This article lists the threat actors tracked by Palo Alto Networks Unit 42, using our specific designators for these groups. We've organized them in alphabetical order of their assigned constellation. The information presented here is a comprehensive list of these threat actors, along with key information like the category of threat actor, industries typically impacted and a summary of the overall threat. We intend this to be a centralized destination for readers to review the breadth of our research on these notable cyber threats.
Palo Alto Networks customers are better protected from threat actors through the use of our products like our Next-Generation Firewall with Cloud-Delivered Security Services that include Advanced WildFire, Advanced DNS Security, Advanced Threat Prevention and Advanced URL Filtering. Our customers are also better protected through our line of Cortex products and Prisma SASE.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Related Unit 42 Topics: Cybercrime, Nation-State Cyberattacks
Unit 42 considers the following groups to have a motivation that is primarily state-backed rather than financial. There can also be some cybercrime motivation for threat groups in this category, but we believe their main motivation is in furthering the interest of their sponsoring nation.
Draco, the dragon, is the constellation chosen for threat actor groups from Pakistan. These groups have been seen targeting India and other South Asian countries.
G1008, sidecopy, unc2269, white dev 55
Mocking Draco is a Pakistan-based threat actor that has been operating since at least 2019, mainly targeting South Asian countries, and India and Afghanistan in particular. Their malware's common name, Sidecopy, comes from an infection chain that mimics the malware of Venomous Gemini, which is called SideWinder. Similarities between this actor and Opaque Draco have been reported, and Mocking Draco is possibly a subdivision of that group.
Mocking Draco has previously impacted organizations in the following sectors:
APT36, C-Major, Cmajor, COPPER FIELDSTONE, Fast-Cargo, G0134, Green Halvidar, Havildar Team, Lapis, Mythic Leopard, ProjectM, Transparent Tribe
Opaque Draco is a Pakistan-based threat group that has been active since 2013. They primarily target Indian governmental, military and educational sectors.
Opaque Draco has previously impacted organizations in the following sectors:
Threat actor groups from India are named for the constellation Gemini.
DEV-0124, Dropping Elephant, Leafperforator, Orange Chandi, Rattlesnake, Razor Tiger, Sidewinder, T-APT-04, UNC1687, G0121
Venomous Gemini represents a threat group (or groups) with a suspected Indian nexus that has been active since 2012. Venomous Gemini is active and frequently targets Pakistan and, to a lesser extent, other countries in Asia including Nepal, Sri Lanka, Bangladesh and China. Their primary targets include government and military organizations, but other industries have been reported targets as well.
Venomous Gemini has previously impacted organizations in the following sectors:
Belarusian threat groups are named for the constellation Lynx.
Ghostwriter, Storm-0257, UNC1151
White Lynx is a nation-state threat actor assessed with high confidence to be linked with the Belarusian government. Their main focus is on countries neighboring Belarus, such as Ukraine, Lithuania, Latvia, Poland and Germany. Their targeting also includes Belarusian dissidents, media entities and journalists.
White Lynx has previously impacted organizations in the following sectors:
Threat actor groups attributed to North Korea are represented by the constellation Pisces. These groups have impacted many industries with a focus on cyberespionage and financial crime.
Andariel, Black Artemis, COVELLITE, Onyx Sleet, PLUTONIUM, Silent Chollima, Stonefly, UNC614, Lazarus, Lazarus Group
Jumpy Pisces is a nation-state threat actor associated with the notorious Lazarus Group and the Democratic People’s Republic of Korea (DPRK). Jumpy Pisces is believed to be a subgroup of the Lazarus group that branched out around 2013. The group has demonstrated a high degree of adaptability, complexity and technical expertise in its operations, with a focus on cyber espionage, financial crime and ransomware attacks.
Jumpy Pisces primarily targets South Korean entities with a variety of attack vectors, including spear phishing, watering hole attacks and supply chain attacks. They have been observed exploiting vulnerabilities in various software, including asset management programs and known but unpatched public-facing services, to distribute their malware. The group also abuses legitimate software and proxy and tunneling tools for its malicious activities.
Jumpy Pisces has previously impacted organizations in the following sectors:
Dark River, DEV-0954, Jade Sleet, Storm-0954, Trader Traitor, TraderTraitor, UNC4899, Lazarus, Lazarus Group
Slow Pisces is a North Korean nation-state threat group operating under the Reconnaissance General Bureau (RGB) of the DPRK. It is believed to be a spin-off of the Lazarus Group, with a focus on financial gain and on targeting the cryptocurrency industry. Since 2020, their primary task has been generating revenue for the DPRK regime, which they do by targeting organizations that handle large volumes of cryptocurrency. They have reportedly stolen in excess of $1 billion in 2023 alone.
Secondary to revenue generation, Slow Pisces has also compromised aerospace, defense and industrial organizations, likely with the aim of espionage to advance DPRK’s military capabilities.
Slow Pisces has previously impacted organizations in the following sectors:
Iranian-attributed groups are named for the constellation Serpens, the snake. Our research on these groups highlights their targets and TTPs as they evolve.
