Groups | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Groups | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" 
href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" 
href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div class="sidenav"> <div class="sidenav-head active" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="admin@338-admin@338"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ajax Security Team-Ajax Security Team"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT-C-36-APT-C-36"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT1-APT1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT12-APT12"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT16-APT16"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT17-APT17"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT18-APT18"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT19-APT19"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT28-APT28"> <a href="/versions/v9/groups/G0007/"> APT28 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT29-APT29"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT3-APT3"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT30-APT30"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT32-APT32"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT33-APT33"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT37-APT37"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT38-APT38"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT39-APT39"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT41-APT41"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Axiom-Axiom"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackOasis-BlackOasis"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackTech-BlackTech"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Blue Mockingbird-Blue Mockingbird"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bouncing Golf-Bouncing Golf"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BRONZE BUTLER-BRONZE BUTLER"> <a 
href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Carbanak-Carbanak"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Chimera-Chimera"> <a href="/versions/v9/groups/G0114/"> Chimera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cleaver-Cleaver"> <a href="/versions/v9/groups/G0003/"> Cleaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cobalt Group-Cobalt Group"> <a href="/versions/v9/groups/G0080/"> Cobalt Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CopyKittens-CopyKittens"> <a href="/versions/v9/groups/G0052/"> CopyKittens </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dark Caracal-Dark Caracal"> <a href="/versions/v9/groups/G0070/"> Dark Caracal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Darkhotel-Darkhotel"> <a href="/versions/v9/groups/G0012/"> Darkhotel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkHydrus-DarkHydrus"> <a href="/versions/v9/groups/G0079/"> DarkHydrus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkVishnya-DarkVishnya"> <a href="/versions/v9/groups/G0105/"> DarkVishnya </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Deep Panda-Deep Panda"> <a href="/versions/v9/groups/G0009/"> Deep Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly-Dragonfly"> <a href="/versions/v9/groups/G0035/"> Dragonfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly 2.0-Dragonfly 2.0"> <a href="/versions/v9/groups/G0074/"> Dragonfly 2.0 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DragonOK-DragonOK"> <a href="/versions/v9/groups/G0017/"> DragonOK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dust Storm-Dust 
Storm"> <a href="/versions/v9/groups/G0031/"> Dust Storm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Elderwood-Elderwood"> <a href="/versions/v9/groups/G0066/"> Elderwood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Equation-Equation"> <a href="/versions/v9/groups/G0020/"> Equation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Evilnum-Evilnum"> <a href="/versions/v9/groups/G0120/"> Evilnum </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN10-FIN10"> <a href="/versions/v9/groups/G0051/"> FIN10 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN4-FIN4"> <a href="/versions/v9/groups/G0085/"> FIN4 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN5-FIN5"> <a href="/versions/v9/groups/G0053/"> FIN5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN6-FIN6"> <a href="/versions/v9/groups/G0037/"> FIN6 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN7-FIN7"> <a href="/versions/v9/groups/G0046/"> FIN7 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN8-FIN8"> <a href="/versions/v9/groups/G0061/"> FIN8 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Fox Kitten-Fox Kitten"> <a href="/versions/v9/groups/G0117/"> Fox Kitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Frankenstein-Frankenstein"> <a href="/versions/v9/groups/G0101/"> Frankenstein </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GALLIUM-GALLIUM"> <a href="/versions/v9/groups/G0093/"> GALLIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gallmaker-Gallmaker"> <a href="/versions/v9/groups/G0084/"> Gallmaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gamaredon Group-Gamaredon Group"> <a href="/versions/v9/groups/G0047/"> Gamaredon Group </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="GCMAN-GCMAN"> <a href="/versions/v9/groups/G0036/"> GCMAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GOLD SOUTHFIELD-GOLD SOUTHFIELD"> <a href="/versions/v9/groups/G0115/"> GOLD SOUTHFIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gorgon Group-Gorgon Group"> <a href="/versions/v9/groups/G0078/"> Gorgon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Group5-Group5"> <a href="/versions/v9/groups/G0043/"> Group5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HAFNIUM-HAFNIUM"> <a href="/versions/v9/groups/G0125/"> HAFNIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Higaisa-Higaisa"> <a href="/versions/v9/groups/G0126/"> Higaisa </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Honeybee-Honeybee"> <a href="/versions/v9/groups/G0072/"> Honeybee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Inception-Inception"> <a href="/versions/v9/groups/G0100/"> Inception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Indrik Spider-Indrik Spider"> <a href="/versions/v9/groups/G0119/"> Indrik Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ke3chang-Ke3chang"> <a href="/versions/v9/groups/G0004/"> Ke3chang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kimsuky-Kimsuky"> <a href="/versions/v9/groups/G0094/"> Kimsuky </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lazarus Group-Lazarus Group"> <a href="/versions/v9/groups/G0032/"> Lazarus Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leafminer-Leafminer"> <a href="/versions/v9/groups/G0077/"> Leafminer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leviathan-Leviathan"> <a href="/versions/v9/groups/G0065/"> Leviathan </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Lotus Blossom-Lotus Blossom"> <a href="/versions/v9/groups/G0030/"> Lotus Blossom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Machete-Machete"> <a href="/versions/v9/groups/G0095/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Magic Hound-Magic Hound"> <a href="/versions/v9/groups/G0059/"> Magic Hound </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="menuPass-menuPass"> <a href="/versions/v9/groups/G0045/"> menuPass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Moafee-Moafee"> <a href="/versions/v9/groups/G0002/"> Moafee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mofang-Mofang"> <a href="/versions/v9/groups/G0103/"> Mofang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Molerats-Molerats"> <a href="/versions/v9/groups/G0021/"> Molerats </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MuddyWater-MuddyWater"> <a href="/versions/v9/groups/G0069/"> MuddyWater </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mustang Panda-Mustang Panda"> <a href="/versions/v9/groups/G0129/"> Mustang Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Naikon-Naikon"> <a href="/versions/v9/groups/G0019/"> Naikon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NEODYMIUM-NEODYMIUM"> <a href="/versions/v9/groups/G0055/"> NEODYMIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Night Dragon-Night Dragon"> <a href="/versions/v9/groups/G0014/"> Night Dragon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OilRig-OilRig"> <a href="/versions/v9/groups/G0049/"> OilRig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Operation Wocao-Operation Wocao"> <a href="/versions/v9/groups/G0116/"> Operation Wocao </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Orangeworm-Orangeworm"> <a href="/versions/v9/groups/G0071/"> Orangeworm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Patchwork-Patchwork"> <a href="/versions/v9/groups/G0040/"> Patchwork </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PittyTiger-PittyTiger"> <a href="/versions/v9/groups/G0011/"> PittyTiger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PLATINUM-PLATINUM"> <a href="/versions/v9/groups/G0068/"> PLATINUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Poseidon Group-Poseidon Group"> <a