Threat Actor Naming and Taxonomy

Download Report

This is how we name and classify threat actors and their attacks across the world.

Threat Actor Naming Taxonomy

Exchanging threat actor information across cybersecurity organizations is no easy task, as each organization operates under different circumstances and interests. To address this challenge, AhnLab has developed a threat actor naming taxonomy designed to complement existing industry classification methods and enable more systematic management of diverse threat actor types.

AhnLab classifies threat actors into Larva and Arthropod based on their identification stage.

This concept is inspired by the transformation process in which larvae that initially appear similar evolve into distinct arthropods over time — intuitively representing how the true identity of threat actors is gradually revealed as analysis progresses.

Larva: Unidentified Threat Actor

Larva refers to an unidentified threat actor in the early stage, where attribution information has not yet been confirmed. All threat actors are initially classified and managed as Larva until additional attribution details are identified.

Larva: Unidentified Threat Actor

Category                    Name    Threat Actor Type
Unidentified Threat Actor   Larva   Unidentified threat actor

Unidentified threat actors are assigned an ID in the format "Larva-YY###", where "YY" indicates the year of detection and "###" indicates the order of detection within that year. For example, "Larva-26001" refers to the first unidentified threat actor confirmed in 2026.

Larva is a fixed designation assigned at or above the Incident level within the cyber threat management framework. Once sufficient attribution is obtained through further analysis, the Larva is linked to an Arthropod, representing an identified threat actor.

The linkage to an Arthropod is not fixed and may be updated (added, modified, or removed) as new information becomes available. For instance, if a threat actor initially attributed to North Korea is later identified as originating from China, the associated Arthropod can be changed from Ant to Cricket.

The process of our new threat actor taxonomy

Arthropod: Identified Threat Actor

Once sufficient attribution information is obtained for a Larva, it is linked to a corresponding Arthropod based on its association with a specific country or organization.

Arthropods are broadly categorized into State-Sponsored Threat Actors and Non-State Threat Actors.

State-Sponsored Threat Actors

State-sponsored threat actors are classified using unique Arthropod names assigned to each country.

If a threat actor exhibits APT characteristics but its sponsoring country is not clearly identified, it is classified as Mantis.

State-Sponsored Threat Actors

Category                       Name        Threat Actor Type
State-Sponsored Threat Actor   Mantis      APT – sponsoring nation unconfirmed
                               Ant         North Korea suspected
                               Cricket     China suspected
                               Dragonfly   South Korea suspected
                               Butterfly   Vietnam suspected
                               Firefly     Pakistan suspected
                               Mosquito    India suspected
                               Tick        Kazakhstan suspected
                               Wasp        Russia suspected
                               Spider      United States suspected
                               Scorpion    Iran suspected
                               Hornet      Israel suspected
                               Moth        Lebanon suspected
                               Glowworm    UAE suspected
                               Earwig      Türkiye suspected

State-sponsored threat actors do not exist as a single group, but rather as multiple distinct groups within a nation. To identify and differentiate these groups, AhnLab uses the following naming structure:

TA + Modifier + Arthropod

This approach preserves country-level representation while enabling clear distinction between threat actors operating within the same nation.

Examples:

  • TA-GiantAnt - A North Korean-sponsored attack group known as Lazarus
  • TA-RedAnt - A North Korean-sponsored attack group known as RedEyes
  • TA-ShadowCricket - A Chinese-sponsored attack group known as ShadowForce

Non-State Threat Actors

Cybercriminals, ransomware groups, and hacktivists may have ties to specific nations, but for classification purposes, activity type takes precedence over national affiliation. Non-state threat actors are categorized and managed according to their primary objective and attack characteristics.

Non-State Threat Actors

Category                 Name        Threat Actor Type
Non-State Threat Actor   Beetle      Cybercriminal group
                         Tarantula   Ransomware group
                         Cicada      Hacktivist group

The naming of non-state threat actors follows the structure below.

TA + Arthropod + YY + ###

Example: TA-Beetle-25001

Threat Actor Icons & Names

Three-Stage Cyber Threat Management Framework

AhnLab's three-stage cyber threat management framework defines the levels of cyber threat activity as: Incident (individual attack case) → Operation (coordinated attack activity) → Campaign (long-term, organized attack activity). The framework provides a structured approach to managing threat elements at each stage, from individual attacks to long-term campaigns.

Three-Stage Cyber Threat Management Framework

Category   Name        Meaning                                Description
Stage 1    Incident    Individual attack case                 An individual attack case with an identified victim or affected organization
Stage 2    Operation   Attack activity                        A unit grouping multiple incidents into a single coordinated attack activity
Stage 3    Campaign    Long-term, organized attack activity   An organized attack activity comprising two or more operations, sustained over a minimum of several months to more than a year
Stage 1: Incident

An incident refers to an individual attack with an identified victim or an affected organization. According to our framework, we assign a title "INC-YYMMDD-###" to each incident, meaning "INC (Incident)-YYMMDD (Year/Month/Day)-### (Order)". The focus is on analyzing the characteristics of the event, the extent of the damage, and the techniques leveraged by a threat actor. As a result, organizations can accurately identify the cyber attack case and set the foundation for investigating the operation at a higher level.

Stage 2: Operation

An operation is composed of multiple incidents. The priority in this stage is to comprehensively analyze the characteristics, targets, and techniques to identify connections between multiple incidents. It is also important to understand the patterns and intentions of malicious activities. We assign the name of an operation as "OP-YYMMDD-###", which follows the same structure as the Incident naming convention.

As for the analysis of the operation, we consider the following key elements:

  • Goal: The attacker's ultimate objective
  • Target: Attack targets including organizations, industries, and regions
  • Malware: Types and characteristics of malware used
  • Tool: Software and programs used in the attack
  • Vulnerability: Exploited vulnerabilities
  • Technique: Leveraged tactics, techniques and procedures
  • Infrastructure: Infrastructure (C2, proxy, etc.) used in the attack

By analyzing these factors, we can identify the unique characteristics and patterns of each operation and more accurately track the activities of threat actors. In this stage, it is important to understand that multiple threat actors can be involved in a single operation. Our framework considers that multiple threat actors can collaborate to perform cyber attacks, which is why a larva can be linked to multiple arthropods. In real-world scenarios, it is common for individuals, hired hackers, or cyber threat groups to collaborate toward a common goal.
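The identifier formats above (Larva-YY###, TA-ModifierArthropod, TA-Arthropod-YY###, INC-YYMMDD-### and OP-YYMMDD-###) and the rule that a Larva's Arthropod links are mutable and may be several at once are easy to get wrong when threat intelligence is exchanged between tools. The following is an added example, not code from AhnLab or this page: a small parser and validator for the documented formats, plus a record type that keeps the Larva-to-Arthropod links and supports the reattribution case described above (Ant to Cricket). The arthropod tables are copied from the page; the assumption that two-digit years fall in the 2000s follows the page's "Larva-26001" = 2026 example; all function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Arthropod names for state-sponsored actors, taken from the page's table
# (Mantis has no country because the sponsoring nation is unconfirmed).
STATE_ARTHROPODS = {
    "Mantis": None, "Ant": "North Korea", "Cricket": "China",
    "Dragonfly": "South Korea", "Butterfly": "Vietnam", "Firefly": "Pakistan",
    "Mosquito": "India", "Tick": "Kazakhstan", "Wasp": "Russia",
    "Spider": "United States", "Scorpion": "Iran", "Hornet": "Israel",
    "Moth": "Lebanon", "Glowworm": "UAE", "Earwig": "Türkiye",
}

# Arthropod names for non-state actors, taken from the page's table.
NON_STATE_ARTHROPODS = {
    "Beetle": "Cybercriminal group",
    "Tarantula": "Ransomware group",
    "Cicada": "Hacktivist group",
}

# One pattern per documented identifier format.
_LARVA = re.compile(r"^Larva-(\d{2})(\d{3})$")                        # Larva-YY###
_NON_STATE_TA = re.compile(                                            # TA-Arthropod-YY###
    r"^TA-(" + "|".join(NON_STATE_ARTHROPODS) + r")-(\d{2})(\d{3})$")
_STATE_TA = re.compile(                                                # TA-ModifierArthropod
    r"^TA-([A-Z][a-z]+)(" + "|".join(STATE_ARTHROPODS) + r")$")
_ACTIVITY = re.compile(r"^(INC|OP)-(\d{2})(\d{2})(\d{2})-(\d{3})$")    # INC/OP-YYMMDD-###


def _year(yy: str) -> int:
    # Assumption: two-digit years are in the 2000s, as in the page's "Larva-26001" = 2026.
    return 2000 + int(yy)


def parse_identifier(ident: str) -> dict:
    """Split one identifier into its taxonomy fields; ValueError if it matches no format."""
    if m := _LARVA.match(ident):
        yy, seq = m.groups()
        return {"kind": "larva", "year": _year(yy), "sequence": int(seq)}
    if m := _NON_STATE_TA.match(ident):
        arthropod, yy, seq = m.groups()
        return {"kind": "non_state", "arthropod": arthropod,
                "type": NON_STATE_ARTHROPODS[arthropod],
                "year": _year(yy), "sequence": int(seq)}
    if m := _STATE_TA.match(ident):
        modifier, arthropod = m.groups()
        return {"kind": "state_sponsored", "modifier": modifier,
                "arthropod": arthropod, "country": STATE_ARTHROPODS[arthropod]}
    if m := _ACTIVITY.match(ident):
        level, yy, mm, dd, seq = m.groups()
        return {"kind": "incident" if level == "INC" else "operation",
                "date": f"{_year(yy)}-{mm}-{dd}", "sequence": int(seq)}
    raise ValueError(f"not a recognised AhnLab-style identifier: {ident!r}")


def is_valid_identifier(ident: str) -> bool:
    """True when the string matches one of the documented formats."""
    try:
        parse_identifier(ident)
        return True
    except ValueError:
        return False


@dataclass
class LarvaRecord:
    """A Larva plus its mutable set of linked Arthropods (TA-... identifiers).

    A Larva may be linked to several Arthropods at once (collaborating actors),
    and a link may be added, changed or removed as attribution improves.
    """
    larva_id: str
    linked: set = field(default_factory=set)

    def __post_init__(self):
        if parse_identifier(self.larva_id)["kind"] != "larva":
            raise ValueError("a LarvaRecord must be keyed by a Larva-YY### id")

    def link(self, ta_id: str) -> None:
        if parse_identifier(ta_id)["kind"] not in ("state_sponsored", "non_state"):
            raise ValueError("only TA-... identifiers can be linked to a Larva")
        self.linked.add(ta_id)

    def relink(self, old_ta_id: str, new_ta_id: str) -> None:
        """Replace one attribution with another, e.g. after reattributing Ant to Cricket."""
        self.link(new_ta_id)
        self.linked.discard(old_ta_id)

    def suspected_countries(self) -> set:
        """Countries implied by the state-sponsored links (Mantis contributes nothing)."""
        infos = [parse_identifier(t) for t in self.linked]
        return {i["country"] for i in infos if i["kind"] == "state_sponsored" and i["country"]}


if __name__ == "__main__":
    # Constructed walk-through mirroring the page's reattribution example.
    rec = LarvaRecord("Larva-26001")
    rec.link("TA-GiantAnt")                        # initially suspected North Korea
    print(rec.suspected_countries())               # {'North Korea'}
    rec.relink("TA-GiantAnt", "TA-ShadowCricket")  # later reattributed to China
    print(rec.suspected_countries())               # {'China'}
    for ident in ["Larva-26001", "TA-Beetle-25001", "INC-250101-001", "OP-250101-001", "TA-Dog"]:
        print(ident, "->", parse_identifier(ident) if is_valid_identifier(ident) else "invalid")
```

The modifier pattern deliberately requires a capitalised word before the arthropod name, so a bare "TA-Mantis" or "TA-Ant" is rejected: the page's structure for state-sponsored actors is always TA + Modifier + Arthropod. Keeping links as a set rather than a single field is what lets one Larva carry several Arthropods when actors collaborate in a single operation.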

Stage 3: Campaign

A campaign is a long-term, organized cyber attack activity that lasts for at least several months to over a year. It consists of two or more operations and utilizes various techniques over a long period to achieve long-term goals. We define campaigns after conducting relentless analysis and investigations.

The campaign analysis focuses on uncovering malicious activities comprised of multiple operations to achieve long-term goals rather than a short-term individual cyber-attack. The objective at this stage is to understand the attacker’s ultimate strategies and goals. Therefore, we investigate cases where multiple threat actors have cooperated or acted independently over a long period of time.

For more details of our new threat actor taxonomy and cyber threat activity framework, please read the PDF at the top of the webpage.