{
 "meta": {
  "generated": "2026-07-04",
  "source": "security-resilience.ai",
  "license": "CC BY 4.0",
  "count": 568,
  "attribution": "Threat-actor data: security-resilience.ai"
 },
 "actors": [
  {
   "actor_id": "C0001",
   "canonical_name": "Frankenstein",
   "aliases": [
    "Frankenstein"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 39,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0001",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1016",
    "T1020",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1047",
    "T1053",
    "T1057",
    "T1059",
    "T1071",
    "T1082",
    "T1105",
    "T1119",
    "T1127",
    "T1140",
    "T1203",
    "T1204",
    "T1221",
    "T1497",
    "T1518",
    "T1566",
    "T1573",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1027.010",
    "T1036.004",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1071.001",
    "T1127.001",
    "T1204.002",
    "T1497.001",
    "T1518.001",
    "T1566.001",
    "T1573.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0002",
   "canonical_name": "Night Dragon",
   "aliases": [
    "Night Dragon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 43,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "McAfee Night Dragon reports the campaign targeted oil, energy, and petrochemical companies to collect data on oil and gas field production systems and SCADA.",
     "source": "McAfee Night Dragon"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "McAfee Night Dragon reports the campaign targeted oil, energy, and petrochemical companies.",
     "source": "McAfee Night Dragon"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0002",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1008",
    "T1027",
    "T1033",
    "T1059",
    "T1071",
    "T1074",
    "T1078",
    "T1083",
    "T1105",
    "T1110",
    "T1112",
    "T1114",
    "T1133",
    "T1190",
    "T1204",
    "T1219",
    "T1550",
    "T1566",
    "T1568",
    "T1583",
    "T1584",
    "T1588",
    "T1608",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1027.002",
    "T1027.013",
    "T1059.003",
    "T1071.001",
    "T1074.002",
    "T1078.002",
    "T1110.002",
    "T1114.001",
    "T1204.001",
    "T1550.002",
    "T1566.002",
    "T1583.004",
    "T1584.004",
    "T1588.001",
    "T1588.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "C0004",
   "canonical_name": "CostaRicto",
   "aliases": [
    "CostaRicto"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 15,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "BlackBerry CostaRicto November 2020 states the campaign targeted multiple industries with a large number being financial institutions.",
     "source": "BlackBerry CostaRicto November 2020"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0004",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1046",
    "T1053",
    "T1090",
    "T1105",
    "T1133",
    "T1572",
    "T1583",
    "T1587",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1053.005",
    "T1090.003",
    "T1583.001",
    "T1587.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0005",
   "canonical_name": "Operation Spalax",
   "aliases": [
    "Operation Spalax"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 24,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK C0005 states Operation Spalax primarily targeted Colombian government organizations (cited ESET Operation Spalax Jan 2021).",
     "source": "ESET Operation Spalax Jan 2021"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK C0005 states Operation Spalax targeted private companies in the energy industry (cited ESET Operation Spalax Jan 2021).",
     "source": "ESET Operation Spalax Jan 2021"
    },
    {
     "naics": "331",
     "label": "Primary Metal Manufacturing",
     "evidence": "MITRE ATT&CK C0005 states Operation Spalax targeted private companies in the metallurgical industry (cited ESET Operation Spalax Jan 2021).",
     "source": "ESET Operation Spalax Jan 2021"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "9221",
     "label": "Justice, Public Order & Safety",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0005",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1102",
    "T1140",
    "T1204",
    "T1218",
    "T1497",
    "T1566",
    "T1568",
    "T1583",
    "T1588",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1027.003",
    "T1027.013",
    "T1204.001",
    "T1204.002",
    "T1218.011",
    "T1566.001",
    "T1566.002",
    "T1583.001",
    "T1588.001",
    "T1588.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "C0006",
   "canonical_name": "Operation Honeybee",
   "aliases": [
    "Operation Honeybee"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 43,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK C0006 states Operation Honeybee targeted humanitarian aid organizations (McAfee Honeybee).",
     "source": "McAfee Honeybee"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "MITRE ATT&CK C0006 states Operation Honeybee targeted inter-Korean affairs organizations (McAfee Honeybee).",
     "source": "McAfee Honeybee"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0006",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1027",
    "T1036",
    "T1041",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1074",
    "T1082",
    "T1083",
    "T1105",
    "T1106",
    "T1112",
    "T1140",
    "T1204",
    "T1543",
    "T1548",
    "T1553",
    "T1560",
    "T1569",
    "T1574",
    "T1583",
    "T1585",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1036.005",
    "T1059.003",
    "T1059.005",
    "T1070.004",
    "T1071.002",
    "T1074.001",
    "T1204.002",
    "T1543.003",
    "T1548.002",
    "T1553.002",
    "T1560.001",
    "T1569.002",
    "T1574.011",
    "T1583.001",
    "T1583.004",
    "T1585.002",
    "T1588.004"
   ]
  },
  {
   "actor_id": "C0007",
   "canonical_name": "FunnyDream",
   "aliases": [
    "FunnyDream"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 19,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "Targeted government organizations in Malaysia, Philippines, Taiwan, Vietnam per MITRE description citing Bitdefender FunnyDream Campaign November 2020.",
     "source": "Bitdefender FunnyDream Campaign November 2020"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0007",
   "cve_ids": [],
   "technique_ids": [
    "T1016",
    "T1018",
    "T1047",
    "T1049",
    "T1057",
    "T1059",
    "T1082",
    "T1105",
    "T1560",
    "T1583",
    "T1585",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1059.003",
    "T1059.005",
    "T1560.001",
    "T1583.001",
    "T1585.002",
    "T1588.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0010",
   "canonical_name": "C0010",
   "aliases": [
    "C0010"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 14,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "Mandiant UNC3890 Aug 2022 states C0010 targeted Israeli aviation organizations.",
     "source": "Mandiant UNC3890 Aug 2022"
    },
    {
     "naics": "483",
     "label": "Water Transportation",
     "evidence": "Mandiant UNC3890 Aug 2022 states C0010 targeted Israeli shipping organizations.",
     "source": "Mandiant UNC3890 Aug 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Mandiant UNC3890 Aug 2022 states C0010 targeted Israeli energy organizations.",
     "source": "Mandiant UNC3890 Aug 2022"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "Mandiant UNC3890 Aug 2022 states C0010 targeted Israeli healthcare organizations.",
     "source": "Mandiant UNC3890 Aug 2022"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Mandiant UNC3890 Aug 2022 states C0010 targeted Israeli government organizations.",
     "source": "Mandiant UNC3890 Aug 2022"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0010",
   "cve_ids": [],
   "technique_ids": [
    "T1105",
    "T1189",
    "T1583",
    "T1584",
    "T1587",
    "T1588",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1583.001",
    "T1584.001",
    "T1587.001",
    "T1588.002",
    "T1608.001",
    "T1608.002",
    "T1608.004"
   ]
  },
  {
   "actor_id": "C0011",
   "canonical_name": "C0011",
   "aliases": [
    "C0011"
   ],
   "category": "state",
   "sponsor": {
    "country": "IN"
   },
   "cve_count": 0,
   "technique_count": 14,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description of C0011 states the campaign targeted students at universities and colleges in India (Cisco Talos Transparent Tribe Education Campaign July 2022).",
     "source": "Cisco Talos Transparent Tribe Education Campaign July 2022"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0011",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1204",
    "T1566",
    "T1583",
    "T1587",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1059.005",
    "T1204.001",
    "T1204.002",
    "T1566.001",
    "T1566.002",
    "T1583.001",
    "T1587.003",
    "T1608.001"
   ]
  },
  {
   "actor_id": "C0012",
   "canonical_name": "Operation CuckooBees",
   "aliases": [
    "Operation CuckooBees"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 48,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "Cybereason OperationCuckooBees May 2022 explicitly states the campaign targeted manufacturing companies to steal blueprints and R&D documents.",
     "source": "Cybereason OperationCuckooBees May 2022"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "Cybereason OperationCuckooBees May 2022 reports targeting of technology companies for source code and technology blueprints, aligning with computer/electronic product manufacturing.",
     "source": "Cybereason OperationCuckooBees May 2022"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0012",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1016",
    "T1018",
    "T1027",
    "T1033",
    "T1036",
    "T1049",
    "T1053",
    "T1057",
    "T1059",
    "T1069",
    "T1071",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1120",
    "T1124",
    "T1133",
    "T1135",
    "T1190",
    "T1201",
    "T1505",
    "T1543",
    "T1547",
    "T1560",
    "T1574",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1027.010",
    "T1027.011",
    "T1036.005",
    "T1053.005",
    "T1059.003",
    "T1059.005",
    "T1069.001",
    "T1071.001",
    "T1078.002",
    "T1087.001",
    "T1087.002",
    "T1505.003",
    "T1543.003",
    "T1547.006",
    "T1560.001",
    "T1574.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0013",
   "canonical_name": "Operation Sharpshooter",
   "aliases": [
    "Operation Sharpshooter"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 22,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "MITRE ATT&CK C0013 states Operation Sharpshooter targeted nuclear and energy companies (McAfee Sharpshooter December 2018).",
     "source": "McAfee Sharpshooter December 2018"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK C0013 states Operation Sharpshooter targeted defense and government entities (McAfee Sharpshooter December 2018).",
     "source": "McAfee Sharpshooter December 2018"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK C0013 states Operation Sharpshooter targeted financial companies (McAfee Sharpshooter December 2018).",
     "source": "McAfee Sharpshooter December 2018"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0013",
   "cve_ids": [],
   "technique_ids": [
    "T1036",
    "T1055",
    "T1059",
    "T1090",
    "T1105",
    "T1106",
    "T1204",
    "T1547",
    "T1559",
    "T1583",
    "T1584",
    "T1587",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1059.005",
    "T1204.002",
    "T1547.001",
    "T1559.002",
    "T1583.006",
    "T1584.004",
    "T1587.001",
    "T1608.001"
   ]
  },
  {
   "actor_id": "C0014",
   "canonical_name": "Operation Wocao",
   "aliases": [
    "Operation Wocao"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 95,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "FoxIT Wocao December 2019 states actors compromised government organizations worldwide.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "FoxIT Wocao December 2019 states actors compromised aviation companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "23",
     "label": "Construction",
     "evidence": "FoxIT Wocao December 2019 states actors compromised construction companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "FoxIT Wocao December 2019 states actors compromised energy companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "FoxIT Wocao December 2019 states actors compromised finance companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "FoxIT Wocao December 2019 states actors compromised health care companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "524",
     "label": "Insurance Carriers & Related Activities",
     "evidence": "FoxIT Wocao December 2019 states actors compromised insurance companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "FoxIT Wocao December 2019 states actors compromised transportation companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "FoxIT Wocao December 2019 states actors compromised software development companies.",
     "source": "FoxIT Wocao December 2019"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0014",
   "cve_ids": [],
   "technique_ids": [
    "T1001",
    "T1003",
    "T1005",
    "T1007",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1046",
    "T1047",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1057",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1095",
    "T1105",
    "T1106",
    "T1111",
    "T1112",
    "T1115",
    "T1119",
    "T1120",
    "T1124",
    "T1133",
    "T1135",
    "T1190",
    "T1505",
    "T1518",
    "T1552",
    "T1555",
    "T1558",
    "T1560",
    "T1569",
    "T1570",
    "T1571",
    "T1573",
    "T1583",
    "T1585",
    "T1587",
    "T1588",
    "T1589",
    "T1680",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.006",
    "T1016.001",
    "T1021.002",
    "T1027.005",
    "T1027.010",
    "T1036.005",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1069.001",
    "T1070.004",
    "T1071.001",
    "T1074.001",
    "T1078.002",
    "T1078.003",
    "T1087.002",
    "T1090.001",
    "T1090.003",
    "T1505.003",
    "T1518.001",
    "T1552.004",
    "T1555.005",
    "T1558.003",
    "T1560.001",
    "T1569.002",
    "T1573.002",
    "T1583.004",
    "T1585.002",
    "T1587.001",
    "T1588.002",
    "T1685.005",
    "T1686.003"
   ]
  },
  {
   "actor_id": "C0015",
   "canonical_name": "C0015",
   "aliases": [
    "C0015"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 46,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0015",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1030",
    "T1036",
    "T1039",
    "T1047",
    "T1055",
    "T1057",
    "T1059",
    "T1069",
    "T1074",
    "T1083",
    "T1105",
    "T1124",
    "T1135",
    "T1204",
    "T1218",
    "T1219",
    "T1482",
    "T1486",
    "T1553",
    "T1566",
    "T1567",
    "T1570",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1055.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1069.001",
    "T1069.002",
    "T1074.001",
    "T1204.002",
    "T1218.005",
    "T1218.010",
    "T1218.011",
    "T1219.002",
    "T1553.002",
    "T1566.001",
    "T1567.002",
    "T1588.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0016",
   "canonical_name": "Operation Dust Storm",
   "aliases": [
    "Operation Dust Storm"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 24,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2011,
   "active_year_max": 2011,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "Cylance Dust Storm reports shift to targets supporting Japan's critical infrastructure including electricity generation.",
     "source": "Cylance Dust Storm"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "Cylance Dust Storm reports shift to targets supporting Japan's critical infrastructure including oil and natural gas.",
     "source": "Cylance Dust Storm"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Cylance Dust Storm reports shift to targets supporting Japan's critical infrastructure including finance.",
     "source": "Cylance Dust Storm"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "Cylance Dust Storm reports shift to targets supporting Japan's critical infrastructure including transportation.",
     "source": "Cylance Dust Storm"
    },
    {
     "naics": "23",
     "label": "Construction",
     "evidence": "Cylance Dust Storm reports shift to targets supporting Japan's critical infrastructure including construction.",
     "source": "Cylance Dust Storm"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Cylance Dust Storm notes initial targeting of government and defense-related intelligence targets before 2015 shift.",
     "source": "Cylance Dust Storm"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "2212",
     "label": "Natural Gas Distribution",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0016",
   "cve_ids": [
    "CVE-2011-1255"
   ],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1059",
    "T1140",
    "T1189",
    "T1203",
    "T1204",
    "T1218",
    "T1518",
    "T1566",
    "T1568",
    "T1583",
    "T1585"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1027.013",
    "T1059.005",
    "T1059.007",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1566.001",
    "T1566.002",
    "T1583.001",
    "T1585.002"
   ]
  },
  {
   "actor_id": "C0017",
   "canonical_name": "C0017",
   "aliases": [
    "C0017"
   ],
   "category": "state-contractor",
   "sponsor": {
    "country": "CN",
    "agency": "MSS"
   },
   "cve_count": 0,
   "technique_count": 40,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "C0017 compromised at least six U.S. state government networks (Mandiant APT41).",
     "source": "Mandiant APT41"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0017",
   "cve_ids": [],
   "technique_ids": [
    "T1001",
    "T1003",
    "T1005",
    "T1016",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1048",
    "T1053",
    "T1059",
    "T1071",
    "T1074",
    "T1090",
    "T1102",
    "T1105",
    "T1134",
    "T1140",
    "T1190",
    "T1505",
    "T1560",
    "T1567",
    "T1574",
    "T1588",
    "T1680"
   ],
   "subtechnique_ids": [
    "T1001.003",
    "T1003.002",
    "T1027.002",
    "T1036.004",
    "T1036.005",
    "T1048.003",
    "T1053.005",
    "T1059.003",
    "T1059.007",
    "T1071.001",
    "T1074.001",
    "T1102.001",
    "T1505.003",
    "T1560.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0018",
   "canonical_name": "C0018",
   "aliases": [
    "C0018"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 3,
   "technique_count": 26,
   "idf_score": 12.871,
   "exclusive_cve_count": 3,
   "active_year_min": 2021,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ],
    [
     "network",
     2
    ],
    [
     "linux",
     2
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0018",
   "cve_ids": [
    "CVE-2021-31206",
    "CVE-2021-44832",
    "CVE-2021-45105"
   ],
   "technique_ids": [
    "T1016",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1046",
    "T1047",
    "T1059",
    "T1071",
    "T1072",
    "T1105",
    "T1190",
    "T1218",
    "T1219",
    "T1486",
    "T1570",
    "T1571",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1027.010",
    "T1036.005",
    "T1059.001",
    "T1071.001",
    "T1218.011",
    "T1219.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0021",
   "canonical_name": "C0021",
   "aliases": [
    "C0021"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 26,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK C0021 description states targeting of private-sector corporations in the oil and gas industry, citing FireEye APT29 Nov 2018.",
     "source": "FireEye APT29 Nov 2018"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK C0021 description states targeting of private-sector corporations in the chemical industry, citing FireEye APT29 Nov 2018.",
     "source": "FireEye APT29 Nov 2018"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK C0021 description states targeting of educational institutions, citing FireEye APT29 Nov 2018.",
     "source": "FireEye APT29 Nov 2018"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "MITRE ATT&CK C0021 description states targeting of private-sector corporations in the hospitality industry, citing FireEye APT29 Nov 2018.",
     "source": "FireEye APT29 Nov 2018"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK C0021 description states targeting of public sector institutions, citing FireEye APT29 Nov 2018.",
     "source": "FireEye APT29 Nov 2018"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0021",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1071",
    "T1095",
    "T1105",
    "T1140",
    "T1204",
    "T1218",
    "T1566",
    "T1573",
    "T1583",
    "T1584",
    "T1588",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1027.009",
    "T1027.010",
    "T1059.001",
    "T1071.001",
    "T1204.001",
    "T1218.011",
    "T1566.002",
    "T1573.002",
    "T1583.001",
    "T1584.001",
    "T1588.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "C0022",
   "canonical_name": "Operation Dream Job",
   "aliases": [
    "Operation Dream Job",
    "Operation North Star",
    "Operation Interception"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP",
    "agency": "RGB",
    "unit": "Bureau 121 / Lab 110"
   },
   "cve_count": 3,
   "technique_count": 81,
   "idf_score": 10.674,
   "exclusive_cve_count": 1,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK C0022 states Operation Dream Job targeted the aerospace sector (ClearSky Lazarus Aug 2020).",
     "source": "MITRE ATT&CK C0022"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK C0022 states Operation Dream Job targeted the defense sector (ClearSky Lazarus Aug 2020).",
     "source": "MITRE ATT&CK C0022"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK C0022 states Operation Dream Job targeted the government sector (ClearSky Lazarus Aug 2020).",
     "source": "MITRE ATT&CK C0022"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "other",
     1
    ],
    [
     "linux",
     1
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0022",
   "cve_ids": [
    "CVE-2018-2025010",
    "CVE-2026-31635",
    "CVE-2026-45585"
   ],
   "technique_ids": [
    "T1005",
    "T1027",
    "T1036",
    "T1041",
    "T1047",
    "T1053",
    "T1059",
    "T1070",
    "T1071",
    "T1083",
    "T1087",
    "T1105",
    "T1106",
    "T1110",
    "T1204",
    "T1218",
    "T1220",
    "T1221",
    "T1497",
    "T1505",
    "T1534",
    "T1547",
    "T1553",
    "T1560",
    "T1566",
    "T1567",
    "T1573",
    "T1583",
    "T1584",
    "T1585",
    "T1587",
    "T1588",
    "T1589",
    "T1591",
    "T1593",
    "T1608",
    "T1614",
    "T1622",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1027.013",
    "T1036.008",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1070.004",
    "T1071.001",
    "T1087.002",
    "T1204.001",
    "T1204.002",
    "T1218.010",
    "T1218.011",
    "T1497.001",
    "T1497.003",
    "T1505.004",
    "T1547.001",
    "T1553.002",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1566.003",
    "T1567.002",
    "T1573.001",
    "T1583.001",
    "T1583.004",
    "T1583.006",
    "T1584.001",
    "T1584.004",
    "T1585.001",
    "T1585.002",
    "T1587.001",
    "T1587.002",
    "T1588.002",
    "T1588.003",
    "T1591.004",
    "T1593.001",
    "T1608.001",
    "T1608.002",
    "T1614.001",
    "T1684.001"
   ]
  },
  {
   "actor_id": "C0023",
   "canonical_name": "Operation Ghost",
   "aliases": [
    "Operation Ghost"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "SVR"
   },
   "cve_count": 0,
   "technique_count": 16,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "ESET Dukes October 2019 reports Operation Ghost targeted European ministries of foreign affairs and a Washington D.C. EU-country embassy.",
     "source": "ESET Dukes October 2019"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0023",
   "cve_ids": [],
   "technique_ids": [
    "T1001",
    "T1027",
    "T1078",
    "T1102",
    "T1546",
    "T1583",
    "T1585",
    "T1587"
   ],
   "subtechnique_ids": [
    "T1001.002",
    "T1027.003",
    "T1078.002",
    "T1102.002",
    "T1546.003",
    "T1583.001",
    "T1585.001",
    "T1587.001"
   ]
  },
  {
   "actor_id": "C0024",
   "canonical_name": "SolarWinds Compromise",
   "aliases": [
    "SolarWinds Compromise"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "SVR"
   },
   "cve_count": 2,
   "technique_count": 96,
   "idf_score": 4.843,
   "exclusive_cve_count": 0,
   "active_year_min": 2021,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK C0024 description states victims included government organizations, corroborated by USG Joint Statement SolarWinds January 2021.",
     "source": "USG Joint Statement SolarWinds January 2021"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK C0024 description states victims included telecom organizations, corroborated by multiple cited reports including FireEye SUNBURST Backdoor December 2020.",
     "source": "FireEye SUNBURST Backdoor December 2020"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK C0024 description states victims included consulting organizations, corroborated by MSTIC NOBELIUM May 2021 and Mandiant UNC2452 APT29 April 2022.",
     "source": "Mandiant UNC2452 APT29 April 2022"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK C0024 description states victims included technology organizations, corroborated by Volexity SolarWinds and CrowdStrike StellarParticle January 2022.",
     "source": "CrowdStrike StellarParticle January 2022"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     1
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0024",
   "cve_ids": [
    "CVE-2020-8554",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1018",
    "T1021",
    "T1036",
    "T1047",
    "T1048",
    "T1053",
    "T1057",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1083",
    "T1087",
    "T1090",
    "T1098",
    "T1105",
    "T1114",
    "T1133",
    "T1140",
    "T1190",
    "T1195",
    "T1199",
    "T1213",
    "T1218",
    "T1482",
    "T1484",
    "T1539",
    "T1546",
    "T1550",
    "T1552",
    "T1553",
    "T1555",
    "T1558",
    "T1560",
    "T1568",
    "T1583",
    "T1584",
    "T1587",
    "T1589",
    "T1606",
    "T1665",
    "T1680",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.006",
    "T1016.001",
    "T1021.001",
    "T1021.002",
    "T1021.006",
    "T1036.004",
    "T1036.005",
    "T1048.002",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1069.002",
    "T1070.004",
    "T1070.006",
    "T1070.008",
    "T1071.001",
    "T1074.002",
    "T1078.002",
    "T1078.003",
    "T1078.004",
    "T1087.002",
    "T1090.001",
    "T1098.001",
    "T1098.002",
    "T1098.003",
    "T1098.005",
    "T1114.002",
    "T1195.002",
    "T1213.003",
    "T1218.011",
    "T1484.002",
    "T1546.003",
    "T1550.001",
    "T1550.004",
    "T1552.004",
    "T1553.002",
    "T1555.003",
    "T1558.003",
    "T1560.001",
    "T1583.001",
    "T1584.001",
    "T1587.001",
    "T1589.001",
    "T1606.001",
    "T1606.002",
    "T1685.001"
   ]
  },
  {
   "actor_id": "C0025",
   "canonical_name": "2016 Ukraine Electric Power Attack",
   "aliases": [
    "2016 Ukraine Electric Power Attack"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "GRU",
    "unit": "Unit 74455"
   },
   "cve_count": 1,
   "technique_count": 28,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2015,
   "active_year_max": 2015,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "Campaign used Industroyer malware to target Ukrainian electric distribution substations (MITRE C0025).",
     "source": "Dragos Crashoverride 2018"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "network",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0025",
   "cve_ids": [
    "CVE-2015-5374"
   ],
   "technique_ids": [
    "T1003",
    "T1018",
    "T1021",
    "T1027",
    "T1036",
    "T1047",
    "T1059",
    "T1098",
    "T1110",
    "T1136",
    "T1505",
    "T1543",
    "T1554",
    "T1570",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.002",
    "T1027.002",
    "T1036.005",
    "T1036.008",
    "T1036.010",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1136.002",
    "T1505.001",
    "T1543.003",
    "T1685.001"
   ]
  },
  {
   "actor_id": "C0026",
   "canonical_name": "C0026",
   "aliases": [
    "C0026"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 8,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0026",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1030",
    "T1105",
    "T1560",
    "T1568",
    "T1583"
   ],
   "subtechnique_ids": [
    "T1560.001",
    "T1583.001"
   ]
  },
  {
   "actor_id": "C0027",
   "canonical_name": "C0027",
   "aliases": [
    "C0027"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 42,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description of C0027 states it targeted telecommunications companies, citing Crowdstrike TELCO BPO Campaign December 2022.",
     "source": "Crowdstrike TELCO BPO Campaign December 2022"
    },
    {
     "naics": "56",
     "label": "Administrative & Support, Waste Management",
     "evidence": "MITRE ATT&CK description of C0027 states it targeted business process outsourcing (BPO) companies, citing Crowdstrike TELCO BPO Campaign December 2022.",
     "source": "Crowdstrike TELCO BPO Campaign December 2022"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0027",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1021",
    "T1046",
    "T1047",
    "T1069",
    "T1078",
    "T1087",
    "T1090",
    "T1098",
    "T1102",
    "T1105",
    "T1133",
    "T1190",
    "T1213",
    "T1219",
    "T1530",
    "T1566",
    "T1572",
    "T1578",
    "T1588",
    "T1589",
    "T1598",
    "T1621",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1003.006",
    "T1021.007",
    "T1069.003",
    "T1078.004",
    "T1087.003",
    "T1087.004",
    "T1098.001",
    "T1098.003",
    "T1098.005",
    "T1213.002",
    "T1219.002",
    "T1566.004",
    "T1578.002",
    "T1588.002",
    "T1589.001",
    "T1598.001",
    "T1598.004",
    "T1684.001"
   ]
  },
  {
   "actor_id": "C0028",
   "canonical_name": "2015 Ukraine Electric Power Attack",
   "aliases": [
    "2015 Ukraine Electric Power Attack"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "GRU",
    "unit": "Unit 74455"
   },
   "cve_count": 3,
   "technique_count": 25,
   "idf_score": 12.871,
   "exclusive_cve_count": 3,
   "active_year_min": 2014,
   "active_year_max": 2014,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "MITRE ATT&CK C0028 states Sandworm used BlackEnergy3/KillDisk to disrupt Ukrainian transmission/distribution substations (Booz Allen Hamilton).",
     "source": "Booz Allen Hamilton"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     3
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0028",
   "cve_ids": [
    "CVE-2014-6277",
    "CVE-2014-7186",
    "CVE-2014-7187"
   ],
   "technique_ids": [
    "T1018",
    "T1040",
    "T1055",
    "T1056",
    "T1059",
    "T1070",
    "T1071",
    "T1078",
    "T1105",
    "T1112",
    "T1133",
    "T1136",
    "T1204",
    "T1218",
    "T1566",
    "T1570",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1056.001",
    "T1059.005",
    "T1070.004",
    "T1071.001",
    "T1136.002",
    "T1204.002",
    "T1218.011",
    "T1566.001"
   ]
  },
  {
   "actor_id": "C0029",
   "canonical_name": "Cutting Edge",
   "aliases": [
    "Cutting Edge"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 42,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Mandiant Cutting Edge January 2024 and Volexity Ivanti Zero-Day Exploitation January 2024 report Cutting Edge targeting telecommunications sector via Ivanti VPN zero-days.",
     "source": "Mandiant Cutting Edge January 2024"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Mandiant Cutting Edge January 2024 and Volexity Ivanti Global Exploitation January 2024 report Cutting Edge targeting financial sector via Ivanti VPN zero-days.",
     "source": "Mandiant Cutting Edge January 2024"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "Mandiant Cutting Edge January 2024 reports Cutting Edge targeting aerospace sector as part of U.S. defense industrial base operations.",
     "source": "Mandiant Cutting Edge January 2024"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Mandiant Cutting Edge January 2024 explicitly states Cutting Edge targeted the U.S. defense industrial base with Ivanti Connect Secure exploits.",
     "source": "Mandiant Cutting Edge January 2024"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0029",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1021",
    "T1027",
    "T1055",
    "T1056",
    "T1059",
    "T1070",
    "T1071",
    "T1078",
    "T1082",
    "T1095",
    "T1105",
    "T1190",
    "T1205",
    "T1505",
    "T1554",
    "T1560",
    "T1572",
    "T1584",
    "T1588",
    "T1594",
    "T1595",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.003",
    "T1021.001",
    "T1021.002",
    "T1021.004",
    "T1027.013",
    "T1056.001",
    "T1056.003",
    "T1059.006",
    "T1070.004",
    "T1070.006",
    "T1071.004",
    "T1078.002",
    "T1505.003",
    "T1560.001",
    "T1584.008",
    "T1588.002",
    "T1595.002"
   ]
  },
  {
   "actor_id": "C0030",
   "canonical_name": "Triton Safety Instrumented System Attack",
   "aliases": [
    "Triton Safety Instrumented System Attack"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 18,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK C0030 and FireEye TRITON 2017/2018 report TEMP.Veles Triton malware deployed against a petrochemical organization targeting Triconex SIS controllers.",
     "source": "FireEye TRITON 2017"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0030",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1027",
    "T1036",
    "T1053",
    "T1056",
    "T1059",
    "T1573",
    "T1587",
    "T1588",
    "T1595"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1027.005",
    "T1036.005",
    "T1053.005",
    "T1056.003",
    "T1059.001",
    "T1587.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0032",
   "canonical_name": "C0032",
   "aliases": [
    "C0032"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 28,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0032",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1021",
    "T1036",
    "T1053",
    "T1059",
    "T1070",
    "T1074",
    "T1078",
    "T1133",
    "T1505",
    "T1546",
    "T1571",
    "T1572",
    "T1583",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.004",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1070.004",
    "T1070.006",
    "T1074.001",
    "T1505.003",
    "T1546.012",
    "T1583.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0033",
   "canonical_name": "C0033",
   "aliases": [
    "C0033"
   ],
   "category": "state",
   "sponsor": {
    "country": "TR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0033",
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "C0034",
   "canonical_name": "2022 Ukraine Electric Power Attack",
   "aliases": [
    "2022 Ukraine Electric Power Attack"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "GRU",
    "unit": "Unit 74455"
   },
   "cve_count": 0,
   "technique_count": 16,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "Targeted Ukrainian electric utility SCADA system to issue unauthorized commands (Mandiant-Sandworm-Ukraine-2022; Dragos-Sandworm-Ukraine-2022).",
     "source": "Mandiant-Sandworm-Ukraine-2022"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0034",
   "cve_ids": [],
   "technique_ids": [
    "T1036",
    "T1053",
    "T1059",
    "T1095",
    "T1484",
    "T1485",
    "T1505",
    "T1543",
    "T1570",
    "T1572"
   ],
   "subtechnique_ids": [
    "T1036.004",
    "T1053.005",
    "T1059.001",
    "T1484.001",
    "T1505.003",
    "T1543.002"
   ]
  },
  {
   "actor_id": "C0035",
   "canonical_name": "KV Botnet Activity",
   "aliases": [
    "KV Botnet Activity"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "PLA"
   },
   "cve_count": 1,
   "technique_count": 28,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "MITRE ATT&CK description states KV Botnet was used by Volt Typhoon to reach victims in energy sector critical infrastructure (Lumen KVBotnet 2023).",
     "source": "Lumen KVBotnet 2023"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description states KV Botnet was used by Volt Typhoon to reach victims in telecommunication companies (Lumen KVBotnet 2023).",
     "source": "Lumen KVBotnet 2023"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "9221",
     "label": "Justice, Public Order & Safety",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "other",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0035",
   "cve_ids": [
    "CVE-2022-27997"
   ],
   "technique_ids": [
    "T1016",
    "T1036",
    "T1055",
    "T1057",
    "T1059",
    "T1070",
    "T1082",
    "T1083",
    "T1095",
    "T1105",
    "T1222",
    "T1518",
    "T1546",
    "T1564",
    "T1571",
    "T1573",
    "T1583",
    "T1584",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1036.004",
    "T1055.009",
    "T1059.004",
    "T1070.004",
    "T1222.002",
    "T1518.001",
    "T1564.013",
    "T1583.003",
    "T1584.008"
   ]
  },
  {
   "actor_id": "C0036",
   "canonical_name": "Pikabot Distribution February 2024",
   "aliases": [
    "Pikabot Distribution February 2024"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 6,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0036",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1566",
    "T1574"
   ],
   "subtechnique_ids": [
    "T1059.001",
    "T1059.007",
    "T1566.002"
   ]
  },
  {
   "actor_id": "C0037",
   "canonical_name": "Water Curupira Pikabot Distribution",
   "aliases": [
    "Water Curupira Pikabot Distribution"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 14,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0037",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1105",
    "T1140",
    "T1204",
    "T1218",
    "T1566",
    "T1589"
   ],
   "subtechnique_ids": [
    "T1059.003",
    "T1059.007",
    "T1204.001",
    "T1204.002",
    "T1218.011",
    "T1566.001",
    "T1589.002"
   ]
  },
  {
   "actor_id": "C0038",
   "canonical_name": "HomeLand Justice",
   "aliases": [
    "HomeLand Justice"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 36,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "HomeLand Justice targeted Albanian government networks in July/Sept 2022 per CISA Iran Albanian Attacks September 2022 and Microsoft Albanian Government Attacks September 2022.",
     "source": "CISA Iran Albanian Attacks September 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "9221",
     "label": "Justice, Public Order & Safety",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0038",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1021",
    "T1036",
    "T1041",
    "T1046",
    "T1047",
    "T1059",
    "T1078",
    "T1087",
    "T1098",
    "T1105",
    "T1114",
    "T1134",
    "T1190",
    "T1486",
    "T1505",
    "T1561",
    "T1570",
    "T1588",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.002",
    "T1036.005",
    "T1059.001",
    "T1059.003",
    "T1078.001",
    "T1087.003",
    "T1098.002",
    "T1114.002",
    "T1134.001",
    "T1505.003",
    "T1561.002",
    "T1588.002",
    "T1588.003",
    "T1685.001"
   ]
  },
  {
   "actor_id": "C0039",
   "canonical_name": "Versa Director Zero Day Exploitation",
   "aliases": [
    "Versa Director Zero Day Exploitation"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "PLA"
   },
   "cve_count": 0,
   "technique_count": 13,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Lumen Versa 2024 reports zero-day exploitation of Versa Director servers at ISPs to capture credentials for follow-on access.",
     "source": "Lumen Versa 2024"
    },
    {
     "naics": "518",
     "label": "Computing Infrastructure Providers, Data Processing & Hosting",
     "evidence": "Lumen Versa 2024 reports zero-day exploitation of Versa Director servers at MSPs to capture credentials for follow-on access.",
     "source": "Lumen Versa 2024"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0039",
   "cve_ids": [],
   "technique_ids": [
    "T1056",
    "T1071",
    "T1095",
    "T1190",
    "T1505",
    "T1573",
    "T1584",
    "T1587"
   ],
   "subtechnique_ids": [
    "T1071.001",
    "T1505.003",
    "T1573.002",
    "T1584.008",
    "T1587.001"
   ]
  },
  {
   "actor_id": "C0040",
   "canonical_name": "APT41 DUST",
   "aliases": [
    "APT41 DUST"
   ],
   "category": "state-contractor",
   "sponsor": {
    "country": "CN",
    "agency": "MSS"
   },
   "cve_count": 0,
   "technique_count": 42,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "483",
     "label": "Water Transportation",
     "evidence": "MITRE ATT&CK C0040 states APT41 DUST targeted shipping for information gathering (Google Cloud APT41 2024).",
     "source": "Google Cloud APT41 2024"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "MITRE ATT&CK C0040 states APT41 DUST targeted logistics for information gathering (Google Cloud APT41 2024).",
     "source": "Google Cloud APT41 2024"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "MITRE ATT&CK C0040 states APT41 DUST targeted media for information gathering (Google Cloud APT41 2024).",
     "source": "Google Cloud APT41 2024"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0040",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1070",
    "T1071",
    "T1074",
    "T1102",
    "T1105",
    "T1119",
    "T1213",
    "T1505",
    "T1543",
    "T1553",
    "T1560",
    "T1567",
    "T1569",
    "T1573",
    "T1574",
    "T1583",
    "T1586",
    "T1588",
    "T1593",
    "T1594",
    "T1596"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1036.004",
    "T1070.004",
    "T1071.001",
    "T1074.001",
    "T1213.006",
    "T1505.003",
    "T1543.003",
    "T1553.002",
    "T1560.001",
    "T1567.002",
    "T1569.002",
    "T1573.002",
    "T1574.001",
    "T1583.007",
    "T1586.003",
    "T1588.003",
    "T1593.002",
    "T1596.005"
   ]
  },
  {
   "actor_id": "C0041",
   "canonical_name": "FrostyGoop Incident",
   "aliases": [
    "FrostyGoop Incident"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2213",
     "label": "Water, Sewage & Other Systems",
     "evidence": "Targeted municipal district heating company in Ukraine impacting civilian heating services (Dragos FROSTYGOOP 2024).",
     "source": "Dragos FROSTYGOOP 2024"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0041",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1071",
    "T1190",
    "T1505",
    "T1689"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1505.003"
   ]
  },
  {
   "actor_id": "C0042",
   "canonical_name": "Outer Space",
   "aliases": [
    "Outer Space"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR",
    "agency": "MOIS"
   },
   "cve_count": 0,
   "technique_count": 14,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0042",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1071",
    "T1105",
    "T1217",
    "T1584",
    "T1585",
    "T1587"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1059.005",
    "T1071.001",
    "T1584.004",
    "T1585.003",
    "T1587.001"
   ]
  },
  {
   "actor_id": "C0043",
   "canonical_name": "Indian Critical Infrastructure Intrusions",
   "aliases": [
    "Indian Critical Infrastructure Intrusions"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 12,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "MITRE ATT&CK description states campaign focused on IT breaches in Indian electric utility entities (RecordedFuture RedEcho 2021).",
     "source": "RecordedFuture RedEcho 2021"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "MITRE ATT&CK description states campaign focused on IT breaches in Indian logistics firms (RecordedFuture RedEcho 2021).",
     "source": "RecordedFuture RedEcho 2021"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0043",
   "cve_ids": [],
   "technique_ids": [
    "T1071",
    "T1568",
    "T1571",
    "T1573",
    "T1583",
    "T1584",
    "T1588",
    "T1599"
   ],
   "subtechnique_ids": [
    "T1071.001",
    "T1573.002",
    "T1583.001",
    "T1588.004"
   ]
  },
  {
   "actor_id": "C0044",
   "canonical_name": "Juicy Mix",
   "aliases": [
    "Juicy Mix"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR",
    "agency": "MOIS"
   },
   "cve_count": 0,
   "technique_count": 22,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0044",
   "cve_ids": [],
   "technique_ids": [
    "T1053",
    "T1059",
    "T1071",
    "T1074",
    "T1082",
    "T1132",
    "T1140",
    "T1217",
    "T1518",
    "T1555",
    "T1584",
    "T1587"
   ],
   "subtechnique_ids": [
    "T1053.005",
    "T1059.001",
    "T1059.005",
    "T1071.001",
    "T1074.001",
    "T1132.001",
    "T1555.003",
    "T1555.004",
    "T1584.004",
    "T1587.001"
   ]
  },
  {
   "actor_id": "C0045",
   "canonical_name": "ShadowRay",
   "aliases": [
    "ShadowRay"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 16,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description of ShadowRay explicitly states targeting of the education sector via CVE-2023-48022 (Oligo ShadowRay Campaign MAR 2024).",
     "source": "Oligo ShadowRay Campaign MAR 2024"
    },
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "MITRE ATT&CK description of ShadowRay explicitly states targeting of the cryptocurrency sector via CVE-2023-48022 (Oligo ShadowRay Campaign MAR 2024).",
     "source": "Oligo ShadowRay Campaign MAR 2024"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK description of ShadowRay explicitly states targeting of the biopharma sector via CVE-2023-48022 (Oligo ShadowRay Campaign MAR 2024).",
     "source": "Oligo ShadowRay Campaign MAR 2024"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0045",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1016",
    "T1027",
    "T1059",
    "T1068",
    "T1105",
    "T1190",
    "T1496",
    "T1546",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.008",
    "T1027.013",
    "T1059.006",
    "T1496.001",
    "T1546.004",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0046",
   "canonical_name": "ArcaneDoor",
   "aliases": [
    "ArcaneDoor"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 2,
   "technique_count": 30,
   "idf_score": 8.581,
   "exclusive_cve_count": 2,
   "active_year_min": 2018,
   "active_year_max": 2025,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states ArcaneDoor primarily focused on government and critical infrastructure networks (Cisco ArcaneDoor 2024; CCCS ArcaneDoor 2024).",
     "source": "Cisco ArcaneDoor 2024"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "network",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0046",
   "cve_ids": [
    "CVE-2018-0101",
    "CVE-2025-20363"
   ],
   "technique_ids": [
    "T1014",
    "T1020",
    "T1036",
    "T1037",
    "T1040",
    "T1041",
    "T1055",
    "T1059",
    "T1070",
    "T1071",
    "T1082",
    "T1102",
    "T1119",
    "T1133",
    "T1140",
    "T1190",
    "T1556",
    "T1557",
    "T1583",
    "T1587",
    "T1653",
    "T1685",
    "T1690"
   ],
   "subtechnique_ids": [
    "T1070.004",
    "T1071.001",
    "T1102.003",
    "T1583.003",
    "T1583.006",
    "T1587.001",
    "T1587.003"
   ]
  },
  {
   "actor_id": "C0047",
   "canonical_name": "RedDelta Modified PlugX Infection Chain Operations",
   "aliases": [
    "RedDelta Modified PlugX Infection Chain Operations"
   ],
   "category": "state-contractor",
   "sponsor": {
    "country": "CN",
    "agency": "MSS"
   },
   "cve_count": 0,
   "technique_count": 36,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0047",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1059",
    "T1071",
    "T1082",
    "T1090",
    "T1095",
    "T1203",
    "T1204",
    "T1218",
    "T1480",
    "T1547",
    "T1553",
    "T1564",
    "T1566",
    "T1574",
    "T1583",
    "T1588",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1036.004",
    "T1059.001",
    "T1071.001",
    "T1204.001",
    "T1204.002",
    "T1218.007",
    "T1218.014",
    "T1547.001",
    "T1553.002",
    "T1564.001",
    "T1566.001",
    "T1566.002",
    "T1574.001",
    "T1583.001",
    "T1588.004",
    "T1608.001"
   ]
  },
  {
   "actor_id": "C0048",
   "canonical_name": "Operation MidnightEclipse",
   "aliases": [
    "Operation MidnightEclipse"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 25,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0048",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1021",
    "T1053",
    "T1059",
    "T1071",
    "T1074",
    "T1078",
    "T1090",
    "T1105",
    "T1190",
    "T1559",
    "T1584",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.003",
