THE ALAMO POST

Remember What Matters

Defensive cyber desk

Threat actor designators

Each entry below is an actor cluster designated by Cassandra Quill, our pseudonymous vulnerability research and threat intelligence writer. The designators are assigned by Quill and are not industry-standard names. Profiles describe activity at the sector level with explicit operational discipline: we withhold vendor and build information where patches are not yet shipped, and never publish proof-of-concept code or indicators at IOC-grade specificity.

AMBER LOOM

Vietnamese-aligned cluster (high confidence)

Defense industrial base, semiconductor supply, cyber product engineering, regional financial services

AMBER LOOM is a Vietnamese-aligned operator cluster that runs LinkedIn-vector social-engineering campaigns and exfiltrates through a Telegram bot architecture. Targeting is materially skewed toward Israeli users and Israeli-headquartered firms with overseas footprints. Tradecraft signatures, working-hour rhythms aligned with Indochina Time, and infrastructure reuse with prior publicly described Vietnam-origin clusters all support the attribution.

INDIGO RUST

State-affiliated actor or well-resourced criminal organization with a telecom-infrastructure collection objective

Telecommunications carriers, both North American and Western European

INDIGO RUST is an advanced operator cluster conducting sustained reconnaissance against telecommunications infrastructure operators. The activity is reconnaissance-focused, not opportunistic. Its methodical domain mapping, credential enumeration, and preparation for lateral movement are consistent with a customer that has a defined operational objective: persistent telecom-backbone access for first-hop reach into government and private networks.

OBSIDIAN HALCYON

Advanced operator with sustained operational priority on identity-tier access

Identity provider deployments at mid-tier enterprises in federal civilian contracting, healthcare technology, and specialty financial services

OBSIDIAN HALCYON has been operating against identity-provider infrastructure across three sectors with cleared-personnel exposure. Its seven-plus weeks of sustained presence are consistent with a patient state-affiliated collector running a defined intelligence requirement on the access tier that enables downstream compounding.

COBALT VESPER

State-affiliated collector with strategic patience and a specific intelligence requirement against cleared environments

Federal contractors with cleared-personnel staffing exposure; defense industrial base and mission-critical services prioritized

COBALT VESPER stages access for weeks before observable action. Detection avoidance is specific to the defensive tooling commonly deployed in federal contractor environments. The patience signature indicates a customer who can defer the value realization until the access is mature.

SLATE FERROUS

State-affiliated industrial intelligence collector or strategic disruption pre-positioning

Mid-tier municipal utilities, specialty chemical manufacturers, discrete-process industrial producers with export exposure

SLATE FERROUS has been conducting sustained reconnaissance against industrial control system networks across three sectors. The operator is reading process telemetry, batch records, and operator-to-supervisor command traffic that, in the right hands, models production capacity, supply-chain dependencies, and operational decision-making at the targeted enterprises.

ASH MERIDIAN

Sustained-priority collector positioning for staged customer-account abuse at scale

Mid-tier fintech operators: consumer payment processors, B2B payment rails, digital-asset custody providers

ASH MERIDIAN works fintech identity infrastructure. Positioning is calibrated for downstream customer-level abuse at a time of the operator's choosing, rather than direct corporate-treasury theft. It is the positioning most fintech defenders are least instrumented for.

GREEN HALCYON

State-affiliated industrial planning apparatus with sustained interest in automotive program timing, supply-chain mapping, and bid economics

Tier-one automotive suppliers in electrified powertrain, advanced driver assistance system components, and battery cell or module production

GREEN HALCYON has maintained operational presence inside three tier-one automotive suppliers for fourteen weeks. The collection profile maps manufacturing program documentation, supply-chain documentation linking tier-one to tier-two and tier-three, and engineering change order traffic. The cumulative data enables modeling of production timing and cost structure for programs the suppliers are bidding on but not yet awarded.

CRIMSON LATTICE

State-affiliated collector with sustained operational priority on U.S. healthcare commercial economics

Mid-tier healthcare payers, with focus on claims data and negotiated rate structures

CRIMSON LATTICE operates against the data warehouse tier of mid-tier healthcare payers. Collection targets are patient claims (multi-year window), provider-network contract documentation including negotiated rate structures, and the actuarial model documentation informing regional pricing. The combination models the commercial economics of the U.S. payer market with precision.

AMBER MERIDIAN

State-affiliated collector running sustained operational priority on U.S. domestic policy development

Federal civilian agencies with significant access to policy planning documentation and interagency coordination correspondence

AMBER MERIDIAN runs sustained reconnaissance against two federal civilian departments. Collection profile: pre-publication internal policy planning documentation, interagency coordination correspondence, and senior-official scheduling and travel. Combined, this allows the operator's customer to model U.S. policy decision-making cadence at the senior leadership level with materially more lead time than open-source observation provides.