Adversary catalogue, observed not narrated
A living catalogue of thousands of adversary clusters — from nation-state operators and ransomware crews to commodity malware families and bulletproof-host operators. Every profile is built from observed indicator atoms, not vendor marketing.
A profile is the union of observed indicator atoms, MITRE technique frequency, target geography distribution, and infrastructure-overlap signals — recomputed continuously.
Indicator-derived, not press-release-derived
An adversary profile in HACKFORLAB is the union of everything observed about a cluster, structured for query. The profile records every indicator atom attributed to the cluster — IPs, domains, hashes, URLs, certificate fingerprints — with timestamps and confidence scores. It records every MITRE technique the cluster has been observed using, ranked by frequency and trend. It records the geographic distribution of targeting based on inferred victimology. It records industry targeting based on lure language, sector-specific tradecraft, and infrastructure overlap with known campaigns against named industries. It records aliases — operators often appear under multiple names from different reporting sources, and the platform maintains an alias graph.
What the profile does not contain is vendor prose. The cluster’s behaviour is derived from observation, not from narrative description. When you query a profile, you see the data the assertions are derived from. When the data changes, the profile updates. When tradecraft shifts, the technique frequency chart reflects that shift within the cycle.
Profile methodology is documented and reproducible. The same indicator inputs produce the same cluster assignment. Cross-cluster overlap analysis is computed continuously, so when two clusters start sharing infrastructure or tradecraft, the overlap surfaces as a graph edge rather than as a footnote in next quarter’s report.
Adversaries observed in current cycle
Indicator counts reflect observations in the catalogue. A profile may span multiple campaigns and aliases.
CobaltStrike
Offensive Tooling
Commercial post-exploitation framework now repurposed by adversary clusters across all tiers. Heavy presence in cloud-native engagements. Beacon configurations recovered from sandbox detonations are tagged against ATT&CK with each operator variant tracked separately.
57,571 indicators observed
Mirai
IoT Botnet
IoT-targeting botnet variants observed continuously across global edge networks. Telnet, SSH, and HTTP brute-force vectors. Mirai-family infections often signal a downstream proxy or DDoS-for-hire infrastructure capability.
10,195 indicators observed
Mozi
P2P Botnet
Peer-to-peer botnet with persistent infrastructure on residential and small-business networks. DHT-based command channel makes traditional sinkholing ineffective. Long-tailed presence in indicator volume.
5,185 indicators observed
DPRK
Nation-State Cluster
Long-running operator cluster aligned to North Korea-linked operations. Financial sector and cryptocurrency exchange targeting. Tooling reuse across campaigns provides infrastructure-overlap signal even when payloads vary.
4,835 indicators observed
Clearfake
Web Inject Campaign
Fake browser-update lure campaign delivering second-stage stealer payloads across compromised CMS instances. Distribution surface shifts weekly as compromised sites are remediated and new ones are added.
4,400 indicators observed
Formbook
Info-stealer
Commercially available information-stealing malware-as-a-service. Document-based delivery, email and clipboard targeting. Steady baseline volume punctuated by campaign-driven spikes.
875 indicators observed
AgentTesla
Info-stealer
Long-lived information stealer with keylogging and credential harvest capabilities. Wide telemetry presence across phishing-delivered campaigns. Variant ecosystem is highly fragmented.
871 indicators observed
StrelaStealer
Credential Theft
Email-client credential theft tool active across Western European target environments. Particular focus on Outlook and Thunderbird configurations.
835 indicators observed
Profile methodology
Indicator atoms
IPs, domains, URLs, file hashes, command-and-control infrastructure, lure documents. Time-stamped, confidence-scored. Source-traceable.
TTP frequency
Every observed technique counted and ranked against the cluster’s historical pattern. Shifts in tradecraft surface immediately rather than waiting for quarterly review.
Targeting signal
Industry sectors and geographies inferred from victimology mentions, lure language, and infrastructure placement. Updated continuously as new observations land.
Overlap analysis
Infrastructure and TTP overlap with other clusters is computed continuously to highlight likely shared operators or tooling. Graph edges expose the relationships.
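The four methodology points above (confidence-scored indicator atoms, technique frequency ranking, and continuously computed infrastructure/TTP overlap surfacing as graph edges) can be reproduced in miniature. The following is an added illustration, not HACKFORLAB's own code or schema: it assumes a hypothetical atom record of (kind, value, first_seen, confidence, source), uses Jaccard similarity as the overlap measure, and runs on constructed sample data drawn from reserved example address and domain ranges rather than real indicators.

```python
"""Toy reconstruction of an indicator-derived adversary profile.

Assumed data model (hypothetical, not the platform's real schema): an indicator
atom is a (kind, value, first_seen, confidence, source) record attributed to a
cluster; techniques are ATT&CK IDs recorded once per sighting. Overlap between
two clusters is the Jaccard similarity of their infrastructure atoms and of
their technique sets; a pair above a threshold becomes a graph edge.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Atom:
    kind: str          # "ip", "domain", "sha256", "url", "cert_fp"
    value: str
    first_seen: date
    confidence: float  # 0.0 .. 1.0, assigned by the reporting source or analyst
    source: str        # where the observation came from (source traceability)


# Constructed sample data: RFC 5737 addresses and RFC 2606 domains, not real IoCs.
CLUSTERS = {
    "cluster-A": {
        "atoms": [
            Atom("ip", "192.0.2.10", date(2024, 3, 1), 0.9, "sandbox"),
            Atom("ip", "192.0.2.11", date(2024, 3, 2), 0.6, "sandbox"),
            Atom("domain", "update.example.net", date(2024, 3, 5), 0.8, "pdns"),
            Atom("sha256", "aa" * 32, date(2024, 3, 5), 0.95, "sandbox"),
        ],
        "techniques": ["T1059.001", "T1059.001", "T1071.001", "T1105", "T1059.001"],
    },
    "cluster-B": {
        "atoms": [
            Atom("ip", "192.0.2.10", date(2024, 4, 1), 0.7, "honeypot"),
            Atom("domain", "update.example.net", date(2024, 4, 3), 0.5, "pdns"),
            Atom("domain", "cdn.example.org", date(2024, 4, 4), 0.9, "pdns"),
            Atom("sha256", "bb" * 32, date(2024, 4, 4), 0.9, "sandbox"),
        ],
        "techniques": ["T1071.001", "T1105", "T1566.001"],
    },
    "cluster-C": {
        "atoms": [
            Atom("ip", "198.51.100.7", date(2024, 5, 1), 0.8, "honeypot"),
            Atom("url", "http://198.51.100.7/x", date(2024, 5, 1), 0.8, "honeypot"),
        ],
        "techniques": ["T1566.001", "T1204.002"],
    },
}

# File hashes identify payloads, not infrastructure, so they are excluded from
# infrastructure overlap (the page notes payloads vary while infrastructure repeats).
INFRA_KINDS = {"ip", "domain", "url", "cert_fp"}


def infra_set(cluster, min_conf=0.0):
    """Infrastructure atoms at or above a confidence floor, as (kind, value) pairs."""
    return {(a.kind, a.value) for a in cluster["atoms"]
            if a.kind in INFRA_KINDS and a.confidence >= min_conf}


def technique_frequency(cluster):
    """ATT&CK techniques ranked by observation count, most frequent first."""
    return Counter(cluster["techniques"]).most_common()


def jaccard(a, b):
    """Jaccard similarity; two empty sets share nothing, so 0.0 rather than a ZeroDivisionError."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def overlap_edges(clusters, min_conf=0.6, threshold=0.2):
    """Pairwise infrastructure and TTP overlap; pairs above threshold become graph edges."""
    edges = []
    for x, y in combinations(sorted(clusters), 2):
        infra = jaccard(infra_set(clusters[x], min_conf), infra_set(clusters[y], min_conf))
        ttp = jaccard(set(clusters[x]["techniques"]), set(clusters[y]["techniques"]))
        if infra >= threshold or ttp >= threshold:
            edges.append((x, y, round(infra, 3), round(ttp, 3)))
    return edges


if __name__ == "__main__":
    for name, cluster in CLUSTERS.items():
        print(name, technique_frequency(cluster))
    print("edges (confidence >= 0.6):", overlap_edges(CLUSTERS))
    print("edges (all atoms):        ", overlap_edges(CLUSTERS, min_conf=0.0))
```

Running it with the default confidence floor yields an A-B edge (one shared IP, two shared techniques) and a weaker B-C edge on TTPs alone; dropping the floor to 0.0 lets cluster-B's low-confidence sighting of `update.example.net` count and doubles the A-B infrastructure score. That sensitivity is why the per-atom confidence score is part of the methodology: an overlap edge is only as trustworthy as the weakest atom it rests on, and a consumer should be able to see which atoms produced it.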