Defensive cyber desk
Threat actor designators
Each entry below is an actor cluster designated by Cassandra Quill, our pseudonymous vulnerability research and threat intelligence writer. The designators are assigned by Quill and are not industry-standard names. Profiles describe activity at the sector level with explicit operational discipline: we withhold vendor and build information where patches are not yet shipped, and never publish proof-of-concept code or indicators at IOC-grade specificity.
EGGCOP
Vietnamese commercial cybercrime operator (high confidence). Operators self-identified through self-infection of their own administration workstations on an FPT Telecom subscriber range in Ho Chi Minh City. Operator company is eggcop.com, registered 2016, eight named staff mailboxes confirmed.
Consumer browsers, dropshipping merchant accounts, regional banking, social ad-account operators, cryptocurrency wallets
EGGCOP is a Vietnamese commercial cybercrime cluster operating an infostealer monetisation pipeline. The cluster takes its name from the operator company, eggcop.com, identified through self-exfiltration of the operators' own administration workstations. Initial access uses double-extension PDF.EXE lures distributed through LinkedIn and other social channels. Payload encoding stacks Base32, bzip2, zlib, and Python bytecode before resolving to a Donut shellcode loader that performs DPAPI credential theft from Chromium, Edge, Firefox, and the Vietnamese-localised CocCoc browser. Exfiltration is one-way Telegram sendDocument traffic. Stolen credentials, cookies, autofill data, and Facebook business-account sessions feed a parallel dropshipping fraud operation run by the same corporate front.
INDIGO RUST
State-affiliated actor or well-resourced criminal organization with telecom-infrastructure collection objective
Telecommunications carriers, both North American and Western European
INDIGO RUST is an advanced operator cluster conducting sustained reconnaissance against telecommunications infrastructure operators. Reconnaissance focused, not opportunistic. Methodical domain mapping, credential enumeration, and preparation for lateral movement consistent with a customer with a defined operational objective: persistent telecom-backbone access for first-hop reach into government and private networks.
OBSIDIAN HALCYON
Advanced operator with sustained operational priority on identity-tier access
Identity provider deployments at mid-tier enterprises in federal civilian contracting, healthcare technology, and specialty financial services
OBSIDIAN HALCYON has been operating against identity-provider infrastructure across three sectors with cleared-personnel exposure. Seven-plus weeks of sustained presence, consistent with a patient state-affiliated collector running a defined intelligence requirement on the access tier that enables downstream compounding.
COBALT VESPER
State-affiliated collector with strategic patience and a specific intelligence requirement against cleared environments
Federal contractors with cleared-personnel staffing exposure; defense industrial base and mission-critical services prioritized
COBALT VESPER stages access for weeks before observable action. Detection avoidance is specific to the defensive tooling commonly deployed in federal contractor environments. The patience signature indicates a customer who can defer the value realization until the access is mature.
SLATE FERROUS
State-affiliated industrial intelligence collector or strategic disruption pre-positioning
Mid-tier municipal utilities, specialty chemical manufacturers, discrete-process industrial producers with export exposure
SLATE FERROUS has been conducting sustained reconnaissance against industrial control system networks across three sectors. The operator is reading process telemetry, batch records, and operator-to-supervisor command traffic that, in the right hands, models production capacity, supply-chain dependencies, and operational decision-making at the targeted enterprises.
ASH MERIDIAN
Sustained-priority collector positioning for staged customer-account abuse at scale
Mid-tier fintech operators: consumer payment processors, B2B payment rails, digital-asset custody providers
ASH MERIDIAN works fintech identity infrastructure. Positioning is calibrated for downstream customer-level abuse at the operator timing of choice, rather than direct corporate-treasury theft. That positioning is the positioning most fintech defenders are least instrumented for.
GREEN HALCYON
State-affiliated industrial planning apparatus with sustained interest in automotive program timing, supply-chain mapping, and bid economics
Tier-one automotive suppliers in electrified powertrain, advanced driver assistance system components, and battery cell or module production
GREEN HALCYON has maintained operational presence inside three tier-one automotive suppliers for fourteen weeks. The collection profile maps manufacturing program documentation, supply-chain documentation linking tier-one to tier-two and tier-three, and engineering change order traffic. The cumulative data enables modeling of production timing and cost structure for programs the suppliers are bidding on but not yet awarded.
CRIMSON LATTICE
State-affiliated collector with sustained operational priority on U.S. healthcare commercial economics
Mid-tier healthcare payers, with focus on claims data and negotiated rate structures
CRIMSON LATTICE operates against the data warehouse tier of mid-tier healthcare payers. Collection targets are patient claims (multi-year window), provider-network contract documentation including negotiated rate structures, and the actuarial model documentation informing regional pricing. The combination models the commercial economics of the U.S. payer market with precision.
AMBER MERIDIAN
State-affiliated collector running sustained operational priority on U.S. domestic policy development
Federal civilian agencies with significant access to policy planning documentation and interagency coordination correspondence
AMBER MERIDIAN runs sustained reconnaissance against two federal civilian departments. Collection profile: internal policy planning documentation pre-publication, interagency coordination correspondence, and senior-official scheduling and travel. Combined, this allows the operator customer to model U.S. policy decision-making cadence at the senior leadership level with materially more lead time than open-source observation provides.