Threat Actor Naming Taxonomy
Exchanging threat actor information across cybersecurity organizations is no easy task, as each organization operates under different circumstances and interests. To address this challenge, AhnLab has developed a threat actor naming taxonomy designed to complement existing industry classification methods and enable more systematic management of diverse threat actor types.
AhnLab classifies threat actors into Larva and Arthropod based on their identification stage.
This concept is inspired by the transformation process in which larvae that initially appear similar evolve into distinct arthropods over time — intuitively representing how the true identity of threat actors is gradually revealed as analysis progresses.
Larva: Unidentified Threat Actor
Larva refers to an unidentified threat actor in the early stage, where attribution information has not yet been confirmed. All threat actors are initially classified and managed as Larva until additional attribution details are identified.
Unidentified threat actors are assigned an ID in the format "Larva-YY###", where "YY" indicates the year of detection and "###" indicates the order of detection within that year. For example, "Larva-26001" refers to the first unidentified threat actor confirmed in 2026.
Larva is a fixed designation assigned at or above the Incident level within the cyber threat management framework. Once sufficient attribution is obtained through further analysis, the Larva is linked to an Arthropod, representing an identified threat actor.
The linkage to an Arthropod is not fixed and may be updated (added, modified, or removed) as new information becomes available. For instance, if a threat actor initially attributed to North Korea is later identified as originating from China, the associated Arthropod can be changed from Ant to Cricket.

Arthropod: Identified Threat Actor
Once sufficient attribution information is obtained for a Larva, it is linked to a corresponding Arthropod based on its association with a specific country or organization.
Arthropods are broadly categorized into State-Sponsored Threat Actors and Non-State Threat Actors.
State-Sponsored Threat Actors
State-sponsored threat actors are classified using unique Arthropod names assigned to each country.
If a threat actor exhibits APT characteristics but its sponsoring country is not clearly identified, it is classified as Mantis.
State-sponsored threat actors do not exist as a single group, but rather as multiple distinct groups within a nation. To identify and differentiate these groups, AhnLab uses the following naming structure:
TA + Modifier + Arthropod
This approach preserves country-level representation while enabling clear distinction between threat actors operating within the same nation.
Examples:
- TA-GiantAnt - A North Korean-sponsored attack group known as Lazarus
- TA-RedAnt - A North Korean-sponsored attack group known as RedEyes
- TA-ShadowCricket - A Chinese-sponsored attack group known as ShadowForce
Non-State Threat Actors
Cybercriminals, ransomware groups, and hacktivists may have ties to specific nations, but for classification purposes, activity type takes precedence over national affiliation. Non-state threat actors are categorized and managed according to their primary objective and attack characteristics.
The naming of non-state threat actors follows the structure below.
TA + Arthropod + YY + ###
Example: TA-Beetle-25001

Three-Stage Cyber Threat Management Framework
AhnLab's three-stage cyber threat management framework defines the levels of cyber threat activity as: Incident (individual attack case) → Operation (coordinated attack activity) → Campaign (long-term, organized attack activity). The framework provides a structured approach to managing threat elements at each stage, from individual attacks to long-term campaigns.

Stage 1: Incident
An incident refers to an individual attack with an identified victim or affected organization. In our framework, each incident is assigned a title in the format "INC-YYMMDD-###", which stands for "INC (Incident)-YYMMDD (Year/Month/Day)-### (Order)". The focus is on analyzing the characteristics of the event, the extent of the damage, and the techniques leveraged by a threat actor. As a result, organizations can accurately identify the cyber attack case and set the foundation for investigating the operation at a higher level.
Stage 2: Operation
An operation is composed of multiple incidents. The priority in this stage is to comprehensively analyze the characteristics, targets, and techniques to identify connections between multiple incidents. It is also important to understand the patterns and intentions of malicious activities. Each operation is named in the format "OP-YYMMDD-###", which follows the same structure as the Incident naming convention.
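The identifier formats described above (Larva-YY###, TA + Modifier + Arthropod, TA + Arthropod + YY + ###, and the INC/OP titles) can be validated mechanically when reports are ingested into a tracking system. The following Python is an added example, not AhnLab's code; `parse_identifier`, `PATTERNS` and `KNOWN_SPONSORS` are hypothetical names, and it assumes two-digit years fall in the 2000s and that the Arthropod is the last capitalized word of a state-sponsored name.

```python
import re
from datetime import datetime

# Arthropod-to-sponsor pairs stated on the page; any other Arthropod name is
# accepted but left unmapped (None) because the page does not define it.
KNOWN_SPONSORS = {"Ant": "North Korea", "Cricket": "China", "Mantis": "unidentified"}

# Hypothetical patterns derived from the formats given in the text.
PATTERNS = [
    ("larva", re.compile(r"Larva-(?P<yy>\d{2})(?P<seq>\d{3})")),
    ("non_state_actor",
     re.compile(r"TA-(?P<arthropod>[A-Z][a-z]+)-(?P<yy>\d{2})(?P<seq>\d{3})")),
    # Assumption: the last capitalized word is the Arthropod, the rest the Modifier.
    ("state_actor",
     re.compile(r"TA-(?P<modifier>(?:[A-Z][a-z]+)+?)(?P<arthropod>[A-Z][a-z]+)")),
    ("incident", re.compile(r"INC-(?P<date>\d{6})-(?P<seq>\d{3})")),
    ("operation", re.compile(r"OP-(?P<date>\d{6})-(?P<seq>\d{3})")),
]

def parse_identifier(text):
    """Return a dict describing the identifier, or raise ValueError."""
    for kind, pattern in PATTERNS:
        m = pattern.fullmatch(text.strip())
        if not m:
            continue
        out = {"kind": kind, **m.groupdict()}
        if "seq" in out:
            out["seq"] = int(out["seq"])
            if out["seq"] == 0:  # the page's first ID of a year ends in 001
                raise ValueError(f"sequence starts at 001: {text!r}")
        if "yy" in out:
            out["year"] = 2000 + int(out.pop("yy"))  # assumption: 21st century
        if "date" in out:
            # strptime rejects impossible calendar dates such as 250230
            out["date"] = datetime.strptime(out["date"], "%y%m%d").date().isoformat()
        if kind == "state_actor":
            out["sponsor"] = KNOWN_SPONSORS.get(out["arthropod"])
        return out
    raise ValueError(f"not a recognised identifier: {text!r}")

if __name__ == "__main__":
    # Constructed samples: three from the page, two invented INC/OP titles.
    for sample in ["Larva-26001", "TA-GiantAnt", "TA-Beetle-25001",
                   "INC-250312-004", "OP-250230-001"]:
        try:
            print(sample, "->", parse_identifier(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

Because the Larva-to-Arthropod linkage can change, store the parsed Larva ID as the stable key and treat the TA name as a mutable attribute.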
When analyzing an operation, we consider the following key elements:
- Goal: The attacker's ultimate objective
- Target: Attack targets including organizations, industries, and regions
- Malware: Types and characteristics of malware used
- Tool: Software and programs used in the attack
- Vulnerability: Exploited vulnerabilities
- Technique: Leveraged tactics, techniques and procedures
- Infrastructure: Infrastructure (C2, proxy, etc.) used in the attack
By analyzing these factors, we can identify the unique characteristics and patterns of each operation and more accurately track the activities of threat actors. In this stage, it is important to understand that multiple threat actors can be involved in a single operation. Our framework considers that multiple threat actors can collaborate to perform cyber attacks, which is why a Larva can be linked to multiple Arthropods. In real-world scenarios, it is common for individuals, hired hackers, or cyber threat groups to collaborate toward a common goal.
Stage 3: Campaign
A campaign is a long-term, organized cyber attack activity that lasts from several months to more than a year. It consists of two or more operations and utilizes various techniques over a long period to achieve long-term goals. We define campaigns after conducting relentless analysis and investigations.
Campaign analysis focuses on uncovering malicious activities composed of multiple operations that pursue long-term goals, rather than a short-term individual cyber attack. The objective at this stage is to understand the attacker's ultimate strategies and goals. Therefore, we investigate cases where multiple threat actors have cooperated or acted independently over a long period of time.
For more details of our new threat actor taxonomy and cyber threat activity framework, please read the PDF at the top of the webpage.