Threat Actors¶

This section provides a structured reference for the adversaries driving demand across every cybersecurity market segment. Understanding who is attacking, how they operate, and what they target is essential context for evaluating defensive products, identifying underserved market gaps, and anticipating where the next wave of security spending will flow.

The threat actor landscape has become more complex, more interconnected, and more commercially driven than at any point in the history of cybersecurity. The traditional boundaries between nation-state espionage, organized cybercrime, and ideological hacktivism have eroded to the point where attribution itself has become one of the hardest problems in the field. A single intrusion may involve a nation-state sponsor, a criminal initial access broker, a ransomware-as-a-service platform, and a hacktivist front -- all operating within the same kill chain.

This catalog attempts to impose structure on that complexity. Each group is listed with all known aliases across major vendor taxonomies, its assessed origin and objectives, current activity status, and a summary of key tactics, techniques, and procedures (TTPs). Where deep-dive analysis pages exist, they are linked directly.

How to Use This Page¶

This index serves multiple audiences:

• Product teams and builders should use the Category Comparison and Market Implications sections to understand which threat actors create demand for which product categories. If you are building an OT/ICS security product, the China and Russia sections -- particularly Volt Typhoon, Sandworm, and CyberAv3ngers -- define your threat model.
• Investors and analysts should focus on the Convergence Trends and Market Implications sections to understand how threat actor evolution drives market growth. The ransomware ecosystem's resilience despite law enforcement takedowns, for example, signals sustained demand for EDR, MDR, and data security products.
• Security practitioners and CISOs should use the Master Threat Actor Table as a lookup reference when consuming threat intelligence from multiple vendor sources. The Vendor Naming Conventions section helps resolve the alias problem that plagues multi-vendor environments.
• Threat intelligence analysts should use the deep-dive links to access detailed per-actor analysis, including MITRE ATT&CK mappings, campaign timelines, and IOC references.

Threat Actor Taxonomy¶

The following diagram illustrates the major categories of threat actors and the operational relationships between them. These boundaries are increasingly blurred: nation-states outsource to cybercriminals, ransomware groups adopt state-level TTPs, and hacktivists serve as proxies for intelligence agencies.

Key observations from the taxonomy:

• Nation-state actors sit at the top of the sophistication pyramid but increasingly rely on criminal infrastructure (initial access brokers, commodity malware, bulletproof hosting) to maintain operational tempo and complicate attribution.
• Cybercrime has fully industrialized. The ransomware-as-a-service (RaaS) model means that the developer, the affiliate who deploys the ransomware, and the initial access broker who sold the foothold may all be different entities with no direct organizational relationship.
• Ideological actors (hacktivists) have been revitalized by the Russia-Ukraine conflict and the Israel-Hamas war, but many "hacktivist" groups are state-directed or state-tolerated proxies rather than independent movements.
• Insider threats remain the most difficult category to address with technology alone, requiring a combination of identity controls, data security, and organizational culture.
• AI-augmented threats are not yet a separate category of actor but are amplifying the capabilities of every existing category, lowering the barrier to entry for less sophisticated groups.

Convergence Trends¶

Several structural shifts are reshaping how these categories interact:

1. State-criminal convergence. North Korea's Lazarus Group operates ransomware to fund the regime. Russian intelligence services tolerate (and occasionally task) cybercriminal groups like Evil Corp. Iran-linked actors deploy wipers disguised as ransomware. The line between "state actor" and "criminal" is increasingly a policy fiction.

2. The initial access broker economy. IABs have created a liquid market for network access, decoupling the "break-in" phase from the "exploit" phase. A single compromised VPN credential sold on a dark web forum may be purchased by a ransomware affiliate, a nation-state proxy, or both. This commoditization of access means that even sophisticated actors may begin their operations with tools and accesses that look identical to commodity crime.

3. Hacktivist laundering. State intelligence services increasingly use hacktivist personas to conduct operations that would be diplomatically costly if attributed to government agencies. The GRU's use of XakNet and similar fronts, and Iran's use of CyberAv3ngers, exemplify this pattern. The operational security is often deliberately poor -- the goal is plausible deniability, not genuine anonymity.

4. Ransomware ecosystem fragmentation and reformation. Law enforcement takedowns (Hive in January 2023, LockBit in February 2024, ALPHV/BlackCat exit scam in March 2024) disrupt but do not destroy the ecosystem. Affiliates, developers, and operators reform under new brands within weeks. The technical barriers to launching a new RaaS have never been lower.

5. Supply chain as the preferred vector. Across all actor categories, the trend toward supply chain compromise -- whether targeting MSPs (APT10), software vendors (APT29/SolarWinds), or file transfer platforms (Cl0p/MOVEit) -- reflects a rational optimization: compromise one supplier, gain access to thousands of downstream targets.

