{
	"id": "a59e0d92-ecff-4041-bc3b-d26b6fe4edbd",
	"created_at": "2026-04-06T00:07:35.406244Z",
	"updated_at": "2026-04-10T03:26:15.574591Z",
	"deleted_at": null,
	"sha1_hash": "13b1ef05fe2f82ebaa552a2f7bbe00b1dd19a71a",
	"title": "Operation Shady RAT - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56570,
	"plain_text": "Operation Shady RAT - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 18:59:56 UTC\r\nAPT group: Operation Shady RAT\r\nNames Operation Shady RAT (McAfee)\r\nCountry China\r\nSponsor State-sponsored, PLA Unit 61398\r\nMotivation Information theft and espionage\r\nFirst seen 2006\r\nDescription (McAfee) With the goal of raising the level of public awareness today we are publishing the\r\nmost comprehensive analysis ever revealed of victim profiles from a five year targeted\r\noperation by one specific actor—Operation Shady RAT, as I have named it at McAfee (RAT is\r\na common acronym in the industry which stands for Remote Access Tool).\r\nThis is not a new attack, and the vast majority of the victims have long since remediated these\r\nspecific infections (although whether most realized the seriousness of the intrusion or simply\r\ncleaned up the infected machine without further analysis into the data loss is an open\r\nquestion). McAfee has detected the malware variants and other relevant indicators for years\r\nwith Generic Downloader.x and Generic BackDoor.t heuristic signatures (those who have had\r\nprior experience with this specific adversary may recognize it by the use of encrypted HTML\r\ncomments in web pages that serve as a command channel to the infected machine).\r\nMcAfee has gained access to one specific Command \u0026 Control server used by the intruders.\r\nWe have collected logs that reveal the full extent of the victim population since mid-2006\r\nwhen the log collection began. Note that the actual intrusion activity may have begun well\r\nbefore that time but that is the earliest evidence we have for the start of the compromises. The\r\ncompromises themselves were standard procedure for these types of targeted intrusions: a\r\nspear-phishing email containing an exploit is sent to an individual with the right level of access\r\nat the company, and the exploit when opened on an unpatched system will trigger a download\r\nof the implant malware. That malware will execute and initiate a backdoor communication\r\nchannel to the Command \u0026 Control web server and interpret the instructions encoded in the\r\nhidden comments embedded in the webpage code. This will be quickly followed by live\r\nintruders jumping on to the infected machine and proceeding to quickly escalate privileges and\r\nmove laterally within the organization to establish new persistent footholds via additional\r\ncompromised machines running implant malware, as well as targeting for quick exfiltration the\r\nkey data they came for.\r\nObserved\r\nSectors: Energy, Government, Industrial, IT, Media, Telecommunications, Think Tanks, Non-profit organizations.\r\nCountries: Canada, Denmark, Germany, Hong Kong, India, Indonesia, Japan, Singapore,\r\nSouth Korea, Switzerland, Taiwan, UK, USA, Vietnam.\r\nTools used\r\nInformation\r\n\u003chttps://web.archive.org/web/20110804083836/http:/www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf\u003e\r\n\u003chttps://www.vanityfair.com/news/2011/09/chinese-hacking-201109\u003e\r\n\u003chttps://en.wikipedia.org/wiki/Operation_Shady_RAT\u003e\r\nLast change to this card: 21 May 2021\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3227cd76-90c0-4139-83c0-afbdb298d1f2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3227cd76-90c0-4139-83c0-afbdb298d1f2"
	],
	"report_names": [
		"showcard.cgi?u=3227cd76-90c0-4139-83c0-afbdb298d1f2"
	],
	"threat_actors": [
		{
			"id": "b7aa23d0-65c8-49f4-8052-837ce6251b63",
			"created_at": "2022-10-25T16:07:24.006105Z",
			"updated_at": "2026-04-10T02:00:04.831292Z",
			"deleted_at": null,
			"main_name": "Operation Shady RAT",
			"aliases": [],
			"source_name": "ETDA:Operation Shady RAT",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775791575,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13b1ef05fe2f82ebaa552a2f7bbe00b1dd19a71a.pdf",
		"text": "https://archive.orkl.eu/13b1ef05fe2f82ebaa552a2f7bbe00b1dd19a71a.txt",
		"img": "https://archive.orkl.eu/13b1ef05fe2f82ebaa552a2f7bbe00b1dd19a71a.jpg"
	}
}