    "T1021.002",
    "T1021.006",
    "T1053.003",
    "T1059.004",
    "T1071.001",
    "T1074.001",
    "T1078.002",
    "T1584.003",
    "T1584.006",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0049",
   "canonical_name": "Leviathan Australian Intrusions",
   "aliases": [
    "Leviathan Australian Intrusions"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "MSS",
    "unit": "Hainan Bureau"
   },
   "cve_count": 0,
   "technique_count": 32,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0049",
   "cve_ids": [],
   "technique_ids": [
    "T1018",
    "T1021",
    "T1041",
    "T1056",
    "T1068",
    "T1074",
    "T1078",
    "T1082",
    "T1111",
    "T1135",
    "T1190",
    "T1212",
    "T1213",
    "T1482",
    "T1505",
    "T1528",
    "T1552",
    "T1558",
    "T1588",
    "T1594",
    "T1615",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1021.004",
    "T1074.001",
    "T1078.002",
    "T1078.003",
    "T1213.006",
    "T1505.003",
    "T1552.001",
    "T1558.003",
    "T1588.006"
   ]
  },
  {
   "actor_id": "C0050",
   "canonical_name": "J-magic Campaign",
   "aliases": [
    "J-magic Campaign"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 8,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "Lumen J-Magic JAN 2025 states J-magic targeted semiconductor sector routers.",
     "source": "Lumen J-Magic JAN 2025"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Lumen J-Magic JAN 2025 states J-magic targeted energy sector routers.",
     "source": "Lumen J-Magic JAN 2025"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "Lumen J-Magic JAN 2025 states J-magic targeted manufacturing sector routers.",
     "source": "Lumen J-Magic JAN 2025"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Lumen J-Magic JAN 2025 states J-magic targeted IT sector routers.",
     "source": "Lumen J-Magic JAN 2025"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0050",
   "cve_ids": [],
   "technique_ids": [
    "T1036",
    "T1583",
    "T1587",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1583.003",
    "T1587.003",
    "T1588.001"
   ]
  },
  {
   "actor_id": "C0051",
   "canonical_name": "APT28 Nearest Neighbor Campaign",
   "aliases": [
    "APT28 Nearest Neighbor Campaign"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "GRU",
    "unit": "Unit 26165"
   },
   "cve_count": 0,
   "technique_count": 28,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0051",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1006",
    "T1016",
    "T1021",
    "T1059",
    "T1074",
    "T1090",
    "T1110",
    "T1140",
    "T1560",
    "T1561",
    "T1567",
    "T1584",
    "T1669",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1003.003",
    "T1016.002",
    "T1021.001",
    "T1021.002",
    "T1059.001",
    "T1059.003",
    "T1074.001",
    "T1090.001",
    "T1110.003",
    "T1560.001",
    "T1561.001",
    "T1686.003"
   ]
  },
  {
   "actor_id": "C0052",
   "canonical_name": "SPACEHOP Activity",
   "aliases": [
    "SPACEHOP Activity"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0052",
   "cve_ids": [],
   "technique_ids": [
    "T1090",
    "T1190",
    "T1583",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1090.003",
    "T1583.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "C0053",
   "canonical_name": "FLORAHOX Activity",
   "aliases": [
    "FLORAHOX Activity"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 9,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0053",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1090",
    "T1190",
    "T1583",
    "T1584"
   ],
   "subtechnique_ids": [
    "T1059.004",
    "T1090.003",
    "T1583.003",
    "T1584.008"
   ]
  },
  {
   "actor_id": "C0055",
   "canonical_name": "Quad7 Activity",
   "aliases": [
    "Quad7 Activity"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 22,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Microsoft Storm-0940 states Storm-0940 used Quad7 credentials to target government agencies.",
     "source": "Microsoft Storm-0940"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "Microsoft Storm-0940 states Storm-0940 used Quad7 credentials to target energy firms.",
     "source": "Microsoft Storm-0940"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "Microsoft Storm-0940 states Storm-0940 used Quad7 credentials to target law firms and think tanks.",
     "source": "Microsoft Storm-0940"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Microsoft Storm-0940 states Storm-0940 used Quad7 credentials to target defense industrial base entities.",
     "source": "Microsoft Storm-0940"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0055",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1071",
    "T1090",
    "T1105",
    "T1110",
    "T1190",
    "T1571",
    "T1584",
    "T1589",
    "T1665",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1027.011",
    "T1059.004",
    "T1071.001",
    "T1071.002",
    "T1090.002",
    "T1090.003",
    "T1110.003",
    "T1584.005",
    "T1584.008",
    "T1589.002"
   ]
  },
  {
   "actor_id": "C0056",
   "canonical_name": "RedPenguin",
   "aliases": [
    "RedPenguin"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 32,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2025,
   "active_year_max": 2025,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [
    [
     "network",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0056",
   "cve_ids": [
    "CVE-2025-21590"
   ],
   "technique_ids": [
    "T1014",
    "T1016",
    "T1027",
    "T1036",
    "T1040",
    "T1041",
    "T1055",
    "T1057",
    "T1059",
    "T1070",
    "T1078",
    "T1090",
    "T1095",
    "T1104",
    "T1105",
    "T1140",
    "T1203",
    "T1205",
    "T1554",
    "T1571",
    "T1573",
    "T1587",
    "T1690"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1036.005",
    "T1059.004",
    "T1059.008",
    "T1070.004",
    "T1070.007",
    "T1090.003",
    "T1573.001",
    "T1587.001"
   ]
  },
  {
   "actor_id": "C0057",
   "canonical_name": "3CX Supply Chain Attack",
   "aliases": [
    "3CX Supply Chain Attack"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP"
   },
   "cve_count": 0,
   "technique_count": 31,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Mandiant 3cx UNC4736 2023 states subsequent targeting focused on defense-sector victims after 3CX compromise.",
     "source": "Mandiant 3cx UNC4736 2023"
    },
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "Kaspersky 3CX Gopuram 2023 states subsequent targeting focused on cryptocurrency-sector victims after 3CX compromise.",
     "source": "Kaspersky 3CX Gopuram 2023"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0057",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1055",
    "T1071",
    "T1078",
    "T1102",
    "T1189",
    "T1195",
    "T1203",
    "T1217",
    "T1218",
    "T1543",
    "T1546",
    "T1553",
    "T1559",
    "T1573",
    "T1574",
    "T1620",
    "T1678"
   ],
   "subtechnique_ids": [
    "T1027.009",
    "T1027.013",
    "T1055.002",
    "T1071.001",
    "T1102.001",
    "T1195.002",
    "T1218.007",
    "T1218.015",
    "T1543.004",
    "T1546.016",
    "T1553.002",
    "T1573.001",
    "T1574.001"
   ]
  },
  {
   "actor_id": "C0058",
   "canonical_name": "SharePoint ToolShell Exploitation",
   "aliases": [
    "SharePoint ToolShell Exploitation"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 7,
   "technique_count": 49,
   "idf_score": 29.34,
   "exclusive_cve_count": 6,
   "active_year_min": 2021,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK description states ToolShell campaign targeted finance among other industries (Citation: Microsoft SharePoint Exploit JUL 2025).",
     "source": "Microsoft SharePoint Exploit JUL 2025"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states ToolShell campaign targeted education among other industries (Citation: Microsoft SharePoint Exploit JUL 2025).",
     "source": "Microsoft SharePoint Exploit JUL 2025"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "MITRE ATT&CK description states ToolShell campaign targeted energy among other industries (Citation: Microsoft SharePoint Exploit JUL 2025).",
     "source": "Microsoft SharePoint Exploit JUL 2025"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK description states ToolShell campaign targeted healthcare among other industries (Citation: Microsoft SharePoint Exploit JUL 2025).",
     "source": "Microsoft SharePoint Exploit JUL 2025"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     4
    ],
    [
     "other",
     2
    ],
    [
     "application",
     2
    ],
    [
     "macos",
     1
    ],
    [
     "linux",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/campaigns/C0058",
   "cve_ids": [
    "CVE-2021-28474",
    "CVE-2025-0921",
    "CVE-2025-23304",
    "CVE-2025-49706",
    "CVE-2025-53771",
    "CVE-2025-66478",
    "CVE-2026-22584"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1027",
    "T1033",
    "T1041",
    "T1047",
    "T1053",
    "T1059",
    "T1071",
    "T1074",
    "T1082",
    "T1083",
    "T1090",
    "T1105",
    "T1112",
    "T1119",
    "T1140",
    "T1190",
    "T1484",
    "T1486",
    "T1505",
    "T1552",
    "T1569",
    "T1570",
    "T1572",
    "T1583",
    "T1585",
    "T1588",
    "T1595",
    "T1620",
    "T1657",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1027.002",
    "T1027.010",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1071.001",
    "T1074.001",
    "T1484.001",
    "T1505.003",
    "T1505.004",
    "T1552.001",
    "T1569.002",
    "T1583.001",
    "T1585.002",
    "T1588.002",
    "T1595.002"
   ]
  },
  {
   "actor_id": "C0059",
   "canonical_name": "Salesforce Data Exfiltration",
   "aliases": [
    "Salesforce Data Exfiltration"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 27,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0059",
   "cve_ids": [],
   "technique_ids": [
    "T1020",
    "T1036",
    "T1059",
    "T1078",
    "T1083",
    "T1090",
    "T1213",
    "T1567",
    "T1585",
    "T1586",
    "T1587",
    "T1588",
    "T1598",
    "T1608",
    "T1671",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1059.006",
    "T1078.002",
    "T1090.003",
    "T1213.004",
    "T1585.002",
    "T1586.002",
    "T1587.001",
    "T1588.002",
    "T1598.004",
    "T1608.005",
    "T1684.001"
   ]
  },
  {
   "actor_id": "C0060",
   "canonical_name": "Operation AkaiRy\u016b",
   "aliases": [
    "Operation AkaiRy\u016b",
    "AkaiRy\u016b"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 40,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0060",
   "cve_ids": [],
   "technique_ids": [
    "T1016",
    "T1036",
    "T1047",
    "T1059",
    "T1070",
    "T1082",
    "T1083",
    "T1127",
    "T1137",
    "T1204",
    "T1217",
    "T1219",
    "T1553",
    "T1566",
    "T1585",
    "T1586",
    "T1587",
    "T1588",
    "T1608",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1036.008",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1070.004",
    "T1127.001",
    "T1137.001",
    "T1204.001",
    "T1204.002",
    "T1219.001",
    "T1553.002",
    "T1566.001",
    "T1566.002",
    "T1585.002",
    "T1585.003",
    "T1586.002",
    "T1587.001",
    "T1588.002",
    "T1608.005",
    "T1685.005"
   ]
  },
  {
   "actor_id": "C0061",
   "canonical_name": "Operation Digital Eye",
   "aliases": [
    "Operation Digital Eye"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 37,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states Operation Digital Eye targeted business-to-business IT service providers (SentinelOne operationDigitalEye Dec 2024).",
     "source": "SentinelOne operationDigitalEye Dec 2024"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0061",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1018",
    "T1021",
    "T1033",
    "T1036",
    "T1059",
    "T1069",
    "T1070",
    "T1087",
    "T1098",
    "T1106",
    "T1190",
    "T1219",
    "T1505",
    "T1543",
    "T1550",
    "T1569",
    "T1588",
    "T1591",
    "T1614",
    "T1665"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1021.001",
    "T1036.005",
    "T1059.003",
    "T1069.001",
    "T1070.004",
    "T1087.001",
    "T1098.004",
    "T1219.001",
    "T1505.003",
    "T1543.003",
    "T1550.002",
    "T1569.002",
    "T1588.002",
    "T1614.001"
   ]
  },
  {
   "actor_id": "C0062",
   "canonical_name": "Anthropic AI-orchestrated Campaign",
   "aliases": [
    "Anthropic AI-orchestrated Campaign"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 36,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK description states the campaign targeted ~30 entities in the chemical sector (Citation: Anthropic AI Orchestrated Campaign NOV 2025).",
     "source": "Anthropic AI Orchestrated Campaign NOV 2025"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK description states the campaign targeted ~30 entities in the financial sector (Citation: Anthropic AI Orchestrated Campaign NOV 2025).",
     "source": "Anthropic AI Orchestrated Campaign NOV 2025"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK description states the campaign targeted ~30 entities in the technology sector (Citation: Anthropic AI Orchestrated Campaign NOV 2025).",
     "source": "Anthropic AI Orchestrated Campaign NOV 2025"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states the campaign targeted ~30 entities in the government sector (Citation: Anthropic AI Orchestrated Campaign NOV 2025).",
     "source": "Anthropic AI Orchestrated Campaign NOV 2025"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0062",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1016",
    "T1046",
    "T1049",
    "T1074",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1119",
    "T1136",
    "T1190",
    "T1213",
    "T1552",
    "T1567",
    "T1584",
    "T1587",
    "T1588",
    "T1590",
    "T1592",
    "T1595",
    "T1683"
   ],
   "subtechnique_ids": [
    "T1074.001",
    "T1078.003",
    "T1136.001",
    "T1213.006",
    "T1552.001",
    "T1584.004",
    "T1587.004",
    "T1588.002",
    "T1588.007",
    "T1590.004",
    "T1592.002",
    "T1592.004",
    "T1595.001",
    "T1595.002"
   ]
  },
  {
   "actor_id": "C0063",
   "canonical_name": "2025 Poland Wiper Attacks",
   "aliases": [
    "2025 Poland Wiper Attacks",
    "2025 Poland Wiper Campaign"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 77,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "MITRE ATT&CK description states the campaign targeted Polish energy infrastructure including >30 wind/photovoltaic farms and a CHP plant (Dragos ELECTRUM JAN 2026).",
     "source": "Dragos ELECTRUM JAN 2026"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK description states the campaign targeted a manufacturing sector company in addition to energy infrastructure (ESET DynoWiper JAN 2026).",
     "source": "ESET DynoWiper JAN 2026"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/campaigns/C0063",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1006",
    "T1016",
    "T1021",
    "T1027",
    "T1036",
    "T1046",
    "T1048",
    "T1049",
    "T1053",
    "T1057",
    "T1059",
    "T1074",
    "T1078",
    "T1083",
    "T1090",
    "T1102",
    "T1105",
    "T1110",
    "T1113",
    "T1114",
    "T1133",
    "T1140",
    "T1484",
    "T1485",
    "T1490",
    "T1495",
    "T1529",
    "T1530",
    "T1550",
    "T1555",
    "T1556",
    "T1558",
    "T1560",
    "T1567",
    "T1570",
    "T1571",
    "T1583",
    "T1584",
    "T1587",
    "T1588",
    "T1590",
    "T1602",
    "T1608",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.003",
    "T1021.001",
    "T1027.013",
    "T1036.005",
    "T1048.003",
    "T1059.003",
    "T1059.004",
    "T1059.008",
    "T1074.001",
    "T1078.002",
    "T1078.004",
    "T1090.003",
    "T1102.002",
    "T1110.002",
    "T1114.002",
    "T1484.001",
    "T1550.002",
    "T1556.006",
    "T1560.001",
    "T1567.004",
    "T1583.006",
    "T1584.001",
    "T1584.003",
    "T1584.008",
    "T1587.001",
    "T1588.007",
    "T1590.006",
    "T1602.002",
    "T1608.002",
    "T1686.002"
   ]
  },
  {
   "actor_id": "COMP-ADIDAS-NIKE-2014",
   "canonical_name": "Adidas AG (Nike 3-designer civil suit 2014)",
   "aliases": [
    "Adidas AG (Nike 3-designer civil suit 2014)",
    "Adidas",
    "Adidas Group"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-AIRBUS-BOEING-CIVIL",
   "canonical_name": "Airbus SE (Boeing 787 fuselage civil counter-claim 2010)",
   "aliases": [
    "Airbus SE (Boeing 787 fuselage civil counter-claim 2010)",
    "Airbus",
    "Airbus SE",
    "EADS"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-AIRBUS-EUROCOPTER-DEFENDANT",
   "canonical_name": "Airbus Helicopters (Eurocopter, Sikorsky composite-blade case)",
   "aliases": [
    "Airbus Helicopters (Eurocopter, Sikorsky composite-blade case)",
    "Airbus Helicopters",
    "Eurocopter",
    "Airbus Helicopters Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-AMAZON-WALMART-LOGISTICS",
   "canonical_name": "Amazon.com (Walmart logistics engineer recruitment civil claims)",
   "aliases": [
    "Amazon.com (Walmart logistics engineer recruitment civil claims)",
    "Amazon",
    "Amazon.com Inc",
    "AWS"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-ANTHROPIC-OPENAI",
   "canonical_name": "Anthropic (OpenAI / Google researcher-recruitment claims)",
   "aliases": [
    "Anthropic (OpenAI / Google researcher-recruitment claims)",
    "Anthropic",
    "Anthropic PBC"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-APPLE-MASIMO",
   "canonical_name": "Apple Inc. (Masimo pulse-oximetry trade-secret 2020-2024)",
   "aliases": [
    "Apple Inc. (Masimo pulse-oximetry trade-secret 2020-2024)",
    "Apple",
    "Apple Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-ATOS-SOPRA",
   "canonical_name": "Atos SE (Sopra Steria / Capgemini civil disputes)",
   "aliases": [
    "Atos SE (Sopra Steria / Capgemini civil disputes)",
    "Atos",
    "Atos SE",
    "Atos Origin"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-AUDI-VW-BYD",
   "canonical_name": "Audi AG / VW Group (BYD-recruitment defendants 2022-2024)",
   "aliases": [
    "Audi AG / VW Group (BYD-recruitment defendants 2022-2024)",
    "Audi",
    "Audi AG",
    "Volkswagen",
    "VW Group"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-AVANT",
   "canonical_name": "Avant! Corporation (Cadence Design Systems case)",
   "aliases": [
    "Avant! Corporation (Cadence Design Systems case)",
    "Avant!",
    "Avant Corporation"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-BAIC",
   "canonical_name": "BAIC Group (Daimler / Hyundai alleged engineer beneficiary)",
   "aliases": [
    "BAIC Group (Daimler / Hyundai alleged engineer beneficiary)",
    "BAIC",
    "BAIC Group",
    "Beijing Automotive"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-BAIDU-APOLLO",
   "canonical_name": "Baidu Apollo (Waymo / Tesla alleged engineer beneficiary)",
   "aliases": [
    "Baidu Apollo (Waymo / Tesla alleged engineer beneficiary)",
    "Baidu",
    "Baidu Apollo",
    "\u767e\u5ea6",
    "Apollo Auto"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-BMW-MERCEDES-2021",
   "canonical_name": "BMW AG (Mercedes / Daimler civil engineer-recruitment disputes)",
   "aliases": [
    "BMW AG (Mercedes / Daimler civil engineer-recruitment disputes)",
    "BMW",
    "Bayerische Motoren Werke AG"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-BOE",
   "canonical_name": "BOE Technology Group",
   "aliases": [
    "BOE Technology Group",
    "BOE",
    "BOE Technology",
    "\u4eac\u4e1c\u65b9"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-BOE-SAMSUNG-OLED",
   "canonical_name": "BOE Technology (Samsung Display OLED ITC trade-secret 2023-2025)",
   "aliases": [
    "BOE Technology (Samsung Display OLED ITC trade-secret 2023-2025)",
    "BOE",
    "BOE Technology Group",
    "\u4eac\u4e1c\u65b9"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-BOSCH-BMW-2017",
   "canonical_name": "Robert Bosch GmbH (BMW e-axle insider-recruitment 2017)",
   "aliases": [
    "Robert Bosch GmbH (BMW e-axle insider-recruitment 2017)",
    "Robert Bosch GmbH",
    "Bosch"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-BYD-TESLA",
   "canonical_name": "BYD Company (alleged Tesla cases)",
   "aliases": [
    "BYD Company (alleged Tesla cases)",
    "BYD",
    "BYD Company",
    "\u6bd4\u4e9a\u8fea"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CAPGEMINI-IT",
   "canonical_name": "Capgemini SE (IT-consultancy non-compete civil disputes)",
   "aliases": [
    "Capgemini SE (IT-consultancy non-compete civil disputes)",
    "Capgemini",
    "Capgemini SE",
    "Cap Gemini"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CATL",
   "canonical_name": "CATL (Contemporary Amperex Technology)",
   "aliases": [
    "CATL (Contemporary Amperex Technology)",
    "CATL",
    "Contemporary Amperex Technology",
    "\u5b81\u5fb7\u65f6\u4ee3"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CGNPC",
   "canonical_name": "China General Nuclear Power Corp (CGNPC)",
   "aliases": [
    "China General Nuclear Power Corp (CGNPC)",
    "CGNPC",
    "China General Nuclear Power Corporation",
    "China General Nuclear"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CITADEL-JUMP",
   "canonical_name": "Citadel Securities (Jump Trading trade-secret 2014-2016)",
   "aliases": [
    "Citadel Securities (Jump Trading trade-secret 2014-2016)",
    "Citadel",
    "Citadel Securities LLC"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CLOUDFLARE-AKAMAI",
   "canonical_name": "Cloudflare (Akamai trade-secret civil claims)",
   "aliases": [
    "Cloudflare (Akamai trade-secret civil claims)",
    "Cloudflare",
    "Cloudflare Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-COINBASE-BINANCE-US",
   "canonical_name": "Coinbase Global (Binance.US civil exchange-engineer claims)",
   "aliases": [
    "Coinbase Global (Binance.US civil exchange-engineer claims)",
    "Coinbase",
    "Coinbase Global Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CONTINENTAL-BOSCH",
   "canonical_name": "Continental AG (Bosch / Schaeffler civil disputes)",
   "aliases": [
    "Continental AG (Bosch / Schaeffler civil disputes)",
    "Continental",
    "Continental AG"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-COUPA-SAP-ARIBA",
   "canonical_name": "Coupa Software (SAP Ariba civil claims over employee defection)",
   "aliases": [
    "Coupa Software (SAP Ariba civil claims over employee defection)",
    "Coupa",
    "Coupa Software Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CROWDSTRIKE-MCAFEE",
   "canonical_name": "CrowdStrike (McAfee / Symantec civil claims)",
   "aliases": [
    "CrowdStrike (McAfee / Symantec civil claims)",
    "CrowdStrike",
    "CrowdStrike Holdings Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-CXMT",
   "canonical_name": "ChangXin Memory Technologies (CXMT / DRAM)",
   "aliases": [
    "ChangXin Memory Technologies (CXMT / DRAM)",
    "CXMT",
    "ChangXin Memory",
    "ChangXin Memory Technologies",
    "\u957f\u946b\u5b58\u50a8"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-DASSAULT-SAFRAN",
   "canonical_name": "Dassault Aviation (Safran civil IP disputes)",
   "aliases": [
    "Dassault Aviation (Safran civil IP disputes)",
    "Dassault Aviation",
    "Dassault"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-DATADOG-NEW-RELIC",
   "canonical_name": "Datadog (New Relic / Dynatrace civil claims over hires)",
   "aliases": [
    "Datadog (New Relic / Dynatrace civil claims over hires)",
    "Datadog",
    "Datadog Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-DBN",
   "canonical_name": "DBN Group / Beijing Dabeinong Technology",
   "aliases": [
    "DBN Group / Beijing Dabeinong Technology",
    "DBN Group",
    "Beijing Dabeinong",
    "Dabeinong",
    "DBN"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-DJI",
   "canonical_name": "DJI / SZ DJI Technology (Textron $279M drone-patent verdict)",
   "aliases": [
    "DJI / SZ DJI Technology (Textron $279M drone-patent verdict)",
    "DJI",
    "SZ DJI Technology",
    "Da-Jiang Innovations",
    "\u5927\u7586"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-DOCUSIGN-ADOBE",
   "canonical_name": "DocuSign (Adobe Sign / Echosign civil non-compete claims)",
   "aliases": [
    "DocuSign (Adobe Sign / Echosign civil non-compete claims)",
    "DocuSign",
    "DocuSign Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-DONGFANG-JINGYUAN",
   "canonical_name": "Dongfang Jingyuan Electron (ASML software case)",
   "aliases": [
    "Dongfang Jingyuan Electron (ASML software case)",
    "Dongfang Jingyuan",
    "Dongfang Jingyuan Electron",
    "DJEL"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-DOORDASH-UBER",
   "canonical_name": "DoorDash (Uber Eats / Postmates trade-secret civil disputes)",
   "aliases": [
    "DoorDash (Uber Eats / Postmates trade-secret civil disputes)",
    "DoorDash",
    "DoorDash Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-EPIC-APPLE-2021",
   "canonical_name": "Epic Games v. Apple (US antitrust / civil)",
   "aliases": [
    "Epic Games v. Apple (US antitrust / civil)",
    "Epic v. Apple"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-EPIC-GOOGLE-2023",
   "canonical_name": "Epic Games v. Google (US antitrust jury verdict)",
   "aliases": [
    "Epic Games v. Google (US antitrust jury verdict)",
    "Epic v. Google"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-ERICSSON-NORTEL",
   "canonical_name": "Ericsson (Nortel Networks IP dispute)",
   "aliases": [
    "Ericsson (Nortel Networks IP dispute)",
    "Ericsson",
    "Ericsson Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "SE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-EVOBUS-BGH-2017",
   "canonical_name": "EvoBus / Daimler (Reisebusboerse, BGH I ZR 64/14)",
   "aliases": [
    "EvoBus / Daimler (Reisebusboerse, BGH I ZR 64/14)",
    "EvoBus trade-secret case"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-FOXCONN-APPLE",
   "canonical_name": "Hon Hai / Foxconn (Apple manufacturing-IP civil disputes)",
   "aliases": [
    "Hon Hai / Foxconn (Apple manufacturing-IP civil disputes)",
    "Foxconn",
    "Hon Hai",
    "Hon Hai Precision Industry",
    "\u9e3f\u6d77"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-FUJIAN-JINHUA",
   "canonical_name": "Fujian Jinhua Integrated Circuit (DRAM)",
   "aliases": [
    "Fujian Jinhua Integrated Circuit (DRAM)",
    "Fujian Jinhua",
    "Jinhua",
    "JHICC",
    "\u664b\u534e"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-GAC",
   "canonical_name": "GAC Group (Honda / Toyota JV-defection civil disputes)",
   "aliases": [
    "GAC Group (Honda / Toyota JV-defection civil disputes)",
    "GAC",
    "GAC Group",
    "Guangzhou Automobile"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-GEELY-WM",
   "canonical_name": "Geely Holding (WM Motor 2024 record damages plaintiff)",
   "aliases": [
    "Geely Holding (WM Motor 2024 record damages plaintiff)",
    "Geely",
    "Geely Holding",
    "Zhejiang Geely Holding"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-GOOGLE-CIVIL-DEFENDANT",
   "canonical_name": "Google LLC (civil insider-recruitment defendant)",
   "aliases": [
    "Google LLC (civil insider-recruitment defendant)",
    "Google",
    "Google LLC",
    "Alphabet"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-HESAI",
   "canonical_name": "Hesai Group (Velodyne / Ouster LiDAR civil disputes)",
   "aliases": [
    "Hesai Group (Velodyne / Ouster LiDAR civil disputes)",
    "Hesai",
    "Hesai Group",
    "Hesai Technology",
    "\u79be\u8d5b"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-HUAWEI",
   "canonical_name": "Huawei Technologies (multiple IP-theft cases)",
   "aliases": [
    "Huawei Technologies (multiple IP-theft cases)",
    "Huawei",
    "Huawei Technologies"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-HYTERA",
   "canonical_name": "Hytera Communications (Motorola DMR case)",
   "aliases": [
    "Hytera Communications (Motorola DMR case)",
    "Hytera",
    "Hytera Communications"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-INDRA-SISTEMAS",
   "canonical_name": "Indra Sistemas (Spanish defense civil IP disputes)",
   "aliases": [
    "Indra Sistemas (Spanish defense civil IP disputes)",
    "Indra",
    "Indra Sistemas SA"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "ES"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-INSTA360",
   "canonical_name": "Insta360 (DJI patent counter-suit 2026)",
   "aliases": [
    "Insta360 (DJI patent counter-suit 2026)",
    "Insta360",
    "Arashi Vision",
    "\u5f71\u77f3"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-INSTACART",
   "canonical_name": "Instacart (Maplebear) \u2014 DoorDash trade-secret civil dispute",
   "aliases": [
    "Instacart (Maplebear) \u2014 DoorDash trade-secret civil dispute",
    "Instacart",
    "Maplebear Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-INTEL-MICRON",
   "canonical_name": "Intel Corp. (Micron 2018-2020 NAND civil counter-claims)",
   "aliases": [
    "Intel Corp. (Micron 2018-2020 NAND civil counter-claims)",
    "Intel",
    "Intel Corporation"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-IQVIA",
   "canonical_name": "IQVIA Holdings (Veeva counter-claim defendant)",
   "aliases": [
    "IQVIA Holdings (Veeva counter-claim defendant)",
    "IQVIA",
    "IMS Health",
    "Quintiles IMS"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-KIA-FORD",
   "canonical_name": "Kia Corporation (Ford / Hyundai civil disputes)",
   "aliases": [
    "Kia Corporation (Ford / Hyundai civil disputes)",
    "Kia",
    "Kia Motors",
    "Kia Corporation"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-KLARNA-PAGAYA",
   "canonical_name": "Klarna Bank (Pagaya BNPL underwriting suit 2026)",
   "aliases": [
    "Klarna Bank (Pagaya BNPL underwriting suit 2026)",
    "Klarna",
    "Klarna Bank AB",
    "Klarna Group"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "SE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-LEONARDO-BAE",
   "canonical_name": "Leonardo S.p.A. (BAE / Lockheed civil defense-IP disputes)",
   "aliases": [
    "Leonardo S.p.A. (BAE / Lockheed civil defense-IP disputes)",
    "Leonardo",
    "Leonardo SpA",
    "Finmeccanica"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "IT"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-LG-ENERGY-SK",
   "canonical_name": "LG Energy Solution (SK Innovation 2019-2021 ITC $1.8B)",
   "aliases": [
    "LG Energy Solution (SK Innovation 2019-2021 ITC $1.8B)",
    "LG Energy Solution",
    "LG Chem",
    "LGES"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-LUCID-TESLA",
   "canonical_name": "Lucid Motors (Tesla engineer-recruitment suits)",
   "aliases": [
    "Lucid Motors (Tesla engineer-recruitment suits)",
    "Lucid",
    "Lucid Group",
    "Lucid Motors Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-LUFTHANSA-TECHNIK",
   "canonical_name": "Lufthansa Technik (Boeing IP dispute 2018-2020)",
   "aliases": [
    "Lufthansa Technik (Boeing IP dispute 2018-2020)",
    "Lufthansa Technik",
    "LHT"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-MEDALLIA-QUALTRICS",
   "canonical_name": "Qualtrics (Medallia trade-secret civil claim 2019)",
   "aliases": [
    "Qualtrics (Medallia trade-secret civil claim 2019)",
    "Qualtrics",
    "Qualtrics International Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-MEDIATEK-QUALCOMM",
   "canonical_name": "MediaTek Inc. (Qualcomm civil patent + non-compete disputes)",
   "aliases": [
    "MediaTek Inc. (Qualcomm civil patent + non-compete disputes)",
    "MediaTek",
    "MediaTek Inc",
    "\u806f\u767c\u79d1"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-MEGVII",
   "canonical_name": "Megvii Technology (Face++ \u2014 US Entity-Listed)",
   "aliases": [
    "Megvii Technology (Face++ \u2014 US Entity-Listed)",
    "Megvii",
    "Face++",
    "\u65f7\u89c6\u79d1\u6280"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-MERCEDES-NIO",
   "canonical_name": "Mercedes-Benz Group (NIO / BYD engineer-recruitment disputes)",
   "aliases": [
    "Mercedes-Benz Group (NIO / BYD engineer-recruitment disputes)",
    "Mercedes-Benz",
    "Daimler AG",
    "Mercedes-Benz Group AG"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-META-SNAP-ANTITRUST",
   "canonical_name": "Meta Platforms (Snap discovery dispute over rival documents)",
   "aliases": [
    "Meta Platforms (Snap discovery dispute over rival documents)",
    "Meta",
    "Facebook",
    "Meta Platforms Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-MICROSOFT-SALESFORCE",
   "canonical_name": "Microsoft Corp. (Salesforce / Slack engineer recruitment claims)",
   "aliases": [
    "Microsoft Corp. (Salesforce / Slack engineer recruitment claims)",
    "Microsoft",
    "Microsoft Corporation",
    "MSFT"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-NESTLE-FOOD-TECH",
   "canonical_name": "Nestl\u00e9 SA (food-technology civil non-compete disputes)",
   "aliases": [
    "Nestl\u00e9 SA (food-technology civil non-compete disputes)",
    "Nestle",
    "Nestl\u00e9",
    "Nestle SA"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CH"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 4,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-NIO",
   "canonical_name": "NIO Inc. (alleged Tesla / Apple engineer beneficiary)",
   "aliases": [
    "NIO Inc. (alleged Tesla / Apple engineer beneficiary)",
    "NIO",
    "NIO Inc",
    "\u851a\u6765"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-NOKIA-GEELY-5G",
   "canonical_name": "Geely Auto (Nokia 5G SEP suit UPC 2024)",
   "aliases": [
    "Geely Auto (Nokia 5G SEP suit UPC 2024)",
    "Geely",
    "Geely Auto",
    "Zhejiang Geely Holding"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-NOKIA-HUAWEI-2007",
   "canonical_name": "Nokia (Huawei engineer-recruitment dispute 2007)",
   "aliases": [
    "Nokia (Huawei engineer-recruitment dispute 2007)",
    "Nokia",
    "Nokia Networks",
    "Nokia Solutions"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FI"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-NVIDIA-VALEO",
   "canonical_name": "NVIDIA Corp. (Valeo source-code 2023 verdict)",
   "aliases": [
    "NVIDIA Corp. (Valeo source-code 2023 verdict)",
    "NVIDIA",
    "NVIDIA Corporation"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-OLAPLEX-LOREAL",
   "canonical_name": "L'Or\u00e9al SA (Olaplex 2019 trade-secret + patent verdict)",
   "aliases": [
    "L'Or\u00e9al SA (Olaplex 2019 trade-secret + patent verdict)",
    "L'Or\u00e9al",
    "Loreal",
    "L'Oreal USA"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-OPENAI-GOOGLE-DEEPMIND",
   "canonical_name": "OpenAI (Google / DeepMind researcher-defection civil claims)",
   "aliases": [
    "OpenAI (Google / DeepMind researcher-defection civil claims)",
    "OpenAI",
    "OpenAI LP"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-OPPO-NOKIA",
   "canonical_name": "OPPO (Nokia / InterDigital SEP defendants 2021-2023)",
   "aliases": [
    "OPPO (Nokia / InterDigital SEP defendants 2021-2023)",
    "OPPO",
    "Guangdong Oppo Mobile",
    "OPPO Mobile"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-PALANTIR",
   "canonical_name": "Palantir Technologies (i2 Group trade-secret 2010-2013)",
   "aliases": [
    "Palantir Technologies (i2 Group trade-secret 2010-2013)",
    "Palantir",
    "Palantir Technologies Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-PANGANG",
   "canonical_name": "Pangang Group (TiO2 chloride-route beneficiary)",
   "aliases": [
    "Pangang Group (TiO2 chloride-route beneficiary)",
    "Pangang",
    "Pangang Group",
    "\u6500\u94a2\u96c6\u56e2"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-PEGATRON",
   "canonical_name": "Pegatron Corp. (Apple / Foxconn civil cross-disputes)",
   "aliases": [
    "Pegatron Corp. (Apple / Foxconn civil cross-disputes)",
    "Pegatron",
    "Pegatron Corporation",
    "\u548c\u78a9"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-PINTEREST-FACEBOOK",
   "canonical_name": "Pinterest (Facebook / Twitter civil non-compete claims)",
   "aliases": [
    "Pinterest (Facebook / Twitter civil non-compete claims)",
    "Pinterest",
    "Pinterest Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-PIRELLI-CONTI-2013",
   "canonical_name": "Pirelli (Continental tire-pattern dispute)",
   "aliases": [
    "Pirelli (Continental tire-pattern dispute)",
    "Pirelli",
    "Pirelli & C SpA"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "IT"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-PIRELLI-MICHELIN",
   "canonical_name": "Pirelli & C. SpA (Michelin / Bridgestone civil disputes)",
   "aliases": [
    "Pirelli & C. SpA (Michelin / Bridgestone civil disputes)",
    "Pirelli",
    "Pirelli & C SpA"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "IT"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-PONY-AI",
   "canonical_name": "Pony.ai (alleged Waymo / Apple engineer beneficiary)",
   "aliases": [
    "Pony.ai (alleged Waymo / Apple engineer beneficiary)",
    "Pony.ai",
    "Pony AI Inc",
    "\u5c0f\u9a6c\u667a\u884c"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-QUANERGY-VELODYNE",
   "canonical_name": "Quanergy Systems (Velodyne LiDAR 2016 cross-suits)",
   "aliases": [
    "Quanergy Systems (Velodyne LiDAR 2016 cross-suits)",
    "Quanergy",
    "Quanergy Systems Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-RENTECH-MILLENNIUM",
   "canonical_name": "Millennium Partners (Renaissance Technologies trade-secret 2003)",
   "aliases": [
    "Millennium Partners (Renaissance Technologies trade-secret 2003)",
    "Millennium",
    "Millennium Management",
    "Millennium Partners"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-RIVIAN-TESLA-2020",
   "canonical_name": "Rivian Automotive (Tesla 2020 trade-secret civil suit)",
   "aliases": [
    "Rivian Automotive (Tesla 2020 trade-secret civil suit)",
    "Rivian",
    "Rivian Automotive Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-ROBINHOOD-CITADEL-HFT",
   "canonical_name": "Robinhood Markets (Citadel and IEX HFT-engineer civil claims)",
   "aliases": [
    "Robinhood Markets (Citadel and IEX HFT-engineer civil claims)",
    "Robinhood",
    "Robinhood Markets Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SAAB-DEFENSE",
   "canonical_name": "Saab AB (Swedish defense civil IP cross-claims)",
   "aliases": [
    "Saab AB (Swedish defense civil IP cross-claims)",
    "Saab",
    "Saab AB",
    "Saab Defense"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "SE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SAIC",
   "canonical_name": "SAIC Motor (Volkswagen / GM JV-defection civil disputes)",
   "aliases": [
    "SAIC Motor (Volkswagen / GM JV-defection civil disputes)",
    "SAIC",
    "SAIC Motor",
    "\u4e0a\u6c7d\u96c6\u56e2"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SAMSUNG-SDI",
   "canonical_name": "Samsung SDI (LG Chem / CATL civil disputes)",
   "aliases": [
    "Samsung SDI (LG Chem / CATL civil disputes)",
    "Samsung SDI",
    "Samsung SDI Co Ltd"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SAP",
   "canonical_name": "SAP (TomorrowNow / Oracle case)",
   "aliases": [
    "SAP (TomorrowNow / Oracle case)",
    "SAP",
    "SAP AG",
    "TomorrowNow"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SCHAEFFLER-CONTI",
   "canonical_name": "Schaeffler Group (Continental takeover insider-trading)",
   "aliases": [
    "Schaeffler Group (Continental takeover insider-trading)",
    "Schaeffler",
    "Schaeffler AG",
    "Schaeffler Group"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SCHNEIDER-2018",
   "canonical_name": "Schneider Electric ex-engineers criminal conviction (France 2018)",
   "aliases": [
    "Schneider Electric ex-engineers criminal conviction (France 2018)",
    "Schneider Electric trade-secret"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SENSETIME",
   "canonical_name": "SenseTime Group (US Entity-Listed AI vendor)",
   "aliases": [
    "SenseTime Group (US Entity-Listed AI vendor)",
    "SenseTime",
    "\u5546\u6c64\u79d1\u6280",
    "SenseTime Group Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SENTINELONE-CYLANCE",
   "canonical_name": "SentinelOne (Cylance / BlackBerry civil claims)",
   "aliases": [
    "SentinelOne (Cylance / BlackBerry civil claims)",
    "SentinelOne",
    "SentinelOne Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SERVICENOW-BMC",
   "canonical_name": "ServiceNow (BMC Software trade-secret civil disputes)",
   "aliases": [
    "ServiceNow (BMC Software trade-secret civil disputes)",
    "ServiceNow",
    "ServiceNow Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SIEMENS-WESTINGHOUSE",
   "canonical_name": "Siemens Energy (Westinghouse turbine-disc dispute 2019)",
   "aliases": [
    "Siemens Energy (Westinghouse turbine-disc dispute 2019)",
    "Siemens Energy",
    "Siemens AG"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SINOVEL",
   "canonical_name": "Sinovel Wind Group (American Superconductor case)",
   "aliases": [
    "Sinovel Wind Group (American Superconductor case)",
    "Sinovel",
    "Sinovel Wind Group"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SK-INNOVATION",
   "canonical_name": "SK Innovation (LG Chem 2019-2021 ITC defendant)",
   "aliases": [
    "SK Innovation (LG Chem 2019-2021 ITC defendant)",
    "SK Innovation",
    "SK On",
    "SKI"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SNAP-APPLE-VISION",
   "canonical_name": "Snap Inc. (Apple Vision Pro defendant 2025-2026)",
   "aliases": [
    "Snap Inc. (Apple Vision Pro defendant 2025-2026)",
    "Snap",
    "Snap Inc.",
    "Snapchat"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SNOWFLAKE-TERADATA",
   "canonical_name": "Snowflake (Teradata civil claims over engineer defections)",
   "aliases": [
    "Snowflake (Teradata civil claims over engineer defections)",
    "Snowflake",
    "Snowflake Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-SPOTIFY-VOXTONEPRO",
   "canonical_name": "Spotify Technology (VoxTonePRO/Mujae 2020 trade-secret)",
   "aliases": [
    "Spotify Technology (VoxTonePRO/Mujae 2020 trade-secret)",
    "Spotify",
    "Spotify Technology SA"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "SE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-STELLANTIS-RENAULT",
   "canonical_name": "Stellantis NV (Renault / PSA legacy civil engineer disputes)",
   "aliases": [
    "Stellantis NV (Renault / PSA legacy civil engineer disputes)",
    "Stellantis",
    "Stellantis NV",
    "PSA Group"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-TANIUM",
   "canonical_name": "Tanium Inc. (McAfee customer-list dispute)",
   "aliases": [
    "Tanium Inc. (McAfee customer-list dispute)",
    "Tanium",
    "Tanium Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-TATA-TCS",
   "canonical_name": "Tata Consultancy Services (Epic Systems case)",
   "aliases": [
    "Tata Consultancy Services (Epic Systems case)",
    "Tata Consultancy Services",
    "TCS",
    "Tata Consulting"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "IN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-THALES-DEFENSE",
   "canonical_name": "Thales Group (Atos / Safran civil defense-IP disputes)",
   "aliases": [
    "Thales Group (Atos / Safran civil defense-IP disputes)",
    "Thales",
    "Thales SA",
    "Thales Group"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-TIANMA",
   "canonical_name": "Tianma Microelectronics",
   "aliases": [
    "Tianma",
    "Tianma Microelectronics",
    "\u5929\u9a6c"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-TOMTOM-MICROSOFT-NAV",
   "canonical_name": "TomTom NV (Microsoft FAT32 / GPS patent dispute 2009)",
   "aliases": [
    "TomTom NV (Microsoft FAT32 / GPS patent dispute 2009)",
    "TomTom",
    "TomTom NV",
    "TomTom International"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-TSMC-GLOBALFOUNDRIES",
   "canonical_name": "TSMC (GlobalFoundries 2019 patent cross-suits)",
   "aliases": [
    "TSMC (GlobalFoundries 2019 patent cross-suits)",
    "TSMC",
    "Taiwan Semiconductor Manufacturing",
    "\u53f0\u7a4d\u96fb"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-TWILIO-SENDGRID",
   "canonical_name": "Twilio (Bandwidth / Vonage civil claims after SendGrid)",
   "aliases": [
    "Twilio (Bandwidth / Vonage civil claims after SendGrid)",
    "Twilio",
    "Twilio Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-TWO-SIGMA",
   "canonical_name": "Two Sigma Investments (alumni trade-secret civil disputes)",
   "aliases": [
    "Two Sigma Investments (alumni trade-secret civil disputes)",
    "Two Sigma",
    "Two Sigma Investments LP"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-UBER",
   "canonical_name": "Uber Technologies (Waymo IP-theft beneficiary)",
   "aliases": [
    "Uber Technologies (Waymo IP-theft beneficiary)",
    "Uber",
    "Uber Technologies",
    "Otto Motors"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-UMC-OTHER",
   "canonical_name": "UMC (post-Jinhua semiconductor civil disputes)",
   "aliases": [
    "UMC (post-Jinhua semiconductor civil disputes)",
    "UMC",
    "United Microelectronics",
    "\u806f\u83ef\u96fb\u5b50"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-UNILEVER-NESTLE",
   "canonical_name": "Unilever PLC (Nestl\u00e9 / P&G civil disputes)",
   "aliases": [
    "Unilever PLC (Nestl\u00e9 / P&G civil disputes)",
    "Unilever",
    "Unilever PLC",
    "Unilever NV"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "GB"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-VEEVA-IQVIA",
   "canonical_name": "Veeva Systems (IQVIA trade-secret 2017-2025)",
   "aliases": [
    "Veeva Systems (IQVIA trade-secret 2017-2025)",
    "Veeva",
    "Veeva Systems Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-VELODYNE-OUSTER",
   "canonical_name": "Velodyne LiDAR / Ouster Inc. (multiple IP disputes)",
   "aliases": [
    "Velodyne LiDAR / Ouster Inc. (multiple IP disputes)",
    "Velodyne",
    "Velodyne Lidar",
    "Ouster",
    "Ouster Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-VOLKSWAGEN-LOPEZ",
   "canonical_name": "Volkswagen AG (L\u00f3pez/GM 1993 case)",
   "aliases": [
    "Volkswagen AG (L\u00f3pez/GM 1993 case)",
    "Volkswagen",
    "VW",
    "Volkswagen AG"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-WAYMO-UBER-CIVIL-2017",
   "canonical_name": "Waymo v. Uber (civil trade-secret, US)",
   "aliases": [
    "Waymo v. Uber (civil trade-secret, US)",
    "Waymo v. Uber"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-WERIDE",
   "canonical_name": "WeRide (alleged Apple / Waymo engineer beneficiary)",
   "aliases": [
    "WeRide (alleged Apple / Waymo engineer beneficiary)",
    "WeRide",
    "WeRide.ai",
    "\u6587\u8fdc\u77e5\u884c"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-WISTRON",
   "canonical_name": "Wistron Corp. (Apple / Compal civil disputes)",
   "aliases": [
    "Wistron Corp. (Apple / Compal civil disputes)",
    "Wistron",
    "Wistron Corporation",
    "\u7def\u5275"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-WM-MOTOR",
   "canonical_name": "WM Motor (Geely 2024 SPC trade-secret defendant)",
   "aliases": [
    "WM Motor (Geely 2024 SPC trade-secret defendant)",
    "WM Motor",
    "Weltmeister",
    "\u5a01\u9a6c\u6c7d\u8f66"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-WORKDAY-ORACLE",
   "canonical_name": "Workday (Oracle HCM civil claims)",
   "aliases": [
    "Workday (Oracle HCM civil claims)",
    "Workday",
    "Workday Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-XPENG",
   "canonical_name": "XPeng Motors (XMotors \u2014 Apple autonomous beneficiary)",
   "aliases": [
    "XPeng Motors (XMotors \u2014 Apple autonomous beneficiary)",
    "XPeng",
    "XPeng Motors",
    "XMotors",
    "Xpeng Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-YMTC",
   "canonical_name": "Yangtze Memory Technologies (YMTC)",
   "aliases": [
    "Yangtze Memory Technologies (YMTC)",
    "YMTC",
    "Yangtze Memory",
    "Yangtze Memory Technologies",
    "\u957f\u6c5f\u5b58\u50a8"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-ZOOM-CISCO-WEBEX",
   "canonical_name": "Zoom Video Communications (Cisco WebEx civil claims)",
   "aliases": [
    "Zoom Video Communications (Cisco WebEx civil claims)",
    "Zoom",
    "Zoom Video Communications Inc"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "COMP-ZTE-NOKIA",
   "canonical_name": "ZTE Corporation (Nokia / Ericsson SEP cross-disputes)",
   "aliases": [
    "ZTE Corporation (Nokia / Ericsson SEP cross-disputes)",
    "ZTE",
    "ZTE Corporation",
    "\u4e2d\u5174"
   ],
   "category": "competitor",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G0001",
   "canonical_name": "Axiom",
   "aliases": [
    "Axiom",
