{ "id": "64b608b4-a0bf-4402-8fbf-995d20f7ac50", "created_at": "2026-04-06T00:06:20.702338Z", "updated_at": "2026-04-10T13:11:51.137412Z", "deleted_at": null, "sha1_hash": "02bd4b95f4c587a87e17935a4316c94fb0c33810", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54937, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:39:30 UTC\r\nHome \u003e List all groups \u003e UNC5221, UTA0178\r\n APT group: UNC5221, UTA0178\r\nNames\r\nUNC5221 (Mandiant)\r\nUTA0178 (Volexity)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2022\r\nDescription\r\n(Mandiant) Note: This is a developing campaign under active analysis by Mandiant\r\nand Ivanti. We will continue to add more indicators, detections, and information to\r\nthis blog post as needed.\r\nOn January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and\r\nCVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse\r\nSecure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could\r\nresult in authentication bypass and command injection, leading to further\r\ndownstream compromise of a victim network. Mandiant has identified zero-day\r\nexploitation of these vulnerabilities in the wild beginning as early as December 2023\r\nby a suspected espionage threat actor, currently being tracked as UNC5221.\r\nObserved Countries: Worlwide.\r\nTools used\r\nBRICKSTORM, GLASSTOKEN, LIGHTWIRE, PySoxy, THINSPOOL,\r\nWARPWIRE, WIREFIRE, ZIPLINE.\r\nOperations performed\r\n2022\r\nNVISO analyzes BRICKSTORM espionage backdoor\r\n\u003chttps://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf\u003e\r\nMar 2025\r\nSuspected China-Nexus Threat Actor Actively Exploiting Critical\r\nIvanti Connect Secure Vulnerability (CVE-2025-22457)\r\n\u003chttps://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=41ed823b-f62c-439a-9304-f9016f8dcef1\r\nPage 1 of 2\n\nInformation\nLast change to this card: 21 April 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=41ed823b-f62c-439a-9304-f9016f8dcef1\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=41ed823b-f62c-439a-9304-f9016f8dcef1\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=41ed823b-f62c-439a-9304-f9016f8dcef1" ], "report_names": [ "showcard.cgi?u=41ed823b-f62c-439a-9304-f9016f8dcef1" ], "threat_actors": [ { "id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8", "created_at": "2024-01-18T02:02:34.643994Z", "updated_at": "2026-04-10T02:00:04.959645Z", "deleted_at": null, "main_name": "UNC5221", "aliases": [ "UNC5221", "UTA0178" ], "source_name": "ETDA:UNC5221", "tools": [ "BRICKSTORM", "GIFTEDVISITOR", "GLASSTOKEN", "LIGHTWIRE", "PySoxy", "THINSPOOL", "WARPWIRE", "WIREFIRE", "ZIPLINE" ], "source_id": "ETDA", "reports": null }, { "id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9", "created_at": "2024-01-12T02:00:04.33082Z", "updated_at": "2026-04-10T02:00:03.517264Z", "deleted_at": null, "main_name": "UTA0178", "aliases": [ "UNC5221", "Red Dev 61" ], "source_name": "MISPGALAXY:UTA0178", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433980, "ts_updated_at": 1775826711, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/02bd4b95f4c587a87e17935a4316c94fb0c33810.pdf", "text": "https://archive.orkl.eu/02bd4b95f4c587a87e17935a4316c94fb0c33810.txt", "img": "https://archive.orkl.eu/02bd4b95f4c587a87e17935a4316c94fb0c33810.jpg" } }