This page aims to list active groups in cyberspace that are recent and possibly still active. The motivations and target countries are present, the methodology as well as the links to Telegram channels or sites found on the internet. The goal is to provide an easily searchable list for your digital monitoring and asset protection.
Please note however, this list does not contain the IOCs, below the table you will find links allowing you to analyze the data you have found and compare it with the known bases.
- HIBP (check if email is compromised)
- IntelX (check if your data is present)
- DeHashed (check if your data is present)
- AbuseIP
- CriminalIP
- Joesandbox
- Virustotal
- URLscan
- MITRE-GROUPS
- MITREATTACK
- Crowdstrike
- Anomali
- Abuse.sh
- SANS
- CVE
- Talos
- ExploitAlert
- Malpedia
- OpenFishFeeds
- Ransomwatch
- Checkpoint
You can also use OSINT tools, from my repository or from the Awesome-osint
More information about CTI : awesome-threat-intelligence
Here is the list of active cybercriminal groups, this table is updated manually after research and cross-referencing of sources, the aim being to get as close as possible to the truth. The information may turn out to be inaccurate despite the profiling work carried out. The groups listed have been active since 2020 maximum in order to keep a useful list.
I advise you to particularly monitor the groups listed in order to obtain any vital information, some operate in a grouped manner, you may be able to plan and prepare your defense in the event of an attack targeting your perimeter.
| Group | Country | Know impacted Target | Motivation | Method - signature | Channels | More infos |
|---|---|---|---|---|---|---|
| CONTI | russia | multiple | cyber-terrorism, financial motivation | ransomware (Ryuk usage), dataleaks, phishing, RDP hacking | Rocket.Chat usage | |
| THE GLORIAMIST | possible french hacking | https://t.me/s/GLORIAMISTS | ||||
| LAPSUS$ | Government, tech compagny | financial motivation | social engineering, MFA fatigue, ransomware, exploits | https://t.me/minsaudebr https://t.me/s/GroupLapsus | ||
| ARES | Ares Rootkit, Trojan | |||||
| TheLulzsec | not defined, new group | https://t.me/s/thelulzsec https://t.me/s/LulzSec_Off | ||||
| 8BASE | Finland ? | “honest and simple pentesters” | ransomware, dataleaks | gitlab[.]com/jcube-group/clients/apex/8base-v2 - 95.216.51[.]74 - https://t.me/eightbase | ||
| TCG | ||||||
| Killnet | russia | Ukrainian | Russian patriots, pro-Kremlin | ddos, defacement | https://t.me/s/killnet_reservs | know username : Raty’s - real name : Arseni Yeliseyeu |
| DarkSide | Russia | mutiple occidental countries | Financial ? Russian intelligence with peuso-code of ethics | REvil ransomware, dataleaks | ||
| BlackDragonSec | India | Indonesia | offensive security operations all across the globe | ddos | https://blackdragonsec.org/ | |
| Kingsman | ||||||
| Volt Typhoon | China | US | Chinese cyber operation team, spying | exploit on unpatched network devices | ||
| Medusa | ransomware, MedusaLocker, phishing, privilege escalation, evasion, exfiltration | http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion/ | ||||
| Cyber.Anarchy.Squad | Ukrainian group ? | Russian, Belarusian | political motivation, anarchist group ? | dataleak | https://t.me/s/cyber_anarchy_squad | |
| Anonymous Sudan | sudan, russia | Sweden, Denmark, America, Australia, Israel | "anti-Muslim activity", religious or political motication, extremist ? | ddos, HTTP attacks | https://t.me/s/xAnonymousSudan | |
| Arvin Club | Iran | India, Iran, Russia | ransomware, data exfiltration | https://t.me/s/arvinclub1 | ||
| AgainstTheWest | China | Political motivation, targets communist systems, Provided information to NATO and US | dataleaks on RaidForums | https://github.com/AgainstTheWest/ | ||
| Bl00dy ransomware gang | US | Financial motivation | LockBit ransomware | https://t.me/bl00dy_Ransomware_Gang | ||
| Blackshadow Hackers | Iran | Israel | Political motivation | Pay2Key ransomware , dataleaks | ||
| ThreatSec | Not in US | india | hacktivist group, pseudo-ethical motives | ddos attacks, system intrusion, webpage defacement, dataleaks, XSS, XML, XXE et SQL | https://t.me/s/threatsec?before=155 | know username : Wiz |
| GhostSec | irak, syria, russia | The group wants to disrupt Islamist extremist movements, also financial motives | ransomware GhostLocker, payloads distribution | https://t.me/s/ghostsecc/168 | ||
| Stormous | russia | India, Ukraine | Pro-russian, political motivation | coordinated ddos attacks, ransomware | https://t.me/s/STORMOUS_HACKER?before=2671 | |
| Blackforums | old darkweb forum, now with five F group, financial motivation | Illegal hacking services | https://t.me/blackforumsarchive | |||
| SiegedSec | India, Pakistan, Indonesia, South Africa, USA, Philippines, Costa Rica, Mexico | Anarchist group ? Apolitical ? | dataleak, defacement, SQL injection, XSS | https://t.me/s/SiegedSecurity | know username : cialulz | |