Category Comparison¶

Actor Sophistication Spectrum¶

The sophistication spectrum is not static -- it shifts as tools and techniques proliferate downward from advanced actors to commodity criminals:

• Tier 1 (Very High): Custom zero-day development, supply chain implants, firmware-level persistence, satellite C2 hijacking, living-off-the-land at scale. Examples: Volt Typhoon, APT29, Sandworm, Turla.
• Tier 2 (High): Exploitation of known vulnerabilities within days of disclosure, custom malware families, advanced social engineering, multi-stage intrusion chains. Examples: APT41, Lazarus, APT28, Cl0p.
• Tier 3 (Moderate): Use of commodity tools (Cobalt Strike, Metasploit), purchased exploits, off-the-shelf RATs, established RaaS platforms. Examples: Most ransomware affiliates, FIN12, Scattered Spider.
• Tier 4 (Low): DDoS-for-hire, defacement tools, public exploit scripts, phishing kits purchased from underground markets. Examples: Most hacktivist groups, low-tier IABs, script-based actors.

A critical dynamic: techniques that were Tier 1 two years ago are often Tier 3 today. Living-off-the-land techniques pioneered by advanced Chinese actors are now used by ransomware affiliates. OAuth and cloud token abuse demonstrated by APT29 is now a standard part of the cybercrime playbook. AI-augmented phishing, once hypothetical, is now accessible to anyone with access to an LLM. This downward diffusion of techniques is a primary driver of the expanding attack surface that cybersecurity vendors must address.

Vendor Naming Conventions¶

Different threat intelligence vendors assign their own names to the same actor groups, creating significant confusion. A single group like APT28 may appear as "Fancy Bear" in CrowdStrike reporting, "Forest Blizzard" in Microsoft advisories, "Sofacy" in Kaspersky research, and "Iron Twilight" in Secureworks analysis. This reference table maps the major naming schemes.

Understanding the Naming Problem¶

The proliferation of naming conventions is not merely an inconvenience -- it actively hinders threat intelligence sharing and operational coordination. When a CISO receives alerts referencing "Midnight Blizzard" from Microsoft Defender, "Cozy Bear" from CrowdStrike Falcon, and "APT29" from Mandiant, correlating these as the same actor requires either deep expertise or a lookup table. This fragmentation has spawned an entire sub-industry of threat intelligence platforms focused on entity resolution and alias mapping.

The table below maps naming conventions across the ten most widely referenced threat intelligence vendors.

Naming Scheme by Vendor¶

Master Threat Actor Table¶

This catalog organizes all major known threat actor groups by origin and category. The Deep-Dive column links to detailed analysis pages where available. Groups are listed roughly in order of current assessed activity level and impact within each category.

China¶

China-linked actors represent the largest and most diverse nation-state cyber program, with an estimated dozens of distinct operational teams under multiple government and military organizations. Operations span from strategic pre-positioning in critical infrastructure (Volt Typhoon) to mass espionage campaigns targeting intellectual property, government secrets, and telecom infrastructure. Many groups are assessed to operate under the Ministry of State Security (MSS), the People's Liberation Army Strategic Support Force (PLA SSF), or contracted civilian entities that provide offensive capabilities on a quasi-commercial basis.

The 2024-2025 period saw two watershed developments in China-attributed operations:

• Volt Typhoon represented a strategic shift from espionage to pre-positioning -- maintaining persistent access in U.S. critical infrastructure (water, energy, transportation, communications) without conducting any data exfiltration, strongly suggesting preparation for potential destructive or disruptive operations during a future conflict. CISA Director Easterly described this as China "burrowing in" to critical infrastructure.
• Salt Typhoon compromised at least nine U.S. telecommunications providers, gaining access to lawful intercept systems (wiretap infrastructure) and the communications metadata of senior U.S. government officials. This was described by Senator Warner as "the worst telecom hack in our nation's history."

These operations, combined with the sheer breadth of Chinese cyber activity (25+ distinct tracked groups), make China the most significant nation-state cyber threat by volume and scope.

Russia¶

Russia-linked actors are divided across three primary intelligence services -- the GRU (military intelligence, responsible for APT28 and Sandworm), the SVR (foreign intelligence, responsible for APT29), and the FSB (domestic/signals intelligence, responsible for Turla, Gamaredon, and others). Additionally, Russia tolerates and occasionally directs cybercriminal groups that operate from Russian territory, creating a gray zone between state and criminal operations.

