Threat Landscape

Mar 23 — Jun 08 (weekly, 26-week baseline) · Last updated: 2026-06-15 16:00 UTC
Detailed Analysis Mar 23 — Jun 08
Prepositioning
⇋ SHIFTING
0 this week
▼ Falling (-20.4%/w) Shift: -86.8%
Details
Mean: 8.4/w Z-score: -0.73 Recent 3w avg: 3.3/w Prior 3w avg: 25.3/w Total: 218
Initial access brokering
⇋ SHIFTING
0 this week
▼ Falling (-14.1%/w) Shift: -89.7%
Details
Mean: 10.3/w Z-score: -1.06 Recent 3w avg: 2.7/w Prior 3w avg: 26.0/w Total: 210
Espionage
⇋ SHIFTING
0 this week
▼ Falling (-19.1%/w) Shift: -89.5%
Details
Mean: 5.6/w Z-score: -0.68 Recent 3w avg: 2.0/w Prior 3w avg: 19.0/w Total: 145
Ransomware
⇋ SHIFTING
0 this week
▶ Stable (-7.5%/w) Shift: -88.0%
Details
Mean: 4.5/w Z-score: -1.45 Recent 3w avg: 1.0/w Prior 3w avg: 8.3/w Total: 63
Crypto theft
⇋ SHIFTING
0 this week
▼ Falling (-21.7%/w) Shift: -70.0%
Details
Mean: 1.5/w Z-score: -0.65 Recent 3w avg: 1.0/w Prior 3w avg: 3.3/w Total: 39
Account takeover (ATO)
⇋ SHIFTING
0 this week
▶ Stable (-8.6%/w) Shift: -75.0%
Details
Mean: 1.3/w Z-score: -0.67 Recent 3w avg: 1.0/w Prior 3w avg: 4.0/w Total: 35
BEC / Wire fraud
⇋ SHIFTING
0 this week
▼ Falling (-11.2%/w) Shift: -80.0%
Details
Mean: 2.0/w Z-score: -1.15 Recent 3w avg: 0.7/w Prior 3w avg: 3.3/w Total: 32
Data exposure
⇋ SHIFTING
0 this week
▶ Stable (1.8%/w) Shift: -66.7%
Details
Mean: 1.0/w Z-score: -0.64 Recent 3w avg: 1.3/w Prior 3w avg: 4.0/w Total: 25
Wiper / Sabotage
⇋ SHIFTING
0 this week
▶ Stable (-9.6%/w) Shift: -100.0%
Details
Mean: 2.0/w Z-score: -0.88 Recent 3w avg: 0.0/w Prior 3w avg: 2.0/w Total: 19
Influence operations
⇋ SHIFTING
0 this week
▼ Falling (-15.9%/w) Shift: -80.0%
Details
Mean: 0.6/w Z-score: -0.61 Recent 3w avg: 0.3/w Prior 3w avg: 1.7/w Total: 16
Payment card theft
⇋ SHIFTING
0 this week
▼ Falling (-18.2%/w) Shift: -80.0%
Details
Mean: 0.5/w Z-score: -0.55 Recent 3w avg: 0.3/w Prior 3w avg: 1.7/w Total: 12
Ad fraud
⇋ SHIFTING
0 this week
▶ Stable (-1.5%/w) Shift: -100.0%
Details
Mean: 1.2/w Z-score: -0.87 Recent 3w avg: 0.0/w Prior 3w avg: 2.0/w Total: 11
Credential theft
▼ LOW
0 this week
▶ Stable (-6.3%/w) Shift: -89.2%
Details
Mean: 15.6/w Z-score: -1.64 Recent 3w avg: 2.7/w Prior 3w avg: 24.7/w Total: 181

Low Volume

< 10 articles — limited statistical significance
Cryptojacking
⇋ SHIFTING
8 total (12w)
DDoS
⇋ SHIFTING
8 total (12w)
Sextortion
⇋ SHIFTING
4 total (12w)
Archetype Status This Week Mean Z-Score Total (12w) Trend Shift
Prepositioning shifting 0 8.4 -0.73 218 -20.4%/w -86.8%
Initial access brokering shifting 0 10.3 -1.06 210 -14.1%/w -89.7%
Espionage shifting 0 5.6 -0.68 145 -19.1%/w -89.5%
Ransomware shifting 0 4.5 -1.45 63 -7.5%/w -88.0%
Crypto theft shifting 0 1.5 -0.65 39 -21.7%/w -70.0%
Account takeover (ATO) shifting 0 1.3 -0.67 35 -8.6%/w -75.0%
BEC / Wire fraud shifting 0 2.0 -1.15 32 -11.2%/w -80.0%
Data exposure shifting 0 1.0 -0.64 25 +1.8%/w -66.7%
Wiper / Sabotage shifting 0 2.0 -0.88 19 -9.6%/w -100.0%
Influence operations shifting 0 0.6 -0.61 16 -15.9%/w -80.0%
Payment card theft shifting 0 0.5 -0.55 12 -18.2%/w -80.0%
Ad fraud shifting 0 1.2 -0.87 11 -1.5%/w -100.0%
Cryptojacking shifting 0 1.0 -0.83 8 -8.0%/w -50.0%
DDoS shifting 0 1.0 -0.98 8 -9.5%/w -100.0%
Sextortion shifting 0 0.2 -0.46 4 +18.2%/w -100.0%
Credential theft declining 0 15.6 -1.64 181 -6.3%/w -89.2%
