A threat group is a cluster of intrusion activity that analysts treat as the work of one coordinated set of attackers because it shares tools, goals, infrastructure, or operating habits. The label describes the activity, not a named person or organization: it is used when the same patterns recur across multiple intrusions but the analysts cannot, or choose not to, attribute every action to a specific individual.
This matters because grouping attacks lets defenders connect scattered events into one campaign. A threat group may reuse malware, phishing themes, command-and-control servers, or the same account-abuse techniques across different targets, and each reused element is a pivot point for finding the rest of the campaign. In practice, security teams use this attribution to prioritize alerts, hunt for related activity, block shared infrastructure, and tune controls such as identity protection, segmentation, and anomaly detection. A shared indicator is not proof of a shared operator, however: commodity malware, rented hosting, and public tooling are used by many unrelated actors, so analysts weight overlaps by how unique they are and attach a confidence level to the grouping. Even when attribution is uncertain, recognizing a coordinated group can reveal the attacker's likely objectives and forces the attacker to rebuild infrastructure and tooling, which makes repeated operations harder to scale.
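The clustering step described above, as an added example that is not part of the original page: a small union-find over constructed intrusion records links any two cases that share a non-commodity indicator, then lists the indicators that recur inside each resulting group as the pivot points worth blocking and hunting on. All incident IDs, hashes, lure themes and addresses are hypothetical (the IPs come from the documentation ranges), and the `COMMODITY` set stands in for whatever an analyst knows to be widely shared tooling.

```python
from collections import defaultdict

# Constructed sample intrusion records (hypothetical indicators, not real IOCs).
INTRUSIONS = [
    {"id": "INC-1", "victim": "bank-a", "indicators": {"c2:198.51.100.7", "hash:aaa111", "lure:invoice"}},
    {"id": "INC-2", "victim": "bank-b", "indicators": {"c2:198.51.100.7", "hash:bbb222", "lure:shipping"}},
    {"id": "INC-3", "victim": "retailer", "indicators": {"hash:bbb222", "lure:invoice"}},
    {"id": "INC-4", "victim": "hospital", "indicators": {"c2:203.0.113.9", "hash:ccc333"}},
    {"id": "INC-5", "victim": "law-firm", "indicators": {"c2:203.0.113.9", "lure:resume"}},
    {"id": "INC-6", "victim": "ngo", "indicators": {"hash:bbb222", "hash:ddd444"}},
]

# Indicators known to be shared by many unrelated actors (e.g. a widely sold loader)
# are too weak on their own to link two cases. Hypothetical value for the example.
COMMODITY = frozenset({"hash:bbb222"})


def cluster_intrusions(records, weak_indicators=frozenset()):
    """Group intrusions that share at least one non-weak indicator (transitively).

    Returns a sorted list of sorted lists of intrusion IDs, one inner list per group.
    """
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        # Path-halving union-find lookup.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # indicator -> first intrusion ID that carried it
    for r in records:
        for ind in r["indicators"]:
            if ind in weak_indicators:
                continue  # commodity overlap alone does not justify a link
            if ind in first_seen:
                union(first_seen[ind], r["id"])
            else:
                first_seen[ind] = r["id"]

    groups = defaultdict(list)
    for r in records:
        groups[find(r["id"])].append(r["id"])
    return sorted(sorted(g) for g in groups.values())


def shared_indicators(records, group_ids, weak_indicators=frozenset()):
    """Indicators that recur in two or more intrusions of one group.

    These are the pivot points: infrastructure to block and artifacts to hunt for.
    """
    by_id = {r["id"]: r for r in records}
    counts = defaultdict(int)
    for gid in group_ids:
        for ind in by_id[gid]["indicators"]:
            if ind not in weak_indicators:
                counts[ind] += 1
    return sorted(ind for ind, n in counts.items() if n >= 2)


if __name__ == "__main__":
    for group in cluster_intrusions(INTRUSIONS, COMMODITY):
        print(group, "pivots:", shared_indicators(INTRUSIONS, group, COMMODITY))
```

Run without the `COMMODITY` filter and INC-6 is pulled into the first group purely because it carries the same commodity loader hash; with the filter it stays a separate, lower-confidence cluster of one. That difference is the practical reason for weighting indicators by uniqueness before calling a set of cases one group.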



