
Insights & Blog

Research, detection engineering notes, and incident response lessons learned.

Latest


Sarcoma Ransomware Group

Sarcoma is a relatively new but technically competent ransomware group, first identified in early 2024. Like many contemporary cybercriminal entities, Sarcoma operates under a double extortion model, combining traditional ransomware encryption with the theft and threatened exposure of sensitive data. While still considered an emerging threat, Sarcoma’s campaigns demonstrate a high degree of intentionality, persistence, and an increasing level of sophistication.

Scattered Spider (Octo Tempest) – Threat Actor Profile

Scattered Spider, also tracked as Octo Tempest by Microsoft, is a financially motivated threat actor that has rapidly gained prominence for its use of advanced social engineering, SIM swapping, and multi-stage extortion campaigns. First observed in 2022, the group has successfully infiltrated major companies across multiple sectors, including telecommunications, technology, hospitality, and critical infrastructure.

Silent Ransom (Silk Typhoon) – Threat Actor Profile

Silent Ransom, also referred to as Silk Typhoon by Microsoft, is a Chinese state-aligned threat actor operating at the intersection of cyber espionage and data extortion. The group is known for conducting stealthy intrusions into government, telecom, and critical infrastructure organisations, typically without deploying ransomware in the traditional sense. Instead, it focuses on access operations, credential theft, and selective data exfiltration, occasionally coupled with financial or reputational extortion.

TA406 / Phosphorus

TA406, also tracked as Phosphorus, Charming Kitten, or APT35 in overlapping campaigns, is an Iranian-linked cyber espionage group that has been active since at least 2015. While TA406 shares infrastructure and methodology with other Iranian threat actors, it is uniquely focused on long-term intelligence gathering through persistent spear-phishing campaigns, credential theft, and surveillance of individuals in strategic policy, defence, human rights, and academia.

UserSec Collective

UserSec Collective is a pro-Russian hacktivist entity active since mid-2022. The group promotes itself as a decentralised digital army operating in support of Russian national interests and frequently targets government, financial, and public sector websites across NATO-aligned nations. Like other politically aligned hacktivist groups, UserSec primarily uses denial-of-service attacks and defacement tactics, alongside an active propaganda presence on Telegram and fringe social media platforms.

Mastering Threat Hunting: Scaling Threat Hunting with Automation and Orchestration

Throughout this series, we’ve explored the strategic frameworks, essential tools, and real-world scenarios that define effective threat hunting. Scaling Threat Hunting with Automation and Orchestration delves into the critical strategies of automation and orchestration, revealing how organisations can effectively scale their threat-hunting capabilities without compromising accuracy or effectiveness.

Mastering Threat Hunting: Real-World Threat Hunting Scenarios

Having covered structured frameworks, methodologies, and essential tools, it’s time to explore real-world scenarios that illustrate the power and effectiveness of proactive threat hunting. Through these detailed case studies, we aim to highlight practical applications of the techniques and tools we’ve previously discussed, showing clearly how structured methodologies deliver measurable value in detecting and mitigating threats.