APTs and Elephants
It's wrinkly – it's leathery – it's pointy – it's an APT!

The threat landscape is scattered with animals: pandas, bears, and even kittens — all dangerous cyber creatures. There are even sandworms and sandstorms. These names are commonly used by vendors, researchers and threat intelligence companies to designate APTs, Advanced Persistent Threats. Each company has its own nomenclature: Microsoft uses a weather system, Palo Alto’s Unit 41 references star constellations, and in 2013, Mandiant (now Google) published a report on the initial APT1, which is associated with the Chinese government. MITRE maintains an extensive list of commonly known threat actor groups; threat intelligence researchers usually keep their own “Spreadsheet of Doom”, a Who’s Who of threat actors.

Newcomers to cyber threat intelligence (CTI) examine such a list and observe that Magic Hound is also called TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, or Mint Sandstorm. They are then tempted to draw a big equals sign between all these names. Which name to use is left to the author or their employer; sometimes, it is simply what initially stuck in public perception. For example, I read more about “Charming Kitten” and less about “Magic Hound”.

However, APTs are a construct.

They are not clear-cut entities.

Rather, these names are similar to blind people who touch an elephant for the first time and each describe their impression of what an elephant is (Sinology side note: 盲人摸象). Each company requires data to form any threat intelligence. For those who sit at the intelligence source, this means customer data, such as agents running on customer devices, or employees responding to customer incidents. Sophos serves many SMEs, which means their data is based on small companies that are often easily compromised. Google Mandiant responds to incidents at Fortune 500 companies, which operate on a global scale and usually have a decent security posture. Kaspersky has lost a lot of Western customers since the war in Ukraine started, which means their customers are now in other parts of the world, with different IT environments than in Europe. Consequently, the data that formed “Magic Hound” won’t be identical to the data that constructed “Charming Kitten”. Based on some similarities, however, they are commonly grouped together. As a result, analysts see the various names of a group on MITRE’s web site and use the names interchangeably, which is imprecise and misses this key background knowledge.

And what distinguishes your run-of-the-mill script kiddie from an APT? What turns a UNC (UNCategorized threat actor, Mandiant) into a Kitten (threat actor linked to Iran, CrowdStrike)? Most vendors have their “secret magic sauce” that marks the birth of a threat group. As an open-source, vendor-neutral rule of thumb: an activity group can be formed when two vertices of the Diamond Model overlap across intrusions or campaigns, for example overlaps in infrastructure and victims. Note that this need not be an “APT”; and every company will have its own methodology of what constitutes “their” APTs.
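The Diamond Model rule of thumb above, written out as code (an added illustration, not code from the post): two intrusions are linked when they overlap on at least two of the four vertices, and the connected components of those links are the candidate activity groups. The intrusion records, names and indicator values are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import combinations

# The four Diamond Model vertices recorded for each intrusion.
VERTICES = ("adversary", "infrastructure", "capability", "victim")

@dataclass
class Intrusion:
    name: str
    adversary: set = field(default_factory=set)
    infrastructure: set = field(default_factory=set)
    capability: set = field(default_factory=set)
    victim: set = field(default_factory=set)

def overlapping_vertices(a, b):
    """Vertices on which two intrusions share at least one observed value."""
    return [v for v in VERTICES if getattr(a, v) & getattr(b, v)]

def activity_groups(intrusions, min_overlap=2):
    """Link intrusions that overlap on >= min_overlap vertices and return the
    connected components (candidate activity groups) plus the linking evidence."""
    parent = {i.name: i.name for i in intrusions}   # union-find forest
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    evidence = []
    for a, b in combinations(intrusions, 2):
        shared = overlapping_vertices(a, b)
        if len(shared) >= min_overlap:
            parent[find(a.name)] = find(b.name)
            evidence.append((a.name, b.name, shared))
    groups = {}
    for i in intrusions:
        groups.setdefault(find(i.name), []).append(i.name)
    return sorted(sorted(g) for g in groups.values()), evidence

# Constructed sample intrusions (hypothetical values, not real indicators).
SAMPLE_INTRUSIONS = [
    Intrusion("INC-1", infrastructure={"c2.example.invalid"}, capability={"loader-A"}, victim={"energy"}),
    Intrusion("INC-2", infrastructure={"c2.example.invalid"}, victim={"energy"}),
    Intrusion("INC-3", capability={"loader-A"}, victim={"telecom"}),
    Intrusion("INC-4", infrastructure={"other.example.invalid"}, victim={"telecom"}),
]

if __name__ == "__main__":
    groups, links = activity_groups(SAMPLE_INTRUSIONS)
    print(groups, links)   # [['INC-1', 'INC-2'], ['INC-3'], ['INC-4']] and the single link
```

Lowering `min_overlap` to 1 merges all four sample intrusions into one group, which is the same effect a vendor gets from a different threshold or a different customer dataset: same rule, different elephant.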

Finally, APTs change over time. China’s PLA and general governmental system have been overhauled multiple times under Xi Jinping, and the TTPs of the Lazarus Group have surely not stayed identical since 2009.

Which name to use, then? CTI is, like its big aunt Journalism, about who consumes the intelligence. Most of your audiences won’t be aware of the minutiae detailed in this blog post. They likely don’t even care. So: use the threat actor name that fits your audience, but try to point out somewhere whose nomenclature it is and provide one or two alternative names. If you say “ELECTRUM”, my brain will draw a blank, but if you say “Sandworm”, I’ll see the elephant.

Image Source: Nightcafe/Flux 2

Last modified on 2026-03-22