Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Actor Models (ICTAM-011 → ICTAM-020)
A technical reference for cybersecurity professionals tracking identity-layer attack patterns from criminal groups, ransomware operators, and RaaS affiliates.
These threat actors specialize in credential theft, MFA bypass, token replay, OAuth abuse, and exploitation of cloud and hybrid IAM misconfigurations. Their operations are characterized by high-volume, opportunistic, and financially motivated identity compromise campaigns.
Threat Actor Taxonomy Overview
  • 10 actor groups: documented identity-focused threat actors in this taxonomy range (ICTAM-011 to ICTAM-020)
  • 8 primary TTPs: core identity compromise techniques employed across the groups
  • 95% financial motive: share of these actors driven by ransomware or data-theft monetization

This taxonomy focuses exclusively on actors whose primary attack vector involves identity infrastructure compromise. These groups represent the evolution from traditional malware-centric operations to identity-first attack chains that exploit weaknesses in authentication, authorization, and privilege management systems.
ICTAM-011: Scattered Spider / Oktapus
Primary Attack Vector
Scattered Spider runs large-scale MFA fatigue campaigns paired with social engineering aimed at identity helpdesks: the group spams push notifications until a worn-down user approves one, and impersonates employees to have helpdesk staff reset passwords or re-enroll MFA devices. It also executes SIM swap attacks to intercept SMS one-time codes and complete account takeover.
Operationally the group focuses on bypassing SSO by stealing session cookies and replaying them; a replayed post-MFA session is accepted without a new MFA challenge. SMS-based MFA and phone-number porting weaknesses are consistently exploited for initial access.
Key Identity TTPs
  • MFA fatigue and push spam
  • SIM swap interception
  • Helpdesk social engineering
  • Session cookie theft
  • Token replay attacks
  • SSO bypass techniques

The group achieves lateral movement by compromising privileged identities through social engineering rather than by deploying traditional malware, so endpoint-centric detection has little to see; the useful signals sit in IdP, helpdesk and telecom events.
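The push-spam pattern described above is visible in IdP MFA logs as a burst of denied or ignored prompts for one user, and the dangerous case is an approval arriving right after that burst. The following is an added example written for this page, not code from the original page or from any IdP vendor; the log format (timestamp, user, push result, source IP) is a constructed, simplified one, and the ten-minute window and four-prompt threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP push-MFA events (not real telemetry).
# Per line: <ISO-8601 timestamp> <user> <push result> <source IP>
# "denied"/"timeout" = prompt rejected or ignored; "approved" = user accepted it.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice denied 203.0.113.7
2024-05-01T02:10:41Z alice denied 203.0.113.7
2024-05-01T02:11:20Z alice timeout 203.0.113.7
2024-05-01T02:12:02Z alice denied 203.0.113.7
2024-05-01T02:12:55Z alice timeout 203.0.113.7
2024-05-01T02:14:30Z alice approved 203.0.113.7
2024-05-01T09:00:00Z bob denied 198.51.100.4
2024-05-01T09:30:00Z bob approved 198.51.100.4
2024-05-01T11:00:00Z carol timeout 192.0.2.9
2024-05-01T11:02:00Z carol timeout 192.0.2.9
2024-05-01T11:03:00Z carol denied 192.0.2.9
2024-05-01T11:04:00Z carol denied 192.0.2.9
"""

REJECTED = {"denied", "timeout"}


def parse_log(text):
    """Parse the constructed log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "result": result,
            "ip": ip,
        })
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejected=4):
    """Flag users who rejected or ignored >= min_rejected pushes inside `window`.

    An approval within `window` after the densest burst is the high-severity
    case: a push was accepted after the user had been worn down.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        rejected = [e for e in evs if e["result"] in REJECTED]
        best_count, best_end, start = 0, None, 0
        for end, e in enumerate(rejected):  # sliding window over rejected prompts
            while e["ts"] - rejected[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_end = count, end
        if best_count < min_rejected:
            continue
        burst_end = rejected[best_end]["ts"]
        approval = next(
            (e for e in evs
             if e["result"] == "approved" and burst_end <= e["ts"] <= burst_end + window),
            None,
        )
        alerts.append({
            "user": user,
            "rejected_prompts": best_count,
            "burst_end": burst_end,
            "approved_after": approval is not None,
            "approval_ip": approval["ip"] if approval else None,
            "severity": "high" if approval else "medium",
        })
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

A medium alert (burst with no approval) is worth a user callback on its own; a high alert should trigger session revocation for that user, because the approval almost certainly belongs to the attacker's sign-in rather than the victim's.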
ICTAM-012: LAPSUS$
Social Engineering Focus
Relies mainly on social engineering to obtain high-privilege accounts, targeting Okta and Microsoft administrators and openly recruiting and bribing insiders for access.
Identity Provider Takeover
Complete identity provider compromise through helpdesk and third-party support exploitation. Steals session and refresh tokens from compromised devices for sustained access.
Supply Chain Impact
Targets CI/CD identity paths for supply-chain compromise, then performs rapid privilege escalation and token replay to build long-lived persistence.
LAPSUS$ demonstrated that weak helpdesk verification flows are a critical vulnerability in enterprise identity architectures. Their operations showed the need for identity verification procedures that go beyond the knowledge-based checks of standard password reset workflows.
ICTAM-013 & ICTAM-014: Ransomware Identity Chains
BlackCat / ALPHV
BlackCat compromises privileged identities first so that ransomware can be staged and deployed through legitimate administrative access rather than through a conventional malware delivery chain. The group steals privileged credentials from on-premises Active Directory and cloud identity systems in the same intrusion.
It exploits MFA gaps and Conditional Access misconfigurations, and enumerates directory roles and privileged groups during reconnaissance. OAuth consent grants and application registrations are abused to obtain covert administrative access and persistence that survives user password resets.
Identity Persistence
  • Long-lived machine identities
  • OAuth app abuse
  • Directory role enumeration
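A practical check for the OAuth and app-registration persistence described above is to audit application registrations for high-privilege app-only permissions, unverified publishers and freshly added or very long-lived credentials. This is an added example, not code from the original page or from Microsoft; the inventory is constructed and its field names are a simplified stand-in for what an export of Microsoft Graph application and servicePrincipal objects provides. The permission names are real Graph application permissions, but which of them count as high-risk, and the 30-day and 365-day thresholds, are editorial assumptions.

```python
from datetime import date

# App-only Microsoft Graph permissions that grant tenant-wide write access.
# Which permissions count as high-risk is an editorial choice for this example.
HIGH_RISK_APP_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
}

# Constructed inventory (not real tenant data). Field names are a simplified
# stand-in for the Graph application/servicePrincipal objects an export would give.
SAMPLE_APPS = [
    {
        "name": "HR Sync",
        "publisher_verified": True,
        "app_permissions": ["User.Read.All"],
        "credentials": [
            {"type": "certificate", "created": date(2023, 1, 10), "expires": date(2025, 1, 10)},
        ],
    },
    {
        "name": "Backup Helper",
        "publisher_verified": False,
        "app_permissions": ["Directory.ReadWrite.All", "Mail.ReadWrite"],
        "credentials": [
            {"type": "password", "created": date(2024, 4, 28), "expires": date(2099, 12, 31)},
        ],
    },
    {
        "name": "Reporting",
        "publisher_verified": True,
        "app_permissions": ["Reports.Read.All"],
        "credentials": [],
    },
]

# Fixed "today" so the example is deterministic (assumption for the sample data).
AUDIT_DATE = date(2024, 5, 1)


def audit_app(app, today, recent_days=30, max_lifetime_days=365):
    """Return the list of findings for one app registration (empty = nothing notable)."""
    findings = []
    risky = sorted(set(app["app_permissions"]) & HIGH_RISK_APP_PERMISSIONS)
    if risky:
        findings.append("high-privilege application permissions: " + ", ".join(risky))
    if risky and not app["publisher_verified"]:
        findings.append("unverified publisher holding high-privilege permissions")
    for cred in app["credentials"]:
        age = (today - cred["created"]).days
        lifetime = (cred["expires"] - cred["created"]).days
        if age <= recent_days:
            # A credential added days ago on an old app is the classic persistence step.
            findings.append(f"{cred['type']} credential added {age} days ago")
        if lifetime > max_lifetime_days:
            findings.append(f"{cred['type']} credential lifetime {lifetime} days exceeds {max_lifetime_days}")
        if cred["type"] == "password" and risky:
            findings.append("client secret (not a certificate) on a high-privilege app")
    return findings


def audit_tenant(apps, today):
    """Map app name -> findings, for apps that have at least one finding."""
    report = {}
    for app in apps:
        findings = audit_app(app, today)
        if findings:
            report[app["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_APPS, AUDIT_DATE).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The most useful signal in practice is the combination: an app that already holds directory-write permissions and that just received a new client secret is exactly the object an attacker creates or hijacks for persistence, and it keeps working after every user password is rotated.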
LockBit
LockBit runs large-scale credential harvesting before ransomware deployment. The group moves laterally using privileged accounts and exploits gaps in identity audit logging to hide its movement.
Initial access is gained through password spraying and brute-force attacks. Replaying stolen tokens bypasses MFA, since the token represents an authentication that has already completed. Machine and service accounts provide silent escalation paths throughout the kill chain.
Attack Methodology
  • Password spraying campaigns
  • Token replay for MFA bypass
  • Service account exploitation
ICTAM-015 & ICTAM-016: Data Exfiltration Specialists
Hive Ransomware
Conducts identity-focused intrusion before ransomware delivery. Steals admin credentials and cloud secrets, and signs in over legacy authentication protocols that cannot enforce MFA in order to sidestep it.
Uses app tokens and machine identities for persistence, moving quickly to compromise identity infrastructure before starting encryption.
Clop
Specializes in large-scale data theft through identity compromise. Exploits zero-day vulnerabilities in internet-facing enterprise applications to harvest credentials and identity tokens, then performs credential-based lateral movement across hybrid systems.
Replayed tokens bypass MFA. OAuth and application impersonation using legitimate service principal credentials lets the exfiltration traffic look like an approved integration.
Both groups demonstrate sophisticated understanding of cloud identity architectures, specifically targeting the identity layer to minimize detection footprint while maximizing data access.
ICTAM-017: FIN7 Financial Operations
Credential Harvesting
FIN7 specializes in credential harvesting for financial theft operations targeting payment systems and point-of-sale infrastructure.
  1. Initial compromise: social engineering campaigns to compromise privileged identities within financial processing environments
  2. Token theft: session token harvesting for cloud account takeover, targeting payment system administrators
  3. Lateral movement: harvested cloud identity tokens enable movement across POS systems and financial infrastructure
  4. Monetization: identity abuse within payment processing chains for direct financial theft
The group's targeting of payment system identities is a specialized threat that calls for enhanced monitoring of financial processing service accounts and of elevated privileges within payment gateway infrastructure.
ICTAM-018: Conti Legacy Operations
Credential Harvesting
Intensive credential harvesting operations across enterprise environments with systematic enumeration of privileged accounts and administrative access paths.
Privilege Escalation
Rapid privilege escalation using identity-based techniques. Exploits weak MFA implementations and bypassable Conditional Access configurations.
Token Replay
Token replay attacks for cloud service access. Aggressive targeting of privileged access paths throughout hybrid identity infrastructure.

Despite the group's dissolution, Conti's identity-focused operational playbook continues to influence ransomware operations across multiple successor groups. Their techniques established methodologies now widely adopted across the ransomware ecosystem for identity layer compromise.
ICTAM-019: DarkSide / BlackMatter
Operational Profile
DarkSide and its successor BlackMatter conducted targeted identity compromise operations specifically designed to support ransomware deployment campaigns.
The group demonstrated sophisticated understanding of hybrid identity environments, exploiting both on-premises Active Directory and cloud identity services within the same attack chains.
  1. Initial access: stolen administrator credentials used to disable security controls and monitoring systems
  2. Reconnaissance: identity reconnaissance before encryption to map privilege relationships
  3. Persistence: cloud tokens and machine identities exploited for persistence across hybrid environments
  4. Lateral movement: identity-based lateral movement between on-premises and cloud resources
ICTAM-020: Vice Society
  1. Credential attacks: heavy reliance on stolen credentials and identity abuse; systematic brute-force and password spray attacks against internet-facing authentication endpoints
  2. Admin path exploitation: exploits unprotected identity administrator paths within cloud environments, targeting weakly secured administrative portals and privileged access management systems
  3. Session hijacking: stolen session cookies enable fast privilege escalation without triggering MFA challenges; cookie theft focuses on high-privilege administrator sessions
  4. Machine identity persistence: persistence through compromised service accounts and automated system identities, which provide long-term access without user interaction
Vice Society's operations demonstrate the continuing effectiveness of basic credential attacks against organizations with insufficient identity security controls. Their success highlights the critical need for comprehensive identity protection strategies.
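Brute force and password spraying recur in the LockBit and Vice Society profiles, and the two look different in authentication logs: spraying shows as many accounts failing once or twice each from one source, brute force as one account failing many times. The following added example (not code from the original page) separates the two over a constructed authentication log and attaches any successful login from a flagged source, which is the event that matters most. The log format and all thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real telemetry).
# Per line: <ISO-8601 timestamp> <source IP> <user> <FAIL|SUCCESS>
SAMPLE_AUTH_LOG = """\
2024-05-01T03:00:01Z 203.0.113.50 alice FAIL
2024-05-01T03:00:03Z 203.0.113.50 bob FAIL
2024-05-01T03:00:05Z 203.0.113.50 carol FAIL
2024-05-01T03:00:07Z 203.0.113.50 dave FAIL
2024-05-01T03:00:09Z 203.0.113.50 erin FAIL
2024-05-01T03:00:11Z 203.0.113.50 frank FAIL
2024-05-01T03:00:13Z 203.0.113.50 grace FAIL
2024-05-01T03:00:15Z 203.0.113.50 heidi FAIL
2024-05-01T03:00:17Z 203.0.113.50 ivan FAIL
2024-05-01T03:00:19Z 203.0.113.50 judy FAIL
2024-05-01T03:14:40Z 203.0.113.50 judy SUCCESS
2024-05-01T08:00:00Z 198.51.100.8 dave FAIL
2024-05-01T08:00:10Z 198.51.100.8 dave FAIL
2024-05-01T08:00:20Z 198.51.100.8 dave FAIL
2024-05-01T08:00:30Z 198.51.100.8 dave FAIL
2024-05-01T08:00:40Z 198.51.100.8 dave FAIL
2024-05-01T08:00:50Z 198.51.100.8 dave FAIL
2024-05-01T09:00:00Z 192.0.2.77 erin FAIL
2024-05-01T09:00:30Z 192.0.2.77 erin SUCCESS
"""


def parse_auth_log(text):
    """Parse the constructed log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "result": result,
        })
    return events


def detect_credential_attacks(events, window=timedelta(minutes=15),
                              min_users=8, per_user_max=3, brute_min=5):
    """Classify per-source-IP failure patterns.

    password_spray: >= min_users distinct accounts failing inside `window`,
                    each at most per_user_max times (wide and shallow).
    brute_force:    one account failing >= brute_min times from the same IP.
    Successful logins from a flagged IP are attached to the finding.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        successes = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"})

        # Password spray: sliding window, keep the window with the most distinct users.
        best, start = None, 0
        for end, e in enumerate(fails):
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= per_user_max:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "kind": "password_spray",
                        "ip": ip,
                        "distinct_users": len(per_user),
                        "window_start": fails[start]["ts"],
                        "successful_logins": successes,
                    }
        if best:
            findings.append(best)

        # Brute force: many failures against a single account from this IP.
        for user, n in Counter(f["user"] for f in fails).items():
            if n >= brute_min:
                findings.append({
                    "kind": "brute_force",
                    "ip": ip,
                    "user": user,
                    "failures": n,
                    "successful_logins": successes,
                })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_attacks(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(finding)
```

Per-account lockout thresholds never fire on the spray source above, which is the point of the technique; the detection has to key on the source and on breadth of accounts, and a success from that source after the failures is the account to reset first.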
Identity Defense Considerations
Authentication Hardening
  • Phishing-resistant MFA deployment
  • Conditional Access policy enforcement
  • Session token lifetime reduction
  • Helpdesk verification procedures
Monitoring & Detection
  • Identity behavior analytics
  • Privileged access monitoring
  • Token replay detection
  • Lateral movement tracking
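Token replay appears in several profiles above (LockBit, Clop, Conti, and the session-cookie theft in the Vice Society profile) and in the "Token replay detection" item just listed. A replayed cookie or token is, by construction, valid, so the detection has to come from where and how it is presented rather than from the credential itself. The added example below is not from the original page; it treats a session identifier as a stand-in for the hash of the presented cookie or token and flags a session that is reused from a different ASN, or with a different user agent, than the one it was first seen with. The record layout, the ASN values and the one-hour "fast window" are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed session-usage records (not real telemetry). Each tuple:
# (timestamp, session_id, user, source IP, ASN, user agent). The session_id
# stands in for the hash of the cookie or token presented on the request.
SAMPLE_SESSION_LOG = [
    ("2024-05-01T08:00:00Z", "s-1a2b", "alice", "192.0.2.10", "AS64500", "Chrome/124 Windows"),
    ("2024-05-01T08:05:00Z", "s-1a2b", "alice", "192.0.2.10", "AS64500", "Chrome/124 Windows"),
    ("2024-05-01T08:07:00Z", "s-1a2b", "alice", "203.0.113.88", "AS64511", "python-requests/2.31"),
    ("2024-05-01T09:00:00Z", "s-9f8e", "bob", "198.51.100.20", "AS64496", "Firefox/125 macOS"),
    ("2024-05-01T09:30:00Z", "s-9f8e", "bob", "198.51.100.21", "AS64496", "Firefox/125 macOS"),
    ("2024-05-01T10:00:00Z", "s-77cc", "carol", "192.0.2.30", "AS64500", "Safari/17 iOS"),
    ("2024-05-01T18:00:00Z", "s-77cc", "carol", "198.51.100.5", "AS64496", "Safari/17 iOS"),
]


def parse_session_log(rows):
    """Turn the constructed tuples above into dicts with parsed timestamps."""
    keys = ("ts", "session_id", "user", "ip", "asn", "user_agent")
    records = []
    for row in rows:
        rec = dict(zip(keys, row))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect_token_replay(records, fast_window=timedelta(hours=1)):
    """Flag sessions presented from a different network or client than first seen.

    Baseline = first observed use of the session. A later use from another ASN
    or with another user agent is suspicious; both at once, or a change arriving
    within `fast_window` of the previous use (no time to travel), is high severity.
    An IP change inside the same ASN (mobile/NAT churn) is deliberately ignored.
    """
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_session[r["session_id"]].append(r)

    alerts = []
    for sid, uses in by_session.items():
        first, prev = uses[0], uses[0]
        for use in uses[1:]:
            reasons = []
            if use["asn"] != first["asn"]:
                reasons.append("asn_change")
            if use["user_agent"] != first["user_agent"]:
                reasons.append("user_agent_change")
            if reasons and use["ts"] - prev["ts"] <= fast_window:
                reasons.append("within_fast_window")
            prev = use
            if not reasons:
                continue
            alerts.append({
                "session_id": sid,
                "user": use["user"],
                "ts": use["ts"],
                "origin_ip": first["ip"],
                "replay_ip": use["ip"],
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in detect_token_replay(parse_session_log(SAMPLE_SESSION_LOG)):
        print(alert)
```

The medium case (carol: same client, new network hours later) is the one that needs context such as travel or VPN usage before acting; the high case (alice: new ASN and a scripting user agent two minutes after the last browser request) is the profile of a stolen cookie being driven by tooling, and the session should be revoked rather than investigated first.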
Architecture Controls
  • Zero trust identity models
  • Privileged access management
  • Machine identity governance
  • OAuth security hardening

Effective defense against these actor groups requires comprehensive identity security programs addressing authentication, authorization, and privileged access across hybrid environments. Traditional perimeter security offers minimal protection against identity-first attack chains.
Incident response teams should prioritize identity compromise indicators during investigations involving these actor groups, as their attack chains often bypass traditional endpoint detection mechanisms through abuse of legitimate identity infrastructure.