Threat Actor Groups Tracked by Palo Alto Networks Unit 42

This post is also available in: 日本語 (Japanese)

Executive Summary

This article lists the threat actors tracked by Palo Alto Networks Unit 42, using our specific designators for these groups. We've organized them in alphabetical order of their assigned constellation. The information presented here is a comprehensive list of these threat actors, along with key information like the category of threat actor, industries typically impacted and a summary of the overall threat. We intend this to be a centralized destination for readers to review the breadth of our research on these notable cyber threats.

Palo Alto Networks customers are better protected from threat actors through the use of our products like our Next-Generation Firewall with Cloud-Delivered Security Services that include Advanced WildFire, Advanced DNS Security, Advanced Threat Prevention and Advanced URL Filtering. Our customers are also better protected through our line of Cortex products and Prisma SASE.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics	Cybercrime, Nation-State Cyberattacks

Nation-State Threat Actor Groups

Unit 42 considers the following groups to have a motivation that is primarily state-backed rather than financial. There can also be some cybercrime motivation for threat groups in this category, but we believe their main motivation is in furthering the interest of their sponsoring nation.

Draco – Pakistan

Draco, the dragon, is the constellation chosen for threat actor groups from Pakistan. These groups have been seen targeting India and other South Asian countries.

Mocking Draco

Also Known As

G1008, sidecopy, unc2269, white dev 55

Summary

Mocking Draco is a Pakistan-based threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Their malware’s common name, Sidecopy, comes from its infection chain that tries to mimic the malware of Venomous Gemini, which is called SideWinder. This actor has reported similarities with Opaque Draco and is possibly a subdivision of this actor.

Sectors Impacted

Mocking Draco has previously impacted organizations in the following sectors:

• Government

Opaque Draco

Also Known As

APT36, C-Major, Cmajor, COPPER FIELDSTONE, Fast-Cargo, G0134, Green Halvidar, Havildar Team, Lapis, Mythic Leopard, ProjectM, Transparent Tribe

Summary

Opaque Draco is a Pakistan-based threat group that has been active since 2013. They primarily target Indian governmental, military and educational sectors.

Sectors Impacted

Opaque Draco has previously impacted organizations in the following sectors:

• Education
• Government
• Military

Gemini – India

Threat actor groups from India are named for the constellation Gemini.

Venomous Gemini

Also Known As

DEV-0124, Dropping Elephant, Leafperphorator, Orange Chandi, Rattlesnake, Razor Tiger, Sidewinder, T-APT-04, UNC1687, G0121

Summary

Venomous Gemini represents a threat group (or groups) with a suspected Indian nexus that has been active since 2012. Venomous Gemini is active and frequently targets Pakistan and, to a lesser extent, other countries in Asia including Nepal, Sri Lanka, Bangladesh and China. Their primary targets include government and military organizations, but other industries have been reported targets as well.

Sectors Impacted

Venomous Gemini has previously impacted organizations in the following sectors:

• Federal Government
• Military

Lynx – Belarus

Belarusian threat groups are named for the constellation Lynx.

White Lynx

Also Known As

Ghostwriter, Storm-0257, UNC1151

Summary

White Lynx is a nation-state threat actor assessed with high confidence to be linked with the Belarusian government. Their main focus is on countries neighboring Belarus, such as Ukraine, Lithuania, Latvia, Poland and Germany. Their targeting also includes Belarusian dissidents, media entities and journalists.

Sectors Impacted

White Lynx has previously impacted organizations in the following sectors:

• Construction
• Education
• Federal Government
• Healthcare
• High Technology
• Insurance
• Manufacturing
• Media and Entertainment
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Wholesale and Retail

Pisces – North Korea

Threat actor groups attributed to North Korea are represented by the constellation Pisces. These groups have impacted many industries with a focus on cyberespionage and financial crime.

Jumpy Pisces

Also Known As

Andariel, Black Artemis, COVELLITE, Onyx Sleet, PLUTONIUM, Silent Chollima, Stonefly, UNC614, Lazarus, Lazarus Group

Summary

Jumpy Pisces is a nation-state threat actor associated with the notorious Lazarus Group and the Democratic People’s Republic of Korea (DPRK). Jumpy Pisces is believed to be a subgroup of the Lazarus group that branched out around 2013. The group has demonstrated a high degree of adaptability, complexity and technical expertise in its operations, with a focus on cyber espionage, financial crime and ransomware attacks.

Jumpy Pisces primarily targets South Korean entities with a variety of attack vectors, including spear phishing, watering hole attacks and supply chain attacks. They have been observed exploiting vulnerabilities in various software, including asset management programs and known but unpatched public services, to distribute its malware. The group also abuses legitimate software and proxy and tunneling tools for its malicious activities.

Sectors Impacted

Jumpy Pisces has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Financial Services
• Government
• Healthcare
• IT Services
• Manufacturing
• Pharma and Life Sciences
• Utilities and Energy

Slow Pisces

Also Known As

Dark River, DEV-0954, Jade Sleet, Storm-0954, Trader Traitor, TraderTraitor, UNC4899, Lazarus, Lazarus Group

Summary

Slow Pisces is North Korea's nation state threat group under Reconnaissance General Bureau (RGB) of DPRK. It's believed to be a spin-off from the Lazarus group with focus on financial gathering and crypto industry targeting goals. Their primary task since 2020 is generating revenue for the DPRK regime and they do so by targeting organizations that handle large volumes of cryptocurrency. They have reportedly stolen in excess of $1 billion in 2023 alone.

Secondary to revenue generation, Slow Pisces has also compromised aerospace, defense and industrial organizations, likely with the aim of espionage to advance DPRK’s military capabilities.

Sectors Impacted

Slow Pisces has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Cryptocurrency Industry
• Financial Services
• High Technology

Serpens – Iran

Iranian-attributed groups are named for the constellation Serpens, the snake. Our research on these groups highlights their targets and TTPs as they evolve.

Academic Serpens

Also Known As

COBALT DICKENS, DEV-0118, Mabna Institute, Silent Librarian, Yellow Nabu

Summary

Academic Serpens is a state-sponsored group active since at least 2013 that is attributed to Iran, which has traditionally focused on Middle Eastern targets and Nordic universities in the EU. Members of Academic Serpens are affiliated with the Iran-based Mabna Institute, which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). They have targeted research and proprietary data at universities, government agencies and private sector companies worldwide. There has been a notable decrease in activity from this group since the international COVID crisis in 2020.

Sectors Impacted

Academic Serpens has previously impacted organizations in the following sectors:

• Education
• Government

Agent Serpens

Also Known As

APT35, APT42, Ballistic Bobcat, Charming Kitten, Cobalt Illusion, Damselfly, DireFate, G0059, Greycatfish, Group 83, Iridium Group, ITG18, Magic Hound, Mint Sandstorm, Newscaster, PHOSPHOROUS, PHOSPHORUS, Saffron Rose, TA453, White Phosphorous, Yellow Garuda

Summary

Agent Serpens is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyberespionage operations, likely on behalf of the Islamic Revolutionary Guard Corps (IRGC). This group targets dissidents, activists, journalists and other groups that pose a risk or protests against the Iranian government, with a notable focus on groups in Israel and the U.S. For initial access, they have traditionally used spear phishing, exploitation or remote access devices and they have also focused on credential harvesting. They use both commodity malware (infostealers) and custom malware.

Sectors Impacted

Agent Serpens has previously impacted organizations in the following sectors:

• Automotive
• Civil Engineering
• Education
• Federal Government
• Finance
• Financial Services
• Healthcare
• High Technology
• Higher Education
• Manufacturing
• Media and Entertainment
• Noncommercial Research Organizations
• Pharma and Life Sciences
• Telecommunications

Agonizing Serpens

Also Known As

Agrius, BlackShadow, Pink Sandstorm, Spectral Kitten

Summary

Agonizing Serpens is a nation-state group active since 2020, attributed to Iran’s Ministry of Intelligence and Security (MOIS). This group engages in espionage, ransomware and destructive malware attacks against targets in the Middle East, with a significant focus on attacks against Israel. Their focus is data stealing and espionage, then deploying wipers to cover their tracks.

Sectors Impacted

Agonizing Serpens has previously impacted organizations in the following sectors:

• Education
• Information Technology
• Insurance
• Professional and Legal Services
• Wholesale and Retail

Boggy Serpens

Also Known As

COBALT ULSTER, Earth Vetala, G0069, Mercury, MuddyWater, Seedworm, Static Kitten, TEMP.Zagros, Yellow Nix

Summary

Boggy Serpens is a cyberespionage group active since at least 2017 that is assessed to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS). Boggy Serpens has targeted a range of government organizations and private organizations across sectors including telecommunications, local government, defense, oil and natural gas in the Middle East, Asia, Africa, Europe and North America.

They traditionally gain access via spear phishing and exploitation of publicly known vulnerabilities. They provide stolen data and access to the Iranian government as well as other threat actors. Boggy Serpens develops custom malware and they make extensive use of obfuscated PowerShell scripts.

Sectors Impacted

Boggy Serpens has previously impacted organizations in the following sectors:

• Financial Services
• Healthcare
• Insurance
• Telecommunications
• Transportation and Logistics

Devious Serpens

Also Known As

Cobalt Fireside, Curium, G1012, Imperial Kitten, Tortoiseshell, Yellow Liderc

Summary

Devious Serpens are an Iranian-based threat actor known for using social engineering tactics as well as malware that communicates via IMAP. Their attacks use watering hole attacks as well as their own controlled sites meant to impersonate employment opportunities that might interest their victims.

The malware that they have built often uses IMAP with specific email addresses for command and control (C2). With such tools, communication typically occurs via specific folders and message protocols on the C2 email address.

Sectors Impacted

Devious Serpens has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Information Technology Services

Evasive Serpens

Also Known As

Alibaba, APT34, Chrysene, Cobalt Gypsy, Crambus, Europium, G0049, Group 41, Hazel Sandstorm, Helix Kitten, IRN2, OilRig, Powbat, TEMP.Akapav, Twisted Kitten, Yossi

Summary

Evasive Serpens is a threat group Unit 42 discovered in May 2016. They are a nation-state threat group attributed to Iran. This threat group is extremely persistent and relies heavily on spear phishing as their initial attack vector. However, they have also been associated with other more complex attacks such as credential harvesting campaigns and DNS hijacking.

In their spear phishing attacks, Evasive Serpens preferred macro-enabled Microsoft Office (Word and Excel) documents to install their custom payloads that came as portable executables (PE), PowerShell and VBScripts. The group’s custom payloads frequently used DNS tunneling as a C2 channel.

Sectors Impacted

Evasive Serpens has previously impacted organizations in the following sectors:

• Chemical Manufacturing
• Financial Services
• Government
• Telecommunications
• Utilities and Energy

Taurus – China

Chinese threat actor groups take their name from the constellation Taurus – the bull. Due to the long history and multiplicity of Chinese APTs, there is a lot to be discovered about these groups in our research archives.

Alloy Taurus

Also Known As

G0093, GALLIUM, Granite Typhoon, Operation Soft Cell, Othorene, Red Dev 4

Summary

Alloy Taurus is a cyberespionage group that has been active since at least 2012. This threat actor exploits internet-facing web applications to gain initial access to victim organizations.

Once they have access, they use a mixture of custom tools, malware and open-source tools (or custom variants). They sometimes sign code with legitimate, stolen certificates. They have compromised targets in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, Nepal, the Philippines, Russia, South Africa and Vietnam.

Sectors Impacted

Alloy Taurus has previously impacted organizations in the following sectors:

• Federal Government
• Financial Services
• Telecommunications

Charging Taurus

Also Known As

Circle Typhoon, DEV-0322, TGR-STA-0027, Tilted Temple

Summary

Charging Taurus is a state-sponsored cyberespionage group attributed to China, active since 2021. The group's goal is to steal intellectual property aligned with China's national interests. The group is capable of exploiting undisclosed zero-day vulnerabilities. The group has a possible tie to Insidious Taurus.

Sectors Impacted

Charging Taurus has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Biotechnology
• High Technology
• Semiconductor Industry

Dicing Taurus

Also Known As

Jackpot Panda

Summary

Dicing Taurus is a state-sponsored group attributed to China. They focus on the illegal online gambling sector in Southeast Asia, particularly emphasizing data collection for monitoring and countering related activities in China. The i-Soon leak in February 2024 revealed that i-Soon was likely involved in Dicing Taurus's operations, along with the Ministry of Public Security of China.

