{
	"id": "78a44eb2-9b7b-4245-ba94-b913546767f8",
	"created_at": "2026-04-06T00:14:13.219936Z",
	"updated_at": "2026-04-10T13:12:28.362721Z",
	"deleted_at": null,
	"sha1_hash": "29a5c849dbaf5a1a6e7f8b849ceb67e0175da76a",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49250,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:00:25 UTC\nOther threat group: UNC5537\nNames UNC5537 (Mandiant)\nCountry Canada\nMotivation Financial gain\nFirst seen 2024\nDescription\n(Mandiant) Through the course of our incident response engagements and threat\nintelligence collections, Mandiant has identified a threat campaign targeting Snowflake\ncustomer database instances with the intent of data theft and extortion. Snowflake is a\nmulti-cloud data warehousing platform used to store and analyze large amounts of\nstructured and unstructured data. Mandiant tracks this cluster of activity as UNC5537, a\nfinancially motivated threat actor suspected to have stolen a significant volume of\nrecords from Snowflake customer environments. UNC5537 is systematically\ncompromising Snowflake customer instances using stolen customer credentials,\nadvertising victim data for sale on cybercrime forums, and attempting to extort many of\nthe victims.\nMandiant's investigation has not found any evidence to suggest that unauthorized\naccess to Snowflake customer accounts stemmed from a breach of Snowflake's\nenterprise environment. Instead, every incident Mandiant responded to associated with\nthis campaign was traced back to compromised customer credentials.\nObserved\nTools used\nCounter operations\nNov 2024\nCanadian Suspect Arrested Over Snowflake Customer Breach and\nExtortion Attacks\nNov 2024\nUS indicts Snowflake hackers who extorted $2.5 million from 3 victims\nInformation\nPlaybook Last change to this card: 02 March 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=469b78ee-1184-44c7-ad9d-4abe1ef60a18",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=469b78ee-1184-44c7-ad9d-4abe1ef60a18"
	],
	"report_names": [
		"showcard.cgi?u=469b78ee-1184-44c7-ad9d-4abe1ef60a18"
	],
	"threat_actors": [
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-10T02:00:05.043265Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-10T02:00:03.651748Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29a5c849dbaf5a1a6e7f8b849ceb67e0175da76a.pdf",
		"text": "https://archive.orkl.eu/29a5c849dbaf5a1a6e7f8b849ceb67e0175da76a.txt",
		"img": "https://archive.orkl.eu/29a5c849dbaf5a1a6e7f8b849ceb67e0175da76a.jpg"
	}
}