Threat Actor Intelligence

INC Ransomware

AKA: GOLD IONIC, G1032, Vanilla Tempest (affiliate)

#1 most deployed ransomware in July 2025 with 300+ victims. RaaS double-extortion operation targeting healthcare and government. Windows + Linux/ESXi variants. Lynx ransomware derivative.

Salt Typhoon

AKA: Earth Estries, Ghost Emperor, UNC2286, FamousSparrow

PRC MSS-affiliated actor responsible for largest telecom breach in US history. 9 major carriers compromised, CALEA lawful intercept weaponized. $10M FBI bounty.

Flax Typhoon

AKA: Raptor Train, Ethereal Panda, RedJuliett

Operates 200,000+ device Raptor Train botnet via Integrity Technology Group. Compromised SOHO routers, NAS, IP cameras serve as proxy infrastructure. FBI disrupted Sep 2024.

UNC5221 / WARP PANDA

AKA: UNC5337 (merged), UTA0178

China-nexus state-sponsored espionage actor targeting edge devices and virtualization infrastructure. Known for BRICKSTORM backdoor, 393-day average dwell time, and 5+ zero-day exploits.

Qilin Ransomware

AKA: Agenda

#1 ransomware threat to US SLTT organizations. Known for GPO-based Chrome credential harvesting and BYOVD EDR evasion with dark.sys driver.

Scattered Spider

AKA: UNC3944, Octo Tempest, 0ktapus

Social engineering specialists targeting identity providers. Known for SIM swapping, MFA bombing, and help desk impersonation.

APT44 / Sandworm

AKA: Sandworm Team, Voodoo Bear, IRIDIUM

Russian military intelligence unit responsible for NotPetya, Olympic Destroyer, and ongoing attacks against Ukraine and NATO allies.

Volt Typhoon

AKA: VOLTZITE, Bronze Silhouette, Vanguard Panda, Insidious Taurus

China-nexus actor pre-positioning in US critical infrastructure. Living-off-the-land techniques for long-term persistence.

Z-Pentest

AKA: ZPT

Pro-Russian hacktivist group targeting industrial control systems and critical infrastructure in NATO countries.

SafePay Ransomware

Emerging RaaS operation with unique encryption and double extortion tactics. Growing victim count in Q4 2024.