WHITEPAPER

Recorded Future’s Threat Actor and Malware Taxonomy

A reference document for Recorded Future’s naming conventions for threat actor groups

Insikt Group, Recorded Future's threat intelligence research arm, tracks global threat actors and activity groups. In 2018, they adopted a taxonomy for classifying APT groups from the "Big 4" countries—China, Russia, Iran, and North Korea—using national flag colors and NATO phonetic alphabet codewords. Insikt's methodology has since advanced, allowing for better tracking of threat actors and their activities.

This white paper outlines Recorded Future's naming conventions for threat actor groups and newly identified malware. The unique taxonomy accurately reflects overlaps and divergences in activity, infrastructure, and TTPs with existing group names.

About the Author


Insikt Group

Recorded Future’s threat research division, comprising analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience.

Insikt Group's mission is to produce intelligence on a range of cyber and geopolitical threats that reduces risk for clients, enables tangible outcomes, and prevents business disruption. Coverage areas include research on state-sponsored threat groups; financially motivated threat actors on the darknet and criminal underground; newly emerging malware and attacker infrastructure; strategic geopolitics; and influence operations.