Attacker Behavior Analytics

Attacker Behavior Detection rules analyze the stream of endpoint and log events coming from event sources and look for events that might indicate attacker behavior. The Rapid7 Threat Intelligence team makes frequent updates to our detections to adapt to the ever-changing tactics of malicious actors.

Browse our existing Attacker Behavior detections and review newly published detections and actionable recommendations.

| Group | Description | Alternate Names |
| --- | --- | --- |
| APT Groups | Advanced persistent threat (APT) groups are threat actors operated by nation states or state-sponsored groups. Our ready-made detection rules detect the following APT groups: APT1, APT10, APT12, APT15, APT16, APT17, APT18, APT19, APT20, APT27, APT3, APT31, APT32, APT33, APT36, APT37, APT39, APT40, APT41, APT5. | |
| BlackOasis | BlackOasis is a Middle Eastern-based threat group. This threat group has targeted prominent figures in the United Nations, opposition bloggers, activists, regional news correspondents, and think tanks. | |
| BlackTech | BlackTech is a cyber espionage group that has targeted victims in East Asia, primarily Taiwan, and also Japan and Hong Kong. | CIRCUIT PANDA, HUAPI, Temp.Overboard |
| Blind Eagle | Blind Eagle is a suspected South American espionage group that has been active since at least 2018. The group primarily targets Colombian government institutions and corporations. | APT-C-36 |
| BRONZE BUTLER | BRONZE BUTLER is a cyber espionage group that appears to be Chinese-based and has been active since at least 2008. This group has primarily targeted Japanese organizations. | REDBALDKNIGHT, Tick |
| Carbanak | Carbanak is a threat group that primarily targets banks, and also refers to malware of the same name. | Anunak, Carbon Spider |
| Cobalt Group | Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. This threat group has conducted intrusions to steal money by targeting ATM, card processing, payment, and SWIFT systems. | Cobalt, Cobalt Gang, Cobalt Spider, GOLD KINGSWOOD |
| Dark Caracal | Dark Caracal is a threat group attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. | |
| Darkhotel | Darkhotel is a threat group that has conducted activity on hotel and business center WiFi and physical connections, and peer-to-peer and file sharing networks. | APT-C-06, DUBNIUM, Fallout Team, Karba, Luder, Nemim, Nemin, Pioneer, Shadow Crane, SIG25, Tapaoux |
| DarkHydrus | DarkHydrus is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. | LazyMeerkat |
| Deep Panda | Deep Panda is a suspected Chinese-based threat group that has targeted several industries, including government, defense, financial, and telecommunications. | APT26, Black Vine, Group 13, JerseyMikes, KungFu Kittens, PinkPanther, Shell Crew, Turbine Panda, WebMasters |
| DragonOK | DragonOK is a threat group that has targeted Japanese organizations with phishing emails. | Moafee |
| Dust Storm | Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. | Stone Panda |
| Elderwood | This group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. | Beijing Group, Elderwood Gang, Sneaky Panda |
| Energetic Bear | This group initially targeted defense and aviation companies, but shifted its focus to the energy industry in early 2013. This group has also targeted companies related to industrial control systems. | ALLANITE, Crouching Yeti, Dragonfly, ELECTRUM, Group 24, Havex, IRON LIBERTY, Koala Team, Palmetto Fusion |
| FIN Groups | Financial threat groups (FIN) comprise actors that target financial institutions. The following rules detect the presence of FIN groups based on publicly available information: FIN4, FIN5, FIN6, FIN7, FIN8, FIN10. | |
| Gallmaker | Gallmaker is a cyber espionage group that has targeted victims in the Middle East and has primarily targeted victims in the defense, military, and government industries. | |
| Gamaredon Group | Gamaredon Group is a threat group that has been active since at least 2013, and has targeted individuals with probable involvement in the Ukrainian government. | |
| GCMAN | GCMAN is a threat group that has focused on targeting banks to transfer money to e-currency services. | |
| Gorgon Group | Gorgon Group is a threat group whose members are suspected to be Pakistani-based, or have other connections to Pakistan. This threat group has performed criminal and targeted attacks, including campaigns against governmental organizations in the United Kingdom, Spain, Russia, and the United States. | |
| Group5 | Group5 is a threat group with suspected Iranian connections. This threat group has targeted individuals connected to the Syrian opposition through spear phishing and watering hole attacks. | |
| Group 72 | Group 72 is a cyber espionage group suspected to be associated with the Chinese government. | |
| Honeybee | Honeybee is a campaign led by an unknown malicious actor that has targeted humanitarian aid organizations, and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. | |
| KeyBoy | KeyBoy is an unaffiliated threat group that has led targeted campaigns against victims in Taiwan, the Philippines, and Hong Kong. This threat group has primarily targeted the government, healthcare, transportation, and high-tech industries. | APT23, Operation Tropic Trooper, Pirate Panda, Tropic Trooper |
| Lazarus Group | Lazarus Group is a threat group that has been attributed to the North Korean government. | Andariel, Appleworm, APT-C-26, APT38, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, GOP, Group 77, Guardian of Peace, Guardians of Peace, Hastati Group, HIDDEN COBRA, Labyrinth Chollima, Lazarus, NewRomanic Cyber Army Team, NICKEL ACADEMY, Operation AppleJesus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Silent Chollima, Stardust Chollima, Subgroup: Andariel, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, WHOis Team, ZINC |
| Leafminer | Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East. | Raspite |
| Lotus Blossom | Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. | DRAGONFISH, Elise, Esile, Spring Dragon, ST Group |
| Machete | Machete is a threat group that has been active since at least 2010, and has targeted high-profile government entities in Latin American countries. | El Machete, machete-apt |
| Mofang | Mofang is a likely Chinese-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. | Superman |
