APT41 — Enhanced Profile
APT41 is a prolific Chinese state-sponsored threat actor conducting both espionage and financially motivated intrusions. With 3,535 evidence items across 36 distinct sources and 2 pipelines, APT41 targets technology, healthcare, telecom, and government sectors globally. It is attributed to contractors of the Chinese Ministry of State Security and tracked by MITRE ATT&CK as G0096. Its arsenal includes 4 malware families, 19 CVEs, and 9 ATT&CK techniques.
Geographic Targeting
Industry Targeting
APT41's top five targeted industries by evidence count. Technology, Government/Defense, and Telecom lead — consistent with a state-sponsored actor with both espionage and financially-motivated mandates.
Infrastructure / Tooling
APT41's malware arsenal spans custom RATs, rootkits, and commercial tools. Jasmin RAT dominates evidence volume with 19 references, while WINNKIT represents the most advanced kernel-level capability. Evidence counts reflect pipeline observations across the collection window.
CVE Arsenal
APT41-cluster evidence references 19 CVEs spanning Apache, Microsoft Exchange, Pulse Secure, Citrix, F5, GitLab, MobileIron, and Atlassian. The top 10 by CVSS score define the primary attack-surface exposure exploited within hours of public disclosure.
Tactics, Techniques, and Procedures
Named Victims
Black Swarm captured the following named victims from APT41-cluster evidence. Evidence counts reflect repeated dark-web observation across multiple collection cycles.
+ 18 additional victims in pipeline
Collection Coverage
Evidence arrival density across the 17-day collection window. APT41 has 2 active pipelines — dark web (60%) and OSINT feed (40%). No social pipeline signal in this window.
Campaign Tracker
Named campaigns associated with the APT41 cluster in Black Swarm evidence. Campaign linkage comes from entity resolution and analyst tagging.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
Severity: base rating High, boosted by multi-source corroboration. The 3,535 items across 36 sources reflect APT41's broad collection footprint, not 3,535 independent intrusions.
Double Dragon designation: The financially motivated ransomware operations (Jasmin, Incransom) are separate from espionage tradecraft. Do not conflate espionage victims with ransomware victims.
Evidence mix: The 2-pipeline split (dark web 60% / OSINT feed 40%) reflects monitoring infrastructure bias. Social pipeline has zero APT41 signals in this window.
9 ATT&CK techniques: Real APT41 tradecraft is broader. Only techniques with direct evidence-pipeline signal are shown. Resource Development and Reconnaissance stages are known gaps.
CVE enrichment partial: 19 CVEs tracked but only a subset have full NVD data in pipeline. CVSS shown from NVD public records.
DragonForce — Enhanced Profile
DragonForce is a ransomware-as-a-service (RaaS) operation with open registration — affiliates can build their own RaaS team within one hour. The group operates a Tor-hosted leak site (DragonBlog) and runs a sustained double-extortion model, listing exfiltrated file sizes and download links for victim data. With 7,554 evidence items across 3 pipelines, DragonForce is the most-observed ransomware operation in Black Swarm's collection window.
Geographic Targeting
Industry Targeting
DragonForce's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the DragonForce cluster.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from DragonForce cluster evidence. Counts reflect repeated dark-web observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for DragonForce.
Campaign Tracker
Named campaigns associated with the DragonForce cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
DragonForce's open-registration model means affiliate counts and TTPs vary widely. The 7,554 evidence count reflects leak-site postings and indexer mirrors, not 7,554 separate intrusions. Victim sectors include legal, franchising, landscaping, medical equipment, flooring, construction — broad mid-market targeting with no clear vertical preference.
Cobalt Group — Enhanced Profile
The cobalt_group cluster aggregates multiple ransomware operations that share common tagging rather than a single unified actor: Cuba/Colddraw (active since 2019), Black Basta (RaaS, 2022), Snatch (Safe Mode evasion, 2021), and Yanluowang (small enterprise). The cluster also includes Cobalt Strike Beacon C2 infrastructure detections. With 4,992 evidence items, 27 CVEs, and 2,925 distinct victim tags, this cluster is broad but of low attribution confidence.
Geographic Targeting
Industry Targeting
Cobalt Group's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the Cobalt Group cluster.
CVE Arsenal
Cobalt Group cluster evidence references 10 CVEs. Top entries by CVSS define the primary attack-surface exposure exploited within hours of public disclosure.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from Cobalt Group cluster evidence. Counts reflect repeated dark-web observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for Cobalt Group.
Campaign Tracker
Named campaigns associated with the Cobalt Group cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
The cobalt_group cluster_key is a routing taxonomy, not an attribution claim. Cuba, Black Basta, Snatch, and Yanluowang are operationally independent. Confidence in cluster coherence as a single actor is low; this profile represents the aggregate signal across all operations sharing the tag.
Qilin — Enhanced Profile
Qilin is a ransomware-as-a-service (RaaS) operation conducting double-extortion attacks across 16+ sectors including manufacturing, healthcare, financial services, public sector, education, and energy. Infrastructure includes Tor-hosted .onion leak sites, victim data publication, and negotiation chat portals. With 1,196 evidence items across 3 pipelines and 1,081 distinct victim tags, Qilin shows sustained operational tempo.
Geographic Targeting
Industry Targeting
Qilin's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the Qilin cluster.
CVE Arsenal
Qilin cluster evidence references 2 CVEs. Top entries by CVSS define the primary attack-surface exposure exploited within hours of public disclosure.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from Qilin cluster evidence. Counts reflect repeated dark-web observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for Qilin.
Campaign Tracker
Named campaigns associated with the Qilin cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
Qilin's broad sector coverage reflects opportunistic targeting rather than vertical specialization. The 1,196 evidence count includes leak-site posts mirrored across multiple indexers (ransomware.live, ransomwatch). No social-engineering or initial-access tradecraft detail is captured in our pipeline.
Everest Group — Enhanced Profile
The everest_group cluster is largely unattributed — multiple evidence items reference the Everest Group name and website, but tags such as static-website, html, and client-side-javascript indicate that much of the captured signal is benign website indexing rather than ransomware activity. Confidence is split: 100% for tier4_replay sources, 0% for everest- sources. With 1,165 evidence items, this cluster has high noise.
Geographic Targeting
Industry Targeting
Everest Group's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the Everest Group cluster.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from Everest Group cluster evidence. Counts reflect repeated dark-web observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for Everest Group.
Campaign Tracker
Named campaigns associated with the Everest Group cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
This cluster has high noise from benign website indexing. The 1,165 evidence count includes static-website tags, which suggests crawled site mirrors rather than ransomware leak-site activity. Treat with caution; investigate cluster_key disambiguation before acting.
Deadeye Jackal — Enhanced Profile
Deadeye Jackal is a ransomware operation observed posting new victim entries on its Tor-hosted leak site, targeting mid-sized organizations across multiple sectors with 14-day countdowns to full data publication. Cross-pipeline corroboration is strong: ransomwatch (clearnet GitHub mirror) and ransomware.live indexed the same listings within hours. The cluster holds 1,161 evidence items and 704 distinct victim tags, with sustained tempo.
Geographic Targeting
Industry Targeting
Deadeye Jackal's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the Deadeye Jackal cluster.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from Deadeye Jackal cluster evidence. Counts reflect repeated dark-web observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for Deadeye Jackal.
Campaign Tracker
Named campaigns associated with the Deadeye Jackal cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
The 1,161 evidence count reflects multi-mirror amplification of the same underlying leak posts (Tor leak site → ransomwatch → ransomware.live). De-duplicated victim count is 704. No initial-access tradecraft detail is captured in our pipeline.
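The mirror amplification described above, shown as an added illustration that is not part of the Black Swarm profile or its pipeline code: constructed evidence records with hypothetical victim tags and source names are reduced to distinct victims, cross-source corroboration, and per-pipeline share, so that raw evidence volume is never mistaken for intrusion count.

```python
from collections import Counter, defaultdict

# Constructed sample records (hypothetical victims and sources, not pipeline data).
# Each record is one observation of a leak-site listing by one source; the same
# listing re-crawled or mirrored produces additional records, not additional victims.
EVIDENCE = [
    {"victim": "victim-a", "source": "tor-leak-site",   "pipeline": "dark_web"},
    {"victim": "victim-a", "source": "ransomwatch",     "pipeline": "osint_feed"},
    {"victim": "victim-a", "source": "ransomware.live", "pipeline": "osint_feed"},
    {"victim": "victim-b", "source": "tor-leak-site",   "pipeline": "dark_web"},
    {"victim": "victim-b", "source": "tor-leak-site",   "pipeline": "dark_web"},  # re-crawl
    {"victim": "victim-b", "source": "ransomwatch",     "pipeline": "osint_feed"},
    {"victim": "victim-c", "source": "ransomware.live", "pipeline": "osint_feed"},
]


def scope_bound(evidence):
    """Separate raw evidence volume from what it says about distinct victims."""
    if not evidence:  # empty collection window: report zeros rather than divide by zero
        return {"evidence_items": 0, "distinct_victims": 0, "amplification": 0.0,
                "pipeline_share": {}, "corroborated_victims": [], "single_source_victims": []}
    sources_by_victim = defaultdict(set)   # victim tag -> set of sources carrying it
    pipeline_counts = Counter()            # pipeline -> number of raw records
    for item in evidence:
        sources_by_victim[item["victim"]].add(item["source"])
        pipeline_counts[item["pipeline"]] += 1
    total = len(evidence)
    distinct = len(sources_by_victim)
    return {
        "evidence_items": total,
        "distinct_victims": distinct,
        # how many records each real victim generates on average across mirrors
        "amplification": round(total / distinct, 2),
        # percentage split used for the "dark web N% / OSINT feed M%" style caveat
        "pipeline_share": {p: round(100 * n / total) for p, n in pipeline_counts.items()},
        # victims seen by two or more independent sources are the corroborated set
        "corroborated_victims": sorted(v for v, s in sources_by_victim.items() if len(s) >= 2),
        "single_source_victims": sorted(v for v, s in sources_by_victim.items() if len(s) == 1),
    }


if __name__ == "__main__":
    for key, value in scope_bound(EVIDENCE).items():
        print(f"{key}: {value}")
```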
CoinbaseCartel — Enhanced Profile
CoinbaseCartel is a ransomware group observed targeting the hospital, retail, and construction sectors, with operational tempo increasing in recent weeks based on leak-site activity. The cluster is dark-web heavy: 1,044 of its 1,051 evidence items come from dark_web and only 7 from social. A Polish hospital network represents the largest concentrated victim group.
Geographic Targeting
Industry Targeting
CoinbaseCartel's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the CoinbaseCartel cluster.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from CoinbaseCartel cluster evidence. Counts reflect repeated dark-web observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for CoinbaseCartel.
Campaign Tracker
Named campaigns associated with the CoinbaseCartel cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
CoinbaseCartel signal is overwhelmingly from dark-web leak-site monitoring. The cluster has 21 distinct victim tags, much lower than other ransomware groups at the same evidence count, which suggests concentrated repeat-monitoring of a smaller victim set.
Scattered Spider — Enhanced Profile
Scattered Spider is a financially motivated cybercrime group known for aggressive social engineering and MFA bypass targeting financial services and high-tech sectors. Named tooling observed: PROMPTFLUX, BRICKSTORM, QUIETVAULT, PROMPTSTEAL. Referenced in Mandiant M-Trends 2026. The cluster holds 930 evidence items, primarily from the social pipeline (554) plus OSINT-feed corroboration (374).
Geographic Targeting
Industry Targeting
Scattered Spider's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the Scattered Spider cluster.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from Scattered Spider cluster evidence. Counts reflect repeated observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for Scattered Spider.
Campaign Tracker
Named campaigns associated with the Scattered Spider cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
Scattered Spider tradecraft is primarily social engineering: phone-based pretexting, MFA fatigue, and SIM swap. Our pipeline captures public reporting and analyst tagging, not first-hand intrusion telemetry. The real victim count is much higher than the 5 distinct tags captured (casino and retail breaches are not all named).
APT14 — Enhanced Profile
The apt14 cluster aggregates four distinct ransomware operations: Spook (2021, defunct), Red Ransomware (2024), Avaddon (2020-2021, defunct), and SafePay (2024+, growing). No evidence links these operations to a single actor; the cluster key is a routing taxonomy. SafePay is the active operation, having claimed 471 victims by mid-2025, including UK telematics firm Microlise (1.2TB exfiltration). The cluster holds 838 evidence items.
Geographic Targeting
Industry Targeting
APT14's top targeted industries by evidence count, derived from pipeline tagging.
Infrastructure / Tooling
Malware families and tooling attributed to the APT14 cluster.
Tactics, Techniques, and Procedures
Named Victims
Victims captured from APT14 cluster evidence. Counts reflect repeated dark-web observation across collection cycles.
Collection Coverage
Evidence arrival density across the collection window for APT14.
Campaign Tracker
Named campaigns associated with the APT14 cluster are not currently isolated in pipeline tagging. Campaign linkage requires analyst enrichment beyond cluster-level evidence aggregation.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
apt14 is a cluster routing taxonomy, not an attribution claim. Spook (active Sep-Oct 2021, 35 victims) and Avaddon (active Feb 2020-Sep 2021, 146 victims) are defunct. Red Ransomware (2024, 16 victims) has limited activity. SafePay is the active operation; 471 victims claimed by mid-2025 with average 38.7-day attack-to-claim delay.
Play — Enhanced Profile
Play ransomware group operates a sophisticated RaaS model responsible for attacks on government, critical infrastructure, and enterprise targets globally. With 1,406 evidence items across 15 distinct sources, Play targets technology, manufacturing, and legal sectors. Notable victims include Cisco and CD Projekt. Arsenal includes 15 malware families and 8 ATT&CK techniques.
Geographic Targeting
Industry Targeting
Play's top five targeted industries by evidence count. Technology, Manufacturing, and Legal Services lead — Play's closed RaaS model favors high-value targets with sensitive data and high ransom tolerance.
Infrastructure / Tooling
Play's toolset combines custom ransomware with commercial and open-source tools for lateral movement and defense evasion. PlayCrypt and HelloKitty represent the primary payloads, while EDRKillShifter is the EDR-disabling tool observed in this cluster (it is also used by other actors, so its presence alone does not indicate Play).
Tactics, Techniques, and Procedures
Named Victims
Black Swarm captured the following named victims from Play-cluster evidence via the Play leak site. Evidence counts reflect repeated leak-site observation across multiple collection cycles.
+ 18 additional victims in pipeline
Collection Coverage
Evidence arrival density across the 17-day collection window. Dense activity on May 5–8 and May 11–13 reflects burst leak-site publication cycles. 70% dark web, 20% social, 10% OSINT feed.
Campaign Tracker
Named campaigns associated with the Play cluster in Black Swarm evidence.
MITRE ATT&CK Mapping
Ecosystem
Intelligence Profile
Honest Scope-Bounding
Severity: High classification based on evidence volume and notable victims (Cisco, CD Projekt). No critical infrastructure confirmed-breach tags in current evidence.
Evidence counts per victim (133 each): Reflect repeated observation across multiple collection cycles, not 133 separate incidents per victim.
No CVEs: Play operators are known to exploit FortiOS and ProxyNotShell vulnerabilities, but no CVE-level enrichment is present in the current pipeline for this cluster. CVE tagging is a known pipeline gap (RR-195).
Closed RaaS model: Unlike open-affiliate RaaS platforms, Play's victim selection is more controlled. Not all observed tool overlap implies Play operation — EDRKillShifter and Cobalt Strike are shared with multiple other actors.