Threat Actors
The Threat Actors page displays a centralized list of all Threat Actor profiles curated by the Rapid7 Labs team. You can use the filters to refine the list results to a specific targeted region, targeted industry, or threat actor type.
What is a threat actor?
A threat actor is an individual or group posing a cybersecurity threat. Threat actors have specific motives, such as financial gain, espionage, activism, or sabotage, and utilize various tactics, techniques, and procedures (TTPs) to achieve their objectives.
There are three types of threat actor:
- Cybercrime: Threat actors motivated by financial gain, typically involved in fraud, data theft, and illegal trade on underground markets. Their operations range from phishing to large-scale data breaches.
- Nation State: Government-backed actors conducting cyber espionage, sabotage, or influence campaigns to support political, economic, or military objectives. Often highly sophisticated and persistent.
- Ransomware: Criminal groups or affiliates who use malware to encrypt victims’ data and demand payment for decryption. Increasingly professionalized, sometimes overlapping with both cybercrime and nation-state ecosystems.
Select a threat actor to go to an overview and view further details, listed in this table:
| Overview Field | Description |
|---|---|
| Aliases | The alternative names by which the threat actor is known. |
| Description | A descriptive overview of the threat actor’s activity. |
| Targeted Countries | The countries in which the threat actor has been observed to be active. |
| Targeted Industries | The industries in which the threat actor has been observed to be active. |
| TTPs | The tactics, techniques, and procedures (TTPs) that make up the threat actor’s observed behavior. |
| Associated Malware | Malware that has been observed in use by the threat actor. |
| Campaigns | The campaigns to which the threat actor has been attributed. You can select a Campaign to open its overview in the Campaigns module. |
IOCs
The IOCs tab lists all indicators of compromise (IOCs) associated with the threat actor. The table displays each IOC’s type, decay score, and the date and time it was last updated.
What are IOCs?
Indicators of Compromise (IOCs) are pieces of evidence that suggest a system, network, or domain may have been breached or compromised by a cyberattack.
IOCs act as early warning signals, enabling organizations to detect, investigate, and respond to threats. However, IOCs are inherently volatile: adversaries frequently modify or abandon them to evade detection, so continuous monitoring and intelligence updates are required to keep them effective.
What is a decay score?
Each IOC has a decay score, a dynamic model that measures the diminishing relevance of IOCs over time. This scoring reflects the reality that threat actors often abandon or rotate infrastructure after detection, exposure, or operational shifts. By applying a decay score, organizations can prioritize threat intelligence efforts by focusing on active, high-risk IOCs while deprecating outdated or less relevant ones.
When Rapid7 Labs identifies malicious IP addresses or URLs linked to threat actor campaigns, these indicators are initially assigned a high-confidence score, up to the maximum possible score of 100 for the highest-risk IOCs. Over a predefined period, typically 60 days, this score gradually decreases daily until it reaches 0, signifying that the indicator has transitioned from actively malicious to a status of historically malicious.
However, if renewed malicious activity involving the same indicator is detected during this decay period, the indicator’s decay score resets back to its initial high-confidence score, restarting the decay cycle.
Benefits of decay scores include:
- Reducing false positives by ensuring outdated IOCs do not linger indefinitely in active blocklists.
- Allowing security teams to prioritize fresh, relevant threats.
- Optimizing resource allocation by preventing unnecessary investigations into obsolete indicators.
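The decay behavior described above, worked through as an added example (this is not Rapid7’s implementation). It assumes a linear drop from the initial score to 0 over the decay period, which the page does not specify beyond "decreases daily", and it assumes the cycle restarts from the day renewed activity is observed. The IP address is a constructed value from the RFC 5737 documentation range.

```python
# Added example (not Rapid7's implementation): a decay-score model matching the
# behaviour described on the page. Assumptions: the score falls linearly from
# its initial value to 0 over the decay period, and renewed activity restarts
# the clock from the day it is observed.
from datetime import datetime, timedelta, timezone

MAX_SCORE = 100           # highest-risk IOCs start here
DECAY_PERIOD_DAYS = 60    # "typically 60 days"


def decay_score(elapsed_days, initial_score=MAX_SCORE, period_days=DECAY_PERIOD_DAYS):
    """Score after `elapsed_days` since the indicator was last seen active.

    Linear decay is an assumption; the page only says the score decreases
    daily until it reaches 0 at the end of the period.
    """
    if elapsed_days <= 0:
        return initial_score
    if elapsed_days >= period_days:
        return 0
    return round(initial_score * (1 - elapsed_days / period_days))


class Indicator:
    """An IOC whose decay cycle restarts when fresh malicious activity is seen."""

    def __init__(self, value, ioc_type, first_seen, initial_score=MAX_SCORE):
        self.value = value
        self.ioc_type = ioc_type
        self.last_active = first_seen
        self.initial_score = initial_score

    def observe_activity(self, when):
        """Renewed activity: reset the decay cycle from this sighting."""
        if when > self.last_active:
            self.last_active = when

    def score_at(self, now):
        elapsed = (now - self.last_active).total_seconds() / 86400
        return decay_score(elapsed, self.initial_score)

    def status_at(self, now):
        return "actively malicious" if self.score_at(now) > 0 else "historically malicious"


def run_scenario():
    """Walk one constructed IP through a decay cycle, a reset, and a second decay."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ioc = Indicator("203.0.113.10", "IP", t0)  # constructed; RFC 5737 documentation range
    before_reset = [ioc.score_at(t0 + timedelta(days=d)) for d in (0, 30, 59, 60, 90)]
    ioc.observe_activity(t0 + timedelta(days=45))  # renewed activity seen on day 45
    after_reset = [ioc.score_at(t0 + timedelta(days=d)) for d in (45, 75, 105)]
    return {
        "before_reset": before_reset,
        "after_reset": after_reset,
        "status_day_105": ioc.status_at(t0 + timedelta(days=105)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the property that matters for blocklist hygiene: without a reset the indicator reaches 0 on day 60 and stays there, while a sighting on day 45 pushes it back to its initial score and gives it a full new 60-day window.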
To filter the IOCs list:
- In the IOCs tab, select the Filter dropdown.
- Select one or more IOC types to refine the list.
The table updates to show only IOCs that match your selected types.
To export the IOCs list:
- In the IOCs tab, select Export CSV.
A CSV file containing the current IOCs list downloads to your browser’s default download location.
To open an IOC in Investigations:
- In the IOCs table, locate the IOC you want to investigate.
- Under the Actions column, select the briefcase icon.
The IOC opens in Threat Investigations, where you can access further enriched information about the indicator.
Search Logs for Threat Actor IOCs
The Search logs for IOCs dropdown lets you pivot directly from a threat actor profile into SIEM (InsightIDR) Log Search, with a query pre-built from the threat actor’s curated IOCs. This lets you quickly check whether any indicators associated with the threat actor have appeared in your environment, without having to build a query from scratch.
This feature is available to customers using both Threat Intelligence (Intelligence Hub) and SIEM (InsightIDR).
To search your logs for threat actor IOCs:
- From the threat actor overview page, select the Search logs for IOCs dropdown.
- Select an IOC type from the list:
  - Domain
  - Hostname
  - IP
  - MD5
  - SHA1
  - SHA256
  - URL
SIEM (InsightIDR) Log Search opens in a new browser tab, pre-populated with a query built from the threat actor’s IOCs for the selected type.
The query opens with these default filters applied:
| Filter | Default Value |
|---|---|
| IOC decay score | ≥ 30 |
| IOC last updated | ≤ 60 days ago |
| Informational IOCs | Excluded |
These defaults focus the search on active, high-confidence indicators while filtering out IOCs that are likely stale or originate from commonly misused legitimate infrastructure. You can modify any of these filters directly in Log Search before running or saving the query.
Informational IOCs
To help you make informed decisions about potential threats, some associated IOCs are tagged as Informational. This tag identifies IOCs that are of trusted origin but have been exploited for malicious purposes, such as IP addresses, domains, or hashes. These IOCs may appear anomalous but are commonly used by essential services or business-critical infrastructure. Blocking these IOCs without understanding their context could disrupt key operations or third-party services in your environment.
The Informational tag allows you to:
- Identify legitimate but misused IOCs that are associated with services like public CDNs, mail relays, or cloud-based applications.
- Exclude or filter these IOCs from blocklists or active responses to prevent unintended service outages.
- Prioritize IOCs that represent true threats to your environment.
Integrations May Require IOC Rule Adjustments
“If you’re integrating Threat Intelligence data with detection or enforcement tools
Use Case Example
When reviewing a list of IOCs, you may encounter domains such as smtp.office365.com, or public IPs associated with well-known content delivery networks (CDNs). These may be tagged as Informational to flag their potential misuse without implying a need for immediate containment.
- Use the Informational tag as a filter to quickly isolate or exclude these IOCs.
- Incorporate the tag into your review workflow to avoid false positives and ensure legitimate traffic is not unintentionally disrupted.
- Reference this tag during incident triage to focus investigation and remediation efforts on confirmed malicious threats.
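The default filters from the Search logs for IOCs table (decay score ≥ 30, last updated ≤ 60 days ago, Informational IOCs excluded) and the Informational-tag workflow above, applied together as an added example. This is not the product’s code or data model: the record layout, the caller-supplied field name, and the where(... IN [...]) query form are assumptions for illustration, and the sample IOCs are constructed from documentation-reserved addresses and domains, apart from smtp.office365.com, which the page itself uses as an Informational example.

```python
# Added example (not the product's code or data model): applying the default
# Log Search filters and the Informational tag to a constructed IOC list before
# building a query. The record layout, field name, and where(... IN [...])
# query syntax are assumptions for illustration.
from datetime import datetime, timedelta, timezone

DEFAULT_MIN_DECAY = 30        # default filter: IOC decay score >= 30
DEFAULT_MAX_AGE_DAYS = 60     # default filter: IOC last updated <= 60 days ago

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample records. Decay and last-updated are stored independently,
# as they are in the IOCs table, so an IOC can be old yet still carry a score.
SAMPLE_IOCS = [
    {"type": "IP", "value": "203.0.113.10", "decay": 95,
     "updated": NOW - timedelta(days=3), "informational": False},
    {"type": "IP", "value": "198.51.100.7", "decay": 12,          # stale score
     "updated": NOW - timedelta(days=52), "informational": False},
    {"type": "IP", "value": "192.0.2.44", "decay": 40,            # too old
     "updated": NOW - timedelta(days=75), "informational": False},
    {"type": "Domain", "value": "smtp.office365.com", "decay": 80,  # Informational
     "updated": NOW - timedelta(days=1), "informational": True},
    {"type": "Domain", "value": "suspicious.example", "decay": 61,
     "updated": NOW - timedelta(days=10), "informational": False},
]


def select_iocs(iocs, ioc_type, now=NOW, min_decay=DEFAULT_MIN_DECAY,
                max_age_days=DEFAULT_MAX_AGE_DAYS, include_informational=False):
    """Return indicator values of one type that pass the filters.

    Stale (low decay), old (last updated too long ago), and Informational
    IOCs are dropped by default; set include_informational=True to keep the
    legitimate-but-misused ones for a review workflow rather than a blocklist.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [
        ioc["value"]
        for ioc in iocs
        if ioc["type"] == ioc_type
        and ioc["decay"] >= min_decay
        and ioc["updated"] >= cutoff
        and (include_informational or not ioc["informational"])
    ]


def build_query(field, values):
    """Build an illustrative where(<field> IN [...]) clause.

    The field name is supplied by the caller and the syntax is an assumption,
    not a guaranteed Log Search form; adapt it to the log source being searched.
    """
    if not values:
        return None
    quoted = ", ".join(f'"{v}"' for v in values)
    return f"where({field} IN [{quoted}])"


if __name__ == "__main__":
    for ioc_type, field in (("IP", "destination_ip"), ("Domain", "query")):
        values = select_iocs(SAMPLE_IOCS, ioc_type)
        print(ioc_type, values, "->", build_query(field, values))
```

Keeping the Informational exclusion as a default while exposing include_informational mirrors the page’s advice: the tag removes these IOCs from enforcement and alerting by default, but they stay retrievable for triage when context is needed.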
CVEs
The CVEs listed here are associated with the threat actor. Selecting a CVE from the list opens it in the Rapid7 AttackerKB feed in a new browser tab, where you can view further information on the CVE, such as descriptions and public references.
What are CVEs?
Common vulnerabilities and exposures (CVEs) are publicly known cybersecurity vulnerabilities.
Each CVE is assigned a standardized identifier which typically follows the format CVE-[year]-[identifier number], for example, CVE-2023-23397 (this example is a Microsoft Outlook Elevation of Privilege vulnerability from 2023).
CVEs enable consistent communication and referencing of vulnerabilities, helping security teams track, assess, and remediate issues across different systems and software.
When a CVE appears in a threat actor or campaign profile, it indicates that the vulnerability has been observed or reported as exploited by the threat actor or leveraged in a malicious operation.
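A small parser for the CVE-[year]-[identifier number] format described above, added here as an example (it is not part of the page or the product). It normalizes identifiers found in free text, such as an advisory or a ticket, so they can be matched against a threat actor profile’s CVE list. Apart from the page’s own CVE-2023-23397, the identifiers in the sample text are constructed, including deliberately malformed ones.

```python
# Added example (not part of the page or the product): normalizing CVE
# identifiers found in free text so they can be matched against a threat
# actor profile's CVE list. Identifiers other than the page's CVE-2023-23397
# are constructed for illustration.
import re

# CVE-YYYY-NNNN where the sequence part has at least four digits.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the CVE program began assigning identifiers in 1999


def parse_cve_id(candidate):
    """Return (year, sequence_string) for a well-formed CVE ID, or None."""
    m = CVE_ID_RE.fullmatch(candidate.strip())
    if m is None:
        return None
    year, seq = int(m.group(1)), m.group(2)
    if year < FIRST_CVE_YEAR:
        return None
    return year, seq


def normalize_cve_id(candidate):
    """Canonical upper-case form, e.g. 'cve-2023-23397' -> 'CVE-2023-23397'.

    The sequence digits are kept exactly as written; only the prefix case
    and surrounding whitespace are normalized.
    """
    parsed = parse_cve_id(candidate)
    if parsed is None:
        return None
    year, seq = parsed
    return f"CVE-{year}-{seq}"


def extract_cve_ids(text):
    """Unique, normalized CVE IDs found in text, sorted; malformed ones are skipped."""
    found = set()
    for m in CVE_ID_RE.finditer(text):
        normalized = normalize_cve_id(m.group(0))
        if normalized:
            found.add(normalized)
    return sorted(found)


# Constructed sample text: one real ID from the page, one placeholder in valid
# form (CVE-2025-0000 is a constructed placeholder, not a real assignment),
# one with a too-short sequence, and one dated before the program existed.
SAMPLE_TEXT = (
    "Exploited: CVE-2023-23397 (Outlook EoP), also written cve-2023-23397. "
    "Placeholder: CVE-2025-0000. Malformed: CVE-2023-123. "
    "Pre-program: CVE-1998-0001."
)

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_TEXT))
```

Matching on the normalized form avoids missing a hit because a feed writes the prefix in lower case or pads the identifier with whitespace, while the year and minimum-length checks reject obvious transcription errors before they reach a lookup.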