A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by t...

Threat Actor Profile

REF2924

State-sponsored threat group originating from CN.

Real-Time Alerts

Actor Overview

Origin Country
CN

Related Threat Reports

Premium
APT Campaign Analysis - Q4 2025Dec 2025
New Tactics Observed in WildDec 2025
Infrastructure Mapping ReportDec 2025
Stay Updated

Get alerts when new intel on REF2924 is published.

Actor Details

Primary Name
REF2924
Data Source
Precursor Intelligence
Need API Access?

Integrate threat actor data into your SIEM or SOAR.

View Plans →