Information about threat actors
Special privileges required
Threat Actors are only available to users with the Threat Landscape module.
Threat actors are known persons or groups responsible for security incidents.
Threat actors in VirusTotal are identified by a UUID, but it's also possible to retrieve them using any of the threat actor's names. For example, these three requests are equivalent:
https://www.virustotal.com/api/v3/threat_actors/Comment Crew
https://www.virustotal.com/api/v3/threat_actors/APT1
https://www.virustotal.com/api/v3/threat_actors/1cb7e1cc-d695-42b1-92f4-fd0112a3c9be
Object Attributes
A threat actor object contains the following attributes:
aliases
: <list of strings> alternative names by which the threat actor is known.
description
: <string> description / context about the threat actor.
first_seen_date
: <integer> estimated date of the threat actor's first seen activity (UTC timestamp).
last_seen_date
: <integer> estimated date of the threat actor's last seen activity (UTC timestamp).
last_modification_date
: <integer> last time the threat actor was updated (UTC timestamp).
name
: <string> threat actor's name.
recent_activity_relative_change
: <float> ratio of change between the last two "recent activity" periods. Note: each "recent activity" period comprises 14 days.
recent_activity_summary
: <list_of_integers> time series representing the activity of the indicators of compromise related to the threat actor. (2 weeks)
related_entities_count
: <integer> estimated number of IOCs related to the threat actor.
source_region
: <string> threat actor's source region.
sponsor_region
: <string> region sponsoring the threat actor.
targeted_industries
: <list of strings> list of industries the threat actor has targeted.
targeted_regions
: <list of strings> list of regions the threat actor has targeted.
{
    "data": {
        "attributes": {
            "aliases": [<string>],
            "description": <string>,
            "first_seen_date": <int:timestamp>,
            "last_seen_date": <int:timestamp>,
            "last_modification_date": <int:timestamp>,
            "name": <string>,
            "related_entities_count": <int>,
            "recent_activity_relative_change": <float>,
            "recent_activity_summary": [<int>],
            "source_region": <string>,
            "sponsor_region": <string>,
            "targeted_industries": [<string>],
            "targeted_regions": [<string>]
        },
        "type": "threat_actor",
        "id": <string>,
        "links": {
            "self": "https://www.virustotal.com/api/v3/threat_actors/<id>"
        }
    }
}
{
    "data": {
        "attributes": {
            "first_seen_date": 1341966080,
            "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",
            "targeted_regions": [
                "JP",
                "PH",
                "HK",
                "ID",
                "TW",
                "VN"
            ],
            "aliases": [
                "Spring Dragon",
                "ST Group",
                "Esile",
                "DRAGONFISH",
                "BRONZE ELGIN",
                "ATK1",
                "G0030",
                "Red Salamander"
            ],
            "last_seen_date": 1658337941,
            "related_entities_count": 205,
            "targeted_industries": [
                "Military",
                "Government, Administration"
            ],
            "source_region": "CN",
            "last_modification_date": 1658407852,
            "sponsor_region": "CN",
            "name": "Lotus Blossom",
            "recent_activity_relative_change": 0.39,
            "recent_activity_summary": [
                30436,
                26799,
                27709,
                29112,
                26659,
                29997,
                18676,
                35813,
                28992,
                33486,
                24593,
                25648,
                26175,
                29243
            ]
        },
        "type": "threat_actor",
        "id": "lotus_blossom",
        "links": {
            "self": "https://virustotal.com/api/v3/threat_actors/32fafa69-fe3c-49db-afd4-aac2664bcf0d"
        }
    }
}
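The following is an added example, not part of the VirusTotal documentation: it percent-encodes an actor name for the lookup URL and flattens a threat actor object for triage, converting the UTC timestamps and intersecting the targeting lists with a defender's own watchlist. The function names (`actor_url`, `summarize`), the watchlist values, and the handling of missing attributes are assumptions; the sample is constructed from the response shown above.

```python
from datetime import datetime, timezone
from urllib.parse import quote

API_BASE = "https://www.virustotal.com/api/v3/threat_actors/"

def actor_url(name_or_uuid):
    """Build the lookup URL; a name such as 'Comment Crew' must be percent-encoded."""
    return API_BASE + quote(name_or_uuid, safe="")

def summarize(response, my_regions=(), my_industries=()):
    """Flatten a threat actor object and intersect its targeting with a watchlist."""
    data = response["data"]
    attrs = data["attributes"]

    def utc_date(key):
        # Date attributes are UTC epoch seconds; treated as optional here (assumption).
        ts = attrs.get(key)
        if ts is None:
            return None
        return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()

    series = attrs.get("recent_activity_summary", [])
    return {
        "id": data["id"],
        "names": [attrs["name"], *attrs.get("aliases", [])],
        "first_seen": utc_date("first_seen_date"),
        "last_seen": utc_date("last_seen_date"),
        "activity_peak": max(series, default=0),
        "regions_hit": sorted(set(attrs.get("targeted_regions", [])) & set(my_regions)),
        "industries_hit": sorted(set(attrs.get("targeted_industries", [])) & set(my_industries)),
    }

# Constructed sample: trimmed copy of the Lotus Blossom response shown above.
SAMPLE = {"data": {"type": "threat_actor", "id": "lotus_blossom", "attributes": {
    "name": "Lotus Blossom",
    "aliases": ["Spring Dragon", "ST Group", "Esile"],
    "first_seen_date": 1341966080,
    "last_seen_date": 1658337941,
    "targeted_regions": ["JP", "PH", "HK", "ID", "TW", "VN"],
    "targeted_industries": ["Military", "Government, Administration"],
    "recent_activity_summary": [30436, 26799, 18676, 35813, 29243],
}}}

if __name__ == "__main__":
    print(actor_url("Comment Crew"))
    # The watchlist values below are assumptions for illustration.
    print(summarize(SAMPLE, my_regions={"TW", "DE"}, my_industries={"Military"}))
```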
Relationships
In addition to the previously described attributes, threat actor objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.
The following table shows a summary of available relationships.
Relationship | Return object type |
---|---|
collections | List of Collections |
comments | List of Comments |
references | List of References |
related_domains | List of Domains |
related_files | List of Files |
related_ip_addresses | List of IP addresses |
related_references | List of References |
related_urls | List of URLs |