Skip to content

Add threat actor alias mappings for Chinese APT groups #39

Open
Open
Add threat actor alias mappings for Chinese APT groups#39
Labels
entity-patternsNew entity extraction patternsgood first issueGood for newcomers
@rolandpg

Description

@rolandpg
rolandpg
opened on Apr 15, 2026

Summary

Add alias mappings for Chinese APT groups to the alias resolver.

Context

The alias resolver maps alternate names to canonical threat actor names (e.g., Fancy Bear -> APT28). Chinese APT groups have many aliases across vendors that need mapping.

  • File to edit: src/zettelforge/alias_resolver.py
  • Tests: add to existing alias resolver tests

Acceptance Criteria

  • Add at least 10 Chinese APT group alias mappings to the hardcoded aliases in alias_resolver.py
  • Required mappings (at minimum):
    • Hafnium -> APT40 (also TEMP.Periscope, Leviathan)
    • Double Dragon -> APT41 (also Wicked Panda, Barium)
    • Stone Panda -> APT10 (also menuPass, Red Apollo)
    • Emissary Panda -> APT27 (also LuckyMouse, Iron Tiger)
    • Mustang Panda -> BRONZE PRESIDENT (also RedDelta, TA416)
  • Aliases are case-insensitive (matching existing behavior)
  • resolver.resolve("actor", "Hafnium") returns "apt40"
  • At least 5 test cases covering the new mappings
  • All existing tests pass

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    entity-patternsNew entity extraction patternsgood first issueGood for newcomers

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions