Top Threat Actors - Q4 2024
In Q4 2024, major ransomware groups and new threat actors using AI and zero-days reshaped the global cyber threat landscape, escalating risks and redefining security priorities.
Welcome back to Hall of Hacks Weekly
In Q4 2024, we traced the movements of the most disruptive actors, from long-standing ransomware crews expanding their operations to newly identified groups leveraging AI and zero-day exploits. Their actions didn’t just make headlines; they redrew the map of cyber risk.
Mapping Cyber Adversaries
The Q4 2024 data includes 180 tracked threat actor activities from across the globe, representing a broad spectrum of cyber activities including APT (Advanced Persistent Threat) operations, state-sponsored espionage, cybercriminal campaigns, ransomware attacks, and hacktivist movements. While many of these actors appear multiple times due to their involvement in distinct cyber incidents, the overall landscape underscores the prominence of Russia, China, Iran, and North Korea in state-sponsored and APT operations. Eastern Europe and groups of unknown origin account for a significant share of ransomware and cybercriminal activities.
Key trends included:
Well-established threat groups remained active, including APT29, APT38, RansomHub, and RomCom.
In December 2024, LockBit announced plans for a comeback with the release of LockBit 4.0, slated for February 2025.
T-Mobile detected and thwarted infiltration attempts by hackers believed to be linked to China's state-sponsored group, Salt Typhoon.
CeranaKeeper emerged as a new China-based state-sponsored threat actor, adding to the expanding landscape of state-sponsored activity.
Lesser-known actors also contributed, reflecting the growing diversity of cyber adversaries.
Q4 2024 highlighted a globally dispersed threat landscape, with threat actors operating across various regions and sectors, and Russia and China the most active.
The threat landscape remains persistent and multifaceted, combining state-sponsored operations, cybercriminal activity, and emerging tactics.
Top 5 Threat Actors of Q4 2024
In Q4 2024, the top five most active threat actors were APT29, RansomHub, APT38, NoName057, and Black Basta. APT29, a Russian state-sponsored group, led the activity with six tracked operations, maintaining its reputation for high-level cyber espionage. RansomHub, a ransomware group from Eastern Europe, surged in prominence with six major incidents, reflecting the continued rise of financially motivated cybercrime. APT38 from North Korea followed closely with five known operations, further underlining the country's aggressive cyber strategy to generate funds through cyber theft. Also notable was NoName057, a Russian-aligned cybercriminal group, responsible for five disruptive campaigns. Finally, Black Basta, a Russian ransomware group, conducted at least three significant attacks, maintaining its presence among the most prolific ransomware operators of the quarter.
APT29, also known as “Cozy Bear,” is a Russian state-sponsored threat group linked to the Foreign Intelligence Service (SVR). In Q4 2024, it remained highly active, executing sophisticated cyber-espionage campaigns targeting government and diplomatic entities to gather sensitive intelligence.
RansomHub emerged as a dominant ransomware group in Q4 2024, responsible for six major attacks across various sectors. The group employs data extortion tactics, encrypting victims’ systems and threatening public leaks unless ransoms are paid.
APT38 is a financially motivated North Korean threat actor with ties to the country’s infamous Lazarus Group. It focused on attacking financial institutions, conducting high-stakes cyberheists to support the regime’s sanctioned economy.
NoName057, a Russian-aligned hacktivist group, carried out politically motivated attacks, primarily using DDoS campaigns to disrupt critical infrastructure and media organizations. In Q4, their operations spiked, aligning with geopolitical tensions and propaganda efforts.
Black Basta solidified its status as a leading ransomware group by orchestrating at least three high-impact attacks during the quarter. Known for double extortion tactics, the group encrypts data while simultaneously threatening public exposure to maximize pressure on victims.
Why These Threat Actors Stand Out
These threat actors stand out in Q4 2024 due to the scale, sophistication, and strategic intent behind their operations. APT29 and APT38 represent state-sponsored espionage and financial theft campaigns driven by geopolitical goals, while RansomHub and Black Basta showcase the persistent threat of organized ransomware syndicates that are increasingly professionalized and ruthless in targeting critical infrastructure. Meanwhile, NoName057 exemplifies the rise of hacktivism weaponized for political influence, disrupting services and spreading propaganda under the guise of activism. Together, they reflect the evolving cyber threat landscape, where nation-state tactics blend with financially and ideologically motivated attacks, making defense increasingly complex and urgent.
Where They Are from
APT29 – Russia
A state-sponsored group affiliated with Russia’s Foreign Intelligence Service (SVR).
RansomHub – Eastern Europe
A financially motivated ransomware group operating primarily out of Eastern Europe.
APT38 – North Korea
A North Korean threat actor focused on cyber-enabled financial theft, linked to the Lazarus Group.
NoName057 – Russia
A pro-Russian hacktivist group engaging in politically motivated cyberattacks.
Black Basta – Russia
A Russian ransomware syndicate known for its double extortion tactics and corporate targeting.
Industry Impact
1. Government & Public Sector: Government agencies, diplomatic entities, and public infrastructure were heavily targeted, especially by state-sponsored actors like APT29 and hacktivist groups like NoName057. These attacks aimed to steal classified data, disrupt operations, or push geopolitical agendas.
2. Financial Services: Banks, fintech platforms, and cryptocurrency exchanges faced severe threats, particularly from APT38 and RansomHub. Financial theft and ransomware extortion remained primary motivations, putting billions of dollars at risk.
3. Healthcare & Education: Hospitals, clinics, and universities were prime ransomware targets due to their critical nature and often outdated security infrastructure. Groups like RansomHub and Black Basta exploited these vulnerabilities to extract high ransom payments.
4. Manufacturing & Critical Infrastructure: Manufacturers, utility providers, and industrial networks were targeted for both espionage and disruption. Black Basta, in particular, focused on operational shutdowns and data theft in these sectors.
5. Media & Communications: Media outlets and public communication platforms were attacked by hacktivist groups like NoName057 to suppress narratives, spread propaganda, or retaliate against perceived political enemies.
Coming Next Week
In our next edition, we’ll dive into the most impactful threats that shaped Q4 2024. From stealthy rootkits and self-spreading worms to powerful botnets, data-harvesting infostealers, and relentless ransomware strains, we’ll examine how these threats operated, who deployed them, and why they dominated the global cyber threat landscape. Whether it's classic trojans or modern spyware, we’ll unpack the tools that powered some of the most disruptive campaigns of the quarter.
Copyright © 2025 CyberMaterial. All Rights Reserved.