    "Group 72"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 22,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK states Axiom has targeted the aerospace sector since at least 2008 (Citation: Kaspersky Winnti April 2013).",
     "source": "Kaspersky Winnti April 2013"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states Axiom has targeted the defense sector since at least 2008 (Citation: Novetta Winnti April 2015).",
     "source": "Novetta Winnti April 2015"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK states Axiom has targeted the government sector since at least 2008 (Citation: Cisco Group 72).",
     "source": "Cisco Group 72"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK states Axiom has targeted the manufacturing sector since at least 2008 (Citation: Group 72).",
     "source": "Group 72"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK states Axiom has targeted the media sector since at least 2008 (Citation: Kaspersky Winnti June 2015).",
     "source": "Kaspersky Winnti June 2015"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0001",
   "cve_ids": [],
   "technique_ids": [
    "T1001",
    "T1003",
    "T1005",
    "T1021",
    "T1078",
    "T1189",
    "T1190",
    "T1203",
    "T1546",
    "T1553",
    "T1560",
    "T1563",
    "T1566",
    "T1583",
    "T1584"
   ],
   "subtechnique_ids": [
    "T1001.002",
    "T1021.001",
    "T1546.008",
    "T1563.002",
    "T1583.002",
    "T1583.003",
    "T1584.005"
   ]
  },
  {
   "actor_id": "G0002",
   "canonical_name": "Moafee",
   "aliases": [
    "Moafee"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 2,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0002",
   "cve_ids": [],
   "technique_ids": [
    "T1027"
   ],
   "subtechnique_ids": [
    "T1027.001"
   ]
  },
  {
   "actor_id": "G0003",
   "canonical_name": "Cleaver",
   "aliases": [
    "Cleaver",
    "Threat Group 2889",
    "TG-2889",
    "Operation Cleaver",
    "Op Cleaver",
    "Tarh Andishan",
    "Alibaba",
    "Cobalt Gypsy",
    "G0003"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 10,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0003",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1557",
    "T1585",
    "T1587",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1557.002",
    "T1585.001",
    "T1587.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0004",
   "canonical_name": "Ke3chang",
   "aliases": [
    "Ke3chang",
    "APT15",
    "Mirage",
    "Vixen Panda",
    "GREF",
    "Playful Dragon",
    "RoyalAPT",
    "NICKEL",
    "Nylon Typhoon",
    "Metushy",
    "Lurid",
    "Social Network Team",
    "Royal APT",
    "BRONZE PALACE",
    "BRONZE DAVENPORT",
    "BRONZE IDLEWOOD",
    "G0004",
    "Red Vulture"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 63,
   "idf_score": 3.192,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK description states Ke3chang targeted oil, citing Mandiant Operation Ke3chang November 2014.",
     "source": "Mandiant Operation Ke3chang November 2014"
    },
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states Ke3chang targeted government, citing Mandiant Operation Ke3chang November 2014.",
     "source": "Mandiant Operation Ke3chang November 2014"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Ke3chang targeted military, citing Mandiant Operation Ke3chang November 2014.",
     "source": "Mandiant Operation Ke3chang November 2014"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "MITRE ATT&CK description states Ke3chang targeted diplomatic entities, citing Mandiant Operation Ke3chang November 2014.",
     "source": "Mandiant Operation Ke3chang November 2014"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0004",
   "cve_ids": [
    "CVE-2026-21236"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1016",
    "T1018",
    "T1020",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1049",
    "T1056",
    "T1057",
    "T1059",
    "T1069",
    "T1071",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1105",
    "T1114",
    "T1119",
    "T1133",
    "T1140",
    "T1190",
    "T1213",
    "T1543",
    "T1547",
    "T1558",
    "T1560",
    "T1569",
    "T1583",
    "T1587",
    "T1588",
    "T1614"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.003",
    "T1003.004",
    "T1021.002",
    "T1036.002",
    "T1036.005",
    "T1056.001",
    "T1059.003",
    "T1069.002",
    "T1071.001",
    "T1071.004",
    "T1078.004",
    "T1087.001",
    "T1087.002",
    "T1114.002",
    "T1213.002",
    "T1543.003",
    "T1547.001",
    "T1558.001",
    "T1560.001",
    "T1569.002",
    "T1583.005",
    "T1587.001",
    "T1588.002",
    "T1614.001"
   ]
  },
  {
   "actor_id": "G0005",
   "canonical_name": "APT12",
   "aliases": [
    "APT12",
    "IXESHE",
    "DynCalc",
    "Numbered Panda",
    "DNSCALC"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 9,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "511",
     "label": "Publishing Industries (Including Software)",
     "evidence": "MITRE ATT&CK description (citing Meyers Numbered Panda) states APT12 targeted media outlets.",
     "source": "Meyers Numbered Panda"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK description (citing Meyers Numbered Panda) states APT12 targeted high-tech companies.",
     "source": "Meyers Numbered Panda"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description (citing Meyers Numbered Panda) states APT12 targeted multiple governments.",
     "source": "Meyers Numbered Panda"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0005",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1102",
    "T1203",
    "T1204",
    "T1566",
    "T1568"
   ],
   "subtechnique_ids": [
    "T1102.002",
    "T1204.002",
    "T1566.001",
    "T1568.003"
   ]
  },
  {
   "actor_id": "G0006",
   "canonical_name": "APT1",
   "aliases": [
    "APT1",
    "Comment Crew",
    "Comment Group",
    "Comment Panda",
    "PLA Unit 61398",
    "Byzantine Candor",
    "Group 3",
    "TG-8223",
    "Brown Fox",
    "GIF89a",
    "ShadyRAT",
    "G0006"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "PLA",
    "unit": "Unit 61398"
   },
   "cve_count": 2,
   "technique_count": 36,
   "idf_score": 4.422,
   "exclusive_cve_count": 0,
   "active_year_min": 2017,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "Mandiant APT1 report details systematic compromise of computer/electronics manufacturers for IP theft across 141 victims.",
     "source": "Mandiant APT1"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "Mandiant APT1 report explicitly lists aerospace manufacturers among the 20 industries repeatedly targeted by Unit 61398.",
     "source": "Mandiant APT1"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Mandiant APT1 report documents repeated intrusions against telecommunications providers for network access and data exfiltration.",
     "source": "Mandiant APT1"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Mandiant APT1 report cites targeting of software publishers to steal source code and product designs.",
     "source": "Mandiant APT1"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0006",
   "cve_ids": [
    "CVE-2017-6328",
    "CVE-2020-6789"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1016",
    "T1021",
    "T1036",
    "T1049",
    "T1057",
    "T1059",
    "T1087",
    "T1114",
    "T1119",
    "T1135",
    "T1550",
    "T1560",
    "T1566",
    "T1583",
    "T1584",
    "T1585",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1036.005",
    "T1059.003",
    "T1087.001",
    "T1114.001",
    "T1114.002",
    "T1550.002",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1583.001",
    "T1584.001",
    "T1585.002",
    "T1588.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0007",
   "canonical_name": "APT28",
   "aliases": [
    "APT28",
    "IRON TWILIGHT",
    "SNAKEMACKEREL",
    "Swallowtail",
    "Group 74",
    "Sednit",
    "Sofacy",
    "Pawn Storm",
    "Fancy Bear",
    "STRONTIUM",
    "Tsar Team",
    "Threat Group-4127",
    "TG-4127",
    "Forest Blizzard",
    "FROZENLAKE",
    "GruesomeLarch",
    "SIG40",
    "Grizzly Steppe",
    "G0007",
    "ATK5",
    "Fighting Ursa",
    "ITG05",
    "Blue Athena",
    "TA422",
    "T-APT-12",
    "APT-C-20",
    "UAC-0028",
    "UAC-0001",
    "BlueDelta"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "GRU",
    "unit": "Unit 26165"
   },
   "cve_count": 1,
   "technique_count": 129,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "US District Court Indictment GRU Oct 2018 details APT28 operations against a US nuclear facility.",
     "source": "US District Court Indictment GRU Oct 2018"
    },
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "Crowdstrike DNC June 2016 reports APT28 compromise of DNC and Democratic Congressional Campaign Committee.",
     "source": "Crowdstrike DNC June 2016"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "US District Court Indictment GRU Oct 2018 details APT28 operations against OPCW and Spiez Swiss Chemicals Laboratory.",
     "source": "US District Court Indictment GRU Oct 2018"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 7,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0007",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1001",
    "T1003",
    "T1005",
    "T1014",
    "T1021",
    "T1025",
    "T1027",
    "T1030",
    "T1036",
    "T1037",
    "T1039",
    "T1040",
    "T1048",
    "T1056",
    "T1057",
    "T1059",
    "T1068",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1083",
    "T1090",
    "T1091",
    "T1092",
    "T1098",
    "T1102",
    "T1105",
    "T1110",
    "T1113",
    "T1114",
    "T1119",
    "T1120",
    "T1133",
    "T1134",
    "T1137",
    "T1140",
    "T1189",
    "T1190",
    "T1199",
    "T1203",
    "T1204",
    "T1210",
    "T1211",
    "T1213",
    "T1218",
    "T1221",
    "T1498",
    "T1505",
    "T1528",
    "T1542",
    "T1546",
    "T1547",
    "T1550",
    "T1557",
    "T1559",
    "T1560",
    "T1564",
    "T1566",
    "T1567",
    "T1573",
    "T1583",
    "T1584",
    "T1586",
    "T1588",
    "T1589",
    "T1591",
    "T1595",
    "T1596",
    "T1598",
    "T1669",
    "T1684",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1001.001",
    "T1003.001",
    "T1003.003",
    "T1021.002",
    "T1027.013",
    "T1036.005",
    "T1037.001",
    "T1048.002",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1071.003",
    "T1074.001",
    "T1074.002",
    "T1078.004",
    "T1090.002",
    "T1090.003",
    "T1098.002",
    "T1102.002",
    "T1110.001",
    "T1110.003",
    "T1114.002",
    "T1134.001",
    "T1137.002",
    "T1204.001",
    "T1204.002",
    "T1213.002",
    "T1218.011",
    "T1505.003",
    "T1542.003",
    "T1546.015",
    "T1547.001",
    "T1550.001",
    "T1550.002",
    "T1557.004",
    "T1559.002",
    "T1560.001",
    "T1564.001",
    "T1564.003",
    "T1566.001",
    "T1573.001",
    "T1583.001",
    "T1583.003",
    "T1583.006",
    "T1584.008",
    "T1586.002",
    "T1588.002",
    "T1588.007",
    "T1589.001",
    "T1595.002",
    "T1598.003",
    "T1684.001",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0008",
   "canonical_name": "Carbanak",
   "aliases": [
    "Carbanak",
    "Anunak",
    "FIN7",
    "CARBON SPIDER",
    "GOLD NIAGARA",
    "Calcium",
    "ATK32",
    "G0046",
    "G0008",
    "Coreid",
    "Sangria Tempest",
    "ELBRUS",
    "JokerStash"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 14,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "MITRE ATT&CK description states Carbanak has targeted financial institutions since at least 2013 (Kaspersky Carbanak).",
     "source": "Kaspersky Carbanak"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0008",
   "cve_ids": [],
   "technique_ids": [
    "T1036",
    "T1078",
    "T1102",
    "T1218",
    "T1219",
    "T1543",
    "T1588",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1036.004",
    "T1036.005",
    "T1102.002",
    "T1218.011",
    "T1543.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0009",
   "canonical_name": "Deep Panda",
   "aliases": [
    "Deep Panda",
    "Shell Crew",
    "WebMasters",
    "KungFu Kittens",
    "PinkPanther",
    "Black Vine",
    "APT19",
    "Codoso",
    "TEMP.Avengers",
    "Group 13",
    "BRONZE FIRESTONE",
    "G0009",
    "G0073",
    "Pupa",
    "Sunshop Group",
    "Checkered Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 2,
   "technique_count": 17,
   "idf_score": 4.422,
   "exclusive_cve_count": 0,
   "active_year_min": 2017,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states Deep Panda targets government and defense (Alperovitch 2014).",
     "source": "Alperovitch 2014"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK states Deep Panda targets financial sector (Alperovitch 2014).",
     "source": "Alperovitch 2014"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK states Deep Panda targets telecommunications (Alperovitch 2014).",
     "source": "Alperovitch 2014"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK attributes Anthem healthcare intrusion to Deep Panda (ThreatConnect Anthem).",
     "source": "ThreatConnect Anthem"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [
    [
     "application",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0009",
   "cve_ids": [
    "CVE-2017-6328",
    "CVE-2020-6789"
   ],
   "technique_ids": [
    "T1018",
    "T1021",
    "T1027",
    "T1047",
    "T1057",
    "T1059",
    "T1218",
    "T1505",
    "T1546",
    "T1564"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1027.005",
    "T1059.001",
    "T1218.010",
    "T1505.003",
    "T1546.008",
    "T1564.003"
   ]
  },
  {
   "actor_id": "G0010",
   "canonical_name": "Turla",
   "aliases": [
    "Turla",
    "IRON HUNTER",
    "Group 88",
    "Waterbug",
    "WhiteBear",
    "Snake",
    "Krypton",
    "Venomous Bear",
    "Secret Blizzard",
    "BELUGASTURGEON",
    "WRAITH",
    "Uroburos",
    "Pfinet",
    "TAG_0530",
    "Hippo Team",
    "Pacifier APT",
    "Popeye",
    "SIG23",
    "MAKERSMARK",
    "ATK13",
    "G0010",
    "ITG12",
    "Blue Python",
    "SUMMIT",
    "UNC4210",
    "UAC-0144",
    "UAC-0024",
    "UAC-0003"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "FSB",
    "unit": "Center 16"
   },
   "cve_count": 0,
   "technique_count": 92,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK notes Turla compromised military and national security victims (Kaspersky Turla).",
     "source": "Kaspersky Turla"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK notes Turla compromised government victims (ESET Gazer Aug 2017).",
     "source": "ESET Gazer Aug 2017"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK notes Turla compromised education victims (CrowdStrike VENOMOUS BEAR).",
     "source": "CrowdStrike VENOMOUS BEAR"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK notes Turla compromised research victims (ESET Turla Mosquito Jan 2018).",
     "source": "ESET Turla Mosquito Jan 2018"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK notes Turla compromised pharmaceutical victims (Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023).",
     "source": "Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023"
    },
    {
     "naics": "3391",
     "label": "Medical Equipment & Supplies",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0010",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1007",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1025",
    "T1027",
    "T1036",
    "T1049",
    "T1055",
    "T1057",
    "T1059",
    "T1068",
    "T1069",
    "T1071",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1102",
    "T1105",
    "T1106",
    "T1110",
    "T1112",
    "T1120",
    "T1124",
    "T1134",
    "T1140",
    "T1189",
    "T1201",
    "T1204",
    "T1213",
    "T1518",
    "T1546",
    "T1547",
    "T1553",
    "T1555",
    "T1560",
    "T1564",
    "T1566",
    "T1567",
    "T1570",
    "T1583",
    "T1584",
    "T1587",
    "T1588",
    "T1615",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1016.001",
    "T1021.002",
    "T1027.005",
    "T1027.010",
    "T1027.011",
    "T1036.005",
    "T1055.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1059.007",
    "T1069.001",
    "T1069.002",
    "T1071.001",
    "T1071.003",
    "T1078.003",
    "T1087.001",
    "T1087.002",
    "T1090.001",
    "T1102.002",
    "T1134.002",
    "T1204.001",
    "T1213.006",
    "T1518.001",
    "T1546.003",
    "T1546.013",
    "T1547.001",
    "T1547.004",
    "T1553.006",
    "T1555.004",
    "T1560.001",
    "T1564.012",
    "T1566.002",
    "T1567.002",
    "T1583.006",
    "T1584.003",
    "T1584.004",
    "T1584.006",
    "T1587.001",
    "T1588.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0011",
   "canonical_name": "PittyTiger",
   "aliases": [
    "PittyTiger",
    "APT24",
    "PITTY PANDA",
    "G0011",
    "Temp.Pittytiger"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 3,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0011",
   "cve_ids": [],
   "technique_ids": [
    "T1078",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0012",
   "canonical_name": "Darkhotel",
   "aliases": [
    "Darkhotel",
    "DUBNIUM",
    "Zigzag Hail",
    "Fallout Team",
    "Karba",
    "Luder",
    "Nemim",
    "Nemin",
    "Tapaoux",
    "Pioneer",
    "Shadow Crane",
    "APT-C-06",
    "SIG25",
    "TUNGSTEN BRIDGE",
    "T-APT-02",
    "G0012",
    "ATK52"
   ],
   "category": "state",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 34,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0012",
   "cve_ids": [],
   "technique_ids": [
    "T1016",
    "T1027",
    "T1036",
    "T1056",
    "T1057",
    "T1059",
    "T1080",
    "T1082",
    "T1083",
    "T1091",
    "T1105",
    "T1124",
    "T1140",
    "T1189",
    "T1203",
    "T1204",
    "T1497",
    "T1518",
    "T1547",
    "T1553",
    "T1566",
    "T1573"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1036.005",
    "T1056.001",
    "T1059.003",
    "T1204.002",
    "T1497.001",
    "T1497.002",
    "T1518.001",
    "T1547.001",
    "T1553.002",
    "T1566.001",
    "T1573.001"
   ]
  },
  {
   "actor_id": "G0013",
   "canonical_name": "APT30",
   "aliases": [
    "APT30"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 4,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0013",
   "cve_ids": [],
   "technique_ids": [
    "T1204",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1204.002",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0016",
   "canonical_name": "APT29",
   "aliases": [
    "APT29",
    "IRON RITUAL",
    "IRON HEMLOCK",
    "NobleBaron",
    "Dark Halo",
    "NOBELIUM",
    "UNC2452",
    "YTTRIUM",
    "The Dukes",
    "Cozy Bear",
    "CozyDuke",
    "SolarStorm",
    "Blue Kitsune",
    "UNC3524",
    "Midnight Blizzard",
    "Group 100",
    "Minidionis",
    "SeaDuke",
    "Grizzly Steppe",
    "G0016",
    "ATK7",
    "Cloaked Ursa",
    "TA421",
    "ITG11",
    "BlueBravo",
    "UAC-0029"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "SVR"
   },
   "cve_count": 3,
   "technique_count": 96,
   "idf_score": 9.134,
   "exclusive_cve_count": 1,
   "active_year_min": 2010,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK profile states APT29 targets government networks in Europe and NATO countries (citing GRIZZLY STEPPE JAR and Crowdstrike DNC June 2016).",
     "source": "GRIZZLY STEPPE JAR"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK profile states APT29 targets research institutes and think tanks (citing F-Secure The Dukes).",
     "source": "F-Secure The Dukes"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [
    [
     "microsoft",
     2
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0016",
   "cve_ids": [
    "CVE-2010-0232",
    "CVE-2020-8554",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1021",
    "T1027",
    "T1036",
    "T1037",
    "T1047",
    "T1053",
    "T1059",
    "T1068",
    "T1070",
    "T1078",
    "T1087",
    "T1090",
    "T1098",
    "T1105",
    "T1110",
    "T1114",
    "T1133",
    "T1136",
    "T1190",
    "T1199",
    "T1203",
    "T1204",
    "T1218",
    "T1505",
    "T1528",
    "T1546",
    "T1547",
    "T1548",
    "T1550",
    "T1553",
    "T1556",
    "T1566",
    "T1568",
    "T1573",
    "T1583",
    "T1586",
    "T1587",
    "T1588",
    "T1595",
    "T1621",
    "T1649",
    "T1651",
    "T1665",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1003.004",
    "T1016.001",
    "T1021.007",
    "T1027.001",
    "T1027.002",
    "T1027.006",
    "T1036.005",
    "T1037.004",
    "T1053.005",
    "T1059.001",
    "T1059.006",
    "T1059.009",
    "T1070.004",
    "T1070.006",
    "T1078.003",
    "T1078.004",
    "T1087.004",
    "T1090.002",
    "T1090.003",
    "T1090.004",
    "T1098.002",
    "T1098.005",
    "T1110.001",
    "T1110.003",
    "T1114.002",
    "T1136.003",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1505.003",
    "T1546.003",
    "T1546.008",
    "T1547.001",
    "T1548.002",
    "T1550.003",
    "T1553.005",
    "T1556.007",
    "T1566.001",
    "T1566.002",
    "T1566.003",
    "T1583.006",
    "T1586.002",
    "T1586.003",
    "T1587.001",
    "T1587.003",
    "T1588.002",
    "T1595.002",
    "T1685.002"
   ]
  },
  {
   "actor_id": "G0017",
   "canonical_name": "DragonOK",
   "aliases": [
    "DragonOK",
    "Moafee",
    "BRONZE OVERBROOK",
    "G0017",
    "G0002",
    "Shallow Taurus"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0017",
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G0018",
   "canonical_name": "admin@338",
   "aliases": [
    "admin@338",
    "TEMPER PANDA",
    "Admin338",
    "Team338",
    "MAGNESIUM",
    "G0018"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 18,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK states admin@338 primarily targeted organizations involved in financial, economic, and trade policy (Citation: FireEye admin@338).",
     "source": "FireEye admin@338"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0018",
   "cve_ids": [],
   "technique_ids": [
    "T1007",
    "T1016",
    "T1036",
    "T1049",
    "T1059",
    "T1069",
    "T1082",
    "T1083",
    "T1087",
    "T1203",
    "T1204",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1059.003",
    "T1069.001",
    "T1087.001",
    "T1204.002",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0019",
   "canonical_name": "Naikon",
   "aliases": [
    "Naikon",
    "PLA Unit 78020",
    "OVERRIDE PANDA",
    "Camerashy",
    "BRONZE GENEVA",
    "G0019",
    "BRONZE STERLING",
    "G0013"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 23,
   "idf_score": 2.681,
   "exclusive_cve_count": 0,
   "active_year_min": 2010,
   "active_year_max": 2022,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "Naikon targeted government organizations in Southeast Asia (Baumgartner Naikon 2015).",
     "source": "Baumgartner Naikon 2015"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Naikon targeted military organizations in Southeast Asia (Baumgartner Naikon 2015).",
     "source": "Baumgartner Naikon 2015"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "Naikon targeted UNDP and ASEAN (Baumgartner Naikon 2015).",
     "source": "Baumgartner Naikon 2015"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 2,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0019",
   "cve_ids": [
    "CVE-2010-3333"
   ],
   "technique_ids": [
    "T1016",
    "T1018",
    "T1036",
    "T1046",
    "T1047",
    "T1053",
    "T1078",
    "T1137",
    "T1204",
    "T1518",
    "T1547",
    "T1566",
    "T1574"
   ],
   "subtechnique_ids": [
    "T1036.004",
    "T1036.005",
    "T1053.005",
    "T1078.002",
    "T1137.006",
    "T1204.002",
    "T1518.001",
    "T1547.001",
    "T1566.001",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G0020",
   "canonical_name": "Equation",
   "aliases": [
    "Equation",
    "Equation Group",
    "Tilded Team",
    "EQGRP",
    "G0020"
   ],
   "category": "state",
   "sponsor": {
    "country": "US",
    "agency": "NSA",
    "unit": "TAO"
   },
   "cve_count": 3,
   "technique_count": 7,
   "idf_score": 11.08,
   "exclusive_cve_count": 1,
   "active_year_min": 2010,
   "active_year_max": 2022,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     3
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0020",
   "cve_ids": [
    "CVE-2010-2568",
    "CVE-2012-0159",
    "CVE-2013-3894"
   ],
   "technique_ids": [
    "T1120",
    "T1480",
    "T1542",
    "T1564"
   ],
   "subtechnique_ids": [
    "T1480.001",
    "T1542.002",
    "T1564.005"
   ]
  },
  {
   "actor_id": "G0021",
   "canonical_name": "Molerats",
   "aliases": [
    "Molerats",
    "Operation Molerats",
    "Gaza Cybergang",
    "Gaza Hackers Team",
    "Extreme Jackal",
    "Moonlight",
    "ALUMINUM SARATOGA",
    "G0021",
    "BLACKSTEM"
   ],
   "category": "state",
   "sponsor": {
    "country": "PS"
   },
   "cve_count": 0,
   "technique_count": 25,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0021",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1053",
    "T1057",
    "T1059",
    "T1105",
    "T1140",
    "T1204",
    "T1218",
    "T1547",
    "T1553",
    "T1555",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1027.015",
    "T1053.005",
    "T1059.001",
    "T1059.005",
    "T1059.007",
    "T1204.001",
    "T1204.002",
    "T1218.007",
    "T1547.001",
    "T1553.002",
    "T1555.003",
    "T1566.001",
    "T1566.002"
   ]
  },
  {
   "actor_id": "G0022",
   "canonical_name": "APT3",
   "aliases": [
    "APT3",
    "Gothic Panda",
    "Pirpi",
    "UPS Team",
    "Buckeye",
    "Threat Group-0110",
    "TG-0110"
   ],
   "category": "state-contractor",
   "sponsor": {
    "country": "CN",
    "agency": "MSS",
    "unit": "Guangdong Bureau"
   },
   "cve_count": 2,
   "technique_count": 69,
   "idf_score": 4.422,
   "exclusive_cve_count": 0,
   "active_year_min": 2017,
   "active_year_max": 2021,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0022",
   "cve_ids": [
    "CVE-2017-6328",
    "CVE-2020-6789"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1049",
    "T1053",
    "T1056",
    "T1057",
    "T1059",
    "T1069",
    "T1070",
    "T1074",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1095",
    "T1098",
    "T1104",
    "T1105",
    "T1110",
    "T1136",
    "T1203",
    "T1204",
    "T1218",
    "T1543",
    "T1546",
    "T1547",
    "T1552",
    "T1555",
    "T1560",
    "T1564",
    "T1566",
    "T1574"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.002",
    "T1027.002",
    "T1027.005",
    "T1036.010",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1074.001",
    "T1078.002",
    "T1087.001",
    "T1090.002",
    "T1098.007",
    "T1110.002",
    "T1136.001",
    "T1204.001",
    "T1218.011",
    "T1543.003",
    "T1546.008",
    "T1547.001",
    "T1552.001",
    "T1555.003",
    "T1560.001",
    "T1564.003",
    "T1566.002",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G0023",
   "canonical_name": "APT16",
   "aliases": [
    "APT16",
    "SVCMONDR",
    "G0023"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 2,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0023",
   "cve_ids": [],
   "technique_ids": [
    "T1584"
   ],
   "subtechnique_ids": [
    "T1584.004"
   ]
  },
  {
   "actor_id": "G0024",
   "canonical_name": "Putter Panda",
   "aliases": [
    "Putter Panda",
    "APT2",
    "MSUpdater",
    "PLA Unit 61486",
    "4HCrew",
    "SULPHUR",
    "SearchFire",
    "TG-6952",
    "G0024"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0024",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1055",
    "T1547",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1055.001",
    "T1547.001"
   ]
  },
  {
   "actor_id": "G0025",
   "canonical_name": "APT17",
   "aliases": [
    "APT17",
    "Deputy Dog",
    "Group 8",
    "AURORA PANDA",
    "Hidden Lynx",
    "Tailgater Team",
    "Dogfish",
    "BRONZE KEYSTONE",
    "G0025",
    "Group 72",
    "G0001",
    "Axiom",
    "HELIUM",
    "Heart Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 3,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "FireEye APT17 reports APT17 targeted U.S. government entities.",
     "source": "FireEye APT17"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "FireEye APT17 reports APT17 targeted the defense industry.",
     "source": "FireEye APT17"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "FireEye APT17 reports APT17 targeted law firms.",
     "source": "FireEye APT17"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "FireEye APT17 reports APT17 targeted information technology companies.",
     "source": "FireEye APT17"
    },
    {
     "naics": "212",
     "label": "Mining (except Oil & Gas)",
     "evidence": "FireEye APT17 reports APT17 targeted mining companies.",
     "source": "FireEye APT17"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0025",
   "cve_ids": [],
   "technique_ids": [
    "T1583",
    "T1585"
   ],
   "subtechnique_ids": [
    "T1583.006"
   ]
  },
  {
   "actor_id": "G0026",
   "canonical_name": "APT18",
   "aliases": [
    "APT18",
    "TG-0416",
    "Dynamite Panda",
    "Threat Group-0416",
    "SCANDIUM",
    "PLA Navy",
    "Wekby",
    "G0026",
    "Satin Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 18,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK states APT18 targeted manufacturing (Dell Lateral Movement).",
     "source": "Dell Lateral Movement"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK states APT18 targeted medical (Dell Lateral Movement).",
     "source": "Dell Lateral Movement"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK states APT18 targeted government (Dell Lateral Movement).",
     "source": "Dell Lateral Movement"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0026",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1053",
    "T1059",
    "T1070",
    "T1071",
    "T1078",
    "T1082",
    "T1083",
    "T1105",
    "T1133",
    "T1547"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1053.002",
    "T1059.003",
    "T1070.004",
    "T1071.001",
    "T1071.004",
    "T1547.001"
   ]
  },
  {
   "actor_id": "G0027",
   "canonical_name": "Threat Group-3390",
   "aliases": [
    "Threat Group-3390",
    "Earth Smilodon",
    "TG-3390",
    "Emissary Panda",
    "BRONZE UNION",
    "APT27",
    "Iron Tiger",
    "LuckyMouse",
    "Linen Typhoon",
    "GreedyTaotie",
    "TEMP.Hippo",
    "Red Phoenix",
    "Budworm",
    "Group 35",
    "ZipToken",
    "Lucky Mouse",
    "G0027",
    "Iron Taurus",
    "Circle Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 5,
   "technique_count": 83,
   "idf_score": 18.156,
   "exclusive_cve_count": 2,
   "active_year_min": 2010,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK G0027 states TG-3390 targeted aerospace sector (citing SecureWorks BRONZE UNION June 2017).",
     "source": "SecureWorks BRONZE UNION June 2017"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK G0027 states TG-3390 targeted government and defense sectors (citing SecureWorks BRONZE UNION June 2017).",
     "source": "SecureWorks BRONZE UNION June 2017"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK G0027 states TG-3390 targeted technology sector (citing SecureWorks BRONZE UNION June 2017).",
     "source": "SecureWorks BRONZE UNION June 2017"
    },
    {
     "naics": "21",
     "label": "Mining, Quarrying, Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK G0027 states TG-3390 targeted energy sector (citing SecureWorks BRONZE UNION June 2017).",
     "source": "SecureWorks BRONZE UNION June 2017"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK G0027 states TG-3390 targeted manufacturing sector (citing SecureWorks BRONZE UNION June 2017).",
     "source": "SecureWorks BRONZE UNION June 2017"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "linux",
     2
    ],
    [
     "microsoft",
     2
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0027",
   "cve_ids": [
    "CVE-2010-0738",
    "CVE-2017-15303",
    "CVE-2026-21236",
    "CVE-2026-31635",
    "CVE-2026-45585"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1030",
    "T1033",
    "T1046",
    "T1047",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1059",
    "T1068",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1087",
    "T1105",
    "T1112",
    "T1119",
    "T1133",
    "T1140",
    "T1189",
    "T1190",
    "T1195",
    "T1199",
    "T1203",
    "T1204",
    "T1210",
    "T1505",
    "T1543",
    "T1547",
    "T1548",
    "T1555",
    "T1560",
    "T1566",
    "T1567",
    "T1574",
    "T1583",
    "T1588",
    "T1608",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.004",
    "T1021.006",
    "T1027.002",
    "T1027.013",
    "T1027.015",
    "T1053.002",
    "T1055.012",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1070.005",
    "T1071.001",
    "T1074.001",
    "T1074.002",
    "T1087.001",
    "T1195.002",
    "T1204.002",
    "T1505.003",
    "T1543.003",
    "T1547.001",
    "T1548.002",
    "T1555.005",
    "T1560.002",
    "T1566.001",
    "T1567.002",
    "T1574.001",
    "T1583.001",
    "T1588.002",
    "T1588.003",
    "T1608.001",
    "T1608.002",
    "T1608.004",
    "T1685.001"
   ]
  },
  {
   "actor_id": "G0028",
   "canonical_name": "Threat Group-1314",
   "aliases": [
    "Threat Group-1314",
    "TG-1314"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0028",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1059",
    "T1072",
    "T1078"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1059.003",
    "T1078.002"
   ]
  },
  {
   "actor_id": "G0029",
   "canonical_name": "Scarlet Mimic",
   "aliases": [
    "Scarlet Mimic",
    "G0029",
    "Golfing Taurus"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 3,
   "technique_count": 2,
   "idf_score": 10.569,
   "exclusive_cve_count": 1,
   "active_year_min": 2010,
   "active_year_max": 2022,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     3
    ],
    [
     "macos",
     1
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0029",
   "cve_ids": [
    "CVE-2010-2572",
    "CVE-2010-2883",
    "CVE-2010-3333"
   ],
   "technique_ids": [
    "T1036"
   ],
   "subtechnique_ids": [
    "T1036.002"
   ]
  },
  {
   "actor_id": "G0030",
   "canonical_name": "Lotus Blossom",
   "aliases": [
    "Lotus Blossom",
    "DRAGONFISH",
    "Spring Dragon",
    "RADIUM",
    "Raspberry Typhoon",
    "Bilbug",
    "Thrip",
    "LOTUS PANDA",
    "ST Group",
    "BRONZE ELGIN",
    "ATK1",
    "G0030",
    "Red Salamander",
    "Billbug"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 27,
   "idf_score": 3.597,
   "exclusive_cve_count": 0,
   "active_year_min": 2010,
   "active_year_max": 2022,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states Lotus Blossom has 'largely targeting various entities in Asia' including 'government and related targets' since at least 2009 (Lotus Blossom Jun 2015).",
     "source": "Lotus Blossom Jun 2015"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "MITRE ATT&CK notes targeting of 'digital certificate issuers' in addition to government targets (Symantec Bilbug 2022).",
     "source": "Symantec Bilbug 2022"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "macos",
     1
    ],
    [
     "microsoft",
     1
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0030",
   "cve_ids": [
    "CVE-2010-2883"
   ],
   "technique_ids": [
    "T1012",
    "T1016",
    "T1018",
    "T1046",
    "T1047",
    "T1049",
    "T1074",
    "T1083",
    "T1087",
    "T1090",
    "T1112",
    "T1134",
    "T1482",
    "T1539",
    "T1543",
    "T1560",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1016.001",
    "T1074.001",
    "T1087.001",
    "T1087.002",
    "T1090.001",
    "T1090.003",
    "T1543.003",
    "T1560.001",
    "T1560.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0032",
   "canonical_name": "Lazarus Group",
   "aliases": [
    "Lazarus Group",
    "Labyrinth Chollima",
    "HIDDEN COBRA",
    "Guardians of Peace",
    "ZINC",
    "NICKEL ACADEMY",
    "Diamond Sleet",
    "Operation DarkSeoul",
    "Dark Seoul",
    "Hastati Group",
    "Andariel",
    "Unit 121",
    "Bureau 121",
    "NewRomanic Cyber Army Team",
    "Bluenoroff",
    "Subgroup: Bluenoroff",
    "Group 77",
    "Operation Troy",
    "Operation GhostSecret",
    "Operation AppleJeus",
    "APT38",
    "APT 38",
    "Stardust Chollima",
    "Whois Hacking Team",
    "Appleworm",
    "APT-C-26",
    "NICKEL GLADSTONE",
    "COVELLITE",
    "ATK3",
    "G0032",
    "ATK117",
    "G0082",
    "Citrine Sleet",
    "DEV-0139",
    "DEV-1222",
    "Sapphire Sleet",
    "COPERNICIUM",
    "TA404",
    "BeagleBoyz",
    "Moonstone Sleet",
    "Black Artemis"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP",
    "agency": "RGB",
    "unit": "Bureau 121 / Lab 110"
   },
   "cve_count": 12,
   "technique_count": 128,
   "idf_score": 36.236,
   "exclusive_cve_count": 1,
   "active_year_min": 2017,
   "active_year_max": 2022,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [
    [
     "application",
     10
    ],
    [
     "linux",
     3
    ],
    [
     "microsoft",
     2
    ],
    [
     "macos",
     1
    ],
    [
     "network",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0032",
   "cve_ids": [
    "CVE-2015-6585",
    "CVE-2017-4946",
    "CVE-2019-15637",
    "CVE-2021-3018",
    "CVE-2021-40684",
    "CVE-2021-44142",
    "CVE-2021-45837",
    "CVE-2022-22005",
    "CVE-2022-24663",
    "CVE-2022-24664",
    "CVE-2022-24665",
    "CVE-2022-24785"
   ],
   "technique_ids": [
    "T1001",
    "T1005",
    "T1008",
    "T1010",
    "T1012",
    "T1016",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1046",
    "T1047",
    "T1048",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1082",
    "T1083",
    "T1090",
    "T1098",
    "T1102",
    "T1104",
    "T1105",
    "T1106",
    "T1110",
    "T1124",
    "T1132",
    "T1134",
    "T1140",
    "T1189",
    "T1202",
    "T1203",
    "T1204",
    "T1218",
    "T1485",
    "T1489",
    "T1491",
    "T1529",
    "T1542",
    "T1543",
    "T1547",
    "T1553",
    "T1557",
    "T1560",
    "T1561",
    "T1564",
    "T1566",
    "T1571",
    "T1573",
    "T1574",
    "T1583",
    "T1584",
    "T1585",
    "T1587",
    "T1588",
    "T1589",
    "T1591",
    "T1620",
    "T1680",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1001.003",
    "T1021.001",
    "T1021.002",
    "T1021.004",
    "T1027.007",
    "T1027.009",
    "T1027.013",
    "T1036.003",
    "T1036.004",
    "T1036.005",
    "T1048.003",
    "T1053.005",
    "T1055.001",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1070.003",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1074.001",
    "T1090.001",
    "T1090.002",
    "T1102.002",
    "T1110.003",
    "T1132.001",
    "T1134.002",
    "T1204.002",
    "T1218.005",
    "T1218.011",
    "T1491.001",
    "T1542.003",
    "T1543.003",
    "T1547.001",
    "T1547.009",
    "T1553.002",
    "T1557.001",
    "T1560.002",
    "T1560.003",
    "T1561.001",
    "T1561.002",
    "T1564.001",
    "T1566.001",
    "T1566.002",
    "T1566.003",
    "T1573.001",
    "T1574.001",
    "T1574.013",
    "T1583.001",
    "T1583.006",
    "T1584.004",
    "T1585.001",
    "T1585.002",
    "T1587.001",
    "T1588.002",
    "T1588.004",
    "T1589.002",
    "T1686.003"
   ]
  },
  {
   "actor_id": "G0033",
   "canonical_name": "Poseidon Group",
   "aliases": [
    "Poseidon Group",
    "G0033"
   ],
   "category": "state",
   "sponsor": {
    "country": "BR"
   },
   "cve_count": 0,
   "technique_count": 11,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0033",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1007",
    "T1036",
    "T1049",
    "T1057",
    "T1059",
    "T1087"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1059.001",
    "T1087.001",
    "T1087.002"
   ]
  },
  {
   "actor_id": "G0034",
   "canonical_name": "Sandworm Team",
   "aliases": [
    "Sandworm Team",
    "ELECTRUM",
    "Telebots",
    "IRON VIKING",
    "BlackEnergy (Group)",
    "Quedagh",
    "Voodoo Bear",
    "IRIDIUM",
    "Seashell Blizzard",
    "FROZENBARENTS",
    "APT44",
    "Sandworm",
    "TEMP.Noble",
    "G0034",
    "Blue Echidna",
    "UAC-0113",
    "UAC-0082"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "GRU",
    "unit": "Unit 74455"
   },
   "cve_count": 2,
   "technique_count": 109,
   "idf_score": 3.927,
   "exclusive_cve_count": 0,
   "active_year_min": 2010,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "US DOJ indictment 2020 + Dragos ELECTRUM.",
     "source": "overlay"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "US DOJ indictment 2020 + Dragos ELECTRUM.",
     "source": "overlay"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "US DOJ indictment 2020 + Dragos ELECTRUM.",
     "source": "overlay"
    },
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "US District Court Indictment GRU Unit 74455 October 2020 cites 2015/2016 attacks on Ukrainian government organizations and 2018-2019 Georgia attacks.",
     "source": "US District Court Indictment GRU Unit 74455 October 2020"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [
    [
     "microsoft",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0034",
   "cve_ids": [
    "CVE-2010-3333",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1040",
    "T1041",
    "T1047",
    "T1049",
    "T1053",
    "T1056",
    "T1059",
    "T1070",
    "T1071",
    "T1072",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1102",
    "T1105",
    "T1106",
    "T1132",
    "T1133",
    "T1140",
    "T1190",
    "T1195",
    "T1199",
    "T1203",
    "T1204",
    "T1213",
    "T1218",
    "T1219",
    "T1485",
    "T1486",
    "T1489",
    "T1490",
    "T1491",
    "T1499",
    "T1505",
    "T1539",
    "T1555",
    "T1561",
    "T1566",
    "T1570",
    "T1571",
    "T1583",
    "T1584",
    "T1585",
    "T1586",
    "T1587",
    "T1588",
    "T1589",
    "T1590",
    "T1591",
    "T1592",
    "T1593",
    "T1594",
    "T1595",
    "T1598",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.003",
    "T1021.002",
    "T1027.010",
    "T1036.005",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.005",
    "T1070.004",
    "T1071.001",
    "T1078.002",
    "T1087.002",
    "T1087.003",
    "T1102.002",
    "T1132.001",
    "T1195.002",
    "T1204.001",
    "T1204.002",
    "T1213.006",
    "T1218.011",
    "T1491.002",
    "T1505.003",
    "T1555.003",
    "T1561.002",
    "T1566.001",
    "T1566.002",
    "T1583.001",
    "T1583.004",
    "T1584.004",
    "T1584.005",
    "T1585.001",
    "T1585.002",
    "T1586.001",
    "T1587.001",
    "T1588.002",
    "T1588.006",
    "T1589.002",
    "T1589.003",
    "T1590.001",
    "T1591.002",
    "T1592.002",
    "T1595.002",
    "T1598.003",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G0035",
   "canonical_name": "Dragonfly",
   "aliases": [
    "Dragonfly",
    "TEMP.Isotope",
    "DYMALLOY",
    "Berserk Bear",
    "TG-4192",
    "Crouching Yeti",
    "IRON LIBERTY",
    "Energetic Bear",
    "Ghost Blizzard",
    "BROMINE",
    "ALLANITE",
    "CASTLE",
    "Group 24",
    "Havex",
    "Koala Team",
    "G0035",
    "ATK6",
    "ITG15",
    "Blue Kraken"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU",
    "agency": "FSB"
   },
   "cve_count": 0,
   "technique_count": 82,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "MITRE ATT&CK description states Dragonfly targeted critical infrastructure and ICS companies, corroborated by CISA AA20-296A Berserk Bear December 2020 and Dragos DYMALLOY.",
     "source": "CISA AA20-296A Berserk Bear December 2020"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK explicitly lists targeting of defense and aviation companies via supply-chain and spearphishing attacks.",
     "source": "Symantec Dragonfly"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states Dragonfly targeted government entities and national security organizations worldwide.",
     "source": "DOJ Russia Targeting Critical Infrastructure March 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0035",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1033",
    "T1036",
    "T1053",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1083",
    "T1087",
    "T1098",
    "T1105",
    "T1110",
    "T1112",
    "T1113",
    "T1114",
    "T1133",
    "T1135",
    "T1136",
    "T1187",
    "T1189",
    "T1190",
    "T1195",
    "T1203",
    "T1204",
    "T1210",
    "T1221",
    "T1505",
    "T1547",
    "T1560",
    "T1564",
    "T1566",
    "T1583",
    "T1584",
    "T1588",
    "T1591",
    "T1595",
    "T1598",
    "T1608",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1003.003",
    "T1003.004",
    "T1021.001",
    "T1036.010",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.006",
    "T1069.002",
    "T1070.004",
    "T1071.002",
    "T1074.001",
    "T1087.002",
    "T1098.007",
    "T1110.002",
    "T1114.002",
    "T1136.001",
    "T1195.002",
    "T1204.002",
    "T1505.003",
    "T1547.001",
    "T1564.002",
    "T1566.001",
    "T1583.001",
    "T1583.003",
    "T1584.004",
    "T1588.002",
    "T1591.002",
    "T1595.002",
    "T1598.002",
    "T1598.003",
    "T1608.004",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0036",
   "canonical_name": "GCMAN",
   "aliases": [
    "GCMAN",
    "G0036"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 3,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0036",
   "cve_ids": [],
   "technique_ids": [
    "T1021"
   ],
   "subtechnique_ids": [
    "T1021.004",
    "T1021.005"
   ]
  },
  {
   "actor_id": "G0037",
   "canonical_name": "FIN6",
   "aliases": [
    "FIN6",
    "Magecart Group 6",
    "ITG08",
    "Skeleton Spider",
    "TAAL",
    "Camouflage Tempest",
    "White Giant",
    "GOLD FRANKLIN",
    "ATK88",
    "G0037",
    "TA4557",
    "Storm-0538"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 58,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "44",
     "label": "Retail Trade",
     "evidence": "FIN6 targeted and compromised PoS systems in the retail sector (FireEye FIN6 April 2016).",
     "source": "FireEye FIN6 April 2016"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "FIN6 targeted and compromised PoS systems in the hospitality sector (FireEye FIN6 April 2016).",
     "source": "FireEye FIN6 April 2016"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0037",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1018",
    "T1021",
    "T1027",
    "T1036",
    "T1046",
    "T1047",
    "T1048",
    "T1053",
    "T1059",
    "T1068",
    "T1070",
    "T1074",
    "T1078",
    "T1087",
    "T1095",
    "T1102",
    "T1110",
    "T1119",
    "T1134",
    "T1204",
    "T1213",
    "T1547",
    "T1553",
    "T1555",
    "T1560",
    "T1566",
    "T1569",
    "T1572",
    "T1573",
    "T1588",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.003",
    "T1021.001",
    "T1027.010",
    "T1036.004",
    "T1048.003",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.007",
    "T1070.004",
    "T1074.002",
    "T1087.002",
    "T1110.002",
    "T1204.002",
    "T1213.006",
    "T1547.001",
    "T1553.002",
    "T1555.003",
    "T1560.003",
    "T1566.001",
    "T1566.003",
    "T1569.002",
    "T1573.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0038",
   "canonical_name": "Stealth Falcon",
   "aliases": [
    "Stealth Falcon",
    "FruityArmor",
    "G0038"
   ],
   "category": "state",
   "sponsor": {
    "country": "AE"
   },
   "cve_count": 0,
   "technique_count": 19,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0038",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1012",
    "T1016",
    "T1033",
    "T1041",
    "T1047",
    "T1053",
    "T1057",
    "T1059",
    "T1071",
    "T1082",
    "T1555",
    "T1573"
   ],
   "subtechnique_ids": [
    "T1053.005",
    "T1059.001",
    "T1071.001",
    "T1555.003",
    "T1555.004",
    "T1573.001"
   ]
  },
  {
   "actor_id": "G0039",
   "canonical_name": "Suckfly",
   "aliases": [
    "Suckfly",
    "APT22",
    "G0039",
    "BRONZE OLIVE",
    "Group 46"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0039",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1046",
    "T1059",
    "T1078",
    "T1553"
   ],
   "subtechnique_ids": [
    "T1059.003",
    "T1553.002"
   ]
  },
  {
   "actor_id": "G0040",
   "canonical_name": "Patchwork",
   "aliases": [
    "Patchwork",
    "Hangover Group",
    "Dropping Elephant",
    "Chinastrats",
    "MONSOON",
    "Operation Hangover",
    "QUILTED TIGER",
    "Sarit",
    "APT-C-09",
    "ZINC EMERSON",
    "ATK11",
    "G0040",
    "Orange Athos",
    "Thirsty Gemini"
   ],
   "category": "state",
   "sponsor": {
    "country": "IN"
   },
   "cve_count": 0,
   "technique_count": 63,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK states Patchwork targets diplomatic and government agencies (Cymmetria Patchwork).",
     "source": "Cymmetria Patchwork"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "Patchwork conducted spearphishing against U.S. think tank groups in 2018 (Volexity Patchwork June 2018).",
     "source": "Volexity Patchwork June 2018"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0040",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1053",
    "T1055",
    "T1059",
    "T1070",
    "T1074",
    "T1082",
    "T1083",
    "T1102",
    "T1105",
    "T1112",
    "T1119",
    "T1132",
    "T1189",
    "T1197",
    "T1203",
    "T1204",
    "T1518",
    "T1547",
    "T1548",
    "T1553",
    "T1555",
    "T1559",
    "T1560",
    "T1566",
    "T1574",
    "T1587",
    "T1588",
    "T1598",
    "T1680"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1027.001",
    "T1027.002",
    "T1027.005",
    "T1027.010",
    "T1036.005",
    "T1053.005",
    "T1055.012",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1070.004",
    "T1074.001",
    "T1102.001",
    "T1132.001",
    "T1204.001",
    "T1204.002",
    "T1518.001",
    "T1547.001",
    "T1548.002",
    "T1553.002",
    "T1555.003",
    "T1559.002",
    "T1566.001",
    "T1566.002",
    "T1574.001",
    "T1587.002",
    "T1588.002",
    "T1598.003"
   ]
  },
  {
   "actor_id": "G0041",
   "canonical_name": "Strider",
   "aliases": [
    "Strider",
    "ProjectSauron",
    "Sauron",
    "Project Sauron",
    "G0041"
   ],
   "category": "state",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 6,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0041",
   "cve_ids": [],
   "technique_ids": [
    "T1090",
    "T1556",
    "T1564"
   ],
   "subtechnique_ids": [
    "T1090.001",
    "T1556.002",
    "T1564.005"
   ]
  },
  {
   "actor_id": "G0043",
   "canonical_name": "Group5",
   "aliases": [
    "Group5",
    "G0043"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0043",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1056",
    "T1070",
    "T1113"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1056.001",
    "T1070.004"
   ]
  },
  {
   "actor_id": "G0044",
   "canonical_name": "Winnti Group",
   "aliases": [
    "Winnti Group",
    "Blackfly",
    "APT41",
    "G0096",
    "TA415",
    "Grayfly",
    "LEAD",
    "BARIUM",
    "WICKED SPIDER",
    "WICKED PANDA",
    "BRONZE ATLAS",
    "BRONZE EXPORT",
    "Red Kelpie",
    "G0044",
    "Earth Baku",
    "Amoeba",
    "HOODOO",
    "Brass Typhoon",
    "Winnti",
    "Double Dragon",
    "TG-2633",
    "Leopard Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 2,
   "technique_count": 8,
   "idf_score": 4.422,
   "exclusive_cve_count": 0,
   "active_year_min": 2017,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "71",
     "label": "Arts, Entertainment & Recreation",
     "evidence": "MITRE ATT&CK G0044 states Winnti has heavily targeted the gaming industry (citing Kaspersky Winnti April 2013, Kaspersky Winnti June 2015, Novetta Winnti April 2015).",
     "source": "Kaspersky Winnti April 2013"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0044",
   "cve_ids": [
    "CVE-2017-6328",
    "CVE-2020-6789"
   ],
   "technique_ids": [
    "T1014",
    "T1057",
    "T1083",
    "T1105",
    "T1553",
    "T1583"
   ],
   "subtechnique_ids": [
    "T1553.002",
    "T1583.001"
   ]
  },
  {
   "actor_id": "G0045",
   "canonical_name": "menuPass",
   "aliases": [
    "menuPass",
    "Cicada",
    "POTASSIUM",
    "Stone Panda",
    "APT10",
    "Red Apollo",
    "CVNX",
    "HOGFISH",
    "BRONZE RIVERSIDE",
    "Menupass Team",
    "happyyongzi",
    "Cloud Hopper",
    "ATK41",
    "G0045",
    "Granite Taurus",
    "TA429",
    "Purple Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "MSS",
    "unit": "Tianjin Bureau"
   },
   "cve_count": 2,
   "technique_count": 65,
   "idf_score": 4.422,
   "exclusive_cve_count": 0,
   "active_year_min": 2017,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK profile states menuPass targeted healthcare sector, citing FireEye APT10 April 2017 and PWC Cloud Hopper April 2017.",
     "source": "FireEye APT10 April 2017"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK profile states menuPass targeted defense sector, citing DOJ APT10 Dec 2018 indictment.",
     "source": "DOJ APT10 Dec 2018"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK profile states menuPass targeted aerospace sector, citing Palo Alto menuPass Feb 2017.",
     "source": "Palo Alto menuPass Feb 2017"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK profile states menuPass targeted finance sector, citing FireEye APT10 April 2017.",
     "source": "FireEye APT10 April 2017"
    },
    {
     "naics": "483",
     "label": "Water Transportation",
     "evidence": "MITRE ATT&CK profile states menuPass targeted maritime sector, citing FireEye APT10 April 2017.",
     "source": "FireEye APT10 April 2017"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK profile states menuPass targeted energy sector, citing Palo Alto menuPass Feb 2017.",
     "source": "Palo Alto menuPass Feb 2017"
    },
    {
     "naics": "212",
     "label": "Mining (except Oil & Gas)",
     "evidence": "MITRE ATT&CK profile states menuPass targeted mining companies in 2016-2017, citing PWC Cloud Hopper April 2017.",
     "source": "PWC Cloud Hopper April 2017"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK profile states menuPass targeted manufacturing companies in 2016-2017, citing PWC Cloud Hopper April 2017.",
     "source": "PWC Cloud Hopper April 2017"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK profile states menuPass targeted a university in 2016-2017, citing PWC Cloud Hopper April 2017.",
     "source": "PWC Cloud Hopper April 2017"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0045",
   "cve_ids": [
    "CVE-2017-6328",
    "CVE-2020-6789"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1036",
    "T1039",
    "T1046",
    "T1047",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1059",
    "T1070",
    "T1074",
    "T1078",
    "T1083",
    "T1087",
    "T1090",
    "T1105",
    "T1106",
    "T1119",
    "T1140",
    "T1190",
    "T1199",
    "T1204",
    "T1210",
    "T1218",
    "T1553",
    "T1560",
    "T1566",
    "T1568",
    "T1574",
    "T1583",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1003.003",
    "T1003.004",
    "T1021.001",
    "T1021.004",
    "T1027.013",
    "T1036.003",
    "T1036.005",
    "T1053.005",
    "T1055.012",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1070.003",
    "T1070.004",
    "T1074.001",
    "T1074.002",
    "T1087.002",
    "T1090.002",
    "T1204.002",
    "T1218.004",
    "T1553.002",
    "T1560.001",
    "T1566.001",
    "T1568.001",
    "T1574.001",
    "T1583.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0046",
   "canonical_name": "FIN7",
   "aliases": [
    "FIN7",
    "GOLD NIAGARA",
    "ITG14",
    "Carbon Spider",
    "ELBRUS",
    "Sangria Tempest"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 93,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "44",
     "label": "Retail Trade",
     "evidence": "MITRE ATT&CK description states FIN7 targeted retail industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "MITRE ATT&CK description states FIN7 targeted restaurant, hospitality and food & beverage industries (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "MITRE ATT&CK description states FIN7 targeted software industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states FIN7 targeted consulting industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK description states FIN7 targeted financial services industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "3391",
     "label": "Medical Equipment & Supplies",
     "evidence": "MITRE ATT&CK description states FIN7 targeted medical equipment industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "518",
     "label": "Computing Infrastructure Providers, Data Processing & Hosting",
     "evidence": "MITRE ATT&CK description states FIN7 targeted cloud services industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "MITRE ATT&CK description states FIN7 targeted media industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "MITRE ATT&CK description states FIN7 targeted transportation industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK description states FIN7 targeted pharmaceutical industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "MITRE ATT&CK description states FIN7 targeted utilities industry (citing FireEye FIN7 April 2017, Mandiant FIN7 Apr 2022).",
     "source": "Mandiant FIN7 Apr 2022"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0046",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1005",
    "T1008",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1047",
    "T1053",
    "T1057",
    "T1059",
    "T1069",
    "T1071",
    "T1078",
    "T1082",
    "T1087",
    "T1091",
    "T1102",
    "T1105",
    "T1113",
    "T1124",
    "T1125",
    "T1140",
    "T1190",
    "T1195",
    "T1204",
    "T1210",
    "T1218",
    "T1219",
    "T1486",
    "T1497",
    "T1543",
    "T1546",
    "T1547",
    "T1553",
    "T1558",
    "T1559",
    "T1564",
    "T1566",
    "T1567",
    "T1569",
    "T1571",
    "T1572",
    "T1583",
    "T1587",
    "T1588",
    "T1591",
    "T1608",
    "T1620",
    "T1674",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1021.004",
    "T1021.005",
    "T1027.010",
    "T1027.016",
    "T1036.004",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1069.002",
    "T1071.004",
    "T1078.003",
    "T1087.002",
    "T1102.002",
    "T1195.002",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1218.011",
    "T1497.002",
    "T1543.003",
    "T1546.011",
    "T1547.001",
    "T1553.002",
    "T1558.003",
    "T1559.002",
    "T1564.001",
    "T1564.003",
    "T1566.001",
    "T1566.002",
    "T1567.002",
    "T1569.002",
    "T1583.001",
    "T1583.006",
    "T1587.001",
    "T1588.002",
    "T1591.004",
    "T1608.001",
    "T1608.004",
    "T1608.005"
   ]
  },
  {
   "actor_id": "G0047",
   "canonical_name": "Gamaredon Group",
   "aliases": [
    "Gamaredon Group",
    "IRON TILDEN",
    "Primitive Bear",
    "ACTINIUM",
    "Armageddon",
    "Shuckworm",
    "DEV-0157",
    "Aqua Blizzard",
    "NastyShrew",
    "Blue Otso",
    "BlueAlpha",
    "G0047",
    "Trident Ursa",
    "UAC-0010",
    "Winterflounder"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 1,
   "technique_count": 91,
   "idf_score": 2.681,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "9221",
     "label": "Justice, Public Order & Safety",
     "evidence": "MITRE ATT&CK description states Gamaredon targeted law enforcement and judiciary organizations in Ukraine (Palo Alto Gamaredon Feb 2017, ESET Gamaredon June 2020).",
     "source": "MITRE ATT&CK G0047"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Gamaredon targeted military organizations in Ukraine since at least 2013 (Microsoft Actinium February 2022).",
     "source": "MITRE ATT&CK G0047"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0047",
   "cve_ids": [
    "CVE-2026-22813"
   ],
   "technique_ids": [
    "T1001",
    "T1005",
    "T1012",
    "T1016",
    "T1020",
    "T1021",
    "T1025",
    "T1027",
    "T1033",
    "T1036",
    "T1039",
    "T1041",
    "T1047",
    "T1053",
    "T1055",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1080",
    "T1082",
    "T1083",
    "T1090",
    "T1091",
    "T1095",
    "T1102",
    "T1105",
    "T1106",
    "T1112",
    "T1113",
    "T1119",
    "T1120",
    "T1137",
    "T1140",
    "T1204",
    "T1218",
    "T1221",
    "T1480",
    "T1491",
    "T1497",
    "T1518",
    "T1534",
    "T1547",
    "T1559",
    "T1561",
    "T1564",
    "T1566",
    "T1568",
    "T1571",
    "T1583",
    "T1587",
    "T1588",
    "T1608",
    "T1620",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1016.001",
    "T1021.005",
    "T1027.004",
    "T1027.010",
    "T1027.012",
    "T1027.015",
    "T1027.016",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1070.004",
    "T1071.001",
    "T1090.003",
    "T1102.002",
    "T1102.003",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1218.011",
    "T1491.001",
    "T1497.001",
    "T1518.001",
    "T1547.001",
    "T1559.001",
    "T1561.001",
    "T1564.003",
    "T1566.001",
    "T1568.001",
    "T1583.001",
    "T1583.003",
    "T1583.006",
    "T1587.003",
    "T1588.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G0048",
   "canonical_name": "RTM",
   "aliases": [
    "RTM",
    "G0048"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 13,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "MITRE ATT&CK states RTM primarily targets users of remote banking systems in Russia/neighboring countries (Citation: ESET RTM Feb 2017).",
     "source": "ESET RTM Feb 2017"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0048",
   "cve_ids": [],
   "technique_ids": [
    "T1102",
    "T1189",
    "T1204",
    "T1219",
    "T1547",
    "T1566",
    "T1574"
   ],
   "subtechnique_ids": [
    "T1102.001",
    "T1204.002",
    "T1219.002",
    "T1547.001",
    "T1566.001",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G0049",
   "canonical_name": "OilRig",
   "aliases": [
    "OilRig",
    "COBALT GYPSY",
    "IRN2",
    "APT34",
    "Helix Kitten",
    "Evasive Serpens",
    "Hazel Sandstorm",
    "EUROPIUM",
    "ITG13",
    "Earth Simnavaz",
    "Crambus",
    "TA452",
    "Twisted Kitten",
    "APT 34",
    "ATK40",
    "G0049"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR",
    "agency": "MOIS"
   },
   "cve_count": 1,
   "technique_count": 103,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK G0049 states OilRig targeted financial sector (citing FireEye APT34 Dec 2017).",
     "source": "FireEye APT34 Dec 2017"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK G0049 states OilRig targeted government sector (citing Palo Alto OilRig April 2017).",
     "source": "Palo Alto OilRig April 2017"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK G0049 states OilRig targeted energy sector (citing ClearSky OilRig Jan 2017).",
     "source": "ClearSky OilRig Jan 2017"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK G0049 states OilRig targeted chemical sector (citing Palo Alto OilRig May 2016).",
     "source": "Palo Alto OilRig May 2016"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK G0049 states OilRig targeted telecommunications sector (citing Unit42 OilRig Playbook 2023).",
     "source": "Unit42 OilRig Playbook 2023"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0049",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1008",
    "T1012",
    "T1016",
    "T1021",
    "T1025",
    "T1027",
    "T1033",
    "T1036",
    "T1046",
    "T1047",
    "T1048",
    "T1049",
    "T1053",
    "T1056",
    "T1057",
    "T1059",
    "T1068",
    "T1069",
    "T1070",
    "T1071",
    "T1078",
    "T1082",
    "T1087",
    "T1105",
    "T1110",
    "T1112",
    "T1113",
    "T1115",
    "T1119",
    "T1120",
    "T1133",
    "T1137",
    "T1140",
    "T1195",
    "T1201",
    "T1203",
    "T1204",
    "T1218",
    "T1219",
    "T1497",
    "T1505",
    "T1543",
    "T1552",
    "T1553",
    "T1555",
    "T1556",
    "T1566",
    "T1572",
    "T1573",
    "T1583",
    "T1586",
    "T1587",
    "T1588",
    "T1608",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.004",
    "T1003.005",
    "T1021.001",
    "T1021.004",
    "T1027.005",
    "T1027.013",
    "T1036.005",
    "T1048.003",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1069.001",
    "T1069.002",
    "T1070.004",
    "T1071.001",
    "T1071.004",
    "T1078.002",
    "T1087.001",
    "T1087.002",
    "T1137.004",
    "T1204.001",
    "T1204.002",
    "T1218.001",
    "T1497.001",
    "T1505.003",
    "T1543.003",
    "T1552.001",
    "T1553.002",
    "T1555.003",
    "T1555.004",
    "T1556.002",
    "T1566.001",
    "T1566.002",
    "T1566.003",
    "T1573.002",
    "T1583.001",
    "T1586.002",
    "T1587.001",
    "T1588.002",
    "T1588.003",
    "T1608.001",
    "T1686.003"
   ]
  },
  {
   "actor_id": "G0050",
   "canonical_name": "APT32",
   "aliases": [
    "APT32",
    "SeaLotus",
    "OceanLotus",
    "APT-C-00",
    "Canvas Cyclone",
    "BISMUTH",
    "OceanLotus Group",
    "Ocean Lotus",
    "Cobalt Kitty",
    "Sea Lotus",
    "APT-32",
    "APT 32",
    "Ocean Buffalo",
    "POND LOACH",
    "TIN WOODLAWN",
    "ATK17",
    "G0050"
   ],
   "category": "state",
   "sponsor": {
    "country": "VN"
   },
   "cve_count": 0,
   "technique_count": 106,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0050",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1046",
    "T1047",
    "T1048",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1059",
    "T1068",
    "T1070",
    "T1071",
    "T1072",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1102",
    "T1105",
    "T1112",
    "T1135",
    "T1137",
    "T1189",
    "T1203",
    "T1204",
    "T1216",
    "T1218",
    "T1222",
    "T1505",
    "T1543",
    "T1547",
    "T1550",
    "T1552",
    "T1560",
    "T1564",
    "T1566",
    "T1569",
    "T1570",
    "T1571",
    "T1574",
    "T1583",
    "T1585",
    "T1588",
    "T1589",
    "T1598",
    "T1608",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.002",
    "T1027.010",
    "T1027.011",
    "T1027.013",
    "T1027.016",
    "T1036.003",
    "T1036.004",
    "T1036.005",
    "T1048.003",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1071.003",
    "T1078.003",
    "T1087.001",
    "T1204.001",
    "T1204.002",
    "T1216.001",
    "T1218.005",
    "T1218.010",
    "T1218.011",
    "T1222.002",
    "T1505.003",
    "T1543.003",
    "T1547.001",
    "T1550.002",
    "T1550.003",
    "T1552.002",
    "T1564.001",
    "T1564.003",
    "T1564.004",
    "T1566.001",
    "T1566.002",
    "T1569.002",
    "T1574.001",
    "T1583.001",
    "T1583.006",
    "T1585.001",
    "T1588.002",
    "T1589.002",
    "T1598.003",
    "T1608.001",
    "T1608.004",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0051",
   "canonical_name": "FIN10",
   "aliases": [
    "FIN10",
    "G0051"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 17,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0051",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1033",
    "T1053",
    "T1059",
    "T1070",
    "T1078",
    "T1547",
    "T1570",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1078.003",
    "T1547.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0052",
   "canonical_name": "CopyKittens",
   "aliases": [
    "CopyKittens",
    "Slayer Kitten",
    "G0052"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 14,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0052",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1090",
    "T1218",
    "T1553",
    "T1560",
    "T1564",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1059.001",
    "T1218.011",
    "T1553.002",
    "T1560.001",
    "T1560.003",
    "T1564.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0053",
   "canonical_name": "FIN5",
   "aliases": [
    "FIN5",
    "G0053"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 16,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "MITRE ATT&CK states FIN5 targeted restaurant and hotel industries (FireEye Respond Webinar July 2017; Mandiant FIN5 GrrCON Oct 2016).",
     "source": "Mandiant FIN5 GrrCON Oct 2016"
    },
    {
     "naics": "71",
     "label": "Arts, Entertainment & Recreation",
     "evidence": "MITRE ATT&CK states FIN5 targeted gaming industry (FireEye Respond Webinar July 2017; DarkReading FireEye FIN5 Oct 2015).",
     "source": "DarkReading FireEye FIN5 Oct 2015"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0053",
   "cve_ids": [],
   "technique_ids": [
    "T1018",
    "T1059",
    "T1070",
    "T1074",
    "T1078",
    "T1090",
    "T1110",
    "T1119",
    "T1133",
    "T1588",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1070.004",
    "T1074.001",
    "T1090.002",
    "T1588.002",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0054",
   "canonical_name": "Sowbug",
   "aliases": [
    "Sowbug",
    "G0054"
   ],
   "category": "state",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 13,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Symantec Sowbug Nov 2017 states Sowbug targeted government entities in South America and Southeast Asia since at least 2015.",
     "source": "Symantec Sowbug Nov 2017"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0054",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1036",
    "T1039",
    "T1056",
    "T1059",
    "T1082",
    "T1083",
    "T1135",
    "T1560"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1056.001",
    "T1059.003",
    "T1560.001"
   ]
  },
  {
   "actor_id": "G0055",
   "canonical_name": "NEODYMIUM",
   "aliases": [
    "NEODYMIUM",
    "G0055"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 12,
   "technique_count": 0,
   "idf_score": 42.762,
   "exclusive_cve_count": 0,
   "active_year_min": 2008,
   "active_year_max": 2022,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     7
    ],
    [
     "microsoft",
     5
    ],
    [
     "linux",
     3
    ],
    [
     "macos",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0055",
   "cve_ids": [
    "CVE-2008-2551",
    "CVE-2010-0188",
    "CVE-2010-0840",
    "CVE-2010-1297",
    "CVE-2010-2568",
    "CVE-2010-3336",
    "CVE-2010-3653",
    "CVE-2011-0097",
    "CVE-2012-0056",
    "CVE-2013-1493",
    "CVE-2013-2460",
    "CVE-2015-0072"
   ],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G0056",
   "canonical_name": "PROMETHIUM",
   "aliases": [
    "PROMETHIUM",
    "StrongPity",
    "G0056"
   ],
   "category": "state",
   "sponsor": {
    "country": "TR"
   },
   "cve_count": 12,
   "technique_count": 19,
   "idf_score": 42.762,
   "exclusive_cve_count": 0,
   "active_year_min": 2008,
   "active_year_max": 2022,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     7
    ],
    [
     "microsoft",
     5
    ],
    [
     "linux",
     3
    ],
    [
     "macos",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0056",
   "cve_ids": [
    "CVE-2008-2551",
    "CVE-2010-0188",
    "CVE-2010-0840",
    "CVE-2010-1297",
    "CVE-2010-2568",
    "CVE-2010-3336",
    "CVE-2010-3653",
    "CVE-2011-0097",
    "CVE-2012-0056",
    "CVE-2013-1493",
    "CVE-2013-2460",
    "CVE-2015-0072"
   ],
   "technique_ids": [
    "T1036",
    "T1078",
    "T1189",
    "T1204",
    "T1205",
    "T1543",
    "T1547",
    "T1553",
    "T1587"
   ],
   "subtechnique_ids": [
    "T1036.004",
    "T1036.005",
    "T1078.003",
    "T1204.002",
    "T1205.001",
    "T1543.003",
    "T1547.001",
    "T1553.002",
    "T1587.002",
    "T1587.003"
   ]
  },
  {
   "actor_id": "G0059",
   "canonical_name": "Magic Hound",
   "aliases": [
    "Magic Hound",
    "TA453",
    "COBALT ILLUSION",
    "Charming Kitten",
    "ITG18",
    "Phosphorus",
    "Newscaster",
    "APT35",
    "Mint Sandstorm",
    "Newscaster Team",
    "G0059",
    "TunnelVision",
    "COBALT MIRAGE",
    "Agent Serpens"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR",
    "agency": "IRGC"
   },
   "cve_count": 0,
   "technique_count": 109,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Targets European/U.S./Middle Eastern government and military personnel per MITRE ATT&CK description citing FireEye APT35 2018 and ClearSky Kittens Back 3 August 2020.",
     "source": "FireEye APT35 2018"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "Targets academics via social engineering campaigns per MITRE ATT&CK description citing Certfa Charming Kitten January 2021.",
     "source": "Certfa Charming Kitten January 2021"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Targets journalists via long-term espionage operations per MITRE ATT&CK description citing ClearSky Kittens Back 3 August 2020.",
     "source": "ClearSky Kittens Back 3 August 2020"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "Targets WHO (health organization) via complex social engineering per MITRE ATT&CK description citing Secureworks COBALT ILLUSION Threat Profile.",
     "source": "Secureworks COBALT ILLUSION Threat Profile"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0059",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1046",
    "T1047",
    "T1049",
    "T1053",
    "T1056",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1098",
    "T1102",
    "T1105",
    "T1112",
    "T1113",
    "T1114",
    "T1136",
    "T1189",
    "T1190",
    "T1204",
    "T1218",
    "T1482",
    "T1486",
    "T1505",
    "T1547",
    "T1560",
    "T1564",
    "T1566",
    "T1567",
    "T1570",
    "T1571",
    "T1572",
    "T1573",
    "T1583",
    "T1584",
    "T1585",
    "T1586",
    "T1588",
    "T1589",
    "T1590",
    "T1591",
    "T1592",
    "T1595",
    "T1598",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1016.001",
    "T1016.002",
    "T1021.001",
    "T1027.010",
    "T1027.013",
    "T1036.004",
    "T1036.005",
    "T1036.010",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1070.003",
    "T1070.004",
    "T1071.001",
    "T1078.001",
    "T1078.002",
    "T1087.003",
    "T1098.002",
    "T1098.007",
    "T1102.002",
    "T1114.001",
    "T1114.002",
    "T1136.001",
    "T1204.001",
    "T1204.002",
    "T1218.011",
    "T1505.003",
    "T1547.001",
    "T1560.001",
    "T1564.003",
    "T1566.002",
    "T1566.003",
    "T1583.001",
    "T1583.006",
    "T1584.001",
    "T1585.001",
    "T1585.002",
    "T1586.002",
    "T1588.002",
    "T1589.001",
    "T1589.002",
    "T1590.005",
    "T1591.001",
    "T1592.002",
    "T1595.002",
    "T1598.003",
    "T1685.001",
    "T1686.003"
   ]
  },
  {
   "actor_id": "G0060",
   "canonical_name": "BRONZE BUTLER",
   "aliases": [
    "BRONZE BUTLER",
    "REDBALDKNIGHT",
    "Tick",
    "Nian",
    "STALKER PANDA",
    "G0060",
    "Stalker Taurus",
    "PLA Unit 61419",
    "Swirl Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 58,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states BRONZE BUTLER primarily targets Japanese government organizations (Trend Micro Daserf Nov 2017).",
     "source": "Trend Micro Daserf Nov 2017"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK description states BRONZE BUTLER targets industrial chemistry and biotechnology organizations (Trend Micro Daserf Nov 2017).",
     "source": "Trend Micro Daserf Nov 2017"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK description states BRONZE BUTLER targets electronics manufacturing organizations (Secureworks BRONZE BUTLER Oct 2017).",
     "source": "Secureworks BRONZE BUTLER Oct 2017"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0060",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1018",
    "T1027",
    "T1036",
    "T1039",
    "T1053",
    "T1059",
    "T1070",
    "T1071",
    "T1080",
    "T1083",
    "T1087",
    "T1102",
    "T1105",
    "T1113",
    "T1124",
    "T1132",
    "T1140",
    "T1189",
    "T1203",
    "T1204",
    "T1518",
    "T1547",
    "T1548",
    "T1550",
    "T1560",
    "T1566",
    "T1573",
    "T1574",
    "T1588",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1027.001",
    "T1027.003",
    "T1036.002",
    "T1036.005",
    "T1053.002",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1070.004",
    "T1071.001",
    "T1087.002",
    "T1102.001",
    "T1132.001",
    "T1204.002",
    "T1547.001",
    "T1548.002",
    "T1550.003",
    "T1560.001",
    "T1566.001",
    "T1573.001",
    "T1574.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0061",
   "canonical_name": "FIN8",
   "aliases": [
    "FIN8",
    "Syssphinx",
    "ATK113",
    "G0061"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 56,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "44",
     "label": "Retail Trade",
     "evidence": "MITRE ATT&CK description states FIN8 targets retail sector (FireEye Fin8 May 2016).",
     "source": "FireEye Fin8 May 2016"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK description states FIN8 targets financial sector (FireEye Fin8 May 2016).",
     "source": "FireEye Fin8 May 2016"
    },
    {
     "naics": "524",
     "label": "Insurance Carriers & Related Activities",
     "evidence": "MITRE ATT&CK description states FIN8 targets insurance sector (FireEye Fin8 May 2016).",
     "source": "FireEye Fin8 May 2016"
    },
    {
     "naics": "71",
     "label": "Arts, Entertainment & Recreation",
     "evidence": "MITRE ATT&CK description states FIN8 targets entertainment sector (FireEye Fin8 May 2016).",
     "source": "FireEye Fin8 May 2016"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "MITRE ATT&CK description states FIN8 targets hospitality sector (FireEye Fin8 May 2016).",
     "source": "FireEye Fin8 May 2016"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK description states FIN8 targets chemical sector (Bitdefender Sardonic Aug 2021).",
     "source": "Bitdefender Sardonic Aug 2021"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK description states FIN8 targets technology sector (Symantec FIN8 Jul 2023).",
     "source": "Symantec FIN8 Jul 2023"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0061",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1047",
    "T1048",
    "T1053",
    "T1055",
    "T1059",
    "T1068",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1082",
    "T1102",
    "T1105",
    "T1112",
    "T1134",
    "T1204",
    "T1482",
    "T1486",
    "T1518",
    "T1546",
    "T1560",
    "T1566",
    "T1573",
    "T1588",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1016.001",
    "T1021.001",
    "T1021.002",
    "T1027.010",
    "T1048.003",
    "T1053.005",
    "T1055.004",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1071.001",
    "T1074.002",
    "T1134.001",
    "T1204.001",
    "T1204.002",
    "T1518.001",
    "T1546.003",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1573.002",
    "T1588.002",
    "T1588.003",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0062",
   "canonical_name": "TA459",
   "aliases": [
    "TA459",
    "G0062"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 8,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0062",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1203",
    "T1204",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1059.001",
    "T1059.005",
    "T1204.002",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0063",
   "canonical_name": "BlackOasis",
   "aliases": [
    "BlackOasis",
    "G0063"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 1,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0063",
   "cve_ids": [],
   "technique_ids": [
    "T1027"
   ],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G0064",
   "canonical_name": "APT33",
   "aliases": [
    "APT33",
    "HOLMIUM",
    "Elfin",
    "Peach Sandstorm",
    "APT 33",
    "MAGNALLIUM",
    "Refined Kitten",
    "COBALT TRINITY",
    "G0064",
    "ATK35",
    "TA451"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR",
    "agency": "IRGC"
   },
   "cve_count": 0,
   "technique_count": 47,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "MITRE ATT&CK states particular interest in aviation sector citing FireEye APT33 Sept 2017 and FireEye APT33 Webinar Sept 2017.",
     "source": "FireEye APT33 Sept 2017"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK states particular interest in energy sector citing FireEye APT33 Sept 2017 and FireEye APT33 Webinar Sept 2017.",
     "source": "FireEye APT33 Sept 2017"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0064",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1027",
    "T1040",
    "T1048",
    "T1053",
    "T1059",
    "T1068",
    "T1071",
    "T1078",
    "T1105",
    "T1110",
    "T1132",
    "T1203",
    "T1204",
    "T1546",
    "T1547",
    "T1552",
    "T1555",
    "T1560",
    "T1566",
    "T1571",
    "T1573",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.004",
    "T1003.005",
    "T1027.013",
    "T1048.003",
    "T1053.005",
    "T1059.001",
    "T1059.005",
    "T1071.001",
    "T1078.004",
    "T1110.003",
    "T1132.001",
    "T1204.001",
    "T1204.002",
    "T1546.003",
    "T1547.001",
    "T1552.001",
    "T1552.006",
    "T1555.003",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1573.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0065",
   "canonical_name": "Leviathan",
   "aliases": [
    "Leviathan",
    "MUDCARP",
    "Kryptonite Panda",
    "Gadolinium",
    "BRONZE MOHAWK",
    "TEMP.Jumper",
    "APT40",
    "TEMP.Periscope",
    "Gingham Typhoon",
    "G0065",
    "ATK29",
    "TA423",
    "Red Ladon",
    "ITG09",
    "ISLANDDREAMS"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "MSS",
    "unit": "Hainan Bureau"
   },
   "cve_count": 3,
   "technique_count": 73,
   "idf_score": 5.668,
   "exclusive_cve_count": 0,
   "active_year_min": 2017,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states Leviathan targeted academia (CISA AA21-200A APT40 July 2021).",
     "source": "CISA AA21-200A APT40 July 2021"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK description states Leviathan targeted aerospace/aviation (FireEye Periscope March 2018).",
     "source": "FireEye Periscope March 2018"
    },
    {
     "naics": "3391",
     "label": "Medical Equipment & Supplies",
     "evidence": "MITRE ATT&CK description states Leviathan targeted biomedical (CISA AA21-200A APT40 July 2021).",
     "source": "CISA AA21-200A APT40 July 2021"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Leviathan targeted defense industrial base (CISA AA21-200A APT40 July 2021).",
     "source": "CISA AA21-200A APT40 July 2021"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states Leviathan targeted government (Proofpoint Leviathan Oct 2017).",
     "source": "Proofpoint Leviathan Oct 2017"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK description states Leviathan targeted healthcare (CISA AA21-200A APT40 July 2021).",
     "source": "CISA AA21-200A APT40 July 2021"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK description states Leviathan targeted manufacturing (CISA Leviathan 2024).",
     "source": "CISA Leviathan 2024"
    },
    {
     "naics": "483",
     "label": "Water Transportation",
     "evidence": "MITRE ATT&CK description states Leviathan targeted maritime (FireEye APT40 March 2019).",
     "source": "FireEye APT40 March 2019"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "MITRE ATT&CK description states Leviathan targeted transportation (CISA AA21-200A APT40 July 2021).",
     "source": "CISA AA21-200A APT40 July 2021"
    },
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0065",
   "cve_ids": [
    "CVE-2017-6328",
    "CVE-2020-6789",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1021",
    "T1027",
    "T1041",
    "T1047",
    "T1055",
    "T1059",
    "T1074",
    "T1078",
    "T1090",
    "T1102",
    "T1105",
    "T1133",
    "T1140",
    "T1189",
    "T1190",
    "T1197",
    "T1203",
    "T1204",
    "T1218",
    "T1505",
    "T1534",
    "T1546",
    "T1547",
    "T1553",
    "T1559",
    "T1560",
    "T1566",
    "T1567",
    "T1572",
    "T1583",
    "T1584",
    "T1585",
    "T1586",
    "T1587",
    "T1589",
    "T1595"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.004",
    "T1027.001",
    "T1027.003",
    "T1027.013",
    "T1027.015",
    "T1055.001",
    "T1059.001",
    "T1059.005",
    "T1074.001",
    "T1074.002",
    "T1090.003",
    "T1102.003",
    "T1204.001",
    "T1204.002",
    "T1218.010",
    "T1505.003",
    "T1546.003",
    "T1547.001",
    "T1547.009",
    "T1553.002",
    "T1559.002",
    "T1566.001",
    "T1566.002",
    "T1567.002",
    "T1583.001",
    "T1584.004",
    "T1584.008",
    "T1585.001",
    "T1585.002",
    "T1586.001",
    "T1586.002",
    "T1587.004",
    "T1589.001",
    "T1595.002"
   ]
  },
  {
   "actor_id": "G0066",
   "canonical_name": "Elderwood",
   "aliases": [
    "Elderwood",
    "Elderwood Gang",
    "Beijing Group",
    "Sneaky Panda",
    "SIG22",
    "G0066"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 12,
   "idf_score": 3.597,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK notes targeting of supply chain manufacturers (Symantec Elderwood Sept 2012).",
     "source": "Symantec Elderwood Sept 2012"
    },
    {
     "naics": "518",
     "label": "Computing Infrastructure Providers, Data Processing & Hosting",
     "evidence": "MITRE ATT&CK notes targeting of IT service providers (Symantec Elderwood Sept 2012).",
     "source": "Symantec Elderwood Sept 2012"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK notes targeting of defense organizations (Symantec Elderwood Sept 2012).",
     "source": "Symantec Elderwood Sept 2012"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [
    [
     "other",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0066",
   "cve_ids": [
    "CVE-2026-8732"
   ],
   "technique_ids": [
    "T1027",
    "T1105",
    "T1189",
    "T1203",
    "T1204",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1027.013",
    "T1204.001",
    "T1204.002",
    "T1566.001",
    "T1566.002"
   ]
  },
  {
   "actor_id": "G0067",
   "canonical_name": "APT37",
   "aliases": [
    "APT37",
    "InkySquid",
    "ScarCruft",
    "Reaper",
    "Group123",
    "TEMP.Reaper",
    "Ricochet Chollima",
    "APT 37",
    "Group 123",
    "Operation Daybreak",
    "Operation Erebus",
    "Reaper Group",
    "Red Eyes",
    "Venus 121",
    "ATK4",
    "G0067",
    "Moldy Pisces",
    "APT-C-28"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP"
   },
   "cve_count": 4,
   "technique_count": 40,
   "idf_score": 17.162,
   "exclusive_cve_count": 4,
   "active_year_min": 2014,
   "active_year_max": 2016,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ],
    [
     "microsoft",
     2
    ],
    [
     "other",
     1
    ],
    [
     "mobile",
     1
    ],
    [
     "macos",
     1
    ],
    [
     "linux",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0067",
   "cve_ids": [
    "CVE-2013-0808",
    "CVE-2013-4979",
    "CVE-2015-3105",
    "CVE-2016-0147"
   ],
   "technique_ids": [
    "T1005",
    "T1027",
    "T1033",
    "T1036",
    "T1053",
    "T1055",
    "T1057",
    "T1059",
    "T1071",
    "T1082",
    "T1102",
    "T1105",
    "T1106",
    "T1120",
    "T1123",
    "T1189",
    "T1203",
    "T1204",
    "T1529",
    "T1547",
    "T1548",
    "T1555",
    "T1559",
    "T1561",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1027.003",
    "T1036.001",
    "T1053.005",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1071.001",
    "T1102.002",
    "T1204.002",
    "T1547.001",
    "T1548.002",
    "T1555.003",
    "T1559.002",
    "T1561.002",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0068",
   "canonical_name": "PLATINUM",
   "aliases": [
    "PLATINUM",
    "TwoForOne",
    "G0068",
    "ATK33"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 15,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK profile states PLATINUM focused on targets associated with governments and related organizations (Microsoft PLATINUM April 2016).",
     "source": "Microsoft PLATINUM April 2016"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0068",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1036",
    "T1055",
    "T1056",
    "T1068",
    "T1095",
    "T1105",
    "T1189",
    "T1204",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1056.001",
    "T1056.004",
    "T1204.002",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0069",
   "canonical_name": "MuddyWater",
   "aliases": [
    "MuddyWater",
    "Earth Vetala",
    "MERCURY",
    "Static Kitten",
    "Seedworm",
    "TEMP.Zagros",
    "Mango Sandstorm",
    "TA450",
    "MuddyKrill",
    "COBALT ULSTER",
    "G0069",
    "ATK51",
    "Boggy Serpens"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR",
    "agency": "MOIS"
   },
   "cve_count": 2,
   "technique_count": 94,
   "idf_score": 6.971,
   "exclusive_cve_count": 1,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK G0069 states MuddyWater targeted telecommunications organizations (citing Unit 42 MuddyWater Nov 2017).",
     "source": "Unit 42 MuddyWater Nov 2017"
    },
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK G0069 states MuddyWater targeted local government organizations (citing DHS CISA AA22-055A).",
     "source": "DHS CISA AA22-055A MuddyWater February 2022"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK G0069 states MuddyWater targeted finance organizations (citing ClearSky MuddyWater Nov 2018).",
     "source": "ClearSky MuddyWater Nov 2018"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK G0069 states MuddyWater targeted defense organizations (citing CYBERCOM Iranian Intel Cyber January 2022).",
     "source": "CYBERCOM Iranian Intel Cyber January 2022"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK G0069 states MuddyWater targeted oil and natural gas organizations (citing Talos MuddyWater Jan 2022).",
     "source": "Talos MuddyWater Jan 2022"
    },
    {
     "naics": "2212",
     "label": "Natural Gas Distribution",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "other",
     1
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0069",
   "cve_ids": [
    "CVE-2017-01995",
    "CVE-2026-22813"
   ],
   "technique_ids": [
    "T1003",
    "T1016",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1047",
    "T1049",
    "T1053",
    "T1057",
    "T1059",
    "T1071",
    "T1074",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1102",
    "T1104",
    "T1105",
    "T1113",
    "T1132",
    "T1137",
    "T1140",
    "T1190",
    "T1203",
    "T1204",
    "T1210",
    "T1218",
    "T1219",
    "T1518",
    "T1534",
    "T1547",
    "T1548",
    "T1552",
    "T1555",
    "T1559",
    "T1560",
    "T1566",
    "T1567",
    "T1571",
    "T1573",
    "T1574",
    "T1583",
    "T1588",
    "T1590",
    "T1684",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.004",
    "T1003.005",
    "T1027.003",
    "T1027.004",
    "T1027.010",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1059.007",
    "T1071.001",
    "T1074.001",
    "T1087.002",
    "T1090.002",
    "T1102.002",
    "T1132.001",
    "T1137.001",
    "T1204.001",
    "T1204.002",
    "T1204.004",
    "T1218.003",
    "T1218.005",
    "T1218.011",
    "T1219.002",
    "T1518.001",
    "T1547.001",
    "T1548.002",
    "T1552.001",
    "T1555.003",
    "T1559.001",
    "T1559.002",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1567.002",
    "T1573.001",
    "T1574.001",
    "T1583.001",
    "T1583.006",
    "T1588.001",
    "T1588.002",
    "T1590.004",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G0070",
   "canonical_name": "Dark Caracal",
   "aliases": [
    "Dark Caracal",
    "G0070"
   ],
   "category": "state",
   "sponsor": {
    "country": "LB"
   },
   "cve_count": 0,
   "technique_count": 19,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0070",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1027",
    "T1059",
    "T1071",
    "T1083",
    "T1113",
    "T1189",
    "T1204",
    "T1218",
    "T1547",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1027.013",
    "T1059.003",
    "T1071.001",
    "T1204.002",
    "T1218.001",
    "T1547.001",
    "T1566.003"
   ]
  },
  {
   "actor_id": "G0071",
   "canonical_name": "Orangeworm",
   "aliases": [
    "Orangeworm"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 4,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK states Orangeworm targeted healthcare sector orgs in US/Europe/Asia since 2015 (Symantec Orangeworm April 2018).",
     "source": "Symantec Orangeworm April 2018"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0071",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1071"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1071.001"
   ]
  },
  {
   "actor_id": "G0073",
   "canonical_name": "APT19",
   "aliases": [
    "APT19",
    "Codoso",
    "C0d0so0",
    "Codoso Team",
    "Sunshop Group"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 3,
   "technique_count": 32,
   "idf_score": 8.712,
   "exclusive_cve_count": 1,
   "active_year_min": 2017,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK cites FireEye APT19 reporting APT19 targeting defense sector.",
     "source": "FireEye APT19"
    },
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "MITRE ATT&CK cites FireEye APT19 on 2017 phishing of seven investment firms.",
     "source": "FireEye APT19"
    },
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK description citing FireEye APT19 lists energy sector targeting.",
     "source": "FireEye APT19"
    },
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK cites FireEye APT19 reporting pharmaceutical industry targeting.",
     "source": "FireEye APT19"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK cites FireEye APT19 on telecommunications sector targeting.",
     "source": "FireEye APT19"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK cites FireEye APT19 listing high tech industry targeting.",
     "source": "FireEye APT19"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK cites FireEye APT19 reporting education sector targeting.",
     "source": "FireEye APT19"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK cites FireEye APT19 listing manufacturing industry targeting.",
     "source": "FireEye APT19"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK cites FireEye APT19 on 2017 phishing of seven law firms.",
     "source": "FireEye APT19"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "3391",
     "label": "Medical Equipment & Supplies",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     3
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0073",
   "cve_ids": [
    "CVE-2017-1099",
    "CVE-2017-6328",
    "CVE-2020-6789"
   ],
   "technique_ids": [
    "T1016",
    "T1027",
    "T1033",
    "T1059",
    "T1071",
    "T1082",
    "T1112",
    "T1132",
    "T1140",
    "T1189",
    "T1204",
    "T1218",
    "T1543",
    "T1547",
    "T1564",
    "T1566",
    "T1574",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1027.010",
    "T1027.013",
    "T1059.001",
    "T1071.001",
    "T1132.001",
    "T1204.002",
    "T1218.010",
    "T1218.011",
    "T1543.003",
    "T1547.001",
    "T1564.003",
    "T1566.001",
    "T1574.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0075",
   "canonical_name": "Rancor",
   "aliases": [
    "Rancor",
    "Rancor group",
    "G0075",
    "Rancor Taurus"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 16,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0075",
   "cve_ids": [],
   "technique_ids": [
    "T1053",
    "T1059",
    "T1071",
    "T1105",
    "T1204",
    "T1218",
    "T1546",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1053.005",
    "T1059.003",
    "T1059.005",
    "T1071.001",
    "T1204.002",
    "T1218.007",
    "T1546.003",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0076",
   "canonical_name": "Thrip",
   "aliases": [
    "Thrip",
    "G0076",
    "ATK78"
   ],
   "category": "state",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 8,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Symantec Thrip June 2018 reports Thrip targeted satellite communications and telecoms companies.",
     "source": "Symantec Thrip June 2018"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "Symantec Thrip June 2018 reports Thrip targeted defense contractor companies.",
     "source": "Symantec Thrip June 2018"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0076",
   "cve_ids": [],
   "technique_ids": [
    "T1048",
    "T1059",
    "T1219",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1048.003",
    "T1059.001",
    "T1219.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0077",
   "canonical_name": "Leafminer",
   "aliases": [
    "Leafminer",
    "Raspite"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 26,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0077",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1018",
    "T1027",
    "T1046",
    "T1055",
    "T1059",
    "T1083",
    "T1110",
    "T1114",
    "T1136",
    "T1189",
    "T1552",
    "T1555",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.004",
    "T1003.005",
    "T1027.010",
    "T1055.013",
    "T1059.007",
    "T1110.003",
    "T1114.002",
    "T1136.001",
    "T1552.001",
    "T1555.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0078",
   "canonical_name": "Gorgon Group",
   "aliases": [
    "Gorgon Group",
    "The Gorgon Group",
    "Subaat",
    "ATK92",
    "G0078",
    "Pasty Gemini"
   ],
   "category": "state",
   "sponsor": {
    "country": "PK"
   },
   "cve_count": 0,
   "technique_count": 23,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description (citing Unit 42 Gorgon Group Aug 2018) states campaigns against government organizations in UK, Spain, Russia and US.",
     "source": "Unit 42 Gorgon Group Aug 2018"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0078",
