How Microsoft names threat actors

Microsoft has shifted to a new naming taxonomy for threat actors aligned with the theme of weather. With the new taxonomy, we intend to bring better clarity to customers and other security researchers already confronted with an overwhelming amount of threat intelligence data and offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves.

Nation-state actors based on Microsoft naming

Microsoft categorizes threat actors into five key groups:

Nation-state actors: cyber operators acting on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution. Microsoft has observed that most nation state actors continue to focus operations and attacks on government agencies, intergovernmental organizations, non-governmental organizations, and think tanks for traditional espionage or surveillance objectives.

Financially motivated actors: cyber campaigns/groups directed by a criminal organization/person with motivations of financial gain and haven't been associated with high confidence to a known non-nation state or commercial entity. This category includes ransomware operators, business email compromise, phishing, and other groups with purely financial or extortion motivations.

Private sector offensive actors (PSOAs): cyber activity led by commercial actors that are known/legitimate legal entities, that create and sell cyberweapons to customers who then select targets and operate the cyberweapons. These tools threaten many global human rights efforts, as they have been observed targeting and surveilling dissidents, human rights defenders, journalists, civil society advocates, and other private citizens.

Influence operations: information campaigns communicated online or offline in a manipulative fashion to shift perceptions, behaviors, or decisions by target audiences to further a group or a nation’s interests and objectives.

Groups in development: a temporary designation given to an unknown, emerging, or developing threat activity that allows Microsoft to track it as a discrete set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once criteria are met, a group in development is converted to a named actor or merged into existing names.

In our new taxonomy, a weather event or family name represents one of the above categories. In the case of nation-state actors, we have assigned a family name to a country of origin tied to attribution, like Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For example, Tempest indicates financially motivated actors. Threat actors within the same weather family are given an adjective to distinguish actor groups with distinct tactics, techniques, and procedures (TTPs), infrastructure, objectives, or other identified patterns. For groups in development, where there is a newly discovered, unknown, emerging, or developing cluster of threat activity, we use a temporary designation of Storm and a four-digit number, allowing us to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the operation.

The table below shows how the new family names map to a sampling of the threat actors that we track.

Actor category Type Family name
Nation-state China
North Korea
South Korea
Financially motivated Financially motivated Tempest
Private sector offensive actors PSOAs Tsunami
Influence operations Influence operations Flood
Groups in development Groups in development Storm

Use the following reference table below to understand how our previously publicly disclosed old threat actor names translate to our new taxonomy.

Previous name New name Origin/Threat Other names
ACTINIUM Aqua Blizzard Russia UNC530, Primitive Bear, Gamaredon
AMERICIUM Pink Sandstorm Iran Agrius, Deadwood, BlackShadow, SharpBoys
BARIUM Brass Typhoon China APT41
BISMUTH Canvas Cyclone Vietnam APT32, OceanLotus
BOHRIUM Smoke Sandstorm Iran
BROMINE Ghost Blizzard Russia Energetic Bear, Crouching Yeti
CERIUM Ruby Sleet North Korea
CHIMBORAZO Spandex Tempest Financially motivated TA505
CHROMIUM Charcoal Typhoon China ControlX
COPERNICIUM Sapphire Sleet North Korea Genie Spider, BlueNoroff
CURIUM Crimson Sandstorm Iran TA456, Tortoise Shell
DUBNIUM Zigzag Hail South Korea Dark Hotel, Tapaoux
ELBRUS Sangria Tempest Financially motivated Carbon Spider, FIN7
EUROPIUM Hazel Sandstorm Iran Cobalt Gypsy, APT34, OilRig
GADOLINIUM Gingham Typhoon China APT40, Leviathan, TEMP.Periscope, Kryptonite Panda
GALLIUM Granite Typhoon China
HAFNIUM Silk Typhoon China
HOLMIUM Peach Sandstorm Iran APT33, Refined Kitten
IRIDIUM Seashell Blizzard Russia Sandworm
KNOTWEED Denim Tsunami Private sector offensive actor DSIRF
KRYPTON Secret Blizzard Russia Venomous Bear, Turla, Snake
LAWRENCIUM Pearl Sleet North Korea
MANGANESE Mulberry Typhoon China APT5, Keyhole Panda, TABCTENG
MERCURY Mango Sandstorm Iran MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros
NEPTUNIUM Cotton Sandstorm Iran Vice Leaker
NICKEL Nylon Typhoon China ke3chang, APT15, Vixen Panda
NOBELIUM Midnight Blizzard Russia APT29, Cozy Bear
OSMIUM Opal Sleet North Korea Konni
PARINACOTA Wine Tempest Financially motivated Wadhrama
PHOSPHORUS Mint Sandstorm Iran APT35, Charming Kitten
PLUTONIUM Onyx Sleet North Korea Silent Chollima, Andariel, DarkSeoul
POLONIUM Plaid Rain Lebanon
RADIUM Raspberry Typhoon China APT30, LotusBlossom
RUBIDIUM Lemon Sandstorm Iran Fox Kitten, UNC757, PioneerKitten
SEABORGIUM Star Blizzard Russia Callisto, Reuse Team
SILICON Marbled Dust Turkey Sea Turtle
SOURGUM Caramel Tsunami Private sector offensive actor Candiru
SPURR Tomato Tempest Financially motivated Vatet
STRONTIUM Forest Blizzard Russia APT28, Fancy Bear
TAAL Camouflage Tempest Financially motivated FIN6, Skeleton Spider
THALLIUM Emerald Sleet North Korea Kimsuky, Velvet Chollima
ZINC Diamond Sleet North Korea Labyrinth Chollima, Lazarus
ZIRCONIUM Violet Typhoon China APT31
Previous name New name Origin/Threat Other names
DEV-0146 Pumpkin Sandstorm Iran ZeroCleare
DEV-0193 Periwinkle Tempest Financially motivated Wizard Spider, UNC2053
DEV-0196 Carmine Tsunami Private sector offensive actor QuaDream
DEV-0198 (NEPTUNIUM) Cotton Sandstorm Iran Vice Leaker
DEV-0206 Mustard Tempest Financially motivated Purple Vallhund
DEV-0215 (LAWRENCIUM) Pearl Sleet North Korea
DEV-0227 (AMERICIUM) Pink Sandstorm Iran Agrius, Deadwood, BlackShadow, SharpBoys
DEV-0228 Cuboid Sandstorm Iran
DEV-0234 Lilac Typhoon China
DEV-0237 Pistachio Tempest Financially motivated FIN12
DEV-0243 Manatee Tempest Financially motivated EvilCorp, UNC2165, Indrik Spider
DEV-0257 Storm-0257 Group in development UNC1151
DEV-0322 Circle Typhoon China
DEV-0336 Night Tsunami Private sector offensive actor NSO Group
DEV-0343 Gray Sandstorm Iran
DEV-0401 Cinnamon Tempest Financially motivated Emperor Dragonfly, Bronze Starlight
DEV-0500 Marigold Sandstorm Iran Moses Staff
DEV-0504 Velvet Tempest Financially motivated
DEV-0530 Storm-0530 North Korea H0lyGh0st
DEV-0537 Strawberry Tempest Financially motivated LAPSUS$
DEV-0586 Cadet Blizzard Russia
DEV-0605 Wisteria Tsunami Private sector offensive actor CyberRoot
DEV-0665 Sunglow Blizzard Russia
DEV-0796 Phlox Tempest Financially motivated ClickPirate, Chrome Loader, Choziosi loader
DEV-0832 Vanilla Tempest Financially motivated
DEV-0950 Lace Tempest Financially motivated FIN11, TA505

Read our announcement about the new taxonomy for more information:

Putting intelligence into the hands of security professionals

Intel profiles in Microsoft Defender Threat Intelligence bring crucial threat actor insights directly into defenders' hands so that they can get the context they need as they prepare for and respond to threats.

Additionally, to further operationalize the threat intelligence you get from Microsoft, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today, enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: Use the threat intelligence APIs in Microsoft Graph (preview).


Use the following query on Microsoft 365 Defender and other Microsoft security products supporting the Kusto query language (KQL) to get information about a threat actor using the old name, new name, or industry name:

let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@""] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]'); 
let GetThreatActorAlias = (Name: string) { 
| where Name =~ NewName or Name =~ PreviousName or OtherNames has Name 

The following files containing the comprehensive mapping of old threat actor names with their new names are also available: