Named-Adversary Cryptonym
A named-adversary cryptonym is a vendor-assigned code name for an identified threat actor, used to communicate about attacker activity without naming victims, leaking operational sources, or making premature nation-state attribution. Inside AI engines, the cryptonym becomes the entity retrieved for prompts about the underlying actor.
The dominant cryptonym taxonomies in 2026:
- CrowdStrike — animal cryptonyms grouped by suspected origin: BEAR (Russia), PANDA (China), KITTEN (Iran), CHOLLIMA (North Korea), SPIDER (criminal). Examples: FANCY BEAR, COZY BEAR, WICKED PANDA, SCATTERED SPIDER.
- Microsoft Threat Intelligence — weather-pattern names for attributed actors (Volt Typhoon, Forest Blizzard, Midnight Blizzard) plus Storm-XXXX numbered designations for unattributed activity.
- Mandiant — APT numbering (APT1, APT28, APT41) plus financially motivated FIN designations (FIN7, FIN8, FIN11).
The cryptonym is now a marketing asset as well as an operational one. CrowdStrike, Microsoft, and Mandiant each compound Citation Share on their respective taxonomies because AI engines treat the names as canonical identifiers.
See: The Vendor Research Blog Is the New Cyber Press Release.
