How to use this wiki

  • Prefer durable notes over raw logs
  • Link to primary sources
  • Keep pages concise and actionable

Section definitions

  • Groups: named crews, clusters, or shared personas treated as one operational unit
  • People: specific humans only when a public source clearly names them and the identity matters operationally
  • Ops: compromise chains, campaign timelines, and how access was obtained, expanded, and used
  • Tools: malware, payloads, implants, loaders, or attacker infrastructure worth tracking as reusable capability

Attribution rules

  • Separate confirmed facts from inference
  • Prefer names used by operators, maintainers, upstream projects, or other firsthand sources over later vendor branding when the source support is clear
  • If a page needs alternate names, say who used each name and link the report or advisory it came from
  • If reporting only names a crew, handle, or persona, keep the material under Groups
  • Do not create People pages from speculation, handle reuse, or unsupported social-media claims