The group is also responsible for distributing a trojanized installer for CloudChat, a chat application popular with Chinese-speaking illegal gambling communities in mainland China. The trojanized installer served from CloudChat’s website contained the first stage of a multi-step process.

Sectors Impacted

Dicing Taurus has previously impacted organizations in the following sectors:

• Online Gambling
• Software and Technology

Digging Taurus

Also Known As

BRONZE HIGHLAND, Daggerfly, Evasive Panda

Summary

Digging Taurus is a China-based group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.

Sectors Impacted

Digging Taurus has previously impacted organizations in the following sectors:

• Computer Integrated Systems Design
• Executive Offices
• Non-profit
• State and Local Government
• Telecommunications

Insidious Taurus

Also Known As

BRONZE SILHOUETTE, DEV-0391, UNC3236, Vanguard Panda, Volt Typhoon, Voltzite, G1017

Summary

Insidious Taurus is a Chinese state-sponsored actor typically focusing on espionage and information gathering, active since 2021. Insidious Taurus evades detection by using various living-off-the-land (LotL) techniques, using in-built system tools to perform their objectives and blend in with regular system noise.

The actor leverages compromised small office/home office (SOHO) network devices as intermediate infrastructure to further obscure their activity. Insidious Taurus exploits vulnerabilities in internet-facing devices and systems as an initial access vector.

Sectors Impacted

Insidious Taurus has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Information Technology Services
• Manufacturing
• Telecommunications
• Transportation and Logistics
• Utilities

Jumper Taurus

Also Known As

APT40, BRONZE MOHAWK, Electric Panda, Gadolinium, Gingham Typhoon, IslandDreams, Kryptonite Panda, Ladon, Leviathon, Pickleworm, Red Ladon, TEMP.Jumper, TEMP.Periscope

Summary

Jumper Taurus is a state-sponsored cyberespionage group believed to be linked to the Chinese government. Active since at least 2013, the group has consistently demonstrated advanced tactics, techniques and procedures (TTPs), supporting China's strategic objectives in sensitive research or holding strategic geopolitical relationships.

The group's operations use phishing emails and exploit web server vulnerabilities for initial access. The group has shown a particular interest in maritime-related targets, those associated with China's naval modernization efforts and the Belt and Road Initiative.

Sectors Impacted

Jumper Taurus has previously impacted organizations in the following sectors:

• Education
• Financial Services
• Government
• Healthcare
• Utilities and Energy

Playful Taurus

Also Known As

APT15, Backdoor Diplomacy, BRONZE PALACE, Buck09, Bumble Bee, G0004, Gref, Ke3chang, Mirage, Nickel, Playful Dragon, Red Hera, RoyalAPT, Vixen Panda

Summary

Playful Taurus is a state-sponsored espionage group attributed to China. The group has been active since at least 2010. Playful Taurus has historically targeted government and diplomatic entities across North and South America, Africa and the Middle East. They leverage a mix of commodity tooling and malware as well as custom backdoors.

Sectors Impacted

Playful Taurus has previously impacted organizations in the following sectors:

• Government
• Non-profits
• Telecommunications

Sentinel Taurus

Also Known As

Earth Empusa, Evil Eye, EvilBamboo, Poison Carp

Summary

Sentinel Taurus is a state-sponsored threat group that has shown significant interest in Tibetan, Uyghur and Taiwanese targets. The group reportedly used spear phishing and watering hole techniques to deliver iOS and Android mobile malware payloads to their targets.

Sectors Impacted

Sentinel Taurus has previously impacted organizations in the following sectors:

• Education
• State and Local Government

Stately Taurus

Also Known As

Rhysida, Bronze Fillmore, BRONZE PRESIDENT, DEV-0117, G0129, HoneyMyte, Luminous Moth, Mustang Panda, PKPLUG, Red Lich, RedDelta, TA416, Tantalum, TEMP.Hex

Summary

Stately Taurus is a China-based cyberespionage threat actor that was first observed in 2017, but they may have been conducting operations since at least 2012. Stately Taurus has targeted government entities, nonprofits, religious and other non-governmental organizations in countries including the U.S., Europe, Mongolia, Myanmar, Pakistan and Vietnam.

Sectors Impacted

Stately Taurus has previously impacted organizations in the following sectors:

• Federal Government
• Professional and Legal Services

Ursa – Russia

Russian threat groups tracked by Unit 42 are named for the Ursa constellation. We report on these groups regularly and have a significant archive of material.

Cloaked Ursa

Also Known As

APT29, Backswimmer, Blue Kitsune, Blue Nova, Cozy, CozyBear, CozyDuke, Dark Halo, DEV-0473, Dukes, Eurostrike, G0016, Group 100, Hagensia, Iron Hemlock, Iron Ritual, Midnight Blizzard, Nobelium, Noblebaron, Office Monkeys, Office Space, Solarstorm,  TAG-11, The Dukes, UAC-0029, UNC2452, YTTRIUM, UNC3524

Summary

Cloaked Ursa is a nation-state threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes and think tanks. Cloaked Ursa reportedly compromised the Democratic National Committee (DNC) starting in the summer of 2015 and they were responsible for the SolarWinds breach in 2019-2020.

Sectors Impacted

Cloaked Ursa has previously impacted organizations in the following sectors:

• Federal Government
• High Technology
• Manufacturing
• Utilities

Fighting Ursa

Also Known As

APT28, Fancy Bear, G0007, Group 74, IRON TWILIGHT, Pawn Storm, PawnStorm, Sednit, SNAKEMACKEREL, Sofacy, STRONTIUM, Swallowtail, TG-4127, Threat Group-4127, Tsar Team, TsarTeam, UAC-0028

Summary

Fighting Ursa is a nation-state threat group attributed to Russia’s General Staff Main Intelligence Directorate (GRU), 85th special Service Centre (GTsSS) military intelligence Unit 26165. They are well known for their focus on targets of Russian interest, especially those of military interest. They are known as one of the two Russian groups that compromised the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) during the 2016 election cycle.

