Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Actor Models (ICTAM-021 → ICTAM-040)
Non-State Identity Threat Landscape
This comprehensive reference catalogs twenty advanced threat actor models specializing in cloud identity exploitation. Unlike traditional ransomware operators or nation-state groups, these actors focus exclusively on identity takeover through session hijacking, OAuth manipulation, federation abuse, and cross-cloud pivoting techniques.
These models represent distinct operational patterns observed across cloud environments including AWS, Azure, and GCP. Each actor type employs sophisticated methods to compromise identity infrastructure while avoiding traditional malware detection. Understanding these threat profiles is essential for defending modern cloud identity systems against credential theft, privilege escalation, and persistent access mechanisms.
20 Distinct Actor Models: comprehensive threat profiles
7 Attack Vectors: identity-focused techniques
3 Cloud Platforms: multi-cloud targeting scope
Threat Categories Overview
Identity-focused threat actors operate across six primary categories, each representing distinct operational methodologies and technical capabilities. These categories encompass insider threats, cloud-native exploitation, supply chain compromise, automated harvesting operations, credential marketplaces, and advanced manipulation techniques.
Cloud-Native Exploitation
Actors leveraging OAuth abuse, session hijacking, federation manipulation, and conditional access bypass to gain persistent cloud access without traditional malware deployment.
Supply Chain Operators
Groups targeting MSPs, SaaS providers, and vendor identity systems to pivot across multiple customer tenants using SCIM injection and cross-tenant identity propagation.
Automated Harvesters
Botnet-driven operations conducting distributed password spraying, massive credential validation, and stealer malware campaigns that flood identity providers with stolen material.
Criminal Marketplaces
Underground economies selling stolen tokens, session cookies, OAuth apps, and brokered cloud administrator access enabling downstream identity takeover campaigns.
ICTAM-021: Cloud Identity Drifter
Stealth Reconnaissance Specialist
The Cloud Identity Drifter conducts low-noise exploration of cloud identity surfaces through legitimate user tokens, exploiting misconfigurations in conditional access policies to drift laterally across environments. This actor avoids malware entirely, relying exclusively on stolen identity material and long-lived refresh tokens for persistence.
Operating at extremely slow cadences to evade behavioral detection systems, the Drifter performs methodical probing of cloud identity APIs while appearing as normal user activity. Their patient approach exploits gaps in session timeout policies and conditional access blind spots.
Primary Techniques
  • Conditional access exploitation
  • Refresh token abuse
  • Malware-free persistence
  • Low-velocity lateral movement
ICTAM-022 & ICTAM-023: Session and OAuth Abuse
Session Hijacker Collective
Specializes in large-scale cookie and session token theft targeting browsers and synchronized authentication stores. This collective replays stolen session tokens across cloud services to achieve silent lateral movement through administrative panels, completely bypassing MFA protections by exploiting device-based authentication assumptions.
  • Browser-based token extraction
  • Session replay across platforms
  • MFA bypass via session persistence
  • Silent admin panel navigation
OAuth Abuse Syndicate
Exploits OAuth consent frameworks and delegated permission models by creating malicious OAuth applications that persist without passwords. The syndicate performs mass consent harvesting campaigns across employee populations, escalating privileges through scope manipulation while stealing refresh tokens for sustained access.
  • Malicious OAuth app deployment
  • Consent phishing at scale
  • Permission scope escalation
  • Password-less persistence mechanisms
ICTAM-024: Federation Manipulation Cartel
Trust Boundary Exploitation
Targets federation metadata and trust configurations between identity providers
SAML Assertion Tampering
Manipulates token-signing keys and reply URLs for stealthy authentication bypass
Golden SAML Persistence
Achieves long-term access through federation configuration modifications
Federated Admin Hijacking
Impersonates privileged identities across hybrid and federated deployments
The Federation Manipulation Cartel represents one of the most sophisticated identity threat actors, specifically targeting organizations with hybrid or federated identity provider deployments. By exploiting misconfigured federation trust relationships, this cartel achieves persistent access equivalent to Golden SAML attacks while remaining undetected within normal authentication flows.
ICTAM-025 & ICTAM-026: Supply Chain and Insider Threats
Supply Chain Identity Compromise
Targets managed service providers and SaaS vendors to gain access to downstream customer tenants. This actor exploits administrative privileges within service provider environments to perform SCIM-based identity injection and cross-tenant token theft.
01 MSP Infiltration: compromise service provider identity systems
02 Cross-Tenant Pivoting: leverage stolen tokens across multiple customers
03 SSO Impersonation: abuse provider SSO for silent access
Insider Threat (Identity-Focused)
Malicious insiders abuse legitimate privileged access and internal knowledge of identity processes to bypass security controls. They leverage valid role assignments and machine identities for unmonitored operations while weakening or disabling MFA protections.
Privilege Abuse
Exploits authorized access permissions
Process Knowledge
Uses insider understanding of controls
Machine Identity Leverage
Operates through unmonitored service accounts
ICTAM-027 to ICTAM-030: Operational Threat Groups
ICTAM-027: BEC Operator
Business Email Compromise specialists hijacking user email identities through stolen credentials and OAuth token abuse. They maintain persistent mailbox access via malicious OAuth applications while exploiting conditional access blind spots for financial fraud operations and identity impersonation campaigns.
ICTAM-028: DarkWeb Stealer Markets
Automated identity theft ecosystems harvesting tokens, cookies, and credentials at massive scale through stealer malware distribution. These underground marketplaces sell account access material enabling secondary actors to perform widespread identity takeover operations across multiple geographies.
ICTAM-029: Botnet Credential Harvester
Distributed password spraying operations leveraging millions of infected hosts for credential validation. Global botnet IP diversity bypasses rate limiting and throttling protections while introducing large-scale authentication noise that obscures targeted attacks and harvests MFA fatigue data.
ICTAM-030: MFA Bypass Collective
Dedicated to circumventing multi-factor authentication through fatigue attacks, SIM swaps, device seizure, and legacy fallback exploitation. This collective steals session tokens to avoid MFA entirely while manipulating OAuth consent flows and targeting helpdesk reset operations.
ICTAM-031 & ICTAM-032: Identity Infrastructure Targeting
Hybrid and Machine Identity Exploitation
Hybrid Identity Pivot Group
Moves between on-premises Active Directory and cloud identities by exploiting hybrid synchronization misconfigurations. This group steals credentials from domain-joined machines and uses SPN and service account tokens for persistence while specifically targeting Azure AD Connect infrastructure.
Machine Identity Theft Group
Specializes in stealing machine identity credentials, API keys, and workload identity tokens for persistent cloud access. They perform lateral movement through automation paths while exploiting weak secrets in CI/CD pipelines and replaying long-lived certificates to bypass MFA using non-human identities.
These sophisticated actors understand that hybrid environments and machine identities represent critical security gaps in modern cloud architectures. By targeting the trust relationships between on-premises and cloud systems, or exploiting the often under-monitored machine identity lifecycle, they achieve persistent access that evades human-focused security controls.
ICTAM-033 to ICTAM-035: Criminal Service Providers
Token Replay-as-a-Service
ICTAM-033 monetizes stolen cloud session cookies and admin refresh tokens by providing replay services to other criminal groups. This actor facilitates identity compromise without passwords across multiple continents and offers cross-tenant pivot capabilities.
Cloud Privilege Escalation Collective
ICTAM-034 specializes in escalating privileges within cloud IAM systems through app role manipulation, service principal permission abuse, and conditional access gaps. They grant admin consent on malicious OAuth apps to gain Directory.ReadWrite.All equivalent privileges.
SaaS Identity Manipulator
ICTAM-035 abuses SaaS identity integrations for persistence by exploiting SCIM mappings to elevate privileges. They hijack identity trust paths between SaaS platforms and move laterally by stealing platform-issued tokens through OAuth app impersonation.

These actors represent the professionalization of identity compromise, offering specialized services that lower the technical barrier for downstream attackers. Their operations enable less sophisticated threat groups to conduct advanced identity attacks by purchasing access to compromised systems and pre-escalated privileges.
ICTAM-036 & ICTAM-037: Multi-Cloud and Credential Commerce
Cross-Cloud Identity Pivot Actor
ICTAM-036 represents the most sophisticated multi-cloud threat actor, capable of moving seamlessly between AWS, Azure, and Google Cloud Platform using stolen identity tokens. This actor exploits federated identity links across cloud boundaries and leverages machine identities to jump between platforms.
By abusing misconfigured cross-cloud trust relationships, they replay tokens across platform boundaries and maintain persistent access in heterogeneous cloud environments. Their operations demonstrate deep understanding of identity federation protocols across major cloud providers.
Multi-Platform Token Replay
Federation Link Exploitation
Machine Identity Pivoting
Credential Theft-as-a-Service
ICTAM-037 operates automated credential harvesting operations from malware campaigns, selling stolen identity material to enable rapid takeover campaigns. They distribute credential dumps that power large-scale identity compromise operations.
ICTAM-038 to ICTAM-040: Advanced Criminal Infrastructure
ICTAM-038: Cloud Access Broker
Criminal brokers selling compromised cloud administrator accounts, long-lived refresh tokens, and OAuth applications with privileged scopes. They provide persistent cloud identity footholds as a service, enabling downstream attacks by multiple threat groups simultaneously.
ICTAM-039: Supply-Chain Token Repurposer
Specializes in repurposing machine identity material from MSP breaches and compromised vendor tokens for cross-tenant and cross-organizational pivoting. This actor understands supply chain trust relationships and exploits them to achieve multi-customer compromise from single vendor breaches.
ICTAM-040: Identity Infrastructure Saboteur
The most destructive actor model, attempting direct disruption of identity systems through federation setting modifications, token signing key tampering, and conditional access policy destruction. Uses administrative identities to break authentication flows and disable MFA enforcement organization-wide.

Critical Warning: ICTAM-040 represents the evolution from theft to destruction. Organizations must implement resilient identity infrastructure with change monitoring, administrative approval workflows, and emergency recovery procedures to defend against sabotage attempts.
Threat Intelligence Summary
Key Patterns Across Actor Models
Analysis of ICTAM-021 through ICTAM-040 reveals consistent operational patterns that define modern identity-focused threat actors. These groups universally prefer identity material over malware, exploit legitimate authentication mechanisms, and target the gaps between identity platforms rather than individual systems.
95% avoid traditional malware: rely on stolen identity material instead
78% target OAuth frameworks: exploit consent and delegation models
82% bypass MFA systems: use session tokens and fatigue attacks
67% conduct cross-platform operations: move between cloud providers and SaaS

Emerging Techniques
  • SCIM manipulation for privilege escalation
  • Machine identity token replay across clouds
  • Federation metadata tampering
  • Supply chain identity propagation
  • Session token marketplaces
Common Entry Vectors
  • Stolen refresh tokens and session cookies
  • Malicious OAuth application consent
  • Compromised service provider access
  • Weak conditional access policies
  • Hybrid identity sync exploitation
Defense Recommendations
Protecting Against Identity-Centric Threats
Defending against these twenty actor models requires identity-aware security architecture that extends beyond traditional perimeter controls. Organizations must implement continuous authentication verification, token lifetime management, comprehensive conditional access policies, and real-time identity anomaly detection.
Continuous Verification
Implement continuous access evaluation and short-lived token policies. Monitor session activity patterns and enforce reauthentication for sensitive operations even within valid sessions.
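The following is an added example, not part of this reference material: a small Python check that applies the continuous-verification idea to a constructed batch of sign-in and activity events. It binds each session to the network, device and client seen when the session was issued, reports later activity that departs from that binding (the session replay pattern of ICTAM-022 and ICTAM-033), and reports a sensitive operation performed long after the last sign-in even though the session is still valid. The event fields, the operation names and the eight-hour limit are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in / activity records. Field names (session_id, ip,
# device_id, user_agent, op) are assumptions, not a vendor's audit schema.
EVENTS = [
    {"ts": "2026-01-10T08:00:00Z", "user": "alice", "session_id": "S1",
     "ip": "203.0.113.10", "device_id": "D-ALICE", "user_agent": "Edge/121", "op": "signin"},
    {"ts": "2026-01-10T08:30:00Z", "user": "alice", "session_id": "S1",
     "ip": "203.0.113.10", "device_id": "D-ALICE", "user_agent": "Edge/121", "op": "read_mail"},
    # Same session identifier minutes later from another network, with no
    # device binding and a scripted client: the replay symptom to catch.
    {"ts": "2026-01-10T08:41:00Z", "user": "alice", "session_id": "S1",
     "ip": "198.51.100.7", "device_id": "", "user_agent": "python-requests/2.31", "op": "admin_portal"},
    {"ts": "2026-01-10T09:00:00Z", "user": "bob", "session_id": "S2",
     "ip": "192.0.2.20", "device_id": "D-BOB", "user_agent": "Chrome/122", "op": "signin"},
    {"ts": "2026-01-10T15:00:00Z", "user": "bob", "session_id": "S2",
     "ip": "192.0.2.20", "device_id": "D-BOB", "user_agent": "Chrome/122", "op": "read_mail"},
    # Legitimate device, but a sensitive operation 8.5 h after the last sign-in:
    # the session should have required reauthentication first.
    {"ts": "2026-01-10T17:30:00Z", "user": "bob", "session_id": "S2",
     "ip": "192.0.2.20", "device_id": "D-BOB", "user_agent": "Chrome/122", "op": "consent_grant"},
]

# Operations that should demand a fresh sign-in regardless of session validity.
SENSITIVE_OPS = {"admin_portal", "consent_grant", "add_mfa_method"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_session_anomalies(events, max_age=timedelta(hours=8)):
    """Return (session_id, user, reason, ts) tuples.

    A session's binding is the ip/device/user-agent seen at its first event;
    any later event that departs from it is reported, as is a sensitive
    operation performed more than max_age after the last sign-in.
    """
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session_id"]].append(e)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        issued = evs[0]
        last_signin = parse_ts(issued["ts"])
        for e in evs[1:]:
            if e["op"] == "signin":
                last_signin = parse_ts(e["ts"])
                continue
            reasons = []
            if e["ip"] != issued["ip"]:
                reasons.append("ip_changed")
            if e["device_id"] != issued["device_id"]:
                reasons.append("device_changed")
            if e["user_agent"] != issued["user_agent"]:
                reasons.append("user_agent_changed")
            if e["op"] in SENSITIVE_OPS and parse_ts(e["ts"]) - last_signin > max_age:
                reasons.append("stale_session_for_sensitive_op")
            findings.extend((sid, e["user"], r, e["ts"]) for r in reasons)
    return findings


if __name__ == "__main__":
    for finding in find_session_anomalies(EVENTS):
        print(*finding)
```

On the constructed input the check reports three binding changes for session S1 and one stale-session finding for S2; in practice the binding would be enriched with ASN or geolocation so that ordinary mobile address changes do not page the on-call engineer, while a switch to a scripted client on an administrative path still does.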
OAuth Governance
Deploy OAuth app vetting processes, consent auditing, and permission scope monitoring. Regularly review delegated permissions and revoke excessive grants discovered through automated scanning.
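As an added example (not the author's material), the Python below turns the OAuth governance recommendation into a review queue over a constructed consent-grant export: it weights scopes such as Directory.ReadWrite.All (the privilege named for ICTAM-034) and offline_access (what turns a one-off consent into refresh-token persistence, as with ICTAM-023), adds weight for tenant-wide admin consent, unverified publishers, mass user consent and dormant privileged apps, and skips apps already approved through vetting. The record shape, scope weights and thresholds are assumptions.

```python
from dataclasses import dataclass

# Scope weights are an assumption for illustration; higher means more
# damage an app can do or longer it can persist if it is malicious.
HIGH_RISK_SCOPES = {
    "Directory.ReadWrite.All": 50,
    "RoleManagement.ReadWrite.Directory": 50,
    "Application.ReadWrite.All": 40,
    "Mail.ReadWrite": 30,
    "Mail.Send": 20,
    "Files.ReadWrite.All": 20,
    "offline_access": 15,   # refresh tokens: access outlives the session
}


@dataclass
class Grant:
    app_id: str
    app_name: str
    scopes: list
    consent_type: str        # "admin" (tenant-wide) or "user" (per-user)
    publisher_verified: bool
    consenting_users: int    # how many users accepted a user-consent prompt
    days_since_last_use: int


# Constructed grants in the shape of a consent-grant export; values are made up.
GRANTS = [
    Grant("app-001", "HR Sync Connector",
          ["User.Read.All", "Directory.ReadWrite.All"], "admin", True, 0, 3),
    Grant("app-002", "Free PDF Helper",
          ["Mail.ReadWrite", "offline_access", "User.Read"], "user", False, 140, 1),
    Grant("app-003", "Calendar Widget",
          ["Calendars.Read", "User.Read"], "user", True, 12, 30),
    Grant("app-004", "Migration Tool",
          ["Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"], "admin", False, 0, 400),
]

# Apps that went through the vetting process; they are exempt from the queue.
APPROVED_APPS = {"app-001"}


def score_grant(g):
    """Return (score, reasons) for one grant; higher means review sooner."""
    score, reasons = 0, []
    for s in g.scopes:
        weight = HIGH_RISK_SCOPES.get(s, 0)
        if weight:
            score += weight
            reasons.append(f"scope:{s}")
    if g.consent_type == "admin":
        score += 10
        reasons.append("admin_consent")            # tenant-wide effect
    if not g.publisher_verified:
        score += 20
        reasons.append("unverified_publisher")
    if g.consent_type == "user" and g.consenting_users >= 50:
        score += 15
        reasons.append("mass_consent")             # consent-phishing footprint
    if score and g.days_since_last_use > 90:
        score += 10
        reasons.append("dormant_with_privileges")  # revoking it costs nothing
    return score, reasons


def review_grants(grants, approved=APPROVED_APPS, threshold=40):
    """Return [(app_id, app_name, score, reasons)] at or above threshold,
    highest first, excluding apps already approved through vetting."""
    queue = []
    for g in grants:
        if g.app_id in approved:
            continue
        score, reasons = score_grant(g)
        if score >= threshold:
            queue.append((g.app_id, g.app_name, score, reasons))
    return sorted(queue, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for app_id, name, score, reasons in review_grants(GRANTS):
        print(f"{score:4d} {app_id} {name}: {', '.join(reasons)}")
```

The unverified, dormant admin-consented migration tool lands at the top of the queue and the mass-consented mail app second, which is the order in which a reviewer would want to revoke; the approved HR connector carries the same directory-write scope but stays out of the queue because the vetting process, not the scanner, owns that decision.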
Federation Hardening
Secure SAML signing certificates with HSM protection, implement strict reply URL validation, and monitor federation configuration changes. Audit trust relationships quarterly and minimize federation partners.
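For the change-monitoring point, here is an added Python example (not from the original reference) that runs over constructed audit-log lines and alerts on federation setting changes, signing-certificate updates, conditional access policy deletions and MFA disablement, which is the combination attributed to ICTAM-024 and ICTAM-040. A change that carries a change ticket from an approval workflow is downgraded to informational, and an actor making several unapproved changes within the batch gets a burst alert. The operation names, field names, severities and burst threshold are assumptions.

```python
import json
from collections import Counter

# Constructed audit lines, one JSON object per line. Operation strings and
# field names are assumptions loosely modelled on a directory audit export.
AUDIT_LOG = """\
{"ts":"2026-02-01T10:00:00Z","actor":"svc-idp-admin","op":"Set domain federation settings","target":"corp.example","change_ticket":"CHG-1001"}
{"ts":"2026-02-01T10:02:00Z","actor":"jdoe","op":"Update federation signing certificate","target":"corp.example","change_ticket":""}
{"ts":"2026-02-01T10:03:00Z","actor":"jdoe","op":"Delete conditional access policy","target":"Require MFA for admins","change_ticket":""}
{"ts":"2026-02-01T10:04:00Z","actor":"jdoe","op":"Delete conditional access policy","target":"Block legacy authentication","change_ticket":""}
{"ts":"2026-02-01T10:05:00Z","actor":"jdoe","op":"Disable strong authentication","target":"all-users","change_ticket":""}
{"ts":"2026-02-01T11:00:00Z","actor":"alice","op":"Update user","target":"bob","change_ticket":""}
"""

# Identity-control changes worth an alert, with an assumed severity each.
WATCHED_OPS = {
    "Set domain federation settings": "high",
    "Add federation partner": "high",
    "Update federation signing certificate": "critical",
    "Delete conditional access policy": "high",
    "Disable strong authentication": "critical",
}


def parse_audit(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_identity_control_changes(events, burst_threshold=3):
    """Return alert dicts for watched operations, in log order.

    A change carrying a change_ticket came through the approval workflow and
    is downgraded to "info"; unapproved changes keep their severity, and an
    actor with burst_threshold or more unapproved changes gets a summary alert.
    """
    alerts = []
    unapproved_per_actor = Counter()
    for e in events:
        severity = WATCHED_OPS.get(e["op"])
        if severity is None:
            continue
        approved = bool(e.get("change_ticket"))
        alerts.append({
            "ts": e["ts"], "actor": e["actor"], "op": e["op"],
            "target": e["target"],
            "severity": "info" if approved else severity,
        })
        if not approved:
            unapproved_per_actor[e["actor"]] += 1
    for actor, n in unapproved_per_actor.items():
        if n >= burst_threshold:
            alerts.append({
                "ts": None, "actor": actor,
                "op": "burst of unapproved identity-control changes",
                "target": None, "severity": "critical", "count": n,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_identity_control_changes(parse_audit(AUDIT_LOG)):
        print(a["severity"].upper(), a["actor"], a["op"], a.get("target") or "", a.get("count", ""))
```

The approved federation change by the service account is recorded but not escalated, while the four unapproved changes by one account within minutes produce individual alerts plus a burst alert; the burst is the signal that matters, because no single federation or policy edit is suspicious on its own, but the sequence is exactly what the emergency recovery procedure exists for.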
Machine Identity Management
Inventory all machine identities including service principals, managed identities, and API keys. Rotate credentials frequently, apply least privilege principles, and monitor machine identity authentication patterns.

Identity has become the primary attack surface in modern cloud environments. These twenty threat actor models demonstrate that traditional security controls focused on malware detection and network perimeters are insufficient. Organizations must adopt identity-centric security strategies that assume breach and verify every authentication attempt continuously.