Insights from the front line of cyber defence

Research, detection engineering notes, and incident response lessons learned.

Gallium

Gallium is a cyber espionage group attributed to China, active since at least 2012. The group has been observed conducting highly targeted operations against telecommunications providers, government entities, and critical infrastructure, primarily in Asia and the Middle East, though European organisations—including those in the UK—have also been affected.

Ghostwriter / UNC1151

Ghostwriter, also tracked as UNC1151, is a cyber influence and espionage operation attributed to actors aligned with Belarus, with potential support or collaboration from Russian military intelligence. First publicly identified in 2017, Ghostwriter has conducted coordinated disinformation campaigns and cyber intrusions targeting political, military, and civil institutions across NATO member states, with particular focus on Poland, Lithuania, Latvia, and Ukraine.

Hellcat Ransomware Group

Hellcat is a newly emerged ransomware group active since early 2024, known for its use of double extortion tactics and aggressive targeting of vulnerable infrastructure. Despite its relative youth in the cyber threat landscape, Hellcat has already demonstrated notable sophistication, including support for cross-platform environments and tailored encryption payloads for specific enterprise systems.

Hunters Ransomware Group

Hunters International, often referred to simply as Hunters, is a financially motivated ransomware group that emerged in late 2023. Operating a structured Ransomware-as-a-Service (RaaS) model, Hunters offers its platform to affiliates while managing infrastructure, data leak portals, and ransom negotiations.

Incransom Ransomware Group

Incransom is a newly identified ransomware group, first observed in early 2024, that has rapidly gained attention for its aggressive, fast-impact attacks on small and mid-sized organisations. The group employs a double extortion strategy, combining rapid encryption of critical systems with the theft of sensitive data to increase leverage during ransom negotiations.

KelvinSec

KelvinSec is an opportunistic cybercrime collective active since at least 2022. The group is known for targeting vulnerable systems, stealing data, and leaking or selling that information via dark web forums and Telegram channels. Although it presents itself with ideological overtones, KelvinSec’s primary motivation appears to be financial, often demanding payment in exchange for withholding or deleting stolen data.

KillSec

KillSec (short for “Kill Security”) is a self-proclaimed hacktivist collective that emerged in early 2022, and has since been linked to a series of politically motivated distributed denial-of-service (DDoS) attacks, data leaks, and website defacements. Unlike financially driven ransomware groups, KillSec claims to act in response to geopolitical events, aligning itself with anti-Western, anti-NATO, and pro-Russian narratives.

LockBit 3.0

LockBit 3.0, also known as LockBit Black, is one of the most dominant ransomware variants in operation today. Active since mid-2022, it represents the third major iteration of the LockBit malware family. The group operates a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy LockBit while the core developers manage infrastructure and ransom negotiations.

MalasLocker

MalasLocker is a relatively new ransomware and data extortion group first observed in 2023. Unlike traditional financially motivated threat actors, MalasLocker operates with an unusual extortion model: instead of demanding ransom payments in cryptocurrency, victims are instructed to donate to a selected charity and provide proof of their donation to recover their data.

Medusa Ransomware Group

Medusa is a highly active ransomware group first observed in late 2022, operating under a double extortion model with increasing aggression. The group quickly rose to prominence in 2023 for its high-impact intrusions, its distinctive leak site branded as the “Medusa Blog,” and its use of public-facing shaming tactics to pressure victims into payment.

MetaEncryptor Ransomware Group

MetaEncryptor is a relatively new but technically adept ransomware group first observed in mid-2023. Despite its youth, the group has already demonstrated strong capabilities in evasion, persistence, and targeted extortion, positioning itself as a growing threat within the cybercriminal landscape. MetaEncryptor operates under a double extortion model, combining the encryption of internal systems with the exfiltration and threatened publication of sensitive data.

Mustang Panda – Threat Actor Profile

Mustang Panda is a well-established Chinese cyber espionage group that has been active since at least 2012. Also tracked under aliases such as RedDelta, TA416, HoneyMyte, and Bronze President, the group primarily targets government agencies, non-governmental organisations, policy research institutes, and religious groups. It is known for using sophisticated phishing campaigns, often leveraging current geopolitical events to deliver malware payloads.
