate remote-management tools (Atera, SimpleHelp, ScreenConnect) for hands-on access, backed by the MuddyC2Go framework. It heavily targets Middle Eastern government, telecom and defense organizations, with elevated activity against Israeli organizations.
APT33
Peach Sandstorm · Holmium · Elfin
APT33 is an Iranian IRGC-linked group active since ~2013 against aerospace, defense and energy targets in the US and Gulf. 2023–2024 campaigns (tracked as Peach Sandstorm) used large-scale password spraying followed by the custom Tickler and FalseFont backdoors for long-term intelligence collection; the group is historically linked to destructive Shamoon-class wiper activity.
APT35
Charming Kitten · Mint Sandstorm · Phosphorus
APT35 (Charming Kitten) is an Iranian IRGC-aligned espionage group specializing in elaborate, patient social-engineering — fake personas, journalist/scholar impersonation, and credential-harvesting — against policy experts, journalists and dissidents. It uses the HYPERSCRAPE tool to silently exfiltrate victim mailboxes and the modular BellaCiao/POWERSTAR implants. Activity continued through 2024–2025 including targeting of political campaigns.
INC Ransom
GOLD IONIC · Lynx (rebrand/successor)
INC Ransom is a double-extortion operation active since mid-2023, notable for high-impact healthcare attacks (including NHS Scotland). Its source code was reportedly sold in 2024 and the operation substantially overlaps with the successor "Lynx" brand. Initial access comes via exploited public-facing services and valid accounts, followed by living-off-the-land lateral movement.