href="/versions/v9/groups/G0033/"> Poseidon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PROMETHIUM-PROMETHIUM"> <a href="/versions/v9/groups/G0056/"> PROMETHIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Putter Panda-Putter Panda"> <a href="/versions/v9/groups/G0024/"> Putter Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rancor-Rancor"> <a href="/versions/v9/groups/G0075/"> Rancor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rocke-Rocke"> <a href="/versions/v9/groups/G0106/"> Rocke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RTM-RTM"> <a href="/versions/v9/groups/G0048/"> RTM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sandworm Team-Sandworm Team"> <a href="/versions/v9/groups/G0034/"> Sandworm Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Scarlet Mimic-Scarlet Mimic"> <a href="/versions/v9/groups/G0029/"> Scarlet Mimic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sharpshooter-Sharpshooter"> <a href="/versions/v9/groups/G0104/"> Sharpshooter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sidewinder-Sidewinder"> <a href="/versions/v9/groups/G0121/"> Sidewinder </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="Silence-Silence"> <a href="/versions/v9/groups/G0091/"> Silence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Silent Librarian-Silent Librarian"> <a href="/versions/v9/groups/G0122/"> Silent Librarian </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SilverTerrier-SilverTerrier"> <a href="/versions/v9/groups/G0083/"> SilverTerrier </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sowbug-Sowbug"> <a href="/versions/v9/groups/G0054/"> Sowbug </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stealth Falcon-Stealth Falcon"> <a href="/versions/v9/groups/G0038/"> Stealth Falcon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stolen Pencil-Stolen Pencil"> <a href="/versions/v9/groups/G0086/"> Stolen Pencil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Strider-Strider"> <a href="/versions/v9/groups/G0041/"> Strider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Suckfly-Suckfly"> <a href="/versions/v9/groups/G0039/"> Suckfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA459-TA459"> <a href="/versions/v9/groups/G0062/"> TA459 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA505-TA505"> <a href="/versions/v9/groups/G0092/"> TA505 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA551-TA551"> <a href="/versions/v9/groups/G0127/"> TA551 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Taidoor-Taidoor"> <a href="/versions/v9/groups/G0015/"> Taidoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TEMP.Veles-TEMP.Veles"> <a href="/versions/v9/groups/G0088/"> TEMP.Veles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="The White Company-The White Company"> <a href="/versions/v9/groups/G0089/"> The White Company </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Threat Group-1314-Threat Group-1314"> <a href="/versions/v9/groups/G0028/"> Threat Group-1314 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Threat Group-3390-Threat Group-3390"> <a href="/versions/v9/groups/G0027/"> Threat Group-3390 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Thrip-Thrip"> <a href="/versions/v9/groups/G0076/"> Thrip </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tropic Trooper-Tropic Trooper"> <a href="/versions/v9/groups/G0081/"> Tropic Trooper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Turla-Turla"> <a href="/versions/v9/groups/G0010/"> Turla </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Volatile Cedar-Volatile Cedar"> <a href="/versions/v9/groups/G0123/"> Volatile Cedar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Whitefly-Whitefly"> <a href="/versions/v9/groups/G0107/"> Whitefly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windigo-Windigo"> <a href="/versions/v9/groups/G0124/"> Windigo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windshift-Windshift"> <a href="/versions/v9/groups/G0112/"> Windshift </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Winnti Group-Winnti Group"> <a href="/versions/v9/groups/G0044/"> Winnti Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WIRTE-WIRTE"> <a href="/versions/v9/groups/G0090/"> WIRTE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Wizard Spider-Wizard Spider"> <a href="/versions/v9/groups/G0102/"> Wizard Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZIRCONIUM-ZIRCONIUM"> <a href="/versions/v9/groups/G0128/"> ZIRCONIUM </a> </div> </div> </div> <div class="group-nav-mobile-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div class="sidenav"> 
<div class="sidenav-head active" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="9bc10ab42f5041809586a8061be87f54"> <span>A-B</span> <div class="expand-button collapsed" id="9bc10ab42f5041809586a8061be87f54-header" data-toggle="collapse" data-target="#9bc10ab42f5041809586a8061be87f54-body" aria-expanded="false" aria-controls="#9bc10ab42f5041809586a8061be87f54-body"></div> </div> <div class="sidenav-body collapse" id="9bc10ab42f5041809586a8061be87f54-body" aria-labelledby="9bc10ab42f5041809586a8061be87f54-header"> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-eb897c1f5ad6440c8f00aec9a67b84c6"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8fd5ab8725924d97ba0b2eba004f2fee"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-c32bf624d6bf42ce95707467e8b90269"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0c3154fe96b343078274c0dc2f23dda1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-843a69656c2b482bb3b10d76f7c6e16f"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1ab49126b7894fcfae69deeac14618fc"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f88228946e41453e92e38c5866a4212f"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="9bc10ab42f5041809586a8061be87f54-26f2dc710f78450dbbc1be11faa21ddd"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1fdff936c860439ebe70a7ff3be5989d"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-fb8607b2690341d89cde7ca7a69c91c6"> <a href="/versions/v9/groups/G0007/"> APT28 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-9e54c5fbd52e4859b9fc4fcf11335e4c"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3a223da5b87447f0bbd859a5bba79ce0"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0fc20a27442549099f96a0595e939e69"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-311b6fd499004f0ab3c936b9a5db4817"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f2d9fa39e41344d3bb3e0d64ba14a219"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4706e13c21cf48e59061dbbaab2ecc84"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-080b6603df0c41b394986e93492c6baa"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4df65ad27985448e8d0570867a13bf45"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-06a4b5899d3549e3aa5e4d4ac0adc511"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f1cd11a66db84516a3520405067f85dc"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-5fc1a029befe48b587d4dece1a6bfeeb"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-7d8f8060918143018a61b7d75fae5d61"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3c28366e21404f609b54930888771a75"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-b83df494e0cf43a7a348dcfe001722de"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8080a2475195401ab077c1180ab335bb"> <a href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="c9652acf849c48b6b237f8b1ebf4fe78"> <span>C-D</span> <div class="expand-button collapsed" id="c9652acf849c48b6b237f8b1ebf4fe78-header" data-toggle="collapse" data-target="#c9652acf849c48b6b237f8b1ebf4fe78-body" aria-expanded="false" aria-controls="#c9652acf849c48b6b237f8b1ebf4fe78-body"></div> </div> <div class="sidenav-body collapse" id="c9652acf849c48b6b237f8b1ebf4fe78-body" aria-labelledby="c9652acf849c48b6b237f8b1ebf4fe78-header"> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-db8b931f952d412e9d12e18c2c6681fc"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div 
class="sidenav"> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" 
aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <div class="overflow-x-auto"> <h1> Groups </h1> <p>Groups are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various analytic methodologies and terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. Some groups have multiple names associated with similar activities due to various organizations tracking similar activities by different names. Organizations' group definitions may partially overlap with groups designated by other organizations and may disagree on specific activity.</p> <p>For the purposes of the Group pages, the MITRE ATT&CK team uses the term Group to refer to any of the above designations for a cluster of adversary activity. The team makes a best effort to track overlaps between names based on publicly reported associations, which are designated as “Associated Groups” on each page (formerly labeled “Aliases”), because we believe these overlaps are useful for analyst awareness. We do not represent these names as exact overlaps and encourage analysts to do additional research.</p> <p>Groups are mapped to publicly reported technique use and original references are included. The information provided does not represent all possible technique use by Groups, but rather a subset that is available solely through open source reporting. 