Actor Articles Associated Archetypes
TeamPCP
crime-syndicate
aka Mini Shai-Hulud, Team PCP, Mini Shai-Hulud campaign, Mini Shai-Hulud threat actor, TGR-CRI-1135, TeamPCP (behind the Trivy breach and subsequent operations), TeamPCP (cyber criminal operation), TeamPCP (ex-HellCat affiliate)
Engages in software supply chain compromise attacks, injecting malicious code into software to exfiltrate sensitive secrets (e.g., cloud access tokens, SSH keys). Partners with RaaS and EaaS operators (e.g., LAPSUS$ Group, Vect ransomware) to monetize intrusions.
 78 Credential theft (30) Initial access brokering (25) Prepositioning (7)
Lazarus Group
nation-state
aka UNC1069, Kimsuky, Lazarus, Contagious Interview, Sapphire Sleet, BlueNoroff, Famous Chollima, PolinRider
Targeted developers and the cryptocurrency ecosystem with social engineering schemes, including Operation DreamJob against European drone manufacturers and Operation DangerousPassword compromising the JavaScript library axios.
 44 Espionage (17) Crypto theft (12) Prepositioning (8)
Qilin
crime-syndicate
aka Qilin ransomware operators, Qilin ransomware
Infrastructure (workstation WIN-8OA3CCQAE4D) identified as being associated with Qilin ransomware operations, indicating potential collaboration or shared resources with other ransomware groups.
 18 Ransomware (14) Credential theft (1) DDoS (1)
ShinyHunters
crime-syndicate
aka Bling Libra
Steals data and demands ransom; if the victim does not comply, the data is published or sold to the highest bidder. Known for targeting organizations to exfiltrate personal and sensitive information for extortion purposes.
 16 Ransomware (7) Data exposure (5) Espionage (1)
LockBit
crime-syndicate
aka LockBit affiliates, Artur Sungatov and Ivan Kondratyev, Dmitry Yuryevich Khoroshev, LockBit 5.0, Zservers
Combines encryption with data theft and extortion in ransomware attacks targeting various organizations.
 16 Ransomware (12) Credential theft (2) Espionage (1)
Fancy Bear
nation-state
aka APT28, Forest Blizzard, APT 28, FancyBear, GRU Military Unit 26165, Sednit, TA422
Deployed Covenant and BeardShell implants against Ukrainian military personnel, drone manufacturers, and organizations involved in drone research and development, as well as logistics and transportation companies outside Ukraine. Russia-aligned group.
 14 Espionage (9) Credential theft (3) Ransomware (1)
fraudsters
criminal
aka criminals, Organized scam call centers, scammers, bad actors, online fraudsters, organized crime groups
Individuals or small groups engaging in opportunistic fraud such as bonus abuse, chargeback disputes, and multi-accounting. Uses automation, shared data, and behavioral simulation to evade detection and blend into legitimate user activity.
 13 BEC / Wire fraud (5) Credential theft (3) Ransomware (2)
Handala
nation-state
aka Handala Hack Team, Homeland Justice, Banished Kitten, Handala Hack, Handala Hacking Team, Ministry of Intelligence and Security (MOIS), MOIS Linked Cyber Influence Ecosystem, The Handala Popular Resistance Front (HPR)
Executed significant wiper attacks in early 2026, targeting high-level government officials, doxxing employees of public companies, and conducting disruptive operations against U.S. critical infrastructure, including internet-exposed PLCs in water, energy, and municipal services.
