Track and analyze APT groups, ransomware gangs, hacktivists and cybercrime organizations — their targets, malware, techniques and IOCs updated in real time.
500+ Threat Actors
100K+ IOC Indicators
10K+ ATT&CK Techniques
NoName057 (APT)
Aliases: 05716nnm · Nnm05716 · NoName057(16) · NoName05716
Target Sectors: Food Manufacturing · Other Information Services · Monetary Authorities-Central Bank · Credit Unions · +52
Associated Malware: limerat · agent_btz · Smoke Loader · Asprox · +53
Related CVEs: CVE-2025-64669 · CVE-2025-5777 · CVE-2025-34067 · CVE-2025-2857 · +13
ATT&CK IDs: T1453 · T1105 - Ingress Tool Transfer · T1095 - Non Application Layer Protocol · T1497 - Virtualization/Sandbox Evasion · +218

Target Countries: Canada · United States
Target Sectors: Professional&Technical Services · Educational Services · HealthCare & Social Assistance · Public Administration · +2
ATT&CK IDs: T1190 - Exploit Public Facing Application · T1003 - OS Credential Dumping · T1078 - Valid Accounts · T1567 - Exfiltration Over Web Service · +1

Target Sectors: Funds, Trusts, and Other Financial Vehicles · Hospitals · Public Administration · Oil & Gas · +32
Associated Malware: win.flash_develop
Related CVEs: CVE-2025-59287
ATT&CK IDs: T1078.001 · T1068 · T1105 · T1193

Lazarus Group (APT)
Aliases: APT 38 · APT-C-26 · APT38 · ATK117
Target Sectors: Food Manufacturing · Hospitals · Manufacturing · Public Administration · +58
Associated Malware: win.sierras · win.neddnloader · win.snatchcrypto · win.coredn · +82
Related CVEs: CVE-2025-9491 · CVE-2025-9074 · CVE-2025-8088 · CVE-2025-7775 · +256
ATT&CK IDs: T1561 - Disk Wipe · T1547.008 - LSASS Driver · T1568.002 · T1112 - Modify Registry · +547

Target Sectors: Construction of Buildings · Food Manufacturing · Other Information Services · Software Publishers · +187
Related CVEs: CVE-2026-50752 · CVE-2026-50751 · CVE-2025-5777 · CVE-2025-53771 · +32
ATT&CK IDs: T1486 · T1490 · T1078 · T1071.001 · +1

thegentlemen (Ransomware)
Aliases: The Gentlemen Ransomware · the gentlemen
Target Sectors: Construction of Buildings · Food Manufacturing · Other Information Services · Rail Transportation · +144
Related CVEs: CVE-2025-7771 · CVE-2025-33073 · CVE-2025-32433 · CVE-2024-55591 · +2
ATT&CK IDs: T1190 · T1078 · T1087 · T1046 · +4

shinyhunters (Ransomware)
Aliases: UNC6040 · Scattered Lapsus$ Hunters (SLH) · ShinyCorp
Target Sectors: Food Manufacturing · Other Information Services · Credit Unions · Rail Transportation · +89
Related CVEs: CVE-2026-35273 · CVE-2025-61884 · CVE-2025-61882 · CVE-2025-55234 · +16

DragonForce (Ransomware)
Aliases: Water Tambanakua
Target Sectors: Construction of Buildings · Food Manufacturing · Other Information Services · Monetary Authorities-Central Bank · +131
Related CVEs: CVE-2025-6264 · CVE-2025-61155 · CVE-2025-59287 · CVE-2025-47176 · +21
ATT&CK IDs: T1071.001 · T1499 · T1569.002

SOCRadar Threat Actor Database is a free repository of structured intelligence profiles covering over 500 documented cyber threat actors — nation-state APT groups, ransomware operations, hacktivist collectives and financially motivated cybercrime organizations. Each profile aggregates origin country, targeted sectors and geographies, attributed malware families, known aliases, historical campaigns, MITRE ATT&CK technique coverage and indicators of compromise. No account required.
F.A.Q.
Common questions about threat actors and APT groups

What is the Threat Actor Intelligence database?
The SOCRadar Threat Actor Intelligence database is a free, continuously updated repository of profiles for nation-state groups, cybercriminal organizations, ransomware gangs, hacktivists, and advanced persistent threat (APT) actors. Each profile aggregates intelligence from open-source research, dark web monitoring, and SOCRadar's proprietary telemetry to give security teams a comprehensive view of who is operating in the current threat landscape.

What information is included in a threat actor profile?
Each threat actor profile includes: known aliases and group names, country of origin or suspected attribution, motivation (financial, espionage, ideological, destructive), active since date, targeted industries and geographies, preferred attack techniques mapped to MITRE ATT&CK, malware families and tools used, associated campaigns, recent activity timeline, and key indicators of compromise (IOCs). Ransomware group profiles additionally include confirmed victim counts and leak site details.

How is threat actor attribution determined?
Attribution is based on multiple convergent evidence sources: shared malware code and tooling, infrastructure overlaps (shared IPs, domains, hosting providers), operational patterns and working hours, language artifacts in malware samples, target selection consistency, and dark web communications. SOCRadar clearly distinguishes between high-confidence attribution (multiple corroborating sources) and low-confidence attribution (circumstantial evidence), following industry-standard intelligence assessment practices.

How can I use threat actor intelligence to protect my organization?
Identify which threat actors target your industry and geography, then use their known TTPs (tactics, techniques, and procedures) to assess your defensive coverage. If an actor known to target your sector uses specific attack vectors (spear-phishing, VPN exploitation, supply chain compromise), you can prioritize defenses accordingly. Threat actor IOCs can be loaded into SIEM, EDR, and firewall blocklists for proactive detection. During incident response, actor profiles help predict attacker behavior and lateral movement patterns.

What is the difference between APT groups and cybercriminal groups?
APT (Advanced Persistent Threat) groups are typically state-sponsored or state-affiliated actors whose primary motivation is espionage, intellectual property theft, or strategic disruption. They operate with significant resources, sophisticated tooling, and long dwell times. Cybercriminal groups are primarily financially motivated — ransomware, fraud, credential theft, and cryptomining. The distinction matters for response: APT intrusions often require a full forensic investigation and potential law enforcement engagement, while criminal incidents typically follow faster remediation and recovery patterns.