Track and analyze APT groups, ransomware gangs, hacktivists and cybercrime organizations — their targets, malware, techniques and IOCs updated in real time.
500+ Threat Actors
100K+ IOC Indicators
10K+ ATT&CK Techniques
SOCRadar Threat Actor Database is a free repository of structured intelligence profiles covering over 500 documented cyber threat actors — nation-state APT groups, ransomware operations, hacktivist collectives and financially motivated cybercrime organizations. Each profile aggregates origin country, targeted sectors and geographies, attributed malware families, known aliases, historical campaigns, MITRE ATT&CK technique coverage and indicators of compromise. No account required.
F.A.Q.
Common questions about threat actors and APT groups

What is the Threat Actor Intelligence database?
The SOCRadar Threat Actor Intelligence database is a free, continuously updated repository of profiles for nation-state groups, cybercriminal organizations, ransomware gangs, hacktivists, and advanced persistent threat (APT) actors. Each profile aggregates intelligence from open-source research, dark web monitoring, and SOCRadar's proprietary telemetry to give security teams a comprehensive view of who is operating in the current threat landscape.

What information is included in a threat actor profile?
Each threat actor profile includes: known aliases and group names, country of origin or suspected attribution, motivation (financial, espionage, ideological, destructive), active since date, targeted industries and geographies, preferred attack techniques mapped to MITRE ATT&CK, malware families and tools used, associated campaigns, recent activity timeline, and key indicators of compromise (IOCs). Ransomware group profiles additionally include confirmed victim counts and leak site details.

How is threat actor attribution determined?
Attribution is based on multiple convergent evidence sources: shared malware code and tooling, infrastructure overlaps (shared IPs, domains, hosting providers), operational patterns and working hours, language artifacts in malware samples, target selection consistency, and dark web communications. SOCRadar clearly distinguishes between high-confidence attribution (multiple corroborating sources) and low-confidence attribution (circumstantial evidence), following industry-standard intelligence assessment practices.

How can I use threat actor intelligence to protect my organization?
Identify which threat actors target your industry and geography, then use their known TTPs (tactics, techniques, and procedures) to assess your defensive coverage. If an actor known to target your sector uses specific attack vectors (spear-phishing, VPN exploitation, supply chain compromise), you can prioritize defenses accordingly. Threat actor IOCs can be loaded into SIEM, EDR, and firewall blocklists for proactive detection. During incident response, actor profiles help predict attacker behavior and lateral movement patterns.

What is the difference between APT groups and cybercriminal groups?
APT (Advanced Persistent Threat) groups are typically state-sponsored or state-affiliated actors whose primary motivation is espionage, intellectual property theft, or strategic disruption. They operate with significant resources, sophisticated tooling, and long dwell times. Cybercriminal groups are primarily financially motivated — ransomware, fraud, credential theft, and cryptomining. The distinction matters for response: APT intrusions often require a full forensic investigation and potential law enforcement engagement, while criminal incidents typically follow faster remediation and recovery patterns.