How Microsoft names threat actors | Microsoft Patch Tuesday: May 2025 | Apple Updates Everything: May 2025 Edition
Microsoft uses a naming taxonomy for threat actors aligned with the theme of weather. We intend to bring better clarity to customers and other security researchers with this taxonomy. We offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves. We also aim to aid security researchers, who are already confronted with an overwhelming amount of threat intelligence data.
Microsoft categorizes threat actors into five key groups:
Nation-state actors: cyber operators acting on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution. Microsoft observed that most nation state actors continue to focus operations and attacks on government agencies, intergovernmental organizations, nongovernmental organizations, and think tanks for traditional espionage or surveillance objectives.
Financially motivated actors: cyber campaigns/groups directed by a criminal organization/person with motivations of financial gain and aren't associated with high confidence to a known non-nation state or commercial entity. This category includes ransomware operators, business email compromise, phishing, and other groups with purely financial or extortion motivations.
Private sector offensive actors (PSOAs): cyber activity led by commercial actors that are known/legitimate legal entities, that create and sell cyberweapons to customers who then select targets and operate the cyberweapons. These tools were observed targeting and surveiling dissidents, human rights defenders, journalists, civil society advocates, and other private citizens, threatening many global human rights efforts.
Influence operations: information campaigns communicated online or offline in a manipulative fashion to shift perceptions, behaviors, or decisions by target audiences to further a group or a nation's interests and objectives.
Groups in development: a temporary designation given to an unknown, emerging, or developing threat activity. This designation allows Microsoft to track a group as a discrete set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once criteria are met, a group in development is converted to a named actor or merged into existing names.
In this taxonomy, a weather event or family name represents one of the above categories. For nation-state actors, we assigned a family name to a country/region of origin tied to attribution. For example, Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For example, Tempest indicates financially motivated actors.
Threat actors within the same weather family are given an adjective to distinguish actor groups with distinct tactics, techniques, and procedures (TTPs), infrastructure, objectives, or other identified patterns. For groups in development, we use a temporary designation of Storm and a four-digit number where there's a newly discovered, unknown, emerging, or developing cluster of threat activity.
The following table shows how the family names map to the threat actors that we track.
Threat actor category Type Family name
|
Threat actor category |
Type |
Family name |
|---|---|---|
|
Nation-state |
China |
Typhoon |
|
Nation-state |
China |
Typhoon |
|
Financially motivated |
Financially motivated |
Tempest |
|
Private sector offensive actors |
PSOAs |
Tsunami |
|
Influence operations |
Influence operations |
Flood |
|
Groups in development |
Groups in development |
Storm |
|
Threat actor name |
Origin/Threat actor category |
Other names |
|---|---|---|
|
Amethyst Rain |
Lebanon |
VolcanicTimber, Volatile Cedar |
|
China |
Storm-0558 |
|
|
Russia |
ACTINIUM, PRIMITIVE BEAR, Gamaredon, Armageddon, UNC530, shuckworm, SectorC08 |
|
|
Berry Sandstorm |
Iran |
Storm-0852 |
|
Blue Tsunami |
Israel, Private sector offensive actor |
|
|
Brass Typhoon |
China |
BARIUM, WICKED PANDA, APT41 |
|
Brocade Typhoon |
China |
BORON, GOTHIC PANDA, UPS, APT3, OLDCARP, TG-0110, Red Sylvan, CYBRAN |
|
Burgundy Sandstorm |
Iran |
REMIX KITTEN, Cadelle, Chafer |
|
Russia |
DEV-0586, EMBER BEAR |
|
|
Canary Typhoon |
China |
CIRCUIT PANDA, APT24, Palmerworm, BlackTech |
|
Canvas Cyclone |
Vietnam |
BISMUTH, OCEAN BUFFALO, OceanLotus, APT32 |
|
Caramel Tsunami |
Israel, Private sector offensive actor |
DEV-0236 |
|
Private sector offensive actor |
|
|
|
Charcoal Typhoon |
China |
CHROMIUM, AQUATIC PANDA, ControlX, RedHotel, BRONZE UNIVERSITY |
|
Checkered Typhoon |
China |
CHLORINE, DEEP PANDA, ATG50, APT19, TG-3551, Red Gargoyle |
|
Cinnamon Tempest |
China, Financially motivated |
DEV-0401, HighGround |
|
Circle Typhoon |
China |
DEV-0322, EMISSARY PANDA, APT6, APT27 |
|
North Korea |
Storm-0139, Storm-1222, LABYRINTH CHOLLIMA |
|
|
Cotton Sandstorm |
Iran |
NEPTUNIUM, HAYWIRE KITTEN, Vice Leaker |
|
Covert network |
ORB07 |
|
|
Crescent Typhoon |
China |
CESIUM |
|
Crimson Sandstorm |
Iran |
CURIUM, IMPERIAL KITTEN, Tortoise Shell, HOUSEBLEND, TA456 |
|
Cuboid Sandstorm |
Iran |
DEV-0228, IMPERIAL KITTEN |
|
Austria, Private sector offensive actor |
DEV-0291 |
|
|
North Korea |
ZINC, LABYRINTH CHOLLIMA, Black Artemis, Lazarus |
|
|
Emerald Sleet |
North Korea |
THALLIUM, VELVET CHOLLIMA, RGB-D5, Black Banshee, Kimsuky, Greendinosa |
|
Fallow Squall |
Singapore |
PLATINUM, PARASITE, RUBYVINE, GINGERSNAP |
|
China |
Storm-0919, ETHEREAL PANDA |
|
|
Russia |
STRONTIUM, FANCY BEAR, Sednit, ATG2, Sofacy, Blue Athena, Z-Lom Team, Operation Pawn Storm, Tsar Team, CrisisFour, HELLFIRE, APT28 |
|
|
Ghost Blizzard |
Russia |
BROMINE, BERSERK BEAR, TG-4192, Koala Team, Blue Kraken, Crouching Yeti, Dragonfly |
|
Gingham Typhoon |
China |
GADOLINIUM, KRYPTONITE PANDA, TEMP.Periscope, Leviathan, JJDoor, APT40, Feverdream |
|
Granite Typhoon |
China |
GALLIUM, PHANTOM PANDA |
|
Gray Sandstorm |
Iran |
DEV-0343 |
|
Hazel Sandstorm |
Iran |
EUROPIUM, HELIX KITTEN, COLBALT GYPSY, Crambus, OilRig, APT34 |
|
Heart Typhoon |
China |
HELIUM, AURORA PANDA, APT17, Hidden Lynx, ATG3, Red Typhon, KAOS, TG-8153, SportsFans, DeputyDog, Tailgater |
|
Hexagon Typhoon |
China |
HYDROGEN, NUMBERED PANDA, Calc Team, Red Anubis, APT12, DNS-Calc, HORDE |
|
Houndstooth Typhoon |
China |
HASSIUM, DRAGNET PANDA, isoon, deepclif |
|
Jade Sleet |
North Korea |
Storm-0954, LABYRINTH CHOLLIMA |
|
Lace Tempest |
Financially motivated |
DEV-0950 |
|
Lemon Sandstorm |
Iran |
RUBIDIUM, PIONEER KITTEN |
|
Leopard Typhoon |
China |
LEAD, WICKED PANDA, TG-2633, TG-3279, Mana, KAOS, Red Diablo, Winnti Group |
|
Lilac Typhoon |
China |
DEV-0234 |
|
Linen Typhoon |
China |
IODINE, EMISSARY PANDA, Red Phoenix, Hippo, Lucky Mouse, BOWSER, APT27, Wekby2, UNC215, TG-3390 |
|
Luna Tempest |
Financially motivated |
|
|
Magenta Dust |
Türkiye |
PROMETHIUM, StrongPity, SmallPity |
|
Manatee Tempest |
Russia |
DEV-0243, INDRIK SPIDER |
|
Iran |
MERCURY, STATIC KITTEN, SeedWorm, TEMP.Zagros, MuddyWater |
|
|
Türkiye |
SILICON, COSMIC WOLF, Sea Turtle, UNC1326 |
|
|
Marigold Sandstorm |
Iran |
DEV-500, VENGEFUL KITTEN |
|
Russia |
NOBELIUM, COZY BEAR, UNC2452, APT29 |
|
|
Iran |
PHOSPHORUS, CHARMING KITTEN, Parastoo, Newscaster, APT35 |
|
|
North Korea |
Storm-1789, LABYRINTH CHOLLIMA |
|
|
Mulberry Typhoon |
China |
MANGANESE, KEYHOLE PANDA, Backdoor-DPD, COVENANT, CYSERVICE, Bottle, Red Horus, Red Naga, Auriga, APT5, ATG48, TG-2754, tabcteng |
|
Mustard Tempest |
Financially motivated |
DEV-0206, INDRIK SPIDER |
|
Russia, Influence operations |
Storm-1516, CopyCop |
|
|
Night Tsunami |
Israel |
DEV-0336 |
|
Nylon Typhoon |
China |
NICKEL, VIXEN PANDA, Playful Dragon, RedRiver, ke3chang, APT15, Mirage |
|
Financially motivated |
SCATTERED SPIDER, 0ktapus |
|
|
Onyx Sleet |
North Korea |
PLUTONIUM, SILENT CHOLLIMA, StoneFly, Tdrop2 campaign, DarkSeoul, Black Chollima, Andariel, APT45 |
|
Opal Sleet |
North Korea |
OSMIUM, VELVET CHOLLIMA, Planedown, Konni, APT43 |
|
Iran |
HOLMIUM, REFINED KITTEN, APT33, Elfin |
|
|
Pearl Sleet |
North Korea |
LAWRENCIUM |
|
Periwinkle Tempest |
Russia |
DEV-0193, WIZARD SPIDER |
|
Phlox Tempest |
Israel, Financially motivated |
DEV-0796 |
|
Pink Sandstorm |
Iran |
AMERICIUM, SPECTRAL KITTEN, Agrius, Deadwood, BlackShadow, SharpBoys, FireAnt, Justice Blade |
|
Pinstripe Lightning |
|
NIOBIUM, RENEGADE JACKAL, Desert Falcons, Scimitar, Arid Viper |
|
Pistachio Tempest |
Financially motivated |
DEV-0237 |
|
Lebanon |
POLONIUM, INCENDIARY JACKAL |
|
|
Pumpkin Sandstorm |
Iran |
DEV-0146 |
|
Purple Typhoon |
China |
POTASSIUM, STONE PANDA, GOLEM, Evilgrab, AEON, LIVESAFE, ChChes, APT10, Haymaker, Webmonder, Foxtrot, Foxmail, MenuPass, Red Apollo |
|
Raspberry Typhoon |
China |
RADIUM, LOTUS PANDA, LotusBlossom, APT30 |
|
Red Sandstorm |
Iran |
Storm-0842, BANISHED KITTEN, Void Manticore |
|
Ruby Sleet |
North Korea |
CERIUM, VELVET CHOLLIMA |
|
Ruza Flood |
Russia, Influence operations |
|
|
Salmon Typhoon |
China |
SODIUM, MAVERICK PANDA, APT4 |
|
Salt Typhoon |
China |
OPERATOR PANDA, GhostEmperor, FamousSparrow |
|
Sangria Tempest |
Ukraine, Financially motivated |
ELBRUS, CARBON SPIDER |
|
Sapphire Sleet |
North Korea |
COPERNICIUM, STARDUST CHOLLIMA, Genie Spider, BlueNoroff, CageyChameleon, CryptoCore |
|
Satin Typhoon |
China |
SCANDIUM, DYNAMITE PANDA, COMBINE, TG-0416, SILVERVIPER, Red Wraith, APT18, Elderwood Group, Wekby |
|
Russia |
IRIDIUM, VOODOO BEAR, BE2, UAC-0113, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, APT44 |
|
|
Russia |
KRYPTON, VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, WRAITH, ATG26 |
|
|
Sefid Flood |
Iran, Influence operations |
|
|
Shadow Typhoon |
China |
Storm-0062, DarkShadow, Oro0lxy |
|
Silk Typhoon |
China |
HAFNIUM, MURKY PANDA, timmy |
|
Smoke Sandstorm |
Iran |
IMPERIAL KITTEN, UNC1549 |
|
Spandex Tempest |
Financially motivated |
MONTY SPIDER, TA505 |
|
Russia |
SEABORGIUM, COLDRIVER, Callisto Group, BlueCharlie, TA446 |
|
|
Storm-0216 |
Financially motivated |
TUNNEL SPIDER, UNC2198 |
|
Storm-0230 |
Group in development |
WIZARD SPIDER, Conti Team 1 |
|
Storm-0247 |
China |
ToddyCat, Websiic |
|
Storm-0252 |
Group in development |
CHATTY SPIDER |
|
Storm-0288 |
Group in development |
FIN8 |
|
Storm-0302 |
Group in development |
NARWHAL SPIDER, TA544 |
|
Group in development |
|
|
|
Group in development |
|
|
|
Financially motivated |
|
|
|
Storm-0538 |
Group in development |
SKELETON SPIDER, FIN6 |
|
Financially motivated |
|
|
|
Financially motivated |
|
|
|
Storm-0671 |
Group in development |
UNC2596, Tropicalscorpius |
|
China |
|
|
|
Russia |
RomCom, Underground Team |
|
|
Group in development |
|
|
|
Financially motivated |
APOTHECARY SPIDER |
|
|
Financially motivated |
|
|
|
China, Financially motivated |
|
|
|
Storm-1194 |
Group in development |
MONTI |
|
Group in development |
|
|
|
Storm-1516 |
Russia, Influence operations |
|
|
Financially motivated |
PUNK SPIDER |
|
|
Financially motivated |
|
|
|
Influence operations |
|
|
|
Financially motivated |
CURLY SPIDER |
|
|
Group in development |
|
|
|
Storm-1982 |
China |
SneakyCheff, UNK_SweetSpecter |
|
Iran, Influence operations |
|
|
|
China |
TAG-100 |
|
|
Group in development |
|
|
|
Strawberry Tempest |
Financially motivated |
DEV-0537, SLIPPY SPIDER, LAPSUS$ |
|
Sunglow Blizzard |
|
DEV-0665 |
|
Swirl Typhoon |
China |
TELLURIUM, STALKER PANDA, Tick, Bronze Butler, REDBALDKNIGHT |
|
Taffeta Typhoon |
China |
TECHNETIUM, TURBINE PANDA, TG-0055, Red Kobold, JerseyMikes, APT26, BEARCLAW |
|
Taizi Flood |
China, Influence operations |
Dragonbridge, Spamouflage |
|
Tumbleweed Typhoon |
China |
THORIUM, Karst |
|
Twill Typhoon |
China |
TANTALUM, MUSTANG PANDA, BRONZE PRESIDENT, LuminousMoth |
|
Financially motivated |
DEV-0832, VICE SPIDER, Vice Society |
|
|
Velvet Tempest |
Financially motivated |
DEV-0504, ALPHA SPIDER |
|
Violet Typhoon |
China |
ZIRCONIUM, JUDGMENT PANDA, Chameleon, APT31, WebFans |
|
Russia |
Laundry Bear |
|
|
Volga Flood |
Russia, Influence operations |
Storm-1841, Rybar |
|
China |
VANGUARD PANDA, BRONZE SILHOUETTE |
|
|
Wheat Tempest |
Financially motivated |
GOLD, Gatak |
|
Wisteria Tsunami |
India, Private sector offensive actor |
DEV-0605, MintedSoil |
|
Yulong Flood |
China, Influence operations |
Storm-1852 |
|
Zigzag Hail |
Korea |
DUBNIUM, SHADOW CRANE, Nemim, TEMPLAR, TieOnJoe, Fallout Team, Purple Pygmy, Dark Hotel, Egobot, Tapaoux, PALADIN, APT-C-60 |
Read our announcement about this taxonomy for more information: https://aka.ms/threatactorsblog
Putting intelligence
into the hands of security professionals
Intel profiles in Microsoft Defender Threat Intelligence bring crucial insights
about threat actors. These insights enable security teams to get the context
they need as they prepare for and respond to threats.
Additionally, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today. Updated information is crucial in enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: Use the threat intelligence APIs in Microsoft Graph (preview).