{ "id": "a7d7207c-2d6e-46e7-b2cd-ccc5e99c2647", "created_at": "2026-04-06T00:11:57.780386Z", "updated_at": "2026-04-10T13:12:48.788986Z", "deleted_at": null, "sha1_hash": "28972318488b29a517bbd8e41d7b67b365b8656c", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50773, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 23:19:45 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool IHEATE\n Tool: IHEATE\nNames IHEATE\nCategory Malware\nType Backdoor, Info stealer, Exfiltration\nDescription\n(Trend Micro) These attacks targeting users in the United States used a variant of\nIXESHE which has been seen in Taiwan since 2009 named IHEATE. These showed some\ndifferences from known IXESHE variants: they had a different command-and-control\n(C\u0026C) communication model and encryption methods.\nOne IHEATE sample we found contains the string “EMC112” as part of the C\u0026C traffic.\nSuch strings are frequently used to identify different campaigns. In this particular case,\nthe 112 part of the string matched the malware sample’s compilation date of January 12.\nInformation\nAlienVault OTX Last change to this tool card: 20 April 2020\nDownload this tool card in JSON format\nAll groups using tool IHEATE\nChanged Name Country Observed\nAPT groups\n APT 12, Numbered Panda 2009-Nov 2016\n1 group listed (1 APT, 0 other, 0 unknown)\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28292c71-c66a-450d-a2d0-d096f954e150\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28292c71-c66a-450d-a2d0-d096f954e150\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28292c71-c66a-450d-a2d0-d096f954e150\r\nPage 2 of 2\n\nAPT groups APT 12, Numbered Panda 2009-Nov 2016 \n1 group listed (1 APT, 0 other, 0 unknown) \n Page 1 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=28292c71-c66a-450d-a2d0-d096f954e150" ], "report_names": [ "listgroups.cgi?u=28292c71-c66a-450d-a2d0-d096f954e150" ], "threat_actors": [ { "id": "c5f79f58-db78-4cd7-88cf-c029a2199360", "created_at": "2022-10-25T16:07:23.325227Z", "updated_at": "2026-04-10T02:00:04.542909Z", "deleted_at": null, "main_name": "APT 12", "aliases": [ "APT 12", "BeeBus", "Bronze Globe", "CTG-8223", "Calc Team", "Crimson Iron", "DNSCalc", "DynCALC", "G0005", "Group 22", "Hexagon Typhoon", "Numbered Panda" ], "source_name": "ETDA:APT 12", "tools": [ "AUMLIB", "ETUMBOT", "Exploz", "Graftor", "HIGHTIDE", "IHEATE", "IXESHE", "RIPTIDE", "RapidStealer", "Specfix", "THREEBYTE", "bbsinfo", "mswab", "yayih" ], "source_id": "ETDA", "reports": null }, { "id": "d18fe42c-8407-4f96-aee0-a04e6dce219a", "created_at": "2023-01-06T13:46:38.275292Z", "updated_at": "2026-04-10T02:00:02.907303Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "Group 22", "Calc Team", "DNSCalc", "IXESHE", "Hexagon Typhoon", "BeeBus", "DynCalc", "Crimson Iron", "BRONZE GLOBE", "NUMBERED PANDA", "TG-2754" ], "source_name": "MISPGALAXY:APT12", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184", "created_at": "2022-10-25T15:50:23.685924Z", "updated_at": "2026-04-10T02:00:05.364493Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "APT12", "IXESHE", "DynCalc", "Numbered Panda", "DNSCALC" ], "source_name": "MITRE:APT12", "tools": [ "Ixeshe", "RIPTIDE", "HTRAN" ], "source_id": "MITRE", "reports": null }, { "id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35", "created_at": "2025-08-07T02:03:24.608888Z", "updated_at": "2026-04-10T02:00:03.749632Z", "deleted_at": null, "main_name": "BRONZE GLOBE", "aliases": [ "APT12 ", "CTG-8223 ", "DyncCalc ", "Numbered Panda ", "PortCalc" ], "source_name": "Secureworks:BRONZE GLOBE", "tools": [ "Badpuck", "BeepService", "Etumbot", "Gh0st RAT", "Ixeshe", "Mswab", "RAdmin", "Seatran", "SvcInstaller", "Ziyang" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434317, "ts_updated_at": 1775826768, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/28972318488b29a517bbd8e41d7b67b365b8656c.pdf", "text": "https://archive.orkl.eu/28972318488b29a517bbd8e41d7b67b365b8656c.txt", "img": "https://archive.orkl.eu/28972318488b29a517bbd8e41d7b67b365b8656c.jpg" } }