Beyond the Aliases: Decoding Chinese Threat Group Attribution and the Human Factor
Examining the overlap between APT27, HAFNIUM, and Silk Typhoon through recent U.S. government disclosures, and why understanding the humans behind the keyboard is important for cyber defenders
Since March 2025, the U.S. government has publicly exposed Chinese hackers and entities linked to threat groups tracked as APT27, HAFNIUM, Silk Typhoon, and other monikers. For each of these named Advanced Persistent Threat (APT) groups, technical analysis of observed intrusions by the cybersecurity community has produced tracking criteria, mitigations, and guidance for eradicating the associated malware from systems and networks. Because cybersecurity firms use different threat models, apply their own standards for clustering intrusions, and closely guard their telemetry, rarely sharing it with others, the same activity ends up labeled with a number of "a.k.a." (also known as) group names. For example, the APT27 profile on Malpedia, a community-curated online malware encyclopedia, lists 16 a.k.a. group names. How do these a.k.a. groups overlap? How do they differ from one another? The answers are not always clear.
Additionally, when law enforceme…


