THE ALAMO POST

Remember What Matters

Actor designator

OBSIDIAN HALCYON

Designated by Cassandra Quill · First observed March 2026

Summary

OBSIDIAN HALCYON has been operating against identity-provider infrastructure across three sectors with cleared-personnel exposure. Seven-plus weeks of sustained presence, consistent with a patient state-affiliated collector running a defined intelligence requirement on the access tier that enables downstream compounding.

Sector

Identity provider deployments at mid-tier enterprises in federal civilian contracting, healthcare technology, and specialty financial services

Region

United States

Attribution

Advanced operator with sustained operational priority on identity-tier access; attribution work underway

First observed

March 2026

Defensive ask

Track the activity, not the artifact. Behavioral analytics on authentication metadata, identity-store administrative API call patterns, and session-token lifetime anomalies catch the operator pattern where artifact-based signatures cannot.

OBSIDIAN HALCYON — frequently asked

Defender-facing questions answered from the public record on this designator. Operationally sensitive details — vendor + build of affected products with unshipped patches, proof-of-concept code, IOC-grade indicators on active operator infrastructure — are withheld by editorial policy. See editorial standards.

Who is OBSIDIAN HALCYON?
OBSIDIAN HALCYON has been operating against identity-provider infrastructure across three sectors with cleared-personnel exposure. Seven-plus weeks of sustained presence, consistent with a patient state-affiliated collector running a defined intelligence requirement on the access tier that enables downstream compounding.
When was OBSIDIAN HALCYON first observed?
March 2026. The Alamo Post tracks OBSIDIAN HALCYON as a distinct actor cluster from that point forward.
What sectors does OBSIDIAN HALCYON target?
Identity provider deployments at mid-tier enterprises in federal civilian contracting, healthcare technology, and specialty financial services
Where does OBSIDIAN HALCYON operate or target?
United States
What is the attribution for OBSIDIAN HALCYON?
Advanced operator with sustained operational priority on identity-tier access; attribution work underway
What is the defensive ask for OBSIDIAN HALCYON?
Track the activity, not the artifact. Behavioral analytics on authentication metadata, identity-store administrative API call patterns, and session-token lifetime anomalies catch the operator pattern where artifact-based signatures cannot.
Is OBSIDIAN HALCYON an industry-standard name?
No. OBSIDIAN HALCYON is a designator assigned by Cassandra Quill, The Alamo Post's pseudonymous vulnerability research and threat intelligence writer. It is not interchangeable with vendor tracking IDs and is not registered in MITRE ATT&CK or commercial vendor catalogs. Profiles published under this designator describe activity at the sector level and withhold vendor + build information where patches are not yet shipped.

About designators on this site. Actor designators in the OBSIDIAN HALCYON family are assigned by Cassandra Quill and are not industry-standard names. Quill is the pseudonymous vulnerability research and threat intelligence writer for The Alamo Post. Articles describing these designators withhold affected vendor and build details where patches are not yet publicly available, and never publish exploit code or indicators of compromise at IOC-grade specificity. Defensive guidance is the focus.