Source Attribution
ThreatActor.info is a research index built from public, attributed sources plus analyst-reviewed enrichment. This page summarizes the source families used by the site, how we use them, and where source-specific attribution appears.
How attribution is handled
- Actor and malware pages show a Source Attribution panel when structured source metadata is available.
- Actor pages also list additional provenance sources when a profile combines multiple datasets.
- Imported records keep source names, upstream URLs, retrieval timestamps, license fields when available, and source-specific attribution text in
_data/actors/*.yml. - Linked reports, advisories, articles, and external research remain owned by their original publishers.
- The site is for educational and research purposes only; verify source material independently before relying on it.
Source inventory
| Source | How it is used | Attribution and license notes |
|---|---|---|
| MITRE ATT&CK (STIX data) | Group descriptions; ATT&CK IDs; technique/tactic/campaign/mitigation/software pages and actor relationships (ttps, software, campaigns); optional denormalized attck_techniques / attck_software / attck_references for APIs. |
MITRE permission notice appears on affected pages and in structured actor metadata for records imported from STIX. |
| abuse.ch ThreatFox | Recent community IOC snapshots merged into existing actors when malware names or tags match (provenance.threatfox). |
ThreatFox data is attributed to abuse.ch; use is subject to abuse.ch terms and fair-use expectations for the community API. |
| MISP Galaxy | Threat actor identities, aliases, descriptions, references, and relationship context. | Imported MISP Galaxy records are marked as sourced from the MISP Galaxy threat-actor cluster and treated as CC0 licensed where that source metadata is present. |
| RansomLook and RansomLook repository | Ransomware group names, aliases, descriptions, and reference-backed enrichment. | RansomLook-derived data is attributed as RansomLook and marked CC BY 4.0 with the Creative Commons license URL in structured source metadata. |
| Malpedia by Fraunhofer FKIE | Malware-family metadata and actor relationship enrichment. | Malpedia-derived metadata is attributed to Malpedia/Fraunhofer FKIE and carries the Malpedia legal URL and CC BY-NC-SA 3.0 license metadata when imported. |
| ETDA / ThaiCERT Threat Group Cards | Threat group cards, aliases, malware, operations, and timeline hints. | Imported ETDA/ThaiCERT data is attributed as derived from the public Threat Group Cards and adapted for research enrichment. |
| tropChaud Categorized Adversary TTPs | Offline snapshot under data/imports/categorized-adversary-ttps/; merged MITRE group–technique links with ETDA pivot metadata (victim industry/country, motivation). Powers /api/categorized_* JSON and /categorized-adversary-ttps/. |
MIT-licensed dataset; upstream merges MITRE ATT&CK (see MITRE permission notice) and ETDA Threat Group Cards (copyright ETDA as cited upstream). Attribution text appears on the pivots page and matching actor panels. |
| APTnotes | Report-index provenance, source links, and chronology hints. | APTnotes is used as a report index; copyright in linked reports remains with the original publishers. |
| APT Groups & Operations | Alias, operation, malware, and report crosswalk enrichment. | The public spreadsheet is attributed as a secondary research aid and crosswalk, not as a sole authoritative source. |
| CISA Known Exploited Vulnerabilities Catalog | Known-exploited vulnerability context linked to selected actor pages. | CISA KEV is attributed as a public government catalog; KEV entries are treated as vulnerability context, not as standalone actor attribution. |
| BushidoToken Breach Report Collection | Reviewed breach-report links for existing actors. | The collection is attributed as a report index; linked reports remain owned by their original publishers. |
| BushidoUK Ransomware Tool Matrix | Reviewed ransomware tradecraft and tool observations for existing actors. | The matrix is attributed as a secondary ransomware tradecraft reference, not sole attribution evidence. |
| BushidoUK Ransomware Vulnerability Matrix | Reviewed CVE and exploitation observations for existing ransomware actors. | The matrix is attributed as a secondary exploitation reference, not sole attribution evidence. |
| BushidoUK Russian APT Tool Matrix | Reviewed Russian APT tool observations for existing actors. | The matrix is attributed as a secondary Russian APT tradecraft reference, not sole attribution evidence. |
| Curated Intelligence MOVEit Transfer Tracking | CL0P/MOVEit campaign event timeline enrichment. | The tracking repository is attributed for event collection; linked reports remain owned by their original publishers. |
| BreachHQ Threat Actors | Snapshot-backed secondary actor index used for reviewed name/alias matching and cross-source triage. | BreachHQ data is attributed to Beyond Identity; this project treats it as a secondary reference index and preserves source provenance rather than sole attribution evidence. |
| EternalLiberty | Alias cross-reference enrichment. | EternalLiberty is attributed as a secondary alias crosswalk, not a sole authoritative source. |
| Analyst notes and manual entries | Temporary coverage for subjects not yet covered by automated public sources. | Manual entries are labeled as analyst notes or manual curation and should be superseded when a reviewed automated source becomes available. |
| Security news and reference fetchers | Optional article/reference discovery utilities, including MISP references and security news feeds. | These utilities collect links and summaries for review; source publishers retain ownership of their articles and reports. |
Operational controls
- Importers fetch snapshots into local cache paths and apply reviewed mappings before changing canonical actor YAML.
- Importers avoid build-time network dependencies; generated pages and APIs are deterministic from committed content.
- Source-specific provenance is preserved under each actor’s
provenanceblock when enrichment comes from multiple sources. - Volatile infrastructure and raw leak-site material are not automatically imported.
For implementation details, see the importer documentation, data flow notes, and schema documentation.