// actor_attribution_explorer

214 Threat Actors Profiled

Nation-state intelligence, adversary dossiers, and cross-actor correlation. Map threat actors to their techniques, infrastructure, tools, and targets across your entire threat landscape.

214 tracked_actors
38 nation_states
465 mitre_techniques
5,575 ioc_correlations
1,897 detection_rules
160+ threat_timelines
// what_is_actor_attribution

From IOCs to Adversaries

Actor attribution connects individual threat events into cohesive adversary profiles, revealing the who behind the what. By mapping techniques, infrastructure, tooling, and targets across hundreds of threat reports, the Attribution Explorer surfaces patterns that link disparate campaigns to the same operators.

Every profile is built from real intelligence: MITRE ATT&CK technique frequency, IOC clustering, shared infrastructure analysis, detection rule coverage, and temporal correlation of campaign timelines. The result is a living dossier for each tracked group, continuously enriched as new threats are ingested.

[ nation_state_mapping ]

Nation-State Intelligence

38 countries mapped to their attributed threat actors. Filter by nation, view geopolitical context, and track state-sponsored campaigns targeting your sector.

[ mitre_profiling ]

Technique Profiling

465 MITRE ATT&CK techniques mapped per actor. See which tactics each group favors, identify overlaps between actors, and prioritize detection coverage.

[ ioc_correlation ]

IOC Correlation Engine

Cross-reference 5,575 indicators across actor profiles. Shared infrastructure, domain patterns, and behavioral fingerprints reveal hidden connections between groups.

[ detection_coverage ]

Detection Coverage Map

1,897 detection rules tied to specific actors. SPL, KQL, and Sigma rules with coverage scores showing your visibility into each group's known tradecraft.

[ timeline_analysis ]

Campaign Timeline

Temporal analysis of actor activity across 160+ threat events. Track campaign cadence, identify dormant groups re-emerging, and correlate activity spikes.

[ arsenal_tracking ]

Arsenal & Tooling

Map each actor's preferred tools, malware families, and exploit chains. From commodity RATs to custom implants, understand the arsenal before it hits your network.

// actor_profiles

Browse Threat Actor Profiles

Filter by nation-state, motivation, or severity. Click any row to expand the profile summary with key metrics, top techniques, arsenal, and target sectors.

APT29 / Cozy Bear
aka Midnight Blizzard, NOBELIUM, The Dukes
Russia
12 threats
// mitre_techniques
47
// iocs_linked
312
// detection_rules
89
// top_tactics
  • T1566 Phishing
  • T1078 Valid Accounts
  • T1071 Application Layer Protocol
// arsenal
  • FoggyWeb
  • MagicWeb
  • SUNBURST
// targets
  • Government
  • Technology
  • Healthcare
APT41 / Wicked Panda
aka BARIUM, Winnti Group, Double Dragon
China
9 threats
// mitre_techniques
52
// iocs_linked
287
// detection_rules
76
// top_tactics
  • T1190 Exploit Public-Facing App
  • T1059 Command & Scripting
  • T1005 Data from Local System
// arsenal
  • ShadowPad
  • PlugX
  • Winnti Backdoor
// targets
  • Gaming
  • Telecom
  • Healthcare
Lazarus Group
aka HIDDEN COBRA, Zinc, APT38
DPRK
11 threats
// mitre_techniques
39
// iocs_linked
248
// detection_rules
64
// top_tactics
  • T1566.001 Spearphishing
  • T1486 Data Encrypted for Impact
  • T1027 Obfuscated Files
// arsenal
  • DTrack
  • ELECTRICFISH
  • AppleJeus
// targets
  • Financial
  • Cryptocurrency
  • Defense
APT33 / Elfin
aka Holmium, Refined Kitten, Magnallium
Iran
7 threats
// mitre_techniques
31
// iocs_linked
156
// detection_rules
42
// top_tactics
  • T1583 Acquire Infrastructure
  • T1110 Brute Force
  • T1053 Scheduled Task/Job
// arsenal
  • Shamoon
  • TURNEDUP
  • StoneDrill
// targets
  • Energy
  • Aerospace
  • Petrochemical
Sandworm / Voodoo Bear
aka IRIDIUM, Seashell Blizzard, Telebots
Russia
14 threats
// mitre_techniques
58
// iocs_linked
401
// detection_rules
103
// top_tactics
  • T1495 Firmware Corruption
  • T1529 System Shutdown/Reboot
  • T1562 Impair Defenses
// arsenal
  • NotPetya
  • Industroyer
  • CaddyWiper
// targets
  • Energy / ICS
  • Government
  • Transportation
// dossier_view

Full Actor Dossier

Each actor profile opens into a tabbed dossier with six intelligence sections. Techniques, indicators, detection rules, campaign timelines, arsenal, and CVE exploitation history are all linked to the source threats.

APT29 / Cozy Bear

Russia // SVR
// initial_access
  • T1566 Phishing
  • T1195 Supply Chain
  • T1078 Valid Accounts
// execution
  • T1059.001 PowerShell
  • T1204 User Execution
// persistence
  • T1098 Account Manipulation
  • T1547 Boot/Logon Autostart
// defense_evasion
  • T1027 Obfuscated Files
  • T1070 Indicator Removal
  • T1036 Masquerading
// collection
  • T1114 Email Collection
  • T1005 Data from Local System
// command_and_control
  • T1071 Application Layer
  • T1573 Encrypted Channel
// sample_detection_rule — spl
index=proxy OR index=firewall
| search dest_ip IN ("185.*.*.21", "91.*.*.44")
| bin _time span=1h
| stats count by src_ip, dest_ip, dest_port, _time
| where count > 3
| lookup threat_intel_ioc indicator AS dest_ip OUTPUT actor, confidence
| where actor="APT29" AND confidence>=80
// known_tools
  • FoggyWeb
  • MagicWeb
  • SUNBURST
  • TEARDROP
  • EnvyScout
  • GoldMax
  • Cobalt Strike
// exploited_cves
  • CVE-2023-42793
  • CVE-2023-23397
  • CVE-2021-26855
  • CVE-2020-14882
  • CVE-2019-17026
// first_seen
2008
// last_campaign
March 2026
// detection_coverage
87%
// cross_actor_correlation

Cross-Actor Intelligence

The correlation engine identifies shared infrastructure, overlapping toolsets, and coordinated campaign timing between distinct threat actors. These links surface when multiple groups share C2 domains, exploit the same zero-day within days, or use identical custom implant variants.

Shared Infrastructure Cluster

Three Russian-attributed groups operating from overlapping ASNs and using the same bulletproof hosting provider during Q1 2026 campaigns.

APT29, Sandworm, Gamaredon
14 shared IPs

Tool Overlap: ShadowPad Variants

ShadowPad modular backdoor deployed by multiple China-nexus groups with distinct configurations but shared C2 protocol signatures.

APT41, APT10, Bronze Atlas
3 malware families

Coordinated Exploitation Window

Three unrelated groups exploited CVE-2023-42793 (TeamCity) within 72 hours of each other, suggesting shared vulnerability intelligence or a common broker.

APT29, Lazarus Group, Andariel
1 shared CVE, 72hr window

Behavioral Fingerprint Match

DNS tunneling patterns, beacon intervals, and jitter configurations match across campaigns attributed to Iranian groups operating under different aliases.

APT33, APT34, MuddyWater
6 behavioral matches
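The two link types this section and the IOC Correlation Engine feature describe (indicators shared across actor profiles, and several actors exploiting the same CVE inside a short window), as an added example that is not the platform's own code. It runs over constructed profiles with RFC 5737 documentation addresses and made-up first-seen dates, and assumes indicators are plain strings and exploitation history is keyed by first-observed date.

```python
# Added example (not the platform's code): cross-actor correlation over constructed profiles.
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

# Constructed profiles (actor -> indicators); IPs are RFC 5737 documentation addresses.
INFRA = {
    "APT29": {"203.0.113.21", "198.51.100.44", "update-cdn.example"},
    "Sandworm": {"203.0.113.21", "198.51.100.44", "203.0.113.77"},
    "Gamaredon": {"203.0.113.21", "198.51.100.9"},
    "APT41": {"192.0.2.5"},
}

# Constructed first-observed exploitation date per actor and CVE.
EXPLOITS = {
    "APT29": {"CVE-2023-42793": date(2023, 10, 1)},
    "Lazarus": {"CVE-2023-42793": date(2023, 10, 2)},
    "Andariel": {"CVE-2023-42793": date(2023, 10, 3)},
    "APT41": {"CVE-2023-42793": date(2023, 12, 15), "CVE-2021-26855": date(2021, 3, 5)},
}

def shared_infrastructure(infra, min_actors=2):
    """Indicators present in at least min_actors profiles -> sorted list of owners."""
    owners = defaultdict(set)
    for actor, iocs in infra.items():
        for ioc in iocs:
            owners[ioc].add(actor)
    return {i: sorted(a) for i, a in owners.items() if len(a) >= min_actors}

def infrastructure_clusters(infra, min_shared=2):
    """Actor pairs sharing at least min_shared indicators -> number shared."""
    return {(a, b): len(infra[a] & infra[b])
            for a, b in combinations(sorted(infra), 2)
            if len(infra[a] & infra[b]) >= min_shared}

def coordinated_exploitation(exploits, window_hours=72):
    """Per CVE, the largest actor group whose first-seen dates fall within the window."""
    window = timedelta(hours=window_hours)
    by_cve = defaultdict(list)
    for actor, cves in exploits.items():
        for cve, seen in cves.items():
            by_cve[cve].append((seen, actor))
    result = {}
    for cve, events in by_cve.items():
        events.sort()  # sliding window over chronologically ordered sightings
        best = []
        for i, (start, _) in enumerate(events):
            group = [a for d, a in events[i:] if d - start <= window]
            best = group if len(group) > len(best) else best
        if len(best) >= 2:
            result[cve] = best
    return result
```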
// get_started

Map Your Adversaries

214 threat actors. 38 nation-states. Full dossiers with techniques, IOCs, detections, and timelines. Start exploring the actors targeting your industry.