Sectors Impacted

Fighting Ursa has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Education
• Federal Government
• Government
• IT Services
• Media
• Telecommunications
• Transportation
• Transportation and Logistics
• Utilities and Energy

Mythic Ursa

Also Known As

Blue Callisto, Callisto, Callisto Group, COLDRIVER, Dancing Salome, Grey Pro, IRON FRONTIER, Reuse Team, SEABORGIUM, Star Blizzard

Summary

Mythic Ursa is a Russian group linked to Russia’s “Centre 18” Federal Security Service (FSB) division, focused on credential harvesting from high-profile individuals. This group often uses fake accounts to establish rapport with their targets and eventually sends a phishing link to gather credentials. This group was last observed using custom malware in November 2022.

Sectors Impacted

Mythic Ursa has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Federal Government
• Higher Education
• International Affairs
• Transportation and Logistics

Pensive Ursa

Also Known As

Turla, Uroburos, Snake, BELUGASTURGEON, Boulder Bear, G0010, Group 88, IRON HUNTER, Iron Pioneer, Krypton, Minime, Popeye, Turla Team, Venomous Bear, Waterbug, White Atlas, WhiteBear, Witchcoven

Summary

Pensive Ursa is a Russian-based threat group operating since at least 2004, which is linked to Russia’s “Centre 18” Federal Security Service (FSB).

Sectors Impacted

Pensive Ursa has previously impacted organizations in the following sectors:

• Defense Systems and Equipment
• Education
• Government
• Healthcare
• Non-profit
• Pharmaceutical Preparations
• Research

Razing Ursa

Also Known As

BlackEnergy, Blue Echidna, Cyclops Blink, ELECTRUM, G0034, Grey Tornado, IRIDIUM, IRON VIKING, OlympicDestroyer, Quedagh, Sandworm, Sandworm Team, Telebots, UAC-0082, Voodoo Bear

Summary

Razing Ursa is a nation-state group attributed to a subgroup of the Russian General Staff Main Intelligence Directorate (GRU). They use spear phishing and vulnerabilities to access systems with the goal of espionage or destruction. This group's activities have targeted industrial control systems or use distributed denial of service (DDoS) attacks to disrupt critical infrastructure.

Sectors Impacted

Razing Ursa has previously impacted organizations in the following sectors:

• Federal Government
• Financial Services
• Media and Entertainment
• Telecommunications
• Transportation and Logistics
• Utilities and Energy

Trident Ursa

Also Known As

Actinium, Armageddon, DEV-0157, G0047, Gamaredon Group, IRON TILDEN, Primitive Bear, Shuckworm, UAC-0010

Summary

Trident Ursa is a nation-state threat group that has been active since at least 2013. This group has targeted individuals likely related to the Ukrainian government and military and is likely the actor behind the 2015 Operation Armageddon that delivered remote access tools, such as UltraVNC and Remote Manipulator System (RMS). The group previously used commodity tools but began using custom-developed tools in 2016.

Sectors Impacted

Trident Ursa has previously impacted organizations in the following sectors:

• Finance
• Wholesale and Retail

Cybercrime Threat Actor Groups

Unit 42 considers the following groups to have a motivation that is primarily financial rather than political. There can be some political motivation for threat groups in this category, but we consider their main motivation to be perpetrating cybercrime. This category is split into two groups: cybercrime in general, and then ransomware.

Libra – Cybercrime

Cybercrime is represented by the constellation Libra – a fitting choice, using the imagery of scales of justice.

Muddled Libra

Also Known As

G1015, Scattered Spider, Roasted 0ktapus, Scatter Swine, Star Fraud, UNC3944

Summary

Muddled Libra is a cybercrime group first reported in late 2022. They use the 0ktapus phishing kit and are considered a significant threat to global organizations through their targeted phishing and smishing campaigns. This group’s malware rapidly distinguished itself by enabling low-skilled attackers to launch sophisticated credential and MFA code thefts, impacting over a hundred organizations worldwide.

As they evolved, Muddled Libra expanded their capabilities, transitioning from mere phishing operations to complex supply chain attacks aimed at high-value cryptocurrency targets. The group's operational model showcased an innovative blend of traditional cybercrime tactics and modern digital extortion methods, including joining the Ambitious Scorpius RaaS affiliate program in 2023. This move underscored their shift toward a comprehensive cybercriminal operation, leveraging ransomware to enact data theft, encryption and extortion.

They also expanded their efforts to target software-as-a-service (SaaS) applications and cloud service provider (CSP) environments to leverage stored data for attack progression and extortion.

Sectors Impacted

Muddled Libra has previously impacted organizations in the following sectors:

• Financial Services
• High Technology
• Hospitality
• Media and Entertainment
• Mining
• Professional and Legal Services
• Telecommunications

Scorpius – Ransomware

Ransomware groups get their naming convention from the constellation Scorpius, and are a frequent target of our research.

Ambitious Scorpius

Also Known As

ALPHV, BlackCat, blackcat_raas

Summary

Ambitious Scorpius is a RaaS group that uses multi-extortion, distributing BlackCat ransomware. The ransomware family was first observed in November 2021. The group is suspected to be of Russian origin and is a possible successor of DarkSide and BlackMatter. The group solicits for affiliates in known cybercrime forums, offering to allow them to keep 80-90% of the ransom payment.

A significant disruption by joint law enforcement in December 2023 appears to have dealt the group a significant blow. Despite actively listing new victims through February 2024, about 40% of the victims were smaller businesses rather than the high value targets usually seen.

Sectors Impacted

Ambitious Scorpius has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Agriculture
• Construction
• Education
• Federal Government
• Financial Services
• Healthcare
• High Technology
• Hospitality
• Insurance
• Manufacturing
• Media and Entertainment
• Mining
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Telecommunications
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Bashful Scorpius

Also Known As

Nokoyawa

Summary

Bashful Scorpius ransomware group was first observed in February 2022, distributing Nokoyawa ransomware, which is potentially an evolution of Nemty and Karma ransomware. Bashful Scorpius uses a multi-extortion strategy, in which attackers demand payment both for a decryptor to restore access to encrypted files and for not disclosing stolen data.

This group distributes their ransomware payloads through various means, including third-party frameworks such as Cobalt Strike and phishing emails. The creators of Nokoyawa ransomware have repurposed functions from the leaked Babuk ransomware source code.