   "cve_ids": [],
   "technique_ids": [
    "T1055",
    "T1059",
    "T1105",
    "T1106",
    "T1112",
    "T1140",
    "T1204",
    "T1547",
    "T1564",
    "T1566",
    "T1588",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1055.002",
    "T1055.012",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1204.002",
    "T1547.001",
    "T1547.009",
    "T1564.003",
    "T1566.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0079",
   "canonical_name": "DarkHydrus",
   "aliases": [
    "DarkHydrus",
    "LazyMeerkat",
    "G0079",
    "Obscure Serpens"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 12,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states DarkHydrus targeted educational institutions in the Middle East (Unit 42 DarkHydrus July 2018).",
     "source": "Unit 42 DarkHydrus July 2018"
    },
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states DarkHydrus targeted government agencies in the Middle East (Unit 42 DarkHydrus July 2018).",
     "source": "Unit 42 DarkHydrus July 2018"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0079",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1187",
    "T1204",
    "T1221",
    "T1564",
    "T1566",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1059.001",
    "T1204.002",
    "T1564.003",
    "T1566.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0080",
   "canonical_name": "Cobalt Group",
   "aliases": [
    "Cobalt Group",
    "GOLD KINGSWOOD",
    "Cobalt Gang",
    "Cobalt Spider",
    "Cobalt",
    "G0080",
    "Mule Libra"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 52,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "MITRE ATT&CK profile states Cobalt Group has primarily targeted banks/financial institutions since 2016 to steal funds via ATM, SWIFT and payment systems (Group IB Cobalt Aug 2017; Proofpoint Cobalt June 2017).",
     "source": "Group IB Cobalt Aug 2017"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0080",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1027",
    "T1037",
    "T1046",
    "T1053",
    "T1055",
    "T1059",
    "T1068",
    "T1070",
    "T1071",
    "T1105",
    "T1195",
    "T1203",
    "T1204",
    "T1218",
    "T1219",
    "T1220",
    "T1518",
    "T1543",
    "T1547",
    "T1548",
    "T1559",
    "T1566",
    "T1572",
    "T1573",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1027.010",
    "T1037.001",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1070.004",
    "T1071.001",
    "T1071.004",
    "T1195.002",
    "T1204.001",
    "T1204.002",
    "T1218.003",
    "T1218.008",
    "T1218.010",
    "T1518.001",
    "T1543.003",
    "T1547.001",
    "T1548.002",
    "T1559.002",
    "T1566.001",
    "T1566.002",
    "T1573.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0081",
   "canonical_name": "Tropic Trooper",
   "aliases": [
    "Tropic Trooper",
    "Pirate Panda",
    "KeyBoy",
    "APT23",
    "BRONZE HOBART",
    "G0081",
    "Red Orthrus",
    "Earth Centaur"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 56,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK G0081 states Tropic Trooper targets government alongside healthcare, transportation and high-tech.",
     "source": "TrendMicro Tropic Trooper Mar 2018"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK G0081 states Tropic Trooper targets healthcare alongside government, transportation and high-tech.",
     "source": "TrendMicro Tropic Trooper Mar 2018"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "MITRE ATT&CK G0081 states Tropic Trooper targets transportation alongside government, healthcare and high-tech.",
     "source": "TrendMicro Tropic Trooper Mar 2018"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK G0081 states Tropic Trooper targets high-tech industries alongside government, healthcare and transportation.",
     "source": "TrendMicro Tropic Trooper Mar 2018"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0081",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1016",
    "T1020",
    "T1027",
    "T1033",
    "T1036",
    "T1046",
    "T1049",
    "T1052",
    "T1055",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1078",
    "T1082",
    "T1083",
    "T1091",
    "T1105",
    "T1106",
    "T1119",
    "T1132",
    "T1135",
    "T1140",
    "T1203",
    "T1204",
    "T1221",
    "T1505",
    "T1518",
    "T1543",
    "T1547",
    "T1564",
    "T1566",
    "T1573",
    "T1574",
    "T1680"
   ],
   "subtechnique_ids": [
    "T1027.003",
    "T1027.013",
    "T1036.005",
    "T1052.001",
    "T1055.001",
    "T1059.003",
    "T1070.004",
    "T1071.001",
    "T1071.004",
    "T1078.003",
    "T1132.001",
    "T1204.002",
    "T1505.003",
    "T1518.001",
    "T1543.003",
    "T1547.001",
    "T1547.004",
    "T1564.001",
    "T1566.001",
    "T1573.002",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G0082",
   "canonical_name": "APT38",
   "aliases": [
    "APT38",
    "NICKEL GLADSTONE",
    "BeagleBoyz",
    "Bluenoroff",
    "Stardust Chollima",
    "Sapphire Sleet",
    "COPERNICIUM"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP",
    "agency": "RGB"
   },
   "cve_count": 2,
   "technique_count": 77,
   "idf_score": 5.536,
   "exclusive_cve_count": 1,
   "active_year_min": 2016,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "APT38 targeted banks and financial institutions including Bancomext and Banco de Chile (FireEye APT38 Oct 2018; CISA AA20-239A BeagleBoyz August 2020).",
     "source": "FireEye APT38 Oct 2018"
    },
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "APT38 targeted cryptocurrency exchanges as part of financial operations (MITRE ATT&CK description citing multiple reports).",
     "source": "MITRE ATT&CK"
    },
    {
     "naics": "71",
     "label": "Arts, Entertainment & Recreation",
     "evidence": "APT38 targeted casinos alongside banks and cryptocurrency exchanges (MITRE ATT&CK description).",
     "source": "MITRE ATT&CK"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 3,
   "top_product_categories": [
    [
     "microsoft",
     2
    ],
    [
     "macos",
     1
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0082",
   "cve_ids": [
    "CVE-2016-4119",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1005",
    "T1027",
    "T1033",
    "T1036",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1082",
    "T1083",
    "T1105",
    "T1106",
    "T1110",
    "T1112",
    "T1115",
    "T1135",
    "T1140",
    "T1189",
    "T1204",
    "T1217",
    "T1218",
    "T1480",
    "T1485",
    "T1486",
    "T1505",
    "T1518",
    "T1529",
    "T1543",
    "T1548",
    "T1553",
    "T1561",
    "T1565",
    "T1566",
    "T1569",
    "T1583",
    "T1588",
    "T1685",
    "T1686",
    "T1690"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1036.003",
    "T1036.006",
    "T1053.003",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1204.001",
    "T1204.002",
    "T1218.001",
    "T1218.005",
    "T1218.007",
    "T1218.011",
    "T1480.002",
    "T1505.003",
    "T1518.001",
    "T1543.003",
    "T1548.002",
    "T1553.005",
    "T1561.002",
    "T1565.001",
    "T1565.002",
    "T1565.003",
    "T1566.001",
    "T1569.002",
    "T1583.001",
    "T1588.002",
    "T1685.005",
    "T1686.002"
   ]
  },
  {
   "actor_id": "G0083",
   "canonical_name": "SilverTerrier",
   "aliases": [
    "SilverTerrier"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 5,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK description states SilverTerrier mainly targets manufacturing, citing Unit42 SilverTerrier 2018.",
     "source": "Unit42 SilverTerrier 2018"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states SilverTerrier mainly targets higher education, citing Unit42 SilverTerrier 2018.",
     "source": "Unit42 SilverTerrier 2018"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK description states SilverTerrier mainly targets high technology, citing Unit42 SilverTerrier 2018.",
     "source": "Unit42 SilverTerrier 2018"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0083",
   "cve_ids": [],
   "technique_ids": [
    "T1071",
    "T1657"
   ],
   "subtechnique_ids": [
    "T1071.001",
    "T1071.002",
    "T1071.003"
   ]
  },
  {
   "actor_id": "G0084",
   "canonical_name": "Gallmaker",
   "aliases": [
    "Gallmaker"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 11,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK profile states Gallmaker targeted defense, military and government sectors (citing Symantec Gallmaker Oct 2018).",
     "source": "Symantec Gallmaker Oct 2018"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0084",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1204",
    "T1559",
    "T1560",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1059.001",
    "T1204.002",
    "T1559.002",
    "T1560.001",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0085",
   "canonical_name": "FIN4",
   "aliases": [
    "FIN4",
    "WOLF SPIDER",
    "G0085"
   ],
   "category": "state",
   "sponsor": {
    "country": "RO"
   },
   "cve_count": 0,
   "technique_count": 20,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "325",
     "label": "Chemical Manufacturing",
     "evidence": "MITRE ATT&CK and FireEye FIN4 Stealing Insider NOV 2014 report FIN4 targeting confidential info on pharmaceutical companies.",
     "source": "FireEye FIN4 Stealing Insider NOV 2014"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK and FireEye Hacking FIN4 Dec 2014 report FIN4 targeting confidential info on healthcare companies.",
     "source": "FireEye Hacking FIN4 Dec 2014"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "3391",
     "label": "Medical Equipment & Supplies",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0085",
   "cve_ids": [],
   "technique_ids": [
    "T1056",
    "T1059",
    "T1071",
    "T1078",
    "T1090",
    "T1114",
    "T1204",
    "T1564",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1056.001",
    "T1056.002",
    "T1059.005",
    "T1071.001",
    "T1090.003",
    "T1114.002",
    "T1204.001",
    "T1204.002",
    "T1564.008",
    "T1566.001",
    "T1566.002"
   ]
  },
  {
   "actor_id": "G0087",
   "canonical_name": "APT39",
   "aliases": [
    "APT39",
    "ITG07",
    "Chafer",
    "Remix Kitten",
    "COBALT HICKMAN",
    "G0087",
    "Radio Serpens",
    "TA454",
    "Burgundy Sandstorm"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 72,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "FireEye APT39 Jan 2019 states APT39 targeted travel industry to track individuals of interest to MOIS.",
     "source": "FireEye APT39 Jan 2019"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "FireEye APT39 Jan 2019 states APT39 targeted hospitality industry to track individuals of interest to MOIS.",
     "source": "FireEye APT39 Jan 2019"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "FireEye APT39 Jan 2019 states APT39 targeted academic industry to track individuals of interest to MOIS.",
     "source": "FireEye APT39 Jan 2019"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "FireEye APT39 Jan 2019 states APT39 targeted telecommunications industry to track individuals of interest to MOIS.",
     "source": "FireEye APT39 Jan 2019"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0087",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1012",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1046",
    "T1053",
    "T1056",
    "T1059",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1083",
    "T1090",
    "T1102",
    "T1105",
    "T1110",
    "T1113",
    "T1115",
    "T1135",
    "T1136",
    "T1140",
    "T1190",
    "T1197",
    "T1204",
    "T1505",
    "T1546",
    "T1547",
    "T1553",
    "T1555",
    "T1560",
    "T1566",
    "T1569",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.002",
    "T1021.004",
    "T1027.002",
    "T1027.013",
    "T1036.005",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.005",
    "T1059.006",
    "T1059.010",
    "T1070.004",
    "T1071.001",
    "T1071.004",
    "T1074.001",
    "T1090.001",
    "T1090.002",
    "T1102.002",
    "T1136.001",
    "T1204.001",
    "T1204.002",
    "T1505.003",
    "T1546.010",
    "T1547.001",
    "T1547.009",
    "T1553.006",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1569.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0088",
   "canonical_name": "TEMP.Veles",
   "aliases": [
    "TEMP.Veles",
    "XENOTIME",
    "G0088",
    "ATK91"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "FireEye TEMP.Veles 2018 and Dragos Xenotime 2018 report XENOTIME/TRITON targeting oil-and-gas ICS safety systems at petrochemical facilities.",
     "source": "FireEye TEMP.Veles 2018"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0088",
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G0089",
   "canonical_name": "The White Company",
   "aliases": [
    "The White Company"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 12,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Cylance Shaheen Nov 2018 reports Operation Shaheen targeting government and military organizations in Pakistan.",
     "source": "Cylance Shaheen Nov 2018"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0089",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1070",
    "T1124",
    "T1203",
    "T1204",
    "T1518",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1070.004",
    "T1204.002",
    "T1518.001",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0090",
   "canonical_name": "WIRTE",
   "aliases": [
    "WIRTE",
    "Ashen Lepus"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 42,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK states WIRTE targeted diplomatic organizations to gather intelligence (Lab52 WIRTE Apr 2019).",
     "source": "MITRE ATT&CK WIRTE"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "MITRE ATT&CK states WIRTE targeted financial organizations to gather intelligence (Kaspersky WIRTE November 2021).",
     "source": "MITRE ATT&CK WIRTE"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states WIRTE targeted military organizations to gather intelligence (Check Point Wirte NOV 2024).",
     "source": "MITRE ATT&CK WIRTE"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK states WIRTE targeted legal organizations to gather intelligence (Palo Alto Ashen Lepus DEC 2025).",
     "source": "MITRE ATT&CK WIRTE"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK states WIRTE targeted technology organizations to gather intelligence (Lab52 WIRTE Apr 2019).",
     "source": "MITRE ATT&CK WIRTE"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0090",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1041",
    "T1059",
    "T1071",
    "T1074",
    "T1105",
    "T1106",
    "T1114",
    "T1140",
    "T1204",
    "T1218",
    "T1497",
    "T1566",
    "T1571",
    "T1574",
    "T1583",
    "T1586",
    "T1588",
    "T1608",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1027.010",
    "T1027.015",
    "T1036.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1071.001",
    "T1074.001",
    "T1114.001",
    "T1204.001",
    "T1204.002",
    "T1218.010",
    "T1497.001",
    "T1566.001",
    "T1566.002",
    "T1574.001",
    "T1583.001",
    "T1586.002",
    "T1588.002",
    "T1608.001",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G0091",
   "canonical_name": "Silence",
   "aliases": [
    "Silence",
    "Whisper Spider"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 43,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "521",
     "label": "Monetary Authorities \u2014 Central Bank",
     "evidence": "Compromised Russian Central Bank's Automated Workstation Client (Cyber Forensicator Silence Jan 2019; SecureList Silence Nov 2017).",
     "source": "Cyber Forensicator Silence Jan 2019"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "Targeted banks via ATMs and card processing systems in multiple countries (SecureList Silence Nov 2017).",
     "source": "SecureList Silence Nov 2017"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0091",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1018",
    "T1021",
    "T1027",
    "T1036",
    "T1053",
    "T1055",
    "T1059",
    "T1070",
    "T1072",
    "T1078",
    "T1090",
    "T1105",
    "T1106",
    "T1112",
    "T1113",
    "T1125",
    "T1204",
    "T1218",
    "T1547",
    "T1553",
    "T1566",
    "T1569",
    "T1571",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1027.010",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1070.004",
    "T1090.002",
    "T1204.002",
    "T1218.001",
    "T1547.001",
    "T1553.002",
    "T1566.001",
    "T1569.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0092",
   "canonical_name": "TA505",
   "aliases": [
    "TA505",
    "Hive0065",
    "Spandex Tempest",
    "CHIMBORAZO"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 51,
   "idf_score": 3.192,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0092",
   "cve_ids": [
    "CVE-2026-21236"
   ],
   "technique_ids": [
    "T1027",
    "T1055",
    "T1059",
    "T1069",
    "T1071",
    "T1078",
    "T1087",
    "T1105",
    "T1106",
    "T1112",
    "T1140",
    "T1204",
    "T1218",
    "T1486",
    "T1552",
    "T1553",
    "T1555",
    "T1559",
    "T1566",
    "T1568",
    "T1583",
    "T1588",
    "T1608",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1027.010",
    "T1027.013",
    "T1055.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1071.001",
    "T1078.002",
    "T1087.003",
    "T1204.001",
    "T1204.002",
    "T1218.007",
    "T1218.011",
    "T1552.001",
    "T1553.002",
    "T1553.005",
    "T1555.003",
    "T1559.002",
    "T1566.001",
    "T1566.002",
    "T1568.001",
    "T1583.001",
    "T1588.001",
    "T1588.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G0093",
   "canonical_name": "GALLIUM",
   "aliases": [
    "GALLIUM",
    "Granite Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 45,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Targets telecommunications providers via Operation Soft Cell (Cybereason Soft Cell June 2019).",
     "source": "Cybereason Soft Cell June 2019"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "Primarily targets financial institutions (MITRE ATT&CK GALLIUM description).",
     "source": "Microsoft GALLIUM December 2019"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Primarily targets government entities (MITRE ATT&CK GALLIUM description).",
     "source": "Microsoft GALLIUM December 2019"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0093",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1018",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1047",
    "T1049",
    "T1053",
    "T1059",
    "T1074",
    "T1078",
    "T1090",
    "T1105",
    "T1133",
    "T1136",
    "T1190",
    "T1505",
    "T1550",
    "T1553",
    "T1560",
    "T1570",
    "T1574",
    "T1583",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1027.002",
    "T1027.005",
    "T1036.003",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1074.001",
    "T1090.002",
    "T1136.002",
    "T1505.003",
    "T1550.002",
    "T1553.002",
    "T1560.001",
    "T1574.001",
    "T1583.004",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0094",
   "canonical_name": "Kimsuky",
   "aliases": [
    "Kimsuky",
    "Black Banshee",
    "Velvet Chollima",
    "Emerald Sleet",
    "THALLIUM",
    "APT43",
    "TA427",
    "Springtail",
    "Earth Kumiho",
    "PatheticSlug"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP",
    "agency": "RGB"
   },
   "cve_count": 3,
   "technique_count": 171,
   "idf_score": 10.569,
   "exclusive_cve_count": 1,
   "active_year_min": 2025,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK and CISA AA20-301A Kimsuky report Kimsuky initially targeted South Korean government agencies and later expanded to government organizations in multiple countries.",
     "source": "CISA AA20-301A Kimsuky"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states Kimsuky expanded operations to organizations in the education sector across the US, Japan, Russia and Europe.",
     "source": "CISA AA20-301A Kimsuky"
    },
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "Kimsuky assessed responsible for 2014 Korea Hydro & Nuclear Power Co. compromise per MITRE ATT&CK citing multiple reports.",
     "source": "Netscout Stolen Pencil Dec 2018"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK notes Kimsuky operations expanded to include organizations in the manufacturing sector.",
     "source": "CISA AA20-301A Kimsuky"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 2,
   "top_product_categories": [
    [
     "application",
     2
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0094",
   "cve_ids": [
    "CVE-2025-12562",
    "CVE-2025-49706",
    "CVE-2026-22813"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1012",
    "T1016",
    "T1020",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1040",
    "T1041",
    "T1053",
    "T1055",
    "T1056",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1082",
    "T1083",
    "T1098",
    "T1102",
    "T1105",
    "T1106",
    "T1111",
    "T1112",
    "T1113",
    "T1114",
    "T1115",
    "T1124",
    "T1132",
    "T1133",
    "T1136",
    "T1140",
    "T1176",
    "T1185",
    "T1190",
    "T1204",
    "T1205",
    "T1217",
    "T1218",
    "T1219",
    "T1480",
    "T1489",
    "T1497",
    "T1505",
    "T1518",
    "T1534",
    "T1539",
    "T1543",
    "T1546",
    "T1547",
    "T1550",
    "T1552",
    "T1553",
    "T1555",
    "T1557",
    "T1559",
    "T1560",
    "T1564",
    "T1566",
    "T1567",
    "T1568",
    "T1583",
    "T1584",
    "T1585",
    "T1586",
    "T1587",
    "T1588",
    "T1589",
    "T1591",
    "T1593",
    "T1594",
    "T1596",
    "T1598",
    "T1608",
    "T1620",
    "T1657",
    "T1678",
    "T1680",
    "T1682",
    "T1684",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1027.001",
    "T1027.002",
    "T1027.007",
    "T1027.010",
    "T1027.012",
    "T1027.013",
    "T1027.015",
    "T1027.016",
    "T1036.004",
    "T1036.005",
    "T1036.007",
    "T1053.005",
    "T1055.001",
    "T1055.012",
    "T1056.001",
    "T1056.003",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1059.007",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1071.002",
    "T1071.003",
    "T1074.001",
    "T1078.003",
    "T1098.007",
    "T1102.001",
    "T1102.002",
    "T1114.002",
    "T1114.003",
    "T1132.002",
    "T1136.001",
    "T1176.001",
    "T1204.001",
    "T1204.002",
    "T1204.004",
    "T1218.005",
    "T1218.010",
    "T1218.011",
    "T1219.002",
    "T1480.002",
    "T1497.001",
    "T1505.003",
    "T1518.001",
    "T1543.003",
    "T1546.001",
    "T1547.001",
    "T1550.002",
    "T1552.001",
    "T1552.004",
    "T1553.002",
    "T1555.003",
    "T1559.001",
    "T1560.001",
    "T1560.003",
    "T1564.002",
    "T1564.003",
    "T1564.011",
    "T1566.001",
    "T1566.002",
    "T1567.002",
    "T1583.001",
    "T1583.004",
    "T1583.006",
    "T1584.001",
    "T1585.001",
    "T1585.002",
    "T1586.002",
    "T1587.001",
    "T1588.002",
    "T1588.003",
    "T1588.005",
    "T1589.002",
    "T1589.003",
    "T1593.001",
    "T1593.002",
    "T1598.003",
    "T1608.001",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G0095",
   "canonical_name": "Machete",
   "aliases": [
    "Machete",
    "APT-C-43",
    "El Machete",
    "machete-apt",
    "G0095"
   ],
   "category": "state",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 17,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Machete targets government institutions, intelligence services and military units (Cylance Machete Mar 2017; ESET Machete July 2019).",
     "source": "Cylance Machete Mar 2017"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description states Machete targets telecommunications companies (Cylance Machete Mar 2017; Securelist Machete Aug 2014).",
     "source": "Cylance Machete Mar 2017"
    },
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "MITRE ATT&CK description states Machete targets power companies (Cylance Machete Mar 2017; ESET Machete July 2019).",
     "source": "ESET Machete July 2019"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0095",
   "cve_ids": [],
   "technique_ids": [
    "T1036",
    "T1053",
    "T1059",
    "T1189",
    "T1204",
    "T1218",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1053.005",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1204.001",
    "T1204.002",
    "T1218.007",
    "T1566.001",
    "T1566.002"
   ]
  },
  {
   "actor_id": "G0096",
   "canonical_name": "APT41",
   "aliases": [
    "APT41",
    "Wicked Panda",
    "Brass Typhoon",
    "BARIUM"
   ],
   "category": "state-contractor",
   "sponsor": {
    "country": "CN",
    "agency": "MSS"
   },
   "cve_count": 2,
   "technique_count": 115,
   "idf_score": 4.422,
   "exclusive_cve_count": 0,
   "active_year_min": 2017,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK profile states APT41 targeted healthcare (citing FireEye APT41 Aug 2019).",
     "source": "FireEye APT41 Aug 2019"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK profile states APT41 targeted telecom (citing FireEye APT41 Aug 2019).",
     "source": "FireEye APT41 Aug 2019"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "MITRE ATT&CK profile states APT41 targeted technology and video game industries (citing FireEye APT41 Aug 2019).",
     "source": "FireEye APT41 Aug 2019"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK profile states APT41 targeted finance (citing FireEye APT41 Aug 2019).",
     "source": "FireEye APT41 Aug 2019"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK profile states APT41 targeted education (citing FireEye APT41 Aug 2019).",
     "source": "FireEye APT41 Aug 2019"
    },
    {
     "naics": "44",
     "label": "Retail Trade",
     "evidence": "MITRE ATT&CK profile states APT41 targeted retail (citing FireEye APT41 Aug 2019).",
     "source": "FireEye APT41 Aug 2019"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0096",
   "cve_ids": [
    "CVE-2017-6328",
    "CVE-2020-6789"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1008",
    "T1012",
    "T1014",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1030",
    "T1033",
    "T1036",
    "T1037",
    "T1046",
    "T1047",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1098",
    "T1102",
    "T1104",
    "T1105",
    "T1110",
    "T1112",
    "T1133",
    "T1135",
    "T1136",
    "T1190",
    "T1195",
    "T1197",
    "T1203",
    "T1213",
    "T1218",
    "T1480",
    "T1484",
    "T1486",
    "T1496",
    "T1542",
    "T1543",
    "T1546",
    "T1547",
    "T1550",
    "T1553",
    "T1555",
    "T1560",
    "T1566",
    "T1568",
    "T1569",
    "T1570",
    "T1574",
    "T1588",
    "T1595",
    "T1596",
    "T1599",
    "T1684",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.003",
    "T1021.001",
    "T1021.002",
    "T1027.002",
    "T1036.004",
    "T1036.005",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.004",
    "T1070.003",
    "T1070.004",
    "T1071.001",
    "T1071.002",
    "T1071.004",
    "T1087.001",
    "T1087.002",
    "T1098.007",
    "T1102.001",
    "T1136.001",
    "T1195.002",
    "T1213.003",
    "T1218.001",
    "T1218.011",
    "T1480.001",
    "T1484.001",
    "T1496.001",
    "T1542.003",
    "T1543.003",
    "T1546.008",
    "T1547.001",
    "T1550.002",
    "T1553.002",
    "T1555.003",
    "T1560.001",
    "T1566.001",
    "T1568.002",
    "T1569.002",
    "T1574.001",
    "T1574.006",
    "T1588.002",
    "T1595.002",
    "T1595.003",
    "T1596.005",
    "T1684.001",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0098",
   "canonical_name": "BlackTech",
   "aliases": [
    "BlackTech",
    "Palmerworm"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 20,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "23",
     "label": "Construction",
     "evidence": "MITRE ATT&CK description states BlackTech compromised construction company networks (citing TrendMicro BlackTech June 2017).",
     "source": "TrendMicro BlackTech June 2017"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK description states BlackTech compromised electronics company networks (citing Symantec Palmerworm Sep 2020).",
     "source": "Symantec Palmerworm Sep 2020"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK description states BlackTech compromised financial company networks (citing TrendMicro BlackTech June 2017).",
     "source": "TrendMicro BlackTech June 2017"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK description states BlackTech compromised media company networks (citing TrendMicro BlackTech June 2017).",
     "source": "TrendMicro BlackTech June 2017"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states BlackTech compromised engineering company networks (citing Symantec Palmerworm Sep 2020).",
     "source": "Symantec Palmerworm Sep 2020"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0098",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1036",
    "T1046",
    "T1106",
    "T1190",
    "T1203",
    "T1204",
    "T1566",
    "T1574",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1021.004",
    "T1036.002",
    "T1204.001",
    "T1204.002",
    "T1566.001",
    "T1566.002",
    "T1574.001",
    "T1588.002",
    "T1588.003",
    "T1588.004"
   ]
  },
  {
   "actor_id": "G0099",
   "canonical_name": "APT-C-36",
   "aliases": [
    "APT-C-36",
    "Blind Eagle",
    "TAG-144",
    "AguilaCiega",
    "APT-Q-98"
   ],
   "category": "state",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 54,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK G0099 states APT-C-36 targeted entities in the financial sector (QiAnXin APT-C-36 Feb2019, Kaspersky BlindEagle AUG 2024).",
     "source": "QiAnXin APT-C-36 Feb2019"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "MITRE ATT&CK G0099 states APT-C-36 targeted entities in the energy sector (Check Point Blind Eagle MAR 2025, Recorded Future TAG-144 AUG 2025).",
     "source": "Check Point Blind Eagle MAR 2025"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK G0099 states APT-C-36 targeted professional manufacturing sector entities (Kaspersky BlindEagle AUG 2024).",
     "source": "Kaspersky BlindEagle AUG 2024"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK G0099 states APT-C-36 targeted government institutions (QiAnXin APT-C-36 Feb2019, Recorded Future TAG-144 AUG 2025).",
     "source": "Recorded Future TAG-144 AUG 2025"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0099",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1047",
    "T1053",
    "T1055",
    "T1059",
    "T1105",
    "T1133",
    "T1204",
    "T1480",
    "T1534",
    "T1564",
    "T1566",
    "T1568",
    "T1571",
    "T1574",
    "T1583",
    "T1584",
    "T1586",
    "T1587",
    "T1588",
    "T1593",
    "T1608",
    "T1683",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1027.003",
    "T1027.013",
    "T1027.016",
    "T1036.004",
    "T1036.005",
    "T1053.005",
    "T1055.012",
    "T1059.001",
    "T1059.005",
    "T1059.007",
    "T1204.001",
    "T1204.002",
    "T1564.003",
    "T1566.001",
    "T1566.002",
    "T1574.001",
    "T1583.001",
    "T1583.003",
    "T1583.006",
    "T1584.005",
    "T1586.002",
    "T1586.003",
    "T1587.001",
    "T1588.001",
    "T1588.002",
    "T1608.001",
    "T1683.001",
    "T1683.002",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G0100",
   "canonical_name": "Inception",
   "aliases": [
    "Inception",
    "Inception Framework",
    "Cloud Atlas",
    "Clean Ursa",
    "OXYGEN",
    "G0100",
    "ATK116",
    "Blue Odin"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 34,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0100",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1027",
    "T1057",
    "T1059",
    "T1069",
    "T1071",
    "T1082",
    "T1083",
    "T1090",
    "T1102",
    "T1203",
    "T1204",
    "T1218",
    "T1221",
    "T1518",
    "T1547",
    "T1555",
    "T1566",
    "T1573",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1059.001",
    "T1059.005",
    "T1069.002",
    "T1071.001",
    "T1090.003",
    "T1204.002",
    "T1218.005",
    "T1218.010",
    "T1547.001",
    "T1555.003",
    "T1566.001",
    "T1573.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0102",
   "canonical_name": "Wizard Spider",
   "aliases": [
    "Wizard Spider",
    "UNC1878",
    "TEMP.MixMaster",
    "Grim Spider",
    "FIN12",
    "GOLD BLACKBURN",
    "ITG23",
    "Periwinkle Tempest",
    "DEV-0193",
    "Pistachio Tempest",
    "DEV-0237"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 1,
   "technique_count": 92,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "622",
     "label": "Hospitals",
     "evidence": "MITRE ATT&CK description states Wizard Spider conducted ransomware campaigns against hospitals, citing DHS/CISA Ransomware Targeting Healthcare October 2020.",
     "source": "DHS/CISA Ransomware Targeting Healthcare October 2020"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0102",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1047",
    "T1048",
    "T1053",
    "T1055",
    "T1059",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1082",
    "T1087",
    "T1105",
    "T1112",
    "T1133",
    "T1135",
    "T1136",
    "T1197",
    "T1204",
    "T1210",
    "T1218",
    "T1222",
    "T1489",
    "T1490",
    "T1518",
    "T1543",
    "T1547",
    "T1550",
    "T1552",
    "T1553",
    "T1555",
    "T1557",
    "T1558",
    "T1560",
    "T1566",
    "T1567",
    "T1569",
    "T1570",
    "T1585",
    "T1588",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.003",
    "T1021.001",
    "T1021.002",
    "T1021.006",
    "T1027.010",
    "T1036.004",
    "T1048.003",
    "T1053.005",
    "T1055.001",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1071.001",
    "T1074.001",
    "T1078.002",
    "T1087.002",
    "T1136.001",
    "T1136.002",
    "T1204.001",
    "T1204.002",
    "T1218.011",
    "T1222.001",
    "T1518.001",
    "T1518.002",
    "T1543.003",
    "T1547.001",
    "T1547.004",
    "T1550.002",
    "T1552.006",
    "T1553.002",
    "T1555.004",
    "T1557.001",
    "T1558.003",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1567.002",
    "T1569.002",
    "T1585.002",
    "T1588.002",
    "T1588.003"
   ]
  },
  {
   "actor_id": "G0103",
   "canonical_name": "Mofang",
   "aliases": [
    "Mofang"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 9,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "FOX-IT May 2016 Mofang reports focused attacks on government, military and critical infrastructure including weapons industries.",
     "source": "FOX-IT May 2016 Mofang"
    },
    {
     "naics": "3361",
     "label": "Motor Vehicle Manufacturing",
     "evidence": "FOX-IT May 2016 Mofang reports focused attacks on automobile sector.",
     "source": "FOX-IT May 2016 Mofang"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0103",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1204",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1027.015",
    "T1204.001",
    "T1204.002",
    "T1566.001",
    "T1566.002"
   ]
  },
  {
   "actor_id": "G0105",
   "canonical_name": "DarkVishnya",
   "aliases": [
    "DarkVishnya"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 13,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "MITRE ATT&CK description states DarkVishnya targeted financial institutions and attacked at least 8 banks (Securelist DarkVishnya Dec 2018).",
     "source": "Securelist DarkVishnya Dec 2018"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0105",
   "cve_ids": [],
   "technique_ids": [
    "T1040",
    "T1046",
    "T1059",
    "T1110",
    "T1135",
    "T1200",
    "T1219",
    "T1543",
    "T1571",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1059.001",
    "T1543.003",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0106",
   "canonical_name": "Rocke",
   "aliases": [
    "Rocke"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 50,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0106",
   "cve_ids": [],
   "technique_ids": [
    "T1014",
    "T1018",
    "T1021",
    "T1027",
    "T1036",
    "T1037",
    "T1046",
    "T1053",
    "T1055",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1082",
    "T1102",
    "T1105",
    "T1140",
    "T1190",
    "T1222",
    "T1496",
    "T1518",
    "T1543",
    "T1547",
    "T1552",
    "T1564",
    "T1571",
    "T1574",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.004",
    "T1027.002",
    "T1027.004",
    "T1036.005",
    "T1053.003",
    "T1055.002",
    "T1059.004",
    "T1059.006",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1102.001",
    "T1222.002",
    "T1496.001",
    "T1518.001",
    "T1543.002",
    "T1547.001",
    "T1552.004",
    "T1564.001",
    "T1574.006",
    "T1685.006"
   ]
  },
  {
   "actor_id": "G0107",
   "canonical_name": "Whitefly",
   "aliases": [
    "Whitefly"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 15,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2016,
   "active_year_max": 2016,
   "sectors": [
    {
     "naics": "622",
     "label": "Hospitals",
     "evidence": "Linked to attack against Singapore\u2019s largest public health organization SingHealth (Symantec Whitefly March 2019).",
     "source": "Symantec Whitefly March 2019"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0107",
   "cve_ids": [
    "CVE-2016-0051"
   ],
   "technique_ids": [
    "T1003",
    "T1027",
    "T1036",
    "T1059",
    "T1068",
    "T1105",
    "T1204",
    "T1574",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1027.013",
    "T1036.005",
    "T1204.002",
    "T1574.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0108",
   "canonical_name": "Blue Mockingbird",
   "aliases": [
    "Blue Mockingbird"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 35,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0108",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1021",
    "T1027",
    "T1036",
    "T1047",
    "T1053",
    "T1059",
    "T1082",
    "T1090",
    "T1112",
    "T1134",
    "T1190",
    "T1218",
    "T1496",
    "T1543",
    "T1546",
    "T1569",
    "T1574",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.002",
    "T1027.013",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1218.010",
    "T1218.011",
    "T1496.001",
    "T1543.003",
    "T1546.003",
    "T1569.002",
    "T1574.012",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0112",
   "canonical_name": "Windshift",
   "aliases": [
    "Windshift",
    "Bahamut"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 24,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states Windshift targets individuals for surveillance in government departments, citing SANS Windshift August 2018.",
     "source": "SANS Windshift August 2018"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0112",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1033",
    "T1036",
    "T1047",
    "T1057",
    "T1059",
    "T1071",
    "T1082",
    "T1105",
    "T1189",
    "T1204",
    "T1518",
    "T1547",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1036.001",
    "T1059.005",
    "T1071.001",
    "T1204.001",
    "T1204.002",
    "T1518.001",
    "T1547.001",
    "T1566.001",
    "T1566.002",
    "T1566.003"
   ]
  },
  {
   "actor_id": "G0114",
   "canonical_name": "Chimera",
   "aliases": [
    "Chimera"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 82,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK states Chimera targets semiconductor industry in Taiwan (Cycraft Chimera April 2020).",
     "source": "Cycraft Chimera April 2020"
    },
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "MITRE ATT&CK states Chimera targets data from the airline industry (NCC Group Chimera January 2021).",
     "source": "NCC Group Chimera January 2021"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0114",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1007",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1039",
    "T1041",
    "T1046",
    "T1047",
    "T1049",
    "T1053",
    "T1057",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1083",
    "T1087",
    "T1105",
    "T1106",
    "T1110",
    "T1111",
    "T1114",
    "T1119",
    "T1124",
    "T1133",
    "T1135",
    "T1201",
    "T1213",
    "T1217",
    "T1482",
    "T1550",
    "T1556",
    "T1560",
    "T1567",
    "T1569",
    "T1570",
    "T1572",
    "T1574",
    "T1588",
    "T1589",
    "T1680",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.003",
    "T1021.001",
    "T1021.002",
    "T1021.006",
    "T1027.010",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1069.001",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1071.004",
    "T1074.001",
    "T1074.002",
    "T1078.002",
    "T1087.001",
    "T1087.002",
    "T1110.003",
    "T1110.004",
    "T1114.001",
    "T1114.002",
    "T1213.002",
    "T1550.002",
    "T1556.001",
    "T1560.001",
    "T1567.002",
    "T1569.002",
    "T1574.001",
    "T1588.002",
    "T1589.001",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0115",
   "canonical_name": "GOLD SOUTHFIELD",
   "aliases": [
    "GOLD SOUTHFIELD",
    "Pinchy Spider"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 12,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0115",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1113",
    "T1133",
    "T1190",
    "T1195",
    "T1199",
    "T1219",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1027.010",
    "T1059.001",
    "T1195.002"
   ]
  },
  {
   "actor_id": "G0117",
   "canonical_name": "Fox Kitten",
   "aliases": [
    "Fox Kitten",
    "UNC757",
    "Parisite",
    "Pioneer Kitten",
    "RUBIDIUM",
    "Lemon Sandstorm"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 2,
   "technique_count": 54,
   "idf_score": 5.536,
   "exclusive_cve_count": 1,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK G0117 description states Fox Kitten targeted oil and gas vertical, citing ClearSky Fox Kitten February 2020 and Dragos PARISITE.",
     "source": "ClearSky Fox Kitten February 2020"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK G0117 description states Fox Kitten targeted manufacturing vertical, citing CrowdStrike PIONEER KITTEN August 2020.",
     "source": "CrowdStrike PIONEER KITTEN August 2020"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK G0117 description states Fox Kitten targeted healthcare vertical, citing ClearSky Pay2Kitten December 2020.",
     "source": "ClearSky Pay2Kitten December 2020"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK G0117 description states Fox Kitten targeted government vertical, citing CISA AA20-259A Iran-Based Actor September 2020.",
     "source": "CISA AA20-259A Iran-Based Actor September 2020"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK G0117 description states Fox Kitten targeted defense vertical, citing CrowdStrike PIONEER KITTEN August 2020.",
     "source": "CrowdStrike PIONEER KITTEN August 2020"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK G0117 description states Fox Kitten targeted engineering vertical, citing ClearkSky Fox Kitten February 2020.",
     "source": "ClearkSky Fox Kitten February 2020"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "other",
     1
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0117",
   "cve_ids": [
    "CVE-2018-1579",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1012",
    "T1018",
    "T1021",
    "T1027",
    "T1036",
    "T1039",
    "T1046",
    "T1053",
    "T1059",
    "T1078",
    "T1083",
    "T1087",
    "T1090",
    "T1102",
    "T1105",
    "T1110",
    "T1136",
    "T1190",
    "T1210",
    "T1213",
    "T1217",
    "T1505",
    "T1530",
    "T1546",
    "T1552",
    "T1555",
    "T1560",
    "T1572",
    "T1585"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.003",
    "T1021.001",
    "T1021.002",
    "T1021.004",
    "T1021.005",
    "T1027.010",
    "T1027.013",
    "T1036.004",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1087.001",
    "T1087.002",
    "T1136.001",
    "T1213.005",
    "T1505.003",
    "T1546.008",
    "T1552.001",
    "T1555.005",
    "T1560.001",
    "T1585.001"
   ]
  },
  {
   "actor_id": "G0119",
   "canonical_name": "Indrik Spider",
   "aliases": [
    "Indrik Spider",
    "Evil Corp",
    "Manatee Tempest",
    "DEV-0243",
    "UNC2165"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 1,
   "technique_count": 47,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0119",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1007",
    "T1012",
    "T1018",
    "T1021",
    "T1036",
    "T1047",
    "T1059",
    "T1074",
    "T1078",
    "T1105",
    "T1112",
    "T1136",
    "T1204",
    "T1484",
    "T1486",
    "T1489",
    "T1552",
    "T1555",
    "T1558",
    "T1567",
    "T1583",
    "T1584",
    "T1585",
    "T1587",
    "T1590",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.004",
    "T1036.005",
    "T1059.001",
    "T1059.003",
    "T1059.007",
    "T1074.001",
    "T1078.002",
    "T1136.001",
    "T1204.002",
    "T1484.001",
    "T1552.001",
    "T1555.005",
    "T1558.003",
    "T1567.002",
    "T1584.004",
    "T1585.002",
    "T1587.001",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0120",
   "canonical_name": "Evilnum",
   "aliases": [
    "Evilnum"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 19,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0120",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1070",
    "T1105",
    "T1204",
    "T1219",
    "T1497",
    "T1539",
    "T1548",
    "T1555",
    "T1566",
    "T1574"
   ],
   "subtechnique_ids": [
    "T1059.007",
    "T1070.004",
    "T1204.001",
    "T1219.002",
    "T1497.001",
    "T1548.002",
    "T1566.002",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G0121",
   "canonical_name": "Sidewinder",
   "aliases": [
    "Sidewinder",
    "T-APT-04",
    "Rattlesnake"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 42,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2018,
   "active_year_max": 2018,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Sidewinder targets government and military entities (ATT Sidewinder January 2021).",
     "source": "ATT Sidewinder January 2021"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0121",
   "cve_ids": [
    "CVE-2018-4876"
   ],
   "technique_ids": [
    "T1016",
    "T1020",
    "T1027",
    "T1033",
    "T1036",
    "T1057",
    "T1059",
    "T1071",
    "T1074",
    "T1082",
    "T1083",
    "T1105",
    "T1119",
    "T1124",
    "T1203",
    "T1204",
    "T1218",
    "T1518",
    "T1547",
    "T1559",
    "T1566",
    "T1574",
    "T1598"
   ],
   "subtechnique_ids": [
    "T1027.010",
    "T1027.013",
    "T1036.005",
    "T1059.001",
    "T1059.005",
    "T1059.007",
    "T1071.001",
    "T1074.001",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1518.001",
    "T1547.001",
    "T1559.002",
    "T1566.001",
    "T1566.002",
    "T1574.001",
    "T1598.002",
    "T1598.003"
   ]
  },
  {
   "actor_id": "G0122",
   "canonical_name": "Silent Librarian",
   "aliases": [
    "Silent Librarian",
    "TA407",
    "COBALT DICKENS"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 20,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK states Silent Librarian targeted research and proprietary data at universities worldwide (DOJ Iran Indictments March 2018).",
     "source": "DOJ Iran Indictments March 2018"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK states Silent Librarian targeted research and proprietary data at government agencies worldwide (DOJ Iran Indictments March 2018).",
     "source": "DOJ Iran Indictments March 2018"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0122",
   "cve_ids": [],
   "technique_ids": [
    "T1078",
    "T1110",
    "T1114",
    "T1583",
    "T1585",
    "T1588",
    "T1589",
    "T1594",
    "T1598",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1110.003",
    "T1114.003",
    "T1583.001",
    "T1585.002",
    "T1588.002",
    "T1588.004",
    "T1589.002",
    "T1589.003",
    "T1598.003",
    "T1608.005"
   ]
  },
  {
   "actor_id": "G0123",
   "canonical_name": "Volatile Cedar",
   "aliases": [
    "Volatile Cedar",
    "Lebanese Cedar"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0123",
   "cve_ids": [],
   "technique_ids": [
    "T1105",
    "T1190",
    "T1505",
    "T1595"
   ],
   "subtechnique_ids": [
    "T1505.003",
    "T1595.002",
    "T1595.003"
   ]
  },
  {
   "actor_id": "G0124",
   "canonical_name": "Windigo",
   "aliases": [
    "Windigo"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9221",
     "label": "Justice, Public Order & Safety",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0124",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1059",
    "T1082",
    "T1083",
