Threat actor profiling · technical attribution by Fortgale
CTI · capability 01 · Threat Actor Profiling

Know who is attacking you.

Most SOC teams close alerts. Few know who is behind them. Threat Actor Profiling turns generic incidents — phishing, malware, cloud attacks — into adversary knowledge: MITRE-mapped TTPs, observed infrastructure, victimology, attribution with explicit confidence level.

180+ profiled actors
4-step attribution method
4-level confidence rating
Frameworks · standards: MITRE ATT&CK · Diamond Model · STIX 2.1 · TAXII 2.1
Analysis · disciplines: OSINT · HUMINT · TECHINT · Reverse engineering
The problem

SOC data without attribution is blind.

An alert closed without knowing who triggered it is a lost learning opportunity. Repeated thousands of times a year, it becomes the reason defences do not improve despite growing investment.

01 · Volume without priority

Thousands of alerts a day, all with similar severity. Without profiling, the SOC team treats mass spam and CFO-targeted spear-phishing the same way.

02 · Targeted indistinguishable from opportunistic

The same technical vector (e.g. a phishing email) can be random spam or an attack prepared over weeks. Without attribution, the difference does not surface.

03 · Generic defence

Without knowing who is attacking, controls are applied indiscriminately: block everything, alert on everything, log everything. Result: noise, fatigue, rising costs and falling defensive ROI.

The distinction that changes everything

«Who could» vs «who is» attacking.

Generic threat intelligence describes the landscape. Threat actor profiling identifies the operational adversary of the specific organisation, based on its real incidents and victimology.

Threat landscape · «who could»
  • Abstract taxonomy of famous groups
  • Generic sector trends
  • Macro aggregate statistics
  • Useful for initial CISO orientation
  • Quarterly or annual update
Necessary, but not sufficient
Threat actor profiling · «who is»
  • Actors that have touched the specific organisation
  • TTPs observed on the customer's own incidents
  • Victimology consistent with sector/geo
  • Drives concrete defence decisions
  • Continuous update · feedback loop with the SOC
Operational · actionable
The method · 4 steps

From SOC alert to documented attribution.

It is not a mystical process. It is a documentable technical pipeline, applicable to every incident of meaningful relevance. The result always includes an explicit confidence level — even when evidence is not enough to attribute, Fortgale says so.

01 · From SOC alert to forensic evidence

Triage and artefact collection

Extraction and forensic preservation of every artefact: payloads, IPs, domains, hashes, full email headers, endpoint logs, network telemetry. No containment action until IOCs have been consolidated.

EDR triage · Email forensics · Network capture · Memory snapshot

02 · From artefact to pattern

MITRE ATT&CK correlation and profile matching

Mapping of observed TTPs onto the MITRE ATT&CK framework and comparison with the profiles of threat actors already tracked by the CTI team. Identification of overlap across tactic, technique and sub-technique.

MITRE ATT&CK · TTP mapping · Profile matching · Sigma rules

03 · From pattern to fingerprint

Infrastructure · tooling · code · victimology

Analysis of C2 infrastructure (ASN, registrar, hosting patterns, TLS fingerprints), tooling (loaders, RATs, packers), malware code (similarity hashing, language artefacts) and victimology (sector, geography, size).

C2 fingerprint · Code similarity · Reverse engineering · Victimology

04 · From fingerprint to attribution

Documented attribution + confidence level

Formulation of explicit attribution with a confidence level (high / medium / low / insufficient). When evidence is insufficient, the most likely hypotheses are stated without overreach. Rushed attribution is a widespread bad practice in commercial CTI — Fortgale does not engage in it.

Confidence high/med/low · Documented attribution · Ranked hypotheses · Internal peer review
Deep-dives by vector

How Fortgale attributes incident by incident.

Three vectors cover over 90% of the incidents observed: phishing, malware, cloud attacks. For each, a specific attribution methodology.

Vector 01

Phishing attribution

From a seemingly generic campaign to kit + operator

A phishing email is rarely an isolated event. Fortgale analyses the kit used (Tycoon 2FA, Mamba 2FA, Caffeine, EvilProxy, NakedPages, W3LL, Greatness), the landing page architecture, the delivery infrastructure (registrar, ASN, certificate fingerprint), the victimisation pattern and the operator behind the campaign — kits are not all used in the same way.

  • AiTM toolkit Tycoon 2FA · Mamba 2FA · Caffeine · EvilProxy · W3LL — distinctive fingerprints across landing pages, redirect chains, session cookie hijack.
  • Spear-phishing operator LinkedIn reconnaissance, OSINT lookups on the victim, contextualisation (customer logo, real person, business process).
  • MFA bypass attribution Distinction between AiTM kits, social-engineering SIM-swap, automated push fatigue, OAuth consent phishing. Each method points to a different operational cluster.
  • EU-targeted vs broad-spray Volume, segmentation of customer domains, copy in native European languages vs machine translation, national bank/agency logos — indicators of European-continent targeting.
For the Board

Attributing an AiTM campaign to a specific operator translates into 2-4 targeted controls (conditional access policy, FIDO2 hardware for top targets, geo-fencing, IdP-side detection rules) — not 1,000 emails to analyse manually.

Vector 02

Malware attribution

From binary sample to family, author, infrastructure

A piece of malware is not just a hash to block. Fortgale analyses code similarity (BinDiff, ssdeep, TLSH, Vector35 reuse), packers and crypters chosen, C2 protocols (custom or known framework), persistence patterns, language artefacts (comments, debug paths, PDB, encoding), PE timestamps and compilation times. Every technical choice narrows the circle of likely authors.

  • Code similarity & reuse Identification of code blocks shared across families (e.g. SystemBC, Matanbuchus, BumbleBee → frequently linked operators).
  • Packer / crypter choice PrivateLoader vs SmokeLoader vs custom Themida → affiliation cluster.
  • C2 protocol fingerprint JA3/JA3S TLS fingerprint, self-signed certificate patterns, HTTP header signatures, Tor vs cleartext, beacon timing.
  • Language & culture artefacts String encoding (CP1251 Russian, GBK Chinese), commit timezone on reused open-source components, PDB paths with usernames, dialect tags.
  • Operational tempo Compilation timestamp patterns (working hours of a given timezone), recompilation frequency, infrastructure rotation cadence.
For the Board

Distinguishing a commodity loader sold on forums from a custom, targeted malware radically changes the required response level — generic vs custom is the difference between patching and full DFIR.

Vector 03

Cloud attack attribution

Microsoft 365 · AWS · Azure · GCP · OAuth abuse

Cloud attacks are the fastest-growing vector — and the one where most CTI vendors are least prepared. Fortgale tracks IAM enumeration patterns, OAuth consent abuse, token theft chains, cloud-native persistence (federated identity backdoor, hidden service principal, app registration sleeper) and exfiltration through legitimate APIs.

  • OAuth abuse signatures Patterns of illegitimate app consent, scopes requested (Mail.ReadWrite, offline_access, full_access_as_user), app naming patterns (mimicking Microsoft, branded as HR tools), on-behalf-of flow abuse.
  • Token theft attribution Distinction between adversary-in-the-middle, infostealer-driven (RedLine, Lumma, Vidar), browser cookie exfiltration, PRT theft. Each method correlates with distinct operational clusters.
  • Cloud persistence patterns Service principal sleepers, federated identity poisoning (Solorigate-style), conditional access tampering, Microsoft Graph subscription abuse.
  • Identity-as-perimeter Analysis of sign-in patterns, non-trivial impossible travel, device join anomalies, primary refresh token abuse, MFA bypass via legacy app-password.
  • Living-off-the-cloud Use of legitimate APIs (Power Automate, Logic Apps, Lambda functions) as C2 and exfiltration channels — a strongly growing vector in 2025-2026.
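A triage heuristic over the OAuth consent-abuse signatures listed above (risky scopes, Microsoft- or HR-mimicking app names, user-granted offline_access), added here as an example and not Fortgale's tooling; the record format, scope weights, name patterns and threshold are assumptions, and the events are constructed.

```python
import re

# Scopes the page lists as typical of illegitimate consent grants; the weights are an assumption.
RISKY_SCOPES = {"full_access_as_user": 4, "Mail.ReadWrite": 3, "Files.ReadWrite.All": 3,
                "Mail.Read": 2, "offline_access": 2}
# Display names imitating Microsoft or HR tooling (digit-for-letter swaps included); heuristic only.
MIMIC_NAME = re.compile(r"(micr[o0]s[o0]ft|[o0]ffice ?365|outlook|teams|hr[- ]?portal|payroll)", re.I)

def score_consent(event):
    """Score one consent-grant record (constructed format, not an Entra audit log export)."""
    score, reasons = 0, []
    for scope in event["scopes"]:
        if scope in RISKY_SCOPES:
            score += RISKY_SCOPES[scope]
            reasons.append(f"scope:{scope}")
    if MIMIC_NAME.search(event["app_name"]) and not event.get("verified_publisher"):
        score += 3
        reasons.append("unverified publisher with Microsoft/HR-like name")
    if event.get("consent_type") == "user" and "offline_access" in event["scopes"]:
        score += 1  # offline_access yields a refresh token, so the grant outlives the session
        reasons.append("user consent with persistent refresh token")
    return score, reasons

def triage(events, threshold=6):
    """Return (id, score, reasons) for grants worth analyst review; threshold is an assumption."""
    flagged = []
    for e in events:
        score, reasons = score_consent(e)
        if score >= threshold:
            flagged.append((e["id"], score, reasons))
    return sorted(flagged, key=lambda f: -f[1])

EVENTS = [  # constructed records
    {"id": "c1", "app_name": "Microsoft 0ffice 365 Mail Sync", "verified_publisher": False,
     "consent_type": "user", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"id": "c2", "app_name": "Contoso Expense Tracker", "verified_publisher": True,
     "consent_type": "admin", "scopes": ["User.Read"]},
    {"id": "c3", "app_name": "HR-Portal Assistant", "verified_publisher": False,
     "consent_type": "user", "scopes": ["full_access_as_user", "offline_access"]},
]
```

Flagged grants map directly onto the controls the page names (admin consent workflow, app governance policy, conditional access for non-verified apps).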
For the Board

An attributed OAuth consent abuse translates into 3 concrete controls (admin consent workflow, app governance policy, conditional access for non-verified apps) — tools already present in Microsoft tenants that only need to be properly configured.

Dossiers · profiled actors

Seven real examples of Fortgale technical profiles.

Three actors tracked and attributed by the Fortgale CTI team with research published on the blog. One global Initial Access Broker. Three of the most active ransomware groups against Europe in 2024-2026. These are the kind of dossiers a customer receives.

APT · Espionage · 2026

Operation Storming Tide (Mora_001)
Origin: Russian origin · APT
Vector: Fortinet exploitation · Matanbuchus 3.0 · SystemBC
Victimology: European companies · manufacturing supply chain

Multi-stage campaign attributed to Mora_001. The Fortgale IR team tracked it internally as FortiSync Quasar: Fortinet exploitation, Matanbuchus 3.0 deployment, Astarion RAT and SystemBC. Evolution from ransomware operations to pure espionage. Exfiltration blocked.

APT · Espionage · Fortinet 0-day · Matanbuchus 3.0 · Astarion RAT
Confidence · High
Cyber Espionage · 2023-active

PhishSurf Nebula
Origin: Unconfirmed origin · APT-level resources
Vector: Banking & Finance · Europe · MFA bypass · AiTM
Victimology: European banking sector · top management

Advanced cyber-espionage group with primary focus on the European banking sector. MFA bypass via AiTM, infrastructure distributed across regional registrars, social engineering prepared with extensive OSINT. Significant resources behind the operation.

Banking & Finance · AiTM phishing · MFA bypass · Cyber espionage
Confidence · Medium
Threat Actor · 2022-active

Nebula Broker
Origin: European origin · custom tooling
Vector: BrokerLoader (custom) · EU targeting
Victimology: European organisations · supply chain

Tracked by Fortgale since March 2022: European actor with internally developed malware (BrokerLoader). Rare case of a local actor with custom offensive capabilities. Documented exclusively by Fortgale CTI.

European threat actor · Custom malware · BrokerLoader · Initial access broker
Confidence · High
Worm/Loader · 2021-active

Raspberry Robin · DEV-0856 / Storm-0856
Origin: Initial access broker · Russian-affiliated
Vector: USB worm · Windows Installer abuse · Tor C2
Victimology: Pre-ransomware access broker · multi-sector EU/US

USB worm that evolved into a top-tier Initial Access Broker for ransomware groups (LockBit, Akira, Clop). Distinctive pattern: msiexec chained with regsvr32, abuse of rundll32 via fodhelper.exe, Tor onion C2, follow-on downloaders for FakeUpdates, IcedID, Bumblebee. EU telemetry growing through 2025-2026.

Initial access broker · USB worm · Tor C2 · Pre-ransomware
Confidence · High
Ransomware · 2024-active · top group

RansomHub · RaaS
Origin: Successor to ALPHV/BlackCat · ex-affiliates
Vector: RaaS · double extortion · Linux/ESXi/Windows builders
Victimology: Multi-sector enterprise · healthcare · manufacturing · public sector

Having emerged in early 2024 after the collapse of ALPHV/BlackCat, RansomHub quickly absorbed high-level affiliates (including the one behind the Change Healthcare case). Linux/ESXi/Windows builders, proprietary exfiltration tooling, Tor leak site. Top by EU enterprise impact in 2024-2025.

RaaS · Double extortion · ESXi targeting · Healthcare · Manufacturing
Confidence · High
Ransomware · 2023-active · EU-heavy

Akira · RaaS
Origin: Conti diaspora affiliate · reconstituted
Vector: VPN exploitation (Cisco ASA, SonicWall) · double extortion · ESXi
Victimology: EU mid-market · manufacturing · professional services · construction

Active since March 2023, Akira has maintained a high victimisation cadence through 2024-2026 with a focus on the European mid-market. Dominant initial vector: exploitation of non-MFA VPN appliances (Cisco ASA, SonicWall SSLVPN, known unpatched vulnerabilities). Effective ESXi encryptor, "Akira Dark Site" leak site on Tor with 80s aesthetics.

VPN exploitation · ESXi encryptor · EU mid-market · Conti lineage
Confidence · High
Ransomware · 2023-active · aggressive negotiator

Medusa · RaaS
Origin: Unconfirmed · Russophone
Vector: Phishing · public exploits · driver-side BYOVD
Victimology: Public sector · healthcare · education · services · construction

Medusa stands out for aggressive negotiation (public countdown on the leak site with rising ransom demand) and for intensive use of BYOVD (Bring Your Own Vulnerable Driver) to disable EDR. Strong presence in the EU public sector through 2024-2025, with documented incidents at municipalities, regional health authorities, schools.

BYOVD · Public sector · Aggressive negotiation · Leak site countdown
Confidence · Medium
Trust · methodology

How confidence is communicated. And when Fortgale does not attribute.

Rushed attribution is one of the most widespread problems in commercial CTI. Fortgale explicitly declares the confidence level of every attribution — and admits when evidence is insufficient.

High · Multiple independent pieces of evidence

Overlap across at least 3 independent elements: C2 infrastructure, malware code, MITRE TTPs, victimology, language artefacts. Documented attribution in the report.

Medium · Some evidence, missing elements

Overlap on 1-2 elements, with partial evidence on the rest. Attribution formulated as the most likely hypothesis, with missing elements stated.

Low · Single overlap

A single element of overlap (e.g. one shared IOC). The most likely hypothesis is indicated alongside less likely alternatives. This is not yet attribution.

Insufficient · Evidence not adequate

Fortgale explicitly states that evidence is not enough. The team shares the data collected and observed TTPs, but does not force attribution. Rare among vendors — standard practice here.
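Steps 2 and 4 of the method above (TTP overlap against tracked profiles, then the four-level confidence rating and ranked hypotheses), as an added Python illustration; this is not Fortgale's code, and the actor clusters, evidence labels, the 0.5 overlap cut-off and the partial-evidence rule are constructed assumptions.

```python
from dataclasses import dataclass
# The independent evidence families the four-level scheme counts; each Evidence holds one label set per family.
FAMILIES = ("c2_infrastructure", "malware_code", "ttps", "victimology", "language_artefacts")

@dataclass(frozen=True)
class Evidence:
    name: str
    ttps: frozenset                              # ATT&CK technique / sub-technique ids
    c2_infrastructure: frozenset = frozenset()   # ASN / registrar / hosting labels
    malware_code: frozenset = frozenset()        # similarity-cluster labels (TLSH, ssdeep)
    victimology: frozenset = frozenset()         # sector / geography tags
    language_artefacts: frozenset = frozenset()  # code pages, PDB usernames, dialect tags

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def expand_ttps(ids):
    """Credit the parent technique too, so T1218.011 still overlaps T1218.007 at T1218."""
    return frozenset(ids) | frozenset(i.split(".")[0] for i in ids)

def family_scores(incident, profile):  # step 2: per-family overlap vs one tracked profile
    scores = {}
    for fam in FAMILIES:
        a, b = getattr(incident, fam), getattr(profile, fam)
        if fam == "ttps":
            a, b = expand_ttps(a), expand_ttps(b)
        scores[fam] = jaccard(a, b)
    return scores

def confidence(scores, strong=0.5):
    """Four-level rating (step 4): >=3 full overlaps High; 2, or 1 plus partial evidence,
    Medium; a single overlap Low; otherwise Insufficient. The 0.5 cut-off is an assumption."""
    full = sum(1 for s in scores.values() if s >= strong)
    partial = sum(1 for s in scores.values() if 0 < s < strong)
    if full >= 3:
        return "High"
    if full == 2 or (full == 1 and partial >= 1):
        return "Medium"
    return "Low" if full == 1 else "Insufficient"

def rank_hypotheses(incident, profiles):
    """Ranked hypotheses: best-supported cluster first, with its level and summed overlap."""
    order = {"High": 0, "Medium": 1, "Low": 2, "Insufficient": 3}
    ranked = [(p.name, confidence(sc), round(sum(sc.values()), 2))
              for p in profiles for sc in [family_scores(incident, p)]]
    return sorted(ranked, key=lambda r: (order[r[1]], -r[2]))

# Constructed sample data (not real Fortgale profiles): three tracked clusters, one incident.
TRACKED = [
    Evidence("CLUSTER-A", frozenset({"T1091", "T1218.007", "T1218.010", "T1548.002", "T1090.003"}),
             c2_infrastructure=frozenset({"tor-onion"}), malware_code=frozenset({"tlsh-c1"}),
             victimology=frozenset({"manufacturing", "EU"}), language_artefacts=frozenset({"cp1251"})),
    Evidence("CLUSTER-B", frozenset({"T1566.002", "T1557", "T1550.004"}),
             c2_infrastructure=frozenset({"asn-x"}), victimology=frozenset({"banking", "EU"})),
    Evidence("CLUSTER-C", frozenset({"T1091", "T1105"}),
             c2_infrastructure=frozenset({"tor-onion"}), victimology=frozenset({"manufacturing", "EU"})),
]
INCIDENT = Evidence("IR-0001", frozenset({"T1091", "T1218.007", "T1218.011", "T1090.003"}),
                    c2_infrastructure=frozenset({"tor-onion"}), malware_code=frozenset({"tlsh-c1", "tlsh-c9"}),
                    victimology=frozenset({"manufacturing", "IT"}))
```

`rank_hypotheses(INCIDENT, TRACKED)` rates CLUSTER-A High (C2, code and TTPs all overlap), CLUSTER-C Medium (one full overlap plus partial TTP and victimology evidence) and CLUSTER-B Insufficient, which is the ranked-hypotheses output step 4 describes.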

The output

What lands on the customer's desk.

Four concrete deliverables — not just a report to archive, but operational material to apply to the SOC, SIEM, endpoints, and Board.

01 · Actor profile (PDF + JSON STIX)

Structured document with MITRE-mapped TTPs, IOCs, C2 infrastructure, tooling, victimology, attribution and confidence level. Technical and executive versions in English and Italian.

02 · Dedicated detection rules

SIGMA rules for SIEM, YARA for static/dynamic analysis, Snort/Suricata for IDS, custom rules for the customer's MDR platforms.

03 · Expanded control set

Concrete list of controls to implement based on the profiled actor: conditional access policy, infrastructure blocks, MFA enforcement on target assets, app consent governance, and more.

04 · Technical + executive briefing

Live session with the analysts for the SOC/IR team (technical deep-dive) and a separate session for CISO/Board (business impact, risk, required decisions).

Technical honesty

When TA profiling is not needed.

If the organisation has a limited attack surface and only suffers low-volume opportunistic attacks, threat actor profiling is oversized compared to the value generated. In those cases a standard IOC feed and perimeter protection service is more efficient.

TA profiling becomes critical when: ① the organisation has high-value assets (intellectual property, sensitive data, critical infrastructure); ② operates in target sectors (finance, manufacturing, energy, healthcare, public sector, defence); ③ has already suffered incidents with specific-targeting signals (prior reconnaissance, payload personalisation, attack on top management).

Not sure? Let's talk. If you don't need it, Fortgale will say so.

Take to the Board

Three slides. Just three.

The CISO reads this page. Then has to explain it in 5 minutes to a Board of Directors that does not speak MITRE. Fortgale prepares it.

01 · The state

How many profiled attacks the organisation has faced in the last 6 months · how many targeted vs opportunistic · trend.

02 · The adversary

Who is attacking (profiled clusters) · why (motivation · victimology) · explicit confidence level.

03 · The response

Expanded control set · estimated cost · expected impact · implementation timeline · residual risk.

The "3 Board slides" pack is included in every Executive Briefing · also available on request.

FAQ

Frequently asked questions on TA Profiling.

What is the difference between threat actor profiling and generic threat intelligence?

Generic threat intelligence describes the threat landscape in the abstract (famous groups, sectors at risk, trends). Threat actor profiling identifies who is actually attacking a specific organisation, based on its real incidents, attack surface, and victimology. The first informs the CISO; the second drives concrete defence decisions.

How do you distinguish a targeted attack from an opportunistic one?

Through behavioural indicators: pre-attack reconnaissance on the target (LinkedIn, OSINT), payload personalisation (logo, persona, customer context), timing (target office hours), preferred vectors (CFO, HR, IT admin). A generic attack treats the victim as just another IP; a targeted one treats them as an asset. The difference weighs heavily on response priority.

Can I receive an on-demand profile of a specific actor?

Yes. The Fortgale CTI team produces on-demand profiles of single threat actors when a customer suspects or suffers an attack from a specific group. The profile includes MITRE-mapped TTPs, observed infrastructure, tooling, victimology, associated IOCs, and dedicated detection rules (SIGMA, YARA). Typical delivery time: 3-10 days depending on complexity.

How does attribution confidence level work?

Four levels: High (multiple independent corroborating pieces of technical evidence — infrastructure, code, TTPs, victimology), Medium (some evidence with missing or ambiguous elements), Low (single overlap element, most likely hypothesis), Insufficient (evidence inadequate for attribution — stated explicitly). Fortgale does not force attribution where evidence falls short.

When does threat actor profiling NOT make sense?

When the organisation has a limited attack surface and only suffers low-volume opportunistic attacks, TA profiling is oversized compared to the value generated. In those cases a standard IOC feed and perimeter protection service is more efficient. TA profiling becomes critical when the organisation has high-value assets, operates in target sectors (finance, manufacturing, energy, healthcare, public sector) or has already suffered incidents with specific-targeting signals.

How long does it take to profile a threat actor?

A first-level profile (TTPs + IOCs + infrastructure) typically takes 3-7 days. A complete profile with documented technical attribution, tooling analysis, and victimology takes 2-4 weeks. For actors already in the Fortgale database (180+) the profile is available in 24-48 hours. For unknown actors, it depends on the quantity and quality of evidence collected.

Start with profiling

Who is attacking you right now?

Bring a recent incident — phishing, malware, suspicious cloud access. The Fortgale CTI team will produce a free mini-profile within 5 business days. No commitment: just evidence.

Response time: < 1 business day.