As many of you know, the most important part of CTI is naming threat actors. These names are what inspire marketing departments to glorify the baddies with huge fursonas at RSA, or branded skateboards, or coloring books. Unfortunately, GAYINT does not even have a marketing department. But if we did, it would certainly not put lampshades over the heads of women and make them stand and wave to the creeps in the vendor hall.
Anyway, here is our current threat actor naming taxonomy. Like the threat intel companies though, we can change it any time we feel like. It's not like anyone actually cares about attribution anyway, right? So we decided to pretend to be a legit organization and base our taxonomy on the one from Microsoft since several vendors said they're going to start doing the same.
| Origin / Type | Adjective |
|---|---|
| RU | FLAMBOYANT |
| CN | FUNKY |
| IR | DUSKY |
| KP | HORNY |
| TR | BITEY |
| DE | BEEFY |
| SY | JIGGLY |
| VN | JEALOUS |
| LB | UNFORTUNATE |
| KR | GLITTERY |
| PK | LUBRICATED |
| SG | BASIC |
| ES | FLUFFY |
| UA | STABBY |
| IN | CREAMY |
| US | RIBBED |
| PS | ANGRY |
| Influence Ops | SPARKLY |
| In Development | SPICY |
| Financially Motivated | FEISTY |
| Private Sector Offensive Actor | GREEDY |
| Trans girls who need money | KITTY |
As you can see, we follow the ADJECTIVE NOUN pattern common with threat actor naming. It's simple and easy to communicate and remember. As we report more, we will associate activity with the name we use for tracking. Often this will match 1:1 with already named threat actors. Sometimes it will not. Feel free to use our names as AKAs in your own reporting. It's not like there are too many of them already or anything.
Updated: 29 August 2025