Evidence-labeled threat reports, SOC-oriented guidance, and defensive research.
Open-source CTI by Andrey Pautov.
Structured, citation-linked versions of long-form CTI articles: PDF and HTML with table of contents, working reference links [R1]–[Rx], and original figures. Each report is self-contained in its own directory and can be used for SOC playbooks, hunting, and training.
- Defender-focused: Prioritizes actionable guidance, detection ideas, and controls mapping.
- Evidence-labeled: Claims are tagged (Observed / Reported / Assessed / Claimed) with source references.
- Offline-friendly: PDFs and HTML work without depending on Medium or external links for the body text.
| Report | Scope | Format |
|---|---|---|
| Handala Hack Group | Handala Hack Team / Void Manticore. Evidence-labeled assessment and SOC guidance. Dec 2023–Mar 2026. | PDF · HTML · Medium → |
| Sandworm / APT44 | GRU GTsST (Sandworm). Evidence-labeled assessment and SOC guidance. 2009–Mar 2026. | PDF · HTML · Medium → |
| MuddyWater / Seedworm | Iranian MOIS-linked MuddyWater cluster. Evidence-labeled assessment and SOC guidance. 2017–Mar 2026. | PDF · HTML · Primary sources → |
| ATT&CK as a Working Tool | Practitioner's guide: framework anatomy, 14 tactics, 5 hands-on use cases (mapping, gap analysis, Sigma + ATT&CK, threat hunting, adversary emulation). For CTI analysts, detection engineers, and SOC analysts. Mar 2026. | PDF · Medium → |
| Attribution Methodology | Practitioner's guide: building and defending threat actor attribution. Evidence types ranked by strength (IOC overlap → TTP consistency → operator mistakes), 5-level attribution spectrum, false flag detection, APT29 worked exercise. For CTI analysts. Mar 2026. | PDF · Medium → |
| Infrastructure Pivoting | Field manual: expanding a single IOC into a full attacker infrastructure map. 7 pivot types (passive DNS, reverse IP, ASN, TLS certs, subdomains, Shodan/Censys, WHOIS), C2 tracing worked example. Includes autoWF.py — automated pivot tool (VirusTotal + SecurityTrails + crt.sh). Mar 2026. | autoWF.py · Medium → |
| AI in Offensive Operations | Evidence-based deep research report: how threat actors use AI. Chronological timeline 2019–2026, 10 major incidents (voice cloning, Arup $25M deepfake, LAMEHUG, GTG-1002 agentic intrusion), TTP analysis (ATT&CK-aligned), statistics, reality vs. hype, actor segmentation, 5-year forecast. Apr 2026. | Report → |
More reports (malware writeups, tool analysis, IOCs) will be added in separate directories.
- Template: Use template/ to start a new report with the same structure (README, IOCs, outline, optional build scripts).
```
CTI/
├── README.md                      # This file
├── template/                      # Universal research template (see below)
│   ├── README.md                  # How to use the template
│   ├── REPORT-README.tpl.md       # Report directory README template
│   ├── IOCs.tpl.md                # IOC document template
│   ├── REPORT-OUTLINE.md          # Section outline for the long-form article
│   └── extract_figures.sh.tpl
├── handala-hack-group/            # One directory per report
│   ├── README.md, IOCs.md
│   ├── *.pdf, *.html
│   └── assets/                    # Figures (optional; gitignored)
├── sandworm-apt44/
│   ├── README.md, IOCs.md
│   ├── *.pdf, *.html
│   └── assets/
├── muddywater-seedworm/
│   ├── README.md, IOCs.md
│   ├── *.pdf, *.html
│   └── assets/
├── ATT&CK/                        # Practitioner's guide to MITRE ATT&CK
│   ├── README.md
│   └── *.pdf
├── Attribution/                   # Practitioner's guide to attribution methodology
│   ├── README.md
│   └── *.pdf
├── Infrastructure_pivoting/       # Field manual: single IOC → full attacker infrastructure
│   ├── README.md
│   ├── autoWF.py                  # Automated pivot tool (VT + SecurityTrails + crt.sh)
│   └── *.pdf
└── AI_Threat_Actors/              # Deep research: AI use by threat actors 2019–2026
    └── README.md
```
- PDF: Table of contents, clickable [R1]…[Rx] links to references, original figures where available.
- HTML: Same content; good for search, copy-paste, and re-printing to PDF.
- assets/: Figures extracted from source; used when (re)building the report.
- Author: Andrey Pautov
- Long-form articles: Medium @1200km
- Reports here are structured, citation-linked editions of those articles (evidence cutoff and scope noted in each report).
Use the template for a consistent structure:
- Copy files from `template/` into a new directory (e.g. `my-actor-name/`).
- Rename and fill placeholders in `REPORT-README.tpl.md` → save as `README.md`; do the same for `IOCs.tpl.md` → `IOCs.md`.
- Add your report PDF and HTML (and `assets/` if you have figures; see the template and existing reports for the build workflow).
- Add a row to the Reports table above with links to the report and source.
See template/README.md for placeholders, naming conventions, and optional build steps.
- Use: Defensive and research only. Not for offensive use.
- IOCs/samples: Handle according to your security policy; validate before production use.
- Attribution: Views and assessments are the author’s; sources are cited in each report.
Per-report. See each report’s README and the original source (e.g. Medium) for terms of use.