{
	"id": "22a98e93-84e3-4605-b10c-48441b0631cf",
	"created_at": "2026-04-06T00:16:03.512267Z",
	"updated_at": "2026-04-10T13:12:16.12606Z",
	"deleted_at": null,
	"sha1_hash": "157ef84c85fcceb119fa0c91aea9275c3895b821",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50855,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:42:47 UTC\r\n APT group: Lead\r\nNames\r\nLead (Microsoft)\r\nTG-3279 (SecureWorks)\r\nCasper (BlackBerry)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\n(Microsoft) In the past few years, Lead’s victims have included:\r\n• Multinational, multi-industry companies involved in the manufacture of textiles, chemicals,\r\nand electronics\r\n• Pharmaceutical companies\r\n• A company in the chemical industry\r\n• University faculty specializing in aeronautical engineering and research\r\n• A company involved in the design and manufacture of motor vehicles\r\n• A cybersecurity company focusing on protecting industrial control systems\r\nDuring these intrusions, Lead’s objective was to steal sensitive data, including research\r\nmaterials, process documents, and project plans. Lead also steals code-signing certificates to\r\nsign its malware in subsequent attacks.\r\nIn most cases, Lead’s attacks do not feature any advanced exploit techniques. The group also\r\ndoes not make special effort to cultivate victims prior to an attack. Instead, the group often\r\nsimply emails a Winnti installer to potential victims, relying on basic social engineering tactics\r\nto convince recipients to run the attached malware. In some other cases, Lead gains access to a\r\ntarget by brute-forcing remote access login credentials, performing SQL injection, or\r\nexploiting unpatched web servers, and then they copy the Winnti installer directly to\r\ncompromised machines.\r\nObserved\r\nSectors: Online video game companies, Pharmaceutical, Technology, Telecommunications.\r\nCountries: Japan, USA.\r\nTools used Cobalt Strike, Winnti.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=c874e794-c836-4714-9ed3-a168a967a942\r\nPage 1 of 2\n\nInformation\nLast change to this card: 14 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c874e794-c836-4714-9ed3-a168a967a942\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=c874e794-c836-4714-9ed3-a168a967a942\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=c874e794-c836-4714-9ed3-a168a967a942"
	],
	"report_names": [
		"showcard.cgi?u=c874e794-c836-4714-9ed3-a168a967a942"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc",
			"created_at": "2025-08-07T02:03:24.591024Z",
			"updated_at": "2026-04-10T02:00:03.717645Z",
			"deleted_at": null,
			"main_name": "BRONZE EXPORT",
			"aliases": [
				"TG-3279 ",
				"Wicked Spider "
			],
			"source_name": "Secureworks:BRONZE EXPORT",
			"tools": [
				"Conpee",
				"PlugX",
				"PwDump"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/157ef84c85fcceb119fa0c91aea9275c3895b821.pdf",
		"text": "https://archive.orkl.eu/157ef84c85fcceb119fa0c91aea9275c3895b821.txt",
		"img": "https://archive.orkl.eu/157ef84c85fcceb119fa0c91aea9275c3895b821.jpg"
	}
}