Threat Actor Catalog
The named groups behind today's intrusions. Filter by motivation, search by name or alias, and click through to exploited CVEs and attributed campaigns. Curated from MITRE ATT&CK Groups plus open-source threat intelligence.
Methodology
The catalog starts from MITRE ATT&CK Groups, the canonical public registry of named intrusion sets, and currently holds 172+ actors. On top of that base we attach per-CVE attribution drawn from public threat intelligence: Trend Micro reports, Mandiant write-ups, ThreatPost coverage, and government advisories from CISA, NCSC, and CERT teams. Where two independent sources agree that a given group has weaponised a given CVE, the link is added; where only one source has named it, the link is held until a second source concurs.
The catalog refreshes daily via api/cron/threat-intel-ingest.php, which pulls curated CVE-to-actor mappings, reconciles aliases (APT29 = Cozy Bear = Midnight Blizzard), and updates last-seen timestamps. Curation favours verifiable attribution over speculation. Vendor-only naming (one analyst report, no corroboration) does not promote a group into the main list. This is deliberate: a thinner catalog of well-attested actors is more useful for prioritisation than a sprawling one that mixes solid attribution with marketing names.
Where MITRE ATT&CK does not formally track a group (most ransomware affiliates fall in this gap), we add them from leak-site monitoring and CISA #StopRansomware advisories. The result is one surface that covers nation-state APTs, ransomware operators, financially motivated cybercrime crews, and hacktivist groups in a single browsable index.
How to use the catalog
Security teams use the actor catalog in four common ways:
- Sector targeting research. Filter by motivation, then read group profiles to see which industries each actor has historically hit. Useful for sector-level threat models and board reporting.
- CVE-to-actor mapping for patch prioritisation. If your scanner flags a CVE, click through to see which actors have used it. A KEV CVE attached to three nation-state groups gets a different SLA than one with no attributed exploitation.
- Tactic clustering by motivation. The motivation facet (nation-state, ransomware, cybercrime, hacktivism) groups actors who share goals and therefore tradecraft. Helpful for tabletop exercises and red-team scoping.
- Pivot to the ransomware tracker. Groups with active leak sites link to /ransomware, where you can see victim posts, sector concentration, and 30-day momentum without leaving the site.
The catalog is read-only and indexable. There is no login wall on actor profiles, CVE links, or the index itself. The intended use is reference material that a security analyst can land on from a Google search and use immediately.
Frequently asked questions
What is a threat actor?
A named group (or individual) that conducts intrusions, espionage, fraud, or extortion. Naming lets defenders cluster intrusions that share infrastructure, tooling, or tradecraft, so a CVE alert tied to APT29 carries different urgency than the same CVE tied to a low-skill commodity crew.
How is this different from MITRE ATT&CK Groups?
MITRE ATT&CK Groups is the canonical base. We layer per-CVE attribution from public threat intel feeds (Trend Micro, Mandiant, ThreatPost, government advisories) on top, plus the ransomware groups MITRE does not track formally. The result is a single catalog where you can pivot from a CVE to the actors known to weaponise it.
Why do you list ransomware groups under "Threat actors" too?
Because they are. Operationally, LockBit and Cl0p run intrusions that look a lot like espionage groups: initial access via known CVEs, lateral movement, data theft. Listing them here lets defenders treat the actor list as one surface. The dedicated ransomware tracker still exists for leak-site activity.
How often is it updated?
Daily. The ingest job refreshes curated CVE-to-actor mappings every 24 hours. Newly named groups are added when two independent public sources concur on attribution; speculative names are held back until they harden.
How do you handle attribution disputes?
Conservatively. If two reputable sources disagree on whether an intrusion is APT28 or APT29, the CVE is tagged with both and the dispute is surfaced on each actor profile rather than picked. Speculative groups (one-source claims, vendor-only naming) are not promoted to the main catalog.
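The two curation rules described in the methodology and in this answer (a CVE-to-actor link is added only when two independent sources agree, and a disagreement between sources tags the CVE with both actors and surfaces the dispute) are straightforward to express in code. The following is an added example, not the site's own ingest job (api/cron/threat-intel-ingest.php is not shown on the page); the alias table, the source names and the CVE identifiers are constructed for illustration, with only the APT29 alias row taken from the page's text:

```python
from collections import defaultdict

# Constructed alias table: vendor names collapse onto one canonical actor.
# Only the APT29 row (Cozy Bear, Midnight Blizzard) comes from the page.
ALIASES = {
    "apt29": "APT29",
    "cozy bear": "APT29",
    "midnight blizzard": "APT29",
    "apt28": "APT28",
    "fancy bear": "APT28",
}


def canonical(name):
    """Map any alias (case-insensitive) to its canonical actor name."""
    key = name.strip().lower()
    return ALIASES.get(key, name.strip())


# Constructed sample reports: (source, actor as the source named it, CVE).
# The CVE ids are placeholders, not real vulnerabilities.
REPORTS = [
    ("vendor-a", "Cozy Bear", "CVE-0000-0001"),
    ("govt-advisory-b", "Midnight Blizzard", "CVE-0000-0001"),
    ("vendor-a", "APT28", "CVE-0000-0002"),          # single source: held
    ("vendor-c", "APT28", "CVE-0000-0003"),
    ("govt-advisory-d", "APT29", "CVE-0000-0003"),   # sources disagree: dispute
    ("vendor-a", "Fancy Bear", "CVE-0000-0003"),
]


def reconcile(reports, min_sources=2):
    """Apply the corroboration and dispute rules to a list of reports.

    Returns {cve: {"attributed": [...], "held": [...], "disputed": bool}}.
    Sources are counted per actor as a set, so one vendor repeating a claim
    does not count as independent corroboration.
    """
    evidence = defaultdict(lambda: defaultdict(set))  # cve -> actor -> sources
    for source, actor, cve in reports:
        evidence[cve][canonical(actor)].add(source)

    result = {}
    for cve, by_actor in evidence.items():
        all_sources = set().union(*by_actor.values())
        if len(by_actor) > 1 and len(all_sources) >= min_sources:
            # Independent sources name different actors: tag every named
            # actor and surface the dispute instead of picking a winner.
            result[cve] = {"attributed": sorted(by_actor), "held": [],
                           "disputed": True}
            continue
        attributed = sorted(a for a, s in by_actor.items() if len(s) >= min_sources)
        held = sorted(a for a, s in by_actor.items() if len(s) < min_sources)
        result[cve] = {"attributed": attributed, "held": held, "disputed": False}
    return result


def actors_for_cve(links, cve):
    """Actors a scanner hit on `cve` should be prioritised against."""
    return links.get(cve, {}).get("attributed", [])


if __name__ == "__main__":
    for cve, link in sorted(reconcile(REPORTS).items()):
        flag = " (disputed)" if link["disputed"] else ""
        print(f"{cve}: attributed={link['attributed']} held={link['held']}{flag}")
```

Note the third sample CVE: a lone claim from one source would normally be held, but because other independent sources name a different actor for the same CVE, the disagreement itself is the signal, and both actors are tagged with the dispute flag set. Held links are kept in the output so that a later report from a second source can promote them without re-ingesting the first.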
Can I export this data?
Yes. Enterprise plans get TAXII 2.1 at /taxii2/ and a MISP-compatible feed at /api/misp/events. Both expose the same actor catalog plus per-CVE attribution as STIX objects, suitable for ingest into a TIP or SIEM.