{
	"id": "170be256-c4ce-4dd1-8000-cfe43372cb01",
	"created_at": "2026-04-06T00:11:10.585778Z",
	"updated_at": "2026-04-10T13:12:34.943718Z",
	"deleted_at": null,
	"sha1_hash": "148d568880881afc23f19d9bb1dbc4ebda2136b3",
	"title": "Operation Manul - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56399,
	"plain_text": "Operation Manul - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 20:28:12 UTC\r\nHome \u003e List all groups \u003e Operation Manul\r\n APT group: Operation Manul\r\nNames Operation Manul (Electronic Frontier Foundation)\r\nCountry Kazakhstan\r\nMotivation Information theft and espionage\r\nFirst seen 2015\r\nDescription\r\n(Electronic Frontier Foundation) This report covers a campaign of phishing and malware\r\nwhich we have named “Operation Manul” and which, based on the available evidence, we\r\nbelieve is likely to have been carried out on behalf of the government of Kazakhstan against\r\njournalists, dissidents living in Europe, their family members, known associates, and their\r\nlawyers.\r\nMany of the targets are involved in litigation with the government of Kazakhstan in European\r\nand American courts whose substance ranges from attempts by the government of Kazakhstan\r\nto unmask the administrators behind an anonymous website that publishes leaks alleging\r\ngovernment corruption (Kazaword) to allegations of kidnapping.\r\nOur research suggests links between this campaign and other campaigns that have been\r\nattributed to an Indian security company called Appin Security Group. A hired actor is\r\nconsistent with our findings on the Command and Control servers related to this campaign,\r\nwhich included web-based control panels for multiple RATs, suggesting that several\r\ncampaigns were being run at once. A hired actor may also explain the generic and uninspired\r\nnature of the phishing, which often took the form of an email purporting to contain an invoice\r\nor a legal document with an attachment containing a blurry image. An investigation by the\r\nSwiss federal police of some of the emails linked to Operation Manul concludes that they were\r\nsent from IP addresses in India, which also suggests a link to Appin.\r\nObserved\r\nSectors: journalists and dissidents.\r\nCountries: Europe.\r\nTools used Bandook, JRat.\r\nInformation \u003chttps://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf\u003e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eb09560-6cce-4c19-ab9d-7cb929bd110c\r\nPage 1 of 2\n\nLast change to this card: 09 August 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eb09560-6cce-4c19-ab9d-7cb929bd110c\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eb09560-6cce-4c19-ab9d-7cb929bd110c\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eb09560-6cce-4c19-ab9d-7cb929bd110c"
	],
	"report_names": [
		"showcard.cgi?u=2eb09560-6cce-4c19-ab9d-7cb929bd110c"
	],
	"threat_actors": [
		{
			"id": "d4347dfe-2489-4fe4-8097-f4be33aadac2",
			"created_at": "2022-10-25T16:07:23.973289Z",
			"updated_at": "2026-04-10T02:00:04.815324Z",
			"deleted_at": null,
			"main_name": "Operation Manul",
			"aliases": [],
			"source_name": "ETDA:Operation Manul",
			"tools": [
				"Bandok",
				"Bandook",
				"JRat",
				"Jacksbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/148d568880881afc23f19d9bb1dbc4ebda2136b3.pdf",
		"text": "https://archive.orkl.eu/148d568880881afc23f19d9bb1dbc4ebda2136b3.txt",
		"img": "https://archive.orkl.eu/148d568880881afc23f19d9bb1dbc4ebda2136b3.jpg"
	}
}