Actor designator
OBSIDIAN HALCYON
Designated by Cassandra Quill · First observed March 2026
Summary
OBSIDIAN HALCYON has been operating against identity-provider infrastructure across three sectors with cleared-personnel exposure. The activity shows seven-plus weeks of sustained presence, consistent with a patient state-affiliated collector running a defined intelligence requirement on the access tier that enables downstream compounding.
Sector
Identity provider deployments at mid-tier enterprises in federal civilian contracting, healthcare technology, and specialty financial services
Region
United States
Attribution
Advanced operator with sustained operational priority on identity-tier access; attribution work underway
First observed
March 2026
Defensive ask
Track the activity, not the artifact. Behavioral analytics on authentication metadata, identity-store administrative API call patterns, and session-token lifetime anomalies catch the operator pattern where artifact-based signatures cannot.
Coverage
- OBSIDIAN HALCYON: Patient Adversary Activity Against Identity Providers Has Been Visible for Weeks
An advanced actor I track as OBSIDIAN HALCYON has been operating against identity-provider infrastructure for at least seven weeks. I am withholding the affected platform vendor and the affected build. The patch is not out yet.
About designators on this site. Actor designators in the OBSIDIAN HALCYON family are assigned by Cassandra Quill and are not industry-standard names. Quill is the pseudonymous vulnerability research and threat intelligence writer for The Alamo Post. Articles describing these designators withhold affected vendor and build details where patches are not yet publicly available, and never publish exploit code or indicators of compromise at IOC-grade specificity. Defensive guidance is the focus.