Threat Actors
The Threat Actors module displays a centralized list of all Threat Actor profiles curated by our Rapid7 Labs team. You can use the filters to refine the list results to a specific targeted region, targeted industry, or threat actor type.
What is a threat actor?
A threat actor is an individual or group posing a cybersecurity threat. Threat actors have specific motives, such as financial gain, espionage, activism, or sabotage, and utilize various tactics, techniques, and procedures (TTPs) to achieve their objectives.
There are three types of threat actor:
- Cybercrime: Threat actors motivated by financial gain, typically involved in fraud, data theft, and illegal trade on underground markets. Their operations range from phishing to large-scale data breaches.
- Nation State: Government-backed actors conducting cyber espionage, sabotage, or influence campaigns to support political, economic, or military objectives. Often highly sophisticated and persistent.
- Ransomware: Criminal groups or affiliates who use malware to encrypt victims’ data and demand payment for decryption. Increasingly professionalized, sometimes overlapping with both cybercrime and nation-state ecosystems.
Selecting a threat actor from the list will direct you to an overview where you can view further details, listed in the following table:
| Overview Field | Description |
|---|---|
| Aliases | The alternative names by which the threat actor is known. |
| Description | A descriptive overview of the threat actor's activity. |
| Targeted Countries | The countries in which the threat actor has been observed to be active. |
| Targeted Industries | The industries in which the threat actor has been observed to be active. |
| TTPs | Tactics, techniques and procedures (TTPs) are the behaviours of the threat actor. |
| Associated Malware | Malware that has been observed to be used by the threat actor. |
| Campaigns | The campaigns that the threat actor has been attributed to. You can select a Campaign to open its overview in the Campaigns module. |
From the overview page, you can navigate through the tabs to view the following information associated with the threat actor:
IOCs
The IOCs tab lists all of the IOCs (indicators of compromise) associated with the threat actor. Each IOC has a type, a decay score and a date and time when the IOC was last updated.
You can use the filter to refine the IOCs list by type, and you can export the IOCs list to a downloadable CSV file.
Clicking on the briefcase icon under the Actions column will open the IOC in the Investigation module, which provides further enriched information.
What are IOCs?
Indicators of Compromise (IOCs) are pieces of evidence that suggest a system, network, or domain may have been breached or compromised by a cyberattack.
IOCs act as early warning signals, enabling organisations to detect, investigate, and respond to threats. However, IOCs are inherently volatile, as adversaries frequently modify or abandon them to evade detection, requiring continuous monitoring and intelligence updates to maintain their effectiveness.
What is a decay score?
Each IOC has a Decay Score, a dynamic model that measures the diminishing relevance of IOCs over time. This scoring reflects the reality that threat actors often abandon or rotate infrastructure after detection, exposure, or operational shifts. By applying a Decay Score, organizations can prioritize threat intelligence efforts by focusing on active, high-risk IOCs while deprecating outdated or less relevant ones.
When Rapid7 Labs identifies malicious IP addresses or URLs linked to threat actor campaigns, these indicators are initially assigned a high-confidence score, up to the maximum possible score of 100 for the highest-risk IOCs. Over a predefined period, typically 60 days, this score gradually decreases daily until it reaches 0, signifying that the indicator has transitioned from actively malicious to a status of historically malicious.
However, if renewed malicious activity involving the same indicator is detected during this decay period, the indicator’s Decay Score resets back to its initial high-confidence score, restarting the decay cycle.
Benefits of Decay Scores include:
- Reducing false positives by ensuring outdated IOCs do not linger indefinitely in active blocklists.
- Allowing security teams to prioritize fresh, relevant threats.
- Optimizing resource allocation by preventing unnecessary investigations into obsolete indicators.
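As an added illustration (not Rapid7's own code and not the actual Labs scoring model), the following Python sketches the decay model the text describes: a high-confidence initial score of up to 100, a daily decrease to 0 over a 60-day period, a reset to the initial score when renewed activity is observed, and a filter that keeps only still-active indicators for a blocklist, optionally restricted to one IOC type as the IOCs tab filter does. The linear rate of decrease, the `Indicator` fields, the function names and the sample indicator values (documentation-reserved addresses and example domains) are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Model parameters taken from the text: scores top out at 100 and decay to 0
# over a predefined period, "typically 60 days".
MAX_SCORE = 100
DECAY_PERIOD_DAYS = 60


@dataclass
class Indicator:
    """One IOC as the tab describes it: a value, a type, the high-confidence
    score assigned at first sighting, and the date of the most recent
    malicious observation that started (or restarted) its decay."""
    value: str
    ioc_type: str          # hypothetical type labels: "ip", "url", "domain"
    initial_score: int     # assigned by the analyst/feed, 0..MAX_SCORE
    last_seen: date        # most recent confirmed malicious activity


def decay_score(ioc: Indicator, today: date, period_days: int = DECAY_PERIOD_DAYS) -> int:
    """Score on `today`. Assumption: a linear daily decrease; the text only says
    the score "gradually decreases daily" until it reaches 0 after the period."""
    if not 0 <= ioc.initial_score <= MAX_SCORE:
        raise ValueError(f"initial_score out of range: {ioc.initial_score}")
    age_days = (today - ioc.last_seen).days
    if age_days <= 0:                      # seen today: no decay yet
        return ioc.initial_score
    if age_days >= period_days:            # decay period elapsed
        return 0
    return round(ioc.initial_score * (period_days - age_days) / period_days)


def record_sighting(ioc: Indicator, seen_on: date) -> Indicator:
    """Renewed malicious activity resets the indicator to its initial score by
    restarting the decay clock from the new sighting date."""
    if seen_on > ioc.last_seen:
        ioc.last_seen = seen_on
    return ioc


def status(score: int) -> str:
    """Above 0 the IOC is still treated as actively malicious; at 0 it is only
    historically malicious."""
    return "actively malicious" if score > 0 else "historically malicious"


def active_blocklist(iocs: List[Indicator], today: date, min_score: int = 1,
                     ioc_type: Optional[str] = None) -> List[Tuple[str, str, int]]:
    """Indicators worth keeping on an active blocklist, highest score first,
    so fully decayed IOCs drop out instead of lingering indefinitely."""
    rows = []
    for ioc in iocs:
        if ioc_type is not None and ioc.ioc_type != ioc_type:
            continue
        score = decay_score(ioc, today)
        if score >= min_score:
            rows.append((ioc.value, ioc.ioc_type, score))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data: documentation-reserved addresses, not real IOCs.
TODAY = date(2024, 6, 30)
SAMPLE_IOCS = [
    Indicator("192.0.2.10", "ip", 100, TODAY - timedelta(days=30)),        # half-way through decay
    Indicator("198.51.100.7", "ip", 100, TODAY - timedelta(days=60)),      # fully decayed
    Indicator("http://malware.example/x", "url", 80, TODAY - timedelta(days=15)),
    Indicator("c2.example", "domain", 100, TODAY),                          # seen today
]

if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        s = decay_score(ioc, TODAY)
        print(f"{ioc.value:28} {ioc.ioc_type:7} score={s:3}  {status(s)}")
    print("blocklist:", active_blocklist(SAMPLE_IOCS, TODAY))
    # A fresh sighting of the fully decayed IP restarts its cycle at 100.
    print("after reset:", decay_score(record_sighting(SAMPLE_IOCS[1], TODAY), TODAY))
```

With these constructed inputs the half-way IP scores 50, the 15-day-old URL with an initial score of 80 scores 60, the 60-day-old IP scores 0 and falls off the blocklist, and re-recording that IP today brings it back to 100.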
CVEs
The CVEs listed here are associated with the threat actor. Selecting a CVE from the list will open it in the Rapid7 AttackerKB feed in a new browser tab, where you can view further information on the CVE, such as descriptions and public references.
What are CVEs?
Common vulnerabilities and exposures (CVEs) are publicly known cybersecurity vulnerabilities.
Each CVE is assigned a standardized identifier which typically follows the format CVE-[year]-[identifier number], for example, CVE-2023-23397 (this example is a Microsoft Outlook Elevation of Privilege vulnerability from 2023).
CVEs enable consistent communication and referencing of vulnerabilities, helping security teams track, assess, and remediate issues across different systems and software.
When a CVE appears in a threat actor profile or campaign, it indicates that the vulnerability has been observed or reported as exploited by the threat actor or leveraged in a malicious operation.