Threat Actor Profiles

Unmasking cyber adversaries for proactive defense

In-Depth Intelligence on Global Cyber Threat Groups

Understanding who’s behind an attack is just as important as knowing how they do it. Different attackers have different goals and methods, and knowing these can help you build better defenses. Our free Threat Actor Profiles help you connect the dots to give you deeper insight into the motivations, tactics, and targets of today’s most active cyber adversaries.

Each profile offers a concise, intelligence-driven summary of known threat groups, from state-sponsored APTs to financially motivated ransomware gangs. By exploring these profiles, security teams gain valuable context that informs everything from incident response to proactive threat hunting.

With this information, you can:

  • Anticipate likely attack vectors

  • Tailor defenses to specific threat behaviors

  • Enhance threat correlation and alert prioritization

  • Support strategic security planning with attacker-aligned insights


Threat Actor Profiles

APT40 (also known by names such as Leviathan, Kryptonite Panda, and Bronze Mohawk) is a Chinese state-sponsored advanced persistent threat linked to the Ministry of State Security’s Hainan State Security Department. The actor focuses on cyberespionage and regularly targets government, maritime, defense, aerospace, biomedical, and research institutions. Its operations have been observed across multiple continents, including Asia, Australia, Europe, and North America.

Energetic Bear (also known by numerous aliases) is a sophisticated, state-sponsored cyber espionage group primarily focused on intelligence gathering. They are consistently linked to the Russian Federation and have demonstrated capabilities in targeting critical infrastructure sectors. Their operations are characterized by long-term persistence, stealth, and a focus on exfiltrating sensitive information rather than causing widespread disruption, though disruption has occurred as a side effect.

RansomHub is a cyber threat actor specializing in ransomware attacks, operating under a Ransomware-as-a-Service (RaaS) model. It emerged in February 2024 and has rapidly become one of the largest ransomware operations currently active, known for its aggressive tactics and links to other ransomware variants. It actively recruits affiliates from other ransomware groups, including ALPHV and LockBit, to expand its reach and attack capabilities. The origin and specific actors behind RansomHub remain unknown.

Hazy Tiger, also known by aliases such as TA397, Bitter, and T-APT-17, is an India-linked targeted intrusion group active since at least 2015. Primarily focused on espionage, information theft, and financial gain, this actor persistently targets government, diplomatic, defense, and financial sectors, with ongoing campaigns reported as recently as May 2025. Though linked to India, Hazy Tiger has not been formally attributed to any state or criminal syndicate and has gradually expanded its operations from South and East Asia to include European government entities.

Scattered Spider is a financially motivated ransomware group that has various aliases including The Com, Muddled Libra, UNC3944, Starfraud, Octo Tempest, and Scatter Swine. This threat actor primarily targets large organizations in the hospitality, entertainment, technology, retail, telecommunications, and business process outsourcing sectors. Known for its sophisticated social engineering tactics and data exfiltration extortion schemes, Scattered Spider has been active since May 2022 and remains very active.

APT41 is a highly sophisticated and very active Chinese state-sponsored advanced persistent threat (APT) group. It engages in both cyber espionage and financially motivated cybercrime activities. APT41 is known by numerous aliases, including Barium, Wicked Panda, Wicked Spider, Double Dragon, Blackfly and Bronze Atlas. The group’s motivations are multifaceted, involving information theft and espionage for state interests, financial gain through cybercriminal activities, and potentially sabotage.

ToddyCat is an advanced persistent threat (APT) group engaged in cyber espionage operations, primarily targeting governmental and military entities within Europe and Asia. The group utilizes sophisticated backdoors and advanced infiltration techniques to achieve its espionage objectives. ToddyCat does not have any publicly recognized aliases attributed by cybersecurity companies. Its motivations are primarily aligned with information theft and espionage.

APT39 is a cyber espionage group primarily attributed to the Iranian Ministry of Intelligence and Security (MOIS). It is classified as a state-sponsored Advanced Persistent Threat (APT) group, also known by aliases such as Chafer, REMIX KITTEN, COBALT HICKMAN, ITG07, and Cadelspy. The group’s motivations are primarily focused on information theft and espionage, targeting individuals and entities deemed threats by the Iranian government.

UNC5812 is a Russian espionage and influence operation that targets Ukrainian military recruits and engages in disinformation campaigns. This threat actor primarily uses malware delivery via Telegram channels and websites to compromise devices while spreading anti-mobilization narratives. Active since at least 2023, UNC5812 has not been conclusively tied to a specific Russian agency but operates in alignment with broader state interests, focusing on psychological operations and battlefield disruption.