    "T1090",
    "T1189",
    "T1518"
   ],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G0125",
   "canonical_name": "HAFNIUM",
   "aliases": [
    "HAFNIUM",
    "Operation Exchange Marauder",
    "Silk Typhoon",
    "ATK233",
    "G0125",
    "Red Dev 13",
    "MURKY PANDA"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 3,
   "technique_count": 66,
   "idf_score": 12.871,
   "exclusive_cve_count": 3,
   "active_year_min": 2021,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK G0125 lists law firms, policy think tanks and infectious disease researchers as targets (Microsoft HAFNIUM March 2020).",
     "source": "Microsoft HAFNIUM March 2020"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK G0125 explicitly names higher education institutions among HAFNIUM targets (Microsoft HAFNIUM March 2020).",
     "source": "Microsoft HAFNIUM March 2020"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK G0125 cites infectious disease researchers as targeted entities (Microsoft HAFNIUM March 2020).",
     "source": "Microsoft HAFNIUM March 2020"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     3
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0125",
   "cve_ids": [
    "CVE-2021-26412",
    "CVE-2021-26854",
    "CVE-2021-27078"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1018",
    "T1033",
    "T1057",
    "T1059",
    "T1068",
    "T1071",
    "T1078",
    "T1083",
    "T1095",
    "T1098",
    "T1105",
    "T1110",
    "T1114",
    "T1119",
    "T1132",
    "T1136",
    "T1190",
    "T1199",
    "T1213",
    "T1218",
    "T1505",
    "T1530",
    "T1550",
    "T1555",
    "T1560",
    "T1564",
    "T1567",
    "T1583",
    "T1584",
    "T1589",
    "T1590",
    "T1592",
    "T1593",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.003",
    "T1016.001",
    "T1059.001",
    "T1059.003",
    "T1071.001",
    "T1078.003",
    "T1078.004",
    "T1110.003",
    "T1114.002",
    "T1132.001",
    "T1136.002",
    "T1213.002",
    "T1218.011",
    "T1505.003",
    "T1550.001",
    "T1555.006",
    "T1560.001",
    "T1564.001",
    "T1567.002",
    "T1583.003",
    "T1583.005",
    "T1583.006",
    "T1584.005",
    "T1589.002",
    "T1590.005",
    "T1592.004",
    "T1593.003",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G0126",
   "canonical_name": "Higaisa",
   "aliases": [
    "Higaisa"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 41,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states Higaisa targeted government and public organizations in North Korea (citing Malwarebytes Higaisa 2020, Zscaler Higaisa 2020, PTSecurity Higaisa 2020).",
     "source": "Malwarebytes Higaisa 2020"
    },
    {
     "naics": "42",
     "label": "Wholesale Trade",
     "evidence": "MITRE ATT&CK description states Higaisa targeted trade organizations in North Korea (citing Malwarebytes Higaisa 2020, Zscaler Higaisa 2020, PTSecurity Higaisa 2020).",
     "source": "Zscaler Higaisa 2020"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0126",
   "cve_ids": [],
   "technique_ids": [
    "T1001",
    "T1016",
    "T1027",
    "T1029",
    "T1036",
    "T1041",
    "T1053",
    "T1057",
    "T1059",
    "T1071",
    "T1082",
    "T1090",
    "T1106",
    "T1124",
    "T1140",
    "T1203",
    "T1204",
    "T1220",
    "T1547",
    "T1564",
    "T1566",
    "T1573",
    "T1574",
    "T1680"
   ],
   "subtechnique_ids": [
    "T1001.003",
    "T1027.001",
    "T1027.013",
    "T1027.015",
    "T1036.004",
    "T1053.005",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1071.001",
    "T1090.001",
    "T1204.002",
    "T1547.001",
    "T1564.003",
    "T1566.001",
    "T1573.001",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G0127",
   "canonical_name": "TA551",
   "aliases": [
    "TA551",
    "GOLD CABIN",
    "Shathak",
    "Shakthak",
    "ATK236",
    "G0127",
    "Monster Libra"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 23,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0127",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1059",
    "T1071",
    "T1105",
    "T1132",
    "T1204",
    "T1218",
    "T1566",
    "T1568",
    "T1589"
   ],
   "subtechnique_ids": [
    "T1027.003",
    "T1027.010",
    "T1059.003",
    "T1071.001",
    "T1132.001",
    "T1204.002",
    "T1218.005",
    "T1218.010",
    "T1218.011",
    "T1566.001",
    "T1568.002",
    "T1589.002"
   ]
  },
  {
   "actor_id": "G0128",
   "canonical_name": "ZIRCONIUM",
   "aliases": [
    "ZIRCONIUM",
    "APT31",
    "Violet Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 2,
   "technique_count": 42,
   "idf_score": 7.888,
   "exclusive_cve_count": 1,
   "active_year_min": 2013,
   "active_year_max": 2013,
   "sectors": [
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "Targets prominent leaders in the international affairs community (MITRE ATT&CK citing Microsoft Targeting Elections September 2020 and Check Point APT31 February 2021).",
     "source": "Microsoft Targeting Elections September 2020"
    },
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "Targeted individuals associated with the 2020 US presidential election (MITRE ATT&CK citing Microsoft Targeting Elections September 2020).",
     "source": "Microsoft Targeting Elections September 2020"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0128",
   "cve_ids": [
    "CVE-2013-3128",
    "CVE-2013-3894"
   ],
   "technique_ids": [
    "T1012",
    "T1016",
    "T1027",
    "T1033",
    "T1036",
    "T1041",
    "T1059",
    "T1068",
    "T1082",
    "T1090",
    "T1102",
    "T1105",
    "T1124",
    "T1140",
    "T1204",
    "T1218",
    "T1547",
    "T1555",
    "T1566",
    "T1567",
    "T1573",
    "T1583",
    "T1584",
    "T1598",
    "T1665"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1036.004",
    "T1059.003",
    "T1059.006",
    "T1090.003",
    "T1102.002",
    "T1204.001",
    "T1218.007",
    "T1547.001",
    "T1555.003",
    "T1566.002",
    "T1567.002",
    "T1573.001",
    "T1583.001",
    "T1583.006",
    "T1584.008",
    "T1598.003"
   ]
  },
  {
   "actor_id": "G0129",
   "canonical_name": "Mustang Panda",
   "aliases": [
    "Mustang Panda",
    "TA416",
    "RedDelta",
    "BRONZE PRESIDENT",
    "STATELY TAURUS",
    "FIREANT",
    "CAMARO DRAGON",
    "EARTH PRETA",
    "HIVE0154",
    "TWILL TYPHOON",
    "TANTALUM",
    "LUMINOUS MOTH",
    "UNC6384",
    "TEMP.Hex",
    "Red Lich",
    "ClumsyToad"
   ],
   "category": "state-contractor",
   "sponsor": {
    "country": "CN",
    "agency": "MSS"
   },
   "cve_count": 2,
   "technique_count": 114,
   "idf_score": 3.927,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states Mustang Panda targeted government organizations (BlackBerry MUSTANG PANDA October 2022; Anomali MUSTANG PANDA October 2019).",
     "source": "MITRE ATT&CK G0129"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "MITRE ATT&CK description states Mustang Panda targeted diplomatic organizations (Eset PlugX Korplug Mustang Panda March 2022; Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022).",
     "source": "MITRE ATT&CK G0129"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states Mustang Panda targeted think tanks, research entities and NGOs (Secureworks BRONZE PRESIDENT December 2019; Crowdstrike MUSTANG PANDA June 2018).",
     "source": "MITRE ATT&CK G0129"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0129",
   "cve_ids": [
    "CVE-2026-20929",
    "CVE-2026-22813"
   ],
   "technique_ids": [
    "T1001",
    "T1003",
    "T1016",
    "T1018",
    "T1027",
    "T1036",
    "T1041",
    "T1046",
    "T1047",
    "T1048",
    "T1049",
    "T1052",
    "T1053",
    "T1057",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1072",
    "T1074",
    "T1082",
    "T1083",
    "T1087",
    "T1091",
    "T1095",
    "T1102",
    "T1105",
    "T1106",
    "T1119",
    "T1129",
    "T1140",
    "T1176",
    "T1203",
    "T1204",
    "T1205",
    "T1218",
    "T1219",
    "T1505",
    "T1518",
    "T1546",
    "T1547",
    "T1553",
    "T1557",
    "T1560",
    "T1564",
    "T1566",
    "T1567",
    "T1572",
    "T1573",
    "T1574",
    "T1583",
    "T1585",
    "T1586",
    "T1587",
    "T1588",
    "T1593",
    "T1598",
    "T1608",
    "T1622",
    "T1654",
    "T1678"
   ],
   "subtechnique_ids": [
    "T1001.003",
    "T1003.001",
    "T1003.003",
    "T1003.006",
    "T1027.007",
    "T1027.012",
    "T1027.016",
    "T1036.005",
    "T1036.007",
    "T1036.008",
    "T1048.003",
    "T1052.001",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1069.002",
    "T1070.004",
    "T1070.006",
    "T1071.001",
    "T1074.001",
    "T1087.002",
    "T1176.002",
    "T1204.001",
    "T1204.002",
    "T1218.004",
    "T1218.005",
    "T1219.001",
    "T1219.002",
    "T1505.003",
    "T1546.003",
    "T1547.001",
    "T1553.002",
    "T1560.001",
    "T1560.003",
    "T1564.001",
    "T1566.001",
    "T1566.002",
    "T1567.002",
    "T1573.001",
    "T1574.001",
    "T1574.005",
    "T1583.001",
    "T1583.006",
    "T1585.002",
    "T1586.002",
    "T1587.001",
    "T1588.002",
    "T1588.003",
    "T1588.004",
    "T1598.003",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G0130",
   "canonical_name": "Ajax Security Team",
   "aliases": [
    "Ajax Security Team",
    "Operation Woolen-Goldfish",
    "AjaxTM",
    "Rocket Kitten",
    "Flying Kitten",
    "Operation Saffron Rose"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 1,
   "technique_count": 10,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "FireEye Operation Saffron Rose 2013 reports Ajax Security Team targeting the US defense industrial base.",
     "source": "FireEye Operation Saffron Rose 2013"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0130",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1056",
    "T1105",
    "T1204",
    "T1555",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1056.001",
    "T1204.002",
    "T1555.003",
    "T1566.001",
    "T1566.003"
   ]
  },
  {
   "actor_id": "G0131",
   "canonical_name": "Tonto Team",
   "aliases": [
    "Tonto Team",
    "Earth Akhlut",
    "BRONZE HUNTLEY",
    "CactusPete",
    "Karma Panda"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 2,
   "technique_count": 23,
   "idf_score": 5.536,
   "exclusive_cve_count": 1,
   "active_year_min": 2019,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "21",
     "label": "Mining, Quarrying, Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK states Tonto Team targeted mining organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "MITRE ATT&CK states Tonto Team targeted energy organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK states Tonto Team targeted financial organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK states Tonto Team targeted education organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK states Tonto Team targeted healthcare organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK states Tonto Team targeted government organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states Tonto Team targeted military organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK states Tonto Team targeted technology organizations (Citation: Kaspersky CactusPete Aug 2020).",
     "source": "Kaspersky CactusPete Aug 2020"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     2
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0131",
   "cve_ids": [
    "CVE-2019-9489",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1056",
    "T1059",
    "T1068",
    "T1069",
    "T1090",
    "T1105",
    "T1135",
    "T1203",
    "T1204",
    "T1210",
    "T1505",
    "T1566",
    "T1574"
   ],
   "subtechnique_ids": [
    "T1056.001",
    "T1059.001",
    "T1059.006",
    "T1069.001",
    "T1090.002",
    "T1204.002",
    "T1505.003",
    "T1566.001",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G0133",
   "canonical_name": "Nomadic Octopus",
   "aliases": [
    "Nomadic Octopus",
    "DustSquad"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 11,
   "idf_score": 3.597,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states the group primarily targeted local governments in Central Asia (ESET Nomadic Octopus 2018).",
     "source": "ESET Nomadic Octopus 2018"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "MITRE ATT&CK description states the group primarily targeted diplomatic missions in Central Asia (Securelist Octopus Oct 2018).",
     "source": "Securelist Octopus Oct 2018"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "other",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0133",
   "cve_ids": [
    "CVE-2026-8732"
   ],
   "technique_ids": [
    "T1036",
    "T1059",
    "T1105",
    "T1204",
    "T1564",
    "T1566"
   ],
   "subtechnique_ids": [
    "T1059.001",
    "T1059.003",
    "T1204.002",
    "T1564.003",
    "T1566.001"
   ]
  },
  {
   "actor_id": "G0134",
   "canonical_name": "Transparent Tribe",
   "aliases": [
    "Transparent Tribe",
    "COPPER FIELDSTONE",
    "APT36",
    "Mythic Leopard",
    "ProjectM"
   ],
   "category": "state",
   "sponsor": {
    "country": "PK"
   },
   "cve_count": 1,
   "technique_count": 23,
   "idf_score": 2.681,
   "exclusive_cve_count": 0,
   "active_year_min": 2010,
   "active_year_max": 2022,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Transparent Tribe targets defense organizations, citing Proofpoint Operation Transparent Tribe March 2016 and Talos Transparent Tribe May 2021.",
     "source": "Proofpoint Operation Transparent Tribe March 2016"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "MITRE ATT&CK description states Transparent Tribe targets diplomatic organizations, citing Proofpoint Operation Transparent Tribe March 2016 and Kaspersky Transparent Tribe August 2020.",
     "source": "Proofpoint Operation Transparent Tribe March 2016"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0134",
   "cve_ids": [
    "CVE-2010-3333"
   ],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1059",
    "T1189",
    "T1203",
    "T1204",
    "T1564",
    "T1566",
    "T1568",
    "T1583",
    "T1584",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1036.005",
    "T1059.005",
    "T1204.001",
    "T1204.002",
    "T1564.001",
    "T1566.001",
    "T1566.002",
    "T1583.001",
    "T1584.001",
    "T1608.004"
   ]
  },
  {
   "actor_id": "G0135",
   "canonical_name": "BackdoorDiplomacy",
   "aliases": [
    "BackdoorDiplomacy"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 21,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "BackdoorDiplomacy targeted Ministries of Foreign Affairs (ESET BackdoorDiplomacy Jun 2021).",
     "source": "ESET BackdoorDiplomacy Jun 2021"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "BackdoorDiplomacy targeted telecommunication companies (ESET BackdoorDiplomacy Jun 2021).",
     "source": "ESET BackdoorDiplomacy Jun 2021"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0135",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1046",
    "T1049",
    "T1055",
    "T1074",
    "T1095",
    "T1105",
    "T1120",
    "T1190",
    "T1505",
    "T1574",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1036.004",
    "T1036.005",
    "T1055.001",
    "T1074.001",
    "T1505.003",
    "T1574.001",
    "T1588.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0136",
   "canonical_name": "IndigoZebra",
   "aliases": [
    "IndigoZebra"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 2,
   "technique_count": 12,
   "idf_score": 6.384,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK states IndigoZebra targets Central Asian governments since 2014 (HackerNews IndigoZebra July 2021).",
     "source": "HackerNews IndigoZebra July 2021"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "linux",
     1
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0136",
   "cve_ids": [
    "CVE-2026-31635",
    "CVE-2026-45585"
   ],
   "technique_ids": [
    "T1105",
    "T1204",
    "T1566",
    "T1583",
    "T1586",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1204.002",
    "T1566.001",
    "T1583.001",
    "T1583.006",
    "T1586.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0137",
   "canonical_name": "Ferocious Kitten",
   "aliases": [
    "Ferocious Kitten"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 11,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0137",
   "cve_ids": [],
   "technique_ids": [
    "T1036",
    "T1204",
    "T1566",
    "T1583",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1036.002",
    "T1036.005",
    "T1204.002",
    "T1566.001",
    "T1583.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G0138",
   "canonical_name": "Andariel",
   "aliases": [
    "Andariel",
    "Silent Chollima",
    "PLUTONIUM",
    "Onyx Sleet"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP",
    "agency": "RGB"
   },
   "cve_count": 11,
   "technique_count": 18,
   "idf_score": 31.946,
   "exclusive_cve_count": 0,
   "active_year_min": 2018,
   "active_year_max": 2022,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states Andariel focused operations against South Korean government agencies (citing FSI Andariel Campaign Rifle July 2017, AhnLab Andariel Subgroup of Lazarus June 2018).",
     "source": "MITRE ATT&CK G0138"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Andariel targeted South Korean military organizations (citing CrowdStrike Silent Chollima Adversary September 2021, Treasury North Korean Cyber Groups September 2019).",
     "source": "MITRE ATT&CK G0138"
    },
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "MITRE ATT&CK description states Andariel conducted financial operations against banks and ATMs (citing TrendMicro New Andariel Tactics July 2018, FSI Andariel Campaign Rifle July 2017).",
     "source": "MITRE ATT&CK G0138"
    },
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "MITRE ATT&CK description states Andariel conducted cyber financial operations against cryptocurrency exchanges (citing AhnLab Andariel Subgroup of Lazarus June 2018).",
     "source": "MITRE ATT&CK G0138"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     9
    ],
    [
     "linux",
     3
    ],
    [
     "microsoft",
     2
    ],
    [
     "macos",
     1
    ],
    [
     "network",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0138",
   "cve_ids": [
    "CVE-2017-4946",
    "CVE-2019-15637",
    "CVE-2021-3018",
    "CVE-2021-40684",
    "CVE-2021-44142",
    "CVE-2021-45837",
    "CVE-2022-22005",
    "CVE-2022-24663",
    "CVE-2022-24664",
    "CVE-2022-24665",
    "CVE-2022-24785"
   ],
   "technique_ids": [
    "T1005",
    "T1027",
    "T1049",
    "T1057",
    "T1105",
    "T1189",
    "T1203",
    "T1204",
    "T1566",
    "T1588",
    "T1590",
    "T1592"
   ],
   "subtechnique_ids": [
    "T1027.003",
    "T1204.002",
    "T1566.001",
    "T1588.001",
    "T1590.005",
    "T1592.002"
   ]
  },
  {
   "actor_id": "G0139",
   "canonical_name": "TeamTNT",
   "aliases": [
    "TeamTNT"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 75,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2019,
   "active_year_max": 2019,
   "sectors": [
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     1
    ],
    [
     "linux",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0139",
   "cve_ids": [
    "CVE-2019-5736"
   ],
   "technique_ids": [
    "T1007",
    "T1014",
    "T1016",
    "T1021",
    "T1027",
    "T1036",
    "T1046",
    "T1048",
    "T1049",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1074",
    "T1082",
    "T1083",
    "T1098",
    "T1102",
    "T1105",
    "T1120",
    "T1133",
    "T1136",
    "T1140",
    "T1204",
    "T1219",
    "T1222",
    "T1496",
    "T1518",
    "T1543",
    "T1547",
    "T1552",
    "T1569",
    "T1583",
    "T1587",
    "T1595",
    "T1608",
    "T1609",
    "T1610",
    "T1611",
    "T1613",
    "T1680",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.004",
    "T1027.002",
    "T1027.013",
    "T1036.005",
    "T1059.001",
    "T1059.003",
    "T1059.004",
    "T1059.009",
    "T1059.013",
    "T1070.003",
    "T1070.004",
    "T1071.001",
    "T1074.001",
    "T1098.004",
    "T1136.001",
    "T1204.003",
    "T1222.002",
    "T1496.001",
    "T1518.001",
    "T1543.002",
    "T1543.003",
    "T1547.001",
    "T1552.001",
    "T1552.004",
    "T1552.005",
    "T1569.003",
    "T1583.001",
    "T1587.001",
    "T1595.001",
    "T1595.002",
    "T1608.001",
    "T1685.006"
   ]
  },
  {
   "actor_id": "G0140",
   "canonical_name": "LazyScripter",
   "aliases": [
    "LazyScripter"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 30,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0140",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1059",
    "T1071",
    "T1102",
    "T1105",
    "T1204",
    "T1218",
    "T1547",
    "T1566",
    "T1583",
    "T1588",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1027.010",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.007",
    "T1071.004",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1218.011",
    "T1547.001",
    "T1566.001",
    "T1566.002",
    "T1583.001",
    "T1583.006",
    "T1588.001",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G0142",
   "canonical_name": "Confucius",
   "aliases": [
    "Confucius",
    "Confucius APT"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 28,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states Confucius has primarily targeted government organizations in South Asia (citing TrendMicro Confucius APT Feb 2018).",
     "source": "TrendMicro Confucius APT Feb 2018"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states Confucius has primarily targeted military personnel in South Asia (citing TrendMicro Confucius APT Feb 2018).",
     "source": "TrendMicro Confucius APT Feb 2018"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G0142",
   "cve_ids": [],
   "technique_ids": [
    "T1041",
    "T1053",
    "T1059",
    "T1071",
    "T1083",
    "T1105",
    "T1119",
    "T1203",
    "T1204",
    "T1218",
    "T1221",
    "T1547",
    "T1566",
    "T1567",
    "T1583",
    "T1680"
   ],
   "subtechnique_ids": [
    "T1053.005",
    "T1059.001",
    "T1059.005",
    "T1071.001",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1547.001",
    "T1566.001",
    "T1566.002",
    "T1567.002",
    "T1583.006"
   ]
  },
  {
   "actor_id": "G0143",
   "canonical_name": "Aquatic Panda",
   "aliases": [
    "Aquatic Panda"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 49,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK profile states Aquatic Panda primarily targeted telecommunications sector (CrowdStrike AQUATIC PANDA December 2021).",
     "source": "CrowdStrike AQUATIC PANDA December 2021"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK profile states Aquatic Panda primarily targeted government sectors (CrowdStrike AQUATIC PANDA December 2021).",
     "source": "CrowdStrike AQUATIC PANDA December 2021"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G0143",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1047",
    "T1059",
    "T1070",
    "T1078",
    "T1082",
    "T1087",
    "T1105",
    "T1112",
    "T1218",
    "T1518",
    "T1543",
    "T1550",
    "T1560",
    "T1574",
    "T1588",
    "T1595",
    "T1654",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1021.002",
    "T1021.004",
    "T1027.010",
    "T1036.004",
    "T1036.005",
    "T1059.001",
    "T1059.003",
    "T1059.004",
    "T1070.003",
    "T1070.004",
    "T1078.002",
    "T1218.011",
    "T1518.001",
    "T1543.003",
    "T1550.002",
    "T1560.001",
    "T1574.001",
    "T1574.006",
    "T1588.001",
    "T1588.002",
    "T1595.002",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G1001",
   "canonical_name": "HEXANE",
   "aliases": [
    "HEXANE",
    "Lyceum",
    "Siamesekitten",
    "Spirlin"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 52,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "211",
     "label": "Oil & Gas Extraction",
     "evidence": "MITRE ATT&CK description states HEXANE has targeted oil & gas organizations since 2017 (citing Dragos Hexane).",
     "source": "Dragos Hexane"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description states HEXANE has targeted telecommunications and ISP organizations since 2017 (citing Dragos Hexane).",
     "source": "Dragos Hexane"
    },
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "MITRE ATT&CK description states HEXANE has targeted aviation organizations since 2017 (citing Dragos Hexane).",
     "source": "Dragos Hexane"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1001",
   "cve_ids": [],
   "technique_ids": [
    "T1010",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1049",
    "T1053",
    "T1056",
    "T1057",
    "T1059",
    "T1069",
    "T1082",
    "T1102",
    "T1105",
    "T1110",
    "T1204",
    "T1518",
    "T1534",
    "T1546",
    "T1555",
    "T1567",
    "T1583",
    "T1585",
    "T1586",
    "T1588",
    "T1589",
    "T1591",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1016.001",
    "T1021.001",
    "T1027.010",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.005",
    "T1069.001",
    "T1102.002",
    "T1110.003",
    "T1204.002",
    "T1546.003",
    "T1555.003",
    "T1567.002",
    "T1583.001",
    "T1583.002",
    "T1585.001",
    "T1585.002",
    "T1586.002",
    "T1588.002",
    "T1589.002",
    "T1591.004",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G1002",
   "canonical_name": "BITTER",
   "aliases": [
    "BITTER",
    "T-APT-17"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 26,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states BITTER targeted government organizations, citing Forcepoint BITTER Pakistan Oct 2016 and Cisco Talos Bitter Bangladesh May 2022.",
     "source": "Cisco Talos Bitter Bangladesh May 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "MITRE ATT&CK description states BITTER targeted energy organizations, citing Forcepoint BITTER Pakistan Oct 2016 and Cisco Talos Bitter Bangladesh May 2022.",
     "source": "Forcepoint BITTER Pakistan Oct 2016"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states BITTER targeted engineering organizations, citing Forcepoint BITTER Pakistan Oct 2016 and Cisco Talos Bitter Bangladesh May 2022.",
     "source": "Cisco Talos Bitter Bangladesh May 2022"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1002",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1053",
    "T1068",
    "T1071",
    "T1095",
    "T1105",
    "T1203",
    "T1204",
    "T1559",
    "T1566",
    "T1568",
    "T1573",
    "T1583",
    "T1588",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1036.004",
    "T1053.005",
    "T1071.001",
    "T1204.002",
    "T1559.002",
    "T1566.001",
    "T1583.001",
    "T1588.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G1003",
   "canonical_name": "Ember Bear",
   "aliases": [
    "Ember Bear",
    "UNC2589",
    "Bleeding Bear",
    "DEV-0586",
    "Cadet Blizzard",
    "Frozenvista",
    "UAC-0056",
    "SaintBear",
    "TA471",
    "Nascent Ursa",
    "Nodaria",
    "Storm-0587",
    "DEV-0587",
    "Saint Bear",
    "Lorec53",
    "Lorec Bear"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 2,
   "technique_count": 61,
   "idf_score": 5.536,
   "exclusive_cve_count": 1,
   "active_year_min": 2022,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states Ember Bear primarily focused operations against Ukrainian government entities (Cadet Blizzard emerges as novel threat actor).",
     "source": "Cadet Blizzard emerges as novel threat actor"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description states Ember Bear primarily focused operations against Ukrainian telecommunication entities (Cadet Blizzard emerges as novel threat actor).",
     "source": "Cadet Blizzard emerges as novel threat actor"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "network",
     1
    ],
    [
     "linux",
     1
    ],
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1003",
   "cve_ids": [
    "CVE-2022-27666",
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1018",
    "T1021",
    "T1036",
    "T1046",
    "T1047",
    "T1053",
    "T1059",
    "T1070",
    "T1071",
    "T1078",
    "T1090",
    "T1095",
    "T1110",
    "T1112",
    "T1114",
    "T1119",
    "T1125",
    "T1133",
    "T1190",
    "T1195",
    "T1203",
    "T1210",
    "T1491",
    "T1505",
    "T1550",
    "T1552",
    "T1560",
    "T1561",
    "T1567",
    "T1570",
    "T1571",
    "T1572",
    "T1583",
    "T1585",
    "T1588",
    "T1595",
    "T1654"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.004",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1070.004",
    "T1071.004",
    "T1078.001",
    "T1090.003",
    "T1110.003",
    "T1491.002",
    "T1505.003",
    "T1550.002",
    "T1552.001",
    "T1561.002",
    "T1567.002",
    "T1583.003",
    "T1588.001",
    "T1588.005",
    "T1595.001",
    "T1595.002"
   ]
  },
  {
   "actor_id": "G1004",
   "canonical_name": "LAPSUS$",
   "aliases": [
    "LAPSUS$",
    "DEV-0537",
    "Strawberry Tempest"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 62,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK G1004 states LAPSUS$ targeted government sector (citing MSTIC DEV-0537 Mar 2022).",
     "source": "MSTIC DEV-0537 Mar 2022"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK G1004 states LAPSUS$ targeted manufacturing sector (citing MSTIC DEV-0537 Mar 2022).",
     "source": "MSTIC DEV-0537 Mar 2022"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK G1004 states LAPSUS$ targeted higher education sector (citing MSTIC DEV-0537 Mar 2022).",
     "source": "MSTIC DEV-0537 Mar 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "MITRE ATT&CK G1004 states LAPSUS$ targeted energy sector (citing MSTIC DEV-0537 Mar 2022).",
     "source": "MSTIC DEV-0537 Mar 2022"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK G1004 states LAPSUS$ targeted healthcare sector (citing MSTIC DEV-0537 Mar 2022).",
     "source": "MSTIC DEV-0537 Mar 2022"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK G1004 states LAPSUS$ targeted telecommunications sector (citing MSTIC DEV-0537 Mar 2022).",
     "source": "MSTIC DEV-0537 Mar 2022"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "MITRE ATT&CK G1004 states LAPSUS$ targeted media sector (citing MSTIC DEV-0537 Mar 2022).",
     "source": "MSTIC DEV-0537 Mar 2022"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1004",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1068",
    "T1069",
    "T1078",
    "T1087",
    "T1090",
    "T1098",
    "T1111",
    "T1114",
    "T1133",
    "T1136",
    "T1199",
    "T1204",
    "T1213",
    "T1485",
    "T1489",
    "T1531",
    "T1552",
    "T1555",
    "T1578",
    "T1583",
    "T1584",
    "T1586",
    "T1588",
    "T1589",
    "T1591",
    "T1593",
    "T1597",
    "T1598",
    "T1621",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1003.003",
    "T1003.006",
    "T1069.002",
    "T1078.004",
    "T1087.002",
    "T1098.003",
    "T1114.003",
    "T1136.003",
    "T1213.001",
    "T1213.002",
    "T1213.003",
    "T1213.005",
    "T1552.008",
    "T1555.003",
    "T1555.005",
    "T1578.002",
    "T1578.003",
    "T1583.003",
    "T1584.002",
    "T1586.002",
    "T1588.001",
    "T1588.002",
    "T1589.001",
    "T1589.002",
    "T1591.002",
    "T1591.004",
    "T1593.003",
    "T1597.002",
    "T1598.004",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G1005",
   "canonical_name": "POLONIUM",
   "aliases": [
    "POLONIUM",
    "Plaid Rain"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 11,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK description states POLONIUM targeted critical manufacturing and defense industry companies (citing Microsoft POLONIUM June 2022).",
     "source": "Microsoft POLONIUM June 2022"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK description states POLONIUM targeted information technology companies (citing Microsoft POLONIUM June 2022).",
     "source": "Microsoft POLONIUM June 2022"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1005",
   "cve_ids": [],
   "technique_ids": [
    "T1078",
    "T1090",
    "T1102",
    "T1199",
    "T1567",
    "T1583",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1102.002",
    "T1567.002",
    "T1583.006",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G1006",
   "canonical_name": "Earth Lusca",
   "aliases": [
    "Earth Lusca",
    "TAG-22",
    "Charcoal Typhoon",
    "CHROMIUM",
    "ControlX"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 63,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states Earth Lusca targeted government institutions (TrendMicro EarthLusca 2022).",
     "source": "TrendMicro EarthLusca 2022"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description states Earth Lusca targeted telecommunications companies (TrendMicro EarthLusca 2022).",
     "source": "TrendMicro EarthLusca 2022"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states Earth Lusca targeted educational institutions (TrendMicro EarthLusca 2022).",
     "source": "TrendMicro EarthLusca 2022"
    },
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "MITRE ATT&CK description states Earth Lusca targeted cryptocurrency trading platforms (TrendMicro EarthLusca 2022).",
     "source": "TrendMicro EarthLusca 2022"
    },
    {
     "naics": "71",
     "label": "Arts, Entertainment & Recreation",
     "evidence": "MITRE ATT&CK description states Earth Lusca targeted gambling companies (TrendMicro EarthLusca 2022).",
     "source": "TrendMicro EarthLusca 2022"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states Earth Lusca targeted COVID-19 research organizations (TrendMicro EarthLusca 2022).",
     "source": "TrendMicro EarthLusca 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1006",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1007",
    "T1016",
    "T1018",
    "T1027",
    "T1033",
    "T1036",
    "T1047",
    "T1049",
    "T1053",
    "T1057",
    "T1059",
    "T1090",
    "T1098",
    "T1112",
    "T1140",
    "T1189",
    "T1190",
    "T1204",
    "T1210",
    "T1218",
    "T1482",
    "T1543",
    "T1547",
    "T1548",
    "T1560",
    "T1566",
    "T1567",
    "T1574",
    "T1583",
    "T1584",
    "T1588",
    "T1595",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.006",
    "T1027.003",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.005",
    "T1059.006",
    "T1059.007",
    "T1098.004",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1543.003",
    "T1547.012",
    "T1548.002",
    "T1560.001",
    "T1566.002",
    "T1567.002",
    "T1574.001",
    "T1583.001",
    "T1583.004",
    "T1583.006",
    "T1584.004",
    "T1584.006",
    "T1588.001",
    "T1588.002",
    "T1595.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G1007",
   "canonical_name": "Aoqin Dragon",
   "aliases": [
    "Aoqin Dragon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 13,
   "idf_score": 2.681,
   "exclusive_cve_count": 0,
   "active_year_min": 2010,
   "active_year_max": 2022,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Aoqin Dragon primarily targeted government organizations (SentinelOne Aoqin Dragon June 2022).",
     "source": "SentinelOne Aoqin Dragon June 2022"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "Aoqin Dragon primarily targeted education organizations (SentinelOne Aoqin Dragon June 2022).",
     "source": "SentinelOne Aoqin Dragon June 2022"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Aoqin Dragon primarily targeted telecommunication organizations (SentinelOne Aoqin Dragon June 2022).",
     "source": "SentinelOne Aoqin Dragon June 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1007",
   "cve_ids": [
    "CVE-2010-3333"
   ],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1083",
    "T1091",
    "T1203",
    "T1204",
    "T1570",
    "T1587",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1204.002",
    "T1587.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G1008",
   "canonical_name": "SideCopy",
   "aliases": [
    "SideCopy"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 25,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK profile states SideCopy has primarily targeted Indian and Afghani government personnel (citing MalwareBytes SideCopy Dec 2021).",
     "source": "MalwareBytes SideCopy Dec 2021"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1008",
   "cve_ids": [],
   "technique_ids": [
    "T1016",
    "T1036",
    "T1059",
    "T1082",
    "T1105",
    "T1106",
    "T1204",
    "T1218",
    "T1518",
    "T1566",
    "T1574",
    "T1584",
    "T1598",
    "T1608",
    "T1614"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1059.005",
    "T1204.002",
    "T1218.005",
    "T1518.001",
    "T1566.001",
    "T1574.001",
    "T1584.001",
    "T1598.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G1009",
   "canonical_name": "Moses Staff",
   "aliases": [
    "Moses Staff",
    "DEV-0500",
    "Marigold Sandstorm"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 20,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Cybereason StrifeWater Feb 2022 reports Moses Staff targeted government entities in multiple countries including Israel.",
     "source": "Cybereason StrifeWater Feb 2022"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Cybereason StrifeWater Feb 2022 reports Moses Staff targeted finance companies outside Israel.",
     "source": "Cybereason StrifeWater Feb 2022"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "Cybereason StrifeWater Feb 2022 reports Moses Staff targeted travel companies outside Israel.",
     "source": "Cybereason StrifeWater Feb 2022"
    },
    {
     "naics": "21",
     "label": "Mining, Quarrying, Oil & Gas Extraction",
     "evidence": "Cybereason StrifeWater Feb 2022 reports Moses Staff targeted energy companies outside Israel.",
     "source": "Cybereason StrifeWater Feb 2022"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "Cybereason StrifeWater Feb 2022 reports Moses Staff targeted manufacturing companies outside Israel.",
     "source": "Cybereason StrifeWater Feb 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Cybereason StrifeWater Feb 2022 reports Moses Staff targeted utility companies outside Israel.",
     "source": "Cybereason StrifeWater Feb 2022"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1009",
   "cve_ids": [],
   "technique_ids": [
    "T1016",
    "T1021",
    "T1027",
    "T1082",
    "T1087",
    "T1105",
    "T1190",
    "T1505",
    "T1553",
    "T1587",
    "T1588",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1027.013",
    "T1087.001",
    "T1505.003",
    "T1553.002",
    "T1587.001",
    "T1588.002",
    "T1686.003"
   ]
  },
  {
   "actor_id": "G1011",
   "canonical_name": "EXOTIC LILY",
   "aliases": [
    "EXOTIC LILY"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 22,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK description states EXOTIC LILY targeted IT since Sept 2021, citing Google EXOTIC LILY March 2022.",
     "source": "Google EXOTIC LILY March 2022"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states EXOTIC LILY targeted cybersecurity since Sept 2021, citing Google EXOTIC LILY March 2022.",
     "source": "Google EXOTIC LILY March 2022"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK description states EXOTIC LILY targeted healthcare since Sept 2021, citing Google EXOTIC LILY March 2022.",
     "source": "Google EXOTIC LILY March 2022"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1011",
   "cve_ids": [],
   "technique_ids": [
    "T1102",
    "T1203",
    "T1204",
    "T1566",
    "T1583",
    "T1585",
    "T1589",
    "T1593",
    "T1594",
    "T1597",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1204.001",
    "T1204.002",
    "T1566.001",
    "T1566.002",
    "T1566.003",
    "T1583.001",
    "T1585.001",
    "T1585.002",
    "T1589.002",
    "T1593.001",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G1012",
   "canonical_name": "CURIUM",
   "aliases": [
    "CURIUM",
    "Crimson Sandstorm",
    "TA456",
    "Tortoise Shell",
    "Yellow Liderc"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 29,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "518",
     "label": "Computing Infrastructure Providers, Data Processing & Hosting",
     "evidence": "Symantec Tortoiseshell 2019 reports CURIUM targeting IT service providers in the Middle East.",
     "source": "Symantec Tortoiseshell 2019"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "Proofpoint TA456 Defense Contractor July 2021 reports CURIUM targeting defense contractors.",
     "source": "Proofpoint TA456 Defense Contractor July 2021"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1012",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1041",
    "T1048",
    "T1059",
    "T1082",
    "T1124",
    "T1189",
    "T1204",
    "T1505",
    "T1566",
    "T1583",
    "T1584",
    "T1585",
    "T1598",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1048.002",
    "T1059.001",
    "T1204.002",
    "T1505.003",
    "T1566.001",
    "T1566.003",
    "T1583.001",
    "T1583.003",
    "T1583.004",
    "T1584.006",
    "T1585.001",
    "T1585.002",
    "T1598.003",
    "T1608.004"
   ]
  },
  {
   "actor_id": "G1013",
   "canonical_name": "Metador",
   "aliases": [
    "Metador"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 15,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Metador targeted telecommunication companies and internet service providers (SentinelLabs Metador Sept 2022).",
     "source": "SentinelLabs Metador Sept 2022"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "Metador targeted universities in the Middle East and Africa (SentinelLabs Metador Sept 2022).",
     "source": "SentinelLabs Metador Sept 2022"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1013",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1070",
    "T1071",
    "T1095",
    "T1105",
    "T1546",
    "T1588"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1059.003",
    "T1070.004",
    "T1071.001",
    "T1546.003",
    "T1588.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G1014",
   "canonical_name": "LuminousMoth",
   "aliases": [
    "LuminousMoth"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 42,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "Targeted government entities in Myanmar, Philippines, Thailand and SE Asia (MITRE ATT&CK citing Kaspersky LuminousMoth July 2021 and Bitdefender LuminousMoth July 2021).",
     "source": "Kaspersky LuminousMoth July 2021"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1014",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1030",
    "T1033",
    "T1036",
    "T1041",
    "T1053",
    "T1071",
    "T1083",
    "T1091",
    "T1105",
    "T1112",
    "T1204",
    "T1539",
    "T1547",
    "T1553",
    "T1557",
    "T1560",
    "T1564",
    "T1566",
    "T1567",
    "T1574",
    "T1587",
    "T1588",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1053.005",
    "T1071.001",
    "T1204.001",
    "T1547.001",
    "T1553.002",
    "T1557.002",
    "T1564.001",
    "T1566.002",
    "T1567.002",
    "T1574.001",
    "T1587.001",
    "T1588.001",
    "T1588.002",
    "T1588.004",
    "T1608.001",
    "T1608.004",
    "T1608.005"
   ]
  },
  {
   "actor_id": "G1015",
   "canonical_name": "Scattered Spider",
   "aliases": [
    "Scattered Spider",
    "Roasted 0ktapus",
    "Octo Tempest",
    "Storm-0875",
    "UNC3944"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 83,
   "idf_score": 1.246,
   "exclusive_cve_count": 0,
   "active_year_min": 2026,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MSTIC Octo Tempest Operations October 2023 states initial targeting of telecommunications companies.",
     "source": "MSTIC Octo Tempest Operations October 2023"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MSTIC Octo Tempest Operations October 2023 states expansion in 2023 to manufacturing sector.",
     "source": "MSTIC Octo Tempest Operations October 2023"
    },
    {
     "naics": "44",
     "label": "Retail Trade",
     "evidence": "MSTIC Octo Tempest Operations October 2023 states expansion in 2023 to retail sector.",
     "source": "MSTIC Octo Tempest Operations October 2023"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MSTIC Octo Tempest Operations October 2023 states expansion in 2023 to financial sector.",
     "source": "MSTIC Octo Tempest Operations October 2023"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "MSTIC Octo Tempest Operations October 2023 states expansion in 2023 to hospitality sector.",
     "source": "MSTIC Octo Tempest Operations October 2023"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 3,
   "top_product_categories": [
    [
     "microsoft",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1015",
   "cve_ids": [
    "CVE-2026-20929"
   ],
   "technique_ids": [
    "T1003",
    "T1006",
    "T1016",
    "T1018",
    "T1021",
    "T1041",
    "T1059",
    "T1068",
    "T1069",
    "T1070",
    "T1074",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1098",
    "T1105",
    "T1114",
    "T1133",
    "T1136",
    "T1204",
    "T1213",
    "T1217",
    "T1219",
    "T1484",
    "T1486",
    "T1490",
    "T1530",
    "T1538",
    "T1539",
    "T1543",
    "T1552",
    "T1553",
    "T1555",
    "T1556",
    "T1564",
    "T1567",
    "T1572",
    "T1578",
    "T1580",
    "T1583",
    "T1585",
    "T1588",
    "T1589",
    "T1598",
    "T1621",
    "T1657",
    "T1684",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.003",
    "T1021.001",
    "T1021.004",
    "T1021.007",
    "T1059.001",
    "T1059.004",
    "T1069.002",
    "T1070.008",
    "T1078.004",
    "T1087.002",
    "T1098.003",
    "T1114.003",
    "T1213.003",
    "T1213.005",
    "T1219.002",
    "T1484.002",
    "T1543.002",
    "T1552.001",
    "T1552.004",
    "T1553.002",
    "T1555.005",
    "T1556.006",
    "T1556.009",
    "T1564.008",
    "T1567.002",
    "T1578.002",
    "T1583.001",
    "T1585.001",
    "T1588.001",
    "T1588.002",
    "T1598.003",
    "T1598.004",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G1016",
   "canonical_name": "FIN13",
   "aliases": [
    "FIN13",
    "Elephant Beetle"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 75,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK description states FIN13 has targeted the financial industry (citing Mandiant FIN13 Aug 2022 and Sygnia Elephant Beetle Jan 2022).",
     "source": "Mandiant FIN13 Aug 2022"
    },
    {
     "naics": "44",
     "label": "Retail Trade",
     "evidence": "MITRE ATT&CK description states FIN13 has targeted the retail industry (citing Mandiant FIN13 Aug 2022 and Sygnia Elephant Beetle Jan 2022).",
     "source": "Mandiant FIN13 Aug 2022"
    },
    {
     "naics": "72",
     "label": "Accommodation & Food Services",
     "evidence": "MITRE ATT&CK description states FIN13 has targeted the hospitality industry (citing Mandiant FIN13 Aug 2022 and Sygnia Elephant Beetle Jan 2022).",
     "source": "Mandiant FIN13 Aug 2022"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1016",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1016",
    "T1021",
    "T1036",
    "T1046",
    "T1047",
    "T1049",
    "T1053",
    "T1056",
    "T1059",
    "T1069",
    "T1071",
    "T1074",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1098",
    "T1105",
    "T1133",
    "T1134",
    "T1135",
    "T1136",
    "T1140",
    "T1190",
    "T1505",
    "T1547",
    "T1550",
    "T1552",
    "T1556",
    "T1560",
    "T1564",
    "T1565",
    "T1572",
    "T1574",
    "T1587",
    "T1588",
    "T1589",
    "T1590",
    "T1657"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.003",
    "T1016.001",
    "T1021.001",
    "T1021.002",
    "T1021.004",
    "T1021.006",
    "T1036.004",
    "T1036.005",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1071.001",
    "T1074.001",
    "T1078.001",
    "T1087.002",
    "T1090.001",
    "T1098.007",
    "T1134.003",
    "T1136.001",
    "T1505.003",
    "T1547.001",
    "T1550.002",
    "T1552.001",
    "T1560.001",
    "T1564.001",
    "T1574.001",
    "T1587.001",
    "T1588.002",
    "T1590.004"
   ]
  },
  {
   "actor_id": "G1017",
   "canonical_name": "Volt Typhoon",
   "aliases": [
    "Volt Typhoon",
    "BRONZE SILHOUETTE",
    "Vanguard Panda",
    "DEV-0391",
    "UNC3236",
    "Voltzite",
    "Insidious Taurus",
    "DazedToad"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "PLA"
   },
   "cve_count": 4,
   "technique_count": 98,
   "idf_score": 15.552,
   "exclusive_cve_count": 3,
   "active_year_min": 2025,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "CISA AA24-038A PRC Critical Infrastructure February 2024 reports Volt Typhoon targeting US critical infrastructure organizations for OT pre-positioning.",
     "source": "CISA AA24-038A PRC Critical Infrastructure February 2024"
