Threat actors
2004 threat-actor records from MISP-Galaxy v341. Filter by attributed country, or for country / sector / MITRE-Group facets see /explore/actors. Authored by Adam Lundqvist.
Showing 201–250 of 1,546 in Other · page 5 of 31
| ID | Title | Summary |
|---|---|---|
| CIBERINTELIGENCIASV | CiberInteligenciaSV | CiberInteligenciaSV is a threat actor that leaked 5.1 million Salvadoran records on Breach Forums. They have also compromised El Salvador's state Bitcoin walle… |
| CIRCUS-SPIDER | CIRCUS SPIDER | According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discove… |
| CL-STA-0043 | CL-STA-0043 | CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. T… |
| CL-STA-0048 | CL-STA-0048 | CL-STA-0048 is a Chinese state-backed APT that targets strategic sectors in South Asia, particularly government and telecommunications entities, with a focus o… |
| CL-STA-1009 | CL-STA-1009 | CL-STA-1009 is a threat activity cluster associated with a suspected nation-state actor utilizing the Airstalk malware family, which includes both PowerShell a… |
| CL-STA-1020 | CL-STA-1020 | CL-STA-1020 targets Southeast Asian government networks, employing AWS Lambda Function URLs configured with AuthType: NONE for stealthy command-and-control com… |
| CL-STA-1087 | CL-STA-1087 | CL-STA-1087 is a suspected state-sponsored espionage campaign operating out of China, targeting military organizations in Southeast Asia. The actor has demonst… |
| CL-UNK-1068 | CL-UNK-1068 | CL-UNK-1068 is a Chinese threat actor that has targeted critical infrastructure in Asia, primarily focusing on cyberespionage. They utilize cross-platform tool… |
| CLEAVER | Cleaver | A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. or… |
| CLEVER-KITTEN | Clever Kitten | |
| CLOCKWORK SPIDER | CLOCKWORK SPIDER | CLOCKWORK SPIDER is a threat actor catalogued by MISP-Galaxy (MISP-Galaxy v341). Original record: Opportunistic actor that installs custom root certificate on … |
| CLOCKWORK-SPIDER | CLOCKWORK SPIDER | Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring. |
| CloudSorcerer | CloudSorcerer | CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration. The ma… |
| CLOUDSORCERER | CloudSorcerer | CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration. The ma… |
| Cobalt | Cobalt | A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided s… |
| COBALT | Cobalt | A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided s… |
| COBALT JUNO | COBALT JUNO | COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyw… |
| COBALT-JUNO | COBALT JUNO | COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyw… |
| COBALT KATANA | COBALT KATANA | COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group h… |
| COBALT-KATANA | COBALT KATANA | COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group h… |
| Codefinger | Codefinger | Codefinger is a ransomware group that targets Amazon S3 buckets by exploiting AWS’s Server-Side Encryption with Customer Provided Keys to encrypt victim data. … |
| CODEFINGER | Codefinger | Codefinger is a ransomware group that targets Amazon S3 buckets by exploiting AWS’s Server-Side Encryption with Customer Provided Keys to encrypt victim data. … |
| Coinbase Cartel | Coinbase Cartel | Coinbase Cartel is a ransomware threat actor that emerged in September 2025, focusing on data exfiltration rather than encryption, and has claimed over 60 vict… |
| COINBASE-CARTEL | Coinbase Cartel | Coinbase Cartel is a ransomware threat actor that emerged in September 2025, focusing on data exfiltration rather than encryption, and has claimed over 60 vict… |
| Cold River | Cold River | In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control t… |
| COLD-RIVER | Cold River | In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control t… |
| ComicForm | ComicForm | ComicForm is an emerging cyber threat actor tracked since at least April 2025, specializing in targeted phishing campaigns against organizations in Eurasian co… |
| COMICFORM | ComicForm | ComicForm is an emerging cyber threat actor tracked since at least April 2025, specializing in targeted phishing campaigns against organizations in Eurasian co… |
| Common Raven | Common Raven | Common Raven is a threat actor catalogued by MISP-Galaxy (MISP-Galaxy v341). The group is also tracked as OPERA1ER, NXSMS, DESKTOP-GROUP. Original record: Thre… |
| COMMON-RAVEN | Common Raven | Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent pay… |
| CONFUCIOUS | Confucious | Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such a… |
| Conquerors Electronic Army | Conquerors Electronic Army | Conquerors Electronic Army operates under the “Wa’d al-Akhira” banner and has claimed multiple attacks against Israeli targets, including civil emergency alert… |
| CONQUERORS-ELECTRONIC-ARMY | Conquerors Electronic Army | Conquerors Electronic Army operates under the “Wa’d al-Akhira” banner and has claimed multiple attacks against Israeli targets, including civil emergency alert… |
| Contagious Interview | Contagious Interview | Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, incl… |
| CONTAGIOUS-INTERVIEW | Contagious Interview | Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, incl… |
| Copy-Paste | Copy-Paste | Copy-Paste is a threat actor catalogued by MISP-Galaxy (MISP-Galaxy v341). Operational targeting focuses on the Government sector. Documented victim organisati… |
| COPY-PASTE | Copy-Paste | The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of tools copied almost identically from open source given by The Australian Government. |
| COPYKITTENS | CopyKittens | |
| CORALRAIDER | CoralRaider | CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They us… |
| CORSAIR-JACKAL | Corsair Jackal | |
| Cosmic Lynx | Cosmic Lynx | Cosmic Lynx is a threat actor catalogued by MISP-Galaxy (MISP-Galaxy v341). Original record: Cosmic Lynx is a Russia-based BEC cybercriminal organization that … |
| COSMIC-LYNX | Cosmic Lynx | Cosmic Lynx is a Russia-based BEC cybercriminal organization that has significantly impacted the email threat landscape with sophisticated, high-dollar phishin… |
| CosmicBeetle | CosmicBeetle | CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolse… |
| COSMICBEETLE | CosmicBeetle | CosmicBeetle is a threat actor known for deploying the ScRansom ransomware, which has replaced its previous variant, Scarab. The actor utilizes a custom toolse… |
| CostaRicto | CostaRicto | CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware to… |
| COSTARICTO | CostaRicto | CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware to… |
| COTTON-SANDSTORM | Cotton Sandstorm | Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical maga… |
| CoughingDown | CoughingDown | CoughingDown is a threat group attributed to various cyber campaigns, including the deployment of the EAGERBEE backdoor, which utilizes service manipulation an… |