Groups are also mapped to reported Software used, and technique use for that Software is tracked separately on each Software page.</p> <h6 class="table-object-count">Groups: 122</h6> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Associated Groups</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/groups/G0018"> G0018 </a> </td> <td> <a href="/versions/v9/groups/G0018"> admin@338 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0018">admin@338</a> is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as <a href="/versions/v9/software/S0012">PoisonIvy</a>, as well as some non-public backdoors. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0130"> G0130 </a> </td> <td> <a href="/versions/v9/groups/G0130"> Ajax Security Team </a> </td> <td> Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose </td> <td> <p><a href="/versions/v9/groups/G0130">Ajax Security Team</a> is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 <a href="/versions/v9/groups/G0130">Ajax Security Team</a> transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0099"> G0099 </a> </td> <td> <a href="/versions/v9/groups/G0099"> APT-C-36 </a> </td> <td> Blind Eagle </td> <td> <p><a href="/versions/v9/groups/G0099">APT-C-36</a> is a suspected South America espionage group that has been active since at least 2018. 
The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0006"> G0006 </a> </td> <td> <a href="/versions/v9/groups/G0006"> APT1 </a> </td> <td> Comment Crew, Comment Group, Comment Panda </td> <td> <p><a href="/versions/v9/groups/G0006">APT1</a> is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0005"> G0005 </a> </td> <td> <a href="/versions/v9/groups/G0005"> APT12 </a> </td> <td> IXESHE, DynCalc, Numbered Panda, DNSCALC </td> <td> <p><a href="/versions/v9/groups/G0005">APT12</a> is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0023"> G0023 </a> </td> <td> <a href="/versions/v9/groups/G0023"> APT16 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0023">APT16</a> is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0025"> G0025 </a> </td> <td> <a href="/versions/v9/groups/G0025"> APT17 </a> </td> <td> Deputy Dog </td> <td> <p><a href="/versions/v9/groups/G0025">APT17</a> is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0026"> G0026 </a> </td> <td> <a href="/versions/v9/groups/G0026"> APT18 </a> </td> <td> TG-0416, Dynamite Panda, Threat Group-0416 </td> <td> <p><a href="/versions/v9/groups/G0026">APT18</a> is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0073"> G0073 </a> </td> <td> <a href="/versions/v9/groups/G0073"> APT19 </a> </td> <td> Codoso, C0d0so0, Codoso Team, Sunshop Group </td> <td> <p><a href="/versions/v9/groups/G0073">APT19</a> is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track <a href="/versions/v9/groups/G0073">APT19</a> and <a href="/versions/v9/groups/G0009">Deep Panda</a> as the same group, but it is unclear from open source information if the groups are the same. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v9/groups/G0007"> APT28 </a> </td> <td> SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. </p><p><a href="/versions/v9/groups/G0007">APT28</a> reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 
In 2018, the US indicted five GRU Unit 26165 officers associated with <a href="/versions/v9/groups/G0007">APT28</a> for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as <a href="/versions/v9/groups/G0034">Sandworm Team</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v9/groups/G0016"> APT29 </a> </td> <td> Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke </td> <td> <p><a href="/versions/v9/groups/G0016">APT29</a> is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. <a href="/versions/v9/groups/G0016">APT29</a> reportedly compromised the Democratic National Committee starting in the summer of 2015.</p><p>In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to <a href="/versions/v9/groups/G0016">APT29</a>, Cozy Bear, and The Dukes. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. 
Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v9/groups/G0022"> APT3 </a> </td> <td> Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110 </td> <td> <p><a href="/versions/v9/groups/G0022">APT3</a> is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. </p><p>MITRE has also developed an APT3 Adversary Emulation Plan.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0013"> G0013 </a> </td> <td> <a href="/versions/v9/groups/G0013"> APT30 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0013">APT30</a> is a threat group suspected to be associated with the Chinese government. While <a href="/versions/v9/groups/G0019">Naikon</a> shares some characteristics with <a href="/versions/v9/groups/G0013">APT30</a>, the two groups do not appear to be exact matches.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v9/groups/G0050"> APT32 </a> </td> <td> SeaLotus, OceanLotus, APT-C-00 </td> <td> <p><a href="/versions/v9/groups/G0050">APT32</a> is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. 
