{ "id": "19783ce5-c0df-48f4-8b03-3fb6914e6ccd", "created_at": "2026-04-06T00:14:02.586725Z", "updated_at": "2026-04-10T13:12:39.50095Z", "deleted_at": null, "sha1_hash": "23bbdf148fc7630350704b144906042b873c77a2", "title": "Wicked Spider, APT 22 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54735, "plain_text": "Wicked Spider, APT 22 - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 20:24:04 UTC\nHome \u003e List all groups \u003e Wicked Spider, APT 22\n APT group: Wicked Spider, APT 22\nNames\nWicked Spider (CrowdStrike)\nAPT 22 (Mandiant)\nBronze Export (SecureWorks)\nBronze Olive (SecureWorks)\nCountry China\nMotivation Financial crime\nFirst seen 2018\nDescription\n(CrowdStrike) Winnti Group, Wicked Panda refers to the targeted intrusion operations of the\nactor publicly known as “Winnti,” whereas Wicked Spider represents this group’s financially-motivated criminal activity. Originally, Wicked Spider was observed exploiting a number of\ngaming companies and stealing code-signing certificates for use in other operations associated\nwith the malware known as Winnti. Now, Winnti is commonly associated with the interests of\nthe government of the People’s Republic of China (PRC).\nWicked Spider has been observed targeting technology companies in Germany, Indonesia, the\nRussian Federation, South Korea, Sweden, Thailand, Turkey, the United States, and elsewhere.\nNotably, Wicked Spider has often targeted gaming companies for their certificates, which can\nbe used in future PRC-based operations to sign malware. Ongoing analysis is still evaluating\nhow these certificates are used — whether Wicked Spider hands the certificates off to other\nadversaries for use in future campaigns or stockpiles them for its own use.\nObserved\nSectors: Technology.\nCountries: Germany, Indonesia, Russia, South Korea, Sweden, Thailand, Turkey, USA and\nelsewhere.\nTools used DoublePulsar, EternalBlue, Gh0st RAT, PlugX.\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eca8267-0436-448f-aa63-97e70d08ce3e\nPage 1 of 2\n\nLast change to this card: 13 March 2024\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eca8267-0436-448f-aa63-97e70d08ce3e\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eca8267-0436-448f-aa63-97e70d08ce3e\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=2eca8267-0436-448f-aa63-97e70d08ce3e" ], "report_names": [ "showcard.cgi?u=2eca8267-0436-448f-aa63-97e70d08ce3e" ], "threat_actors": [ { "id": "5bbced13-72f7-40dc-8c41-dcce75bf885e", "created_at": "2022-10-25T15:50:23.695735Z", "updated_at": "2026-04-10T02:00:05.335976Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "Winnti Group" ], "source_name": "MITRE:Winnti Group", "tools": [ "PipeMon", "Winnti for Windows", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "7b039cc0-33b6-495a-b4ca-649d096b993d", "created_at": "2023-01-06T13:46:38.482654Z", "updated_at": "2026-04-10T02:00:02.99265Z", "deleted_at": null, "main_name": "APT22", "aliases": [ "G0039", "Suckfly", "BRONZE OLIVE", "Group 46" ], "source_name": "MISPGALAXY:APT22", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "273a41a8-5115-4f55-865f-0960a765f18c", "created_at": "2022-10-25T16:07:24.397947Z", "updated_at": "2026-04-10T02:00:04.974605Z", "deleted_at": null, "main_name": "Wicked Spider", "aliases": [ "APT 22", "Bronze Export", "Bronze Olive", "Wicked Spider" ], "source_name": "ETDA:Wicked Spider", "tools": [ "Agent.dhwf", "AngryRebel", "Destroy RAT", "DestroyRAT", "DoublePulsar", "EternalBlue", "Farfli", "Gh0st RAT", "Ghost RAT", "Kaba", "Korplug", "Moudour", "Mydoor", "PCRat", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav" ], "source_id": "ETDA", "reports": null }, { "id": "945a572f-ebe3-4e2f-a288-512fe751cfa8", "created_at": "2022-10-25T16:07:24.413971Z", "updated_at": "2026-04-10T02:00:04.97924Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "G0044", "Leopard Typhoon", "Wicked Panda", "Winnti Group" ], "source_name": "ETDA:Winnti Group", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "RbDoor", "RibDoor", "RouterGod", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc", "created_at": "2025-08-07T02:03:24.591024Z", "updated_at": "2026-04-10T02:00:03.717645Z", "deleted_at": null, "main_name": "BRONZE EXPORT", "aliases": [ "TG-3279 ", "Wicked Spider " ], "source_name": "Secureworks:BRONZE EXPORT", "tools": [ "Conpee", "PlugX", "PwDump" ], "source_id": "Secureworks", "reports": null }, { "id": "1d63fba2-f042-41ca-8a72-64c6e737d295", "created_at": "2025-08-07T02:03:24.643647Z", "updated_at": "2026-04-10T02:00:03.719558Z", "deleted_at": null, "main_name": "BRONZE OLIVE", "aliases": [ "APT22 ", "Barista", "Group 46 ", "Suckfly " ], "source_name": "Secureworks:BRONZE OLIVE", "tools": [ "Angryrebel", "DestroyRAT", "PlugX" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434442, "ts_updated_at": 1775826759, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/23bbdf148fc7630350704b144906042b873c77a2.pdf", "text": "https://archive.orkl.eu/23bbdf148fc7630350704b144906042b873c77a2.txt", "img": "https://archive.orkl.eu/23bbdf148fc7630350704b144906042b873c77a2.jpg" } }