{
	"id": "3bb0a071-9047-44d1-abd9-1517af3cc5e1",
	"created_at": "2026-04-06T00:13:17.751092Z",
	"updated_at": "2026-04-10T03:36:06.594785Z",
	"deleted_at": null,
	"sha1_hash": "15daf07aefd5d9e174e195c7036e1746caecb2e7",
	"title": "Carderbee Targets Hong Kong in Supply Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2258265,
	"plain_text": "Carderbee Targets Hong Kong in Supply Chain Attack\r\nBy The Hivemind\r\nSep 8, 2023 2:29:33 PM\r\nRelated Families: Korplug, PlugX\r\nExecutive Summary\r\nIn a recent campaign, Carderbee targeted entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software.\r\nKey Takeaways\r\nA recent campaign targeted entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software.\r\nThe threat actors targeted these entities with the goal of deploying a version of Korplug (PlugX) on victim systems.\r\nSome of the malware used in the campaign was signed with a Microsoft certificate.\r\nSymantec attributed this activity to a previously unnamed group they dubbed Carderbee.\r\nhttps://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack\r\nThe Campaign\r\nSymantec recently reported on activity attributed to a threat actor group dubbed Carderbee. In the campaign, the threat actors targeted entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. The activity began as early as September 2022.\r\nThe threat actors targeted these entities with the goal of deploying a version of Korplug (PlugX) on victim systems. The version of Korplug used had multiple capabilities, including executing commands via CMD, enumerating files, checking running processes, downloading files, opening firewall ports, and keylogging. Some of the malware used in the campaign was signed with a Microsoft certificate. While the Cobra DocGuard software used in the campaign was installed on over 2,000 computers, only about 100 of them showed evidence of malicious activity. This likely indicates that Carderbee was selectively targeting certain entities.\r\nWho is Carderbee?\r\nCobra DocGuard, legitimate encryption software, has previously been used by China-nexus threat actor groups including Winnti and Budworm. Since the other TTPs did not seem to follow those of a known threat actor group, Symantec attributed this activity to a previously unnamed group they dubbed Carderbee. Symantec noted that Carderbee appears to consist of patient and skilled threat actors. At this time, no other details about the threat actor group are available.\r\nIOCs\r\nPolySwarm has multiple samples associated with this activity.\r\nb5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea\r\n96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622\r\n2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936\r\n7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d\r\n1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d\r\nf64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97\r\nYou can use the following CLI command to search for all related samples in our portal:\r\n$ polyswarm link list -f Carderbee\r\nDon’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.\r\nContact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports\r\nSource: https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack"
	],
	"report_names": [
		"carderbee-targets-hong-kong-in-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "c1f1d9ce-ad31-49db-9f82-cc0dd12374da",
			"created_at": "2023-01-06T13:46:39.006986Z",
			"updated_at": "2026-04-10T02:00:03.17886Z",
			"deleted_at": null,
			"main_name": "[Unnamed group]",
			"aliases": [],
			"source_name": "MISPGALAXY:[Unnamed group]",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e737c474-a1f2-4e18-9d78-1c00f0887fa0",
			"created_at": "2023-11-05T02:00:08.085728Z",
			"updated_at": "2026-04-10T02:00:03.401539Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "MISPGALAXY:Carderbee",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17cfc7a6-c8f2-4806-b77f-ba23fb772e70",
			"created_at": "2023-09-07T02:02:47.182792Z",
			"updated_at": "2026-04-10T02:00:04.604605Z",
			"deleted_at": null,
			"main_name": "Carderbee",
			"aliases": [],
			"source_name": "ETDA:Carderbee",
			"tools": [
				"Agent.dhwf",
				"Cobra DocGuard",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434397,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15daf07aefd5d9e174e195c7036e1746caecb2e7.pdf",
		"text": "https://archive.orkl.eu/15daf07aefd5d9e174e195c7036e1746caecb2e7.txt",
		"img": "https://archive.orkl.eu/15daf07aefd5d9e174e195c7036e1746caecb2e7.jpg"
	}
}