COBALT DICKENS, DEV-0118, Mabna Institute, Silent Librarian, Yellow Nabu
Academic Serpens is a state-sponsored group active since at least 2013 that is attributed to Iran, which has traditionally focused on Middle Eastern targets and Nordic universities in the EU. Members of Academic Serpens are affiliated with the Iran-based Mabna Institute, which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). They have targeted research and proprietary data at universities, government agencies and private sector companies worldwide. There has been a notable decrease in activity from this group since the international COVID crisis in 2020.
Academic Serpens has previously impacted organizations in the following sectors:
APT35, APT42, Ballistic Bobcat, Charming Kitten, Cobalt Illusion, Damselfly, DireFate, G0059, Greycatfish, Group 83, Iridium Group, ITG18, Magic Hound, Mint Sandstorm, Newscaster, PHOSPHOROUS, PHOSPHORUS, Saffron Rose, TA453, White Phosphorous, Yellow Garuda
Agent Serpens is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyberespionage operations, likely on behalf of the Islamic Revolutionary Guard Corps (IRGC). This group targets dissidents, activists, journalists and other groups that pose a risk to, or protest against, the Iranian government, with a notable focus on groups in Israel and the U.S. For initial access, they have traditionally used spear phishing and exploitation of remote access devices, and they have also focused on credential harvesting. They use both commodity malware (infostealers) and custom malware.
Agent Serpens has previously impacted organizations in the following sectors:
Agrius, BlackShadow, Pink Sandstorm, Spectral Kitten
Agonizing Serpens is a nation-state group active since 2020, attributed to Iran's Ministry of Intelligence and Security (MOIS). This group engages in espionage, ransomware and destructive malware attacks against targets in the Middle East, with a significant focus on attacks against Israel. Their focus is data theft and espionage, after which they deploy wipers to cover their tracks.
Agonizing Serpens has previously impacted organizations in the following sectors:
COBALT ULSTER, Earth Vetala, G0069, Mercury, MuddyWater, Seedworm, Static Kitten, TEMP.Zagros, Yellow Nix
Boggy Serpens is a cyberespionage group active since at least 2017 that is assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). Boggy Serpens has targeted a range of government organizations and private organizations across sectors including telecommunications, local government, defense, oil and natural gas in the Middle East, Asia, Africa, Europe and North America.
They traditionally gain access via spear phishing and exploitation of publicly known vulnerabilities. They provide stolen data and access to the Iranian government as well as other threat actors. Boggy Serpens develops custom malware and they make extensive use of obfuscated PowerShell scripts.
Boggy Serpens has previously impacted organizations in the following sectors:
Cobalt Fireside, Curium, G1012, Imperial Kitten, Tortoiseshell, Yellow Liderc
Devious Serpens is an Iran-based threat actor known for using social engineering tactics as well as malware that communicates via IMAP. Their attacks use watering hole techniques as well as actor-controlled sites that impersonate employment opportunities likely to interest their victims.
The malware that they have built often uses IMAP with specific email addresses for command and control (C2). With such tools, communication typically occurs via specific folders and message protocols on the C2 email address.
Devious Serpens has previously impacted organizations in the following sectors:
Alibaba, APT34, Chrysene, Cobalt Gypsy, Crambus, Europium, G0049, Group 41, Hazel Sandstorm, Helix Kitten, IRN2, OilRig, Powbat, TEMP.Akapav, Twisted Kitten, Yossi
Evasive Serpens is a threat group Unit 42 discovered in May 2016. They are a nation-state threat group attributed to Iran. This threat group is extremely persistent and relies heavily on spear phishing as their initial attack vector. However, they have also been associated with other more complex attacks such as credential harvesting campaigns and DNS hijacking.
In their spear phishing attacks, Evasive Serpens preferred macro-enabled Microsoft Office (Word and Excel) documents to install their custom payloads that came as portable executables (PE), PowerShell and VBScripts. The group’s custom payloads frequently used DNS tunneling as a C2 channel.
Evasive Serpens has previously impacted organizations in the following sectors:
Chinese threat actor groups take their name from the constellation Taurus – the bull. Due to the long history and multiplicity of Chinese APTs, there is a lot to be discovered about these groups in our research archives.
G0093, GALLIUM, Granite Typhoon, Operation Soft Cell, Othorene, Red Dev 4
Alloy Taurus is a cyberespionage group that has been active since at least 2012. This threat actor exploits internet-facing web applications to gain initial access to victim organizations.
Once they have access, they use a mixture of custom tools, malware and open-source tools (or custom variants). They sometimes sign code with legitimate, stolen certificates. They have compromised targets in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, Nepal, the Philippines, Russia, South Africa and Vietnam.
Alloy Taurus has previously impacted organizations in the following sectors:
Circle Typhoon, DEV-0322, TGR-STA-0027, Tilted Temple
Charging Taurus is a state-sponsored cyberespionage group attributed to China, active since 2021. The group's goal is to steal intellectual property aligned with China's national interests. The group is capable of exploiting undisclosed zero-day vulnerabilities. The group has a possible tie to Insidious Taurus.
