Attack Chains
Threat actors change their tools constantly — loaders, C2 frameworks, ransomware brands, stealer families. But the prerequisite conditions they must satisfy at each stage never change. These mapped attack chains show how every actor, regardless of affiliation or toolset, converges on the same chokepoints. Detect the chokepoint; catch any actor.
Ransomware: Initial Access → Credential Access → Lateral Movement → Defense Evasion → Impact. Covers BlackBasta, LockBit 3.0, Akira, Alphv/BlackCat, and Play, with a convergence matrix showing how each group hits the same five chokepoints.
Infostealer: Distribution → Execution → Collection → Exfiltration → Monetization. Covers RedLine, LummaC2, Vidar, StealC, and Raccoon, including how infostealer-harvested credentials fuel the RaaS ecosystem downstream.
More attack chains coming soon. BEC / business email compromise, initial access broker (IAB) operations, and supply chain compromise chains are in development. See CONTRIBUTING.md to propose or draft a new chain.
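As an added illustration of the convergence matrix idea used in the ransomware chain above (this is example code written for this page, not part of the repository's mapped chains), the Python below builds such a matrix from per-actor observations and pulls out the chokepoints. The actors (ActorA, ActorB, ActorC) and technique labels are constructed for the example and are not the real group-to-technique mappings; the stage names are the five from the ransomware chain. The point it makes beyond the prose: every actor hits every stage, but within a stage only some techniques are shared by all of them, and those shared techniques are where one detection catches every actor.

```python
from collections import defaultdict

# The five stages of the ransomware chain described on this page.
STAGES = ["Initial Access", "Credential Access", "Lateral Movement",
          "Defense Evasion", "Impact"]

# Constructed sample data: fictional actors and illustrative technique labels,
# not the real group-to-technique mapping from the ransomware chain.
OBSERVATIONS = {
    "ActorA": [
        ("Initial Access", "phishing_attachment"),
        ("Credential Access", "lsass_memory_read"),
        ("Lateral Movement", "smb_admin_share"),
        ("Defense Evasion", "disable_edr_service"),
        ("Impact", "encrypt_files"),
    ],
    "ActorB": [
        ("Initial Access", "exposed_vpn_login"),
        ("Credential Access", "lsass_memory_read"),
        ("Lateral Movement", "smb_admin_share"),
        ("Lateral Movement", "rdp_session"),
        ("Defense Evasion", "clear_event_logs"),
        ("Impact", "encrypt_files"),
    ],
    "ActorC": [
        ("Initial Access", "phishing_attachment"),
        ("Credential Access", "lsass_memory_read"),
        ("Credential Access", "ntds_dit_copy"),
        ("Lateral Movement", "smb_admin_share"),
        ("Defense Evasion", "disable_edr_service"),
        ("Impact", "delete_shadow_copies"),
        ("Impact", "encrypt_files"),
    ],
}


def build_matrix(observations, stages=STAGES):
    """Return {stage: {technique: set(actors)}} for the given stages."""
    matrix = {stage: defaultdict(set) for stage in stages}
    for actor, obs in observations.items():
        for stage, technique in obs:
            if stage not in matrix:
                raise ValueError(f"unknown stage {stage!r} for {actor}")
            matrix[stage][technique].add(actor)
    return matrix


def stage_coverage(matrix):
    """Number of distinct actors that hit each stage by any technique."""
    return {stage: len(set().union(*techs.values()))
            for stage, techs in matrix.items()}


def chokepoints(matrix, actors):
    """Per stage, the techniques every actor uses: a detection built there
    catches all of them regardless of loader, C2 or ransomware brand."""
    all_actors = set(actors)
    return {stage: sorted(t for t, who in techs.items() if who == all_actors)
            for stage, techs in matrix.items()}


def rank_techniques(matrix):
    """All (stage, technique, actor_count) rows, best detection targets first."""
    rows = [(stage, tech, len(who)) for stage, techs in matrix.items()
            for tech, who in techs.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def render(matrix, actors):
    """Plain-text convergence matrix: one row per technique, one column per actor."""
    actors = list(actors)
    header = f"{'stage':<18}{'technique':<22}" + "".join(f"{a:>8}" for a in actors)
    lines = [header]
    for stage, techs in matrix.items():
        for tech, who in sorted(techs.items()):
            marks = "".join(f"{('x' if a in who else '.'):>8}" for a in actors)
            lines.append(f"{stage:<18}{tech:<22}{marks}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(OBSERVATIONS)
    print(render(m, OBSERVATIONS))
    print("stage coverage:", stage_coverage(m))
    print("universal chokepoints:", chokepoints(m, OBSERVATIONS))
```

With the constructed data, `stage_coverage` reports every stage at 3 of 3 actors, while `chokepoints` is empty for Initial Access and Defense Evasion (the actors diverge there) and non-empty for Credential Access, Lateral Movement and Impact. That split is the practical reading of "detect the chokepoint": stage-level convergence tells you where to look, technique-level convergence tells you which single detection will fire for every actor.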