Ransomware operators using Nokoyawa ransomware wield a command set that allows them to exercise precise control over the execution and ultimate outcome of the infection. This further increases the threat’s effectiveness and potential damage.

Sectors Impacted

Bashful Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Construction
• Education
• Finance
• Healthcare
• High Technology
• Non-profits
• Professional and Legal Services
• State and Local Government
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Bitter Scorpius

Also Known As

BianLian, bianlian_group

Summary

Bitter Scorpius ransomware group is highly adaptable and quickly leverages newly disclosed vulnerabilities. Bitter Scorpius distributes BianLian ransomware. The threat actors targeted the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and SonicWall virtual private network (VPN) devices to gain initial access into victim networks.

Active since July 2022, the threat actors also employ multi-extortion techniques, and Living off the Land methodology to move laterally. They adjust their operations based on defensive controls present on infected networks. In addition, the attackers operate a data leak blog on the Tor and Invisible Internet Project (I2P) networks, posing a potential risk for exposing their stolen information. The group has also been observed using extortion without encryption.

Sectors Impacted

Bitter Scorpius has previously impacted organizations in the following sectors:

• Construction
• Education
• Healthcare
• High Technology
• Hospitality
• Manufacturing
• Media and Entertainment
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• Wholesale and Retail

Blustering Scorpius

Also Known As

Stormous

Summary

Blustering Scorpius is an Arabic-speaking cybercrime group that first appeared in 2021. They gained fame by exploiting tensions in the Russia-Ukraine war and targeting Western entities in 2022. They initially sought to specifically target entities in the U.S. but quickly began targeting entities based on global political tensions. While the group has claimed numerous attacks, they have also been accused of posting fake data or claiming attacks perpetrated by other groups.

Blustering Scorpius gains initial access via phishing, vulnerability exploits, remote data protocol (RDP), credential abuse and malvertising. They use X (Twitter) and Telegram to advertise their exploits and to reach their followers and affiliates. The group also uses social engineering to exploit emotions surrounding geopolitical tensions.

Blustering Scorpius began joint operations with GhostSec on July 13, 2023, which they announced via GhostSec’s Telegram channel. The two groups have gone on to jointly attack multiple entities in various countries and industries.

Sectors Impacted

Blustering Scorpius has previously impacted organizations in the following sectors:

• Education
• Financial Services
• High Technology
• Manufacturing
• Media and Entertainment
• Telecommunications
• Utilities and Energy
• Wholesale and Retail

Chubby Scorpius

Also Known As

Cl0p, CL0P

Summary

Chubby Scorpius is a RaaS group that first emerged in February 2019, and distributes Cl0p ransomware. They use extensive spear phishing campaigns for initial compromise. Chubby Scorpius uses a verified and digitally signed binary, enabling it to bypass system defenses more effectively.

Chubby Scorpius employed a multi-extortion tactic where, in addition to encrypting victim data, they also stole data and threatened to publish it on the CL0P^_-LEAKS website on the Tor network. This tactic increased pressure on victims to pay the ransom, as they faced not only data loss but also potential exposure of sensitive information.

The Chubby Scorpius ransomware group takes advantage of zero-day vulnerabilities, such as CVE-2023-0669, in the GoAnywhere MFT platform. The group claimed to have exfiltrated data from the GoAnywhere MFT platform, impacting approximately 130 victims over 10 days. However, there was no evidence of lateral movement within the victims’ networks, indicating that the breach was limited to the GoAnywhere platform itself. The group likely identified upper-level executives of the victim companies through open-source research and sent ransom notes as they analyzed the exfiltrated data.

Cl0p ransomware was used to compromise thousands of victims by threat actors exploiting the MOVEit transfer vulnerability.

Chubby Scorpius typically gains initial access through high-volume spear phishing emails sent to an organization’s employees or by exploiting vulnerabilities in web-exposed assets. Once they gain access, Chubby Scorpius actors use RDP to interact with compromised systems. They also employ web shells to exfiltrate data.

Sectors Impacted

Chubby Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Construction
• Education
• Finance
• Financial Services
• Healthcare
• High Technology
• Hospitality
• Insurance
• Manufacturing
• Media and Entertainment
• Mining
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Telecommunications
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Dapper Scorpius

Also Known As

BlackSuit

Summary

Dapper Scorpius is a ransomware group that emerged in early May 2023, distributing BlackSuit ransomware, impacting a broad range of organizations globally. This group is suspected to be the Ignoble Scorpius ransomware group (aka Royal Ransomware) rebranded.

Unlike many ransomware operations that use a RaaS model, Dapper Scorpius operates as a private group without affiliates, most likely composed of ex-Conti and ex-Ignoble Scorpius members. Dapper Scorpius employs a multifaceted distribution strategy that includes phishing campaigns, malicious email attachments, SEO poisoning and using loaders like GootLoader for deploying their ransomware payload.

Sectors Impacted

Dapper Scorpius has previously impacted organizations in the following sectors:

• Construction
• Education
• Federal Government
• Financial Services
• Healthcare
• High Technology
• Insurance
• Manufacturing
• Media and Entertainment
• Non-profits
• Real Estate
• State and Local Government
• Transportation and Logistics
• Wholesale and Retail

Dark Scorpius

Also Known As

Black Basta

Summary

Dark Scorpius is a Russian RaaS operation that emerged in April 2022, distributing Black Basta ransomware, originating as spin-offs of the Ryuk and Conti ransomware groups. Dark Scorpius experienced rapid growth in attacks by employing multi-extortion tactics, developing ransomware variants for Windows, Linux and VMware ESXi virtual machines.

The group’s deployment tactics include leveraging Qakbot Trojan infections, exploits and phishing emails to infiltrate networks. Dark Scorpius’ strategy for initial access includes collaboration with initial access brokers (IAB).

These brokers enable Dark Scorpius to effortlessly penetrate target networks, streamlining their ransomware deployment and multi-extortion tactics. For second-stage attack execution, Dark Scorpius employs a multi-faceted approach to credential harvesting and lateral movement within networks.

