{
	"id": "7af11f6d-de26-4579-8df6-efb1baea71c0",
	"created_at": "2026-04-06T03:35:47.902998Z",
	"updated_at": "2026-04-10T03:37:51.365496Z",
	"deleted_at": null,
	"sha1_hash": "04a60620d6d0776d24b04cb1a790d9853410a9f9",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54712,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 03:17:43 UTC\r\nHome \u003e List all groups \u003e Bronze Starlight\r\n APT group: Bronze Starlight\r\nNames\r\nBronze Starlight (SecureWorks)\r\nDEV-0401 (Microsoft)\r\nCinnamon Tempest (Microsoft)\r\nOperation ChattyGoblin (SentinelLabs)\r\nSLIME34 (?)\r\nHighGround (CrowdStrike)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2021\r\nDescription\r\n(SecureWorks) BRONZE STARLIGHT has been active since mid 2021 and targets\r\norganizations globally across a range of industry verticals. The group leverages HUI\r\nLoader to load Cobalt Strike and PlugX payloads for command and control. CTU\r\nresearchers have observed BRONZE STARLIGHT deploying ransomware to\r\ncompromised networks as part of name-and-shame ransomware schemes, and posted\r\nvictim names to leak sites.\r\nCTU researchers assess with moderate confidence that BRONZE STARLIGHT is\r\nlocated in China based on observed tradecraft, including the use of HUI Loader and\r\nPlugX which are associated with China-based threat group activity. 
It is plausible\r\nthat BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for\r\nfinancial gain, with the underlying motivation of stealing intellectual property\r\nor conducting espionage.\r\nObserved\r\nSectors: Casinos and Gambling.\r\nCountries: Philippines and Southeast Asia.\r\nTools used AtomSilo, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Rook.\r\nOperations performed Mar 2023 Chinese Entanglement | DLL Hijacking in the Asian Gambling\r\nSector\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ada0ccd1-3229-4514-9a65-a66dd7ec862b\r\nPage 1 of 2\n\nInformation\nLast change to this card: 28 June 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ada0ccd1-3229-4514-9a65-a66dd7ec862b\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ada0ccd1-3229-4514-9a65-a66dd7ec862b\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ada0ccd1-3229-4514-9a65-a66dd7ec862b"
	],
	"report_names": [
		"showcard.cgi?u=ada0ccd1-3229-4514-9a65-a66dd7ec862b"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446547,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04a60620d6d0776d24b04cb1a790d9853410a9f9.pdf",
		"text": "https://archive.orkl.eu/04a60620d6d0776d24b04cb1a790d9853410a9f9.txt",
		"img": "https://archive.orkl.eu/04a60620d6d0776d24b04cb1a790d9853410a9f9.jpg"
	}
}