Real-time attack mapping, CVE intelligence, APT actor profiles, and IOC data aggregated and curated by the CT Cyber Defence SOC team. Refreshed continuously from global threat feeds.
Elevated ransomware activity. APT42 and Scattered Spider actively targeting UK/EU financial sector.
High-severity CVEs actively exploited in the wild, curated from NVD, CISA KEV, and our own threat hunting telemetry. Last updated May 2025.
Nation-state, cybercriminal, and hacktivist groups actively targeting organisations in our client sectors. Profiles based on current intelligence and MITRE ATT&CK mappings.
APT29 (Cozy Bear / Midnight Blizzard): Russian SVR-linked espionage group targeting government, diplomatic, and technology organisations. Known for long-dwell-time intrusions, the SolarWinds supply chain compromise, and Microsoft 365 credential theft via password spraying and OAuth application abuse.
APT41: Chinese state-sponsored dual-mission group conducting both espionage and financially motivated cybercrime. Prolific use of zero-day exploits, supply chain compromises, and destructive tooling, alongside ransomware deployment for financial gain.
Scattered Spider (also tracked as UNC3944): English-speaking cybercriminal group specialising in social engineering of help desks for MFA bypass and SIM swapping. Responsible for high-profile breaches of MGM Resorts, Caesars, and multiple telecom providers. Has deployed ALPHV/BlackCat ransomware as an affiliate; the ALPHV operation itself went dark in March 2024 and the group has since worked with other RaaS programmes.
LockBit 3.0 (LockBit Black): Prolific ransomware-as-a-service group. Despite the February 2024 Operation Cronos takedown, it remains active on reconstituted infrastructure. Uses intermittent (partial-file) encryption for speed and exfiltrates data before encryption for double extortion.
APT42: Iranian state-sponsored group linked to the IRGC, conducting credential harvesting, surveillance, and destructive attacks against journalists, human rights organisations, government, and critical infrastructure. Active spear-phishing campaigns against UK targets in 2025.
Pro-Russian hacktivist group conducting DDoS campaigns against government, banking, and critical-infrastructure targets in NATO member states. Uses Telegram to recruit DDoS participants and announce targets. Primarily availability-focused, with limited intrusion capability.
Curated IOCs from our SOC telemetry and public threat feeds, updated continuously. Indicators are defanged (hxxps://, [.]) and must be refanged before import into a SIEM or block list. Treat HIGH-confidence entries as candidates for blocking and MED-confidence entries as alert-only; truncated hashes are shown for reference and cannot be used for matching.
| Type | Indicator | Threat Actor | Description | Confidence |
|---|---|---|---|---|
| IP | 185.220.101.47 | Scattered Spider | Tor exit node used in MFA bypass campaign | HIGH |
| Domain | update-checker[.]net | APT29 | C2 domain masquerading as software update service | HIGH |
| Hash | a3f8b2c1...e4d9 | LockBit 3.0 | LockBit Black ransomware payload (SHA256 truncated) | HIGH |
| IP | 45.155.205.233 | APT41 | Cobalt Strike C2 beacon infrastructure (VPS-hosted) | HIGH |
| Domain | microsoftonline-auth[.]com | APT42 | Credential phishing page impersonating Microsoft 365 login | HIGH |
| URL | hxxps://cdn[.]hacker-svr[.]ru/p.exe | Unknown (RU-nexus) | Malware delivery URL, Lumma stealer dropper | MED |
| IP | 194.165.16.11 | LockBit 3.0 | LockBit exfiltration staging server (confirmed 2025-04) | HIGH |
| Hash | 7d9f4e3a...b2c8 | APT41 | PlugX remote access tool variant (SHA256 truncated) | MED |
| Domain | secure-docusign[.]io | Unknown TA | DocuSign impersonation phishing domain, credential harvest | HIGH |
| IP | 91.92.251.103 | APT42 | Iranian APT42 phishing kit C2 / credential receiver | MED |
| Domain | vpn-client-update[.]org | APT29 | Malware delivery disguised as VPN client update package | HIGH |
| Hash | f1e2d3c4...a9b0 | Scattered Spider | BYOVD driver used to terminate EDR processes before encryption | HIGH |
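As an added example (not the SOC's own tooling), the Python below parses a table in the format above, refangs each indicator, validates it for its type, and routes it to a block list, an alert-only list, or a skip list with a reason. The embedded sample is constructed from four rows of the table above plus one constructed private-address row to exercise the non-routable check; the function and variable names are the example's own.

```python
"""Parse, refang, validate and triage a markdown IOC table of the form used above."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four rows taken from the table above plus one private-address
# row added here to show why feed IPs must be checked before they reach a block list.
SAMPLE_TABLE = """\
| Type | Indicator | Threat Actor | Description | Confidence |
|---|---|---|---|---|
| IP | 185.220.101.47 | Scattered Spider | Tor exit node used in MFA bypass campaign | HIGH |
| Domain | update-checker[.]net | APT29 | C2 domain masquerading as software update service | HIGH |
| Hash | a3f8b2c1...e4d9 | LockBit 3.0 | LockBit Black ransomware payload (SHA256 truncated) | HIGH |
| URL | hxxps://cdn[.]hacker-svr[.]ru/p.exe | Unknown (RU-nexus) | Malware delivery URL | MED |
| IP | 10.0.0.1 | Constructed | RFC1918 address added for this example | HIGH |
"""


@dataclass(frozen=True)
class Ioc:
    kind: str         # IP, Domain, Hash, URL
    value: str        # refanged indicator
    actor: str
    description: str
    confidence: str   # HIGH / MED / LOW


# Defang conventions seen in feeds: hxxp(s)://, [.] and the rarer (.) / {.}
_DEFANG = [(re.compile(r"hxxp", re.I), "http"),
           (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), ".")]
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
_HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Turn a defanged indicator back into the literal form a SIEM or firewall matches on."""
    for pat, repl in _DEFANG:
        value = pat.sub(repl, value)
    return value.strip()


def validate(kind: str, value: str) -> Optional[str]:
    """Return None if the indicator is usable for matching/blocking, else the reason to reject it."""
    if "..." in value or "\u2026" in value:
        return "truncated, cannot be matched"
    if kind == "IP":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return "not an IP address"
        if not ip.is_global:           # private, loopback, link-local, reserved
            return "non-routable address, never block from a feed"
    elif kind == "Domain":
        if not _DOMAIN_RE.match(value):
            return "not a valid hostname"
    elif kind == "Hash":
        if not (len(value) in _HASH_LEN and re.fullmatch(r"[0-9a-f]+", value, re.I)):
            return "not a complete md5/sha1/sha256 hex digest"
    elif kind == "URL":
        if not re.match(r"^https?://[^/\s]+", value):
            return "not an http(s) URL"
    else:
        return f"unknown type {kind!r}"
    return None


def parse_table(text: str) -> list:
    """Read '| Type | Indicator | Actor | Description | Confidence |' rows; extra trailing cells are ignored."""
    iocs = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or cells[0] in ("Type", "") or set(cells[0]) <= {"-"}:
            continue  # header row, separator row, or junk
        kind, ind, actor, desc, conf = cells[:5]
        iocs.append(Ioc(kind, refang(ind), actor, desc, conf.upper()))
    return iocs


def triage(iocs: list) -> dict:
    """HIGH -> block list, MED/LOW -> alert only, unusable -> skipped with a reason."""
    out = {"block": [], "alert": [], "skip": []}
    for ioc in iocs:
        reason = validate(ioc.kind, ioc.value)
        if reason:
            out["skip"].append((ioc.value, reason))
        elif ioc.confidence == "HIGH":
            out["block"].append(ioc.value)
        else:
            out["alert"].append(ioc.value)
    return out


if __name__ == "__main__":
    for bucket, items in triage(parse_table(SAMPLE_TABLE)).items():
        print(bucket, items)
```

Run as a script it prints the three buckets: the Tor exit IP and the C2 domain land in `block`, the MED-confidence Lumma URL in `alert`, and both the truncated hash and the RFC1918 address in `skip` with their reasons. The `is_global` check is the one people forget: a feed row with a private or loopback address pushed straight into a firewall block list is a self-inflicted outage.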
Our SOC team monitors all of the above actors and IOCs 24/7 — and actively hunts for their TTPs across client environments. Find out if you're already exposed.