Emerging Threat Actors Spotlighted by DARKFEED

DARKFEED has identified a watchlist of emerging threat groups that have appeared within the last 30 days, detailing their observed attack volumes and initial detection dates. The group ‘ALP001’ leads this new cohort with 14 recorded attacks since its first appearance on March 22, 2026. Close behind are ‘Attacker’, noted for 13 attacks, and ‘Lapsus’ with 12 attacks, both having emerged in late March 2026.

Other notable groups include ‘NetRunner’ and ‘KRYBIT’, with 6 and 4 attacks respectively, first observed on April 3, 2026. ‘Secp0’ also registered 4 attacks since its debut on March 9, 2026. The list further includes ‘Exitium’ with 3 attacks (first seen March 12, 2026), a second entry for ‘ALP-001’ with 2 attacks (also first seen March 22, 2026), and ‘Loki’ with a single attack observed on March 12, 2026.

This compilation offers a snapshot of the evolving threat landscape, highlighting newly active entities that security professionals should monitor. The data underscores the dynamic nature of cyber threats and the importance of continuous intelligence gathering.

What This Means For You

  • Security teams should proactively incorporate these newly identified threat actors (e.g., ALP001, Attacker, Lapsus) into their threat intelligence platforms and adjust detection rules and incident response playbooks to account for their tactics, techniques, and procedures.