Correct Intel471 Darknet actor classification for APT/group/ransomware entities#6488

Closed
Copilot wants to merge 5 commits into master from copilot/fix-intel471-connector-ingestion

Conversation

Contributor

Copilot AI commented May 21, 2026

Intel471 Darknet ingestion was collapsing distinct adversary concepts into Threat-Actor-Individual (e.g., APT intrusion sets and ransomware names). This update introduces explicit actor-type inference and routes conversion to the appropriate STIX/OpenCTI entity type.

  • Actor type inference

    • Added src/lib/actor_typing.py with infer_actor_entity_type(...).
    • Classifies actor payloads into:
      • Intrusion-Set (APT patterns / explicit hints)
      • Threat-Actor-Group (group/gang/crew patterns / explicit hints)
      • Malware (malware/ransomware patterns)
      • fallback Threat-Actor-Individual
  • STIX conversion updates

    • Updated lib/intel2stix.py:getThreatActorContent(...) to build the correct SDO per inferred type instead of always emitting individual threat actors.
    • Preserves deterministic IDs via pycti generators per entity type.
  • Integration in connector flow

    • Updated main.py:_getActorContent(...) to use the centralized actor conversion path, ensuring consistent typing across report-derived and actor-endpoint data.
  • Focused coverage for classification rules

    • Added tests/test_actor_typing.py for APT, threat actor group, ransomware/malware, fallback, and field fallback (handle/name/uid) cases.
```python
# New classification path
entity_type = infer_actor_entity_type(actor)

if entity_type == "Intrusion-Set":
    return stix2.IntrusionSet(id=PyctiIntrusionSet.generate_id(name), ...)
elif entity_type == "Threat-Actor-Group":
    return stix2.ThreatActor(
        id=PyctiTAG.generate_id(name),
        custom_properties={"x_opencti_type": "Threat-Actor-Group"},
        ...
    )
elif entity_type == "Malware":
    return stix2.Malware(id=PyctiMalware.generate_id(name), is_family=True, ...)
else:
    return stix2.ThreatActor(
        id=PyctiTAI.generate_id(name),
        custom_properties={"x_opencti_type": "Threat-Actor-Individual"},
        ...
    )
```
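To make the classification rules in the description concrete, here is an added, stand-alone illustration of an `infer_actor_entity_type` that applies them; it is not the connector's own `src/lib/actor_typing.py`, and the hint field name (`entity_type_hint`), the regexes and the precedence order (explicit hint, then APT, then group, then malware, then individual) are assumptions.

```python
import re

# Added illustration of the PR's classification rules, not the project's code.
# Field names, patterns and precedence below are assumptions.
APT_RE = re.compile(r"\bAPT[\s-]?\d+\b", re.IGNORECASE)
GROUP_RE = re.compile(r"\b(group|gang|crew|team|collective)\b", re.IGNORECASE)
MALWARE_RE = re.compile(r"\b(ransomware|malware)\b", re.IGNORECASE)

# An explicit hint from the source overrides name patterns, so a curated
# field can correct a misleading handle (assumed field: "entity_type_hint").
HINTS = {
    "intrusion-set": "Intrusion-Set",
    "group": "Threat-Actor-Group",
    "malware": "Malware",
    "individual": "Threat-Actor-Individual",
}


def actor_label(actor: dict) -> str:
    """Field fallback: handle, then name, then uid; empty string if none set."""
    for field in ("handle", "name", "uid"):
        value = actor.get(field)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return ""


def infer_actor_entity_type(actor: dict) -> str:
    """Map an Intel471-style actor payload to an OpenCTI entity type."""
    hint = str(actor.get("entity_type_hint", "")).strip().lower()
    if hint in HINTS:
        return HINTS[hint]
    label = actor_label(actor)
    if APT_RE.search(label):
        return "Intrusion-Set"
    if GROUP_RE.search(label):
        return "Threat-Actor-Group"
    if MALWARE_RE.search(label):
        return "Malware"
    # Default keeps the connector's previous behaviour for unmatched handles.
    return "Threat-Actor-Individual"
```

Because the first matching rule wins, a label such as "APT28 Ransomware" lands on Intrusion-Set; reviewers of a rule set like this should check the precedence against real payloads rather than assume it.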

Copilot AI linked an issue May 21, 2026 that may be closed by this pull request
Copilot AI changed the title from "[WIP] Fix Intel471 connector ingesting incorrect entity types" to "Correct Intel471 Darknet actor classification for APT/group/ransomware entities" May 21, 2026
Copilot AI requested a review from SamuelHassine May 21, 2026 22:06

Successfully merging this pull request may close these issues.

Intel471 Connector Ingestion Issue