Charging Taurus has previously impacted organizations in the following sectors:
Jackpot Panda
Dicing Taurus is a state-sponsored group attributed to China. They focus on the illegal online gambling sector in Southeast Asia, particularly emphasizing data collection for monitoring and countering related activities in China. The i-Soon leak in February 2024 revealed that i-Soon was likely involved in Dicing Taurus's operations, along with the Ministry of Public Security of China.
The group is also responsible for distributing a trojanized installer for CloudChat, a chat application popular with Chinese-speaking illegal gambling communities in mainland China. The trojanized installer served from CloudChat’s website contained the first stage of a multi-step process.
Dicing Taurus has previously impacted organizations in the following sectors:
BRONZE HIGHLAND, Daggerfly, Evasive Panda
Digging Taurus is a China-based group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.
Digging Taurus has previously impacted organizations in the following sectors:
BRONZE SILHOUETTE, DEV-0391, UNC3236, Vanguard Panda, Volt Typhoon, Voltzite, G1017
Insidious Taurus is a Chinese state-sponsored actor typically focusing on espionage and information gathering, active since 2021. Insidious Taurus evades detection by using various living-off-the-land (LotL) techniques, using built-in system tools to achieve their objectives and blend in with regular system noise.
The actor leverages compromised small office/home office (SOHO) network devices as intermediate infrastructure to further obscure their activity. Insidious Taurus exploits vulnerabilities in internet-facing devices and systems as an initial access vector.
Insidious Taurus has previously impacted organizations in the following sectors:
APT40, BRONZE MOHAWK, Electric Panda, Gadolinium, Gingham Typhoon, IslandDreams, Kryptonite Panda, Ladon, Leviathan, Pickleworm, Red Ladon, TEMP.Jumper, TEMP.Periscope
Jumper Taurus is a state-sponsored cyberespionage group believed to be linked to the Chinese government. Active since at least 2013, the group has consistently demonstrated advanced tactics, techniques and procedures (TTPs), supporting China's strategic objectives by targeting organizations engaged in sensitive research or holding strategic geopolitical relationships.
The group's operations use phishing emails and exploit web server vulnerabilities for initial access. The group has shown a particular interest in maritime-related targets, those associated with China's naval modernization efforts and the Belt and Road Initiative.
Jumper Taurus has previously impacted organizations in the following sectors:
APT15, Backdoor Diplomacy, BRONZE PALACE, Buck09, Bumble Bee, G0004, Gref, Ke3chang, Mirage, Nickel, Playful Dragon, Red Hera, RoyalAPT, Vixen Panda
Playful Taurus is a state-sponsored espionage group attributed to China. The group has been active since at least 2010. Playful Taurus has historically targeted government and diplomatic entities across North and South America, Africa and the Middle East. They leverage a mix of commodity tooling and malware as well as custom backdoors.
Playful Taurus has previously impacted organizations in the following sectors:
Earth Empusa, Evil Eye, EvilBamboo, Poison Carp
Sentinel Taurus is a state-sponsored threat group that has shown significant interest in Tibetan, Uyghur and Taiwanese targets. The group reportedly used spear phishing and watering hole techniques to deliver iOS and Android mobile malware payloads to their targets.
Sentinel Taurus has previously impacted organizations in the following sectors:
Rhysida, Bronze Fillmore, BRONZE PRESIDENT, DEV-0117, G0129, HoneyMyte, Luminous Moth, Mustang Panda, PKPLUG, Red Lich, RedDelta, TA416, Tantalum, TEMP.Hex
Stately Taurus is a China-based cyberespionage threat actor that was first observed in 2017, but they may have been conducting operations since at least 2012. Stately Taurus has targeted government entities, nonprofits, religious and other non-governmental organizations in countries and regions including the U.S., Europe, Mongolia, Myanmar, Pakistan and Vietnam.
Stately Taurus has previously impacted organizations in the following sectors:
Russian threat groups tracked by Unit 42 are named for the Ursa constellation. We report on these groups regularly and have a significant archive of material.
APT29, Backswimmer, Blue Kitsune, Blue Nova, Cozy, CozyBear, CozyDuke, Dark Halo, DEV-0473, Dukes, Eurostrike, G0016, Group 100, Hagensia, Iron Hemlock, Iron Ritual, Midnight Blizzard, Nobelium, Noblebaron, Office Monkeys, Office Space, Solarstorm, StellarParticle, TAG-11, The Dukes, UAC-0029, UNC2452, YTTRIUM, UNC3524
Cloaked Ursa is a nation-state threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes and think tanks. Cloaked Ursa reportedly compromised the Democratic National Committee (DNC) starting in the summer of 2015 and they were responsible for the SolarWinds breach in 2019-2020.
