This document defines the data structure for "Hacking Attack" articles. These articles provide insights into real-world cyberattacks, threat actor operations, malware campaigns, and observed attack infrastructure.

| Field | Type | Description |
|---|---|---|
| | string | Summary or key message of the article. |
| | string | Title of the original attack report. |
| | string (ISO 8601) | When the article was first published. |
| | string (ISO 8601) | (Optional) Last modification date from the source. |
| | string (ISO 8601) | Date when the report was ingested. |
| | string | Direct link to the original article. |
| | string | Entity or company publishing the report. |
| | string | Version or tag of the report (if any). |
| `classification` | string | Always set to `"Hacking Attack"`. |

| Field | Type | Description |
|---|---|---|
| `groups` | List[string] | Threat actor group names (e.g., APT28, Lazarus). |
| `botnets` | List[string] | Named botnets involved in the attack. |
| `campaigns` | List[string] | Named attack campaigns referenced in the article. |
| `tools` | List[string] | Tools or malware mentioned (e.g., Cobalt Strike, Mimikatz). |
| | List[string] | Additional URLs or citations in the article. |
| `victim_names` | List[string] | Named victim organizations if publicly known. |
| | List[string] | Sectors targeted (e.g., Finance, Healthcare, Government). |
| | List[string] | Geographic regions or countries affected. |
| `CVEs` | List[string] | Related CVE identifiers used in the attack. |

- Use `classification == "Hacking Attack"` to classify this type.
- If `groups` or `botnets` are mentioned, they can be cross-referenced against threat intel databases.
- `victim_names` should be anonymized if needed for internal tooling.
- `tools`, `campaigns`, and `CVEs` are helpful for correlating with IOC datasets.
- Dates are stored in ISO 8601 format (e.g., `2025-06-01T00:00:00Z`).
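
One way to apply these notes before a record reaches internal tooling, as an added example that is not part of the original schema document. It assumes records arrive as Python dicts keyed by the names used in the notes above (`classification`, `victim_names`, `CVEs`); the date field names `published_at` and `ingested_at`, the helper names, and the sample record are hypothetical.

```python
import hashlib
import hmac
import re
from datetime import datetime

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def pseudonym(name: str, key: bytes) -> str:
    """Keyed pseudonym: stable across records for correlation, but not
    recoverable by hashing a list of company names without the key."""
    digest = hmac.new(key, name.strip().lower().encode(), hashlib.sha256)
    return "victim-" + digest.hexdigest()[:12]

def prepare_record(record: dict, key: bytes, date_fields=()):
    """Return (copy safe for internal tooling, list of validation problems)."""
    problems = []
    if record.get("classification") != "Hacking Attack":
        problems.append("classification is not 'Hacking Attack'")
    out = dict(record)  # never mutate the ingested original
    out["victim_names"] = [pseudonym(n, key) for n in record.get("victim_names", [])]
    cves = set()
    for raw in record.get("CVEs", []):
        cve = raw.strip().upper()  # normalise case so IOC joins match
        if CVE_RE.match(cve):
            cves.add(cve)
        else:
            problems.append(f"malformed CVE id: {raw!r}")
    out["CVEs"] = sorted(cves)
    for field in date_fields:
        value = record.get(field)
        if value is None:
            continue  # optional date fields may be absent
        try:
            # Older Python versions reject a trailing "Z" in fromisoformat().
            datetime.fromisoformat(value.replace("Z", "+00:00"))
        except (ValueError, AttributeError):
            problems.append(f"{field} is not ISO 8601: {value!r}")
    return out, problems

# Constructed sample record; the CVE ids are placeholders, not real entries.
SAMPLE = {
    "classification": "Hacking Attack",
    "victim_names": ["Example Bank", "example bank "],
    "CVEs": ["cve-0000-0001", "CVE-0000-0001", "CVE-ABC"],
    "published_at": "2025-06-01T00:00:00Z",  # hypothetical field name
    "ingested_at": "01/06/2025",             # hypothetical field name, bad format
}
KEY = b"constructed-demo-key"  # constructed; keep the real key in a secret store
```
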