The Lenaean Breeder Taxonomy
A Scientific Classification System for Threat Actor Doctrines
Overview
The Lenaean Breeder Taxonomy extends the principles of the Lenaean Taxonomy to the operator side of the M&M ecosystem. Where the Lenaean Taxonomy classifies Malmons by observable behavior, the Breeder Taxonomy classifies threat actor doctrines by operational character: tempo, risk tolerance, preferred kill-chain stage, and strategic objective.
Vendor-assigned names — the BEARs, PANDAs, SPIDERs, and KITTENs of commercial threat intelligence — are explicitly excluded. They violate three of the five Lenaean Guiding Principles: they encode attribution bias (Principle 1), often glorify the actor through memorable branding (Principle 2), and anchor identity to ancestry rather than behavior (Principle 3). The Breeder Taxonomy closes these risks by inheritance, not new policy.
The Naming Structure
Every Breeder receives a four-part scientific designation:
`<Geography><Doctrine> <Motivation> (<Era>)`
1. Geography — Regional Prefix
A Latin regional marker fused directly to the Doctrine Kingdom name. Factual and attribution-neutral — describes operational provenance as documented in open sources, not political allegiance.
| Prefix | Region |
|---|---|
| Borealis | Northern Europe, Russia, CIS |
| Orientalis | East Asia (China, Korea, Japan, SE Asia) |
| Persica | Middle East and Iran |
| Meridionalis | South Asia, Southeast Asia |
| Atlantica | North America, Western Europe |
| Australis | Sub-Saharan Africa, Southern Hemisphere |
| Globalis | Multi-regional or unattributed |
2. Doctrine Kingdom — Operational Character (-ica suffix)
Five kingdoms encoding operational doctrine. See full definitions below.
- Aggressica — Speed, noise, and shock
- Patientica — Dwell time and depth
- Opportunica — Adaptability and target-of-opportunity exploitation
- Ideologica — Narrative and psychological operations
- Insidica — Insider access and supply-chain positioning
3. Motivation — Strategic Objective (-or suffix)
| Suffix | Objective |
|---|---|
| Espionor | Intelligence collection and exfiltration |
| Cryptor | Financial gain through encryption or extortion |
| Sabotor | Disruption, destruction, or denial |
| Insidor | Long-term access, pre-positioning |
| Propagandor | Influence, disinformation, narrative shaping |
4. Era — Decade of Peak Activity
Parenthetical decade marker: 2000s, 2010s, 2020s. Signals operational maturity and the threat landscape in which the doctrine was optimised.
The Five Doctrine Kingdoms
Aggressica — The Strike Doctrine
“Speed is superiority. Noise is acceptable. The first-mover advantage outweighs operational security.”
Aggressica operators move fast and accept detection risk in exchange for impact. They favour destructive or disruptive payloads, zero-day expenditure, and parallel campaign threading. Dwell time is measured in days, not months. Attribution is tolerated as a side effect of operational tempo.
Signature behaviors:
- Rapid initial access → lateral movement → payload deployment pipeline
- High exploit expenditure; zero-days consumed without hoarding
- Parallel targeting of multiple victims in a single campaign window
- Destructive or high-visibility payloads (wipers, ransomware, DDoS)
- Low investment in post-exploitation stealth; persistence is secondary
Doctrine Bonus: +1 to Exploit and Lateral Movement TTPs; -1 to Persistence TTPs
Special Mechanic — BLITZ: Once per game, the Aggressica player may burn a zero-day. Apply +3 to the next attack roll. Immediately trigger a Detection check — the aggressive expenditure leaves forensic artifacts. Success on the Detection check does not cancel the bonus; it simply adds an evidence breadcrumb for the Blue team.
Patientica — The Dwell Doctrine
“Access is the asset. The longer you remain undetected, the deeper the intelligence harvest.”
Patientica operators treat discovery as mission failure. They invest heavily in persistence mechanisms, redundant access paths, and low-signal exfiltration. Campaigns are measured in months or years. Infrastructure is rotated slowly to avoid detection-signature accumulation. The final-stage payload may never be deployed — the collection itself is the product.
Signature behaviors:
- Extended pre-exploitation reconnaissance before first access attempt
- Multiple overlapping persistence mechanisms (scheduled tasks, registry, firmware)
- Low-and-slow exfiltration via encrypted channels mimicking legitimate traffic
- Redundant C2 infrastructure with long-cycle beaconing intervals
- Deliberate footprint minimisation; Living-off-the-Land preference
Doctrine Bonus: +1 to Persistence and Exfiltration TTPs; -1 to Phishing/SE TTPs
Special Mechanic — NEST: Once per game, the Patientica player may declare a NEST turn. Skip all offensive actions for that round. If the Blue team fails to score a detection event during the NEST turn, the Patientica player gains +2 to all Persistence rolls in the following round, representing deepened implant consolidation.
Opportunica — The Pivot Doctrine
“Target lock is a luxury. The best attack surface is whichever one opened today.”
Opportunica operators are structurally adaptable. They maintain broad initial-access tooling, shift targets based on newly published vulnerabilities or leaked credentials, and pivot between attack vectors rapidly when one is contained. They favour identity-based attacks because credentials are portable across environments.
Signature behaviors:
- Credential harvesting as primary first-stage activity
- Rapid retargeting when a vector is blocked — containment of vector A does not close vector B
- Heavy reliance on commodity tooling and criminal-market access brokers
- Social engineering leveraging impersonation of IT, HR, and helpdesk functions
- Targeting of identity providers (Okta, Azure AD, SSO systems) before network pivoting
Doctrine Bonus: +1 to Credential and Phishing/SE TTPs; -1 to Persistence TTPs
Special Mechanic — PIVOT: Once per game, the Opportunica player may switch attack vector mid-sequence for 1 action at no cost. A Blue team containment action applied to the previous vector does not carry over to the new vector. The pivot must be declared before the Blue team resolves their containment action for that round.
Ideologica — The Narrative Doctrine
“The most effective exploit targets cognition. Systems follow people.”
Ideologica operators prioritise psychological access over technical access. Spearphishing campaigns are meticulously researched. Personas are sustained over weeks. The goal may not be data — it may be influence, disinformation seeding, or the erosion of institutional trust. Technical TTPs serve the narrative objective.
Signature behaviors:
- Highly personalised spearphishing using OSINT-derived social context
- Sustained persona operations (fake researchers, journalists, diplomatic contacts)
- Disinformation campaigns coordinated with technical intrusion timing
- Targeting of policy influencers, journalists, academics, and civil society
- Technical exploitation as secondary to social-engineering entry
Doctrine Bonus: +1 to Phishing/SE TTPs; -1 to Exploit TTPs
Special Mechanic — WHISPER: Once per turn, the Ideologica player may re-roll any social-engineering check and take the higher result. However, each WHISPER activation leaves one evidence breadcrumb (a forensic artifact the Blue team may collect). Breadcrumbs accumulate; three breadcrumbs trigger a mandatory attribution-analysis round for the Blue team.
Insidica — The Supply Chain Doctrine
“The hardest perimeter to defend is the one you built yourself, with someone else’s code.”
Insidica operators access targets through trusted relationships: software vendors, managed service providers, contractor accounts, hardware supply chains. Initial access is not forced — it is inherited from a legitimate trust relationship. Detection is impeded because the traffic and credentials look authorised.
Signature behaviors:
- Compromise of software build pipelines, update mechanisms, or vendor portals
- Use of valid credentials belonging to trusted third parties
- Targeting MSPs, IT contractors, and SaaS providers as pivot infrastructure
- Long-dwell supply-chain positioning before activation against final targets
- Hardware or firmware implants in the delivery chain
Doctrine Bonus: +1 to Credential TTPs; -1 to Exfiltration TTPs (trusted-channel access reduces the marginal difficulty of exfiltration only modestly — the real payoff is access, not extraction speed)
Special Mechanic — BLEND: On the first turn of active exploitation, the Insidica player skips the Detection check entirely. They are already inside — the traffic looks legitimate. Subsequent turns follow normal detection rules. BLEND may only fire once per engagement; once the anomaly baseline is reset, detection proceeds normally.
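As an added example (not part of the taxonomy document itself), a small Python validator for the four-part designation defined under The Naming Structure: it splits the fused `<Geography><Doctrine>` token, checks every part against the tables above, and looks up the kingdom's Doctrine Bonus. The TTP category strings are taken from the Doctrine Bonus lines as written; keying them that way is an assumption about how a game tool would store them.

```python
import re
from dataclasses import dataclass

# Vocabulary copied from the Geography, Doctrine Kingdom, Motivation and Era tables.
GEOGRAPHY = {"Borealis", "Orientalis", "Persica", "Meridionalis", "Atlantica", "Australis", "Globalis"}
KINGDOMS = {"aggressica", "patientica", "opportunica", "ideologica", "insidica"}
MOTIVATIONS = {"Espionor", "Cryptor", "Sabotor", "Insidor", "Propagandor"}
ERAS = {"2000s", "2010s", "2020s"}

# Doctrine Bonus lines from each kingdom entry: TTP category -> roll modifier (assumed keys).
DOCTRINE_BONUS = {
    "aggressica": {"Exploit": 1, "Lateral Movement": 1, "Persistence": -1},
    "patientica": {"Persistence": 1, "Exfiltration": 1, "Phishing/SE": -1},
    "opportunica": {"Credential": 1, "Phishing/SE": 1, "Persistence": -1},
    "ideologica": {"Phishing/SE": 1, "Exploit": -1},
    "insidica": {"Credential": 1, "Exfiltration": -1},
}

# <Geography><Doctrine> is one fused capitalised token; Motivation and (Era) follow it.
_FORM = re.compile(r"^([A-Z][a-z]+)\s+([A-Z][a-z]+)\s+\((\d{4}s)\)$")

@dataclass(frozen=True)
class Designation:
    geography: str
    kingdom: str
    motivation: str
    era: str

    def __str__(self) -> str:
        return f"{self.geography}{self.kingdom} {self.motivation} ({self.era})"

def parse_designation(text: str) -> Designation:
    """Split a designation into its four parts; reject any part absent from the tables."""
    m = _FORM.match(text.strip())
    if not m:
        raise ValueError(f"not of the form <Geography><Doctrine> <Motivation> (<Era>): {text!r}")
    geodoc, motivation, era = m.groups()
    # Peel off a known regional prefix; the remainder must be a known kingdom name.
    split = [(p, geodoc[len(p):]) for p in GEOGRAPHY
             if geodoc.startswith(p) and geodoc[len(p):] in KINGDOMS]
    if not split:
        raise ValueError(f"unknown geography/kingdom pair: {geodoc!r}")
    for part, vocab, what in ((motivation, MOTIVATIONS, "motivation"), (era, ERAS, "era")):
        if part not in vocab:
            raise ValueError(f"unknown {what}: {part!r}")
    return Designation(split[0][0], split[0][1], motivation, era)

def doctrine_bonus(d: Designation) -> dict:
    """Roll modifiers a Breeder of this kingdom applies, keyed by TTP category."""
    return dict(DOCTRINE_BONUS[d.kingdom])
```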
The Five Lenaean Guiding Principles (Restated for Breeders)
The same five principles that govern Malmon classification apply without modification to Breeder classification. They are restated here for operational clarity.
Neutrality: No attribution bias. The system classifies doctrine and behavior, not nationality or political allegiance. Geography markers describe documented operational provenance as recorded in public sources; they carry no normative weight.
No Glorification: The Doctrine Kingdoms and their specimen appendices are scientific records, not leaderboards. Notable specimens are documented for educational accuracy, not celebrated for capability.
Behavior over Ancestry: A Breeder’s Kingdom is determined by operational doctrine, not by who funds them, who their predecessors were, or what government they nominally serve. Doctrinal classification may change across eras if operational character shifts.
Intellectual Humility: The taxonomy is extensible. A sixth Doctrine Kingdom may emerge as threat actor behavior evolves. The system should not be treated as complete.
Coexistence: Lenaean designations complement common names and vendor taxonomies; they do not replace them. An incident report may use both APT28 and Borealisaggressica Espionor (2010s) — they describe different things.
Notable Specimens by Doctrine Kingdom
Real-world threat groups appear here as documented case studies drawn from public threat intelligence. They are not playable factions. Lenaean designations are illustrative, not authoritative attributions.
Aggressica Specimens
| Lenaean Designation | Common Names | Behavioral Note |
|---|---|---|
| Borealisaggressica Sabotor (2010s) | APT28 / FANCY BEAR / Sofacy | GRU-attributed; rapid spearphishing and exploitation campaigns against political, military, and infrastructure targets; accepted high attribution risk in exchange for operational tempo. |
| Borealisaggressica Sabotor (2010s) | Sandworm | BlackEnergy/NotPetya operator; destructive wiper deployment with minimal dwell; willing to burn infrastructure for single high-impact events. |
| Borealisaggressica Cryptor (2020s) | Cl0p (TA505) | Aggressive mass-exploitation of file-transfer vulnerabilities (MOVEit, GoAnywhere) with rapid extortion pipeline; industrialised attack tempo. |
Patientica Specimens
| Lenaean Designation | Common Names | Behavioral Note |
|---|---|---|
| Orientalispatientica Espionor (2020s) | LIMINAL PANDA / MURKY PANDA | Documented multi-year dwell operations in telecommunications infrastructure; low-and-slow exfiltration of call-record metadata. |
| Orientalispatientica Espionor (2010s) | APT41 (espionage track) | Dual-mission operator; Patientica doctrine applied to its nation-state intelligence-collection track; years-long access to technology-sector targets. |
| Persicapatientica Espionor (2010s) | OilRig / APT34 | Long-running Middle East intelligence collection; custom implant maintenance over multi-year campaigns; careful footprint management. |
Opportunica Specimens
| Lenaean Designation | Common Names | Behavioral Note |
|---|---|---|
| Atlanticaopportunica Cryptor (2020s) | UNC3944 / SCATTERED SPIDER / 0ktapus | English-speaking criminal group; identity-provider targeting via social engineering against IT helpdesks; rapid pivot across victims when containment attempted. |
| Globalisopportunica Cryptor (2020s) | Lapsus$ | OSINT-driven credential attacks; SIM swapping; insider recruitment; rapid chained compromise of multiple high-value targets in short windows. |
| Globalisopportunica Espionor (2010s) | FIN7 | Opportunistic financial sector targeting; adapted TTPs rapidly in response to law enforcement and containment; victim retargeting after partial disruption. |
Ideologica Specimens
| Lenaean Designation | Common Names | Behavioral Note |
|---|---|---|
| Persicaideologica Espionor (2010s) | CHARMING KITTEN / APT42 | Highly personalised spearphishing against journalists, academics, and policy figures; sustained persona operations; narrative-driven targeting. |
| Persicaideologica Propagandor (2010s) | MuddyWater / MERCURY | Multi-layer social-engineering campaigns; targets civil society and government; psychological access as primary vector before technical exploitation. |
| Borealisideologica Propagandor (2010s) | Ghostwriter | Coordinated disinformation campaigns with technical intrusion support; narrative objective primary, data exfiltration secondary. |
Insidica Specimens
| Lenaean Designation | Common Names | Behavioral Note |
|---|---|---|
| Orientalisinsidica Espionor (2020s) | FAMOUS CHOLLIMA / Lazarus Group (IT worker track) | Documented insertion of DPRK-affiliated IT workers into Western companies; insider access leveraged for long-term financial and intelligence collection. |
| Orientalisinsidica Espionor (2010s) | LAZARUS GROUP (supply chain track) | SolarWinds-era supply-chain methodology; compromise of software build pipelines; trusted-channel access to thousands of downstream targets. |
| Orientalisinsidica Insidor (2010s) | APT41 (criminal track) | Supply-chain and gaming-industry targeting; hardware and software supply-chain manipulation for persistent access. |