{
	"id": "63121b0e-eb72-43be-a84a-c16628cde830",
	"created_at": "2026-04-06T00:13:07.412204Z",
	"updated_at": "2026-04-10T03:35:44.260451Z",
	"deleted_at": null,
	"sha1_hash": "295cf08319c646a8442288972de987b5920016ee",
	"title": "PittyTiger, Pitty Panda - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57137,
	"plain_text": "PittyTiger, Pitty Panda - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 18:06:02 UTC\nHome \u003e List all groups \u003e PittyTiger, Pitty Panda\n APT group: PittyTiger, Pitty Panda\nNames\nPittyTiger (FireEye)\nPitty Panda (CrowdStrike)\nG0011 (MITRE)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2011\nDescription\n(Airbus) Pitty Tiger is a group of attackers that have been active since at least 2011. They have targeted private companies in\nsuch as defense and telecommunications, but also at least one government.\nWe have been able to track down this group of attackers and can provide detailed information about them. We were able to c\ntheir “malware arsenal”. We also analyzed their technical organization.\nOur investigations indicate that Pitty Tiger has not used any 0day vulnerability so far, rather they prefer using custom malwa\nthe group’s exclusive usage. Our discoveries indicate that Pitty Tiger is a group of attackers with the ability to stay under the\nas mature as other groups of attackers we monitor.\nPitty Tiger is probably not a state-sponsored group of attackers. They lack the experience and financial support that one wou\nsponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in t\nWe have been able to leverage several attackers profiles, showing that the Pitty Tiger group is fairly small compared to other\nis probably why we saw them work on a very limited amount of targets.\nThere is some overlap with APT 5, Keyhole Panda.\nObserved\nSectors: Defense, Government, Telecommunications and Web development.\nCountries: Taiwan and Europe.\nTools used Enfal, Gh0st RAT, gsecdump, Leo RAT, Mimikatz, Paladin RAT, pgift, Pitty, Poison Ivy.\nOperations performed\n2011\nOperation “The Eye of the Tiger”\nJul 2014\nDuring the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear phishing\nFrench company. We have seen email sent to a large group of individuals in the organization.\n2014\nIn a recent attack against a French company, the attackers sent simple, straightforward messages in English and\nemail addresses using names of actual employees of the targeted company.\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=26627515-afdb-421b-b59e-3a5300210001\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=26627515-afdb-421b-b59e-3a5300210001\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=26627515-afdb-421b-b59e-3a5300210001\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=26627515-afdb-421b-b59e-3a5300210001"
	],
	"report_names": [
		"showcard.cgi?u=26627515-afdb-421b-b59e-3a5300210001"
	],
	"threat_actors": [
		{
			"id": "1b77c737-ab1f-45e9-ae50-996741d94ab2",
			"created_at": "2022-10-25T15:50:23.842907Z",
			"updated_at": "2026-04-10T02:00:05.401907Z",
			"deleted_at": null,
			"main_name": "PittyTiger",
			"aliases": [
				"PittyTiger"
			],
			"source_name": "MITRE:PittyTiger",
			"tools": [
				"gh0st RAT",
				"Lurid",
				"gsecdump",
				"PoisonIvy",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6241b9be-9c59-4164-a7f2-c45844b14a56",
			"created_at": "2023-01-06T13:46:38.321506Z",
			"updated_at": "2026-04-10T02:00:02.926657Z",
			"deleted_at": null,
			"main_name": "APT24",
			"aliases": [
				"PITTY PANDA",
				"G0011",
				"Temp.Pittytiger"
			],
			"source_name": "MISPGALAXY:APT24",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "37941e7c-1966-4afa-b116-753e19e72808",
			"created_at": "2022-10-25T16:07:23.321195Z",
			"updated_at": "2026-04-10T02:00:04.540299Z",
			"deleted_at": null,
			"main_name": "APT 5",
			"aliases": [
				"APT 5",
				"Bronze Fleetwood",
				"Keyhole Panda",
				"Mulberry Typhoon",
				"Poisoned Flight",
				"TEMP.Bottle",
				"TG-2754"
			],
			"source_name": "ETDA:APT 5",
			"tools": [
				"LEOUNCIA",
				"shoco"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c2ef6b18-12c4-4879-a408-be4c9b03eb6e",
			"created_at": "2022-10-25T16:07:24.055115Z",
			"updated_at": "2026-04-10T02:00:04.852387Z",
			"deleted_at": null,
			"main_name": "PittyTiger",
			"aliases": [
				"G0011",
				"Operation The Eye of the Tiger",
				"Pitty Panda",
				"PittyTiger"
			],
			"source_name": "ETDA:PittyTiger",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Enfal",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Leo RAT",
				"Lurid",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Paladin",
				"Paladin RAT",
				"Pitty",
				"PittyTiger RAT",
				"Poison Ivy",
				"ReRol",
				"SPIVY",
				"gsecdump",
				"pgift",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775792144,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/295cf08319c646a8442288972de987b5920016ee.pdf",
		"text": "https://archive.orkl.eu/295cf08319c646a8442288972de987b5920016ee.txt",
		"img": "https://archive.orkl.eu/295cf08319c646a8442288972de987b5920016ee.jpg"
	}
}