[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
722
722
723
-
Category: *actor* - source: *MISP Project* - total: *953* elements
723
+
Category: *actor* - source: *MISP Project* - total: *963* elements
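Review bot: the element total in this hunk moves from 953 to 963, i.e. ten new entries, which is consistent with the ten new cluster objects (124 added lines, 0 deleted) in the accompanying clusters/threat-actor.json hunk; no further change needed here, but keep the two in sync if any entry is dropped during review.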
clusters/threat-actor.json
Lines changed: 124 additions & 0 deletions
@@ -19976,6 +19976,130 @@
19976
19976
},
19977
19977
"uuid": "266af6b4-1f11-4043-9de1-90527406f406",
19978
19978
"value": "NetRunnerPR"
19979
+
},
19980
+
{
19981
+
"description": "CL-STA-1087 is a suspected state-sponsored espionage campaign operating out of China, targeting military organizations in Southeast Asia. The actor has demonstrated operational patience, maintaining dormant access for extended periods while focusing on precision intelligence collection and employing robust operational security measures. Their infrastructure includes the use of a legitimate cloud service for C2 operations, indicating a cloud-native approach. File timestamps and other indicators trace the campaign's activity back to 2020, suggesting a long-running operation.",
"description": "UNC6426 exploited a supply chain compromise of the nx npm package to steal a developer's GitHub Personal Access Token and gain access to a victim's cloud environment. They abused the GitHub-to-AWS OpenID Connect trust to create a new administrator role, leveraging overly permissive permissions associated with the compromised GitHub-Actions-CloudFormation role. Using the legitimate open-source tool Nord Stream, UNC6426 conducted reconnaissance and extracted secrets from CI/CD environments, leading to the exfiltration of files from AWS S3 buckets and data destruction. The actor escalated to full AWS administrator permissions in under 72 hours.",
"description": "Z-Pentest Alliance is a pro-Russian hacktivist group known for targeting industrial control systems and operational technology systems, particularly in Italy and Israel. The group has claimed responsibility for various attacks, including gaining control of a water supply management system and disrupting aviation authorities' websites. Z-Pentest Alliance operates within a larger alliance of hacktivist groups, often collaborating on politically motivated operations, including DDoS campaigns. The group has been linked to the GRU and is associated with the NoName057 group, sharing tools and intelligence.",
"description": "313 Team is an Iraq-based threat actor that has conducted coordinated DDoS campaigns targeting multiple government servers in the UAE, Kuwait, and Romania, often in response to political statements. They have claimed responsibility for significant disruptions, including a one-hour shutdown of Romania’s National Tax Agency and an 18-hour outage of Kuwait's national e-government portal. The group has also engaged in website defacements, showcasing coordinated branding with other aligned groups. Their operations reflect a focus on government infrastructure, employing DDoS techniques and leveraging public political discourse as justification for their attacks.",
"description": "TA2723 is a financially-motivated, high-volume credential phishing threat actor known for spoofing Microsoft OneDrive, LinkedIn, and DocuSign. Proofpoint Threat Research has observed TA2723 conducting OAuth device code phishing campaigns, utilizing tools like Squarephish and Graphish to enhance their operations. The use of these tools allows TA2723 to mitigate the short-lived nature of device codes, facilitating larger campaigns. Successful attacks can lead to M365 account takeover, data exfiltration, and lateral movement.",
"description": "Dark Engine has emerged as a significant threat actor targeting industrial control systems and SCADA systems in sectors such as metallurgy and food processing. The group has conducted multiple ICS-targeted incidents, with a pronounced operational surge in June 2025. Additionally, Dark Engine is involved in a campaign that embeds fraudulent CAPTCHA prompts into legitimate WordPress sites, utilizing SEO poisoning to harvest login credentials. Reports also indicate a data leak from Dark Engine that exposed sensitive phone data in the U.S.",
"description": "Cyber Islamic Resistance is a hacktivist collective ideologically aligned with Iran, engaging in operations such as website defacements, DDoS attacks, and data exfiltration targeting Israeli and Western entities. They have claimed breaches of Israeli cybersecurity firms and academic platforms, framing their actions as part of a broader narrative of retaliation. The group has also targeted critical infrastructure, asserting access to industrial control systems and operational technology environments. Their activities are often presented as part of a coordinated cyber mobilization campaign, emphasizing psychological and reputational impacts.",
"description": "Conquerors Electronic Army operates under the “Wa’d al-Akhira” banner and has claimed multiple attacks against Israeli targets, including civil emergency alerting and healthcare sectors, utilizing rented stresser infrastructure and CheckHost proof-of-disruption links. The group has embedded links to a UK-registered charity in their operations, suggesting a potential disruption attempt rather than solely an information operation. Security company Radware identified Conquerors Electronic Army as one of the primary actors behind a series of DDoS attacks targeting government entities in the Middle East. Their activities indicate a focus on both disruptive and influence operations.",
"description": "Keymous is a threat actor known for executing extensive DDoS attacks across multiple Arab countries, targeting government ministries and critical infrastructure. The group has claimed access to sensitive data, including over 300,000 records from Israel's Ministry of Education, and has engaged in reconnaissance activities against various ministries in Bahrain and other nations. Keymous employs diverse infrastructure, including compromised IoT devices and DDoS-for-hire platforms, to amplify attack bandwidth. Their operations have been characterized by a focus on politically motivated cyberattacks, particularly in the context of regional conflicts.",
"description": "APTIran has claimed responsibility for a large-scale campaign targeting Israeli critical infrastructure, asserting infiltration of government ministries, hospitals, universities, and financial institutions as retaliation for Israeli military operations. The group has leaked over 350,000 Israeli government login credentials and approximately 300 internal databases, while also threatening to create a 'zombie' network from infected devices. They have reportedly deployed ransomware strains such as ALPHV and LockBit as part of their offensive toolkit. Additionally, APTIran has made unverified claims of compromising Israeli water control systems and the state-owned food security agency Jordan Silos and Supply General Co.",
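Review bot: only the "description" strings of the ten new cluster objects are visible in this hunk, while the surrounding object for NetRunnerPR shows that each entry also needs its own "uuid" and "value" keys; please confirm every new object carries a unique, freshly generated uuid and a "value" matching the actor name used in its description (CL-STA-1087, UNC6426, Z-Pentest Alliance, 313 Team, TA2723, Dark Engine, Cyber Islamic Resistance, Conquerors Electronic Army, Keymous, APTIran). Several descriptions attribute findings to named vendors ("Proofpoint Threat Research has observed", "Security company Radware identified") and one is explicitly labelled as relaying "unverified claims"; those sources belong in the entries' meta refs so readers can check them, and cross-actor statements such as Z-Pentest Alliance being "associated with the NoName057 group" are better expressed through the galaxy's related-entry mechanism than left only in prose.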