The Russia-Ukraine conflict has produced an unprecedented volume of destructive cyber operations (primarily by Sandworm/Seashell Blizzard and Cadet Blizzard/Ember Bear against Ukrainian targets) while simultaneously generating a new generation of hacktivist proxy groups that operate under the direction or tolerance of Russian intelligence. Notably, Russian cyber operations against Ukraine have been extensively documented by Microsoft, ESET, and CERT-UA, creating the most detailed public record of nation-state cyber warfare ever compiled.

North Korea¶

North Korean cyber operations serve a unique dual purpose: intelligence collection and revenue generation for a sanctions-isolated regime. The Reconnaissance General Bureau (RGB) oversees most cyber units, with Lazarus Group and its subgroups responsible for an estimated $1.5B+ in cryptocurrency theft in 2024 alone (including the $1.5B Bybit hack in February 2025, the largest single cryptocurrency theft in history). The IT worker fraud scheme -- placing North Korean operatives in remote IT jobs at Western companies using stolen or fabricated identities -- represents an innovative approach to both revenue generation and potential insider access. The FBI estimates thousands of North Korean IT workers are employed at companies worldwide.

North Korean actors are notable for their operational versatility: the same organizational umbrella conducts financial crime (cryptocurrency theft, SWIFT fraud), espionage (defense sector, nuclear programs), destructive attacks (Sony Pictures, 2014), and supply chain compromises -- often simultaneously.

Iran¶

Iran's cyber capabilities have matured significantly since the Stuxnet era, with operations split between the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Iranian actors are distinguished by their willingness to conduct destructive operations (wipers, ICS attacks) and their increasing integration of influence operations with cyber intrusions -- a pattern Mandiant calls "hack-and-leak." The Israel-Hamas conflict (October 2023 onward) has significantly intensified Iranian cyber operations, with both IRGC and MOIS-linked groups increasing their tempo of attacks against Israeli, American, and Gulf state targets.

Iranian groups are generally assessed as less technically sophisticated than their Chinese and Russian counterparts, but they compensate with operational aggressiveness and a willingness to accept risk of attribution. Several Iranian groups have demonstrated the ability to conduct destructive operations against operational technology (OT) targets -- CyberAv3ngers' targeting of Unitronics PLCs at water utilities in late 2023 being a prominent example.

Ransomware Groups¶

The ransomware ecosystem has consolidated around the RaaS model, where developers maintain the encryption platform and affiliates conduct the actual intrusions. Law enforcement disruptions in 2023-2024 (Hive, LockBit, ALPHV/BlackCat) have fragmented but not eliminated the ecosystem -- affiliates simply migrate to the next available platform. The trend toward data exfiltration without encryption ("extortion-only") reflects both improved backup resilience among defenders and the realization that data theft alone generates sufficient leverage.

Other Cybercrime¶

Beyond ransomware, the cybercrime ecosystem includes financially motivated groups that specialize in initial access brokerage, malware distribution, point-of-sale fraud, business email compromise, and other schemes. Many of these groups serve as the upstream supply chain for ransomware operators. The distinction between "ransomware groups" and "other cybercrime" is increasingly artificial -- groups like FIN7 have evolved from POS fraud to ransomware access provision, and Scattered Spider moved from SIM swapping to enterprise ransomware in under two years.

Hacktivism and Influence Operations¶

The hacktivist landscape has been transformed by geopolitical conflict. The Russia-Ukraine war and the Israel-Hamas war have created two distinct ecosystems of politically motivated cyber activity, many of which are either directly controlled by or loosely affiliated with state intelligence services.

Emerging: AI-Augmented Threat Actors¶

While not a distinct group, the use of AI by existing threat actors is reshaping the landscape and deserves specific attention. As of early 2026, AI augmentation has moved beyond the experimental stage into routine operational use by both nation-state and cybercriminal actors.

Implications for Defenders¶

The AI augmentation of threat actors has several concrete implications for cybersecurity product strategy:

• Email security must evolve beyond static indicators. AI-generated phishing eliminates the grammatical errors, awkward phrasing, and template patterns that traditional detections rely on. Behavioral analysis (sender reputation, communication graph anomalies, intent analysis) becomes the primary detection layer.
• Security awareness training faces an existential challenge. If AI can generate perfect phishing emails customized to each recipient, click-rate-based training metrics become meaningless. The field must shift toward reporting culture and organizational resilience rather than individual phishing simulation pass rates.
• Identity verification needs out-of-band confirmation for high-risk transactions. Deepfake voice and video mean that a phone call or video conference is no longer sufficient to verify identity for actions like wire transfers, credential resets, or access grants.
• Endpoint and network security vendors must assume that malware will increasingly evade static signatures. Behavioral detection, memory forensics, and anomaly-based approaches gain further importance.
• Threat intelligence platforms must track not just which actors use AI, but how AI changes their operational tempo and targeting patterns. Faster reconnaissance and exploit development means shorter windows between vulnerability disclosure and mass exploitation.