    },
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     2
    ],
    [
     "other",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1017",
   "cve_ids": [
    "CVE-2025-0283",
    "CVE-2025-64119",
    "CVE-2025-7746",
    "CVE-2026-22813"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1006",
    "T1007",
    "T1010",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1046",
    "T1047",
    "T1049",
    "T1056",
    "T1057",
    "T1059",
    "T1068",
    "T1069",
    "T1070",
    "T1074",
    "T1078",
    "T1083",
    "T1087",
    "T1090",
    "T1105",
    "T1112",
    "T1113",
    "T1120",
    "T1124",
    "T1133",
    "T1140",
    "T1190",
    "T1217",
    "T1218",
    "T1497",
    "T1505",
    "T1518",
    "T1552",
    "T1555",
    "T1560",
    "T1570",
    "T1573",
    "T1584",
    "T1587",
    "T1588",
    "T1589",
    "T1590",
    "T1591",
    "T1592",
    "T1593",
    "T1594",
    "T1596",
    "T1614",
    "T1654",
    "T1680",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.003",
    "T1016.001",
    "T1021.001",
    "T1027.002",
    "T1036.005",
    "T1036.008",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1059.004",
    "T1069.001",
    "T1069.002",
    "T1070.004",
    "T1070.007",
    "T1074.001",
    "T1078.002",
    "T1087.001",
    "T1087.002",
    "T1090.001",
    "T1090.003",
    "T1497.001",
    "T1505.003",
    "T1552.004",
    "T1555.003",
    "T1560.001",
    "T1573.001",
    "T1584.003",
    "T1584.004",
    "T1584.005",
    "T1584.008",
    "T1587.004",
    "T1588.002",
    "T1588.006",
    "T1589.002",
    "T1590.004",
    "T1590.006",
    "T1591.004",
    "T1596.005",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G1018",
   "canonical_name": "TA2541",
   "aliases": [
    "TA2541"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 42,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "481",
     "label": "Air Transportation",
     "evidence": "MITRE ATT&CK description states TA2541 targets aviation industry, citing Proofpoint TA2541 February 2022 and Cisco Operation Layover September 2021.",
     "source": "Proofpoint TA2541 February 2022"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK description states TA2541 targets aerospace industry, citing Proofpoint TA2541 February 2022 and Cisco Operation Layover September 2021.",
     "source": "Cisco Operation Layover September 2021"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK description states TA2541 targets manufacturing industry, citing Proofpoint TA2541 February 2022 and Cisco Operation Layover September 2021.",
     "source": "Proofpoint TA2541 February 2022"
    },
    {
     "naics": "48",
     "label": "Transportation & Warehousing",
     "evidence": "MITRE ATT&CK description states TA2541 targets transportation industry, citing Proofpoint TA2541 February 2022 and Cisco Operation Layover September 2021.",
     "source": "Proofpoint TA2541 February 2022"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states TA2541 targets defense industry, citing Proofpoint TA2541 February 2022 and Cisco Operation Layover September 2021.",
     "source": "Cisco Operation Layover September 2021"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1018",
   "cve_ids": [],
   "technique_ids": [
    "T1016",
    "T1027",
    "T1036",
    "T1047",
    "T1053",
    "T1055",
    "T1059",
    "T1082",
    "T1105",
    "T1204",
    "T1218",
    "T1518",
    "T1547",
    "T1566",
    "T1568",
    "T1573",
    "T1583",
    "T1588",
    "T1608",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1016.001",
    "T1027.002",
    "T1027.013",
    "T1027.015",
    "T1036.005",
    "T1053.005",
    "T1055.012",
    "T1059.001",
    "T1059.005",
    "T1204.001",
    "T1204.002",
    "T1218.005",
    "T1518.001",
    "T1547.001",
    "T1566.001",
    "T1566.002",
    "T1573.002",
    "T1583.001",
    "T1583.006",
    "T1588.001",
    "T1588.002",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G1019",
   "canonical_name": "MoustachedBouncer",
   "aliases": [
    "MoustachedBouncer"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 11,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "Targets foreign embassies in Belarus (MoustachedBouncer ESET August 2023).",
     "source": "ESET MoustachedBouncer August 2023"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1019",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1068",
    "T1074",
    "T1090",
    "T1113",
    "T1659"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1059.001",
    "T1059.007",
    "T1074.002"
   ]
  },
  {
   "actor_id": "G1020",
   "canonical_name": "Mustard Tempest",
   "aliases": [
    "Mustard Tempest",
    "DEV-0206",
    "TA569",
    "GOLD PRELUDE",
    "UNC1543"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 18,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1020",
   "cve_ids": [],
   "technique_ids": [
    "T1036",
    "T1082",
    "T1105",
    "T1189",
    "T1204",
    "T1566",
    "T1583",
    "T1584",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1204.001",
    "T1566.002",
    "T1583.004",
    "T1583.008",
    "T1584.001",
    "T1608.001",
    "T1608.004",
    "T1608.006"
   ]
  },
  {
   "actor_id": "G1021",
   "canonical_name": "Cinnamon Tempest",
   "aliases": [
    "Cinnamon Tempest",
    "DEV-0401",
    "Emperor Dragonfly",
    "BRONZE STARLIGHT",
    "SLIME34"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 1,
   "technique_count": 26,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2023,
   "active_year_max": 2023,
   "sectors": [
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1021",
   "cve_ids": [
    "CVE-2021-4428"
   ],
   "technique_ids": [
    "T1021",
    "T1047",
    "T1059",
    "T1078",
    "T1080",
    "T1090",
    "T1105",
    "T1140",
    "T1190",
    "T1484",
    "T1543",
    "T1567",
    "T1572",
    "T1574",
    "T1588",
    "T1657"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1059.001",
    "T1059.003",
    "T1059.006",
    "T1078.002",
    "T1484.001",
    "T1543.003",
    "T1567.002",
    "T1574.001",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G1022",
   "canonical_name": "ToddyCat",
   "aliases": [
    "ToddyCat"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 38,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states ToddyCat targeted government and military targets (Kaspersky ToddyCat June 2022).",
     "source": "Kaspersky ToddyCat June 2022"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1022",
   "cve_ids": [],
   "technique_ids": [
    "T1005",
    "T1018",
    "T1021",
    "T1036",
    "T1047",
    "T1049",
    "T1053",
    "T1057",
    "T1059",
    "T1069",
    "T1074",
    "T1078",
    "T1083",
    "T1087",
    "T1095",
    "T1106",
    "T1190",
    "T1518",
    "T1560",
    "T1564",
    "T1566",
    "T1567",
    "T1680",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1036.005",
    "T1053.005",
    "T1059.001",
    "T1059.003",
    "T1069.002",
    "T1074.002",
    "T1078.002",
    "T1087.002",
    "T1518.001",
    "T1560.001",
    "T1564.003",
    "T1566.003",
    "T1567.002"
   ]
  },
  {
   "actor_id": "G1023",
   "canonical_name": "APT5",
   "aliases": [
    "APT5",
    "Mulberry Typhoon",
    "MANGANESE",
    "BRONZE FLEETWOOD",
    "Keyhole Panda",
    "UNC2630"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 42,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK states APT5 primarily targets the telecommunications industry (Mandiant Advanced Persistent Threats).",
     "source": "Mandiant Advanced Persistent Threats"
    },
    {
     "naics": "3364",
     "label": "Aerospace Product & Parts Manufacturing",
     "evidence": "MITRE ATT&CK states APT5 primarily targets the aerospace industry (NSA APT5 Citrix Threat Hunting December 2022).",
     "source": "NSA APT5 Citrix Threat Hunting December 2022"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states APT5 primarily targets the defense industry (Microsoft East Asia Threats September 2023).",
     "source": "Microsoft East Asia Threats September 2023"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1023",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1021",
    "T1036",
    "T1049",
    "T1053",
    "T1055",
    "T1056",
    "T1057",
    "T1059",
    "T1070",
    "T1074",
    "T1078",
    "T1083",
    "T1098",
    "T1136",
    "T1190",
    "T1505",
    "T1554",
    "T1560",
    "T1583",
    "T1654",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1021.001",
    "T1021.004",
    "T1036.005",
    "T1053.003",
    "T1056.001",
    "T1059.001",
    "T1059.003",
    "T1070.003",
    "T1070.004",
    "T1070.006",
    "T1074.001",
    "T1078.002",
    "T1078.004",
    "T1098.007",
    "T1136.001",
    "T1505.003",
    "T1560.001",
    "T1583.005"
   ]
  },
  {
   "actor_id": "G1024",
   "canonical_name": "Akira",
   "aliases": [
    "Akira",
    "GOLD SAHARA",
    "PUNK SPIDER",
    "Howling Scorpius"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 24,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2023,
   "active_year_max": 2023,
   "sectors": [
    {
     "naics": "511",
     "label": "Publishing Industries (Including Software)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "network",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1024",
   "cve_ids": [
    "CVE-2023-20263"
   ],
   "technique_ids": [
    "T1018",
    "T1021",
    "T1027",
    "T1036",
    "T1059",
    "T1078",
    "T1133",
    "T1213",
    "T1219",
    "T1482",
    "T1486",
    "T1531",
    "T1558",
    "T1560",
    "T1567",
    "T1657",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1027.001",
    "T1036.005",
    "T1059.001",
    "T1213.002",
    "T1560.001",
    "T1567.002"
   ]
  },
  {
   "actor_id": "G1026",
   "canonical_name": "Malteiro",
   "aliases": [
    "Malteiro"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 19,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "SCILabs Malteiro 2021 describes Malteiro distributing the Mispadu banking trojan to target financial victims in Latin America and Europe.",
     "source": "SCILabs Malteiro 2021"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1026",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1055",
    "T1059",
    "T1082",
    "T1140",
    "T1204",
    "T1518",
    "T1555",
    "T1566",
    "T1614",
    "T1657"
   ],
   "subtechnique_ids": [
    "T1027.013",
    "T1055.001",
    "T1059.005",
    "T1204.002",
    "T1518.001",
    "T1555.003",
    "T1566.001",
    "T1614.001"
   ]
  },
  {
   "actor_id": "G1028",
   "canonical_name": "APT-C-23",
   "aliases": [
    "APT-C-23",
    "Mantis",
    "Arid Viper",
    "Desert Falcon",
    "TAG-63",
    "Grey Karkadann",
    "Big Bang APT",
    "Two-tailed Scorpion"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK states APT-C-23 focused operations on Israeli military assets (symantec_mantis).",
     "source": "Symantec Mantis"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1028",
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G1030",
   "canonical_name": "Agrius",
   "aliases": [
    "Agrius",
    "Pink Sandstorm",
    "AMERICIUM",
    "Agonizing Serpens",
    "BlackShadow"
   ],
   "category": "state",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 30,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1030",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1018",
    "T1021",
    "T1036",
    "T1041",
    "T1046",
    "T1059",
    "T1074",
    "T1078",
    "T1110",
    "T1119",
    "T1140",
    "T1190",
    "T1505",
    "T1543",
    "T1560",
    "T1570",
    "T1583",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1021.001",
    "T1059.003",
    "T1074.001",
    "T1078.002",
    "T1110.003",
    "T1505.003",
    "T1543.003",
    "T1560.001"
   ]
  },
  {
   "actor_id": "G1031",
   "canonical_name": "Saint Bear",
   "aliases": [
    "Saint Bear",
    "Storm-0587",
    "TA471",
    "UAC-0056",
    "Lorec53"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 26,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE notes Saint Bear spoofs government entities for phishing campaigns primarily against targets in Ukraine and Georgia (Palo Alto Unit 42 OutSteel SaintBot February 2022).",
     "source": "Palo Alto Unit 42 OutSteel SaintBot February 2022"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1031",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1112",
    "T1203",
    "T1204",
    "T1497",
    "T1553",
    "T1566",
    "T1583",
    "T1589",
    "T1608",
    "T1684",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1027.002",
    "T1027.013",
    "T1059.001",
    "T1059.003",
    "T1059.007",
    "T1204.001",
    "T1204.002",
    "T1553.002",
    "T1566.001",
    "T1583.006",
    "T1589.002",
    "T1608.001",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G1032",
   "canonical_name": "INC Ransom",
   "aliases": [
    "INC Ransom",
    "GOLD IONIC"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 34,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK description states INC Ransom targeted industrial sector organizations (Bleeping Computer INC Ransomware March 2024).",
     "source": "Bleeping Computer INC Ransomware March 2024"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK description states INC Ransom targeted healthcare sector organizations (Cybereason INC Ransomware November 2023).",
     "source": "Cybereason INC Ransomware November 2023"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states INC Ransom targeted education sector organizations (Secureworks GOLD IONIC April 2024).",
     "source": "Secureworks GOLD IONIC April 2024"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1032",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1036",
    "T1046",
    "T1047",
    "T1049",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1074",
    "T1078",
    "T1087",
    "T1105",
    "T1135",
    "T1190",
    "T1219",
    "T1486",
    "T1537",
    "T1560",
    "T1566",
    "T1569",
    "T1570",
    "T1588",
    "T1657",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1036.005",
    "T1059.003",
    "T1069.002",
    "T1070.004",
    "T1087.002",
    "T1560.001",
    "T1569.002",
    "T1588.002"
   ]
  },
  {
   "actor_id": "G1033",
   "canonical_name": "Star Blizzard",
   "aliases": [
    "Star Blizzard",
    "SEABORGIUM",
    "Callisto Group",
    "TA446",
    "COLDRIVER"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 31,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states persistent phishing against academic organizations (Microsoft Star Blizzard August 2022).",
     "source": "Microsoft Star Blizzard August 2022"
    },
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states persistent phishing against government organizations (CISA Star Blizzard Advisory December 2023).",
     "source": "CISA Star Blizzard Advisory December 2023"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states persistent phishing against defense organizations (Google TAG COLDRIVER January 2024).",
     "source": "Google TAG COLDRIVER January 2024"
    },
    {
     "naics": "54",
     "label": "Professional, Scientific & Technical Services",
     "evidence": "MITRE ATT&CK description states persistent phishing against think tank organizations (Microsoft Star Blizzard August 2022).",
     "source": "Microsoft Star Blizzard August 2022"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1033",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1078",
    "T1114",
    "T1204",
    "T1539",
    "T1550",
    "T1566",
    "T1583",
    "T1585",
    "T1586",
    "T1588",
    "T1589",
    "T1593",
    "T1598",
    "T1608",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1059.007",
    "T1114.002",
    "T1114.003",
    "T1204.002",
    "T1550.004",
    "T1566.001",
    "T1583.001",
    "T1585.001",
    "T1585.002",
    "T1586.002",
    "T1588.002",
    "T1598.002",
    "T1598.003",
    "T1608.001",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G1034",
   "canonical_name": "Daggerfly",
   "aliases": [
    "Daggerfly",
    "Evasive Panda",
    "BRONZE HIGHLAND"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 30,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description states Daggerfly targeted telecommunication companies (Symantec Daggerfly 2023).",
     "source": "Symantec Daggerfly 2023"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK description states Daggerfly targeted government entities (ESET EvasivePanda 2023).",
     "source": "ESET EvasivePanda 2023"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1034",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1012",
    "T1036",
    "T1053",
    "T1059",
    "T1071",
    "T1082",
    "T1105",
    "T1136",
    "T1189",
    "T1195",
    "T1204",
    "T1218",
    "T1553",
    "T1574",
    "T1584",
    "T1587"
   ],
   "subtechnique_ids": [
    "T1003.002",
    "T1036.003",
    "T1053.005",
    "T1059.001",
    "T1071.001",
    "T1136.001",
    "T1195.002",
    "T1204.001",
    "T1218.011",
    "T1553.002",
    "T1574.001",
    "T1584.004",
    "T1587.002"
   ]
  },
  {
   "actor_id": "G1035",
   "canonical_name": "Winter Vivern",
   "aliases": [
    "Winter Vivern",
    "TA473",
    "UAC-0114"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 1,
   "technique_count": 36,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2021,
   "active_year_max": 2021,
   "sectors": [
    {
     "naics": "9211",
     "label": "Executive, Legislative & Other General Government Support",
     "evidence": "MITRE ATT&CK description states Winter Vivern targets 'various European government and NGO entities' (citing CERT-UA WinterVivern 2023, ESET WinterVivern 2023).",
     "source": "CERT-UA WinterVivern 2023"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "81",
     "label": "Other Services (except Public Administration)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1035",
   "cve_ids": [
    "CVE-2021-35207"
   ],
   "technique_ids": [
    "T1020",
    "T1033",
    "T1036",
    "T1041",
    "T1053",
    "T1056",
    "T1059",
    "T1071",
    "T1082",
    "T1083",
    "T1105",
    "T1113",
    "T1114",
    "T1119",
    "T1140",
    "T1189",
    "T1190",
    "T1204",
    "T1566",
    "T1583",
    "T1584",
    "T1595"
   ],
   "subtechnique_ids": [
    "T1036.004",
    "T1053.005",
    "T1056.003",
    "T1059.001",
    "T1059.003",
    "T1059.007",
    "T1071.001",
    "T1114.001",
    "T1204.001",
    "T1566.001",
    "T1583.001",
    "T1583.003",
    "T1584.006",
    "T1595.002"
   ]
  },
  {
   "actor_id": "G1036",
   "canonical_name": "Moonstone Sleet",
   "aliases": [
    "Moonstone Sleet",
    "Storm-1789"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP"
   },
   "cve_count": 0,
   "technique_count": 42,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1036",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1016",
    "T1027",
    "T1033",
    "T1053",
    "T1071",
    "T1082",
    "T1105",
    "T1140",
    "T1195",
    "T1204",
    "T1217",
    "T1486",
    "T1547",
    "T1566",
    "T1569",
    "T1583",
    "T1585",
    "T1587",
    "T1589",
    "T1591",
    "T1598",
    "T1608"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1027.009",
    "T1027.013",
    "T1053.005",
    "T1071.001",
    "T1195.002",
    "T1204.002",
    "T1547.001",
    "T1566.001",
    "T1566.003",
    "T1569.002",
    "T1583.001",
    "T1583.003",
    "T1585.001",
    "T1585.002",
    "T1587.001",
    "T1589.002",
    "T1598.003",
    "T1608.001"
   ]
  },
  {
   "actor_id": "G1037",
   "canonical_name": "TA577",
   "aliases": [
    "TA577"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 11,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1037",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1204",
    "T1566",
    "T1586"
   ],
   "subtechnique_ids": [
    "T1027.009",
    "T1059.003",
    "T1059.007",
    "T1204.001",
    "T1566.002",
    "T1586.002"
   ]
  },
  {
   "actor_id": "G1038",
   "canonical_name": "TA578",
   "aliases": [
    "TA578"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 7,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1038",
   "cve_ids": [],
   "technique_ids": [
    "T1059",
    "T1204",
    "T1583",
    "T1594"
   ],
   "subtechnique_ids": [
    "T1059.007",
    "T1204.001",
    "T1583.006"
   ]
  },
  {
   "actor_id": "G1039",
   "canonical_name": "RedCurl",
   "aliases": [
    "RedCurl"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 60,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "MITRE ATT&CK description states RedCurl targets banks, citing group-ib_redcurl1.",
     "source": "Group-IB RedCurl"
    },
    {
     "naics": "524",
     "label": "Insurance Carriers & Related Activities",
     "evidence": "MITRE ATT&CK description states RedCurl targets insurance companies, citing group-ib_redcurl1.",
     "source": "Group-IB RedCurl"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1039",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1020",
    "T1027",
    "T1036",
    "T1039",
    "T1046",
    "T1053",
    "T1056",
    "T1059",
    "T1070",
    "T1071",
    "T1080",
    "T1082",
    "T1083",
    "T1087",
    "T1102",
    "T1114",
    "T1119",
    "T1199",
    "T1202",
    "T1204",
    "T1218",
    "T1537",
    "T1547",
    "T1552",
    "T1555",
    "T1560",
    "T1564",
    "T1566",
    "T1573",
    "T1587"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1036.005",
    "T1053.005",
    "T1056.002",
    "T1059.001",
    "T1059.003",
    "T1059.005",
    "T1059.006",
    "T1070.004",
    "T1071.001",
    "T1087.001",
    "T1087.002",
    "T1087.003",
    "T1114.001",
    "T1204.001",
    "T1204.002",
    "T1218.011",
    "T1547.001",
    "T1552.001",
    "T1552.002",
    "T1555.003",
    "T1560.001",
    "T1564.001",
    "T1566.001",
    "T1566.002",
    "T1573.001",
    "T1573.002",
    "T1587.001"
   ]
  },
  {
   "actor_id": "G1040",
   "canonical_name": "Play",
   "aliases": [
    "Play"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 35,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "MITRE ATT&CK profile states Play targeted critical infrastructure sectors (CISA Play Ransomware Advisory December 2023).",
     "source": "CISA Play Ransomware Advisory December 2023"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "MITRE ATT&CK profile states Play targeted media sectors (CISA Play Ransomware Advisory December 2023).",
     "source": "CISA Play Ransomware Advisory December 2023"
    },
    {
     "naics": "62",
     "label": "Health Care & Social Assistance",
     "evidence": "MITRE ATT&CK profile states Play targeted healthcare sectors (CISA Play Ransomware Advisory December 2023).",
     "source": "CISA Play Ransomware Advisory December 2023"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "MITRE ATT&CK profile states Play targeted government sectors (CISA Play Ransomware Advisory December 2023).",
     "source": "CISA Play Ransomware Advisory December 2023"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1040",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1030",
    "T1048",
    "T1057",
    "T1059",
    "T1070",
    "T1078",
    "T1082",
    "T1083",
    "T1105",
    "T1133",
    "T1190",
    "T1518",
    "T1560",
    "T1587",
    "T1588",
    "T1657",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.002",
    "T1027.010",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1078.002",
    "T1078.003",
    "T1518.001",
    "T1560.001",
    "T1587.001",
    "T1588.002",
    "T1685.005"
   ]
  },
  {
   "actor_id": "G1041",
   "canonical_name": "Sea Turtle",
   "aliases": [
    "Sea Turtle",
    "Teal Kurma",
    "Marbled Dust",
    "Cosmic Wolf",
    "SILICON"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 40,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "Talos Sea Turtle 2019 and PWC Sea Turtle 2023 report Sea Turtle compromising DNS providers and registrars managing ccTLDs to hijack resolution for espionage.",
     "source": "Talos Sea Turtle 2019"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1041",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1059",
    "T1071",
    "T1074",
    "T1078",
    "T1114",
    "T1133",
    "T1190",
    "T1199",
    "T1203",
    "T1213",
    "T1505",
    "T1557",
    "T1560",
    "T1564",
    "T1566",
    "T1583",
    "T1584",
    "T1588",
    "T1608",
    "T1685",
    "T1690"
   ],
   "subtechnique_ids": [
    "T1027.004",
    "T1059.004",
    "T1071.001",
    "T1074.002",
    "T1078.003",
    "T1114.001",
    "T1213.006",
    "T1505.003",
    "T1560.001",
    "T1564.011",
    "T1583.001",
    "T1583.002",
    "T1583.003",
    "T1584.002",
    "T1588.002",
    "T1588.004",
    "T1608.003",
    "T1685.006"
   ]
  },
  {
   "actor_id": "G1042",
   "canonical_name": "RedEcho",
   "aliases": [
    "RedEcho"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 8,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "2211",
     "label": "Electric Power Generation, Transmission & Distribution",
     "evidence": "RecordedFuture RedEcho 2021/2022 reports document RedEcho intrusions against Indian electric power grid and utility entities.",
     "source": "RecordedFuture RedEcho 2021"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1042",
   "cve_ids": [],
   "technique_ids": [
    "T1071",
    "T1568",
    "T1571",
    "T1573",
    "T1583"
   ],
   "subtechnique_ids": [
    "T1071.001",
    "T1573.002",
    "T1583.001"
   ]
  },
  {
   "actor_id": "G1043",
   "canonical_name": "BlackByte",
   "aliases": [
    "BlackByte",
    "Hecamede"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 3,
   "technique_count": 66,
   "idf_score": 12.871,
   "exclusive_cve_count": 3,
   "active_year_min": 2019,
   "active_year_max": 2026,
   "sectors": [
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "other",
     2
    ],
    [
     "application",
     1
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1043",
   "cve_ids": [
    "CVE-2019-16098",
    "CVE-2026-4368",
    "CVE-2049-16098"
   ],
   "technique_ids": [
    "T1003",
    "T1012",
    "T1016",
    "T1018",
    "T1021",
    "T1036",
    "T1041",
    "T1046",
    "T1047",
    "T1053",
    "T1055",
    "T1059",
    "T1068",
    "T1070",
    "T1071",
    "T1078",
    "T1082",
    "T1087",
    "T1105",
    "T1112",
    "T1134",
    "T1135",
    "T1136",
    "T1140",
    "T1190",
    "T1219",
    "T1480",
    "T1482",
    "T1486",
    "T1490",
    "T1491",
    "T1505",
    "T1518",
    "T1543",
    "T1547",
    "T1560",
    "T1567",
    "T1569",
    "T1570",
    "T1583",
    "T1608",
    "T1614",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.001",
    "T1021.002",
    "T1036.008",
    "T1053.005",
    "T1055.012",
    "T1059.001",
    "T1059.003",
    "T1070.004",
    "T1071.001",
    "T1078.002",
    "T1087.002",
    "T1134.003",
    "T1136.002",
    "T1491.001",
    "T1505.003",
    "T1518.001",
    "T1543.003",
    "T1547.001",
    "T1569.002",
    "T1583.003",
    "T1608.001",
    "T1614.001"
   ]
  },
  {
   "actor_id": "G1044",
   "canonical_name": "APT42",
   "aliases": [
    "APT42"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 47,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1044",
   "cve_ids": [],
   "technique_ids": [
    "T1016",
    "T1036",
    "T1047",
    "T1053",
    "T1056",
    "T1059",
    "T1070",
    "T1071",
    "T1082",
    "T1087",
    "T1102",
    "T1111",
    "T1112",
    "T1113",
    "T1132",
    "T1518",
    "T1530",
    "T1539",
    "T1547",
    "T1555",
    "T1566",
    "T1573",
    "T1583",
    "T1585",
    "T1588",
    "T1608",
    "T1682",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1036.005",
    "T1053.005",
    "T1056.001",
    "T1059.001",
    "T1059.005",
    "T1070.008",
    "T1071.001",
    "T1087.001",
    "T1132.001",
    "T1518.001",
    "T1555.003",
    "T1566.002",
    "T1573.002",
    "T1583.001",
    "T1583.003",
    "T1585.002",
    "T1588.002",
    "T1608.001",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G1045",
   "canonical_name": "Salt Typhoon",
   "aliases": [
    "Salt Typhoon"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN",
    "agency": "MSS"
   },
   "cve_count": 0,
   "technique_count": 23,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK states Salt Typhoon compromises network infrastructure at major U.S. telecommunication and ISP providers (Cisco Salt Typhoon FEB 2025).",
     "source": "Cisco Salt Typhoon FEB 2025"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1045",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1040",
    "T1048",
    "T1098",
    "T1110",
    "T1136",
    "T1190",
    "T1572",
    "T1587",
    "T1588",
    "T1590",
    "T1602",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.004",
    "T1048.003",
    "T1098.004",
    "T1110.002",
    "T1587.001",
    "T1588.002",
    "T1590.004",
    "T1602.002",
    "T1685.006"
   ]
  },
  {
   "actor_id": "G1046",
   "canonical_name": "Storm-1811",
   "aliases": [
    "Storm-1811"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 47,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1046",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1048",
    "T1056",
    "T1059",
    "T1074",
    "T1087",
    "T1105",
    "T1140",
    "T1204",
    "T1219",
    "T1222",
    "T1482",
    "T1486",
    "T1547",
    "T1566",
    "T1570",
    "T1574",
    "T1583",
    "T1585",
    "T1588",
    "T1667",
    "T1684"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1021.004",
    "T1027.013",
    "T1036.005",
    "T1036.010",
    "T1048.002",
    "T1059.001",
    "T1059.003",
    "T1074.001",
    "T1087.002",
    "T1204.002",
    "T1219.002",
    "T1222.001",
    "T1547.001",
    "T1566.002",
    "T1566.003",
    "T1566.004",
    "T1574.001",
    "T1583.001",
    "T1585.003",
    "T1588.002",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G1047",
   "canonical_name": "Velvet Ant",
   "aliases": [
    "Velvet Ant"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 31,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1047",
   "cve_ids": [],
   "technique_ids": [
    "T1021",
    "T1036",
    "T1037",
    "T1040",
    "T1047",
    "T1049",
    "T1055",
    "T1059",
    "T1071",
    "T1078",
    "T1083",
    "T1090",
    "T1132",
    "T1133",
    "T1211",
    "T1569",
    "T1570",
    "T1571",
    "T1573",
    "T1574",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1021.002",
    "T1036.005",
    "T1037.004",
    "T1059.004",
    "T1078.003",
    "T1090.001",
    "T1569.002",
    "T1573.002",
    "T1574.001"
   ]
  },
  {
   "actor_id": "G1048",
   "canonical_name": "UNC3886",
   "aliases": [
    "UNC3886"
   ],
   "category": "state",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 63,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states UNC3886 targets defense organizations (Mandiant Fortinet Zero Day; Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023).",
     "source": "Mandiant Fortinet Zero Day"
    },
    {
     "naics": "517",
     "label": "Telecommunications",
     "evidence": "MITRE ATT&CK description states UNC3886 targets telecommunication organizations (Mandiant Fortinet Zero Day; Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023).",
     "source": "Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023"
    },
    {
     "naics": "334",
     "label": "Computer & Electronic Product Manufacturing",
     "evidence": "MITRE ATT&CK description states UNC3886 targets technology organizations (Mandiant Fortinet Zero Day; Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023).",
     "source": "Mandiant Fortinet Zero Day"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "51",
     "label": "Information",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1048",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1008",
    "T1014",
    "T1021",
    "T1027",
    "T1036",
    "T1037",
    "T1040",
    "T1057",
    "T1059",
    "T1068",
    "T1070",
    "T1074",
    "T1078",
    "T1083",
    "T1095",
    "T1124",
    "T1190",
    "T1203",
    "T1205",
    "T1212",
    "T1218",
    "T1505",
    "T1548",
    "T1554",
    "T1555",
    "T1560",
    "T1564",
    "T1570",
    "T1587",
    "T1588",
    "T1673",
    "T1675",
    "T1681",
    "T1685",
    "T1686",
    "T1690"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.004",
    "T1027.005",
    "T1036.004",
    "T1037.004",
    "T1059.001",
    "T1059.003",
    "T1059.004",
    "T1059.006",
    "T1059.012",
    "T1070.004",
    "T1070.006",
    "T1070.007",
    "T1074.001",
    "T1078.001",
    "T1205.001",
    "T1218.011",
    "T1505.006",
    "T1555.005",
    "T1560.001",
    "T1560.003",
    "T1564.011",
    "T1587.001",
    "T1587.004",
    "T1588.001",
    "T1588.004"
   ]
  },
  {
   "actor_id": "G1049",
   "canonical_name": "AppleJeus",
   "aliases": [
    "AppleJeus",
    "Gleaming Pisces",
    "Citrine Sleet",
    "UNC1720",
    "UNC4736"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP"
   },
   "cve_count": 0,
   "technique_count": 2,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "MITRE ATT&CK description states AppleJeus 'primarily targets the cryptocurrency industry' and conducts extended operations against 'high-value financial targets' (Mandiant DPRK Groups 2023).",
     "source": "Mandiant DPRK Groups 2023"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1049",
   "cve_ids": [],
   "technique_ids": [
    "T1566",
    "T1657"
   ],
   "subtechnique_ids": []
  },
  {
   "actor_id": "G1050",
   "canonical_name": "Water Galura",
   "aliases": [
    "Water Galura",
    "GOLD FEATHER"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 4,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "522",
     "label": "Credit Intermediation & Related Activities (Banking)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "511",
     "label": "Publishing Industries (Including Software)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1050",
   "cve_ids": [],
   "technique_ids": [
    "T1486",
    "T1585",
    "T1657"
   ],
   "subtechnique_ids": [
    "T1585.001"
   ]
  },
  {
   "actor_id": "G1051",
   "canonical_name": "Medusa Group",
   "aliases": [
    "Medusa Group"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 82,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "511",
     "label": "Publishing Industries (Including Software)",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1051",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1046",
    "T1047",
    "T1057",
    "T1059",
    "T1069",
    "T1070",
    "T1071",
    "T1072",
    "T1078",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1105",
    "T1106",
    "T1112",
    "T1135",
    "T1136",
    "T1190",
    "T1218",
    "T1219",
    "T1486",
    "T1489",
    "T1490",
    "T1505",
    "T1518",
    "T1529",
    "T1543",
    "T1548",
    "T1553",
    "T1559",
    "T1564",
    "T1567",
    "T1569",
    "T1570",
    "T1573",
    "T1583",
    "T1585",
    "T1588",
    "T1608",
    "T1650",
    "T1652",
    "T1657",
    "T1685",
    "T1686",
    "T1690"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.003",
    "T1021.001",
    "T1027.002",
    "T1027.010",
    "T1059.001",
    "T1059.003",
    "T1069.002",
    "T1070.003",
    "T1070.004",
    "T1071.001",
    "T1087.001",
    "T1090.003",
    "T1136.002",
    "T1218.014",
    "T1505.003",
    "T1518.001",
    "T1543.003",
    "T1548.002",
    "T1553.002",
    "T1559.001",
    "T1564.003",
    "T1567.002",
    "T1569.002",
    "T1573.002",
    "T1583.006",
    "T1585.001",
    "T1585.002",
    "T1588.002",
    "T1608.002"
   ]
  },
  {
   "actor_id": "G1052",
   "canonical_name": "Contagious Interview",
   "aliases": [
    "Contagious Interview",
    "DeceptiveDevelopment",
    "Gwisin Gang",
    "Tenacious Pungsan",
    "DEV#POPPER",
    "PurpleBravo",
    "TAG-121"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 71,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "MITRE ATT&CK description states focus on individuals engaged in software development, corroborated by multiple reports including Validin Contagious Interview North Korea ClickFix January 2025 and dtex DPRK 2025 structure ITworkers.",
     "source": "Validin Contagious Interview North Korea ClickFix January 2025"
    },
    {
     "naics": "523",
     "label": "Securities, Commodity Contracts & Other Financial Investments",
     "evidence": "MITRE ATT&CK description states focus on cryptocurrency-related activities for theft of cryptocurrency, corroborated by Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024 and Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025.",
     "source": "Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1052",
   "cve_ids": [],
   "technique_ids": [
    "T1027",
    "T1036",
    "T1041",
    "T1048",
    "T1059",
    "T1070",
    "T1071",
    "T1082",
    "T1083",
    "T1090",
    "T1204",
    "T1219",
    "T1480",
    "T1497",
    "T1543",
    "T1546",
    "T1547",
    "T1555",
    "T1566",
    "T1567",
    "T1571",
    "T1573",
    "T1583",
    "T1585",
    "T1587",
    "T1588",
    "T1589",
    "T1593",
    "T1608",
    "T1657",
    "T1681",
    "T1683",
    "T1684",
    "T1685"
   ],
   "subtechnique_ids": [
    "T1027.010",
    "T1027.013",
    "T1048.003",
    "T1059.003",
    "T1059.004",
    "T1059.005",
    "T1059.006",
    "T1059.007",
    "T1070.004",
    "T1071.003",
    "T1204.001",
    "T1204.002",
    "T1204.004",
    "T1204.005",
    "T1219.002",
    "T1543.001",
    "T1546.004",
    "T1547.001",
    "T1547.013",
    "T1555.001",
    "T1566.003",
    "T1567.002",
    "T1573.001",
    "T1583.001",
    "T1583.003",
    "T1583.006",
    "T1585.001",
    "T1585.002",
    "T1587.001",
    "T1588.002",
    "T1588.007",
    "T1593.001",
    "T1593.003",
    "T1608.001",
    "T1683.001",
    "T1683.002",
    "T1684.001"
   ]
  },
  {
   "actor_id": "G1053",
   "canonical_name": "Storm-0501",
   "aliases": [
    "Storm-0501"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 62,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1053",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1021",
    "T1027",
    "T1036",
    "T1053",
    "T1057",
    "T1059",
    "T1078",
    "T1082",
    "T1087",
    "T1098",
    "T1110",
    "T1190",
    "T1218",
    "T1219",
    "T1482",
    "T1484",
    "T1485",
    "T1486",
    "T1490",
    "T1518",
    "T1526",
    "T1530",
    "T1537",
    "T1552",
    "T1555",
    "T1556",
    "T1567",
    "T1578",
    "T1580",
    "T1587",
    "T1588",
    "T1614",
    "T1657"
   ],
   "subtechnique_ids": [
    "T1003.006",
    "T1021.006",
    "T1021.007",
    "T1027.002",
    "T1036.004",
    "T1053.005",
    "T1059.001",
    "T1059.009",
    "T1078.004",
    "T1087.002",
    "T1087.004",
    "T1098.001",
    "T1098.003",
    "T1218.010",
    "T1218.011",
    "T1219.002",
    "T1484.001",
    "T1484.002",
    "T1518.001",
    "T1552.004",
    "T1555.005",
    "T1555.006",
    "T1556.009",
    "T1567.002",
    "T1578.003",
    "T1587.003",
    "T1588.006",
    "T1614.001"
   ]
  },
  {
   "actor_id": "G1054",
   "canonical_name": "MirrorFace",
   "aliases": [
    "MirrorFace",
    "Earth Kasha"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 2,
   "technique_count": 65,
   "idf_score": 7.195,
   "exclusive_cve_count": 0,
   "active_year_min": 2023,
   "active_year_max": 2023,
   "sectors": [
    {
     "naics": "511",
     "label": "Publishing Industries (Including Software)",
     "evidence": "MITRE ATT&CK description states MirrorFace targeted Japanese media organizations (Citation: ESET MirrorFace DEC 2022).",
     "source": "ESET MirrorFace DEC 2022"
    },
    {
     "naics": "92811",
     "label": "National Security",
     "evidence": "MITRE ATT&CK description states MirrorFace targeted Japanese defense organizations (Citation: JPCERT MirrorFace JUL 2024).",
     "source": "JPCERT MirrorFace JUL 2024"
    },
    {
     "naics": "92812",
     "label": "International Affairs",
     "evidence": "MITRE ATT&CK description states MirrorFace targeted Japanese diplomatic organizations (Citation: Trend Micro Earth Kasha NOV 2024).",
     "source": "Trend Micro Earth Kasha NOV 2024"
    },
    {
     "naics": "52",
     "label": "Finance & Insurance",
     "evidence": "MITRE ATT&CK description states MirrorFace targeted Japanese financial organizations (Citation: Kaspersky LODEINFO OCT 2022).",
     "source": "Kaspersky LODEINFO OCT 2022"
    },
    {
     "naics": "31",
     "label": "Manufacturing",
     "evidence": "MITRE ATT&CK description states MirrorFace targeted Japanese manufacturing organizations (Citation: Trend Micro Earth Kasha Updates APR 2025).",
     "source": "Trend Micro Earth Kasha Updates APR 2025"
    },
    {
     "naics": "61",
     "label": "Educational Services",
     "evidence": "MITRE ATT&CK description states MirrorFace targeted Japanese academic organizations (Citation: ESET MirrorFace DEC 2022).",
     "source": "ESET MirrorFace DEC 2022"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "5112",
     "label": "Software Publishers",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "515",
     "label": "Broadcasting",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 0,
   "top_product_categories": [
    [
     "network",
     2
    ]
   ],
   "mitre_url": "https://attack.mitre.org/groups/G1054",
   "cve_ids": [
    "CVE-2023-3466",
    "CVE-2023-3467"
   ],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1007",
    "T1016",
    "T1018",
    "T1021",
    "T1027",
    "T1033",
    "T1036",
    "T1047",
    "T1048",
    "T1057",
    "T1059",
    "T1070",
    "T1071",
    "T1074",
    "T1082",
    "T1083",
    "T1087",
    "T1090",
    "T1114",
    "T1190",
    "T1204",
    "T1221",
    "T1482",
    "T1553",
    "T1556",
    "T1560",
    "T1566",
    "T1574",
    "T1587",
    "T1588",
    "T1591",
    "T1614",
    "T1684",
    "T1685",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1003.002",
    "T1003.003",
    "T1021.001",
    "T1021.002",
    "T1027.013",
    "T1036.008",
    "T1048.002",
    "T1059.003",
    "T1059.005",
    "T1070.004",
    "T1071.002",
    "T1074.002",
    "T1087.002",
    "T1114.001",
    "T1204.002",
    "T1553.002",
    "T1556.002",
    "T1560.001",
    "T1566.001",
    "T1566.002",
    "T1574.001",
    "T1587.001",
    "T1588.002",
    "T1614.001",
    "T1684.001",
    "T1685.005",
    "T1686.003"
   ]
  },
  {
   "actor_id": "G1055",
   "canonical_name": "VOID MANTICORE",
   "aliases": [
    "VOID MANTICORE",
    "COBALT MYSTIQUE",
    "Handala Hack",
    "Homeland Justice",
    "Karma",
    "Karmabelow80",
    "BANISHED KITTEN",
    "Red Sandstorm"
   ],
   "category": "unknown",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 87,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [
    {
     "naics": "92",
     "label": "Public Administration",
     "evidence": "Targeted government entities across Albania, Israel, and US (Check Point VOID MANTICORE Handala Hack March 2026).",
     "source": "Check Point VOID MANTICORE Handala Hack March 2026"
    },
    {
     "naics": "3391",
     "label": "Medical Equipment & Supplies",
     "evidence": "March 2026 wiper attack on Stryker Corporation (medical equipment manufacturer) claimed by Handala Hack (DOJ FBI Handala Hack March 2026).",
     "source": "DOJ FBI Handala Hack March 2026"
    },
    {
     "naics": "22",
     "label": "Utilities",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    },
    {
     "naics": "9221",
     "label": "Justice, Public Order & Safety",
     "evidence": "Regex-derived from MITRE description text",
     "source": "regex"
    }
   ],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": "https://attack.mitre.org/groups/G1055",
   "cve_ids": [],
   "technique_ids": [
    "T1003",
    "T1005",
    "T1021",
    "T1027",
    "T1036",
    "T1041",
    "T1047",
    "T1059",
    "T1071",
    "T1072",
    "T1074",
    "T1078",
    "T1082",
    "T1087",
    "T1098",
    "T1102",
    "T1105",
    "T1110",
    "T1113",
    "T1114",
    "T1119",
    "T1123",
    "T1125",
    "T1133",
    "T1190",
    "T1199",
    "T1204",
    "T1213",
    "T1219",
    "T1484",
    "T1485",
    "T1486",
    "T1490",
    "T1547",
    "T1552",
    "T1560",
    "T1561",
    "T1564",
    "T1566",
    "T1572",
    "T1583",
    "T1585",
    "T1587",
    "T1588",
    "T1589",
    "T1595",
    "T1651",
    "T1657",
    "T1679",
    "T1684",
    "T1686"
   ],
   "subtechnique_ids": [
    "T1003.001",
    "T1021.001",
    "T1027.015",
    "T1036.004",
    "T1036.005",
    "T1059.001",
    "T1059.006",
    "T1071.001",
    "T1078.002",
    "T1078.004",
    "T1087.002",
    "T1110.001",
    "T1110.004",
    "T1114.002",
    "T1204.002",
    "T1213.002",
    "T1219.002",
    "T1484.001",
    "T1547.001",
    "T1552.002",
    "T1560.001",
    "T1561.001",
    "T1561.002",
    "T1564.003",
    "T1583.001",
    "T1583.003",
    "T1583.004",
    "T1583.006",
    "T1585.001",
    "T1585.002",
    "T1587.001",
    "T1588.001",
    "T1588.002",
    "T1595.002",
    "T1684.001",
    "T1686.003"
   ]
  },
  {
   "actor_id": "HACK-AL-TOUFAN",
   "canonical_name": "Al-Toufan",
   "aliases": [
    "Al-Toufan",
    "Anonymous Al-Toufan"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONOPS",
   "canonical_name": "AnonOps",
   "aliases": [
    "AnonOps",
    "AnonOps IRC",
    "Operation Payback core"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 5,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS",
   "canonical_name": "Anonymous",
   "aliases": [
    "Anonymous",
    "AnonOps",
    "AntiSec"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-BRASIL",
   "canonical_name": "Anonymous Brasil",
   "aliases": [
    "Anonymous Brasil",
    "AnonBrasil",
    "Anonymous Brazil"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-COLLECTIVE",
   "canonical_name": "Anonymous Collective",
   "aliases": [
    "Anonymous Collective",
    "Skynet Collective"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-FRANCE",
   "canonical_name": "Anonymous France",
   "aliases": [
    "Anonymous France",
    "AnonFR",
    "OpFrance"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-INDONESIA",
   "canonical_name": "Anonymous Indonesia",
   "aliases": [
    "Anonymous Indonesia",
    "AnonID"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "ID"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-ITALIA",
   "canonical_name": "Anonymous Italia",
   "aliases": [
    "Anonymous Italia",
    "AnonItalia",
    "AnonPlus"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-KOREA",
   "canonical_name": "Anonymous Korea",
   "aliases": [
    "Anonymous Korea",
    "AnonKorea",
    "OpNorthKorea"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-PAKISTAN",
   "canonical_name": "Anonymous Pakistan",
   "aliases": [
    "Anonymous Pakistan",
    "AnonPak"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-PH",
   "canonical_name": "Anonymous Philippines",
   "aliases": [
    "Anonymous Philippines",
    "AnonPH"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "PH"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-RUSSIA",
   "canonical_name": "Anonymous Russia",
   "aliases": [
    "Anonymous Russia",
    "AnonymousRussia",
    "Raty (persona)"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-SPAIN",
   "canonical_name": "Anonymous Spain",
   "aliases": [
    "Anonymous Spain",
    "AnonSpain",
    "OpCataluna"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-SUDAN",
   "canonical_name": "Anonymous Sudan",
   "aliases": [
    "Anonymous Sudan",
    "Storm-1359"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-THAILAND",
   "canonical_name": "Anonymous Thailand",
   "aliases": [
    "Anonymous Thailand",
    "AnonThailand",
    "OpSingleGateway"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ANONYMOUS-VIETNAM",
   "canonical_name": "Anonymous Vietnam",
   "aliases": [
    "Anonymous Vietnam",
    "AnonVN"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-AUERNHEIMER-WEEV",
   "canonical_name": "Andrew Auernheimer ('weev', Goatse Security)",
   "aliases": [
    "Andrew Auernheimer ('weev', Goatse Security)",
    "weev",
    "Andrew Auernheimer"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-BD-NETBIOS",
   "canonical_name": "BD-NETBIOS Cyber Force",
   "aliases": [
    "BD-NETBIOS Cyber Force",
    "BD NETBIOS",
    "Bangladesh NetBIOS"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-BEREGINI",
   "canonical_name": "Beregini",
   "aliases": [
    "Beregini",
    "Beregini Hack"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-BLACK-SHADOW",
   "canonical_name": "Black Shadow",
   "aliases": [
    "Black Shadow",
    "BlackShadow"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-BLACK-SKILLS",
   "canonical_name": "Black Skills",
   "aliases": [
    "Black Skills",
    "Black Owl (KillMilk affiliate)"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-BO-TEAM",
   "canonical_name": "BO Team",
   "aliases": [
    "BO Team",
    "BO_Team"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-BREACHFORUMS-STAFF",
   "canonical_name": "BreachForums staff (Pompompurin)",