The group is believed to be Vietnam-based.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0064"> G0064 </a> </td> <td> <a href="/versions/v9/groups/G0064"> APT33 </a> </td> <td> HOLMIUM, Elfin </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0067"> G0067 </a> </td> <td> <a href="/versions/v9/groups/G0067"> APT37 </a> </td> <td> ScarCruft, Reaper, Group123, TEMP.Reaper </td> <td> <p><a href="/versions/v9/groups/G0067">APT37</a> is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. <a href="/versions/v9/groups/G0067">APT37</a> has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. </p><p>North Korean group definitions are known to have significant overlap, and the name <a href="/versions/v9/groups/G0032">Lazarus Group</a> is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. 
Some organizations track North Korean clusters or groups such as Bluenoroff, <a href="/versions/v9/groups/G0067">APT37</a>, and <a href="/versions/v9/groups/G0082">APT38</a> separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0082"> G0082 </a> </td> <td> <a href="/versions/v9/groups/G0082"> APT38 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0082">APT38</a> is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.</p><p>North Korean group definitions are known to have significant overlap, and the name <a href="/versions/v9/groups/G0032">Lazarus Group</a> is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, <a href="/versions/v9/groups/G0067">APT37</a>, and <a href="/versions/v9/groups/G0082">APT38</a> separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v9/groups/G0087"> APT39 </a> </td> <td> REMIX KITTEN, ITG07, Chafer </td> <td> <p><a href="/versions/v9/groups/G0087">APT39</a> is one of several names for cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. 
<a href="/versions/v9/groups/G0087">APT39</a> has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v9/groups/G0096"> APT41 </a> </td> <td> WICKED PANDA </td> <td> <p><a href="/versions/v9/groups/G0096">APT41</a> is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. <a href="/versions/v9/groups/G0096">APT41</a> has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0001"> G0001 </a> </td> <td> <a href="/versions/v9/groups/G0001"> Axiom </a> </td> <td> Group 72 </td> <td> <p><a href="/versions/v9/groups/G0001">Axiom</a> is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. Though both this group and <a href="/versions/v9/groups/G0044">Winnti Group</a> use the malware <a href="/versions/v9/software/S0141">Winnti for Windows</a>, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0063"> G0063 </a> </td> <td> <a href="/versions/v9/groups/G0063"> BlackOasis </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0063">BlackOasis</a> is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. 
A group known by Microsoft as <a href="/versions/v9/groups/G0055">NEODYMIUM</a> is reportedly associated closely with <a href="/versions/v9/groups/G0063">BlackOasis</a> operations, but evidence that the group names are aliases has not been identified. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0098"> G0098 </a> </td> <td> <a href="/versions/v9/groups/G0098"> BlackTech </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0098">BlackTech</a> is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0108"> G0108 </a> </td> <td> <a href="/versions/v9/groups/G0108"> Blue Mockingbird </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0108">Blue Mockingbird</a> is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0097"> G0097 </a> </td> <td> <a href="/versions/v9/groups/G0097"> Bouncing Golf </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0097">Bouncing Golf</a> is a cyberespionage campaign targeting Middle Eastern countries.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0060"> G0060 </a> </td> <td> <a href="/versions/v9/groups/G0060"> BRONZE BUTLER </a> </td> <td> REDBALDKNIGHT, Tick </td> <td> <p><a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> is a cyber espionage group with likely Chinese origins that has been active since at least 2008. 
The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0008"> G0008 </a> </td> <td> <a href="/versions/v9/groups/G0008"> Carbanak </a> </td> <td> Anunak, Carbon Spider </td> <td> <p><a href="/versions/v9/groups/G0008">Carbanak</a> is a threat group that mainly targets banks. It also refers to malware of the same name (<a href="/versions/v9/software/S0030">Carbanak</a>). It is sometimes referred to as <a href="/versions/v9/groups/G0046">FIN7</a>, but these appear to be two groups using the same <a href="/versions/v9/software/S0030">Carbanak</a> malware and are therefore tracked separately. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v9/groups/G0114"> Chimera </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0114">Chimera</a> is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0003"> G0003 </a> </td> <td> <a href="/versions/v9/groups/G0003"> Cleaver </a> </td> <td> Threat Group 2889, TG-2889 </td> <td> <p><a href="/versions/v9/groups/G0003">Cleaver</a> is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0080"> G0080 </a> </td> <td> <a href="/versions/v9/groups/G0080"> Cobalt Group </a> </td> <td> Cobalt Gang, Cobalt Spider </td> <td> <p><a href="/versions/v9/groups/G0080">Cobalt Group</a> is a financially motivated threat group that has primarily targeted financial institutions. 
The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. <a href="/versions/v9/groups/G0080">Cobalt Group</a> has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. Reporting indicates there may be links between <a href="/versions/v9/groups/G0080">Cobalt Group</a> and both the malware <a href="/versions/v9/software/S0030">Carbanak</a> and the group <a href="/versions/v9/groups/G0008">Carbanak</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0052"> G0052 </a> </td> <td> <a href="/versions/v9/groups/G0052"> CopyKittens </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0052">CopyKittens</a> is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0070"> G0070 </a> </td> <td> <a href="/versions/v9/groups/G0070"> Dark Caracal </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0070">Dark Caracal</a> is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0012"> G0012 </a> </td> <td> <a href="/versions/v9/groups/G0012"> Darkhotel </a> </td> <td> DUBNIUM </td> <td> <p><a href="/versions/v9/groups/G0012">Darkhotel</a> is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. 
The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. <a href="/versions/v9/groups/G0012">Darkhotel</a> has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0079"> G0079 </a> </td> <td> <a href="/versions/v9/groups/G0079"> DarkHydrus </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0079">DarkHydrus</a> is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0105"> G0105 </a> </td> <td> <a href="/versions/v9/groups/G0105"> DarkVishnya </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0105">DarkVishnya</a> is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0009"> G0009 </a> </td> <td> <a href="/versions/v9/groups/G0009"> Deep Panda </a> </td> <td> Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine </td> <td> <p><a href="/versions/v9/groups/G0009">Deep Panda</a> is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. The intrusion into healthcare company Anthem has been attributed to <a href="/versions/v9/groups/G0009">Deep Panda</a>. This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. <a href="/versions/v9/groups/G0009">Deep Panda</a> also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. 
