Threat Actor Most Wanted
Curated list of the most significant threat actors and cybercriminal groups currently active — prioritized by risk and global impact.
OSINT CABAL
12 actors listed
LockBit
Risk: CRITICAL
Prolific Ransomware-as-a-Service operation responsible for thousands of attacks worldwide. Known for advanced encryption, data exfiltration, and a dedicated leak site.
Aliases: LockBit 2.0, LockBit 3.0, LockBit Black
Origin: Russia
Tools: LockBit encryptor, StealBit, LockBit Negotiator
APT29 (Cozy Bear)
Risk: CRITICAL
Russian state-sponsored threat group attributed to the SVR. Known for supply chain attacks, diplomatic targets, and long-term espionage campaigns.
Aliases: Cozy Bear, The Dukes, NOBELIUM
Origin: Russia
Tools: SolarWinds backdoor, Beacon, PowerShell implants
BlackCat (ALPHV)
Risk: CRITICAL
Rust-based RaaS group known for sophisticated attacks, data extortion, and targeting critical infrastructure across multiple sectors.
Aliases: ALPHV, Noberus
Origin: Russia
Tools: BlackCat encryptor, Tor leak site, Exfiltration tools
Lazarus Group
Risk: CRITICAL
North Korean state-sponsored threat group responsible for destructive attacks, cryptocurrency thefts, and the Sony Pictures breach.
Aliases: Hidden Cobra, ZINC, APT38
Origin: North Korea
Tools: Destructive wipers, RATs, Cryptocurrency traders
Black Basta
Risk: HIGH
Ransomware group first observed in 2022. Uses double-extortion tactics and has targeted enterprises across North America and Europe.
Origin: Russia
Tools: Black Basta encryptor, QakBot, Cobalt Strike
Scattered Spider
Risk: HIGH
Criminal group focused heavily on social engineering, targeting SaaS platforms and cloud environments. Known for SIM-swapping and MFA bypass.
Aliases: UNC3944, Muddled Libra
Origin: US/UK
Tools: Social engineering toolkit, RATs, Cloud exploitation
APT41 (Winnti)
Risk: HIGH
Chinese state-sponsored group with dual motivations of espionage and financial gain. Targets gaming, tech, and healthcare sectors.
Aliases: Winnti, BARIUM, ShadowPad
Origin: China
Tools: Winnti backdoor, ShadowPad, PlugX
Clop
Risk: HIGH
Ransomware group notorious for exploiting zero-day vulnerabilities in file transfer software (Accellion, GoAnywhere, MOVEit).
Aliases: TA505, FIN11
Origin: Russia
Tools: Clop encryptor, MOVEit exploit, GoAnywhere exploit
APT33 (Elfin)
Risk: MEDIUM
Iranian state-sponsored threat group targeting aerospace, energy, and petrochemical sectors with destructive wiper attacks.
Aliases: Elfin, Refined Kitten, Magnallium
Origin: Iran
Tools: Shamoon wiper, DDoS tools, RATs
Kimsuky
Risk: MEDIUM
North Korean threat group focused on intelligence gathering against South Korean government, think tanks, and academia.
Aliases: Black Banshee, Thallium, Velvet Chollima
Origin: North Korea
Tools: BabyShark, Kimsuky RAT, AppleSeed
Killnet
Risk: MEDIUM
Pro-Russian hacktivist group known for large-scale DDoS attacks against governments and critical infrastructure in NATO countries.
Aliases: Killnet, From Russia with Love
Origin: Russia
Tools: DDoS tools, Web defacement, Leak sites
SiegedSec
Risk: MEDIUM
Hacktivist group known for targeting pro-LGBTQ+ causes and government entities with data breaches and leaks.
Aliases: SiegedSec
Origin: International
Tools: Telegram leak channels, Social engineering