 12 Espionage (3) Influence operations (3) Wiper / Sabotage (2)
advanced persistent threat (APT) actor
crime-syndicate
aka Threat Actor A, Threat Actor B, a threat actor, Operation GriefLure Threat Actor, PRC-nexus threat actor (associated with UNC6201), Suspected China-linked Threat Actor, Threat actor behind DigiCert support portal hack, threat actor exploiting CVE-2024-55224 and CVE-2024-55225
Conducted a large-scale poisoning campaign targeting Ghost CMS by exploiting CVE-2026-26980 to inject malicious JavaScript loaders into articles. The campaign involved automated bulk vulnerability scanning, Admin API key extraction, and dynamic C2 distribution to deliver malware such as stealer trojans via ClickFix social engineering attacks. The group used cloaking domains and updated payloads to evade detection and maintain persistence.
 12 Initial access brokering (4) Prepositioning (4) Credential theft (3)
MuddyWater
nation-state
aka Seedworm, APT34, Dark Scepter, Helix Kitten, Iranian-aligned group connected to the Ministry of Intelligence and Security (MOIS), OilRig, TA402, MuddyWater APT
Develops and deploys malware targeting Israeli water infrastructure, including ZionSiphon, which is designed to sabotage water treatment systems. The group is associated with Iranian cyber activity and exhibits tradecraft consistent with mid-tier Iranian state-aligned operations.
 11 Espionage (6) Wiper / Sabotage (3) Prepositioning (2)
Akira
crime-syndicate
aka Akira ransomware group, Conti ransomware group
Ransomware operators providing ransomware-as-a-service (RaaS), maintaining the ransomware variant, infrastructure, and managing ransom negotiations. Affiliates deploy the ransomware in victim environments.
 11 Ransomware (11)
The Gentlemen
crime-syndicate
aka Hastala, Storm-2697, zeta88, hastalamuerte, The Gentlemen RaaS, The Gentlemen RaaS administrator, The Gentlemen ransomware operation, The Gentlemen Ransomware-as-a-Service
Operates the Gentlemen ransomware-as-a-service (RaaS) platform, managing the RaaS while affiliates carry out attacks. Uses double extortion tactics, encrypting data and exfiltrating sensitive information to pressure victims. Recently partnered with BreachForums to recruit affiliates and expand operations.
 10 Ransomware (10)
EvilTokens
crime-syndicate
aka EvilTokens affiliates, EvilToken, EvilTokens operators, eviltokensadmin, EvilTokens (related infrastructure), EvilTokens administrator, EvilTokens PhaaS
Developed and distributed the EvilTokens phishing-as-a-service toolkit, which automates device code phishing attacks at scale. The toolkit uses AI to generate realistic attack infrastructure and lowers victim friction through responsive design and automated device code generation.
 10 Account takeover (ATO) (6) Credential theft (2) BEC / Wire fraud (2)
Shai-Hulud
crime-syndicate
aka Shai-Hulud attacker, Shai-Hulud threat actor, Shai-Hulud worm campaign, Shai-Hulud 2.0, Shai-Hulud malware, Shai-Hulud worm
Conducted a large-scale supply chain attack on the npm ecosystem by compromising the 'atool' npm account, which owns popular packages like timeago.js. The attack involved publishing malicious versions of over 300 packages across Alibaba's AntV data visualization ecosystem, exfiltrating credentials, and establishing persistence via backdoors in developer tools like VS Code and Claude Code. The attacker used advanced techniques such as memory scraping to extract unmasked secrets from CI runners, GitHub API dead-drops for exfiltration, and OpenTelemetry impersonation for command and control (C2). The attack was well-orchestrated, with deliberate signaling via GitHub repository descriptions using Dune-universe terminology.
 10 Initial access brokering (4) Credential theft (4) Account takeover (ATO) (1)
LAPSUS$
crime-syndicate
aka Scattered Lapsus$ Hunters, LAPSUS$ (new group), LAPSUS$ Group, Scattered Lapsus$
Collaborates with TGR-CRI-1135 to extort organizations via data leak sites as part of extortion-as-a-service (EaaS) operations.
 10 Data exposure (5) Account takeover (ATO) (3) Credential theft (2)
Scattered Spider
crime-syndicate
aka Muddled Libra, Octo Tempest
Targeted entertainment and hospitality organizations with ransomware campaigns, including attacks on reservations, digital keys, point-of-sale (PoS) machines, and loyalty data. Demonstrated capability to disrupt major hotel operators through social-engineering campaigns.
