
Cleaver Is Five Iranian APTs. PLA Navy Is Three Pandas. Grizzly Steppe Is Two Intelligence Services. The Vendor Naming Graph In Public.

  • Writer: Patrick Duggan
  • 5 min read

The DugganUSA blog ran a post on May 13 titled "ClickFix Is Konni Is PySoxy. Three Vendor Labels, One IP." The single-IP version of the thesis: vendor attribution fragmentation provides operational camouflage for the threat actor. Three analyst teams looking at the same infrastructure produce three different campaign labels at three different abstraction levels, and the defender ends up tracking a phantom three-campaign threat instead of the real one-operator threat.


Today we ran the same analysis at corpus scale on our adversaries index. Three hundred and sixty-six tracked threat actor records. One hundred and nineteen of them carry two or more synonyms. The synonym graph reveals nineteen bridge nodes — alias names that are explicitly claimed by two or more distinct adversary records. The bridges tell you which named actors are observations of the same underlying entity, broken into different records because different analyst teams named them differently at different times.


The bridges also reveal three completely different topologies depending on the geography of the operator. This post catalogs the receipts.



The Iran cluster — hub-and-spoke around Cleaver


Cleaver, the threat-actor name first published by Cylance in their 2014 Operation Cleaver report, sits in the middle of a five-spoke graph in our adversaries index. Each of the spokes is a separately-tracked actor name in the threat-intel literature.


Cleaver shares the alias TG-2889 with Cutting Kitten. Cleaver shares Temp.Beanie with Rocket Kitten. Cleaver shares Cobalt Gypsy with OilRig. Cleaver shares Group 41 with Clever Kitten. Cleaver shares the alias APT 35 with the APT35 record itself, which itself is associated with the Magic Hound campaign cluster.


Five named threat actors. One hub. The synonym overlaps are not analysis we are doing — they are explicitly claimed by the adversary records themselves, in fields populated from MITRE ATT&CK and other published attribution sources. If you read a Mandiant report about OilRig and a CrowdStrike report about Rocket Kitten and a Cisco Talos report about Magic Hound, you are reading three vendors' independently-collected observation windows of operators whose underlying alias graph collapses to Cleaver.


The defender implication: every Cleaver-spoke detection ruleset that a SOC has built against one of these five names is probably under-attributing detections to the others. The infrastructure-first defender posture cuts through this. The operator does not change their TLS template when a different vendor decides to give them a new code name.



The China cluster — multi-bridge mesh


China does not have a single hub. China has bridges between sub-clusters. Five distinct synonym overlaps map the mesh.


The alias "PLA Navy" is explicitly claimed by three separately-tracked adversaries: Maverick Panda, Samurai Panda, and Wekby. Three named-actor records, three different writeups in three different vendor blogs, one People's Liberation Army naval-intelligence unit underneath. The defender who treats them as three groups is building three separate detection contexts for what the published attribution data says is one unit.


Shell Crew bridges Codoso (APT19) and Hurricane Panda via the "Black Vine" alias. Shell Crew also shares the APT 19 alias with Codoso directly. Shell Crew is functioning as an attribution bridge between two Western-named Chinese APT records.


Naikon bridges APT30 (as APT 30) and Thrip via the Lotus Panda alias. Naikon is the bridge node that connects what most threat-intel writeups treat as two distinct Chinese APTs.


Manganese is the alias bridging APT5 and Pitty Panda.


The China shape: each major Western threat-intel vendor named the Chinese groups they saw, and the synonym graph reveals that the various PLA-attributed records cross-pollinate at multiple points. The defender who reads a single vendor's "APT19 indicators" feed is seeing one observation window. The graph collapse reveals at least four PLA-attributed records that share aliases with at least one other PLA-attributed record.



The Russia cluster — umbrella terms


Russia gets sweeping umbrella designations, mostly from US government attribution. Two big ones.


Grizzly Steppe is the FBI's 2016 umbrella term covering the actors responsible for the DNC compromise. Our adversaries index has Grizzly Steppe as a shared alias on both APT 29 (Cozy Bear, attributed to SVR — Russia's foreign intelligence service) and Sofacy (Fancy Bear, attributed to GRU — Russian military intelligence). Two completely different intelligence services, one umbrella name. A defender consuming Grizzly Steppe indicators cannot tell whether they are looking at SVR tradecraft (slow, careful, espionage-shaped) or GRU tradecraft (faster, noisier, sometimes destructive). The umbrella name collapsed the distinction.


Sandworm is the alias jointly claimed by ELECTRUM (the Dragos record) and TeleBots (the ESET record). Two threat-intel vendors each observed activity they tie to the Sandworm alias, yet their records persist as separate adversaries in published attribution data. Our adversaries index reflects both records and the shared alias. The defender consuming a "Sandworm" indicator from one vendor is consuming a specific lens; the indicator may or may not correlate with the other vendor's Sandworm record.


Hippo Team is the bridge between APT 26 and Turla Group. Turla is a Russian FSB-attributed cluster; APT 26 is a separately-tracked attribution. The alias overlap exists in published records.



What the three topologies tell us


The geography determines the topology. Iran gets a hub-and-spoke because the Western threat-intel ecosystem has been re-naming the same Iranian operators repeatedly for a decade and the synonym field on Cleaver collected the radial pattern. China gets a mesh because multiple Chinese groups operate in parallel and each has been independently named by every Western vendor, with the overlaps revealing where the observations cross. Russia gets umbrellas because US government attribution often prefers a single national-level term over the technical actor-cluster distinctions that private vendors use.


None of these is an analytical error. Each topology reflects how the corresponding side of the intel community handles the volume and shape of activity from each region. The receipts are useful precisely because they make the differences in handling visible.
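The graph collapse described in the introduction and the three topologies above can be reproduced on a small scale with plain Python. The following is an added worked example, not code from the DugganUSA adversaries index: the records are constructed from the alias overlaps this post names (a toy subset, not the 366-record corpus; the Naikon record is modelled as claiming both "APT 30" and "Lotus Panda"), and the function names are ours. It finds the bridge aliases (claimed by two or more records), unions records that share one into clusters, and maps any vendor label back to the record that anchors its cluster.

```python
"""Synonym-graph collapse over adversary records.

Added example; the RECORDS table is constructed from the alias overlaps
stated in the post and is not the real adversaries index.
"""
from collections import defaultdict

# Constructed sample: record name -> aliases that record explicitly claims.
# Only the overlaps the post names are modelled; other aliases are omitted.
RECORDS = {
    # Iran: hub-and-spoke around Cleaver
    "Cleaver": {"TG-2889", "Temp.Beanie", "Cobalt Gypsy", "Group 41", "APT 35"},
    "Cutting Kitten": {"TG-2889"},
    "Rocket Kitten": {"Temp.Beanie"},
    "OilRig": {"Cobalt Gypsy"},
    "Clever Kitten": {"Group 41"},
    "APT35": {"APT 35", "Magic Hound"},
    # China: several small bridges
    "Maverick Panda": {"PLA Navy"},
    "Samurai Panda": {"PLA Navy"},
    "Wekby": {"PLA Navy"},
    "Shell Crew": {"Black Vine", "APT 19"},
    "Codoso": {"Black Vine", "APT 19"},
    "Hurricane Panda": {"Black Vine"},
    "Naikon": {"APT 30", "Lotus Panda"},   # assumption: bridges APT30 and Thrip
    "APT30": {"APT 30"},
    "Thrip": {"Lotus Panda"},
    "APT5": {"Manganese"},
    "Pitty Panda": {"Manganese"},
    # Russia: umbrella terms
    "APT 29": {"Grizzly Steppe", "Cozy Bear"},
    "Sofacy": {"Grizzly Steppe", "Fancy Bear"},
    "ELECTRUM": {"Sandworm"},
    "TeleBots": {"Sandworm"},
    "APT 26": {"Hippo Team"},
    "Turla Group": {"Hippo Team"},
}


def bridge_aliases(records):
    """Aliases claimed by two or more distinct records -> set of claiming records."""
    claimants = defaultdict(set)
    for name, aliases in records.items():
        for alias in aliases:
            claimants[alias].add(name)
    return {alias: names for alias, names in claimants.items() if len(names) >= 2}


def collapse(records):
    """Connected components of the record graph; an edge is a shared alias (union-find)."""
    parent = {name: name for name in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for names in bridge_aliases(records).values():
        first, *rest = sorted(names)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(set)
    for name in records:
        clusters[find(name)].add(name)
    return [frozenset(members) for members in clusters.values()]


def resolve(label, records):
    """Records behind a label: the record itself, or every record claiming it as an alias."""
    if label in records:
        return {label}
    return {name for name, aliases in records.items() if label in aliases}


def cluster_of(label, records):
    """Collapsed cluster containing the label's record(s); empty if the label is unknown."""
    names = resolve(label, records)
    if not names:
        return frozenset()
    anchor = next(iter(names))  # all claimants of one alias land in one cluster
    for cluster in collapse(records):
        if anchor in cluster:
            return cluster
    return frozenset()


def bridge_count(records):
    """Number of bridge aliases each record claims (its degree in the alias graph)."""
    bridges = bridge_aliases(records)
    return {name: sum(1 for a in aliases if a in bridges) for name, aliases in records.items()}


def hub_of(cluster, records):
    """Record in the cluster claiming the most bridge aliases; ties break alphabetically."""
    counts = bridge_count(records)
    return max(sorted(cluster), key=lambda name: counts[name])


def attribute(label, records):
    """Map a vendor label to its cluster hub, the name to attribute detections to."""
    cluster = cluster_of(label, records)
    return hub_of(cluster, records) if cluster else None


if __name__ == "__main__":
    for cluster in sorted(collapse(RECORDS), key=len, reverse=True):
        print(f"{hub_of(cluster, RECORDS)} <- {sorted(cluster)}")
```

Running it prints eight clusters; the six Iranian records collapse to a single Cleaver-anchored cluster with Cleaver carrying five bridge aliases, while the Chinese and Russian records fall into small two- and three-record clusters. For an umbrella alias such as Grizzly Steppe the hub is a tie and tells you little, so the SOC-facing step is `resolve()`, which returns both APT 29 and Sofacy and surfaces the SVR/GRU ambiguity the label hides.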



What this is not


This is not a claim that all the Cleaver-cluster operators are the same operational unit. The synonym graph captures the published-attribution-claim graph, not the operational graph. Two adversary records sharing an alias means at least one analyst, somewhere, has published an attribution that links them. It does not mean the two records cover identical infrastructure or identical operators. The actual operational picture requires correlating IOCs, TTPs, and infrastructure across the adversary records — that is the next slice of analysis, not this one.


The honest claim is that the naming graph is messier than the consolidated threat-intel reports admit, and the mess is itself information. A defender who is told "OilRig is Iranian" by one vendor and "Magic Hound is Iranian" by another vendor and "Rocket Kitten is Iranian" by a third should know that the synonym graph collapses these to a Cleaver-anchored cluster. The defender's posture changes when the count shifts from "tracking three Iranian APTs" to "tracking one Iranian APT cluster under five names."



Why we keep coming back to this


The May 13 ClickFix-Konni-PySoxy post made the single-IP version of the case. Today's analysis makes the corpus-scale version. The thesis is the same: attribution fragmentation is the operator's quiet ally. Every time a vendor publishes a "new" actor name for activity that another vendor has been tracking under a different name, the defender's mental model gets noisier and the operator's apparent footprint shrinks.


The infrastructure-first detection posture is the alternative. Watch the TLS template, the JA3 fingerprint, the ASN, the cert chain. The operator can rebrand their campaign name every quarter. The operator generally does not rebrand their hosting choice. Our corpus has been built on this premise since day one — we tag everything we can tag, and we keep the synonym graph visible so the rebrand attempt does not erase the operator's identity in our records.


This is the second post we have shipped on this theme. There will be more. The naming graph is large, the operator's incentive to exploit it is structural, and the defender's path through it is reproducible from receipts. We will keep publishing the receipts.


That is the work.