Cloaked Ursa has previously impacted organizations in the following sectors:
APT28, Fancy Bear, G0007, Group 74, IRON TWILIGHT, Pawn Storm, PawnStorm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, Tsar Team, TsarTeam, UAC-0028
Fighting Ursa is a nation-state threat group attributed to Russia's General Staff Main Intelligence Directorate (GRU), 85th Special Service Centre (GTsSS), military intelligence Unit 26165. They are well known for their focus on targets of Russian interest, especially those of military interest. They are known as one of the two Russian groups that compromised the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) during the 2016 election cycle.
Fighting Ursa has previously impacted organizations in the following sectors:
Blue Callisto, Callisto, Callisto Group, COLDRIVER, Dancing Salome, Grey Pro, IRON FRONTIER, Reuse Team, SEABORGIUM, Star Blizzard
Mythic Ursa is a Russian group linked to Russia’s “Centre 18” Federal Security Service (FSB) division, focused on credential harvesting from high-profile individuals. This group often uses fake accounts to establish rapport with their targets and eventually sends a phishing link to gather credentials. This group was last observed using custom malware in November 2022.
Mythic Ursa has previously impacted organizations in the following sectors:
Turla, Uroburos, Snake, BELUGASTURGEON, Boulder Bear, G0010, Group 88, IRON HUNTER, Iron Pioneer, Krypton, Minime, Popeye, Turla Team, Venomous Bear, Waterbug, White Atlas, WhiteBear, Witchcoven
Pensive Ursa is a Russian-based threat group operating since at least 2004, which is linked to Russia’s “Centre 18” Federal Security Service (FSB).
Pensive Ursa has previously impacted organizations in the following sectors:
BlackEnergy, Blue Echidna, Cyclops Blink, ELECTRUM, G0034, Grey Tornado, IRIDIUM, IRON VIKING, OlympicDestroyer, Quedagh, Sandworm, Sandworm Team, Telebots, UAC-0082, Voodoo Bear
Razing Ursa is a nation-state group attributed to a subgroup of the Russian General Staff Main Intelligence Directorate (GRU). They use spear phishing and vulnerability exploitation to access systems with the goal of espionage or destruction. This group's activities have targeted industrial control systems and have used distributed denial of service (DDoS) attacks to disrupt critical infrastructure.
Razing Ursa has previously impacted organizations in the following sectors:
Actinium, Armageddon, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Primitive Bear, Shuckworm, UAC-0010
Trident Ursa is a nation-state threat group that has been active since at least 2013. This group has targeted individuals likely related to the Ukrainian government and military and is likely the actor behind the 2015 Operation Armageddon that delivered remote access tools, such as UltraVNC and Remote Manipulator System (RMS). The group previously used commodity tools but began using custom-developed tools in 2016.
Trident Ursa has previously impacted organizations in the following sectors:
Unit 42 considers the following groups to have a motivation that is primarily financial rather than political. There can be some political motivation for threat groups in this category, but we consider their main motivation to be perpetrating cybercrime. This category is split into two groups: cybercrime in general, and then ransomware.
Cybercrime is represented by the constellation Libra – a fitting choice, using the imagery of scales of justice.
G1015, Scattered Spider, Roasted 0ktapus, Scatter Swine, Star Fraud, UNC3944
Muddled Libra is a cybercrime group first reported in late 2022. They use the 0ktapus phishing kit and are considered a significant threat to global organizations through their targeted phishing and smishing campaigns. This group’s malware rapidly distinguished itself by enabling low-skilled attackers to launch sophisticated credential and MFA code thefts, impacting over a hundred organizations worldwide.
As they evolved, Muddled Libra expanded their capabilities, transitioning from mere phishing operations to complex supply chain attacks aimed at high-value cryptocurrency targets. The group's operational model showcased an innovative blend of traditional cybercrime tactics and modern digital extortion methods, including joining the Ambitious Scorpius RaaS affiliate program in 2023. This move underscored their shift toward a comprehensive cybercriminal operation, leveraging ransomware to enact data theft, encryption and extortion.
They also expanded their efforts to target software-as-a-service (SaaS) applications and cloud service provider (CSP) environments to leverage stored data for attack progression and extortion.
Muddled Libra has previously impacted organizations in the following sectors:
Ransomware groups get their naming convention from the constellation Scorpius, and are a frequent subject of our research.
ALPHV, BlackCat, blackcat_raas
Ambitious Scorpius is a RaaS group that uses multi-extortion, distributing BlackCat ransomware. The ransomware family was first observed in November 2021. The group is suspected to be of Russian origin and is a possible successor of DarkSide and BlackMatter. The group solicits for affiliates in known cybercrime forums, offering to allow them to keep 80-90% of the ransom payment.
A joint law enforcement disruption in December 2023 appears to have dealt the group a significant blow. Despite actively listing new victims through February 2024, about 40% of the victims were smaller businesses rather than the high-value targets usually seen.