 9 Espionage (3) Prepositioning (2) Ransomware (2)
VECT
crime-syndicate
aka Vect ransomware group, Vect ransomware operators, Vect (ransomware group), VECT Ransomware
Partners with TGR-CRI-1135 to monetize intrusions through ransomware-as-a-service (RaaS) operations, though recent forum removal may impact future collaborations.
 9 Data exposure (3) Credential theft (2) Prepositioning (1)
Clop
crime-syndicate
aka Cl0p, Hazy Scorpius
Exploits vulnerabilities (e.g., Oracle EBS) to conduct data theft and extortion, shifting away from ransomware encryption to pure extortion tactics.
 8 Ransomware (6) Data exposure (1) Initial access brokering (1)
BlackCat
crime-syndicate
aka ALPHV/BlackCat, BlackCat/Alphv, ALPHV, ALPHV BlackCat, operators of ALPHV aka BlackCat ransomware
Engages in ransomware attacks involving encryption and data theft for extortion purposes.
 8 Ransomware (6) Credential theft (2)
CyberAv3ngers
nation-state
aka 313 Team, Cyber Islamic Resistance, Iranian-affiliated advanced persistent threat (APT) actors
Targeted industrial-control systems (ICS) and operational technology (OT), including PLCs in U.S. critical infrastructure such as water, wastewater, and energy sectors. Documented escalation in targeting municipal infrastructure relevant to the World Cup host cities.
 7 Wiper / Sabotage (4) Prepositioning (2) Espionage (1)

State-Sponsored Activity

Attributed nation-state operations (12w)
Iran 16 articles
Active Actors
MuddyWater (9) Handala (6) APT34 (5) OilRig (5) APT42 (3) APT35 (2) Charming Kitten (2) Mint Sandstorm (2)
Operations
Wiper / Sabotage (18) Espionage (12) Prepositioning (3) Influence operations (2) Data exposure (1)
Targeted Sectors
Healthcare and Social Assistance (1) Information (1) Finance and Insurance (1) Manufacturing (1) Professional, Scientific, and Technical Services (1)
Recent articles ROADtools: Dual-Use Framework Exploited by Nation-State Actors for Cloud Intrusi ZionSiphon: A Conceptually Mature but Functionally Constrained ICS-Targeting Mal Seedworm: Iran-Linked APT Group Expands Global Espionage Campaign Using DLL Side Iranian-Nexus Cyber Espionage Campaign Targets Oman: 11 Ministries Compromised a Top Cyber Threat Groups Targeting Organizations: Profiling OilRig, Cozy Bear, La
Russia 21 articles
Active Actors
APT28 (10) Fancy Bear (8) APT29 (5) Forest Blizzard (4) Secret Blizzard (2) Turla (2) Sandworm (2) Midnight Blizzard (1)
Operations
Espionage (24) Credential theft (5) Ransomware (3) Account takeover (ATO) (2) Wiper / Sabotage (1)
Recent articles The Evolving CVE Landscape: AI-Driven Discovery Outpaces Exploitation but Strain Evolution of Kazuar: From Backdoor to Modular Espionage Framework by Secret Bliz ROADtools: Dual-Use Framework Exploited by Nation-State Actors for Cloud Intrusi Midnight Blizzard Attack on Microsoft: A Deep Dive into Nation-State Espionage a Evolution of Kazuar: From Monolithic Backdoor to Modular P2P Botnet Ecosystem
North Korea 23 articles
Active Actors
Lazarus Group (14) Famous Chollima (5) Contagious Interview (3) Kimsuky (2) APT38 (2) APT37 (2) Lazarus (1)
Operations
Espionage (14) Crypto theft (11) Prepositioning (2) Credential theft (1) Initial access brokering (1)
Recent articles Evolution of Void Dokkaebi's InvisibleFerret: Cython Compilation Enhances Evasio Analysis of Kimsuky's Multi-Themed Spear Phishing Campaigns: Exploiting Legitima North Korea's Cybercrime Operations: Funding Military Ambitions and Evading Sanc Inside DPRK’s npm Malware Factory: A 31-Day Campaign of 108 Packages and 261 Ver noon-contracts: Sophisticated DeFi-Targeted npm Supply Chain RAT with Triple Per
China 13 articles
Active Actors
Volt Typhoon (4) Salt Typhoon (4) Mustang Panda (4) APT41 (3) APT31 (2) APT40 (1) APT27 (1) Silk Typhoon (1)
Operations
Espionage (13) Prepositioning (3) Initial access brokering (2) Wiper / Sabotage (2) Influence operations (1)
Targeted Sectors
