Black Swarm Industry Threat Profiles

Industry — Sector Threat Profiles

5 industries · multi-pipeline corroboration · since pipeline activation 2026-04-27
TLP : CLEAR — PUBLIC RELEASE

Healthcare · Sector Profile

Hospitals · Pharma · Medical Devices · Health IT · Dental — Highest high-severity concentration of any sector
163 ITEMS · 140 HIGH-SEV · 22,246 EVIDENCE · RANSOMWARE-DOMINANT

Healthcare carries the highest high-severity concentration of any sector: 140 of 163 items (86%) are HIGH or CRITICAL, with 9 items rated CRITICAL. The attack surface is driven by patient-data value, regulatory pressure to pay, and operational disruption leverage. Ten distinct threat actors target this sector, led by Qilin (1,196 evidence items), APT14, and a CVE-2023-28252 exploitation campaign. The TTP footprint spans 39 unique ATT&CK techniques — the broadest of any sector.

9 CRITICAL · 140 HIGH-SEVERITY · 39 ATT&CK TECHNIQUES · RANSOMWARE-DOMINANT

Threat Items: 163 · Dominant in this sector
High / Critical: 140 · 86% of sector
Evidence Items: 22,246 · Multi-pipeline corroborated
Top Actors: 10 · Qilin · APT14 · LockBit
Lead Technique: T1486 · Data Encrypted for Impact
Critical Items: 9 · Highest crit count

01 · Geographic Spread

Top targets · 2026-04-27 onward

US-dominant with strong Western-European presence. Germany and the UK rank high due to healthcare-specific ransomware targeting of hospital networks and pharmaceutical supply chains.

Top Targeted Countries

02 · Active Campaigns

Evidence volume by actor

Top threat actors targeting healthcare ranked by evidence volume. Bar width is proportional to corroborated evidence count across all pipelines.

03 · Active Threat Actors

Ecosystem targeting healthcare

Radial ecosystem view of actors currently targeting healthcare. Node size scales with evidence count. Central node represents the sector; satellite nodes are active threat groups.

04 · TTPs Observed

MITRE ATT&CK · 39 techniques

Healthcare has the broadest TTP footprint of any sector with 39 unique ATT&CK techniques. The kill-chain coverage spans every phase from Initial Access through Impact, indicating mature, full-spectrum threat activity.

05 · Intelligence Profile

Severity Distribution · Source Pipeline

⚠ Honest Scope-Bounding

Evidence skews toward ransomware leak-site posting. BEC, insider threats, and medical-device-specific exploitation are underrepresented in the current pipeline.

Manufacturing · Sector Profile

Industrial · Automotive · Aerospace · Pharma · Engineering — Highest absolute item count
179 ITEMS · 151 HIGH-SEV · 24,262 EVIDENCE · MULTI-RAAS DOMINANT

Manufacturing leads all sectors in absolute item count (179) and evidence volume (24,262). The attack signature is textbook RaaS — VPN or cloud-account intrusion, data exfiltration to cloud storage, encryption. Play ransomware leads with 1,406 evidence items, followed by Deadeye Jackal (1,161) and APT14 (838). The TTP footprint spans 49 unique ATT&CK techniques, reflecting the broadest attack-surface diversity in the dataset. Western-industrialized geographies dominate: US, Germany, Canada, UK, France, Australia.

151 HIGH-SEVERITY · RANSOMWARE-MONOLITH · WESTERN-INDUSTRIAL · 49 ATT&CK TECHNIQUES

Threat Items: 179 · Highest of any sector
High / Critical: 151 · 84% of sector
Evidence Items: 24,262 · Multi-pipeline corroborated
Top Actors: 10 · Play · Deadeye Jackal · APT14
Lead Technique: T1486 · Data Encrypted for Impact
Unique Techniques: 49 · Broadest TTP footprint

01 · Geographic Spread

Top targets · 2026-04-27 onward

Concentrated in Western-industrialized economies. The US is dominant; Canada, the UK, Italy, France, and Australia all carry substantial volume. Marker size scales with evidence-row count.

Top Targeted Countries

02 · Active Campaigns

Evidence volume by actor

Top threat actors targeting manufacturing ranked by evidence volume. Play ransomware leads with 1,406 evidence items across multi-sector campaigns with heavy manufacturing concentration.