Sectors Impacted

Dark Scorpius has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Agriculture
• Construction
• Financial Services
• Healthcare
• High Technology
• Insurance
• Manufacturing
• Media and Entertainment
• Mining
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Telecommunications
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Fiddling Scorpius

Also Known As

Play, PlayCrypt

Summary

Fiddling Scorpius is a ransomware group, distributing Play ransomware, first noted in June 2022. They gained attention in August 2022 after targeting Argentina’s Judiciary of Córdoba. They leverage multi-extortion against victims and have previously leaked financial and personal details, intellectual property and other sensitive data. Ransom demands have been as high as 500 bitcoins, with the promise of a decryption tool upon payment.

Sectors Impacted

Fiddling Scorpius has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Agriculture
• Construction
• Federal Government
• Financial Services
• High Technology
• Hospitality
• Manufacturing
• Media and Entertainment
• Mining
• Non-profit
• Professional and Legal Services
• Real Estate
• State and Local Government
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Howling Scorpius

Also Known As

Akira

Summary

Howling Scorpius is a RaaS operation initially observed in March 2023, distributing Akira ransomware. The group’s affiliates typically achieve access through VPN appliances in the victim organization, leveraging brute-force attacks, exploitation of vulnerabilities and the purchase of compromised credentials from IAB. Once inside the network, they will attempt reconnaissance to identify where victims store critical data, enumerate Active Directory structures and identify where domain controllers and VMware ESXi servers are.

The group often achieves lateral movement using RDP with valid local administrator accounts. The threat operators try to disable security protections on compromised devices.

The group often uses C2 infrastructure by way of remote access tools like AnyDesk. They occasionally used extortion-only attacks late in 2023, exfiltrating data for payment but not deploying ransomware to the victim’s systems.

Sectors Impacted

Howling Scorpius has previously impacted organizations in the following sectors:

• Education
• High Technology
• Manufacturing
• Non-profits
• Professional and Legal Services
• Real Estate
• Retail
• Transportation and Logistics
• Utilities and Energy

Ignoble Scorpius

Also Known As

Royal, Zeon, royal_group

Summary

Ignoble Scorpius ransomware group was first observed in September 2022, distributing Royal ransomware and using multi-extortion to pressure victims to pay their fee. It is suspected that this group is composed mainly of former members of the Conti ransomware group, who operate covertly and behind closed doors.

Because some of the people in this threat group were part of the development of Ryuk, the predecessor of Conti, they have many years of experience. They have a solid knowledge base for carrying out attacks and know what works when extorting victims. Due to the experience of this group, they have already impacted many organizations across the globe. We’ve observed them making demands of up to $25 million in bitcoin.

This group has leveraged their leak site to publicly extort victims into paying the ransom. Ignoble Scorpius will harass victims until they secure a payment, using techniques such as emailing victims and mass-printing ransom notes.

Sectors Impacted

Ignoble Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Construction
• Education
• Federal Government
• Finance
• Financial Services
• Healthcare
• High Technology
• Hospitality
• Insurance
• Manufacturing
• Media and Entertainment
• Mining
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Telecommunications
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Invisible Scorpius

Also Known As

Cloak

Summary

Invisible Scorpius is a ransomware group targeting small to medium-sized businesses and using initial access brokers (IABs) for initial access. First seen at the end of 2022, the group is believed to be connected to the Stale Scorpius ransomware group after threat actors posted victim information from Stale Scorpius to Invisible Scorpius' leak site.

Sectors Impacted

Invisible Scorpius has previously impacted organizations in the following sectors:

• Federal Government
• Hospitality
• Professional and Legal Services
• State and Local Government
• Transportation and Logistics

Mushy Scorpius

Also Known As

Karakurt, Karakurt Lair, Karakurt Team

Summary

Mushy Scorpius is the group behind Karakurt ransomware, known for focusing on extortion. It has links to the Conti RaaS group. First emerging in 2021, Mushy Scorpius steals intellectual property and demands ransom from victims without encrypting their data, leveraging threats to auction off the sensitive data or release it to the public.

As part of their extortion efforts, they provide victims with screenshots or copies of stolen file directories as evidence of the data theft. They aggressively contact victims' employees, business partners and clients with harassing emails and phone calls. They also leverage stolen data like social security numbers, payment accounts, private emails and other sensitive business information to exert pressure.

Upon receiving ransom payments, Mushy Scorpius has occasionally provided victims with proof that they deleted the stolen files, along with a brief explanation of how they initially breached the victim's defenses. This underlines the group’s focus on financial gain but also that they seek a level of engagement from their victims toward meeting their demands.

Sectors Impacted

Mushy Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Construction
• Education
• Financial Services
• Healthcare
• High Technology
• Hospitality
• Insurance
• Manufacturing
• Media and Entertainment
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Telecommunications
• Utilities and Energy
• Wholesale and Retail

Pilfering Scorpius

Also Known As

Robinhood

Summary

Pilfering Scorpius ransomware group gained attention by attacking a number of local and state government entities starting in April 2019. This threat group often gains initial access by phishing, malicious websites and malicious file sharing or downloads.

Once their ransomware has gained access, it obtains persistence by using RDP to spread throughout the victim network. Initial reporting revealed that humans were largely responsible for operating these attacks, as opposed to them being run by automated processes.

Sectors Impacted

Pilfering Scorpius has previously impacted organizations in the following sectors:

• Pharma and Life Sciences
• Utilities and Energy
• Transportation and Logistics
• Education
• Non-profits
• Insurance
• Healthcare
• Manufacturing
• Federal Government
• State and Local Government
• Real Estate
• Construction
• Financial Services
• Agriculture
• Wholesale and Retail

Powerful Scorpius

Also Known As

BlackByte

Summary

Powerful Scorpius is a RaaS group operating since July 2021, distributing BlackByte ransomware. This group’s operational tactics includes exploiting vulnerabilities such as the ProxyShell vulnerability in Microsoft Exchange Servers, using tools like Cobalt Strike, and avoiding detection through obfuscation and anti-debugging techniques.

Their malware checks system languages and exits if it finds Russian or certain Eastern European languages, presumably to avoid impacting systems in those regions. The group uses multi-extortion techniques in their campaigns.

Sectors Impacted

Powerful Scorpius has previously impacted organizations in the following sectors:

• Financial Services
• Food and Agriculture
• Government
• Manufacturing
• Wholesale and Retail

Procedural Scorpius

Also Known As

ThreeAM, 3AM

Summary

Procedural Scorpius is a ransomware group discovered in September 2023, when researchers noticed Procedural Scorpius’ malware being deployed in a failed LockBit attack. This group distributes 3 am ransomware, and is thought to be linked to two other notorious ransomware groups, Conti and Ignoble Scorpius (distributor of Royal ransomware).

