{
	"id": "d5f28dbc-2257-48fd-a61d-8c661f97c252",
	"created_at": "2026-04-06T00:18:37.663405Z",
	"updated_at": "2026-04-10T03:30:47.808377Z",
	"deleted_at": null,
	"sha1_hash": "2435acf42194ca449e86bbb2fb644e88883cf8d2",
	"title": "APT 4, Maverick Panda, Wisp Team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61088,
	"plain_text": "APT 4, Maverick Panda, Wisp Team\r\nArchived: 2026-04-05 21:26:32 UTC\r\nHome \u003e List all groups \u003e APT 4, Maverick Panda, Wisp Team\r\n APT group: APT 4, Maverick Panda, Wisp Team\r\nNames\r\nAPT 4 (Mandiant)\r\nAPT 4 (FireEye)\r\nMaverick Panda (CrowdStrike)\r\nWisp Team (Symantec)\r\nSykipot (AlienVault)\r\nTG-0623 (SecureWorks)\r\nBronze Edison (SecureWorks)\r\nSodium (Microsoft)\r\nSalmon Typhoo (Microsoft)\r\nCountry China\r\nSponsor State-sponsored, PLA Navy\r\nMotivation Information theft and espionage\r\nFirst seen 2007\r\nDescription\r\n(Trend Micro) Sykipot has a history of primarily targeting US Defense Initial Base\r\n(DIB) and key industries such as telecommunications, computer hardware,\r\ngovernment contractors, and aerospace. Open source review of 15 major Sykipot\r\nattacks over the last 6 years confirm this.\r\nRecently, we encountered a case where Sykipot variants were gathering information\r\nrelated to the civil aviation sector. The exploitation occurred at a target consistent\r\nwith their history, the information sought raises new interest. 
The intentions of this\r\nlatest round of targeting are unclear, but it represents a change in shift in objectives\r\nor mission.\r\nObserved\r\nSectors: Aerospace, Aviation, Defense, Government, Telecommunications.\r\nCountries: USA.\r\nTools used Sykipot, XMRig.\r\nOperations performed Dec 2011 Are the Sykipot’s authors obsessed with next generation US drones?\r\n\u003chttps://cybersecurity.att.com/blogs/labs-research/are-the-sykipots-authors-obsessed-with-next-generation-us-drones\u003e\nJan 2012\nSykipot variant hijacks DOD and Windows smart cards\nJul 2012\nSykipot is back\nMar 2013\nNew Sykipot developments\nSep 2013\nSykipot Now Targeting US Civil Aviation Sector Information\n2015\nA group dubbed APT4 is suspected to be behind a breach of an Asian\nairline company discovered in the second quarter of this year. Its attack\nstyle uses well-written and researched ‘spear-phishes’ with industry\nthemes. The attacks were aimed at public key infrastructure targets.\nOct 2018\nThe report also mentions some attacks conducted by APT4 which\nincludes sending malicious emails to a blockchain gaming start-up last\nyear and attacking a cryptocurrency exchange in June 2018. In last\nOctober, the group also used XMRig, a Monero cryptocurrency mining\ntool in the target’s computer.\nInformation\nLast change to this card: 06 March 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=37543431-9ac9-488b-ad5a-eded5a6ff964",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=37543431-9ac9-488b-ad5a-eded5a6ff964"
	],
	"report_names": [
		"showcard.cgi?u=37543431-9ac9-488b-ad5a-eded5a6ff964"
	],
	"threat_actors": [
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2ac8fb39-1ad4-407c-bf51-249751a575ba",
			"created_at": "2023-01-06T13:46:38.337728Z",
			"updated_at": "2026-04-10T02:00:02.933527Z",
			"deleted_at": null,
			"main_name": "SAMURAI PANDA",
			"aliases": [
				"PLA Navy",
				"Wisp Team"
			],
			"source_name": "MISPGALAXY:SAMURAI PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434717,
	"ts_updated_at": 1775791847,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2435acf42194ca449e86bbb2fb644e88883cf8d2.pdf",
		"text": "https://archive.orkl.eu/2435acf42194ca449e86bbb2fb644e88883cf8d2.txt",
		"img": "https://archive.orkl.eu/2435acf42194ca449e86bbb2fb644e88883cf8d2.jpg"
	}
}