Ambitious Scorpius has previously impacted organizations in the following sectors:
Nokoyawa
Bashful Scorpius ransomware group was first observed in February 2022, distributing Nokoyawa ransomware, which is potentially an evolution of Nemty and Karma ransomware. Bashful Scorpius uses a multi-extortion strategy, in which attackers demand payment both for a decryptor to restore access to encrypted files and for not disclosing stolen data.
This group distributes their ransomware payloads through various means, including third-party frameworks such as Cobalt Strike and phishing emails. The creators of Nokoyawa ransomware have repurposed functions from the leaked Babuk ransomware source code.
Ransomware operators using Nokoyawa ransomware wield a command set that allows them to exercise precise control over the execution and ultimate outcome of the infection. This further increases the threat’s effectiveness and potential damage.
Bashful Scorpius has previously impacted organizations in the following sectors:
BianLian, bianlian_group
Bitter Scorpius ransomware group is highly adaptable and quickly leverages newly disclosed vulnerabilities. Bitter Scorpius distributes BianLian ransomware. The threat actors targeted the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and SonicWall virtual private network (VPN) devices to gain initial access into victim networks.
Active since July 2022, the threat actors also employ multi-extortion techniques and living-off-the-land methodology to move laterally. They adjust their operations based on the defensive controls present on infected networks. In addition, the attackers operate a data leak blog on the Tor and Invisible Internet Project (I2P) networks, posing a potential risk of exposure for their stolen information. The group has also been observed using extortion without encryption.
Bitter Scorpius has previously impacted organizations in the following sectors:
Stormous
Blustering Scorpius is an Arabic-speaking cybercrime group that first appeared in 2021. They gained fame by exploiting tensions in the Russia-Ukraine war and targeting Western entities in 2022. They initially sought to specifically target entities in the U.S. but quickly began targeting entities based on global political tensions. While the group has claimed numerous attacks, they have also been accused of posting fake data or claiming attacks perpetrated by other groups.
Blustering Scorpius gains initial access via phishing, vulnerability exploits, Remote Desktop Protocol (RDP), credential abuse and malvertising. They use X (Twitter) and Telegram to advertise their exploits and to reach their followers and affiliates. The group also uses social engineering to exploit emotions surrounding geopolitical tensions.
Blustering Scorpius began joint operations with GhostSec on July 13, 2023, which they announced via GhostSec’s Telegram channel. The two groups have gone on to jointly attack multiple entities in various countries and industries.
Blustering Scorpius has previously impacted organizations in the following sectors:
Cl0p, CL0P
Chubby Scorpius is a RaaS group that first emerged in February 2019, and distributes Cl0p ransomware. They use extensive spear phishing campaigns for initial compromise. Chubby Scorpius uses a verified and digitally signed binary, enabling it to bypass system defenses more effectively.
Chubby Scorpius employed a multi-extortion tactic where, in addition to encrypting victim data, they also stole data and threatened to publish it on the CL0P^_-LEAKS website on the Tor network. This tactic increased pressure on victims to pay the ransom, as they faced not only data loss but also potential exposure of sensitive information.
The Chubby Scorpius ransomware group takes advantage of zero-day vulnerabilities, such as CVE-2023-0669, in the GoAnywhere MFT platform. The group claimed to have exfiltrated data from the GoAnywhere MFT platform, impacting approximately 130 victims over 10 days. However, there was no evidence of lateral movement within the victims’ networks, indicating that the breach was limited to the GoAnywhere platform itself. The group likely identified upper-level executives of the victim companies through open-source research and sent ransom notes as they analyzed the exfiltrated data.
Cl0p ransomware was used to compromise thousands of victims by threat actors exploiting the MOVEit Transfer vulnerability.
Chubby Scorpius typically gains initial access through high-volume spear phishing emails sent to an organization’s employees or by exploiting vulnerabilities in web-exposed assets. Once they gain access, Chubby Scorpius actors use RDP to interact with compromised systems. They also employ web shells to exfiltrate data.
Chubby Scorpius has previously impacted organizations in the following sectors:
BlackSuit
Dapper Scorpius is a ransomware group that emerged in early May 2023, distributing BlackSuit ransomware, impacting a broad range of organizations globally. This group is suspected to be the Ignoble Scorpius ransomware group (aka Royal Ransomware) rebranded.
Unlike many ransomware operations that use a RaaS model, Dapper Scorpius operates as a private group without affiliates, most likely composed of ex-Conti and ex-Ignoble Scorpius members. Dapper Scorpius employs a multifaceted distribution strategy that includes phishing campaigns, malicious email attachments, SEO poisoning and using loaders like GootLoader for deploying their ransomware payload.
Dapper Scorpius has previously impacted organizations in the following sectors:
Black Basta
Dark Scorpius is a Russian RaaS operation that emerged in April 2022, distributing Black Basta ransomware, originating as spin-offs of the Ryuk and Conti ransomware groups. Dark Scorpius experienced rapid growth in attacks by employing multi-extortion tactics, developing ransomware variants for Windows, Linux and VMware ESXi virtual machines.
