get_threat_actor
Retrieve detailed intelligence on a specific threat actor or APT group using an identifier. Analyze tactics, techniques, procedures (TTPs), target sectors, and referenced sources to enhance threat intelligence and security incident research.
Instructions
Get threat actor by identifier
Use this tool when you need detailed intelligence about a specific threat actor or advanced persistent threat (APT) group. This information is valuable for:
- Understanding the tactics, techniques, and procedures (TTPs) of threat actors
- Researching who might be behind a security incident
- Evaluating the sophistication level of potential adversaries
- Gathering threat intelligence for security briefings
- Understanding which sectors or regions a threat actor typically targets
Args:
- identifier (str): The identifier of the threat actor. Can be either:
  - UUID (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1")
  - Name (e.g., "dark_cloud_shield")
Returns: Dict[str, Any]: Detailed threat actor information including:
- uuid: Unique identifier for this threat actor
- name: Machine-readable name (typically lowercase with underscores)
- display_name: Human-readable name with proper formatting
- created_at/updated_at/enriched_at: Timestamps for record management
- gen_description: Generated description (if available)
- mentions: List of references to this threat actor from various sources, each containing:
  - uuid: Unique identifier for this mention
  - overview: Summary of the threat actor's activities from this source
  - published_at: When the source material was published
  - collected_at: When this mention was collected
  - reference_url: URL of the source material
  - reference_source: Name of the source (e.g., "talos_intelligence_blog")
  - reference_user_generated_content: Whether this is user-generated content
  - Other metadata about the mention and reference
These mentions provide valuable context about the threat actor's:
- Known attack vectors and exploited vulnerabilities
- Target sectors, regions, or organizations
- Tools and malware used
- Attribution confidence and alternate names
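An added example (not part of the tool itself) of consuming the documented return structure: it classifies the lookup key as a UUID or a name, then collapses the mentions list into a briefing summary, keeping user-generated references out of the source list by default because they carry less attribution weight. The response dict and its mention values are constructed to mirror the field names above; the helper names and the example_forum source are assumptions.

```python
"""Helpers for working with a get_threat_actor response (added example)."""
from __future__ import annotations
import re
from datetime import datetime
from typing import Any, Dict, List

# Canonical 8-4-4-4-12 hex UUID form; anything else is treated as a machine-readable name.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def identifier_kind(identifier: str) -> str:
    """Return 'uuid' or 'name', the two identifier forms the tool accepts."""
    return "uuid" if UUID_RE.match(identifier.strip()) else "name"

# Constructed sample response with the documented fields; not real intelligence data.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "uuid": "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1",
    "name": "dark_cloud_shield",
    "display_name": "Dark Cloud Shield",
    "created_at": "2024-01-10T00:00:00Z", "updated_at": "2024-03-01T00:00:00Z",
    "enriched_at": "2024-03-01T00:00:00Z", "gen_description": None,
    "mentions": [
        {"uuid": "m-1", "overview": "Phishing campaign against the energy sector.",
         "published_at": "2024-02-20T09:00:00Z", "collected_at": "2024-02-21T00:00:00Z",
         "reference_url": "https://example.invalid/report-1",
         "reference_source": "talos_intelligence_blog", "reference_user_generated_content": False},
        {"uuid": "m-2", "overview": "Forum post claiming a new loader.",
         "published_at": "2024-01-05T12:00:00Z", "collected_at": "2024-01-06T00:00:00Z",
         "reference_url": "https://example.invalid/post-2",
         "reference_source": "example_forum", "reference_user_generated_content": True},
    ],
}

def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the response ('Z' suffix allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def summarize_mentions(actor: Dict[str, Any], include_user_generated: bool = False) -> Dict[str, Any]:
    """Reduce the mentions list to sources, counts and the publication date range."""
    mentions: List[Dict[str, Any]] = actor.get("mentions") or []
    kept = [m for m in mentions
            if include_user_generated or not m.get("reference_user_generated_content")]
    dates = sorted(_parse_ts(m["published_at"]) for m in kept if m.get("published_at"))
    return {
        "actor": actor.get("display_name") or actor.get("name"),
        "sources": sorted({m["reference_source"] for m in kept if m.get("reference_source")}),
        "mention_count": len(kept),
        "user_generated_excluded": 0 if include_user_generated else
            sum(1 for m in mentions if m.get("reference_user_generated_content")),
        "earliest_published": dates[0].date().isoformat() if dates else None,
        "latest_published": dates[-1].date().isoformat() if dates else None,
    }
```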
Input Schema
Name | Required | Description | Default
---|---|---|---
identifier | No | |