Some analysts track <a href="/versions/v9/groups/G0009">Deep Panda</a> and <a href="/versions/v9/groups/G0073">APT19</a> as the same group, but it is unclear from open source information if the groups are the same. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0035"> G0035 </a> </td> <td> <a href="/versions/v9/groups/G0035"> Dragonfly </a> </td> <td> TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear </td> <td> <p><a href="/versions/v9/groups/G0035">Dragonfly</a> is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted focus to include the energy sector in early 2013. They have also targeted companies related to industrial control systems. </p><p>A similar group emerged in 2015 and was identified by Symantec as <a href="/versions/v9/groups/G0074">Dragonfly 2.0</a>. There is debate over the extent of the overlap between <a href="/versions/v9/groups/G0035">Dragonfly</a> and <a href="/versions/v9/groups/G0074">Dragonfly 2.0</a>, but there is sufficient evidence to lead to these being tracked as two separate groups. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0074"> G0074 </a> </td> <td> <a href="/versions/v9/groups/G0074"> Dragonfly 2.0 </a> </td> <td> IRON LIBERTY, DYMALLOY, Berserk Bear </td> <td> <p><a href="/versions/v9/groups/G0074">Dragonfly 2.0</a> is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. There is debate over the extent of overlap between <a href="/versions/v9/groups/G0074">Dragonfly 2.0</a> and <a href="/versions/v9/groups/G0035">Dragonfly</a>, but there is sufficient evidence to lead to these being tracked as two separate groups. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0017"> G0017 </a> </td> <td> <a href="/versions/v9/groups/G0017"> DragonOK </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0017">DragonOK</a> is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, <a href="/versions/v9/groups/G0017">DragonOK</a> is thought to have a direct or indirect relationship with the threat group <a href="/versions/v9/groups/G0002">Moafee</a>. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0031"> G0031 </a> </td> <td> <a href="/versions/v9/groups/G0031"> Dust Storm </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0031">Dust Storm</a> is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0066"> G0066 </a> </td> <td> <a href="/versions/v9/groups/G0066"> Elderwood </a> </td> <td> Elderwood Gang, Beijing Group, Sneaky Panda </td> <td> <p><a href="/versions/v9/groups/G0066">Elderwood</a> is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0020"> G0020 </a> </td> <td> <a href="/versions/v9/groups/G0020"> Equation </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0020">Equation</a> is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0120"> G0120 </a> </td> <td> <a href="/versions/v9/groups/G0120"> Evilnum </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0120">Evilnum</a> is a financially motivated threat group that has been active since at least 2018.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0051"> G0051 </a> </td> <td> <a href="/versions/v9/groups/G0051"> FIN10 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0051">FIN10</a> is a financially motivated threat group that targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0085"> G0085 </a> </td> <td> <a href="/versions/v9/groups/G0085"> FIN4 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0085">FIN4</a> is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. <a href="/versions/v9/groups/G0085">FIN4</a> is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0053"> G0053 </a> </td> <td> <a href="/versions/v9/groups/G0053"> FIN5 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0053">FIN5</a> is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0037"> G0037 </a> </td> <td> <a href="/versions/v9/groups/G0037"> FIN6 </a> </td> <td> Magecart Group 6, SKELETON SPIDER, ITG08 </td> <td> <p><a href="/versions/v9/groups/G0037">FIN6</a> is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0046"> G0046 </a> </td> <td> <a href="/versions/v9/groups/G0046"> FIN7 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0046">FIN7</a> is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of <a href="/versions/v9/groups/G0046">FIN7</a> was run out of a front company called Combi Security. <a href="/versions/v9/groups/G0046">FIN7</a> is sometimes referred to as <a href="/versions/v9/groups/G0008">Carbanak</a> Group, but these appear to be two groups using the same <a href="/versions/v9/software/S0030">Carbanak</a> malware and are therefore tracked separately. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v9/groups/G0061"> FIN8 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0061">FIN8</a> is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0117"> G0117 </a> </td> <td> <a href="/versions/v9/groups/G0117"> Fox Kitten </a> </td> <td> UNC757, PIONEER KITTEN, Parisite </td> <td> <p><a href="/versions/v9/groups/G0117">Fox Kitten</a> is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. <a href="/versions/v9/groups/G0117">Fox Kitten</a> has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0101"> G0101 </a> </td> <td> <a href="/versions/v9/groups/G0101"> Frankenstein </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0101">Frankenstein</a> is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v9/groups/G0093"> GALLIUM </a> </td> <td> Operation Soft Cell </td> <td> <p><a href="/versions/v9/groups/G0093">GALLIUM</a> is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. <a href="/versions/v9/groups/G0093">GALLIUM</a> has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0084"> G0084 </a> </td> <td> <a href="/versions/v9/groups/G0084"> Gallmaker </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0084">Gallmaker</a> is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. 
The group has mainly targeted victims in the defense, military, and government sectors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v9/groups/G0047"> Gamaredon Group </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0047">Gamaredon Group</a> is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name <a href="/versions/v9/groups/G0047">Gamaredon Group</a> comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0036"> G0036 </a> </td> <td> <a href="/versions/v9/groups/G0036"> GCMAN </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0036">GCMAN</a> is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0115"> G0115 </a> </td> <td> <a href="/versions/v9/groups/G0115"> GOLD SOUTHFIELD </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0115">GOLD SOUTHFIELD</a> is a financially motivated threat group active since at least 2019 that operates the <a href="/versions/v9/software/S0496">REvil</a> Ransomware-as-a-Service (RaaS). <a href="/versions/v9/groups/G0115">GOLD SOUTHFIELD</a> provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0078"> G0078 </a> </td> <td> <a href="/versions/v9/groups/G0078"> Gorgon Group </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0078">Gorgon Group</a> is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. 
The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0043"> G0043 </a> </td> <td> <a href="/versions/v9/groups/G0043"> Group5 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0043">Group5</a> is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. <a href="/versions/v9/groups/G0043">Group5</a> has used two commonly available remote access tools (RATs), <a href="/versions/v9/software/S0385">njRAT</a> and <a href="/versions/v9/software/S0336">NanoCore</a>, as well as an Android RAT, DroidJack. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0125"> G0125 </a> </td> <td> <a href="/versions/v9/groups/G0125"> HAFNIUM </a> </td> <td> Operation Exchange Marauder </td> <td> <p><a href="/versions/v9/groups/G0125">HAFNIUM</a> is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. <a href="/versions/v9/groups/G0125">HAFNIUM</a> primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0126"> G0126 </a> </td> <td> <a href="/versions/v9/groups/G0126"> Higaisa </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0126">Higaisa</a> is a threat group suspected to have South Korean origins. <a href="/versions/v9/groups/G0126">Higaisa</a> has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. 
