Skip to content

Commit 3202f6f

Browse files
poliveriapoliveria
committed
Update threat actor naming table with new entries
Added new threat actor entries: Oka Flood, Pepper Typhoon, Storm-2460, Storm-2477, and Storm-2657. Updated and reorganized the table to reflect these changes and removed the duplicate Storm-1679 entry. Also updated the document date to 11/07/2025.
1 parent 172e442 commit 3202f6f

File tree

1 file changed

+6
-2
lines changed

1 file changed

+6
-2
lines changed

unified-secops-platform/microsoft-threat-actor-naming.md

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ ms.custom:
1818
- cx-ti
1919
ms.topic: article
2020
search.appverid: met150
21-
ms.date: 10/15/2025
21+
ms.date: 11/07/2025
2222
---
2323

2424
# How Microsoft names threat actors
@@ -118,12 +118,14 @@ The following table lists publicly disclosed threat actor names with their origi
118118
|Night Tsunami|Israel|DEV-0336|
119119
|Nylon Typhoon|China|NICKEL, VIXEN PANDA, Playful Dragon, RedRiver, ke3chang, APT15, Mirage|
120120
|[Octo Tempest](https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/)|Financially motivated| SCATTERED SPIDER, 0ktapus|
121+
|[Oka Flood](https://blogs.microsoft.com/on-the-issues/2024/09/17/russian-election-interference-efforts-focus-on-the-harris-walz-campaign/)|Russia, Influence operations|Storm-1679|
121122
|Onyx Sleet|North Korea|PLUTONIUM, SILENT CHOLLIMA, StoneFly, Tdrop2 campaign, DarkSeoul, Black Chollima, Andariel, APT45|
122123
|Opal Sleet|North Korea|OSMIUM, VELVET CHOLLIMA, Planedown, Konni, APT43|
123124
|Patched Lightning||Storm-0113|
124125
|[Peach Sandstorm](https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/)|Iran|HOLMIUM, REFINED KITTEN, APT33, Elfin|
125126
|Pearl Sleet|North Korea|LAWRENCIUM|
126127
|Periwinkle Tempest|Russia|DEV-0193, WIZARD SPIDER|
128+
|Pepper Typhoon|China|LIMINAL PANDA, CL-STA-0969|
127129
|Phlox Tempest|Israel, Financially motivated|DEV-0796|
128130
|Pink Sandstorm|Iran|AMERICIUM, SPECTRAL KITTEN, Agrius, Deadwood, BlackShadow, SharpBoys, FireAnt, Justice Blade|
129131
|Pinstripe Lightning||NIOBIUM, RENEGADE JACKAL, Desert Falcons, Scimitar, Arid Viper|
@@ -174,7 +176,6 @@ The following table lists publicly disclosed threat actor names with their origi
174176
|[Storm-1567](https://www.microsoft.com/en-us/security/blog/2023/10/11/automatic-disruption-of-human-operated-attacks-through-containment-of-compromised-user-accounts/)|Financially motivated|PUNK SPIDER|
175177
| [Storm-1607](https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/) | Group in development ||
176178
|[Storm-1674](https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/)|Financially motivated||
177-
|[Storm-1679](https://blogs.microsoft.com/on-the-issues/2024/09/17/russian-election-interference-efforts-focus-on-the-harris-walz-campaign/)|Influence operations||
178179
|[Storm-1811](https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/)|Financially motivated|CURLY SPIDER|
179180
|Storm-1849|China|UAT4356|
180181
|[Storm-1865](https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/)|Group in development||
@@ -183,7 +184,10 @@ The following table lists publicly disclosed threat actor names with their origi
183184
|[Storm-2077](https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/#storm-2077)|China|TAG-100|
184185
|[Storm-2246](https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/)|Group in development||
185186
|[Storm-2372](https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/)|Group in development||
187+
|[Storm-2460](https://www.microsoft.com/en-us/security/blog/2025/08/18/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework/)|Group in development||
188+
|[Storm-2477](https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/)|Group in development|Lumma Stealer|
186189
|[Storm-2603](https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/)|China||
190+
|[Storm-2657](https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/)|United States, Financially motivated|Payroll Pirates|
187191
|Strawberry Tempest|Financially motivated|DEV-0537, SLIPPY SPIDER, LAPSUS$|
188192
|Sunglow Blizzard||DEV-0665|
189193
|Swirl Typhoon|China|TELLURIUM, STALKER PANDA, Tick, Bronze Butler, REDBALDKNIGHT|

0 commit comments

Comments
 (0)