03 · Active Threat Actors

Ecosystem targeting manufacturing

Radial ecosystem view of actors currently targeting manufacturing. Node size scales with evidence count. The sector shows high actor diversity with both RaaS operators and state-aligned groups.

04 · TTPs Observed

MITRE ATT&CK · 49 techniques

Manufacturing has the highest unique technique count (49). Six of the leading techniques map to data-encryption and cloud-exfiltration playbooks. Event-triggered execution and service creation techniques reflect OT-adjacent tradecraft.

05 · Intelligence Profile

Severity Distribution · Source Pipeline

⚠ Honest Scope-Bounding

Coverage is ransomware-dominant. OT/ICS-specific threats and supply-chain compromise at the manufacturing level are not well-captured by the current collection sources.

Financial Services · Sector Profile

Banks · Fintech · Insurance · Payments · Exchanges — Multi-vector threat landscape
142 ITEMS · 118 HIGH-SEV · 15,884 EVIDENCE · MULTI-VECTOR

Financial Services carries 142 threat items with 118 at HIGH or CRITICAL severity (83%). Unlike the ransomware-monolith signature of Manufacturing and Healthcare, the financial sector shows a more diverse actor mix: Scattered Spider (930 evidence), APT14 (838), CVE-2023-28252 campaign (837), and NightSpire (317 with 15 ATT&CK techniques — the most technique-rich actor in this sector). The TTP profile includes 38 unique techniques with DLL side-loading (T1574.002) as a distinctive technique not seen in other sectors.

4 CRITICAL · 118 HIGH-SEVERITY · 38 ATT&CK TECHNIQUES · DLL SIDE-LOADING DISTINCTIVE

Threat Items: 142 · Dominant in this sector
High / Critical: 118 · 83% of sector
Evidence Items: 15,884 · Multi-pipeline corroborated
Top Actors: 10 · Scattered Spider · APT14 · NightSpire
Lead Technique: T1486 · Data Encrypted for Impact
NightSpire Techniques: 15 · Most technique-rich actor

01 · Geographic Spread

Top targets · 2026-04-27 onward

US-dominant with Western-Europe distribution. Financial services targeting is geographically broad but concentrated in major financial centers.

Top Targeted Countries

02 · Active Campaigns

Evidence volume by actor

Top threat actors targeting financial services ranked by evidence volume. Scattered Spider leads with social-engineering-heavy campaigns against financial institutions.

03 · Active Threat Actors

Ecosystem targeting financial services

Radial ecosystem view of actors currently targeting financial services. The sector shows diverse actor types: social-engineering specialists, state-aligned groups, and ransomware operators.

04 · TTPs Observed

MITRE ATT&CK · 38 techniques

Financial services has 38 unique ATT&CK techniques. The distinctive technique is DLL Side-Loading (T1574.002), observed only in this sector. Token manipulation (T1134) and data encoding (T1132) reflect credential-theft and exfiltration tradecraft aligned with financial-data targeting.

05 · Intelligence Profile

Severity Distribution · Source Pipeline

⚠ Honest Scope-Bounding

Classic financial-fraud TTPs (BEC, wire-fraud, card skimming, vishing) are not captured. Evidence is limited to ransomware and data-theft patterns.

Technology · Sector Profile

Software · SaaS · Cloud · Hardware · Semiconductors — DragonForce mega-cluster dominates
166 ITEMS · 136 HIGH-SEV · 29,834 EVIDENCE · DRAGONFORCE-DOMINANT

Technology carries the highest evidence volume of any sector (29,834), driven by the DragonForce mega-cluster (7,554 evidence items — the single largest actor-level evidence set in production). Play (1,406), APT14 (838), and Akira (803) round out the top actors. The sector shows 46 unique ATT&CK techniques with strong representation of supply-chain compromise (T1195.002) and event-triggered execution techniques, reflecting the tech sector's role as both direct target and supply-chain vector.