The group’s deployment tactics include leveraging Qakbot Trojan infections, exploits and phishing emails to infiltrate networks. Dark Scorpius’ strategy for initial access includes collaboration with initial access brokers (IAB).
These brokers enable Dark Scorpius to effortlessly penetrate target networks, streamlining their ransomware deployment and multi-extortion tactics. For second-stage attack execution, Dark Scorpius employs a multi-faceted approach to credential harvesting and lateral movement within networks.
Dark Scorpius has previously impacted organizations in the following sectors:
Play, PlayCrypt
Fiddling Scorpius is a ransomware group, distributing Play ransomware, first noted in June 2022. They gained attention in August 2022 after targeting Argentina’s Judiciary of Córdoba. They leverage multi-extortion against victims and have previously leaked financial and personal details, intellectual property and other sensitive data. Ransom demands have been as high as 500 bitcoins, with the promise of a decryption tool upon payment.
Fiddling Scorpius has previously impacted organizations in the following sectors:
8Base
Squalid Scorpius ransomware group first emerged in March 2022, using a multi-extortion tactic. The group initially remained under the radar with relatively few attacks, but in June 2023, their activity spiked dramatically, showcasing a more aggressive approach.
They leverage encryption techniques alongside name-and-shame strategies to pressure victims into paying ransoms. Squalid Scorpius has used a number of ransomware variants, including a customized version of the Phobos ransomware. This indicates their technical adaptability, as well as their focus on evading detection and maximizing impact. This adaptability is evident in their use of advanced encryption techniques and strategies to bypass User Account Control (UAC) mechanisms on Windows systems, enabling them to execute their malicious payloads without immediate detection.
Squalid Scorpius has previously impacted organizations in the following sectors:
Akira
Howling Scorpius is a RaaS operation initially observed in March 2023, distributing Akira ransomware. The group's affiliates typically achieve access through VPN appliances in the victim organization, leveraging brute-force attacks, exploitation of vulnerabilities and the purchase of compromised credentials from IABs. Once inside the network, they attempt reconnaissance to identify where victims store critical data, enumerate Active Directory structures and locate domain controllers and VMware ESXi servers.
The group often achieves lateral movement using RDP with valid local administrator accounts. The threat operators try to disable security protections on compromised devices.
The group often uses C2 infrastructure by way of remote access tools like AnyDesk. They occasionally used extortion-only attacks late in 2023, exfiltrating data for payment but not deploying ransomware to the victim’s systems.
Howling Scorpius has previously impacted organizations in the following sectors:
Royal, Zeon, royal_group
Ignoble Scorpius ransomware group was first observed in September 2022, distributing Royal ransomware and using multi-extortion to pressure victims to pay their fee. It is suspected that this group is composed mainly of former members of the Conti ransomware group, who operate covertly and behind closed doors.
Because some of the people in this threat group were part of the development of Ryuk, the predecessor of Conti, they have many years of experience. They have a solid knowledge base for carrying out attacks and know what works when extorting victims. Due to the experience of this group, they have already impacted many organizations across the globe. We’ve observed them making demands of up to $25 million in bitcoin.
This group has leveraged their leak site to publicly extort victims into paying the ransom. Ignoble Scorpius will harass victims until they secure a payment, using techniques such as emailing victims and mass-printing ransom notes.
Ignoble Scorpius has previously impacted organizations in the following sectors:
Cloak
Invisible Scorpius is a ransomware group targeting small to medium-sized businesses and using initial access brokers (IABs) for initial access. First seen at the end of 2022, the group is believed to be connected to the Stale Scorpius ransomware group after threat actors posted victim information from Stale Scorpius to Invisible Scorpius' leak site.
Invisible Scorpius has previously impacted organizations in the following sectors:
Karakurt, Karakurt Lair, Karakurt Team
Mushy Scorpius is the group behind Karakurt ransomware, known for focusing on extortion. It has links to the Conti RaaS group. First emerging in 2021, Mushy Scorpius steals intellectual property and demands ransom from victims without encrypting their data, leveraging threats to auction off the sensitive data or release it to the public.
As part of their extortion efforts, they provide victims with screenshots or copies of stolen file directories as evidence of the data theft. They aggressively contact victims' employees, business partners and clients with harassing emails and phone calls. They also leverage stolen data like social security numbers, payment accounts, private emails and other sensitive business information to exert pressure.
Upon receiving ransom payments, Mushy Scorpius has occasionally provided victims with proof that they deleted the stolen files, along with a brief explanation of how they initially breached the victim's defenses. This underlines the group’s focus on financial gain but also that they seek a level of engagement from their victims toward meeting their demands.
Mushy Scorpius has previously impacted organizations in the following sectors:
Robinhood
The Pilfering Scorpius ransomware group gained attention by attacking a number of local and state government entities starting in April 2019. This threat group often gains initial access by phishing, malicious websites and malicious file sharing or downloads.
Once their ransomware has gained access, it obtains persistence by using RDP to spread throughout the victim network. Initial reporting revealed that humans were largely responsible for operating these attacks, as opposed to them being run by automated processes.