Procedural Scorpius escalates their extortion tactics by contacting their victim's social media followers, informing them of the data leak. They also use bots that post on highly visible X accounts to advertise the leaks. Procedural Scorpius targets medium to large companies in countries not within the Commonwealth of Independent States (CIS).

Sectors Impacted

Procedural Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Financial Services
• Manufacturing
• Professional and Legal Services
• Wholesale and Retail

Protesting Scorpius

Also Known As

Cactus

Summary

Protesting Scorpius is a ransomware group that has been active since at least March 2023, primarily targeting large commercial entities. The group secures initial access to target networks by exploiting vulnerabilities in VPN appliances.

Upon gaining entry, Protesting Scorpius enumerates local and network user accounts as well as endpoints. They then create new user accounts and deploy ransomware encryptors across the network via custom scripts and scheduled tasks. Protesting Scorpius participates in extortion and data exfiltration.

Sectors Impacted

Protesting Scorpius has previously impacted organizations in the following sectors:

• Hospitality
• Wholesale and Retail

Salty Scorpius

Also Known As

Trigona

Summary

Salty Scorpius claims to be a highly profitable operation, launching global attacks deploying Trigona ransomware with promises of 20%-50% returns from each successful endeavor. First identified in October 2022, their operations partnered with network access brokers, who provided them with compromised credentials via the Russian Anonymous Marketplace (RAMP) forum. This collaboration was crucial for gaining the initial access needed to infiltrate their targets.

Salty Scorpius has ties to the CryLock group, evidenced by their shared methodologies, strategies and the identical ransom note filenames and email addresses they employ. By April 2023, Salty Scorpius shifted their focus toward exploiting compromised Microsoft SQL (MSSQL) servers, leveraging brute-force attacks to penetrate these systems.

This group also performs detailed reconnaissance within the target’s network, malware distribution via remote monitoring and management (RMM) software, creation of new user accounts and then finally deployment of ransomware.

They were disrupted by hacktivists in 2023, but posts have appeared on their leak site in 2024.

Sectors Impacted

Salty Scorpius has previously impacted organizations in the following sectors:

• Hospitality
• Wholesale and Retail

Shifty Scorpius

Also Known As

Hunters International

Summary

Security researchers widely believe the Shifty Scorpius RaaS group is a rebrand of Itchy Scorpius (aka HIVE) due to significant code overlap between the two groups’ ransomware samples. However, Shifty Scorpius claims to be an independent group that acquired the source code and infrastructure directly from Itchy Scorpius.

Unlike other ransomware groups, Shifty Scorpius primarily focuses on data exfiltration, not encryption. Initially discovered in October of 2023, attacks by Shifty Scorpius are largely opportunistic. Their victims are in a variety of industries and regions, however this group appears to regularly impact healthcare entities.

Sectors Impacted

Shifty Scorpius has previously impacted organizations in the following sectors:

• Education
• Financial Services
• Healthcare
• Hospitality
• Manufacturing
• Transportation and Logistics

Spicy Scorpius

Also Known As

Avos, AvosLocker

Summary

Spicy Scorpius is a RaaS group that first emerged as a significant threat in 2021. This group uses multi-extortion tactics and remote administration tool AnyDesk for manual operation on victim machines. They can operate in safe mode to evade security measures. They also auction stolen data on their site in addition to their ransom demand.

The group’s deployment strategies include leveraging vulnerabilities like Log4Shell for initial access. This group has a level of organization resembling that of legitimate tech businesses rather than traditional cybercrime operations.

The threat they use has evolved to specifically target Linux systems and VMware ESXi servers since its debut, where many similar operations primarily focus on Windows systems.

Sectors Impacted

Spicy Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Construction
• Education
• Finance
• Financial Services
• Healthcare
• High Technology
• Hospitality
• Insurance
• Manufacturing
• Mining
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Telecommunications
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Spikey Scorpius

Also Known As

Agenda, Qilin, Qilin Team

Summary

Spikey Scorpius operates as an affiliate program for RaaS that codes their payloads in Rust and Go, often tailoring them to each victim for maximum impact. To achieve this, threat actors employ strategies like altering file extensions of encrypted files and terminating specific processes and services. Spikey Scorpius leverages multi-extortion with a proprietary data leak site containing unique company IDs and leaked account information.

Sectors Impacted

Spikey Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Construction
• Education
• Federal Government
• Financial Services
• Healthcare
• High Technology
• Hospitality
• Insurance
• Manufacturing
• Media and Entertainment
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• Telecommunications
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Spoiled Scorpius

Also Known As

RansomHub

Summary

Spoiled Scorpius is a RaaS operation that was first observed in February 2024, managed by an actor known as “koley” or “BackHub.” The threat actor started operations on forums like XSS and RAMP. As a newcomer to the ransomware landscape the actor's reliability is still unknown.

This group uses complex tactics to coerce victim compliance, including cold calling extortion and DDoS attacks. Their RansomHub management panel offers features like ransom campaign customization, victim communication and data negotiation tools. The group’s model provides 90% profit share with affiliates and 10% for the core group.

The Spoiled Scorpius owner has established rules against attacks in specific regions such as China, Cuba, North Korea and Commonwealth of Independent States (CIS) countries. Although this is a common restriction, it could indicate the actor is operating from one of those countries.

The group also sets boundaries against attacks on non-profit organizations, and there are rules preventing additional attacks against victims that have already paid their ransom.

Sectors Impacted

Spoiled Scorpius has previously impacted organizations in the following sectors:

• Agriculture
• Construction
• Education
• Financial Services
• Healthcare
• High Technology
• Manufacturing
• Pharma and Life Sciences
• Professional and Legal Services
• Transportation and Logistics
• Utilities and Energy
• Wholesale and Retail

Squalid Scorpius

Also Known As

8Base

Summary

Squalid Scorpius ransomware group first emerged in March 2022, using a multi-extortion tactic. The group initially remained under the radar with relatively few attacks, but in June 2023, their activity spiked dramatically, showcasing a more aggressive approach.

