{
	"id": "4635206f-198f-4ace-bd3c-a968467796e1",
	"created_at": "2026-04-06T00:16:53.475893Z",
	"updated_at": "2026-04-10T03:35:27.004061Z",
	"deleted_at": null,
	"sha1_hash": "0016d8adc536be0226d2973214e8bfb569ad39a3",
	"title": "Operation Diplomatic Specter - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54281,
	"plain_text": "Operation Diplomatic Specter - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:59:20 UTC\nHome \u003e List all groups \u003e Operation Diplomatic Specter\nAPT group: Operation Diplomatic Specter\nNames:\nOperation Diplomatic Specter (Palo Alto)\nCL-STA-0043 (Palo Alto)\nTGR-STA-0043 (Palo Alto)\nCountry: China\nSponsor: State-sponsored\nMotivation: Information theft and espionage\nFirst seen: 2022\nDescription:\n(Palo Alto) A Chinese advanced persistent threat (APT) group has been conducting an ongoing campaign, which we call Operation Diplomatic Specter. This campaign has been targeting political entities in the Middle East, Africa and Asia since at least late 2022.\nAn analysis of this threat actor’s activity reveals long-term espionage operations against at least seven governmental entities. The threat actor performed intelligence collection efforts at a large scale, leveraging rare email exfiltration techniques against compromised servers.\nObserved:\nSectors: Defense, Education, Embassies, Government, Retail, Telecommunications.\nCountries: USA and Middle East, Africa and Asia.\nTools used:\nAgent Racoon, China Chopper, Gh0st RAT, HTran, JuicyPotatoNG, LadonGo, Mimikatz, Mimilite, nbtscan, Ntospy, PlugX, SharpEfsPotato, SweetSpecter, TunnelSpecter, Yasso.\nInformation:\nLast change to this card: 19 June 2024\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e2b7d21a-cb70-413d-803a-00ce90412300\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e2b7d21a-cb70-413d-803a-00ce90412300\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e2b7d21a-cb70-413d-803a-00ce90412300\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e2b7d21a-cb70-413d-803a-00ce90412300"
	],
	"report_names": [
		"showcard.cgi?u=e2b7d21a-cb70-413d-803a-00ce90412300"
	],
	"threat_actors": [
		{
			"id": "ffc66b49-9396-46af-966f-9376c4315f32",
			"created_at": "2023-11-21T02:00:07.339061Z",
			"updated_at": "2026-04-10T02:00:03.462317Z",
			"deleted_at": null,
			"main_name": "CL-STA-0043",
			"aliases": [
				"TGR-STA-0043"
			],
			"source_name": "MISPGALAXY:CL-STA-0043",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cff2cedd-a198-4e79-ae67-19048084ae7f",
			"created_at": "2024-06-20T02:02:09.945126Z",
			"updated_at": "2026-04-10T02:00:04.79991Z",
			"deleted_at": null,
			"main_name": "Operation Diplomatic Specter",
			"aliases": [
				"CL-STA-0043",
				"TGR-STA-0043"
			],
			"source_name": "ETDA:Operation Diplomatic Specter",
			"tools": [
				"Agent Racoon",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotatoNG",
				"Kaba",
				"Korplug",
				"LadonGo",
				"Mimikatz",
				"Mimilite",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"Ntospy",
				"PCRat",
				"PlugX",
				"RedDelta",
				"SharpEfsPotato",
				"SinoChopper",
				"Sogu",
				"SweetSpecter",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TunnelSpecter",
				"Xamtrav",
				"Yasso",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434613,
	"ts_updated_at": 1775792127,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0016d8adc536be0226d2973214e8bfb569ad39a3.pdf",
		"text": "https://archive.orkl.eu/0016d8adc536be0226d2973214e8bfb569ad39a3.txt",
		"img": "https://archive.orkl.eu/0016d8adc536be0226d2973214e8bfb569ad39a3.jpg"
	}
}