Unmasking Cyber Threat Actors: Proactive Intelligence, Hunting, and Dark Web Insights

In today’s rapidly evolving cyber landscape, cyber security teams must move beyond traditional defense mechanisms and adopt a proactive approach to threat intelligence. Cyber adversaries operate with diverse objectives and target various sectors, each employing distinct tactics. Understanding these actors—how they operate, what motivates them, and where they communicate—is essential for developing a resilient security posture because it helps cybersecurity teams stay ahead of threats, adapt their defenses, and shut down attacks before they gain traction.

Understanding cyber threat actors: adversary group classification

Before discussing how to deal with cyber threat groups, we must first define who they are. Threat actors come in different forms, each with distinct motivations, tactics, and levels of sophistication. 

In this section, we conduct adversary group classification. The five primary types of cyber threat actors are:

1. Nation-State Actors (APTs) 

• Motivation: Espionage, military, political, or economic gain.
• Targets: Governments, critical infrastructure, defense contractors, corporations, and research institutions.
• Example: APT41 (China), Lazarus Group (North Korea)

APT groups are highly sophisticated and well-funded. Each group operates under the direction of a specific government. Their objectives typically involve long-term cyber espionage campaigns, intellectual property theft, and occasionally, disruptive or destructive cyberattacks. 

2. Cybercriminals

• Motivation: Financial gain through cybercrime (ransomware, fraud, data theft).
• Targets: Businesses, financial institutions, healthcare, and individuals.
• Example: LockBit, BlackCat (ALPHV)

Cybercriminals operate either as part of organized crime groups or as independent actors. Their primary focus is on monetizing stolen data, deploying ransomware, and selling illicit goods on the dark web. As attack techniques and expertise in this field have advanced, many cybercriminals have adopted the Ransomware-as-a-Service (RaaS) model. This approach allows them to sell access to malware and attack frameworks, enabling even less-skilled threat actors to execute sophisticated cyberattacks.

3. Hacktivists

• • Motivation: Political or ideological activism.
  • Targets: Governments, corporations, law enforcement, and political organizations.

• Example: Anonymous, Killnet, GhostSec

Hacktivists conduct cyberattacks to promote social or political causes, often in retaliation against perceived injustices. Their attacks are typically disruptive rather than financially motivated, with the goal of exposing sensitive information, defacing websites, or disrupting services.

4. Insider Threats

• Motivation: Revenge, financial gain, negligence, or coercion.
• Targets: Internal corporate systems, databases, intellectual property.
• Examples:
  • An upset employee, motivated by revenge after being passed over for a promotion, exfiltrates sensitive customer data and sells it to a competitor. 
  • An employee falls victim to a phishing scam, inadvertently granting attackers access to critical systems, resulting in a ransomware infection.

Insider threats come from individuals within an organization—employees, contractors, or business partners—who misuse their legitimate access. Unlike external attacks, insider threats bypass traditional security defenses and can be harder to detect.

5. Script Kiddies and Low-Skilled Threat Actors

• Motivation: Recognition, challenge, boredom, cyber vandalism.
• Targets: Random websites, online gaming platforms, small businesses.

Script kiddies are inexperienced individuals who use pre-built hacking tools and automated scripts without fully understanding how they work. While they lack the sophistication of nation-state actors or organized cybercriminals, they can still cause significant disruption—especially when leveraging DDoS attacks, website defacements, or basic malware distribution.

From Understanding Threat Actors to Hunting Their Activity

Recognizing the different hacker group names and types is just the first step. To effectively defend against them, cybersecurity teams must go beyond identification, leveraging real-time threat intelligence to proactively track, detect, and mitigate threats before they escalate into full-blown attacks.

Hunting for Specific Threat Activity: IOC vs. IOA Approach

Threat hunting is a proactive security strategy that involves actively searching for signs of malicious activity within an organization’s environment before an attack can fully materialize. 

