Published: March 2026 | Last reviewed: March 22, 2026
// actor_attribution
Know Who Is Behind the Threat
The Actor Attribution Explorer profiles 166 threat actors across 32 nations. Each actor profile includes MITRE ATT&CK technique mapping, tooling arsenal, operational tradecraft, associated campaigns, and cross-actor correlation through a radial mind-map visualization.
What You Get Per Actor
Every actor profile is a structured intelligence dossier built from cross-referencing the threats, IOCs, detections, and MITRE techniques associated with that actor across the entire Threadlinqs dataset.
Radial Mind-Map
Interactive visualization with 8 branch categories (MITRE, IOCs, Timeline, CVEs, Tools, Detections, Targets, Related Actors). Pan, zoom, and expand branches to explore relationships.
MITRE Heatstrip
Technique-level coverage map showing which ATT&CK techniques the actor uses most frequently across their tracked campaigns.
Arsenal Analysis
Cataloged tooling including custom malware families, open-source tools, living-off-the-land binaries, and shared infrastructure.
Operational Tradecraft
Behavioral patterns extracted from campaign analysis: preferred initial access vectors, persistence mechanisms, C2 protocols, and exfiltration methods.
Cross-Actor Correlation
Shared IOCs, techniques, and infrastructure links between actors. Identifies tool sharing, supply chain relationships, and operational overlap.
Nation-State Mapping
Attribution to nation-state sponsors with confidence assessment, aliases across vendor naming conventions, and geopolitical context.
Top Nation-State Origins
Threat actors are tracked across 32 nations. The distribution reflects the current state of the global cyber threat landscape as observed through active campaign analysis.
Sample Actor Profile
Below is a condensed view of the data available for each threat actor. The full profile includes expandable branches for every category.
ACTOR PROFILE
Actor: Volt Typhoon
Aliases: BRONZE SILHOUETTE, Vanguard Panda, DEV-0391
Nation: China (PRC)
Category: APT / Espionage
Active: 2021 - present
Threats: 7 linked reports
MITRE Techniques (Top 5):
  T1190 Exploit Public-Facing Application
  T1059 Command and Scripting Interpreter
  T1078 Valid Accounts
  T1021 Remote Services
  T1027 Obfuscated Files or Information
Arsenal:
  Living-off-the-Land (LOLBins), Impacket, netsh,
  certutil, wmic, PowerShell (minimal), built-in
  Windows tools for lateral movement
Targets:
  Critical infrastructure, telecommunications,
  utilities, government, maritime, education
Actor Categories
Actors are classified by operational motivation and organizational structure to help prioritize your defensive focus.
- APT / Nation-State -- State-sponsored groups with strategic intelligence objectives
- Cybercrime / RaaS -- Financially motivated groups operating ransomware and extortion schemes
- Espionage -- Long-term access operations focused on data theft and surveillance
- Hacktivist -- Ideologically motivated groups targeting specific organizations or governments
- MaaS Operators -- Malware-as-a-Service providers distributing access to multiple buyer groups
- Initial Access Brokers -- Specialist groups selling network access to downstream operators
// author
Threadlinqs Intel Team
Security Engineer at Threadlinqs Intelligence. Researching active threats, building detection rules, and mapping adversary tradecraft across SPL, KQL, and Sigma.
medium.com/@hatim.bakkali10