Market Implications by Actor Category¶

Understanding which threat actors drive which market segments is essential for product strategy and investment analysis. The following summarizes the primary market implications of each actor category.

Nation-state actors (China, Russia, North Korea, Iran):

• Drive demand for threat intelligence platforms -- organizations need attribution context, IOC feeds, and campaign tracking to understand whether they are targeted by state actors
• Create the business case for network detection and response (NDR) and OT/IoT security -- ICS/SCADA targeting by Sandworm, CyberAv3ngers, and Volt Typhoon makes industrial security a board-level concern
• Validate Zero Trust architecture investments -- living-off-the-land techniques used by Volt Typhoon and APT29 bypass perimeter-based defenses entirely
• Justify cloud security spending -- APT29's exploitation of OAuth tokens, Azure AD, and cloud services demonstrates that cloud environments are primary targets, not safe havens

Ransomware and cybercrime actors:

• Represent the single largest driver of endpoint security (EDR/XDR) spending -- ransomware is the threat that CISOs lose sleep over and boards fund against
• Fuel the MDR/MSSP market -- organizations that cannot staff 24/7 SOCs turn to managed services specifically because of ransomware risk
• Drive data security and backup investments -- the shift to double extortion (encrypt + exfiltrate) means that backups alone are no longer sufficient
• Create demand for email security -- phishing remains the dominant initial access vector for ransomware affiliates
• Expand the cyber insurance market, which in turn imposes security requirements that drive product adoption across multiple segments

Hacktivists and influence operators:

• Drive DDoS mitigation and web application firewall (WAF) demand -- DDoS remains the primary hacktivist tool
• Create awareness (if not always budget) for security awareness training and influence operation detection
• The state-proxy hacktivist trend validates investment in threat intelligence that can distinguish genuine grassroots hacktivism from state-directed operations

Insider threats:

• Drive the data loss prevention (DLP) and data security posture management (DSPM) markets
• Justify identity governance and administration (IGA) and privileged access management (PAM) investments
• Create demand for user and entity behavior analytics (UEBA) -- detecting anomalous access patterns is the primary technical control against malicious insiders

Deep-Dive Pages¶

The following individual threat actor deep-dives are available or planned. Each deep-dive includes detailed TTP analysis mapped to MITRE ATT&CK, campaign timelines, notable incidents, defensive recommendations, and market impact assessment.

Available¶

Planned¶

Deep-dive pages for the following actors are planned, prioritized by market impact:

• Scattered Spider / Octo Tempest -- Social engineering innovation, identity attack vectors
• Cl0p -- Mass exploitation model, file transfer platform targeting
• Kimsuky / APT43 -- Credential theft ecosystem, IT worker fraud scheme
• Turla / Secret Blizzard -- Advanced tradecraft, infrastructure hijacking
• APT35 / Charming Kitten -- Social engineering sophistication, mobile surveillance
• Black Basta -- Post-Conti ecosystem evolution
• RansomHub -- Post-disruption ecosystem reformation

Cross-References¶

Sources¶

This catalog draws from the following primary sources. Individual group entries reference specific reports in their deep-dive pages.

• MITRE ATT&CK -- Groups knowledge base and technique mappings
• CISA -- Advisories, alerts, and joint cybersecurity bulletins (especially Joint CSAs with FBI, NSA)
• Microsoft Threat Intelligence -- Threat actor profiles, naming taxonomy, blog publications
• Mandiant/Google Threat Intelligence -- M-Trends annual reports, APT research, UNC tracking
• CrowdStrike -- Annual Global Threat Reports, adversary profiles
• Recorded Future -- Insikt Group research, threat actor TAG tracking
• Dragos -- ICS/OT-specific threat group analysis (annual Year in Review reports)
• Secureworks -- Counter Threat Unit (CTU) research and State of the Threat reports
• Unit 42 (Palo Alto Networks) -- Threat actor and campaign reports
• ESET -- APT activity reports, threat research blog
• Kaspersky GReAT -- APT research and reporting
• The DFIR Report -- Community-driven intrusion analysis with detailed TTP documentation
• Cisco Talos -- Threat research, vulnerability intelligence, and campaign tracking
• Check Point Research -- Threat intelligence publications and campaign analysis
• Sophos X-Ops -- Active adversary reports and ransomware ecosystem analysis
• ENISA -- EU Agency for Cybersecurity threat landscape reports

Key Annual Reports¶

The following recurring publications are particularly valuable for tracking threat actor evolution year-over-year:

Glossary¶

This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.

A¶

B¶

C¶

D¶

E¶

F/G¶

H¶

I¶

L¶

M¶

N¶

O¶

P¶

R¶

S¶

T¶

V¶

X¶

Z¶