<a href="/versions/v9/groups/G0126">Higaisa</a> was first disclosed in early 2019 but is assessed to have operated as early as 2009.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0072"> G0072 </a> </td> <td> <a href="/versions/v9/groups/G0072"> Honeybee </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0072">Honeybee</a> is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. The operation has been active since August 2017 and was seen as recently as February 2018. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0100"> G0100 </a> </td> <td> <a href="/versions/v9/groups/G0100"> Inception </a> </td> <td> Inception Framework, Cloud Atlas </td> <td> <p><a href="/versions/v9/groups/G0100">Inception</a> is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0119"> G0119 </a> </td> <td> <a href="/versions/v9/groups/G0119"> Indrik Spider </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0119">Indrik Spider</a> is a financially motivated threat group that has leveraged the Dridex banking trojan since at least June 2014 and delivered ransomware variants since 2017. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0004"> G0004 </a> </td> <td> <a href="/versions/v9/groups/G0004"> Ke3chang </a> </td> <td> APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT </td> <td> <p><a href="/versions/v9/groups/G0004">Ke3chang</a> is a threat group attributed to actors operating out of China. <a href="/versions/v9/groups/G0004">Ke3chang</a> has targeted several industries, including oil, government, military, and more. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v9/groups/G0094"> Kimsuky </a> </td> <td> Thallium, Black Banshee, Velvet Chollima </td> <td> <p><a href="/versions/v9/groups/G0094">Kimsuky</a> is a North Korean-based threat group that has been active since at least September 2013. The group initially focused on targeting Korean think tanks and DPRK/nuclear-related targets, expanding recently to the United States, Russia, and Europe. The group was attributed as the actor behind the Korea Hydro & Nuclear Power Co. compromise.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v9/groups/G0032"> Lazarus Group </a> </td> <td> HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY </td> <td> <p><a href="/versions/v9/groups/G0032">Lazarus Group</a> is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by <a href="/versions/v9/groups/G0032">Lazarus Group</a> correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. In late 2017, <a href="/versions/v9/groups/G0032">Lazarus Group</a> used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. </p><p>North Korean group definitions are known to have significant overlap, and the name <a href="/versions/v9/groups/G0032">Lazarus Group</a> is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. 
Some organizations track North Korean clusters or groups such as Bluenoroff, <a href="/versions/v9/groups/G0067">APT37</a>, and <a href="/versions/v9/groups/G0082">APT38</a> separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0077"> G0077 </a> </td> <td> <a href="/versions/v9/groups/G0077"> Leafminer </a> </td> <td> Raspite </td> <td> <p><a href="/versions/v9/groups/G0077">Leafminer</a> is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v9/groups/G0065"> Leviathan </a> </td> <td> TEMP.Jumper, APT40, TEMP.Periscope </td> <td> <p><a href="/versions/v9/groups/G0065">Leviathan</a> is a cyber espionage group that has been active since at least 2013. The group generally targets defense and government organizations, but has also targeted a range of industries including engineering firms, shipping and transportation, manufacturing, defense, government offices, and research universities in the United States, Western Europe, and along the South China Sea. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0030"> G0030 </a> </td> <td> <a href="/versions/v9/groups/G0030"> Lotus Blossom </a> </td> <td> DRAGONFISH, Spring Dragon </td> <td> <p><a href="/versions/v9/groups/G0030">Lotus Blossom</a> is a threat group that has targeted government and military organizations in Southeast Asia. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0095"> G0095 </a> </td> <td> <a href="/versions/v9/groups/G0095"> Machete </a> </td> <td> APT-C-43, El Machete </td> <td> <p><a href="/versions/v9/groups/G0095">Machete</a> is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. 
It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. <a href="/versions/v9/groups/G0095">Machete</a> generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v9/groups/G0059"> Magic Hound </a> </td> <td> COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35 </td> <td> <p><a href="/versions/v9/groups/G0059">Magic Hound</a> is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, dating back as early as 2014. The group typically targets U.S. and Middle Eastern military organizations, as well as other government personnel, via complex social engineering campaigns.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v9/groups/G0045"> menuPass </a> </td> <td> Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH </td> <td> <p><a href="/versions/v9/groups/G0045">menuPass</a> is a threat group that has been active since at least 2006. Individual members of <a href="/versions/v9/groups/G0045">menuPass</a> are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.</p><p><a href="/versions/v9/groups/G0045">menuPass</a> has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. 
In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0002"> G0002 </a> </td> <td> <a href="/versions/v9/groups/G0002"> Moafee </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0002">Moafee</a> is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group <a href="/versions/v9/groups/G0017">DragonOK</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0103"> G0103 </a> </td> <td> <a href="/versions/v9/groups/G0103"> Mofang </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0103">Mofang</a> is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0021"> G0021 </a> </td> <td> <a href="/versions/v9/groups/G0021"> Molerats </a> </td> <td> Operation Molerats, Gaza Cybergang </td> <td> <p><a href="/versions/v9/groups/G0021">Molerats</a> is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. 
The group's victims have primarily been in the Middle East, Europe, and the United States.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v9/groups/G0069"> MuddyWater </a> </td> <td> Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros </td> <td> <p><a href="/versions/v9/groups/G0069">MuddyWater</a> is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to <a href="/versions/v9/groups/G0046">FIN7</a>, but the group is believed to be a distinct group possibly motivated by espionage.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v9/groups/G0129"> Mustang Panda </a> </td> <td> TA416, RedDelta, BRONZE PRESIDENT </td> <td> <p><a href="/versions/v9/groups/G0129">Mustang Panda</a> is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. <a href="/versions/v9/groups/G0129">Mustang Panda</a> has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0019"> G0019 </a> </td> <td> <a href="/versions/v9/groups/G0019"> Naikon </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0019">Naikon</a> is a threat group that has focused on targets around the South China Sea. The group has been attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). 