| R00tk1t Cyber Team | Israel | South Africa, Malaysia | pro-Israelian group | dataleak, defacement, exploits | https://t.me/s/R00TK1TOFF | |
| Anonymous Russia | Ukrainian group ? | Russia | Political motivation, related to Ukrainian Conflict | MeowBot attack, malicious scripts | https://t.me/anon_by1 | |
| DeltaBoys | Multiple location | exposing corrupt governments, hacker alliance | zero-day vulnerabilities and human error attacks. | |||
| Shad0de | France | data leaks, ransomware, exfiltration | https://t.me/s/xxShad0dexx?before=307 | |||
| The Shadow Brokers | Russia | zero-day exploits, hacking tools delivery | https://t.me/s/xtheshadowbrokers | |||
| Quartz Wolf | Russia | Phishing, malware delivery | https://t.me/quartzbotnet | |||
| Lone Wolf | Lahore-based | Afghanistan, India | Trojan, remote access hack, fake company, credential stealer | |||
| CyberToufan | Iran | data exfiltration, leaks, phishing | https://t.me/s/CyberToufanBackup | |||
| MalekTeam | Iran | Israel | Religious and political motives | dataleaks | https://malekteam.ac/ | |
| Cyber Aveng3rs | Israel | Political and financial motivation | ransomware | https://t.me/cyberaveng3rs | ||
| Five Families | Brazil, cuba, taiwan, south africa | Hacker alliance, hacktivists | website hacking, dataleaks, XSS, XXE, SQL injection, ransomware | know username : Wiz | ||
| ZulikGroup | Russia | Lithuanian, Estonian, Ukrainian,Polish | Political motivation | phishing, malware, network attacks, and social engineering | https://t.me/ZulikGroupTG | |
| APT 34 | Iran | malware distributor, Excel macros and PowerShell-based exploits | ||||
| KittenSec | Greece, France, Chile, Panama, Italy, US, romania | hacktivist and anarchist group, motivated by a desire to expose corruption | dataleaks | https://t.me/kittensec | ||
| Lazarus Group / APT38 | North Korean | occidental countries | spying, financial, political motives | ransomware, Log4j, NineRAT malware | ||
| DragonForce Malaysia | Malaysia | Israel | pro-Palestinian group | ddos, defacement attacks | https://t.me/dragonforceio | |
| Cyb3r_Drag0nz_Team | Malaysia | Israel | pro-Palestinian group | defacement attacks | https://t.me/Cyb3r_Drag0nz | |
| X7root | Israel | anti-Israel group | defacement attacks, dataleaks | https://t.me/s/x7seller | ||
| Snatch Team | Financial motivation | Snatch Ransomware, brute-force attacks | https://t.me/s/snatch_news?before=115 | know username : Truniger | ||
| DeaDXInject | Russia | Pro-russia hacktivist | AiDLocker Ransomware | |||
| ShadowHacker | India | web application exploits, se, phishing | https://t.me/s/shadowleakss?before=135 | |||
| Breachforums | Financial motivation | dataleaks sales and hacker exchange | https://breachforums.is/ | know uername : Baphomet | ||
| nohidespace | Russia | Financial motivation | Combolist Sales | https://nohide.space | ||
| MTB | Bangladesh | India, Israel | Religious and political motives | ddos | https://t.me/s/mysteriousteambangladesh | |
| Haghjhoyan / Peace Seekers | Iran | Israel | Pro-Iran hacktivist group | se, vnc hack, trojan infection | ||
| YareGomnam | Iran | US | pro-Iranian group | https://t.me/YareGomnam_IRGC | ||
| NoName057(16) | russia | Ukrainian and occidental countries | pro-russian group, political motivation | ddos attacks, DDoSia tool dev | https://t.me/s/noname05716 | |
| IT Army of Ukraine | Ukrainian, international actors | Russia | cyberwarfare organisation | ddos, defacements,leaks, hacking | https://telegram.me/s/itarmyofukraine2022 | |
| admin@338 | China | Government | spying | Dropbox payload delivery, LOWBALL malware | --- | --- |
| Wizard Spider | russia | Government | not defined, financial motivation ? | ransomware (ryuk, conti Trickbot...) | --- | --- |
| ZIRCONIUM | China | china | political motivation | phishing, dropbox C2, exploits, malwares | --- | --- |
| Tonto Team | China | South Korea, Japan, Taiwan | political motivation | EternalBlue exploits, malicious dll | --- | --- |
| APT29 / IRON RITUAL | Russia | Government, NATO | political motivation, spying | multiple | --- | --- |
| 0ktapus | social engineering, phishing | --- | --- | |||
| Sandworm Team | Russia | Probably related to Russia's GRU | brutte force, malware dev, ddos, phishing, exploits | --- | --- | |
| POLONIUM | Lebanon-based | Israel | Probably related to Iran MOIS | Onedrive and Dropbox C2, fake websites, phishing | --- | --- |
| Moses Staff | Israel | spying | PyDCrypt malware, bootkit, StrifeWater trojan | https://t.me/s/moses_staff_se2 | --- | |
| Metador | probably Spanish | Middle East, Africa | spying | C2, wmi, PS scripts, metaMain Mafalda malwares | --- | |
| LuminousMoth | China | Philippines, Thailand, Asia | spying | C2, malicious dll, data exfiltration, malwares | --- | |
| Pinchy Spider | Financial motivation | phishing, ransomware GandCrab, REvil | --- | |||
| Ember Bear | Russian | Ukrainian | defacement attacks | --- | ||
| AQUATIC PANDA | China | Industrial espionage | Log4Shell attacks, njRAT payloads | --- |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent