VulnCheck's Threat Actors Index lets you consume all known information associated with a threat actor in a single, machine-consumable format.
VulnCheck curates threat actor data from hundreds of sources, which include:
The VulnCheck API makes it easy to get started with VulnCheck Exploit & Vulnerability Intelligence. To start, query the threat-actors index via the /v3/index/:index?threat_actor=:threat_actor API as follows:
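# Query the threat-actors index for a single actor. The bearer token is taken
# from VULNCHECK_API_TOKEN (the same variable the Go example below reads) rather
# than pasted into the command line; the URL is quoted so the shell does not
# treat the "?" as a glob character.
curl --request GET \
  --url "https://api.vulncheck.com/v3/index/threat-actors?threat_actor=Cozy%20Bear" \
  --header 'Accept: application/json' \
  --header "Authorization: Bearer ${VULNCHECK_API_TOKEN}"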
package main
import (
"context"
"encoding/json"
"fmt"
"log"
"os"
vulncheck "github.com/vulncheck-oss/sdk-go-v2/v2"
)
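// main queries the VulnCheck threat-actors index for a single threat actor and
// prints the returned records as indented JSON.
//
// The API token is read from the VULNCHECK_API_TOKEN environment variable so it
// is never hard-coded in source. Any failure (missing token, transport error,
// non-200 response, or JSON encoding error) terminates the program via log.Fatal.
func main() {
	configuration := vulncheck.NewConfiguration()
	configuration.Scheme = "https"
	configuration.Host = "api.vulncheck.com"
	client := vulncheck.NewAPIClient(configuration)

	token := os.Getenv("VULNCHECK_API_TOKEN")
	if token == "" {
		// Fail fast with a clear message instead of an authentication error
		// from the API.
		log.Fatal("VULNCHECK_API_TOKEN is not set")
	}

	// The SDK reads the bearer token from the request context.
	auth := context.WithValue(
		context.Background(),
		vulncheck.ContextAPIKeys,
		map[string]vulncheck.APIKey{
			"Bearer": {Key: token},
		},
	)

	resp, httpRes, err := client.IndicesAPI.IndexThreatActorsGet(auth).ThreatActor("Cozy Bear").Execute()
	if err != nil {
		log.Fatalf("querying threat-actors index: %v", err)
	}
	// err is nil here, so a non-200 status must be reported on its own;
	// folding it into log.Fatal(err) would only print "<nil>".
	if httpRes == nil {
		log.Fatal("querying threat-actors index: no HTTP response")
	}
	if httpRes.StatusCode != 200 {
		log.Fatalf("querying threat-actors index: unexpected HTTP status %d", httpRes.StatusCode)
	}

	prettyJSON, err := json.MarshalIndent(resp.Data, "", " ")
	if err != nil {
		log.Fatalf("Failed to generate JSON: %v", err)
	}
	fmt.Println(string(prettyJSON))
}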
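import os

import vulncheck_sdk

# Read the API token from the environment (the same variable the Go example
# uses) instead of hard-coding it in the script.
token = os.environ.get("VULNCHECK_API_TOKEN")
if not token:
    raise SystemExit("VULNCHECK_API_TOKEN is not set")

configuration = vulncheck_sdk.Configuration(host="https://api.vulncheck.com/v3")
configuration.api_key["Bearer"] = token

with vulncheck_sdk.ApiClient(configuration) as api_client:
    indices_client = vulncheck_sdk.IndicesApi(api_client)
    # Search the threat-actors index for a single actor by name.
    api_response = indices_client.index_threat_actors_get(threat_actor="Cozy Bear")
    print(api_response.data)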
# Same threat-actors query issued through the VulnCheck CLI.
vulncheck index browse threat-actors --threat_actor 'Cozy Bear'
The above example searches the threat-actors index for information on Cozy Bear.
After calling the /v3/index/threat-actors?threat_actor=:threat_actor API endpoint with a valid threat actor name, a response similar to the following is returned:
{
"_benchmark": 0.113047,
"_meta": {
"timestamp": "2026-05-12T16:07:04.009013686Z",
// ...
},
"data": [
{
"threat_actor_name": "Cozy Bear",
"date_added": "2016-08-04",
"mitre_id": "G0016",
"misp_id": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
"malpedia_url": "https://malpedia.caad.fkie.fraunhofer.de/actor/apt29",
"vendor_names_for_threat_actors": [
{
"vendor_name": "CrowdStrike",
"threat_actor_name": "Cozy Bear"
},
{
"vendor_name": "Microsoft",
"threat_actor_name": "Midnight Blizzard",
"url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming"
}
],
"tools": [
{
"name": "Cobalt Strike",
"references": [
{
"date_added": "2024-12-11",
"url": "https://intel471.com/blog/threat-hunting-case-study-cozy-bear"
}
]
},
{
"name": "EasterBunny",
"references": [
{
"date_added": "2026-04-29",
"url": "https://home.s2grupo.es/hubfs/Informe%20LAB52-%20EasterBunny_Complete.pdf"
}
]
}
//...
],
"cve_references": [
{
"url": "https://www.recordedfuture.com/russian-apt-toolkits",
"date_added": "2016-08-04",
"cve": [
"CVE-2010-0232",
"CVE-2010-4398"
//...
]
},
{
"url": "https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF",
"date_added": "2020-07-16",
"cve": [
"CVE-2018-13379",
"CVE-2019-9670"
//...
]
}
//...
],
"mitre_attack_group": {
"name": "APT29",
"aliases": [
"APT29",
"YTTRIUM"
//...
],
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. ",
"techniques": [
{
"technique_id": "T1001",
"technique_name": "Data Obfuscation",
"sub_technique": "002",
"sub_technique_name": "Steganography",
"tactic": [
"command-and-control"
]
},
{
"technique_id": "T1027",
"technique_name": "Obfuscated Files or Information",
"tactic": [
"defense-evasion"
]
}
//...
]
},
"misp_threat_actor": {
"description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. ...'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"United States",
"China"
//...
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": [
"Espionage"
],
"country": "RU",
"refs": [
"https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
//...
],
"synonyms": [
"Group 100",
"COZY BEAR"
//...
]
},
"related": [
{
"dest-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
//...
],
"value": "APT29"
},
"mitre_group_cti": {
"id": "G0016",
"aliases": [
"APT29",
"IRON RITUAL"
//...
],
"description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR)...",
"references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/groups/G0016",
"external_id": "G0016"
},
{
"source_name": "CozyDuke",
"description": "(Citation: Crowdstrike DNC June 2016)"
}
//...
]
},
"country": "RU",
"vendors_and_products_targeted": [
{
"vendor": "Microsoft",
"product": "Windows"
},
{
"vendor": "Adobe",
"product": "Acrobat and Reader"
}
//...
],
"associated_mitre_attack_techniques": [
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"domain": "Enterprise",
"tactics": [
"privilege-escalation"
],
"subtechnique": false,
"nist_controls": [
{
"nist_control_id": "CA-07",
"nist_control_name": "Continuous Monitoring",
"nist_control_family": "Security Assessment and Authorization",
"cis_controls": [
{
"cis_control_id": "cisc-3.13",
"cis_control_name": "Segment Data Processing and Storage Based on Sensitivity",
"cis_control_description": "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory."
}
]
},
{
"nist_control_id": "CM-06",
"nist_control_name": "Configuration Settings",
"nist_control_family": "Configuration Management",
"cis_controls": [
{
"cis_control_id": "cisc-4.8",
"cis_control_name": "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
"cis_control_description": "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function."
},
{
"cis_control_id": "cisc-12.3",
"cis_control_name": "Securely Manage Network Infrastructure",
"cis_control_description": "Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS."
}
//...
]
}
//...
]
},
{
"id": "T1190",
"name": "Exploit Public-Facing Application",
"domain": "Enterprise",
"tactics": [
"initial-access"
],
"subtechnique": false,
"nist_controls": [
{
"nist_control_id": "CA-07",
"nist_control_name": "Continuous Monitoring",
"nist_control_family": "Security Assessment and Authorization",
"cis_controls": [
{
"cis_control_id": "cisc-3.13",
"cis_control_name": "Segment Data Processing and Storage Based on Sensitivity",
"cis_control_description": "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory."
}
]
},
{
"nist_control_id": "CM-06",
"nist_control_name": "Configuration Settings",
"nist_control_family": "Configuration Management",
"cis_controls": [
{
"cis_control_id": "cisc-4.8",
"cis_control_name": "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
"cis_control_description": "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function."
},
{
"cis_control_id": "cisc-12.3",
"cis_control_name": "Securely Manage Network Infrastructure",
"cis_control_description": "Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS."
}
//...
]
}
//...
]
}
//...
],
"associated_capecs": [
{
"lang": "en",
"capec_id": "CAPEC-233",
"capec_name": "Privilege Escalation",
"capec_url": "https://capec.mitre.org/data/definitions/233.html"
},
{
"lang": "en",
"capec_id": "CAPEC-100",
"capec_name": "Overflow Buffers",
"capec_url": "https://capec.mitre.org/data/definitions/100.html"
}
//...
],
"associated_cwes": [
{
"lang": "en",
"value": "CWE-787",
"name": "Out-of-bounds Write",
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"lang": "en",
"value": "CWE-120",
"name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
//...
],
"_timestamp": "2026-04-29T16:23:11.591368942Z"
}
]
}
The above example response shows what the threat-actors index returns for Cozy Bear.
| Attribute | Meaning |
|---|---|
| threat_actor_name | The primary name VulnCheck uses to identify the threat actor. |
| date_added | The date the threat actor was first added to VulnCheck. |
| mitre_id | The MITRE ATT&CK Group ID assigned to the threat actor. |
| misp_id | The MISP Galaxy UUID associated with the threat actor. |
| malpedia_url | URL to the threat actor's entry in Malpedia. |
| country | Country code of the suspected sponsor or origin. |
| Attribute | Meaning |
|---|---|
| vendor_name | The security vendor's name. |
| threat_actor_name | The name the vendor uses to identify this threat actor. |
| url | Reference URL to the vendor's threat actor naming documentation or profile. |
The tools (malware, frameworks, utilities) attributed to the threat actor.
| Attribute | Meaning |
|---|---|
| name | The name of the tool. |
| references | References that attribute the tool to the threat actor. |
| references.date_added | The date the reference was added to the index. |
| references.url | URL to the report or analysis attributing the tool. |
VulnCheck-curated CVE references confirmed as being exploited by the threat actor.
| Attribute | Meaning |
|---|---|
| url | URL of the report or advisory linking the threat actor to the CVEs. |
| date_added | The date the referenced research was published. |
| cve | CVE IDs reported as being used by the threat actor. |
| Attribute | Meaning |
|---|---|
| name | The MITRE ATT&CK group name. |
| aliases | Alternate names MITRE recognizes for the group. |
| description | MITRE's description of the group. |
| techniques | ATT&CK techniques attributed to the group (see below). |
| Attribute | Meaning |
|---|---|
| technique_id | The ATT&CK technique identifier. |
| technique_name | The name of the technique. |
| sub_technique | The sub-technique identifier. |
| sub_technique_name | The name of the sub-technique. |
| tactic | ATT&CK tactics the technique falls under. |
| Attribute | Meaning |
|---|---|
| value | The primary MISP identifier for the threat actor. |
| description | MISP's description of the threat actor. |
| related | Related MISP entities. |
| attribution-confidence | Confidence score (0–100) for attribution. |
| cfr-suspected-state-sponsor | Suspected state sponsor. |
| cfr-suspected-victims | Countries reported as victims of the actor. |
| cfr-target-category | Victim sector categories. |
| cfr-type-of-incident | Incident types attributed to the actor. |
| country | Country code of the suspected sponsor. |
| refs | Reference URLs supporting the MISP entry. |
| synonyms | Alternative names used across the industry to refer to the actor. |
| dest-uuid | UUID of the related MISP entity. |
| tags | Tags describing the nature of the relationship. |
| type | The relationship type. |
| Attribute | Meaning |
|---|---|
| id | The MITRE ATT&CK group ID. |
| aliases | Alternate names recognized by MITRE. |
| description | MITRE's description of the group. |
| references | MITRE CTI references. |
| source_name | Name of the source. |
| url | URL of the cited source. |
| description | Citation. |
| external_id | The external identifier. |
| Attribute | Meaning |
|---|---|
| vendor | The vendor name of the targeted technology. |
| product | The specific product or product family targeted. |
| Attribute | Meaning |
|---|---|
| id | The ATT&CK technique identifier. |
| name | The name of the technique. |
| domain | The ATT&CK domain. |
| tactics | ATT&CK tactics the technique falls under. |
| subtechnique | Whether this entry is a sub-technique. |
| nist_controls | NIST 800-53 controls that mitigate the technique. |
| Attribute | Meaning |
|---|---|
| nist_control_id | The NIST 800-53 control identifier. |
| nist_control_name | The name of the NIST control. |
| nist_control_family | The NIST control family. |
| cis_controls | CIS Controls mapped to the NIST control. |
| Attribute | Meaning |
|---|---|
| cis_control_id | The CIS Controls identifier. |
| cis_control_name | The name of the CIS control. |
| cis_control_description | The description of the CIS control. |
| Attribute | Meaning |
|---|---|
| lang | The language code of the entry. |
| capec_id | The CAPEC identifier. |
| capec_name | The name of the attack pattern. |
| capec_url | URL to the CAPEC entry. |
| Attribute | Meaning |
|---|---|
| lang | The language code of the entry. |
| value | The CWE identifier. |
| name | The name of the weakness. |
| url | URL to the CWE. |