Threat Actor Registry

Tracked Threat Actors & Cybercrime Groups

Threat actors, APT groups, and cybercrime clusters observed across DeepFalcon daily reports. Profiles are updated as new intelligence is published.

Active threats: 3 · Monitoring: 2 · Disrupted: 1 · Total tracked: 6 · Report window: 30d
Storm-2949
Microsoft Threat Cluster · Unattributed
Active
Cloud-focused threat cluster specializing in identity-based attacks against Microsoft Entra ID and Azure environments. Known for achieving full cloud-wide data exfiltration (Key Vaults, storage accounts, SQL databases, M365 mailboxes) without deploying any traditional malware. Uses compromised developer identities and abuse of Entra ID self-service password reset (SSPR) as primary entry vectors.
First observed: 2025
Primary target: Azure · M365
Attribution: Unattributed
Reports: 3 findings
Tags: LotL / No Malware · Identity Abuse
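To make the SSPR entry vector concrete, here is an added detection example written for this page; it is not DeepFalcon's code and nothing from the Storm-2949 reporting. It correlates Entra ID audit-log records so that a self-service password reset completed shortly after a security-info change on the same account is surfaced, which is the shape an attacker leaves when they first enroll their own authentication method and then reset the password through SSPR. The record shape follows the Microsoft Graph directoryAudit resource; the log lines, account names, IP addresses, known-egress list and one-hour window are all constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed Entra ID audit-log records (JSON lines), shaped after the Microsoft Graph
# directoryAudit resource. Every value below is invented for this example.
SAMPLE_AUDIT_LOGS = """
{"activityDateTime":"2026-03-11T07:58:12Z","activityDisplayName":"User registered security info","initiatedBy":{"user":{"userPrincipalName":"j.park@example.com","ipAddress":"198.51.100.77"}},"targetResources":[{"userPrincipalName":"j.park@example.com"}],"result":"success"}
{"activityDateTime":"2026-03-11T08:03:40Z","activityDisplayName":"Reset password (self-service)","initiatedBy":{"user":{"userPrincipalName":"j.park@example.com","ipAddress":"198.51.100.77"}},"targetResources":[{"userPrincipalName":"j.park@example.com"}],"result":"success"}
{"activityDateTime":"2026-03-11T09:15:00Z","activityDisplayName":"Reset password (self-service)","initiatedBy":{"user":{"userPrincipalName":"m.okafor@example.com","ipAddress":"203.0.113.15"}},"targetResources":[{"userPrincipalName":"m.okafor@example.com"}],"result":"success"}
{"activityDateTime":"2026-03-10T16:20:00Z","activityDisplayName":"User registered security info","initiatedBy":{"user":{"userPrincipalName":"s.brand@example.com","ipAddress":"203.0.113.15"}},"targetResources":[{"userPrincipalName":"s.brand@example.com"}],"result":"success"}
{"activityDateTime":"2026-03-11T11:00:00Z","activityDisplayName":"Reset password (self-service)","initiatedBy":{"user":{"userPrincipalName":"s.brand@example.com","ipAddress":"203.0.113.15"}},"targetResources":[{"userPrincipalName":"s.brand@example.com"}],"result":"success"}
"""

# Constructed baseline: egress IPs the organization normally signs in from.
KNOWN_EGRESS_IPS = {"203.0.113.15"}

# Audit activities that mean an authentication method was added or changed.
SECURITY_INFO_EVENTS = {"User registered security info", "User changed default security info"}
SSPR_EVENT = "Reset password (self-service)"


def parse_audit_logs(text):
    """Parse JSON-lines audit records and return them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    records.sort(key=lambda r: r["activityDateTime"])
    return records


def _ts(value):
    # Graph timestamps end in "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _target(record):
    return record["targetResources"][0]["userPrincipalName"]


def _source_ip(record):
    return record["initiatedBy"]["user"].get("ipAddress")


def correlate_sspr(records, known_ips, window=timedelta(hours=1)):
    """Flag SSPR completions that follow a security-info change on the same account within `window`.

    Returns one finding per suspicious reset: the account, the gap in seconds between
    the security-info change and the reset, and whether the reset came from an IP
    outside the known egress set.
    """
    last_info_change = {}  # account -> most recent successful security-info event
    findings = []
    for rec in records:
        if rec.get("result") != "success":
            continue
        account = _target(rec)
        name = rec["activityDisplayName"]
        if name in SECURITY_INFO_EVENTS:
            last_info_change[account] = rec
        elif name == SSPR_EVENT and account in last_info_change:
            prior = last_info_change[account]
            gap = _ts(rec["activityDateTime"]) - _ts(prior["activityDateTime"])
            if timedelta(0) <= gap <= window:
                findings.append({
                    "account": account,
                    "gap_seconds": int(gap.total_seconds()),
                    "source_ip": _source_ip(rec),
                    "unknown_ip": _source_ip(rec) not in known_ips,
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_sspr(parse_audit_logs(SAMPLE_AUDIT_LOGS), KNOWN_EGRESS_IPS):
        print(finding)
```

Legitimate users do occasionally re-register a phone and reset a password in the same sitting, so a hit is a triage lead rather than a verdict; the gap length and the unknown_ip flag are what separate a helpdesk-driven reset from an attacker who enrolled their own method minutes earlier. In the constructed sample only j.park is flagged: m.okafor has no preceding security-info change, and s.brand's change is more than eighteen hours before the reset.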
Tycoon2FA Operators
PhaaS Platform Operators · Cybercrime
Active
Operators of the Tycoon2FA Phishing-as-a-Service (PhaaS) platform. Following a March 2026 law enforcement disruption, the operators migrated infrastructure and pivoted from adversary-in-the-middle (AiTM) credential relay to OAuth Device Code phishing. Actively recruiting affiliates and targeting Microsoft 365 and Entra ID environments globally. 8.3 billion email phishing threats were attributed to platform affiliates in Q1 2026.
First observed: 2023
Primary target: M365 · Entra ID
Status: Post-disruption rebuild
Reports: 5 findings
Tags: PhaaS · AiTM → Device Code
DriveSurge
Initial Access Broker · Pay-Per-Install
Active
Newly identified Initial Access Broker (IAB) operating a Pay-Per-Install (PPI) model. Injects malicious scripts into thousands of legitimate high-reputation websites, routing visitors through a Traffic Distribution System (zTDS) that delivers ClickFix or FakeUpdates payloads. Cross-platform capability confirmed on both Windows and macOS. Active since at least September 2025.
First observed: Sep 2025
Primary target: Windows · macOS
Attribution: Unattributed
Reports: 2 findings · 15 IOCs
Tags: IAB · ClickFix · Drive-By
EvilTokens Operators
PhaaS Platform · Device Code Phishing
Monitoring
Operators of the EvilTokens PhaaS toolkit, delivering OAuth Device Code phishing against Microsoft 365 via AI-driven automation that circumvents the standard 15-minute code expiration window. Targeted 340+ organizations across five countries. Expanding to Gmail and Okta phishing. Operates via Telegram bot infrastructure.
First observed: 2025
Primary target: M365 · Gmail · Okta
Attribution: Unattributed
Reports: 2 findings
Tags: PhaaS · Device Code
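The device code pivot shared by the Tycoon2FA and EvilTokens profiles leaves a consistent trace in Entra ID sign-in logs: the authenticationProtocol field of the resulting sign-in is deviceCode. The following added example was written for this page and is not taken from either kit's reporting or from DeepFalcon; it triages constructed sign-in records against a baseline of accounts that legitimately use the flow, flagging accounts outside that baseline, sign-ins from unknown addresses, and one address finishing the flow for several accounts. The record shape follows the Microsoft Graph signIn resource; the log lines, account names, app names, IP addresses and baseline sets are invented, and which party's address appears on a device-code sign-in record is treated here as an assumption rather than a documented fact.

```python
import json
from collections import defaultdict

# Constructed Entra ID sign-in records (JSON lines), shaped after the Microsoft Graph
# signIn resource. Every value below is invented for this example.
SAMPLE_SIGNIN_LOGS = """
{"createdDateTime":"2026-04-02T09:14:03Z","userPrincipalName":"a.ng@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T09:21:40Z","userPrincipalName":"a.ng@example.com","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T09:22:15Z","userPrincipalName":"a.ng@example.com","appDisplayName":"Microsoft Graph Command Line Tools","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T10:02:11Z","userPrincipalName":"dev.ops@example.com","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.40","status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T10:40:00Z","userPrincipalName":"b.ruiz@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","status":{"errorCode":0}}
{"createdDateTime":"2026-04-02T10:41:30Z","userPrincipalName":"c.lee@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.23","status":{"errorCode":50126}}
"""

# Constructed baseline: identities expected to use the device code flow (CLI and
# automation users) and the egress IPs the organization normally signs in from.
EXPECTED_DEVICE_CODE_USERS = {"dev.ops@example.com"}
KNOWN_EGRESS_IPS = {"203.0.113.7", "203.0.113.40"}


def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def successful_device_code_signins(records):
    """Keep only device-code sign-ins that actually issued a token (errorCode 0)."""
    return [r for r in records
            if r.get("authenticationProtocol") == "deviceCode"
            and r.get("status", {}).get("errorCode", 0) == 0]


def flag_device_code_signins(records, expected_users, known_ips):
    """One finding per account whose device-code sign-ins fall outside the baseline."""
    by_user = defaultdict(list)
    for r in successful_device_code_signins(records):
        by_user[r["userPrincipalName"]].append(r)
    findings = []
    for user, events in sorted(by_user.items()):
        reasons = []
        if user not in expected_users:
            reasons.append("account is not expected to use the device code flow")
        unknown = sorted({e["ipAddress"] for e in events} - known_ips)
        if unknown:
            reasons.append("device code sign-in from unknown IP(s): " + ", ".join(unknown))
        if reasons:
            findings.append({
                "user": user,
                "apps": sorted({e["appDisplayName"] for e in events}),
                "reasons": reasons,
            })
    return findings


def shared_source_ips(records, min_users=2):
    """Addresses that completed device-code sign-ins for several different accounts.

    Assumption: whether the logged address is the victim's browser or the kit's
    token poller depends on which leg of the flow the record reflects. Either way,
    one address finishing the flow for unrelated accounts is worth a look, because
    a PhaaS kit drives every victim's session from shared infrastructure.
    """
    users_by_ip = defaultdict(set)
    for r in successful_device_code_signins(records):
        users_by_ip[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNIN_LOGS)
    for finding in flag_device_code_signins(records, EXPECTED_DEVICE_CODE_USERS, KNOWN_EGRESS_IPS):
        print(finding)
    print(shared_source_ips(records))
```

Because a Microsoft device code expires 15 minutes after issuance, a kit has to obtain the code at the moment the victim engages and the resulting sign-in lands within that window, so a detection that only runs on a daily batch will see the token long after it has been used. Where a population of users has no reason to use the flow at all, the Conditional Access authentication-flows condition can block device code flow for them outright, which removes the class of attack rather than detecting instances of it. In the constructed sample dev.ops is left alone, a.ng and b.ruiz are flagged, and c.lee's failed attempt is ignored because no token was issued.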
Fox Tempest
Malware-Signing-as-a-Service · Cybercrime
Disrupted
Operators of a Malware-Signing-as-a-Service (MSaaS) platform disrupted by Microsoft DCU in May 2026 (OpFauxSign). Used Azure Artifact Signing to generate short-lived 72-hour code-signing certificates allowing malware to appear as legitimate signed software. Charged $5,000–$9,000 per certificate. Infrastructure seized — signspace[.]cloud and hundreds of Azure VMs taken offline.
Active period: 2025 — May 2026
Disrupted: May 20, 2026
Attribution: Unattributed
Reports: 2 findings
Tags: Azure Abuse · MSaaS
JINX-0164
Financially Motivated · Crypto Targeting
Monitoring
Financially motivated threat actor targeting cryptocurrency organizations via LinkedIn social engineering. Uses convincing fake recruiter and business contact profiles to deliver custom macOS RAT (AUDIOFIX) and Go backdoor (MINIRAT). Escalated in April 2026 to supply chain attacks — trojanized npm package @velora-dex/sdk v4.9.1. Techniques overlap with North Korean threat clusters.
First observed: Mid-2025
Primary target: Crypto · macOS
Attribution: DPRK overlap suspected
Reports: 1 finding
Tags: Social Engineering · Supply Chain