Blog
Research, detection engineering notes, and incident response lessons learned.
Latest
Charming Kitten, also known as APT35, Phosphorus, Newscaster, and TA453, is a state-sponsored cyber espionage group linked to the Islamic Revolutionary Guard Corps (IRGC) of Iran. Active since at least 2014, Charming Kitten is known for its targeted credential harvesting, social engineering, and espionage operations against individuals and organisations in the academic, governmental, defence, human rights, and journalistic sectors.
Cl0p is a high-impact ransomware group operating under a double extortion model, best known for its targeted exploitation of enterprise file transfer systems and public data leaks involving some of the world’s largest organisations. Active since at least 2019, Cl0p (also styled as Clop) operates a sophisticated, financially motivated operation that combines custom ransomware tooling, advanced vulnerability exploitation, and a well-maintained leak portal.
Crypto24 is an emerging ransomware group first identified in early 2024, known for its data theft and encryption-based extortion campaigns. Operating with a quiet but deliberate methodology, Crypto24 favours low-volume, high-impact attacks, typically against small to mid-sized enterprises with moderate cybersecurity maturity and valuable operational data.
DarkVault is a relatively new but increasingly active ransomware group, first identified in late 2023, and quickly establishing itself as a quiet but formidable actor in the double extortion space. The group targets medium to large organisations across Europe, the UK, and North America, with an emphasis on finance, professional services, logistics, legal, and technology sectors.
Dunghill Leak is a data extortion group that emerged publicly in 2023. The group became known for targeting government agencies, educational institutions, and critical infrastructure organisations, primarily in Europe and North America. Unlike most ransomware groups, Dunghill Leak appears to focus entirely on data theft and public exposure, with little to no evidence of file encryption.
Gallium is a cyber espionage group attributed to China, active since at least 2012. The group has been observed conducting highly targeted operations against telecommunications providers, government entities, and critical infrastructure, primarily in Asia and the Middle East, though European organisations—including those in the UK—have also been affected.
Ghostwriter, also tracked as UNC1151, is a cyber influence and espionage operation attributed to actors aligned with Belarus, with potential support or collaboration from Russian military intelligence. First publicly identified in 2017, Ghostwriter has conducted coordinated disinformation campaigns and cyber intrusions targeting political, military, and civil institutions across NATO member states, with particular focus on Poland, Lithuania, Latvia, and Ukraine.
Hellcat is a newly emerged ransomware group active since early 2024, known for its use of double extortion tactics and aggressive targeting of vulnerable infrastructure. Despite its relative youth in the cyber threat landscape, Hellcat has already demonstrated notable sophistication, including support for cross-platform environments and tailored encryption payloads for specific enterprise systems.
Hunters International, often referred to simply as Hunters, is a financially motivated ransomware group that emerged in late 2023. Operating a structured Ransomware-as-a-Service (RaaS) model, Hunters offers its platform to affiliates while managing infrastructure, data leak portals, and ransom negotiations.
Incransom is a newly identified ransomware group, first observed in early 2024, that has rapidly gained attention for its aggressive, fast-impact attacks on small and mid-sized organisations. The group employs a double extortion strategy, combining rapid encryption of critical systems with the theft of sensitive data to increase leverage during ransom negotiations.
KelvinSec is an opportunistic cybercrime collective active since at least 2022. The group is known for targeting vulnerable systems, stealing data, and leaking or selling that information via dark web forums and Telegram channels. Although it presents itself with ideological overtones, KelvinSec’s primary motivation appears to be financial, often demanding payment in exchange for withholding or deleting stolen data.
KillSec (short for “Kill Security”) is a self-proclaimed hacktivist collective that emerged in early 2022, and has since been linked to a series of politically motivated distributed denial-of-service (DDoS) attacks, data leaks, and website defacements. Unlike financially driven ransomware groups, KillSec claims to act in response to geopolitical events, aligning itself with anti-Western, anti-NATO, and pro-Russian narratives.