APT / THREAT GROUP
Responder
3 aliases
Last seen: Mar 17, 2026
Intelligence Profile
Responder is an LLMNR, NBT-NS and MDNS poisoner with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication servers supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Threat Analysis
Responder is tracked as a threat actor of known sophistication and undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.
Intelligence Reports Mentioning Responder
Webinar: The hidden bottlenecks in network incident response
BleepingComputer · May 19, 2026
Iranian government hackers using Chaos ransomware as cover, researchers say
The Record · May 7, 2026
Federal agencies must patch cPanel bug by Sunday, CISA says
The Record · May 1, 2026
Cyber incident responders who carried out ransomware attacks given 4-year sentences
The Record · May 1, 2026
From the field to the report and back again: How incident responders can use the Year in Review
Cisco Talos Blog · Apr 9, 2026
Incident responders, s'il vous plait: Invites lead to odd malware events
Sophos X-Ops · Mar 29, 2026
Iran-linked ransomware gang targeted US healthcare org amid military conflict
The Record · Mar 24, 2026
External References
Quick Facts
Type: APT / Threat Group
Aliases: 3
Also Known As
Responder, py.responder, SpiderLabs Responder
External Intelligence
Malpedia: py.responder
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.