{ "id": "5c2920b4-4337-49fb-908f-409dc2cab1d3", "created_at": "2026-04-06T00:21:53.127088Z", "updated_at": "2026-04-10T03:35:55.926312Z", "deleted_at": null, "sha1_hash": "06ec2f069b168ce96f2eaa57e7c21e50b7548aa6", "title": "SharpPanda, Sharp Dragon - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 51441, "plain_text": "SharpPanda, Sharp Dragon - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 12:51:22 UTC\nHome \u003e List all groups \u003e SharpPanda, Sharp Dragon\n APT group: SharpPanda, Sharp Dragon\nNames\nSharpPanda (Check Point)\nSharp Dragon (Check Point)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Check Point) Check Point Research identified an ongoing surveillance operation\ntargeting a Southeast Asian government. The attackers use spear-phishing to gain\ninitial access and leverage old Microsoft Office vulnerabilities together with the\nchain of in-memory loaders to attempt and install a previously unknown backdoor\non victim’s machines.\nOur investigation shows the operation was carried out by what we believe is a\nChinese APT group that has been testing and refining the tools in its arsenal for at\nleast 3 years.\nObserved\nSectors: Government.\nCountries: Indonesia, Malaysia, Thailand, Vietnam and Africa, the Caribbean and\nSoutheast Asia.\nTools used 8.t Dropper, Cobalt Strike.\nOperations performed\n2024\nChinese Espionage Campaign Expands to Target Africa and The\nCaribbean\nMar 2024\nInside the SharpPanda's Malware Targeting Malaysia\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7b0c519a-09c7-4d39-80cf-0b4bac1d5199\nPage 1 of 2\n\nInformation\nLast change to this card: 19 June 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7b0c519a-09c7-4d39-80cf-0b4bac1d5199\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7b0c519a-09c7-4d39-80cf-0b4bac1d5199\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7b0c519a-09c7-4d39-80cf-0b4bac1d5199" ], "report_names": [ "showcard.cgi?u=7b0c519a-09c7-4d39-80cf-0b4bac1d5199" ], "threat_actors": [ { "id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd", "created_at": "2022-10-25T16:07:24.178007Z", "updated_at": "2026-04-10T02:00:04.89066Z", "deleted_at": null, "main_name": "SharpPanda", "aliases": [ "Sharp Dragon", "SharpPanda" ], "source_name": "ETDA:SharpPanda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agentemis", "Cobalt Strike", "CobaltStrike", "RoyalRoad", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6", "created_at": "2023-11-08T02:00:07.107758Z", "updated_at": "2026-04-10T02:00:03.415268Z", "deleted_at": null, "main_name": "SharpPanda", "aliases": [ "Sharp Dragon" ], "source_name": "MISPGALAXY:SharpPanda", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434913, "ts_updated_at": 1775792155, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/06ec2f069b168ce96f2eaa57e7c21e50b7548aa6.pdf", "text": "https://archive.orkl.eu/06ec2f069b168ce96f2eaa57e7c21e50b7548aa6.txt", "img": "https://archive.orkl.eu/06ec2f069b168ce96f2eaa57e7c21e50b7548aa6.jpg" } }