While <a href="/versions/v9/groups/G0019">Naikon</a> shares some characteristics with <a href="/versions/v9/groups/G0013">APT30</a>, the two groups do not appear to be exact matches.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0055"> G0055 </a> </td> <td> <a href="/versions/v9/groups/G0055"> NEODYMIUM </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0055">NEODYMIUM</a> is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called <a href="/versions/v9/groups/G0056">PROMETHIUM</a> due to overlapping victim and campaign characteristics. <a href="/versions/v9/groups/G0055">NEODYMIUM</a> is reportedly associated closely with <a href="/versions/v9/groups/G0063">BlackOasis</a> operations, but evidence that the group names are aliases has not been identified. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0014"> G0014 </a> </td> <td> <a href="/versions/v9/groups/G0014"> Night Dragon </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0014">Night Dragon</a> is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v9/groups/G0049"> OilRig </a> </td> <td> COBALT GYPSY, IRN2, HELIX KITTEN, APT34 </td> <td> <p><a href="/versions/v9/groups/G0049">OilRig</a> is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. 
FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0116"> G0116 </a> </td> <td> <a href="/versions/v9/groups/G0116"> Operation Wocao </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0116">Operation Wocao</a> described activities carried out by a China-based cyber espionage adversary. <a href="/versions/v9/groups/G0116">Operation Wocao</a> targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. <a href="/versions/v9/groups/G0116">Operation Wocao</a> used similar TTPs and tools to APT20, suggesting a possible overlap.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0071"> G0071 </a> </td> <td> <a href="/versions/v9/groups/G0071"> Orangeworm </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0071">Orangeworm</a> is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v9/groups/G0040"> Patchwork </a> </td> <td> Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover </td> <td> <p><a href="/versions/v9/groups/G0040">Patchwork</a> is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. 
<a href="/versions/v9/groups/G0040">Patchwork</a> has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. <a href="/versions/v9/groups/G0040">Patchwork</a> was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0011"> G0011 </a> </td> <td> <a href="/versions/v9/groups/G0011"> PittyTiger </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0011">PittyTiger</a> is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0068"> G0068 </a> </td> <td> <a href="/versions/v9/groups/G0068"> PLATINUM </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0068">PLATINUM</a> is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0033"> G0033 </a> </td> <td> <a href="/versions/v9/groups/G0033"> Poseidon Group </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0033">Poseidon Group</a> is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the <a href="/versions/v9/groups/G0033">Poseidon Group</a> as a security firm. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0056"> G0056 </a> </td> <td> <a href="/versions/v9/groups/G0056"> PROMETHIUM </a> </td> <td> StrongPity </td> <td> <p><a href="/versions/v9/groups/G0056">PROMETHIUM</a> is an activity group focused on espionage that has been active since at least 2012. 
The group has conducted operations globally with a heavy emphasis on Turkish targets. <a href="/versions/v9/groups/G0056">PROMETHIUM</a> has demonstrated similarity to another activity group called <a href="/versions/v9/groups/G0055">NEODYMIUM</a> due to overlapping victim and campaign characteristics.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0024"> G0024 </a> </td> <td> <a href="/versions/v9/groups/G0024"> Putter Panda </a> </td> <td> APT2, MSUpdater </td> <td> <p><a href="/versions/v9/groups/G0024">Putter Panda</a> is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0075"> G0075 </a> </td> <td> <a href="/versions/v9/groups/G0075"> Rancor </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0075">Rancor</a> is a threat group that has led targeted campaigns against the Southeast Asia region. <a href="/versions/v9/groups/G0075">Rancor</a> uses politically-motivated lures to entice victims to open malicious documents. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0106"> G0106 </a> </td> <td> <a href="/versions/v9/groups/G0106"> Rocke </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0106">Rocke</a> is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name <a href="/versions/v9/groups/G0106">Rocke</a> comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. 
Researchers have detected overlaps between <a href="/versions/v9/groups/G0106">Rocke</a> and the Iron Cybercrime Group, though this attribution has not been confirmed.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0048"> G0048 </a> </td> <td> <a href="/versions/v9/groups/G0048"> RTM </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0048">RTM</a> is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (<a href="/versions/v9/software/S0148">RTM</a>). </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v9/groups/G0034"> Sandworm Team </a> </td> <td> ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR </td> <td> <p><a href="/versions/v9/groups/G0034">Sandworm Team</a> is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009.</p><p>In October 2020, the US indicted six GRU Unit 74455 officers associated with <a href="/versions/v9/groups/G0034">Sandworm Team</a> for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide <a href="/versions/v9/software/S0368">NotPetya</a> attack, targeting of the 2017 French presidential campaign, the 2018 <a href="/versions/v9/software/S0365">Olympic Destroyer</a> attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019. 
Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as <a href="/versions/v9/groups/G0007">APT28</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0029"> G0029 </a> </td> <td> <a href="/versions/v9/groups/G0029"> Scarlet Mimic </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0029">Scarlet Mimic</a> is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by <a href="/versions/v9/groups/G0029">Scarlet Mimic</a> and <a href="/versions/v9/groups/G0024">Putter Panda</a>, it has not been concluded that the groups are the same. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0104"> G0104 </a> </td> <td> <a href="/versions/v9/groups/G0104"> Sharpshooter </a> </td> <td> </td> <td> <p>Operation <a href="/versions/v9/groups/G0104">Sharpshooter</a> is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and <a href="/versions/v9/groups/G0032">Lazarus Group</a> have been noted, definitive links have not been established.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0121"> G0121 </a> </td> <td> <a href="/versions/v9/groups/G0121"> Sidewinder </a> </td> <td> T-APT-04, Rattlesnake </td> <td> <p><a href="/versions/v9/groups/G0121">Sidewinder</a> is a suspected Indian threat actor group that has been active since at least 2012. 
They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0091"> G0091 </a> </td> <td> <a href="/versions/v9/groups/G0091"> Silence </a> </td> <td> WHISPER SPIDER </td> <td> <p><a href="/versions/v9/groups/G0091">Silence</a> is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0122"> G0122 </a> </td> <td> <a href="/versions/v9/groups/G0122"> Silent Librarian </a> </td> <td> TA407, COBALT DICKENS </td> <td> <p><a href="/versions/v9/groups/G0122">Silent Librarian</a> is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of <a href="/versions/v9/groups/G0122">Silent Librarian</a> are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0083"> G0083 </a> </td> <td> <a href="/versions/v9/groups/G0083"> SilverTerrier </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0083">SilverTerrier</a> is a Nigerian threat group that has been seen active since 2014. 