Instead of relying solely on automated detection tools, threat hunters and CTI teams use intelligence-driven techniques to identify emerging threats based on attacker behaviors. Rather than relying on IOCs, which identify past activity, hunting focuses on identifying Indicators of Attack (IOAs) and aligning them with the MITRE ATT&CK framework, a comprehensive matrix that maps out the tactics, techniques, and procedures (TTPs) used by known threat actors. When security teams map identified IOAs to the MITRE ATT&CK framework they can anticipate attacks before they unfold, disrupt threat actors in action, and strengthen their defenses against future threats.

The two primary methodologies used by security teams for threat hunting are:

1. Indicators of Compromise (IOCs) – Traditionally used in incident response, IOCs serve as forensic evidence of past compromises but are not the primary focus of proactive threat hunting. They include IP addresses, file hashes, malicious domains, and registry modifications, which can help detect known threats but are easily evaded by sophisticated attackers. 
2. Indicators of Attack (IOAs) – Proactive behavioral indicators that help detect attacks before they fully develop. IOAs focus on data that shows attacker intent (unusual privilege escalation, unauthorized lateral movement, or exploitation of system vulnerabilities). IOAs are often mapped to the MITRE ATT&CK framework , enabling security teams to correlate suspicious activities with known adversary behaviors.

While IOCs are traditionally associated with incident response, they still play a role in proactive threat hunting. Security teams can use IOCs to track known malicious infrastructure, identify repeated attack patterns, and correlate past activity with emerging threats. Threat hunters can uncover leaked credentials, compromised IPs, or malware hashes before they are widely used in attacks by monitoring the dark web.

By using Lunar, our dark web monitoring platform, you can track and collect mentions of malicious IPs, domains or URLs found in dark web forums, marketplaces, and Telegram channels. Lunar also detects file dumps containing IOC collections, as in the example shown in screenshot, where we detected an IOC dump in the LockBit Telegram channel. 

How to Hunt Using IOAs (MITRE ATT&CK Techniques)

Effective threat hunters follow a structured process that aligns with attacker behaviors rather than static indicators. They leverage MITRE ATT&CK techniques to proactively detect and mitigate threats before they escalate.

Below is a step-by-step process for hunting using IOAs:

Step 1: Define the Threat Hypothesis

Threat hunting begins with a hypothesis. If an adversary gains access to a corporate network using Valid Credentials (T1078) over Remote Desktop Protocol (RDP) (T1021.001), the threat actors may attempt to move laterally across the network, access sensitive systems, or exfiltrate valuable data.

Step 2: Identify Suspicious Remote Access Patterns

Using hunting queries, threat hunters look for repeated RDP login attempts, particularly from unusual locations or unauthorized accounts.

Step 3: Detect Anomalous Behavior Post-Login

Once remote access is confirmed, the next step is to detect unusual activities performed after login, mapping them to MITRE ATT&CK techniques to understand the attack progression. Threat hunters analyze user behavior to identify:

• Discovery (T1082, T1018): The adversary may perform system and network discovery to identify high-value targets.
• Persistence (T1136 – Create Account): Attackers may create new privileged accounts to maintain access.
• Execution (T1059 – Command and Scripting Interpreter): Adversaries may run malicious scripts or PowerShell commands to automate further exploitation.

Step 4: Monitor for Dark Web Mentions

If attackers successfully access internal systems, they may attempt to sell access to compromised machines on dark web marketplaces. Using Lunar, our dark web monitoring platform, threat intelligence teams can monitor underground forums for mentions of company domains in RDP access listings or the company employees’ credentials being sold.

Step 5: Incident Response and Mitigation

Using Lunar helps you gain insights on notable threat actors and their actions, identify early indications, track exploitation trends to anticipate targeted attacks and to build better detection and mitigation strategies.

Staying Ahead of Threat Actors: Proactive Defense Through Intelligence and Hunting

Identifying threat actors is just the first step; proactive hunting and intelligence-driven defense are essential. By leveraging MITRE ATT&CK techniques, tracking IOAs, and monitoring dark web activity, CTI teams can detect threats early, disrupt attack lifecycles, and anticipate emerging risks. Integrating threat actor profiling, structured hunting, and dark web intelligence strengthens security postures, ensuring organizations stay one step ahead of evolving cyber threats.

Learn how to use Lunar, our advanced dark web monitoring tool, for real-time threat intelligence.