Pilfering Scorpius has previously impacted organizations in the following sectors:
BlackByte
Powerful Scorpius is a RaaS group operating since July 2021, distributing BlackByte ransomware. This group’s operational tactics include exploiting vulnerabilities such as the ProxyShell vulnerability in Microsoft Exchange Servers, using tools like Cobalt Strike, and avoiding detection through obfuscation and anti-debugging techniques.
Their malware checks system languages and exits if it finds Russian or certain Eastern European languages, presumably to avoid impacting systems in those regions. The group uses multi-extortion techniques in their campaigns.
Powerful Scorpius has previously impacted organizations in the following sectors:
ThreeAM, 3AM
Procedural Scorpius is a ransomware group discovered in September 2023, when researchers noticed Procedural Scorpius’ malware being deployed in a failed LockBit attack. This group distributes 3AM ransomware, and is thought to be linked to two other notorious ransomware groups, Conti and Ignoble Scorpius (distributor of Royal ransomware).
Procedural Scorpius escalates their extortion tactics by contacting their victim's social media followers, informing them of the data leak. They also use bots that post on highly visible X accounts to advertise the leaks. Procedural Scorpius targets medium to large companies in countries not within the Commonwealth of Independent States (CIS).
Procedural Scorpius has previously impacted organizations in the following sectors:
Cactus
Protesting Scorpius is a ransomware group that has been active since at least March 2023, primarily targeting large commercial entities. The group secures initial access to target networks by exploiting vulnerabilities in VPN appliances.
Upon gaining entry, Protesting Scorpius enumerates local and network user accounts as well as endpoints. They then create new user accounts and deploy ransomware encryptors across the network via custom scripts and scheduled tasks. Protesting Scorpius participates in extortion and data exfiltration.
Protesting Scorpius has previously impacted organizations in the following sectors:
Trigona
Salty Scorpius claims to be a highly profitable operation, launching global attacks deploying Trigona ransomware with promises of 20%-50% returns from each successful endeavor. First identified in October 2022, their operations partnered with network access brokers, who provided them with compromised credentials via the Russian Anonymous Marketplace (RAMP) forum. This collaboration was crucial for gaining the initial access needed to infiltrate their targets.
Salty Scorpius has ties to the CryLock group, evidenced by their shared methodologies, strategies and the identical ransom note filenames and email addresses they employ. By April 2023, Salty Scorpius shifted their focus toward exploiting compromised Microsoft SQL (MSSQL) servers, leveraging brute-force attacks to penetrate these systems.
This group also performs detailed reconnaissance within the target’s network, malware distribution via remote monitoring and management (RMM) software, creation of new user accounts and then finally deployment of ransomware.
They were disrupted by hacktivists in 2023, but posts have appeared on their leak site in 2024.
Salty Scorpius has previously impacted organizations in the following sectors:
Hunters International
Security researchers widely believe the Shifty Scorpius RaaS group is a rebrand of Itchy Scorpius (aka HIVE) due to significant code overlap between the two groups’ ransomware samples. However, Shifty Scorpius claims to be an independent group that acquired the source code and infrastructure directly from Itchy Scorpius.
Unlike other ransomware groups, Shifty Scorpius primarily focuses on data exfiltration, not encryption. Initially discovered in October of 2023, attacks by Shifty Scorpius are largely opportunistic. Their victims are in a variety of industries and regions; however, this group appears to regularly impact healthcare entities.
Shifty Scorpius has previously impacted organizations in the following sectors:
Avos, AvosLocker
Spicy Scorpius is a RaaS group that first emerged as a significant threat in 2021. This group uses multi-extortion tactics and remote administration tool AnyDesk for manual operation on victim machines. They can operate in safe mode to evade security measures. They also auction stolen data on their site in addition to their ransom demand.
The group’s deployment strategies include leveraging vulnerabilities like Log4Shell for initial access. This group has a level of organization resembling that of legitimate tech businesses rather than traditional cybercrime operations.
The ransomware they use has evolved since its debut to specifically target Linux systems and VMware ESXi servers, whereas many similar operations primarily focus on Windows systems.
Spicy Scorpius has previously impacted organizations in the following sectors:
Agenda, Qilin, Qilin Team
Spikey Scorpius operates as an affiliate program for RaaS that codes their payloads in Rust and Go, often tailoring them to each victim for maximum impact. To achieve this, threat actors employ strategies like altering file extensions of encrypted files and terminating specific processes and services. Spikey Scorpius leverages multi-extortion with a proprietary data leak site containing unique company IDs and leaked account information.
Spikey Scorpius has previously impacted organizations in the following sectors:
RansomHub
Spoiled Scorpius is a RaaS operation that was first observed in February 2024, managed by an actor known as “koley” or “BackHub.” The threat actor started operations on forums like XSS and RAMP. As a newcomer to the ransomware landscape, the actor's reliability is still unknown.