Electric Power Generation, Transmission and Distribution (1) Water, Sewage and Other Systems (1) Industrial Machinery Manufacturing (1) Other Heavy and Civil Engineering Construction (1) National Security (1)
Recent articles SHADOW-EARTH-053: China-Aligned Cyberespionage Campaign Exploits Legacy Microsof State-Sponsored Cyber Threats: Redefining Incident Response for Advanced Persist AI-Powered Vulnerability Discovery and Exploit Development: The Rise of Mythos P Network Telemetry Unveils Nation-State Pre-Positioning in the Defense Industrial LOTUSLITE v1.1: Mustang Panda Evolves Backdoor Targeting India's Banking Sector
Tracking 650 unique CVEs over the window. Found: persistent 8
CVE-2026-41940
9.3 PERSISTENT
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
CpanelCpanel WhmCpanel Wp Squared
0 this week 19 total 4w active
Articles The Evolving CVE Landscape: AI-Driven Discovery Outpaces Exploitation but Strain April 2026 High-Impact Vulnerabilities: A Surge in Exploited CVEs and Emerging T Critical Authentication Bypass Vulnerability in Palo Alto Networks PAN-OS (CVE-2 Threat Actor Mr_Rot13 Exploits CVE-2026-41940 to Deploy Multi-Stage Backdoors in Mr_Rot13: A Stealthy Six-Year Cyber Espionage Campaign Exploiting cPanel CVE-202
CVE-2026-31431
7.8 PERSISTENT
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associ
Linux Linux KernelRedhat Openshift Container PlatformRedhat Enterprise LinuxAmazon Amazon LinuxCanonical Ubuntu Linux
0 this week 14 total 5w active
Articles The Evolving CVE Landscape: AI-Driven Discovery Outpaces Exploitation but Strain Analysis and Detection of the Linux Kernel Privilege Escalation Vulnerability CV Critical Linux Kernel Zero-Copy Vulnerabilities Enable Trivial Local Privilege E Fragnesia (CVE-2026-46300): Analysis of the New Linux Kernel XFRM ESP-in-TCP Pri Linux Kernel Privilege Escalation Vulnerabilities: Analysis and Detection of Cop
CVE-2025-55182
10.0 PERSISTENT
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-
Facebook ReactVercel Next.Js
0 this week 11 total 6w active
Articles AI in Offensive Cyber Operations: From Experimental Espionage to Scalable Crimin P2Pinfect Botnet: Expansion of Exploitation Vectors and Persistent Threats in Cl PCPJack: A Credential Theft Framework Targeting Exposed Cloud Infrastructure and Comprehensive Cyber Threat Landscape: Global Cyber Operations, Espionage, and Em ShadowLink: Connecting Residential Proxy Networks on Compromised IoT Devices to
CVE-2026-35616
9.8 PERSISTENT
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Fortinet Forticlientems
0 this week 10 total 5w active
Articles Exploitation of CVE-2026-35616 in FortiClient EMS: A Deep Dive into the EKZ Info Comprehensive Cyber Threat Landscape: Global Cyber Operations, Espionage, and Em Critical SQL Injection Flaw in FortiClient EMS 7.4.4 Under Active Exploitation Critical Unauthenticated SQL Injection Vulnerability in FortiClient EMS 7.4.4 Un Authentication Bypass in FortiClient EMS via HTTP Header Spoofing and Weak Certi
CVE-2026-20127
10.0 PERSISTENT
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, r
Cisco Catalyst Sd-Wan ManagerCisco Sd-Wan Vsmart Controller
0 this week 7 total 5w active
Articles Critical Authentication Bypass Vulnerability in Cisco Catalyst SD-WAN Controller Active Exploitation of Critical Cisco Catalyst SD-WAN Vulnerabilities: A Deep Di Active Exploitation of Cisco Catalyst SD-WAN Vulnerabilities: CVE-2026-20182 and The Efficiency Trap: How Centralized SD-WAN Controllers Concentrate Risk and Att Critical Unauthenticated Buffer Overflow Vulnerability in PAN-OS (CVE-2026-0300)
CVE-2026-3055
9.3 PERSISTENT
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread
Citrix Netscaler Application Delivery ControllerCitrix Netscaler Gateway
0 this week 7 total 4w active
CVE-2026-33017
9.3 PERSISTENT
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows withou
Langflow
0 this week 6 total 4w active
CVE-2026-39987
9.3 PERSISTENT
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticate
Coreweave Marimo
0 this week 5 total 4w active