   "aliases": [
    "BreachForums staff (Pompompurin)",
    "BreachForums admins",
    "Pompompurin"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-CAUSE-DIA",
   "canonical_name": "Cause Direct Action (CauseDIA)",
   "aliases": [
    "Cause Direct Action (CauseDIA)",
    "CauseDIA"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-CONTI-LEAKS",
   "canonical_name": "Conti Leaks (anti-Russia insider)",
   "aliases": [
    "Conti Leaks (anti-Russia insider)",
    "ContiLeaks",
    "@ContiLeaks"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-CRACKAS-WITH-ATTITUDE",
   "canonical_name": "Crackas With Attitude (Kane Gamble)",
   "aliases": [
    "Crackas With Attitude (Kane Gamble)",
    "Crackas With Attitude",
    "CWA",
    "Kane Gamble",
    "Cracka"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-CULT-DEAD-COW",
   "canonical_name": "Cult of the Dead Cow (cDc)",
   "aliases": [
    "Cult of the Dead Cow (cDc)",
    "Cult of the Dead Cow",
    "cDc",
    "cDc Communications"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-CYBER-AVENGERS",
   "canonical_name": "CyberAv3ngers (IRGC-linked)",
   "aliases": [
    "CyberAv3ngers (IRGC-linked)",
    "CyberAv3ngers",
    "Cyber Av3ngers",
    "Cyber Avengers"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-CYBER-PARTISANS",
   "canonical_name": "Belarusian Cyber Partisans",
   "aliases": [
    "Cyber Partisans",
    "Belarusian Cyber Partisans",
    "\u041a\u0438\u0431\u0435\u0440 \u041f\u0430\u0440\u0442\u0438\u0437\u0430\u043d\u044b"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "BY"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-CYBER-TOUFAN",
   "canonical_name": "Cyber Toufan",
   "aliases": [
    "Cyber Toufan",
    "Cyber Toufan Al-Aqsa",
    "Cyber Toufan Operations"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-DDOS-CRIMEA",
   "canonical_name": "DDoS Crimea",
   "aliases": [
    "DDoS Crimea",
    "Crimea Defense Team"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-DDOSECRETS",
   "canonical_name": "Distributed Denial of Secrets",
   "aliases": [
    "Distributed Denial of Secrets",
    "DDoSecrets",
    "DDOS"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-DRAGON-FORCE-MY",
   "canonical_name": "DragonForce Malaysia",
   "aliases": [
    "DragonForce Malaysia",
    "DragonForce.my"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "MY"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-DRAGONFORCE-PK",
   "canonical_name": "DragonForce Pakistan",
   "aliases": [
    "DragonForce Pakistan",
    "DragonForcePK"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "PK"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-EDALAT-E-ALI",
   "canonical_name": "Edalat-e Ali",
   "aliases": [
    "Edalat-e Ali",
    "Ali's Justice",
    "\u0639\u062f\u0627\u0644\u062a \u0639\u0644\u06cc"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-EMPIRE-HACKER",
   "canonical_name": "Empire Hacking / Hack Forums hacktivist ecosystem",
   "aliases": [
    "Empire Hacking / Hack Forums hacktivist ecosystem",
    "Hack Forums hacktivism",
    "Empire hacking US ecosystem"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-FANCY-LAZARUS",
   "canonical_name": "Fancy Lazarus (DDoS extortion persona)",
   "aliases": [
    "Fancy Lazarus (DDoS extortion persona)",
    "Fancy Lazarus crew"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-FROM-RUSSIA-WITH-LOVE",
   "canonical_name": "FRwL (From Russia with Love)",
   "aliases": [
    "FRwL (From Russia with Love)",
    "FRwL",
    "Z-Team"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-GAZA-CYBERGANG",
   "canonical_name": "Gaza Cybergang (hacktivist persona)",
   "aliases": [
    "Gaza Cybergang (hacktivist persona)",
    "Gaza Hackers Team",
    "Molerats sibling"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-GHOSTSEC",
   "canonical_name": "GhostSec",
   "aliases": [
    "GhostSec",
    "Ghost Security"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-GUACAMAYA",
   "canonical_name": "Guacamaya",
   "aliases": [
    "Guacamaya",
    "Guacamaya Hackers"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-HAMMOND-ANTISEC",
   "canonical_name": "Jeremy Hammond (AntiSec / Stratfor breach)",
   "aliases": [
    "Jeremy Hammond (AntiSec / Stratfor breach)",
    "Jeremy Hammond",
    "Anarchaos"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-HANDALA",
   "canonical_name": "Handala Hack Team",
   "aliases": [
    "Handala Hack Team",
    "Handala",
    "Handala Hacking"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-HONKER-UNION",
   "canonical_name": "Honker Union of China",
   "aliases": [
    "Honker Union of China",
    "\u7ea2\u5ba2\u8054\u76df",
    "Honker Union",
    "HUC"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-INDIAN-CYBER-FORCE",
   "canonical_name": "Indian Cyber Force",
   "aliases": [
    "Indian Cyber Force",
    "ICF"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-INDONESIAN-CYBER-ARMY",
   "canonical_name": "Indonesian Cyber Army",
   "aliases": [
    "Indonesian Cyber Army",
    "ICA",
    "Indo Cyber Army"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-INDONESIAN-DARKNET-PARLIAMENT",
   "canonical_name": "Anonymous Darknet Parliament",
   "aliases": [
    "Anonymous Darknet Parliament",
    "Darknet Parliament"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ISIS-HACKING-DIVISION",
   "canonical_name": "ISIS Hacking Division (Cyber Caliphate)",
   "aliases": [
    "ISIS Hacking Division (Cyber Caliphate)",
    "United Cyber Caliphate",
    "Cyber Caliphate Army",
    "CCA"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-IT-ARMY-UA",
   "canonical_name": "IT Army of Ukraine",
   "aliases": [
    "IT Army of Ukraine",
    "IT Army",
    "Ukraine IT Army"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "UA"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-KARMA",
   "canonical_name": "Karma (IRGC-linked)",
   "aliases": [
    "Karma (IRGC-linked)",
    "N3tw0rm",
    "Karma Group"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-KHALSA-CYBER-FAUJ",
   "canonical_name": "Khalsa Cyber Fauj",
   "aliases": [
    "Khalsa Cyber Fauj",
    "KCF",
    "Khalsa Cyber Force"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-KILLMILK",
   "canonical_name": "Killmilk (KillNet founder persona)",
   "aliases": [
    "Killmilk (KillNet founder persona)",
    "Killmilk"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-KILLNET",
   "canonical_name": "KillNet",
   "aliases": [
    "KillNet"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-LAPSUS-HACKTIVIST",
   "canonical_name": "LAPSUS$ (hacktivist persona)",
   "aliases": [
    "LAPSUS$ (hacktivist persona)",
    "LAPSUS$",
    "Lapsus",
    "WhiteDoxbin"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 4,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-LIZARD-SQUAD",
   "canonical_name": "Lizard Squad",
   "aliases": [
    "Lizard Squad"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 4,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-LULZ-BOAT",
   "canonical_name": "Lulz Boat (LulzSec splinter)",
   "aliases": [
    "Lulz Boat (LulzSec splinter)",
    "The Lulz Boat",
    "LulzSec Reborn",
    "LulzSec Reloaded"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-LULZSEC",
   "canonical_name": "LulzSec",
   "aliases": [
    "LulzSec",
    "Lulz Security"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 5,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-LULZSEC-INDIA",
   "canonical_name": "LulzSec India",
   "aliases": [
    "LulzSec India",
    "LulzSecIndia"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-LULZSEC-PERU",
   "canonical_name": "LulzSec Peru",
   "aliases": [
    "LulzSec Peru",
    "LulzSecPeru"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-MOLERATS-HACKTIVIST",
   "canonical_name": "Molerats (hacktivist persona)",
   "aliases": [
    "Molerats (hacktivist persona)",
    "TA402 public face",
    "Extreme Jackal"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-MONSEGUR-SABU",
   "canonical_name": "Hector Xavier Monsegur ('Sabu', LulzSec/AntiSec)",
   "aliases": [
    "Hector Xavier Monsegur ('Sabu', LulzSec/AntiSec)",
    "Sabu",
    "Hector Monsegur"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-MOSES-STAFF",
   "canonical_name": "Moses Staff",
   "aliases": [
    "Moses Staff",
    "MosesStaff",
    "DEV-0500"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-MR-HAMZA",
   "canonical_name": "Mr Hamza (Algerian hacktivist channel)",
   "aliases": [
    "Mr Hamza (Algerian hacktivist channel)",
    "Mr. Hamza",
    "Mr Hamza"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "DZ"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-MYSTERIOUS-TEAM-BD",
   "canonical_name": "Mysterious Team Bangladesh",
   "aliases": [
    "Mysterious Team Bangladesh",
    "Mysterious Team",
    "MTB"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "BD"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-NB65",
   "canonical_name": "Network Battalion 65 (NB65)",
   "aliases": [
    "Network Battalion 65 (NB65)",
    "NB65"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-NONAME05716",
   "canonical_name": "NoName057(16)",
   "aliases": [
    "NoName057(16)",
    "NoName05716",
    "NoName"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-CHILE",
   "canonical_name": "OpChile",
   "aliases": [
    "OpChile",
    "Operation Chile",
    "Pirate Bay Chile"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-FERGUSON",
   "canonical_name": "OpFerguson",
   "aliases": [
    "OpFerguson",
    "Operation Ferguson",
    "Anonymous Ferguson"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-ICARUS",
   "canonical_name": "OpIcarus",
   "aliases": [
    "OpIcarus",
    "Operation Icarus"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-ISIS",
   "canonical_name": "OpISIS",
   "aliases": [
    "OpISIS",
    "Operation ISIS",
    "Anonymous OpParis"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-KKK",
   "canonical_name": "OpKKK",
   "aliases": [
    "OpKKK",
    "Operation KKK",
    "HoodsOff"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-LAST-RESORT",
   "canonical_name": "OpLastResort",
   "aliases": [
    "OpLastResort",
    "Operation Last Resort"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-MEXICO",
   "canonical_name": "OpMexico",
   "aliases": [
    "OpMexico",
    "Operation Mexico",
    "Anonymous Mexico"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-MYANMAR",
   "canonical_name": "OpMyanmar",
   "aliases": [
    "OpMyanmar",
    "Anonymous Myanmar",
    "Myanmar Hackers"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-OLYMPIC-HOAX",
   "canonical_name": "OpOlympicHoax",
   "aliases": [
    "OpOlympicHoax",
    "OpOlympics"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-OPSAUDI",
   "canonical_name": "OpSaudi",
   "aliases": [
    "OpSaudi",
    "Operation Saudi",
    "Saudi Cyber Army (anti-)"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-SAUDI-ARAMCO",
   "canonical_name": "OpPetrol / Cutting Sword of Justice",
   "aliases": [
    "OpPetrol / Cutting Sword of Justice",
    "Cutting Sword of Justice",
    "OpPetrol"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OP-WHITEROSE",
   "canonical_name": "OpWhiteRose",
   "aliases": [
    "OpWhiteRose",
    "Operation White Rose"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OPISRAEL",
   "canonical_name": "OpIsrael (annual Anonymous-aligned operation)",
   "aliases": [
    "OpIsrael (annual Anonymous-aligned operation)",
    "OpIsrael",
    "#OpIsrael",
    "Op Israel"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-OPJERUSALEM",
   "canonical_name": "OpJerusalem",
   "aliases": [
    "OpJerusalem",
    "OpJerusalem campaign"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-PAKISTAN-CYBER-ARMY",
   "canonical_name": "Pakistan Cyber Army",
   "aliases": [
    "Pakistan Cyber Army",
    "PCA",
    "Pak Cyber Army"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "PK"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-PAY2KEY",
   "canonical_name": "Pay2Key",
   "aliases": [
    "Pay2Key",
    "Pay2Key.Ransom"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-PHANTOM-SQUAD",
   "canonical_name": "Phantom Squad",
   "aliases": [
    "Phantom Squad",
    "PhantomSquad"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-PREDATORY-SPARROW",
   "canonical_name": "Predatory Sparrow",
   "aliases": [
    "Predatory Sparrow",
    "Gonjeshke Darande"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-PROJECT-CHANOLOGY",
   "canonical_name": "Project Chanology",
   "aliases": [
    "Project Chanology",
    "Chanology",
    "OpChanology",
    "Anonymous vs Scientology"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-RAIDFORUMS-STAFF",
   "canonical_name": "RaidForums staff",
   "aliases": [
    "RaidForums staff",
    "Omnipotent (RaidForums founder)"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-RBN-DEFACEMENT-CREW",
   "canonical_name": "RaidForums / BreachForums hacktivist ecosystem",
   "aliases": [
    "RaidForums / BreachForums hacktivist ecosystem",
    "RaidForums",
    "BreachForums",
    "Pompompurin"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-RED-HACKER-ALLIANCE",
   "canonical_name": "Red Hacker Alliance",
   "aliases": [
    "Red Hacker Alliance",
    "\u7ea2\u5ba2\u8054\u76df",
    "Hongke Lianmeng",
    "China Red Hackers"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "CN"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-REDHACK",
   "canonical_name": "RedHack",
   "aliases": [
    "RedHack",
    "Red Hack Turkey",
    "K\u0131z\u0131l Hack"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-RUSTBOLT",
   "canonical_name": "RustBolt",
   "aliases": [
    "RustBolt",
    "RustBolt collective"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-SHINYHUNTERS",
   "canonical_name": "ShinyHunters",
   "aliases": [
    "ShinyHunters",
    "Shiny Hunters"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 4,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-SIEGEDSEC",
   "canonical_name": "SiegedSec",
   "aliases": [
    "SiegedSec"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-SOLDIERS-OF-SOLOMON",
   "canonical_name": "Soldiers of Solomon",
   "aliases": [
    "Soldiers of Solomon",
    "Soldiers of Solomon Group",
    "Edalat-e Ali ally"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-SOLNTSEPYOK",
   "canonical_name": "Solntsepyok (Solntsepek front for GRU Sandworm)",
   "aliases": [
    "Solntsepyok (Solntsepek front for GRU Sandworm)",
    "Solntsepek",
    "Solntsepyok"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-SRI-LANKA-CYBER-FORCE",
   "canonical_name": "Sri Lanka Cyber Force",
   "aliases": [
    "Sri Lanka Cyber Force",
    "SLCF"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-STORM-0784",
   "canonical_name": "Storm-0784",
   "aliases": [
    "Storm-0784",
    "Storm-0784 (Microsoft cluster)"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "IR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-STORMOUS",
   "canonical_name": "Stormous",
   "aliases": [
    "Stormous",
    "Stormous Team"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-SWARTZ-JSTOR",
   "canonical_name": "Aaron Swartz (JSTOR / PACER access)",
   "aliases": [
    "Aaron Swartz (JSTOR / PACER access)",
    "Aaron Swartz"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-SYRIAN-ELECTRONIC-ARMY",
   "canonical_name": "Syrian Electronic Army",
   "aliases": [
    "Syrian Electronic Army",
    "SEA",
    "\u0627\u0644\u062c\u064a\u0634 \u0627\u0644\u0633\u0648\u0631\u064a \u0627\u0644\u0625\u0644\u0643\u062a\u0631\u0648\u0646\u064a"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "SY"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 5,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-TAPANDEGAN",
   "canonical_name": "Tapandegan",
   "aliases": [
    "Tapandegan",
    "Palpitating Hearts",
    "\u062a\u067e\u0646\u062f\u06af\u0627\u0646"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-TEAM-GHOSTSHELL",
   "canonical_name": "Team GhostShell",
   "aliases": [
    "Team GhostShell",
    "GhostShell",
    "DeadMellox crew"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-THE-JESTER",
   "canonical_name": "The Jester",
   "aliases": [
    "The Jester",
    "th3j35t3r",
    "Jester Actual"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-THEDARKOVERLORD",
   "canonical_name": "thedarkoverlord (extortion-hacktivism hybrid)",
   "aliases": [
    "thedarkoverlord (extortion-hacktivism hybrid)",
    "thedarkoverlord",
    "TDO"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-UCA",
   "canonical_name": "Ukrainian Cyber Alliance",
   "aliases": [
    "Ukrainian Cyber Alliance",
    "UCA",
    "UkrCyberAlliance",
    "RUH8",
    "Cyberhunta",
    "FalconsFlame"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-ULBRICHT-DPR",
   "canonical_name": "Ross Ulbricht ('Dread Pirate Roberts', Silk Road)",
   "aliases": [
    "Ross Ulbricht ('Dread Pirate Roberts', Silk Road)",
    "DPR",
    "Dread Pirate Roberts",
    "Ross Ulbricht"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-USDOD",
   "canonical_name": "USDoD",
   "aliases": [
    "USDoD",
    "EquationCorp",
    "NetSec"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 4,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-USERSEC",
   "canonical_name": "UserSec",
   "aliases": [
    "UserSec",
    "UserSec Collective"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-USPS-LEAK-CREW",
   "canonical_name": "USPS leak crew (USPS 2023)",
   "aliases": [
    "USPS leak crew (USPS 2023)",
    "USPS hack 2023"
   ],
   "category": "hacktivist",
   "sponsor": {},
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "HACK-XAKNET",
   "canonical_name": "XakNet Team",
   "aliases": [
    "XakNet Team",
    "XakNet"
   ],
   "category": "hacktivist",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-AIRBUS-CFIUS-2020",
   "canonical_name": "Airbus French-procurement insider disclosure (FR/UK DPA, 2020)",
   "aliases": [
    "Airbus French-procurement insider disclosure (FR/UK DPA, 2020)",
    "Airbus DPA 2020 insider"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-AIRBUS-EUROCOPTER-2012",
   "canonical_name": "Eurocopter (Airbus Helicopters) \u2014 Sikorsky tech transfer 2012",
   "aliases": [
    "Eurocopter (Airbus Helicopters) \u2014 Sikorsky tech transfer 2012",
    "Eurocopter trade-secret case 2012"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-AIRBUS-FRANCE-2015",
   "canonical_name": "Airbus Defence & Space export-control employee case (FR 2015)",
   "aliases": [
    "Airbus Defence & Space export-control employee case (FR 2015)",
    "Airbus DS export control 2015"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-AIRBUS-SUPPLIERS-2019",
   "canonical_name": "Airbus supplier-chain intrusion series (2019)",
   "aliases": [
    "Airbus supplier-chain intrusion series (2019)",
    "Airbus 2019 supplier breach"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ALEYNIKOV-2010",
   "canonical_name": "Sergey Aleynikov",
   "aliases": [
    "Sergei Aleynikov",
    "Sergey Aleynikov"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ASML-CHINA-2024",
   "canonical_name": "ASML China data-misappropriation disclosure (2024)",
   "aliases": [
    "ASML China data-misappropriation disclosure (2024)",
    "ASML 2024 China leak"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ASML-EMPLOYEE-2023",
   "canonical_name": "ASML former employee (PRC IP transfer 2023)",
   "aliases": [
    "ASML former employee (PRC IP transfer 2023)",
    "ASML insider 2023"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ASML-LIU-2015",
   "canonical_name": "Yuanyuan Liu civil settlement (ASML / Xtal cohort)",
   "aliases": [
    "Yuanyuan Liu civil settlement (ASML / Xtal cohort)",
    "Yuanyuan Liu"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ASML-LIU-2022",
   "canonical_name": "Yuanyuan Liu (ASML/Suzhou earlier IP transfer)",
   "aliases": [
    "Yuanyuan Liu (ASML/Suzhou earlier IP transfer)",
    "Yuanyuan Liu",
    "Liu Yuanyuan"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ASML-SHANGHAI-2015",
   "canonical_name": "ASML former employee unauthorised data transfer (NL, 2015)",
   "aliases": [
    "ASML former employee unauthorised data transfer (NL, 2015)",
    "ASML NL 2015 insider"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ASML-XTAL-2018",
   "canonical_name": "Xtal Inc. / Dongfang Jingyuan trade-secret theft (ASML)",
   "aliases": [
    "Xtal Inc. / Dongfang Jingyuan trade-secret theft (ASML)",
    "Xtal",
    "ASML XTAL case"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-AU-DUONG-2023",
   "canonical_name": "Di Sanh Duong (Australia foreign-interference conviction)",
   "aliases": [
    "Di Sanh Duong (Australia foreign-interference conviction)",
    "Di Sanh Duong",
    "Sunny Duong"
   ],
   "category": "insider",
   "sponsor": {
    "country": "AU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-AUSTRALIAN-PLA-PHD-2020",
   "canonical_name": "Australian PLA-PhD-student visa-cancellation cohort (AU, 2020)",
   "aliases": [
    "Australian PLA-PhD-student visa-cancellation cohort (AU, 2020)",
    "Australia PLA PhD 2020"
   ],
   "category": "insider",
   "sponsor": {
    "country": "AU"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-BAESYSTEMS-SFO-2010",
   "canonical_name": "BAE Systems SFO Al-Yamamah insider disclosures",
   "aliases": [
    "BAE Systems SFO Al-Yamamah insider disclosures",
    "BAE Systems Al-Yamamah SFO"
   ],
   "category": "insider",
   "sponsor": {
    "country": "GB"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-BAYER-2018",
   "canonical_name": "Bayer agro-chemistry employee case (DE 2018)",
   "aliases": [
    "Bayer agro-chemistry employee case (DE 2018)",
    "Bayer Leverkusen insider 2018"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-BIOT-ITALY-2024",
   "canonical_name": "Walter Biot (Italian Navy / Russia espionage)",
   "aliases": [
    "Walter Biot (Italian Navy / Russia espionage)",
    "Walter Biot"
   ],
   "category": "insider",
   "sponsor": {
    "country": "IT"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-CAO-TESLA-XPENG-2021",
   "canonical_name": "Guangzhi Cao (Tesla Autopilot source code \u2192 XPeng)",
   "aliases": [
    "Guangzhi Cao (Tesla Autopilot source code \u2192 XPeng)",
    "Guangzhi Cao",
    "Cao Guangzhi"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-CHEN-APPLE-2019",
   "canonical_name": "Jizhong Chen (Apple self-driving)",
   "aliases": [
    "Jizhong Chen (Apple self-driving)",
    "Jizhong Chen",
    "Chen Jizhong"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-CHEN-NOAA-2014",
   "canonical_name": "Sherry Chen (NOAA hydrologist \u2014 charges dropped)",
   "aliases": [
    "Sherry Chen (NOAA hydrologist \u2014 charges dropped)",
    "Xiafen Chen",
    "Sherry Chen"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-CHEN-TSMC-2026",
   "canonical_name": "Chen Li-ming (TSMC 2nm leak to Tokyo Electron)",
   "aliases": [
    "Chen Li-ming (TSMC 2nm leak to Tokyo Electron)",
    "Chen Li-ming",
    "TSMC 2nm leak ringleader"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-CHUN-FBI-2017",
   "canonical_name": "Kun Shan 'Joey' Chun (former FBI technician)",
   "aliases": [
    "Kun Shan 'Joey' Chun (former FBI technician)",
    "Joey Chun",
    "Kun Shan Chun"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-CHUNG-2010",
   "canonical_name": "Dongfan 'Greg' Chung",
   "aliases": [
    "Dongfan 'Greg' Chung",
    "Dongfan Chung",
    "Greg Chung",
    "Chung Dongfan"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-DAIMLER-BENZ-2019",
   "canonical_name": "Mercedes-Benz / Daimler interior-design civil claim (DE 2019)",
   "aliases": [
    "Mercedes-Benz / Daimler interior-design civil claim (DE 2019)",
    "Daimler interior IP 2019"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-DING-GOOGLE-2024",
   "canonical_name": "Linwei 'Leon' Ding (Google AI / TPU architecture)",
   "aliases": [
    "Linwei 'Leon' Ding (Google AI / TPU architecture)",
    "Leon Ding",
    "Linwei Ding"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-EVOBUS-2017",
   "canonical_name": "EvoBus / Daimler bus design civil claim (BGH 2017)",
   "aliases": [
    "EvoBus / Daimler bus design civil claim (BGH 2017)",
    "EvoBus BGH 2017"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-HITACHI-METALS-2012",
   "canonical_name": "Hitachi Metals amorphous-alloy leak (JP, 2012)",
   "aliases": [
    "Hitachi Metals amorphous-alloy leak (JP, 2012)",
    "Hitachi Metals JP 2012"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-HO-2017",
   "canonical_name": "Allen Ho (CB&I/TVA nuclear tech)",
   "aliases": [
    "Allen Ho (CB&I/TVA nuclear tech)",
    "Allen Ho",
    "Szuhsiung Ho",
    "Ho Szu Hsiung"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-HU-TENNESSEE-2021",
   "canonical_name": "Anming Hu (Univ. of Tennessee / NASA disclosure case)",
   "aliases": [
    "Anming Hu (Univ. of Tennessee / NASA disclosure case)",
    "Anming Hu",
    "Hu Anming"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-HYTERA-KOK-2017",
   "canonical_name": "G.S. Kok / Y.T. Kok / S.C. Chia (Motorola \u2192 Hytera engineers)",
   "aliases": [
    "G.S. Kok / Y.T. Kok / S.C. Chia (Motorola \u2192 Hytera engineers)",
    "G.S. Kok",
    "Y.T. Kok",
    "S.C. Chia",
    "Sam Chia"
   ],
   "category": "insider",
   "sponsor": {
    "country": "MY"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-HYUNDAI-MOBIS-2021",
   "canonical_name": "Hyundai Mobis ADAS engineer indictment (KR, 2021)",
   "aliases": [
    "Hyundai Mobis ADAS engineer indictment (KR, 2021)",
    "Hyundai Mobis KR 2021"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-IPCOM-NOKIA-2014",
   "canonical_name": "Hytera / Nokia / Bosch GmbH engineer civil claims",
   "aliases": [
    "Hytera / Nokia / Bosch GmbH engineer civil claims",
    "IPCom-Nokia German civil"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-JAPAN-TOSHIBA-NAND-2018",
   "canonical_name": "Japan Toshiba NAND secondary leak prosecutions (JP, 2018)",
   "aliases": [
    "Japan Toshiba NAND secondary leak prosecutions (JP, 2018)",
    "Toshiba NAND 2018 prosecution"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-JP-DENSO-2014",
   "canonical_name": "Denso engineer trade-secret case (JP, 2014)",
   "aliases": [
    "Denso engineer trade-secret case (JP, 2014)",
    "Denso JP 2014"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-JP-NIPPONSTEEL-2012",
   "canonical_name": "Nippon Steel grain-oriented steel civil case (JP, 2012)",
   "aliases": [
    "Nippon Steel grain-oriented steel civil case (JP, 2012)",
    "Nippon Steel Posco JP 2012"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-KAERI-2021",
   "canonical_name": "KAERI VPN intrusion (South Korea, 2021)",
   "aliases": [
    "KAERI VPN intrusion (South Korea, 2021)",
    "KAERI hack 2021"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-KAERI-INSIDER-2022",
   "canonical_name": "KAERI researcher Industrial Technology Protection Act case (KR, 2022)",
   "aliases": [
    "KAERI researcher Industrial Technology Protection Act case (KR, 2022)",
    "KAERI insider KR 2022"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-KIA-EV-2024",
   "canonical_name": "Kia EV-platform engineer indictment (KR, 2024)",
   "aliases": [
    "Kia EV-platform engineer indictment (KR, 2024)",
    "Kia EV KR 2024"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-KOREA-NIS-DISPLAY-2017",
   "canonical_name": "Samsung Display engineer indictment (KR, 2017)",
   "aliases": [
    "Samsung Display engineer indictment (KR, 2017)",
    "Samsung Display KR 2017"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-KOREA-NIS-DISPLAY-2019",
   "canonical_name": "Samsung Display engineer indictment (KR, 2019 / BOE)",
   "aliases": [
    "Samsung Display engineer indictment (KR, 2019 / BOE)",
    "Samsung Display KR 2019 BOE"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LEE-CIA-2019",
   "canonical_name": "Jerry Chun Shing Lee (former CIA case officer)",
   "aliases": [
    "Jerry Chun Shing Lee (former CIA case officer)",
    "Jerry Lee",
    "Zhen Cheng Li"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LEONARDO-2017",
   "canonical_name": "Leonardo Finmeccanica defence-data theft (IT, 2017)",
   "aliases": [
    "Leonardo Finmeccanica defence-data theft (IT, 2017)",
    "Leonardo insider Naples 2017"
   ],
   "category": "insider",
   "sponsor": {
    "country": "IT"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LEVANDOWSKI-2017",
   "canonical_name": "Anthony Levandowski",
   "aliases": [
    "Anthony Levandowski",
    "Levandowski"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LG-DISPLAY-2020",
   "canonical_name": "LG Display senior engineer (OLED transfer to BOE 2020)",
   "aliases": [
    "LG Display senior engineer (OLED transfer to BOE 2020)",
    "LG Display OLED leak 2020"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LIANG-VW-2017",
   "canonical_name": "James Robert Liang (Volkswagen / Dieselgate engineer)",
   "aliases": [
    "James Robert Liang (Volkswagen / Dieselgate engineer)",
    "James Liang"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LIEBER-2020",
   "canonical_name": "Charles Lieber (Harvard / Thousand Talents)",
   "aliases": [
    "Charles Lieber (Harvard / Thousand Talents)",
    "Charles Lieber",
    "Charles M. Lieber"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LIEW-2014",
   "canonical_name": "Walter Lian-Heen Liew",
   "aliases": [
    "Walter Liew",
    "Walter Lian-Heen Liew",
    "Liew Lian-Heen"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LIU-LOCKHEED-2014",
   "canonical_name": "Mo Yun + co-defendants (Pioneer corn parallel case)",
   "aliases": [
    "Mo Yun + co-defendants (Pioneer corn parallel case)",
    "Mo Yun",
    "Yun Mo"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LIU-RUOPENG-2010",
   "canonical_name": "Liu Ruopeng (Duke \u2192 Kuang-Chi metamaterials)",
   "aliases": [
    "Liu Ruopeng (Duke \u2192 Kuang-Chi metamaterials)",
    "Liu Ruopeng",
    "Ruopeng Liu"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LONG-UTRC-2016",
   "canonical_name": "Yu Long (United Technologies Research Center / F119-F135)",
   "aliases": [
    "Yu Long (United Technologies Research Center / F119-F135)",
    "Yu Long"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LOPEZ-1993",
   "canonical_name": "Jos\u00e9 Ignacio L\u00f3pez de Arriort\u00faa (GM \u2192 VW)",
   "aliases": [
    "Jos\u00e9 Ignacio L\u00f3pez de Arriort\u00faa (GM \u2192 VW)",
    "Jos\u00e9 Ignacio L\u00f3pez de Arriort\u00faa",
    "Inaki Lopez",
    "Jose Lopez"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LOPEZ-BGH-2007",
   "canonical_name": "Klaus-Joachim Gebauer civil action (Volkswagen bribery)",
   "aliases": [
    "Klaus-Joachim Gebauer civil action (Volkswagen bribery)",
    "Gebauer VW affair",
    "Volkswagen labour-relations scandal"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-LU-MEDDEV-2014",
   "canonical_name": "Wenfeng Lu (ev3 / Edwards Lifesciences medical devices)",
   "aliases": [
    "Wenfeng Lu (ev3 / Edwards Lifesciences medical devices)",
    "Wenfeng Lu"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MAK-2007",
   "canonical_name": "Chi Mak (Power Paragon / US Navy quiet propulsion)",
   "aliases": [
    "Chi Mak (Power Paragon / US Navy quiet propulsion)",
    "Chi Mak",
    "Mak Chi"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MAO-CNEX-2020",
   "canonical_name": "Bo Mao (CNEX Labs / Huawei flash-storage IP)",
   "aliases": [
    "Bo Mao (CNEX Labs / Huawei flash-storage IP)",
    "Bo Mao"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MARTIN-2017",
   "canonical_name": "Harold T. Martin III",
   "aliases": [
    "Harold Martin",
    "Harold T. Martin III",
    "Hal Martin"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MAZDA-EV-2020",
   "canonical_name": "Mazda EV-component engineer disclosure (JP, 2020)",
   "aliases": [
    "Mazda EV-component engineer disclosure (JP, 2020)",
    "Mazda JP 2020 EV"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MEDIATEK-2022",
   "canonical_name": "MediaTek senior engineer indictment (TW, 2022)",
   "aliases": [
    "MediaTek senior engineer indictment (TW, 2022)",
    "MediaTek TW 2022"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MITSUBISHI-ELECTRIC-2020",
   "canonical_name": "Mitsubishi Electric engineer (Tianma transfer 2020)",
   "aliases": [
    "Mitsubishi Electric engineer (Tianma transfer 2020)",
    "Mitsubishi Electric LCD leak 2020"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MO-2016",
   "canonical_name": "Mo Hailong (Pioneer corn seeds)",
   "aliases": [
    "Mo Hailong (Pioneer corn seeds)",
    "Mo Hailong",
    "Robert Mo"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-MOINIAN-2022",
   "canonical_name": "Shapour Moinian (former US Army pilot / aviation contractor)",
   "aliases": [
    "Shapour Moinian (former US Army pilot / aviation contractor)",
    "Shapour Moinian"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-NISSAN-MITSUI-2018",
   "canonical_name": "Nissan / Mitsui materials-engineer civil case (JP, 2018)",
   "aliases": [
    "Nissan / Mitsui materials-engineer civil case (JP, 2018)",
    "Nissan Mitsui JP 2018"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-NXP-CHIMERA-2021",
   "canonical_name": "NXP Semiconductors (Chimera intrusion, 2017-2020)",
   "aliases": [
    "NXP Semiconductors (Chimera intrusion, 2017-2020)",
    "NXP Chimera"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-OLYMPUS-WOODFORD-2011",
   "canonical_name": "Michael Woodford (Olympus whistleblower / accounting fraud)",
   "aliases": [
    "Michael Woodford (Olympus whistleblower / accounting fraud)",
    "Michael Woodford",
    "Olympus Woodford"
   ],
   "category": "insider",
   "sponsor": {
    "country": "GB"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-OROURKE-DURABAR-2019",
   "canonical_name": "Robert O'Rourke (Dura-Bar / Jiangsu rival)",
   "aliases": [
    "Robert O'Rourke (Dura-Bar / Jiangsu rival)",
    "Robert O'Rourke"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-PHILIPS-SOLAR-2014",
   "canonical_name": "Philips solar-display employee civil action (NL, 2014)",
   "aliases": [
    "Philips solar-display employee civil action (NL, 2014)",
    "Philips Dutch civil trade secret 2014"
   ],
   "category": "insider",
   "sponsor": {
    "country": "NL"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-RENAULT-2011",
   "canonical_name": "Renault 2011 alleged spy affair (later discredited)",
   "aliases": [
    "Renault 2011 alleged spy affair (later discredited)",
    "Renault 2011",
    "Renault EV spy case 2011"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-RENAULT-EV-2011",
   "canonical_name": "Renault EV-battery 'spy affair' (2011, later debunked)",
   "aliases": [
    "Renault EV-battery 'spy affair' (2011, later debunked)",
    "Renault EV affair",
    "Renault electric-vehicle espionage"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-RENAULT-LIBYA-2011",
   "canonical_name": "Renault EV-program internal investigation (mishandled, 2011)",
   "aliases": [
    "Renault EV-program internal investigation (mishandled, 2011)",
    "Renault EV affair 2011"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SAFRAN-CFM-2018",
   "canonical_name": "Safran-Suzhou JV insiders (CFM/LEAP engine conspiracy)",
   "aliases": [
    "Safran-Suzhou JV insiders (CFM/LEAP engine conspiracy)",
    "Safran-Snecma insider conspiracy"
   ],
   "category": "insider",
   "sponsor": {
    "country": "FR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 3,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SAMSUNG-CXMT-2025",
   "canonical_name": "Ten ex-Samsung employees indicted (DRAM tech \u2192 CXMT)",
   "aliases": [
    "Ten ex-Samsung employees indicted (DRAM tech \u2192 CXMT)",
    "Samsung CXMT 10 indictment",
    "Korea CXMT DRAM case"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SAMSUNG-FOUNDRY-2023",
   "canonical_name": "Samsung Foundry former executive (PRC fab plans 2023)",
   "aliases": [
    "Samsung Foundry former executive (PRC fab plans 2023)",
    "Samsung Foundry leak 2023",
    "Choi Jin-seog"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SAMSUNG-XIAN-2023",
   "canonical_name": "Ex-Samsung executive charged over plan to clone fab in China (2023)",
   "aliases": [
    "Ex-Samsung executive charged over plan to clone fab in China (2023)",
    "Choi Jin-seog",
    "Samsung Xi'an copy-fab case"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SCHULTE-2022",
   "canonical_name": "Joshua Schulte (CIA Vault 7 leak)",
   "aliases": [
    "Joshua Schulte (CIA Vault 7 leak)",
    "Joshua Schulte",
    "Joshua Adam Schulte"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SHIH-UCLA-2019",
   "canonical_name": "Yi-Chi Shih (UCLA / Chengdu GaStone semiconductors)",
   "aliases": [
    "Yi-Chi Shih (UCLA / Chengdu GaStone semiconductors)",
    "Shih Yi-chi",
    "Yi-Chi Shih"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SIEMENS-RAIL-SUMMARY-2023",
   "canonical_name": "Siemens Mobility v. RSS engineers (UK rail signalling)",
   "aliases": [
    "Siemens Mobility v. RSS engineers (UK rail signalling)",
    "Siemens v Yunex RSS UK"
   ],
   "category": "insider",
   "sponsor": {
    "country": "GB"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SIEMENS-YUNEX-UK-2023",
   "canonical_name": "Siemens Mobility v. Rail Signalling Services (UK High Court 2023)",
   "aliases": [
    "Siemens Mobility v. Rail Signalling Services (UK High Court 2023)",
    "Siemens v. RSS",
    "Siemens Mobility UK trade-secret"
   ],
   "category": "insider",
   "sponsor": {
    "country": "GB"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SK-HYNIX-2014",
   "canonical_name": "SK Hynix engineer (SanDisk/Toshiba NAND counter-leak 2014)",
   "aliases": [
    "SK Hynix engineer (SanDisk/Toshiba NAND counter-leak 2014)",
    "SK Hynix NAND case 2014"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SK-HYNIX-HUAWEI-2024",
   "canonical_name": "Former SK Hynix engineer arrested over HiSilicon leak (KR 2024)",
   "aliases": [
    "Former SK Hynix engineer arrested over HiSilicon leak (KR 2024)",
    "SK Hynix HiSilicon insider 2024"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SK-LG-EVBATTERY-2022",
   "canonical_name": "SK Innovation employees referred for EV-battery secrets (KR, 2022)",
   "aliases": [
    "SK Innovation employees referred for EV-battery secrets (KR, 2022)",
    "SK-LG battery 30 employees"
   ],
   "category": "insider",
   "sponsor": {
    "country": "KR"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SNOWDEN-2013",
   "canonical_name": "Edward Snowden",
   "aliases": [
    "Edward Snowden",
    "Snowden"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-STEPNEY-FERRARI-2007",
   "canonical_name": "Nigel Stepney + Mike Coughlan (Ferrari \u2192 McLaren 'Spygate')",
   "aliases": [
    "Nigel Stepney + Mike Coughlan (Ferrari \u2192 McLaren 'Spygate')",
    "Stepneygate",
    "Spygate F1 2007",
    "Nigel Stepney",
    "Mike Coughlan"
   ],
   "category": "insider",
   "sponsor": {
    "country": "IT"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-SU-BIN-2016",
   "canonical_name": "Su Bin (Boeing C-17 / F-22 / F-35 data)",
   "aliases": [
    "Su Bin (Boeing C-17 / F-22 / F-35 data)",
    "Su Bin",
    "Stephen Su",
    "Stephen Subin"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-TAIWAN-MEDIATEK-2020",
   "canonical_name": "MediaTek ex-engineers (Taiwan Trade Secrets Act, 2020)",
   "aliases": [
    "MediaTek ex-engineers (Taiwan Trade Secrets Act, 2020)",
    "MediaTek trade-secret case 2020"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-TAIWAN-NETSPEED-2018",
   "canonical_name": "Bitmain / Taiwan IC-design engineer indictment (TW, 2018)",
   "aliases": [
    "Bitmain / Taiwan IC-design engineer indictment (TW, 2018)",
    "Taiwan IC design 2018"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-TAN-PHILLIPS-2019",
   "canonical_name": "Hongjin Tan (Phillips 66 battery R&D)",
   "aliases": [
    "Hongjin Tan (Phillips 66 battery R&D)",
    "Hongjin Tan"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-THYSSENKRUPP-2016",
   "canonical_name": "ThyssenKrupp industrial-data intrusion (2016)",
   "aliases": [
    "ThyssenKrupp industrial-data intrusion (2016)",
    "ThyssenKrupp 2016 breach"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-TOSHIBA-NAND-2014",
   "canonical_name": "Yoshitaka Sugita (Toshiba NAND theft 2014)",
   "aliases": [
    "Yoshitaka Sugita (Toshiba NAND theft 2014)",
    "Yoshitaka Sugita"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-TSMC-CHANG-2018",
   "canonical_name": "Former TSMC manager indictment (TW, 2018 / HLMC)",
   "aliases": [
    "Former TSMC manager indictment (TW, 2018 / HLMC)",
    "TSMC HLMC 2018 indictment"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-TW-IC-DESIGN-2023",
   "canonical_name": "MTK / Realtek engineer recruitment ring indictment (TW, 2023)",
   "aliases": [
    "MTK / Realtek engineer recruitment ring indictment (TW, 2023)",
    "Taiwan Realtek 2023 ring"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-UMC-JINHUA-CHEN-2020",
   "canonical_name": "Chen Zhengkun (UMC / Fujian Jinhua / Micron DRAM)",
   "aliases": [
    "Chen Zhengkun (UMC / Fujian Jinhua / Micron DRAM)",
    "Stephen Chen",
    "Chen Zhengkun"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-UMC-JINHUA-HE-2020",
   "canonical_name": "He Jianting (UMC / Fujian Jinhua co-defendant)",
   "aliases": [
    "He Jianting (UMC / Fujian Jinhua co-defendant)",
    "J.T. Ho",
    "He Jianting"
   ],
   "category": "insider",
   "sponsor": {
    "country": "TW"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-VW-LIANG-2017",
   "canonical_name": "James Liang (Volkswagen Dieselgate engineer)",
   "aliases": [
    "James Liang (Volkswagen Dieselgate engineer)",
    "James Robert Liang"
   ],
   "category": "insider",
   "sponsor": {
    "country": "DE"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-WANG-APPLE-2023",
   "canonical_name": "Weibao Wang (Apple autonomous-systems source code)",
   "aliases": [
    "Weibao Wang (Apple autonomous-systems source code)",
    "Weibao Wang"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-WANG-GE-2019",
   "canonical_name": "Xiaoqing Zheng (GE turbine technology)",
   "aliases": [
    "Xiaoqing Zheng (GE turbine technology)",
    "Xiaoqing Zheng",
    "Zheng Xiaoqing"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-WANG-TESLA-2023",
   "canonical_name": "Klaus Pflugbeil + Yilong Shao (Tesla battery)",
   "aliases": [
    "Klaus Pflugbeil + Yilong Shao (Tesla battery)",
    "Klaus Pflugbeil",
    "Yilong Shao",
    "Shao Yilong"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-WINNER-2017",
   "canonical_name": "Reality Winner",
   "aliases": [
    "Reality Winner",
    "Reality Leigh Winner"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-XIANG-MONSANTO-2022",
   "canonical_name": "Haitao Xiang (Monsanto / Climate Corp Nutrient Optimizer)",
   "aliases": [
    "Haitao Xiang (Monsanto / Climate Corp Nutrient Optimizer)",
    "Haitao Xiang"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-XU-2019",
   "canonical_name": "Yanjun Xu (MSS officer, GE Aviation case)",
   "aliases": [
    "Yanjun Xu (MSS officer, GE Aviation case)",
    "Yanjun Xu",
    "Xu Yanjun"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-YASKAWA-2019",
   "canonical_name": "Yaskawa Electric industrial-robotics leak (JP, 2019)",
   "aliases": [
    "Yaskawa Electric industrial-robotics leak (JP, 2019)",
    "Yaskawa JP 2019"
   ],
   "category": "insider",
   "sponsor": {
    "country": "JP"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-YE-BU-2020",
   "canonical_name": "Yanqing Ye (PLA lieutenant at Boston University)",
   "aliases": [
    "Yanqing Ye (PLA lieutenant at Boston University)",
    "Yanqing Ye"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-YOU-COCACOLA-2022",
   "canonical_name": "Xiaorong 'Shannon' You (Coca-Cola / Eastman BPA-free coatings)",
   "aliases": [
    "Xiaorong 'Shannon' You (Coca-Cola / Eastman BPA-free coatings)",
    "Xiaorong You",
    "Shannon You"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 7,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-YU-ADI-2022",
   "canonical_name": "Haoyang 'Jack' Yu (Analog Devices / Tricon MMIC)",
   "aliases": [
    "Haoyang 'Jack' Yu (Analog Devices / Tricon MMIC)",
    "Jack Yu",
    "Haoyang Yu"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ZHANG-APPLE-2018",
   "canonical_name": "Xiaolang Zhang (Apple self-driving)",
   "aliases": [
    "Xiaolang Zhang (Apple self-driving)",
    "Xiaolang Zhang",
    "Zhang Xiaolang"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 1,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "INS-ZHANG-FBAR-2020",
   "canonical_name": "Hao Zhang (FBAR / Avago / Skyworks)",
   "aliases": [
    "Hao Zhang (FBAR / Avago / Skyworks)",
    "Hao Zhang",
    "Tianjin FBAR case"
   ],
   "category": "insider",
   "sponsor": {
    "country": "US"
   },
   "cve_count": 0,
   "technique_count": 0,
   "idf_score": 0.0,
   "exclusive_cve_count": 0,
   "active_year_min": null,
   "active_year_max": null,
   "sectors": [],
   "victim_count": 2,
   "top_product_categories": [],
   "mitre_url": null,
   "cve_ids": [],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "MISP-21b349c3",
   "canonical_name": "Clop",
   "aliases": [
    "Clop",
    "Cl0p"
   ],
   "category": "criminal",
   "sponsor": {},
   "cve_count": 3,
   "technique_count": 0,
   "idf_score": 11.485,
   "exclusive_cve_count": 1,
   "active_year_min": 2023,
   "active_year_max": 2023,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "network",
     3
    ]
   ],
   "mitre_url": null,
   "cve_ids": [
    "CVE-2023-3466",
    "CVE-2023-3467",
    "CVE-2023-4967"
   ],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "MISP-2ce00149",
   "canonical_name": "Chernovite",
   "aliases": [
    "Chernovite"
   ],
   "category": "state",
   "sponsor": {
    "country": "RU"
   },
   "cve_count": 1,
   "technique_count": 0,
   "idf_score": 4.29,
   "exclusive_cve_count": 1,
   "active_year_min": 2020,
   "active_year_max": 2020,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "network",
     1
    ]
   ],
   "mitre_url": null,
   "cve_ids": [
    "CVE-2020-15368"
   ],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "MISP-47945864",
   "canonical_name": "Storm-0530",
   "aliases": [
    "Storm-0530",
    "DEV-0530",
    "H0lyGh0st"
   ],
   "category": "state",
   "sponsor": {
    "country": "KP"
   },
   "cve_count": 11,
   "technique_count": 0,
   "idf_score": 31.946,
   "exclusive_cve_count": 0,
   "active_year_min": 2018,
   "active_year_max": 2022,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     9
    ],
    [
     "linux",
     3
    ],
    [
     "microsoft",
     2
    ],
    [
     "macos",
     1
    ],
    [
     "network",
     1
    ]
   ],
   "mitre_url": null,
   "cve_ids": [
    "CVE-2017-4946",
    "CVE-2019-15637",
    "CVE-2021-3018",
    "CVE-2021-40684",
    "CVE-2021-44142",
    "CVE-2021-45837",
    "CVE-2022-22005",
    "CVE-2022-24663",
    "CVE-2022-24664",
    "CVE-2022-24665",
    "CVE-2022-24785"
   ],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "MISP-705e03d1",
   "canonical_name": "Crypt32",
   "aliases": [
    "Crypt32"
   ],
   "category": "criminal",
   "sponsor": {},
   "cve_count": 3,
   "technique_count": 0,
   "idf_score": 12.871,
   "exclusive_cve_count": 3,
   "active_year_min": 2020,
   "active_year_max": 2020,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "microsoft",
     3
    ]
   ],
   "mitre_url": null,
   "cve_ids": [
    "CVE-2020-0609",
    "CVE-2020-0610",
    "CVE-2020-0611"
   ],
   "technique_ids": [],
   "subtechnique_ids": []
  },
  {
   "actor_id": "MISP-995c3772",
   "canonical_name": "Maui ransomware",
   "aliases": [
    "Maui ransomware"
   ],
   "category": "criminal",
   "sponsor": {},
   "cve_count": 11,
   "technique_count": 0,
   "idf_score": 31.946,
   "exclusive_cve_count": 0,
   "active_year_min": 2018,
   "active_year_max": 2022,
   "sectors": [],
   "victim_count": 0,
   "top_product_categories": [
    [
     "application",
     9
    ],
    [
     "linux",
     3
    ],
    [
     "microsoft",
     2
    ],
    [
     "macos",
     1
    ],
    [
     "network",
     1
    ]
   ],
   "mitre_url": null,
   "cve_ids": [
    "CVE-2017-4946",
    "CVE-2019-15637",
    "CVE-2021-3018",
    "CVE-2021-40684",
    "CVE-2021-44142",
    "CVE-2021-45837",
    "CVE-2022-22005",
    "CVE-2022-24663",
    "CVE-2022-24664",
    "CVE-2022-24665",
    "CVE-2022-24785"
   ],
   "technique_ids": [],
   "subtechnique_ids": []
  }
 ]
}