This group uses complex tactics to coerce victim compliance, including cold calling extortion and DDoS attacks. Their RansomHub management panel offers features like ransom campaign customization, victim communication and data negotiation tools. The group’s model provides 90% profit share with affiliates and 10% for the core group.
The Spoiled Scorpius owner has established rules against attacks in specific regions such as China, Cuba, North Korea and Commonwealth of Independent States (CIS) countries. Although this is a common restriction, it could indicate the actor is operating from one of those countries.
The group also sets boundaries against attacks on non-profit organizations, and there are rules preventing additional attacks against victims that have already paid their ransom.
Spoiled Scorpius has previously impacted organizations in the following sectors:
Rhysida
Squeaking Scorpius is a RaaS group first observed in May 2023, which uses multi-extortion and discloses victim data. Their primary means of initial access is through phishing emails or using stolen credentials to authenticate to remote services, such as through VPNs, especially in organizations not using multi-factor authentication.
Once in a victim’s environment, they use Living off the Land (LotL) techniques, including PowerShell for enumerating the environment and RDP connections for lateral movement. They have also used Cobalt Strike in victim environments, as well as a script that terminates anti-malware programs. The group distributes Rhysida ransomware, which encrypts data using a 4096-bit RSA encryption key.
Some researchers have suggested links between this group and the actors behind Vice Society ransomware, suggesting a rebrand.
Squeaking Scorpius has previously impacted organizations in the following sectors:
Good Day
Stale Scorpius is a ransomware group initially observed in May of 2023. Their infrastructure as well as purported victims are closely linked with Invisible Scorpius, leading researchers to believe the groups are connected. Contact information such as threat actor channels and email addresses that were observed in Invisible Scorpius attacks have also been seen in Stale Scorpius attacks.
Stale Scorpius has previously impacted organizations in the following sectors:
NoEscape, No Escape
Stumped Scorpius is a RaaS group that first emerged in May 2023 and quickly established themselves as a successor to the Avaddon ransomware group, which ceased operations in 2021. Stumped Scorpius uses aggressive multi-extortion tactics, targeting a broad range of industries including healthcare.
They encrypt files on Windows, Linux and VMware ESXi servers, demanding ransoms ranging from hundreds of thousands of dollars to over $10 million. Their developers claim to have built the malware and infrastructure from scratch, differentiating the threat from other ransomware families that often repurpose existing code.
Stumped Scorpius employs techniques like reflective DLL injection to target VMware ESXi servers. They have a robust RaaS platform that allows affiliates to customize attacks, including encryption strategies and ransom demands.
Their ransomware can bypass UAC on Windows, executing commands to delete shadow copies and system backups to prevent file recovery. It also uses the Microsoft Enhanced RSA and AES Cryptographic Provider for file encryption.
Stumped Scorpius has previously impacted organizations in the following sectors:
Medusa (Note: Medusa should not be confused with a similarly named RaaS, MedusaLocker, which has been available since 2019)
Transforming Scorpius is a RaaS group first observed in June 2021, which typically uses AES-256 encryption and encrypted C2 channels in multi-extortion operations. Transforming Scorpius targets various file types while avoiding certain extensions like DLL, EXE and LNK, and excludes specific folders from encryption to ensure the system’s operability remains intact.
Transforming Scorpius has previously impacted organizations in the following sectors:
HelloKitty, Gookie, HelloGookie
Twinkling Scorpius is a ransomware group distributing HelloKitty ransomware that was identified in November 2020, targeting Windows systems and using unpatched vulnerabilities like those in SonicWall devices to gain initial access to victim networks. In July 2021, Unit 42 observed the group using a Linux variant of HelloKitty targeting VMware’s ESXi hypervisor.
The group uses both email and Tor chats for communications. In late 2023, the ransomware developer and operator, also known as Gookee/kapuchin0 and Guki, leaked the source code and shut the operation down.
In March 2024, the group rebranded, and now calls themselves Gookie or HelloGookie. To mark the occasion of the rebrand, the malware author released the data stolen in the CD Projekt Red breach and 2022 Cisco attack.
Twinkling Scorpius has previously impacted organizations in the following sectors:
Phobos
Weary Scorpius is a RaaS group that first appeared in 2018, distributing Phobos ransomware. Their creations are closely related to the Dharma ransomware family, sharing similar tactics and techniques.
Despite its simplistic design, the Phobos ransomware has gained popularity among cybercriminals due to its effectiveness in compromising systems through well-established vectors like insecure RDP connections and phishing emails. The threat primarily targets servers, capitalizing on their value to organizations to demand higher ransoms. It employs a partial encryption strategy for large files, reducing the time required to complete its encryption routine.
Over time, the ransomware evolved to incorporate techniques aimed at reducing the efficacy of recovery efforts. This included activities such as disabling system recovery options and deleting shadow copies and backup catalogs.
Phobos ransomware has been reported in various countries, including the U.S., Portugal, Brazil and Japan. This wide targeting spectrum underscores Weary Scorpius' adaptability and the threat they pose to a diverse range of organizations.
Weary Scorpius has previously impacted organizations in the following sectors: