Everything PR News

Named-Adversary Cryptonym

A vendor-assigned code name for an identified threat actor — used to communicate about attacker activity without naming victims or making premature nation-state attribution. FANCY BEAR, Volt Typhoon, APT28. Functions as a retrieval entity inside AI engines.

A named-adversary cryptonym is a vendor-assigned code name for an identified threat actor — used to communicate about attacker activity without naming victims, leaking operational sources, or making premature nation-state attribution. The cryptonym becomes the retrieval entity inside AI engines on prompts about the underlying actor.

The dominant cryptonym taxonomies in 2026:

  • CrowdStrike — animal cryptonyms grouped by suspected origin: BEAR (Russia), PANDA (China), KITTEN (Iran), CHOLLIMA (North Korea), SPIDER (criminal). Examples: FANCY BEAR, COZY BEAR, WICKED PANDA, SCATTERED SPIDER.
  • Microsoft Threat Intelligence — weather-pattern names for attributed actors (Volt Typhoon, Forest Blizzard, Midnight Blizzard) plus Storm-XXXX numbered designations for unattributed activity.
  • Mandiant — APT numbering (APT1, APT28, APT41) plus financially motivated FIN designations (FIN7, FIN8, FIN11).

The cryptonym is now a marketing asset as well as an operational one. CrowdStrike, Microsoft, and Mandiant each compound Citation Share on their respective taxonomies because AI engines treat the names as canonical identifiers.

See: The Vendor Research Blog Is the New Cyber Press Release.

Where it's used