They leverage encryption techniques alongside name-and-shame strategies to pressure victims into paying ransoms. Squalid Scorpius has used a number of ransomware variants, including a customized version of the Phobos ransomware. This indicates their technical adaptability, as well as their focus on evading detection and maximizing impact. This adaptability is evident in their use of advanced encryption techniques and strategies to bypass User Account Control (UAC) mechanisms on Windows systems, enabling them to execute their malicious payloads without immediate detection.

Sectors Impacted

Squalid Scorpius has previously impacted organizations in the following sectors:

• Utilities and Energy
• Wholesale and Retail

Squeaking Scorpius

Also Known As

Rhysida

Summary

Squeaking Scorpius is a RaaS group first observed in May 2023, which uses multi-extortion and discloses victim data. Their primary means of initial access is through phishing emails or using stolen credentials to authenticate to remote services, such as through VPNs, especially in organizations not using multi-factor authentication.

Once in a victim’s environment, they use Living off the Land (LotL) techniques including PowerShell for enumerating the environments and RDP connections for lateral movement. They have also used Cobalt Strike in victim environments as well as a script that terminates anti-malware programs. The group distributes Rhysida ransomware, which encrypts data using a 4096-bit RSA encryption key.

Some researchers have suggested links between this group and the actors behind Vice Society ransomware, suggesting a rebrand.

Sectors Impacted

Squeaking Scorpius has previously impacted organizations in the following sectors:

• Education
• State and Local Government

Stale Scorpius

Also Known As

Good Day

Summary

Stale Scorpius is a ransomware group initially observed in May of 2023. Their infrastructure as well as purported victims are closely linked with Invisible Scorpius, leading researchers to believe the groups are connected. Contact information such as threat actor channels and email addresses that were observed in Invisible Scorpius attacks have also been seen in Stale Scorpius attacks.

Sectors Impacted

Stale Scorpius has previously impacted organizations in the following sectors:

• Construction
• Education
• Federal Government
• Healthcare
• High Technology
• Insurance
• Manufacturing
• Media and Entertainment
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Wholesale and Retail

Stumped Scorpius

Also Known As

NoEscape, No Escape

Summary

Stumped Scorpius is a RaaS group that first emerged in May 2023 and quickly established themselves as a successor to the Avaddon ransomware group, which ceased operations in 2021. Stumped Scorpius uses aggressive multi-extortion tactics, targeting a broad range of industries including healthcare.

They encrypt files on Windows, Linux and VMware ESXi servers, demanding ransoms ranging from hundreds of thousands of dollars to over $10 million. Their developers claim to have built the malware and infrastructure from scratch, differentiating the threat from other ransomware families that often repurpose existing code.

Stumped Scorpius employs techniques like reflective DLL injection to target VMware ESXi servers. They have a robust RaaS platform that allows affiliates to customize attacks, including encryption strategies and ransom demands.

Their ransomware can bypass UAC on Windows, executing commands to delete shadow copies and system backups to prevent file recovery. It also uses the Microsoft Enhanced RSA and AES Cryptographic Provider for file encryption.

Sectors Impacted

Stumped Scorpius has previously impacted organizations in the following sectors:

• Education
• Federal Government
• Media and Entertainment

Transforming Scorpius

Also Known As

Medusa (Note: Medusa should not be confused with a similarly named RaaS, MedusaLocker, which has been available since 2019)

Summary

Transforming Scorpius is a RaaS group first observed in June 2021, which typically uses AES2-256 encryption and encrypted C2 channels in multi-extortion operations. Transforming Scorpius targets various file types while avoiding certain extensions like DLL, EXE and LNK, and excludes specific folders from encryption to ensure the system’s operability remains intact.

Sectors Impacted

Transforming Scorpius has previously impacted organizations in the following sectors:

• Construction
• Education
• Federal Government
• Healthcare
• High Technology
• Insurance
• Manufacturing
• Media and Entertainment
• Non-profits
• Pharma and Life Sciences
• Professional and Legal Services
• Real Estate
• State and Local Government
• Wholesale and Retail

Twinkling Scorpius

Also Known As

HelloKitty, Gookie, HelloGookie

Summary

Twinkling Scorpius is a ransomware group distributing HelloKitty ransomware that was identified in November 2020, targeting Windows systems and using unpatched vulnerabilities like those in SonicWall devices to gain initial access to victim networks. In July 2021, Unit 42 observed the group using a Linux variant of HelloKitty targeting VMware’s ESXi hypervisor.

The group uses both email and Tor chats for communications. In late 2023, the ransomware developer and operator, also known as Gookee/kapuchin0 and Guki, leaked the source code and shut the operation down.

In March 2024, the group rebranded, and now calls themselves Gookie or HelloGookie. To mark the occasion of the rebrand, the malware author released the data stolen in the CD Projekt Red breach and 2022 Cisco attack.

Sectors Impacted

Twinkling Scorpius has previously impacted organizations in the following sectors:

• Aerospace and Defense
• Information Technology Services

Weary Scorpius

Also Known As

Phobos

Summary

Weary Scorpius is a RaaS group that first appeared in 2018, distributing Phobos ransomware. Their creations are closely related to the Dharma ransomware family, sharing similar tactics and techniques.

Despite its simplistic design, the Phobos ransomware has gained popularity among cybercriminals due to its effectiveness in compromising systems through well-established vectors like insecure RDP connections and phishing emails. The threat primarily targets servers, capitalizing on their value to organizations to demand higher ransoms​​​​​​. It employs a partial encryption strategy for large files, reducing the time required to complete its encryption routine​​​​.

Over time, the ransomware evolved to incorporate techniques aimed at reducing the efficacy of recovery efforts. This included activities such as disabling system recovery options and deleting shadow copies and backup catalogs.

Phobos ransomware has been reported in various countries, including the U.S., Portugal, Brazil and Japan. This wide targeting spectrum underscores Weary Scorpius' adaptability and the threat they pose to a diverse range of organizations.

Sectors Impacted

Weary Scorpius has previously impacted organizations in the following sectors:

• Education
• Finance
• Healthcare
• High Technology
• Hospitality
• Professional and Legal Services
• Wholesale and Retail

Updated Aug. 7, 2024, at 12:05 p.m. PT to clarify headings. 

Updated Sept. 3, 2024, at 9:56 a.m. PT to remove StellarParticle from Cloaked Ursa akas.