## Executive Summary

This article lists selected threat actors tracked by Palo Alto Networks Unit 42, using our specific designators for these groups. We've organized them in alphabetical order of [their assigned constellation](https://unit42.paloaltonetworks.com/unit-42-threat-group-naming-update/). The information presented here is a list of threat actors, along with key information such as the category of threat actor, industries typically impacted and a summary of the overall threat. We intend this to be a centralized destination for readers to review the breadth of our research on these notable cyber threats. For more information on the attribution process, [read about Unit 42's Attribution Framework](https://unit42.paloaltonetworks.com/unit-42-attribution-framework/).

Palo Alto Networks customers are better protected from threat actors through the use of our products like our [Next-Generation Firewall](https://www.paloaltonetworks.com/network-security/next-generation-firewall) with [Cloud-Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions) that include [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire), [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security), [Advanced Threat Prevention](https://docs.paloaltonetworks.com/advanced-threat-prevention) and [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering).

Our customers are also better protected through our line of [Cortex](https://www.paloaltonetworks.com/cortex) products and [Prisma SASE](https://www.paloaltonetworks.com/sase).

If you think you might have been compromised or have an urgent matter, contact the [Unit 42 Incident Response team](https://start.paloaltonetworks.com/contact-unit42.html).

**Related Unit 42 Topics:** [**Cybercrime**](https://unit42.paloaltonetworks.com/category/cybercrime/), [**Nation-State Cyberattacks**](https://unit42.paloaltonetworks.com/category/nation-state-cyberattacks/)

## Nation-State Threat Actor Groups

Unit 42 considers the following groups to have a motivation that is primarily state-backed rather than financial. Some groups in this category may also have a cybercrime motivation, but we believe their main motivation is furthering the interests of their sponsoring nation.

### Draco — Pakistan

Draco, the dragon, is the constellation chosen for threat actor groups from Pakistan. These groups have been seen targeting India and other South Asian countries.

### Mocking Draco

#### Also Known As

G1008, SideCopy, UNC2269, White Dev 55

#### Summary

Mocking Draco is a Pakistan-based threat actor that has been operating since at least 2019, mainly targeting South Asian countries, India and Afghanistan in particular. Their malware's common name, SideCopy, comes from an infection chain that mimics that of the SideWinder group. This actor has reported similarities with Opaque Draco and is possibly a subdivision of that group.

#### Sectors Impacted

Mocking Draco has previously impacted organizations in the following sectors:

* Government

### Opaque Draco

#### Also Known As

APT36, C-Major, Cmajor, COPPER FIELDSTONE, Fast-Cargo, G0134, Green Halvidar, Havildar Team, Lapis, Mythic Leopard, ProjectM, Transparent Tribe

#### Summary

Opaque Draco is a Pakistan-based threat group that has been active since 2013.
They primarily target Indian governmental, military and educational sectors.

#### Sectors Impacted

Opaque Draco has previously impacted organizations in the following sectors:

* Education
* Government
* Military

### Lynx — Belarus

Belarusian threat groups are named for the constellation Lynx.

### White Lynx

#### Also Known As

Ghostwriter, Storm-0257, UNC1151

#### Summary

White Lynx is a nation-state threat actor assessed with high confidence to be linked with the Belarusian government. Their main focus is on countries neighboring Belarus, such as Ukraine, Lithuania, Latvia and Poland, as well as Germany. Their targeting also includes Belarusian dissidents, media entities and journalists.

#### Sectors Impacted

White Lynx has previously impacted organizations in the following sectors:

* Construction
* Education
* Federal Government
* Healthcare
* High Technology
* Insurance
* Manufacturing
* Media and Entertainment
* Nonprofits
* Pharma and Life Sciences
* Professional and Legal Services
* Real Estate
* State and Local Government
* Wholesale and Retail

### Pisces — North Korea

Threat actor groups attributed to North Korea are represented by the constellation Pisces. These groups have impacted many industries, with a focus on cyberespionage and financial crime.

### Jumpy Pisces

#### Also Known As

Andariel, Black Artemis, COVELLITE, Onyx Sleet, PLUTONIUM, Silent Chollima, Stonefly, UNC614, Lazarus, Lazarus Group

#### Summary

Jumpy Pisces is a nation-state threat actor associated with the notorious Lazarus Group and the Democratic People's Republic of Korea (DPRK). Jumpy Pisces is believed to be a subgroup of the Lazarus group that branched out around 2013. The group has demonstrated a high degree of adaptability, complexity and technical expertise in its operations, with a focus on cyberespionage, financial crime and ransomware attacks.

Jumpy Pisces primarily targets South Korean entities with a variety of attack vectors, including spear phishing, watering hole attacks and supply chain attacks. They have been observed exploiting vulnerabilities in various software, including asset management programs and known but unpatched public-facing services, to distribute their malware. The group also abuses legitimate software and proxy and tunneling tools for its malicious activities.

#### Sectors Impacted

Jumpy Pisces has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Financial Services
* Government
* Healthcare
* IT Services
* Manufacturing
* Pharma and Life Sciences
* Utilities and Energy

### Slow Pisces

#### Also Known As

Dark River, DEV-0954, Jade Sleet, Storm-0954, Trader Traitor, TraderTraitor, UNC4899, Lazarus, Lazarus Group

#### Summary

Slow Pisces is a North Korean nation-state threat group operating under the DPRK's Reconnaissance General Bureau (RGB). It is believed to be a spin-off from the Lazarus group focused on revenue generation and on targeting the cryptocurrency industry. Their primary task since 2020 has been generating revenue for the DPRK regime, which they do by targeting organizations that handle large volumes of cryptocurrency. They have reportedly stolen in excess of $1 billion in 2023 alone.

Secondary to revenue generation, Slow Pisces has also compromised aerospace, defense and industrial organizations, likely with the aim of espionage to advance the DPRK's military capabilities.

#### Sectors Impacted

Slow Pisces has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Cryptocurrency Industry
* Financial Services
* High Technology

### Serpens — Iran

Iranian-attributed groups are named for the constellation Serpens, the snake. Our research on these groups highlights their targets and TTPs as they evolve.

### Academic Serpens

#### Also Known As

COBALT DICKENS, DEV-0118, Mabna Institute, Silent Librarian, Yellow Nabu

#### Summary

Academic Serpens is a state-sponsored group active since at least 2013 that is attributed to Iran. It has traditionally focused on Middle Eastern targets and on Nordic universities in the EU.
Members of Academic Serpens are affiliated with the Iran-based Mabna Institute, which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). They have targeted research and proprietary data at universities, government agencies and private sector companies worldwide. There has been a notable decrease in activity from this group since the international COVID-19 crisis in 2020.

#### Sectors Impacted

Academic Serpens has previously impacted organizations in the following sectors:

* Education
* Government

### Agent Serpens

#### Also Known As

Mint Sandstorm (Microsoft), Charming Kitten (CrowdStrike)

APT35, Ballistic Bobcat, Cobalt Illusion, Damselfly, Direfate, G0059, Greycatfish, Group 83, Iridium Group, ITG18, Magic Hound, Newscaster, Phosphorus, Saffron Rose, TA453, White Phosphorous, Yellow Garuda

#### Summary

Agent Serpens is a suspected nation-state threat actor that the threat intelligence community attributes to Iran, with links to the Islamic Revolutionary Guard Corps (IRGC). It has been active since at least 2015.

Agent Serpens is known for sophisticated social engineering (especially spear phishing), malware development and persistent, adaptive tactics. The group uses a diverse and evolving toolkit to facilitate all stages of their attacks, from initial access to command and control (C2). This includes custom-developed backdoors like SnailResin, SlugResin and Sponsor, which the threat actors designed for gaining persistent access and exfiltrating data.

The group's arsenal also features credential harvesting kits such as GCollection and DWP, which enable the theft of email user accounts. Agent Serpens abuses legitimate tools like PowerShell to deploy tools like AnvilEcho, TAMECAT and CharmPower that enable malicious activities within compromised environments.

The group's use of Android malware like PINEFLOWER demonstrates an interest in mobile surveillance, likely for monitoring targets and gathering intelligence. Additionally, Agent Serpens incorporates readily available open-source tools like Mimikatz, Chisel and Plink to augment their capabilities and support different phases of their operations.

#### Sectors Impacted

Agent Serpens has previously impacted organizations in the following sectors:

* Automotive
* Civil Engineering
* Colleges and Universities
* Education
* Federal Government
* Financial Services
* Healthcare
* Higher Education
* High Technology
* Manufacturing
* Media and Entertainment
* Noncommercial
* Research Organizations
* Pharmaceutical and Life Sciences
* Telecommunications

### Agonizing Serpens

#### Also Known As

Pink Sandstorm (Microsoft), Spectral Kitten (CrowdStrike)

Agrius, Americium, Black Shadow, Blackshadow, Cobalt Shadow, Darkrypt, UNC2428, Yellow Dev 21

#### Summary

[Agonizing Serpens](https://unit42.paloaltonetworks.com/tag/agonizing-serpens/) is a suspected nation-state threat actor attributed to Iran. This group has primarily disrupted Israeli organizations since 2020 and is linked to attacks throughout the Middle East. The group's modus operandi involves strategically exfiltrating sensitive data before deploying destructive ransomware and wiper malware to disrupt systems and cover their tracks.
This group has targeted organizations in the education, technology and financial sectors.

#### Sectors Impacted

Agonizing Serpens has previously impacted organizations in the following sectors:

* Education
* Financial Services
* Insurance
* IT Services
* Nonclassifiable Establishments
* Professional and Legal Services
* Wholesale and Retail

### Boggy Serpens

#### Also Known As

Mango Sandstorm (Microsoft), Static Kitten (CrowdStrike)

Cobalt Ulster, Earth Vetala, G0069, Mercury, MuddyWater, Seedworm, TEMP.Zagros, Yellow Nix

#### Summary

Active since at least 2017, Boggy Serpens is an Iranian state-sponsored cyberespionage group that US Cyber Command has attributed to Iran's Ministry of Intelligence and Security (MOIS).

The group's primary objective is cyberespionage aligned with Iranian government interests. This includes intelligence gathering, operational disruption and responding to regional conflicts, particularly those involving Israel.

#### Sectors Impacted

Boggy Serpens has previously impacted organizations in the following sectors:

* Financial Services
* Healthcare
* Insurance
* Telecommunications
* Transportation and Logistics

### Devious Serpens

#### Also Known As

Cobalt Fireside, Curium, G1012, Imperial Kitten, Tortoiseshell, Yellow Liderc

#### Summary

Devious Serpens is an Iran-based threat actor known for using social engineering tactics as well as malware that communicates via IMAP. Their attacks use watering hole techniques as well as their own controlled sites that impersonate employment opportunities likely to interest their victims.

The malware that they have built often uses IMAP with specific email addresses for command and control (C2). With such tools, communication typically occurs via specific folders and message conventions on the C2 email account.

#### Sectors Impacted

Devious Serpens has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Information Technology Services

### Evasive Serpens

#### Also Known As

Alibaba, APT34, Chrysene, Cobalt Gypsy, Crambus, Europium, G0049, Group 41, Hazel Sandstorm, Helix Kitten, IRN2, OilRig, Powbat, TEMP.Akapav, Twisted Kitten, Yossi

#### Summary

Evasive Serpens is a threat group Unit 42 discovered in May 2016. They are a nation-state threat group attributed to Iran. This threat group is extremely persistent and relies heavily on spear phishing as its initial attack vector. However, the group has also been associated with more complex attacks such as credential harvesting campaigns and DNS hijacking.

In their spear phishing attacks, Evasive Serpens preferred macro-enabled Microsoft Office (Word and Excel) documents to install custom payloads delivered as portable executables (PE), PowerShell scripts and VBScripts. The group's custom payloads frequently used DNS tunneling as a C2 channel.

#### Sectors Impacted

Evasive Serpens has previously impacted organizations in the following sectors:

* Chemical Manufacturing
* Financial Services
* Government
* Telecommunications
* Utilities and Energy

### Taurus — China

Chinese threat actor groups take their name from the constellation Taurus — the bull.
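The DNS tunneling C2 channel described for the custom payloads of Evasive Serpens above leaves a distinctive trace in resolver logs: a single domain receiving many queries whose leftmost labels are long, unique and high-entropy, because the query name itself carries encoded data. The script below is an added hunting example written for this page, not Unit 42 tooling and not code from any group described here. It profiles a constructed DNS query log per registered domain and flags domains that meet all four criteria at once. The log lines, the domain `example-tunnel.test`, the two-label approximation of a registered domain and the thresholds are all constructed or assumed.

```python
"""Heuristic detection of DNS tunneling in a DNS query log (added example)."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, not real telemetry. Fields: timestamp client qtype qname
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 TXT 5a3f9c1e7b2d4a6f8e0c1b3d5f7a9c2e.c2.example-tunnel.test
2024-05-01T10:00:04Z 10.0.0.9 A api.example.com
2024-05-01T10:00:05Z 10.0.0.7 TXT 9e2c7b1f4d8a0e6c3b5f7a1d9c2e4f6b.c2.example-tunnel.test
2024-05-01T10:00:06Z 10.0.0.5 A cdn.example.com
2024-05-01T10:00:07Z 10.0.0.7 TXT 1d4f7a9c2e5b8d0f3a6c9e1b4d7f2a5c.c2.example-tunnel.test
2024-05-01T10:00:08Z 10.0.0.5 A www.example.com
2024-05-01T10:00:09Z 10.0.0.7 TXT 7c0e3a6f9b2d5e8a1c4f7b0d3e6a9c2f.c2.example-tunnel.test
2024-05-01T10:00:10Z 10.0.0.9 A long-but-readable-hostname.corp.example.net
2024-05-01T10:00:11Z 10.0.0.7 TXT 3b6e9a2d5f8c1e4b7a0d3f6c9e2b5a8d.c2.example-tunnel.test
2024-05-01T10:00:12Z 10.0.0.5 A www.example.com
2024-05-01T10:00:13Z 10.0.0.7 TXT 8f1b4e7a0c3d6f9b2e5a8c1d4f7b0e3a.c2.example-tunnel.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded/compressed data scores high, words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse 'timestamp client qtype qname' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.lower().rstrip(".")})
    return records


def split_name(qname: str) -> Tuple[str, str]:
    """Return (subdomain, registered_domain). Assumption: the registered domain is the
    last two labels; a real deployment should use a public-suffix list (co.uk etc.)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(records: List[Dict[str, str]]) -> Dict[str, Dict[str, float]]:
    """Per registered domain: query count, subdomain uniqueness, mean label length,
    mean entropy of the subdomain characters and share of data-carrying record types."""
    per_domain: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for r in records:
        sub, dom = split_name(r["qname"])
        per_domain[dom].append((sub, r["qtype"]))
    profiles = {}
    for dom, items in per_domain.items():
        subs = [s for s, _ in items]
        stripped = [s.replace(".", "") for s in subs]
        n = len(items)
        profiles[dom] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_len": sum(len(s) for s in stripped) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in stripped) / n,
            "txt_ratio": sum(1 for _, t in items if t in ("TXT", "NULL", "CNAME")) / n,
        }
    return profiles


def flag_tunneling(records, min_queries=5, min_unique_ratio=0.8,
                   min_len=20, min_entropy=3.0) -> List[str]:
    """Flag domains that are queried often with mostly unique, long, high-entropy
    subdomains. All four conditions must hold; thresholds are assumptions to tune."""
    flagged = []
    for dom, p in profile_domains(records).items():
        if (p["queries"] >= min_queries and p["unique_ratio"] >= min_unique_ratio
                and p["mean_len"] >= min_len and p["mean_entropy"] >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dom, p in sorted(profile_domains(recs).items()):
        print(f"{dom:24} q={p['queries']:2} uniq={p['unique_ratio']:.2f} "
              f"len={p['mean_len']:5.1f} H={p['mean_entropy']:.2f} txt={p['txt_ratio']:.2f}")
    print("suspected tunneling:", flag_tunneling(recs))
```

The single long, human-readable hostname under `example.net` is there on purpose: word-like labels can score above 3 bits of entropy, so entropy alone is a poor signal. It is the combination with query volume and subdomain uniqueness that separates an encoded data stream from an unusual but legitimate name. In production, group additionally by client so one noisy host does not mask the per-domain baseline, and treat a high `txt_ratio` as corroborating rather than required, since tunnels also run over A and AAAA queries.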
Due to the long history and multiplicity of Chinese APTs, there is a lot to discover about these groups in our research archives.

### Alloy Taurus

#### Also Known As

Granite Typhoon (Microsoft), Phantom Panda (CrowdStrike)

G0093, Gallium, Operation Soft Cell, Othorene, Red Dev 4

#### Summary

[Alloy Taurus](https://unit42.paloaltonetworks.com/tag/alloy-taurus/) has been active since at least 2012 and is a suspected nation-state threat actor group attributed to China.

The group is known for its long-term cyberespionage campaigns, primarily targeting telecommunications companies, government entities and financial institutions across Southeast Asia, Europe and Africa. Their operations are characterized by multi-wave intrusions aimed at establishing persistent footholds within compromised networks. Alloy Taurus gains initial access by exploiting vulnerabilities in internet-facing applications.

Alloy Taurus employs a range of custom and modified malware for multiple operating systems to enhance its espionage capabilities, move laterally and evade detection. This includes backdoors, web shells and credential harvesting tools, as well as legitimate applications such as VPN and remote management tools.

#### Sectors Impacted

Alloy Taurus has previously impacted organizations in the following sectors:

* Federal Government
* Financial Services
* State and Local Government
* Telecommunications
* Transportation and Logistics

### Charging Taurus

#### Also Known As

Circle Typhoon, DEV-0322, TGR-STA-0027, Tilted Temple

#### Summary

Charging Taurus is a state-sponsored cyberespionage group attributed to China, active since 2021. The group's goal is to steal intellectual property aligned with China's national interests. The group is capable of exploiting undisclosed zero-day vulnerabilities. The group has a possible tie to [Insidious Taurus](#post-135181-_q3xis2d3s34f).

#### Sectors Impacted

Charging Taurus has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Biotechnology
* High Technology
* Semiconductor Industry

### Dicing Taurus

#### Also Known As

Jackpot Panda

#### Summary

Dicing Taurus is a state-sponsored group attributed to China. The group focuses on the illegal online gambling sector in Southeast Asia, with an emphasis on collecting data used to monitor and counter related activities in China. The i-Soon leak in February 2024 revealed that i-Soon was likely involved in Dicing Taurus's operations, along with China's Ministry of Public Security.

The group is also responsible for distributing a trojanized installer for CloudChat, a chat application popular with Chinese-speaking illegal gambling communities in mainland China. The trojanized installer served from CloudChat's website contained the first stage of a multi-step infection process.

#### Sectors Impacted

Dicing Taurus has previously impacted organizations in the following sectors:

* Online Gambling
* Software and Technology

### Digging Taurus

#### Also Known As

BRONZE HIGHLAND, Daggerfly, Evasive Panda, StormBamboo

#### Summary

Digging Taurus is a suspected nation-state threat group attributed to China that has been active since at least 2012. The group targets organizations around the world, including in Taiwan, Hong Kong, mainland China, India and Africa. Their activities, including intelligence collection, align with Chinese interests. This group has targeted organizations with advanced malware frameworks like MgBot and CloudScout.
They strategically use different initial access vectors, including supply-chain attacks and DNS poisoning.

#### Sectors Impacted

Digging Taurus has previously impacted organizations in the following sectors:

* Computer Integrated Systems Design
* Executive Offices
* General Government Administration
* Local Government
* Nonprofit
* Telecommunications

### Insidious Taurus

#### Also Known As

BRONZE SILHOUETTE, DEV-0391, UNC3236, Vanguard Panda, Volt Typhoon, Voltzite, G1017

#### Summary

[Insidious Taurus](https://unit42.paloaltonetworks.com/tag/insidious-taurus/) is a Chinese state-sponsored actor, active since 2021, that typically focuses on espionage and information gathering. Insidious Taurus evades detection with living-off-the-land (LotL) techniques, using built-in system tools to achieve its objectives and blend in with regular system noise.

The actor uses compromised small office/home office (SOHO) network devices as intermediate infrastructure to further obscure its activity. Insidious Taurus exploits vulnerabilities in internet-facing devices and systems as an initial access vector.

#### Sectors Impacted

Insidious Taurus has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Information Technology Services
* Manufacturing
* Telecommunications
* Transportation and Logistics
* Utilities

### Jumper Taurus

#### Also Known As

APT40, BRONZE MOHAWK, Electric Panda, Gadolinium, Gingham Typhoon, IslandDreams, Kryptonite Panda, Ladon, Leviathan, Pickleworm, Red Ladon, TEMP.Jumper, TEMP.Periscope

#### Summary

Jumper Taurus is a state-sponsored cyberespionage group believed to be linked to the Chinese government. Active since at least 2013, the group has consistently demonstrated advanced tactics, techniques and procedures (TTPs) in support of China's strategic objectives, targeting organizations engaged in sensitive research or holding strategically important geopolitical relationships.

The group's operations use phishing emails and exploit web server vulnerabilities for initial access. The group has shown a particular interest in maritime-related targets, those associated with China's naval modernization efforts and the Belt and Road Initiative.

#### Sectors Impacted

Jumper Taurus has previously impacted organizations in the following sectors:

* Education
* Financial Services
* Government
* Healthcare
* Utilities and Energy

### Nuclear Taurus

#### Also Known As

Bronze Vapor, Chimera, G0114, Red Charon, THORIUM, Tumbleweed Typhoon

#### Summary

Nuclear Taurus is a suspected nation-state threat actor attributed to China. Active since at least 2017, the group has consistently conducted stealthy, long-term intrusions into organizations, focusing on espionage operations targeting high-technology companies.

#### Sectors Impacted

Nuclear Taurus has previously impacted organizations in the following sectors:

* Aerospace and Defense
* High Technology
* Semiconductor
* Transportation and Logistics

### Playful Taurus

#### Also Known As

Nylon Typhoon (Microsoft), Vixen Panda (CrowdStrike)

APT15, Backdoor Diplomacy, BRONZE PALACE, Buck09, Bumble Bee, G0004, Gref, Ke3chang, Mirage, Nickel, Playful Dragon, Red Hera, RoyalAPT

#### Summary

[Playful Taurus](https://unit42.paloaltonetworks.com/tag/playful-taurus/) is a Chinese state-sponsored threat actor with a history of cyberespionage activity dating back to at least 2010. Primarily targeting government entities, diplomatic organizations and NGOs across Southeast Asia, Europe and Latin America, Playful Taurus focuses on intelligence gathering and data exfiltration to support Chinese political and economic interests.

#### Sectors Impacted

Playful Taurus has previously impacted organizations in the following sectors:

* Government
* Nonprofits
* Telecommunications

### Sentinel Taurus

#### Also Known As

Earth Empusa, Evil Eye, EvilBamboo, Poison Carp

#### Summary

Sentinel Taurus is a state-sponsored threat group that has shown significant interest in Tibetan, Uyghur and Taiwanese targets.
The group has reportedly used spear phishing and watering hole techniques to deliver iOS and Android mobile malware payloads to its targets.

#### Sectors Impacted

Sentinel Taurus has previously impacted organizations in the following sectors:

* Education
* State and Local Government

### Starchy Taurus

#### Also Known As

BARIUM, Winnti Group

#### Summary

Active since at least 2012, Starchy Taurus is a threat group that researchers have assessed to be a Chinese state-sponsored espionage group that also conducts financially motivated operations, with activity observed in more than 14 countries.

#### Sectors Impacted

Starchy Taurus has previously impacted organizations in the following sectors:

* Healthcare
* Technology
* Telecommunications
* Video Games

### Stately Taurus

#### Also Known As

Twill Typhoon (Microsoft), Mustang Panda (CrowdStrike)

Bronze Fillmore, BRONZE PRESIDENT, DEV-0117, Earth Preta, G0129, HoneyMyte, Luminous Moth, PKPLUG, Red Lich, RedDelta, TA416, Tantalum, TEMP.Hex

#### Summary

[Stately Taurus](https://unit42.paloaltonetworks.com/tag/stately-taurus/) is a nation-state threat actor attributed to China. The group has been active since at least 2012. Their campaigns are designed to gather sensitive information and exert political influence, aligning with Chinese state interests. This includes monitoring and influencing political developments in regions of strategic importance, such as the South China Sea and areas involved in the global 5G rollout.

#### Sectors Impacted

Stately Taurus has previously impacted organizations in the following sectors:

* Education
* Federal Government
* Media and Entertainment
* National Security
* Professional and Legal Services

### Ursa — Russia

Russian threat groups tracked by Unit 42 are named for the constellation Ursa. We report on these groups regularly and have a significant archive of material.

### Cloaked Ursa

#### Also Known As

Midnight Blizzard (Microsoft), Cozy Bear (CrowdStrike)

APT29, Backswimmer, Blue Kitsune, Blue Nova, Cozy, CozyDuke, Dark Halo, DEV-0473, Dukes, Eurostrike, G0016, Group 100, Hagensia, Iron Hemlock, Iron Ritual, Nobelium, Noblebaron, Office Monkeys, Office Space, Solarstorm, TAG-11, The Dukes, UAC-0029, UNC2452, UNC3524, YTTRIUM

#### Summary

[Cloaked Ursa](https://unit42.paloaltonetworks.com/tag/cloaked-ursa/) is a nation-state threat actor attributed to Russia's Foreign Intelligence Service (SVR) that has been active since at least 2008. This group targets government, diplomatic and critical infrastructure entities worldwide, across regions such as North America and Europe and in countries opposing Russian geopolitical objectives. Cloaked Ursa's primary focus is intelligence gathering and data exfiltration to support Russian foreign policy goals, gain strategic advantage in geopolitical conflicts, and monitor and disrupt the activities of perceived adversaries.

#### Sectors Impacted

Cloaked Ursa has previously impacted organizations in the following sectors:

* Federal Government
* Government
* High Technology
* Manufacturing
* Utilities and Energy

### Fighting Ursa

#### Also Known As

APT28, Fancy Bear, G0007, Group 74, IRON TWILIGHT, Pawn Storm, PawnStorm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, Tsar Team, TsarTeam, UAC-0028

#### Summary

[Fighting Ursa](https://unit42.paloaltonetworks.com/tag/fighting-ursa/) is a nation-state threat group attributed to the 85th Main Special Service Center (GTsSS), military unit 26165, of Russia's General Staff Main Intelligence Directorate (GRU). They are well known for their focus on targets of Russian interest, especially those of military interest.
They are known as one of the two Russian groups that compromised the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) during the 2016 election cycle.

#### Sectors Impacted

Fighting Ursa has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Education
* Federal Government
* Government
* IT Services
* Media
* Telecommunications
* Transportation
* Transportation and Logistics
* Utilities and Energy

### Mythic Ursa

#### Also Known As

Blue Callisto, Callisto, Callisto Group, COLDRIVER, Dancing Salome, Grey Pro, IRON FRONTIER, Reuse Team, SEABORGIUM, Star Blizzard

#### Summary

Mythic Ursa is a Russian group linked to Centre 18 of Russia's Federal Security Service (FSB), focused on credential harvesting from high-profile individuals. The group often uses fake accounts to establish rapport with its targets before sending a phishing link to gather credentials. This group was last observed using custom malware in November 2022.

#### Sectors Impacted

Mythic Ursa has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Federal Government
* Higher Education
* International Affairs
* Transportation and Logistics

### Pensive Ursa

#### Also Known As

Turla, Uroburos, Snake, BELUGASTURGEON, Boulder Bear, G0010, Group 88, IRON HUNTER, Iron Pioneer, Krypton, Minime, Popeye, Turla Team, Venomous Bear, Waterbug, White Atlas, WhiteBear, Witchcoven

#### Summary

[Pensive Ursa](https://unit42.paloaltonetworks.com/tag/pensive-ursa/) is a Russia-based threat group operating since at least 2004 that is linked to Centre 18 of Russia's Federal Security Service (FSB).

#### Sectors Impacted

Pensive Ursa has previously impacted organizations in the following sectors:

* Defense Systems and Equipment
* Education
* Government
* Healthcare
* Nonprofit
* Pharmaceutical Preparations
* Research

### Razing Ursa

#### Also Known As

BlackEnergy, Blue Echidna, Cyclops Blink, ELECTRUM, G0034, Grey Tornado, IRIDIUM, IRON VIKING, OlympicDestroyer, Quedagh, Sandworm, Sandworm Team, Telebots, UAC-0082, Voodoo Bear

#### Summary

Razing Ursa is a nation-state group attributed to a subgroup of the Russian General Staff Main Intelligence Directorate (GRU). They use spear phishing and vulnerability exploitation to access systems, with the goal of espionage or destruction. This group's activities have targeted industrial control systems and used distributed denial of service (DDoS) attacks to disrupt critical infrastructure.

#### Sectors Impacted

Razing Ursa has previously impacted organizations in the following sectors:

* Federal Government
* Financial Services
* Media and Entertainment
* Telecommunications
* Transportation and Logistics
* Utilities and Energy

### Trident Ursa

#### Also Known As

Actinium, Armageddon, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Primitive Bear, Shuckworm, UAC-0010

#### Summary

[Trident Ursa](https://unit42.paloaltonetworks.com/tag/trident-ursa/) is a nation-state threat group that has been active since at least 2013. This group has targeted individuals likely related to the Ukrainian government and military and is likely the actor behind the 2015 Operation Armageddon, which delivered remote access tools such as UltraVNC and Remote Manipulator System (RMS). The group previously used commodity tools but began using custom-developed tools in 2016.

#### Sectors Impacted

Trident Ursa has previously impacted organizations in the following sectors:

* Finance
* Wholesale and Retail

## Cybercrime Threat Actor Groups

Unit 42 considers the following groups to have a motivation that is primarily financial rather than political. There can be some political motivation for threat groups in this category, but we consider their main motivation to be perpetrating cybercrime.
This category is split into two groups: cybercrime in general, and then ransomware.

### Libra — Cybercrime

Cybercrime is represented by the constellation Libra, a fitting choice given the imagery of the scales of justice.

### Bling Libra

#### Also Known As

Shiny Hunters, ShinyCorp, ShinyHunters, UNC5537

#### Summary

Bling Libra is an extortion group and data broker active since at least 2020. Initially operating on RaidForums, a key member now holds an administrative role on BreachForums.

The group publishes stolen data, particularly after failed extortion attempts, to bolster its reputation. Bling Libra targets industries worldwide, including telecommunications, financial services, entertainment and high technology, across the U.S., Europe, Asia, the Middle East and Latin America.

The group gains access through stolen credentials obtained via infostealer malware and phishing campaigns. Its tactics include exploiting unsecured cloud storage and weak security configurations, and using custom tools like FROSTBITE along with publicly available tools.

#### Sectors Impacted

Bling Libra has previously impacted organizations in the following sectors:

* Financial Services
* High Technology
* Hospitality
* Media and Entertainment
* Real Estate
* Telecommunications
* Wholesale and Retail

### Muddled Libra

#### Also Known As

Octo Tempest (Microsoft), Scattered Spider (CrowdStrike)

G1015, Roasted 0ktapus, Scatter Swine, Star Fraud, UNC3944

#### Summary

[Muddled Libra](https://unit42.paloaltonetworks.com/tag/muddled-libra/) is a financially motivated cyberthreat group active since at least May 2022. The group is composed of English-speaking members, some as young as 16. The group initially engaged in SIM swapping and credential harvesting, primarily targeting individuals for cryptocurrency theft. They have since evolved their operations to include data theft and ransomware deployment, aiming to extort large organizations for financial gain. Primarily targeting U.S.-based companies, Muddled Libra has expanded its focus from the telecommunications and business process outsourcing (BPO) sectors to a diverse range of industries such as retail, hospitality, gaming, manufacturing and financial services.

#### Sectors Impacted

Muddled Libra has previously impacted organizations in the following sectors:

* High Technology
* Hospitality
* Media and Entertainment
* Professional and Legal Services
* Telecommunications

### Scorpius — Ransomware

Ransomware groups get their naming convention from the constellation Scorpius and are a frequent subject of our research.

### Ambitious Scorpius

#### Also Known As

ALPHV, BlackCat, blackcat_raas

#### Summary

[Ambitious Scorpius](https://unit42.paloaltonetworks.com/tag/ambitious-scorpius/) is a ransomware-as-a-service (RaaS) group that uses multi-extortion, distributing BlackCat ransomware. The ransomware family was first observed in November 2021. The group is suspected to be of Russian origin and is a possible successor of DarkSide and BlackMatter. The group solicits affiliates on known cybercrime forums, offering to let them keep 80-90% of the ransom payment.

A significant disruption by joint law enforcement action in December 2023 appears to have dealt the group a significant blow.
Despite actively listing new victims through February 2024, about 40% of the victims were smaller businesses rather than the high value targets usually seen.#### Sectors ImpactedAmbitious Scorpius has previously impacted organizations in the following sectors:* Aerospace and Defense* Agriculture* Construction* Education* Federal Government* Financial Services* Healthcare* High Technology* Hospitality* Insurance* Manufacturing* Media and Entertainment* Mining* Nonprofits* Pharma and Life Sciences* Professional and Legal Services* Real Estate* State and Local Government* Telecommunications* Transportation and Logistics* Utilities and Energy* Wholesale and Retail### Bashful Scorpius#### Also Known AsNokoyawa#### SummaryBashful Scorpius ransomware group was first observed in February 2022, distributing Nokoyawa ransomware, which is potentially an evolution of Nemty and Karma ransomware. Bashful Scorpius uses a multi-extortion strategy, in which attackers demand payment both for a decryptor to restore access to encrypted files and for not disclosing stolen data.This group distributes their ransomware payloads through various means, including third-party frameworks such as Cobalt Strike and phishing emails. The creators of Nokoyawa ransomware have repurposed functions from the leaked Babuk ransomware source code.Ransomware operators using Nokoyawa ransomware wield a command set that allows them to exercise precise control over the execution and ultimate outcome of the infection. 
This further increases the threat's effectiveness and potential damage.

#### Sectors Impacted

Bashful Scorpius has previously impacted organizations in the following sectors:

* Agriculture
* Construction
* Education
* Finance
* Healthcare
* High Technology
* Nonprofits
* Professional and Legal Services
* State and Local Government
* Transportation and Logistics
* Utilities and Energy
* Wholesale and Retail

### Bitter Scorpius

#### Also Known As

BianLian, bianlian_group

#### Summary

Initially discovered in July 2022, [Bitter Scorpius](https://unit42.paloaltonetworks.com/tag/bitter-scorpius/) is a ransomware group that uses double-extortion (T1486, T1657). The group is known for being highly adaptable and quickly leverages newly disclosed vulnerabilities. They have been among the top ten most active ransomware groups since 2023.

Bitter Scorpius distributes the BianLian ransomware, which is written in the Go programming language. The group gains initial access by exploiting external-facing remote services (T1190, T1133) and using custom remote access malware to maintain persistence.

According to previous research, the threat actors appear technically sophisticated in compromising targeted networks but are likely inexperienced overall, based on the following behaviors observed during investigations:

* Mistakenly sends data from one victim to another
* Possesses a relatively stable backdoor toolkit but an encryption tool that remains in active development, including an evolving ransom note
* Maintains unreliable infrastructure, as stated through the group's admission on their Onion site

#### Sectors Impacted

Bitter Scorpius has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Agriculture
* Construction
* Education
* Financial Services
* Healthcare
* High Technology
* Hospitality
* Insurance
* Manufacturing
* Media and Entertainment
* Mining
* Nonprofits
* Pharma and Life Sciences
* Professional and Legal Services
* Real Estate
* State and Local Government
* Telecommunications
* Transportation and Logistics
* Utilities and Energy
* Wholesale and Retail

### Blustering Scorpius

#### Also Known As

Stormous

#### Summary

Blustering Scorpius is an Arabic-speaking cybercrime group that first appeared in 2021. They gained fame by exploiting tensions in the Russia-Ukraine war and targeting Western entities in 2022. They initially sought to specifically target entities in the U.S. but quickly began targeting entities based on global political tensions. While the group has claimed numerous attacks, they have also been accused of posting fake data or claiming attacks perpetrated by other groups.

Blustering Scorpius gains initial access via phishing, vulnerability exploits, Remote Desktop Protocol (RDP), credential abuse and malvertising. They use X (Twitter) and Telegram to advertise their exploits and to reach their followers and affiliates. The group also uses social engineering to exploit emotions surrounding geopolitical tensions.

Blustering Scorpius began joint operations with GhostSec on July 13, 2023, which they announced via GhostSec's Telegram channel. The two groups have gone on to jointly attack multiple entities in various countries and industries.

#### Sectors Impacted

Blustering Scorpius has previously impacted organizations in the following sectors:

* Education
* Financial Services
* High Technology
* Manufacturing
* Media and Entertainment
* Telecommunications
* Utilities and Energy
* Wholesale and Retail

### Chubby Scorpius

#### Also Known As

Cl0p, CL0P

#### Summary

The [Chubby Scorpius](https://unit42.paloaltonetworks.com/tag/chubby-scorpius/) group, first observed [in February 2019](https://unit42.paloaltonetworks.com/clop-ransomware/), is a financially motivated ransomware group known for its sophisticated operations and large-scale attacks using the Cl0P ransomware.
They operate under a ransomware-as-a-service (RaaS) model, meaning they develop and maintain the ransomware while affiliates carry out the attacks.

In June 2021, [six suspected members of the Cl0p ransomware gang were arrested](https://www.interpol.int/en/News-and-Events/News/2021/INTERPOL-led-operation-takes-down-prolific-cybercrime-ring) in Ukraine during a series of raids conducted in and around Kyiv. Ukrainian law enforcement, working with investigators from South Korea and the United States, searched 21 homes and seized various devices including computers, smartphones and servers. They also confiscated approximately $184,000 USD in what is believed to be ransom payments.

#### Sectors Impacted

Chubby Scorpius has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Agriculture
* Construction
* Education
* Financial Services
* Healthcare
* High Technology
* Hospitality
* Industrial Automation Industry
* Insurance
* Manufacturing
* Media and Entertainment
* Mining
* Nonprofit
* Pharma and Life Sciences
* Professional and Legal Services
* Real Estate
* State and Local Government
* Telecommunications
* Transportation and Logistics
* Utilities and Energy
* Wholesale and Retail

### Dapper Scorpius

#### Also Known As

BlackSuit

#### Summary

Dapper Scorpius is a ransomware group that emerged in early May 2023, distributing BlackSuit ransomware and impacting a broad range of organizations globally. This group is suspected to be the Ignoble Scorpius ransomware group (aka Royal Ransomware) rebranded.

Unlike many ransomware operations that use a RaaS model, Dapper Scorpius operates as a private group without affiliates, most likely composed of ex-Conti and ex-Ignoble Scorpius members.
Dapper Scorpius employs a multifaceted distribution strategy that includes phishing campaigns, malicious email attachments, SEO poisoning and using loaders like GootLoader for deploying their ransomware payload.

#### Sectors Impacted

Dapper Scorpius has previously impacted organizations in the following sectors:

* Construction
* Education
* Federal Government
* Financial Services
* Healthcare
* High Technology
* Insurance
* Manufacturing
* Media and Entertainment
* Nonprofits
* Real Estate
* State and Local Government
* Transportation and Logistics
* Wholesale and Retail

### Dark Scorpius

#### Also Known As

Storm-1811 (Microsoft), Curly Spider (CrowdStrike)

Black Basta, Black_Basta, BlackBasta, Cardina, UNC4393

#### Summary

[Dark Scorpius](https://unit42.paloaltonetworks.com/tag/dark-scorpius/) is a financially motivated ransomware-as-a-service (RaaS) group, with suspected ties to the defunct Conti group. These two groups use similar tactics, techniques, procedures (TTPs) and infrastructure.

Dark Scorpius operations involve double extortion, encrypting data (T1486) and threatening public disclosure of sensitive information to coerce ransom payments (T1657). First observed in April 2022, they target critical infrastructure and high-profile organizations globally, causing significant disruptions and financial losses.

While Dark Scorpius has impacted organizations globally, their reported compromises skewed more toward developed countries such as the U.S., UK, Germany and Canada. While organizations in developed countries are most frequently targeted due to their potential for high-value payouts, this threat actor maintains an opportunistic approach, suggesting they will target any vulnerable organization if the opportunity for profit arises. The group avoids operations within the Commonwealth of Independent States, a common behavior observed in Russia-based groups.

As a RaaS group, Dark Scorpius has affiliates that leverage a wide set of TTPs to achieve their objectives.
As such, what we capture in this report may differ from the activities they employ in future attacks.

The group exclusively uses the Black Basta ransomware for data encryption (T1486) after exfiltrating files with tools such as RClone (S1040, T1048, T1567).

#### Sectors Impacted

Dark Scorpius has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Agriculture
* Construction
* Healthcare
* High Technology
* Hospitality
* Insurance
* Manufacturing
* Media and Entertainment
* Mining
* Nonprofits
* Pharma and Life Sciences
* Professional and Legal Services
* Real Estate
* State and Local Government
* Telecommunications
* Transportation and Logistics
* Utilities and Energy
* Wholesale and Retail

### Fiddling Scorpius

#### Also Known As

Play, PlayCrypt

#### Summary

Fiddling Scorpius is a sophisticated cybercriminal organization that emerged in June 2022. This group is notorious for its double-extortion tactics, where they exfiltrate sensitive data before encrypting systems and demanding ransom payments to prevent data leaks.

The tooling employed by Fiddling Scorpius includes a mix of custom and publicly available tools for command and control (C2), lateral movement, credential dumping and data exfiltration.
The primary impact of their attacks is data encryption with a .play extension, causing significant operational disruptions.

#### Sectors Impacted

Fiddling Scorpius has previously impacted organizations in the following sectors:

* Aerospace and Defense
* Agriculture
* Conglomerates
* Construction
* Federal Government
* Financial Services
* High Technology
* Hospitality
* Industrial Automation Industry
* Insurance
* Manufacturing
* Media and Entertainment
* Mining
* Nonprofits
* Professional and Legal Services
* Real Estate
* State and Local Government
* Telecommunications
* Transportation and Logistics
* Utilities and Energy
* Wholesale and Retail

### Fiery Scorpius

#### Also Known As

Helldown

#### Top Impacted Industries

* Construction
* High Technology
* Hospitality
* Professional and Legal Services
* Transportation and Logistics
* Wholesale and Retail

### Flighty Scorpius

#### Also Known As

ABCD, LockBit, LockBit 2.0, LockBit 3.0, LockBit Black, Lockbit_RaaS

#### Summary

Flighty Scorpius is a ransomware-as-a-service (RaaS) group, first observed in September 2019. They were initially known for deploying ABCD ransomware, which was so named due to the characteristic .abcd file extension it used during attacks. They later rebranded as LockBit when they became a RaaS operation.

Flighty Scorpius' operational model is distinguished by its affiliate program, which they aggressively marketed on underground forums. The group has innovated in affiliate relations, offering direct ransom payments to affiliates before taking its cut, a practice that contrasts with the norm and incentivizes potential partners.

Over the years, Flighty Scorpius has developed and released multiple LockBit ransomware variants. Each variant signifies an evolution in the group's technical capabilities, from faster encryption speeds to more sophisticated extortion techniques.
This evolution is mostly a result of their acquiring ransomware source code from competitors.

The group suffered a major disruption with Operation Cronos in February 2024, which led to law enforcement seizing infrastructure and public-facing websites crucial to LockBit's operations. Law enforcement also exposed Russian nationals as members of the group, including its administrator.

Despite these law enforcement disruptions, Flighty Scorpius has resumed operations, including the potential release of a new ransomware variant.

#### Sectors Impacted

* Aerospace and Defense
* Agriculture
* Construction
* Cryptocurrency Industry
* Education
* Federal Government
* Financial Services
* Healthcare
* High Technology
* Hospitality
* Insurance
* Manufacturing
* Media and Entertainment
* Mining
* Nonprofits
* Pharma and Life Sciences
* Professional and Legal Services
* Real Estate
* State and Local Government
* Telecommunications
* Transportation and Logistics
* Utilities and Energy
* Wholesale and Retail

### Fluttering Scorpius

#### Also Known As

FOG

#### Summary

Fluttering Scorpius, the group that distributes FOG ransomware, emerged as a significant threat actor in the ransomware landscape when first observed in April 2024. This group is notorious for exploiting vulnerabilities in widely used software to gain unauthorized access to systems.

The group employs various techniques, such as using stolen credentials and unpatched vulnerabilities, to infiltrate networks. Fluttering Scorpius has shared infrastructure with the Akira ransomware group, which suggests possible collaboration between these groups.

Fluttering Scorpius' operations are marked by rapid encryption attacks and the strategic use of living-off-the-land binaries (LOLBins) to evade detection.

The group focuses on targeting backup and disaster recovery solutions to maximize the impact of their attacks. The group often uses compromised VPN credentials to get a foothold in the victim's environment.
These threat actors accomplish lateral movement using pass-the-hash attacks on administrator accounts to establish RDP connections targeting Hyper-V running on Windows servers. Fluttering Scorpius also uses credential stuffing to take over high-value accounts.

#### Sectors Impacted

* Agriculture
* Construction
* Education
* Healthcare
* Hospitality
* Manufacturing
* Nonprofits
* Professional and Legal Services
* State and Local Government
* Telecommunications
* Utilities and Energy
* Wholesale and Retail

### Howling Scorpius

#### Also Known As

Storm-1567 (Microsoft), Punk Spider (CrowdStrike)

Akira

#### Summary

Howling Scorpius is a financially motivated ransomware-as-a-service (RaaS) operation observed since early 2023. It employs double extortion tactics, typically exfiltrating sensitive data before encrypting systems.

The group targets organizations globally, with a focus on North America, the UK, Australia and Europe. It impacts various sectors, including manufacturing, professional services, education, critical infrastructure and retail.

Howling Scorpius targets Windows and Linux/ESXi systems with evolving ransomware variants. It uses various tactics, including exploiting vulnerabilities and credential theft, to exfiltrate data.

Dwell times range from less than 24 hours to a month, likely reflecting varying affiliate capabilities. While Howling Scorpius primarily uses double extortion, threatening to publish stolen data if ransom demands are unmet, it has also engaged in extortion-only attacks.
In cases we observed during Fall 2023, the group exfiltrated data for payment extortion without deploying ransomware.

#### Sectors Impacted

Howling Scorpius has previously impacted organizations in the following sectors:

* Agriculture
* Agriculture and Food and Beverage Production Industry
* Automotive Industry
* Civic Leagues and Social Welfare Organizations
* Conglomerates
* Construction
* Consumer Business Industry
* Education
* Engineering and Construction Industry
* Federal Government
* Financial Services
* Health Care Providers and Services Industry
* Health Insurance Providers
* Healthcare
* High Technology
* Hospitality
* Hospitality Industry
* Industrial Products And Services Industry
* Information Technology (IT) or Technology Consulting Industry
* Insurance
* Investment Management Industry
* Law Services and Consulting Industry
* Management and Operations Consulting Industry
* Manufacturing
* Media and Entertainment
* Mining
* Nonprofits
* Oil, Gas and Consumable Fuels Industry
* Operational NGOs
* Pharma and Life Sciences
* Professional and Legal Services
* Public Safety
* Real Estate
* Real Estate Management, Brokerage and Service Provider Industry
* Restaurants and Food Service Industry
* Retail, Wholesale and Distribution Industry
* State and Local Government
* Technology Industry
* Telecommunications
* Telecommunications Industry
* Transportation and Logistics
* Transportation Industry
* Utilities and Energy
* Wholesale and Retail

### Ignoble Scorpius

#### Also Known As

Black Suit, BlackSuit, Dapper Scorpius, Roy, Royal, Royal_Group, Zeon

#### Summary

[Ignoble Scorpius](https://unit42.paloaltonetworks.com/tag/ignoble-scorpius/) is a cybercriminal organization specializing in ransomware attacks. First emerging in September 2022 as the Royal ransomware group, it rebranded as BlackSuit around May 2023.

This group comprises experienced members possibly linked to the defunct Conti group.
It has developed custom ransomware payloads, notably introducing the BlackSuit ransomware as a successor to the earlier Royal ransomware. BlackSuit retained over 90% of Royal's codebase.

The group's ransomware targets Windows and Linux systems, including ESXi servers, and employs strong encryption algorithms to render data inaccessible.

#### Sectors Impacted

Ignoble Scorpius has previously impacted organizations in the following sectors:

* Agriculture
* Construction
* Education
* Federal Government
* Financial Services
* Healthcare
* High Technology
* Hospitality
* Insurance
* Manufacturing
* Media and Entertainment
* Nonclassifiable Establishments
* Nonprofits
* Pharma and Life Sciences
* Professional and Legal Services
* Real Estate
* State and Local Government
* Telecommunications
* Transportation and Logistics
* Utilities and Energy
* Wholesale and Retail

### Invisible Scorpius

#### Also Known As

Cloak

#### Summary

Invisible Scorpius is a ransomware group targeting small to medium-sized businesses and using initial access brokers (IABs) for initial access. First seen at the end of 2022, the group is believed to be connected to the Stale Scorpius ransomware group after threat actors posted victim information from Stale Scorpius to Invisible Scorpius' leak site.

#### Sectors Impacted

Invisible Scorpius has previously impacted organizations in the following sectors:

* Federal Government
* Hospitality
* Professional and Legal Services
* State and Local Government
* Transportation and Logistics

### Mushy Scorpius

#### Also Known As

Karakurt, Karakurt Lair, Karakurt Team

#### Summary

Mushy Scorpius is the group behind Karakurt ransomware, known for focusing on extortion. It has links to the Conti RaaS group.
First emerging in 2021, Mushy Scorpius steals intellectual property and demands ransom from victims without encrypting their data, leveraging threats to auction off the sensitive data or release it to the public.

As part of their extortion efforts, they provide victims with screenshots or copies of stolen file directories as evidence of the data theft. They aggressively contact victims' employees, business partners and clients with harassing emails and phone calls. They also leverage stolen data like social security numbers, payment accounts, private emails and other sensitive business information to exert pressure.

Upon receiving ransom payments, Mushy Scorpius has occasionally provided victims with proof that they deleted the stolen files, along with a brief explanation of how they initially breached the victim's defenses. This underlines the group's focus on financial gain, but also that they seek a level of engagement from their victims toward meeting their demands.

#### Sectors Impacted

Mushy Scorpius has previously impacted organizations in the following sectors:

* Agriculture
* Construction
* Education
* Financial Services
* Healthcare
* High Technology
* Hospitality
* Insurance
* Manufacturing
* Media and Entertainment
* Nonprofits
* Pharma and Life Sciences
* Professional and Legal Services
* Real Estate
* State and Local Government
* Telecommunications
* Utilities and Energy
* Wholesale and Retail

### Pilfering Scorpius

#### Also Known As

Robinhood

#### Summary

The Pilfering Scorpius ransomware group gained attention by attacking a number of local and state government entities starting in April 2019. This threat group often gains initial access by phishing, malicious websites and malicious file sharing or downloads.

Once their ransomware has gained access, it obtains persistence by using RDP to spread throughout the victim network.
Initial reporting revealed that humans were largely responsible for operating these attacks, as opposed to them being run by automated processes.

#### Sectors Impacted

Pilfering Scorpius has previously impacted organizations in the following sectors:

* Pharma and Life Sciences
* Utilities and Energy
* Transportation and Logistics
* Education
* Nonprofits
* Insurance
* Healthcare
* Manufacturing
* Federal Government
* State and Local Government
* Real Estate
* Construction
* Financial Services
* Agriculture
* Wholesale and Retail

### Powerful Scorpius

#### Also Known As

BlackByte

#### Summary

[Powerful Scorpius](https://unit42.paloaltonetworks.com/tag/powerful-scorpius/) is a RaaS group operating since July 2021, distributing BlackByte ransomware. This group's operational tactics include exploiting vulnerabilities such as the ProxyShell vulnerability in Microsoft Exchange Servers, using tools like Cobalt Strike, and avoiding detection through obfuscation and anti-debugging techniques.

Their malware checks system languages and exits if it finds Russian or certain Eastern European languages, presumably to avoid impacting systems in those regions. The group uses multi-extortion techniques in their campaigns.

#### Sectors Impacted

Powerful Scorpius has previously impacted organizations in the following sectors:

* Financial Services
* Food and Agriculture
* Government
* Manufacturing
* Wholesale and Retail

### Procedural Scorpius

#### Also Known As

ThreeAM, 3AM

#### Summary

Procedural Scorpius is a ransomware group discovered in September 2023, when researchers noticed Procedural Scorpius' malware being deployed in a failed LockBit attack. This group distributes 3AM ransomware, and is thought to be linked to two other notorious ransomware groups, Conti and Ignoble Scorpius (distributor of Royal ransomware).

Procedural Scorpius escalates their extortion tactics by contacting their victims' social media followers, informing them of the data leak.
They also use bots that post on highly visible X accounts to advertise the leaks. Procedural Scorpius targets medium to large companies in countries not within the Commonwealth of Independent States (CIS).

#### Sectors Impacted

Procedural Scorpius has previously impacted organizations in the following sectors:

* Agriculture
* Financial Services
* Manufacturing
* Professional and Legal Services
* Wholesale and Retail

### Protesting Scorpius

#### Also Known As

Cactus, Cactus Ransomware Group

#### Summary

Protesting Scorpius emerged as a ransomware threat actor in March 2023, employing double-extortion tactics. The group distinguishes itself through innovative tactics, often securing initial access to target networks by exploiting vulnerabilities in internet-facing software and services, such as virtual private network (VPN) appliances. This includes the use of zero-day vulnerabilities. The group also gains access through phishing attacks or by acquiring credentials via partnerships with malware distributors.

Protesting Scorpius targets are located primarily in the U.S. T…