| Molerats | Molerats is a politically motivated threat group that has been active since 2012. This group has primarily targeted victims in the Middle East, Europe, and the United States. | Extreme Jackal, Gaza Cybergang, Gaza Hackers Team, Moonlight, Operation Molerats |
| MuddyWater | MuddyWater is an Iranian-based threat group that has primarily targeted Middle Eastern countries, but has also targeted European and North American countries. This group has primarily targeted victims in the telecommunications, government IT services, and oil industries. | Seedworm, Static Kitten, TEMP.Zagros |
| Naikon | Naikon is a threat group that has focused on victims around the South China Sea. This threat group has been attributed to the Chinese People's Liberation Army's (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). | APT30, APT.Naikon, Camerashy, Hellsing, Lotus Panda, Override Panda, PLA Unit 78020 |
| NEODYMIUM | NEODYMIUM is an activity group that conducted a campaign in May 2016 and has primarily targeted Turkish victims. | |
| Night Dragon | Night Dragon is a campaign name for activity involving a primarily Chinese-based threat group. | |
| Orangeworm | Orangeworm is a threat group that has targeted organizations in the healthcare industry in the United States, Europe, and Asia since at least 2015, for the suspected purpose of corporate espionage. | |
| Patchwork | Patchwork is a cyber espionage group that has been active since at least December 2015. While this group has not been definitively attributed to India, circumstantial evidence suggests that this group may be a pro-Indian or Indian-based entity. Patchwork has targeted industries related to diplomatic and government agencies. | APT-C-09, Chinastrats, Dropping Elephant, Hangover Group, MONSOON, Operation Hangover, Quilted Tiger, Sarit |
| PLATINUM | PLATINUM is an activity group that has targeted victims associated with governments and related organizations in South and Southeast Asia. | TwoForOne |
| Poseidon Group | Poseidon Group is a threat group that has used information exfiltrated from victims to blackmail companies into contracting Poseidon Group as a security firm. | |
| PROMETHIUM | PROMETHIUM is an activity group that conducted a campaign in May 2016 and has primarily targeted Turkish victims. | StrongPity |
| Rancor | Rancor is a threat group that has led targeted campaigns against Southeast Asia. | Rancor Group |
| Rocke | Rocke is an alleged Chinese-speaking threat group that has primarily used cryptojacking to steal victim system resources to mine cryptocurrency. | |
| RTM | RTM is a cyber criminal group that has been active since at least 2015, and has primarily targeted victims of remote banking systems in Russia and neighboring countries. | |
| Sandworm Team | Sandworm Team is a destructive Russian-based threat group attributed to Russian GRU Unit 74455 by the United States Department of Justice and the United Kingdom National Cyber Security Centre. | Black Energy, Black Energy (Group), ELECTRUM, Iron Viking, Quedagh, Sandworm, TeleBots, TEMP.Noble, VOODOO BEAR |
| Scarlet Mimic | Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. | |
| SilverTerrier | SilverTerrier is a Nigerian threat group that has been active since 2014. SilverTerrier has primarily targeted organizations in the high technology, higher education, and manufacturing industries. | |
| Soft Cell | Soft Cell is a group that is reportedly affiliated with, and sponsored by, China. This group has been active since at least 2012, and has compromised high-profile telecommunications networks. | |
| Sowbug | Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. | |
| Stealth Falcon | Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. | FruityArmor |
| Stolen Pencil | Stolen Pencil is a suspected North Korean-based threat group that has been active since at least May 2018. This threat group appears to have targeted academic institutions, but its motives remain unclear. | |
| Strider | Strider is a threat group that has been active since at least 2011, and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. | ProjectSauron |
| Suckfly | Suckfly is a Chinese-based threat group that has been active since at least 2014. | Axiom |
| TA459 | TA459 is a suspected Chinese-based threat group that has targeted several countries, including Russia, Belarus, and Mongolia. | |
| Taidoor | Taidoor is a threat group that has been active since at least 2009, and has primarily targeted the Taiwanese government. | |
| The White Company | The White Company is a suspected state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led the Operation Shaheen espionage campaign that targeted government and military organizations in Pakistan. | |
| Threat Group-1314 | Threat Group-1314 is a threat group that has used compromised credentials to log into victim remote access infrastructure. | TG-1314 |
| Thrip | Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the United States and Southeast Asia. | Lotus Panda |
| Turla | Turla is a Russian-based threat group that, since 2004, has infected victims in over 45 countries, spanning multiple industries, including government, embassies, military, education, research, and pharmaceutical. | Krypton, Snake, Turla Group, VENOMOUS BEAR, Waterbug, WhiteBear |
| Velvet Chollima | Velvet Chollima is a North Korean-based threat group that has been active since at least September 2013. This threat group has targeted Korean think tanks and organizations attempting to interrupt North Korean nuclear technology advancement. | Kimsuki, Kimsuky |
| Whitefly | Whitefly is a cyber espionage group that has been active since at least 2017. This group has primarily targeted organizations in Singapore across several industries and focused on stealing large amounts of sensitive information. | |
| Windows Suspicious Process | These detections identify attacker techniques used by malicious actors to perform a variety of tasks in the host's environment. | |
| Windshift | WindShift is a threat group that has been active since at least 2017, and has targeted specific individuals for surveillance in government departments and critical infrastructure across the Middle East. | Bahamut |
| WIRTE | WIRTE is a threat group that has been active since at least August 2018. The group has focused on targeting Middle East defense and diplomats. | |
| Wizard Spider | WIZARD SPIDER is a financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. | TEMP.MixMaster, GRIM SPIDER |