<a href="/versions/v9/groups/G0083">SilverTerrier</a> mainly targets organizations in high technology, higher education, and manufacturing.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0054"> G0054 </a> </td> <td> <a href="/versions/v9/groups/G0054"> Sowbug </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0054">Sowbug</a> is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0038"> G0038 </a> </td> <td> <a href="/versions/v9/groups/G0038"> Stealth Falcon </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0038">Stealth Falcon</a> is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0086"> G0086 </a> </td> <td> <a href="/versions/v9/groups/G0086"> Stolen Pencil </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0086">Stolen Pencil</a> is a threat group likely originating from DPRK that has been active since at least May 2018. 
The group appears to have targeted academic institutions, but its motives remain unclear.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0041"> G0041 </a> </td> <td> <a href="/versions/v9/groups/G0041"> Strider </a> </td> <td> ProjectSauron </td> <td> <p><a href="/versions/v9/groups/G0041">Strider</a> is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0039"> G0039 </a> </td> <td> <a href="/versions/v9/groups/G0039"> Suckfly </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0039">Suckfly</a> is a China-based threat group that has been active since at least 2014. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0062"> G0062 </a> </td> <td> <a href="/versions/v9/groups/G0062"> TA459 </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0062">TA459</a> is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0092"> G0092 </a> </td> <td> <a href="/versions/v9/groups/G0092"> TA505 </a> </td> <td> Hive0065 </td> <td> <p><a href="/versions/v9/groups/G0092">TA505</a> is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0127"> G0127 </a> </td> <td> <a href="/versions/v9/groups/G0127"> TA551 </a> </td> <td> GOLD CABIN, Shathak </td> <td> <p><a href="/versions/v9/groups/G0127">TA551</a> is a financially-motivated threat group that has been active since at least 2018. The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0015"> G0015 </a> </td> <td> <a href="/versions/v9/groups/G0015"> Taidoor </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0015">Taidoor</a> is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0088"> G0088 </a> </td> <td> <a href="/versions/v9/groups/G0088"> TEMP.Veles </a> </td> <td> XENOTIME </td> <td> <p><a href="/versions/v9/groups/G0088">TEMP.Veles</a> is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0089"> G0089 </a> </td> <td> <a href="/versions/v9/groups/G0089"> The White Company </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0089">The White Company</a> is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0028"> G0028 </a> </td> <td> <a href="/versions/v9/groups/G0028"> Threat Group-1314 </a> </td> <td> TG-1314 </td> <td> <p><a href="/versions/v9/groups/G0028">Threat Group-1314</a> is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v9/groups/G0027"> Threat Group-3390 </a> </td> <td> TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse </td> <td> <p><a href="/versions/v9/groups/G0027">Threat Group-3390</a> is a Chinese threat group that has extensively used strategic Web compromises to target victims. 
The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0076"> G0076 </a> </td> <td> <a href="/versions/v9/groups/G0076"> Thrip </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0076">Thrip</a> is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0081"> G0081 </a> </td> <td> <a href="/versions/v9/groups/G0081"> Tropic Trooper </a> </td> <td> Pirate Panda, KeyBoy </td> <td> <p><a href="/versions/v9/groups/G0081">Tropic Trooper</a> is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. <a href="/versions/v9/groups/G0081">Tropic Trooper</a> focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0010"> G0010 </a> </td> <td> <a href="/versions/v9/groups/G0010"> Turla </a> </td> <td> Group 88, Belugasturgeon, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. <a href="/versions/v9/groups/G0010">Turla</a> is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. 
<a href="/versions/v9/groups/G0010">Turla</a>’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0123"> G0123 </a> </td> <td> <a href="/versions/v9/groups/G0123"> Volatile Cedar </a> </td> <td> Lebanese Cedar </td> <td> <p><a href="/versions/v9/groups/G0123">Volatile Cedar</a> is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. <a href="/versions/v9/groups/G0123">Volatile Cedar</a> has been operating since 2012 and is motivated by political and ideological interests.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0107"> G0107 </a> </td> <td> <a href="/versions/v9/groups/G0107"> Whitefly </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0107">Whitefly</a> is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0124"> G0124 </a> </td> <td> <a href="/versions/v9/groups/G0124"> Windigo </a> </td> <td> </td> <td> <p>The <a href="/versions/v9/groups/G0124">Windigo</a> group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the <a href="/versions/v9/software/S0377">Ebury</a> SSH backdoor to create a spam botnet. 
Despite law enforcement intervention against the creators, <a href="/versions/v9/groups/G0124">Windigo</a> operators continued updating <a href="/versions/v9/software/S0377">Ebury</a> through 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0112"> G0112 </a> </td> <td> <a href="/versions/v9/groups/G0112"> Windshift </a> </td> <td> Bahamut </td> <td> <p><a href="/versions/v9/groups/G0112">Windshift</a> is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0044"> G0044 </a> </td> <td> <a href="/versions/v9/groups/G0044"> Winnti Group </a> </td> <td> Blackfly </td> <td> <p><a href="/versions/v9/groups/G0044">Winnti Group</a> is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Some reporting suggests a number of other groups, including <a href="/versions/v9/groups/G0001">Axiom</a>, <a href="/versions/v9/groups/G0025">APT17</a>, and <a href="/versions/v9/groups/G0004">Ke3chang</a>, are closely linked to <a href="/versions/v9/groups/G0044">Winnti Group</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0090"> G0090 </a> </td> <td> <a href="/versions/v9/groups/G0090"> WIRTE </a> </td> <td> </td> <td> <p><a href="/versions/v9/groups/G0090">WIRTE</a> is a threat group that has been active since at least August 2018. 
The group focuses on targeting Middle East defense and diplomats.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v9/groups/G0102"> Wizard Spider </a> </td> <td> UNC1878, TEMP.MixMaster, Grim Spider </td> <td> <p><a href="/versions/v9/groups/G0102">Wizard Spider</a> is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.</p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0128"> G0128 </a> </td> <td> <a href="/versions/v9/groups/G0128"> ZIRCONIUM </a> </td> <td> APT31 </td> <td> <p><a href="/versions/v9/groups/G0128">ZIRCONIUM</a> is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.</p> </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div 
class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&CK content version 9.0
Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?5635"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> </body> </html>