3 CRITICAL · 136 HIGH-SEVERITY · DRAGONFORCE 7,554 EVIDENCE · SUPPLY-CHAIN VECTOR

Threat Items: 166 · Dominant in this sector
High / Critical: 136 · 82% of sector
Evidence Items: 29,834 · Highest evidence volume
Top Actors: 10 · DragonForce · Play · APT14
Lead Technique: T1486 · Data Encrypted for Impact
DragonForce Evidence: 7,554 · Largest single actor

01 · Geographic Spread

Top targets · 2026-04-27 onward

Concentrated in major technology hubs. The US leads with strong presence in the UK, Canada, Australia, Italy, and Germany. The technology sector's geographic spread tracks closely with software-industry concentration.

Top Targeted Countries

02 · Active Campaigns

Evidence volume by actor

Top threat actors targeting technology ranked by evidence volume. DragonForce dominates with 7,554 evidence items — more than 5x the next-largest actor.

03 · Active Threat Actors

Ecosystem targeting technology

Radial ecosystem view of actors currently targeting the technology sector. DragonForce's outsized node reflects its dominant evidence volume. The mix includes both ransomware operators and state-aligned APT groups.

04 · TTPs Observed

MITRE ATT&CK · 46 techniques

Technology has 46 unique ATT&CK techniques — the second-broadest after Manufacturing. Supply-chain compromise (T1195.002), event-triggered execution, and phishing for information (T1598) are notable inclusions that reflect the tech sector's dual role as target and attack vector.

05 · Intelligence Profile

Severity Distribution · Source Pipeline

⚠ Honest Scope-Bounding

Supply-chain signal exists but is thin (TA505/Cl0p only). Zero-day exploitation in SaaS platforms is underrepresented.

Energy · Sector Profile

Oil & Gas · Power · Utilities · Renewables · Nuclear — ICS-adjacent threat landscape
103 ITEMS · 86 HIGH-SEV · 12,506 EVIDENCE · ICS-ADJACENT

Energy carries 103 threat items with 86 at HIGH or CRITICAL severity (83%), including 3 CRITICAL items. The sector is notable for a CVE-2020-1472 (Zerologon) campaign cluster rated CRITICAL with 12 ATT&CK techniques — the most technique-rich actor in this sector. Play ransomware (1,406 evidence) and Deadeye Jackal (1,161) lead by volume, while ICS-adjacent actors like Design Group (416 evidence, 3 techniques) and BrainCipher (290 evidence) reflect energy-specific targeting. The TTP profile spans 34 unique techniques with account manipulation (T1098) as a distinctive technique.

3 CRITICAL · 86 HIGH-SEVERITY · ZEROLOGON CAMPAIGN · ICS-ADJACENT ACTORS

Threat Items: 103 · Dominant in this sector
High / Critical: 86 · 83% of sector
Evidence Items: 12,506 · Multi-pipeline corroborated
Top Actors: 10 · Play · Deadeye Jackal · APT14
Lead Technique: T1486 · Data Encrypted for Impact
Unique Techniques: 34 · ICS-adjacent footprint

01 · Geographic Spread

Top targets · 2026-04-27 onward

Energy targeting spans major energy-producing and energy-consuming nations. The US and Germany lead, reflecting their large energy-infrastructure footprints. The UK, Saudi Arabia, Australia, and Canada round out the top targets, consistent with global energy distribution.

Top Targeted Countries

02 · Active Campaigns

Evidence volume by actor

Top threat actors targeting energy ranked by evidence volume. Play ransomware and Deadeye Jackal lead by volume, while ICS-adjacent actors carry smaller but more targeted evidence sets.

03 · Active Threat Actors

Ecosystem targeting energy

Radial ecosystem view of actors currently targeting the energy sector. The mix includes both commodity ransomware operators and energy-sector-specific threat groups, including a CRITICAL-rated CVE campaign.

04 · TTPs Observed

MITRE ATT&CK · 34 techniques

Energy has 34 unique ATT&CK techniques — fewer than Manufacturing or Healthcare, reflecting a narrower but more ICS-adjacent tradecraft profile. Account manipulation (T1098) and valid accounts with default credentials (T1078.001) are distinctive techniques that align with OT-environment targeting.

05 · Intelligence Profile

Severity Distribution · Source Pipeline

⚠ Honest Scope-Bounding

Critical infrastructure and SCADA/ICS-specific threats are underrepresented. Geopolitical attribution is inferred, not confirmed.