{
	"id": "999b11c8-7670-4c0a-8f24-4c5777f7b076",
	"created_at": "2026-04-06T00:09:50.345985Z",
	"updated_at": "2026-04-10T13:11:45.441716Z",
	"deleted_at": null,
	"sha1_hash": "2f1b01eb4b6388c9084efd2f979468c34b364eea",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52097,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:58:29 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Macma\r\n Tool: Macma\r\nNames\r\nMacma\r\nMacMa\r\nCDDS\r\nOSX.CDDS\r\nDazzleSpy\r\nCategory Malware\r\nType Backdoor, Info stealer, Credential stealer, Exfiltration\r\nDescription\r\n(Symantec) Macma is a macOS backdoor that was first documented by Google in 2021\r\nbut appears to have been used since at least 2019. At the time of discovery, it was being\r\ndistributed in watering hole attacks involving compromised websites in Hong Kong. The\r\nwatering holes contained exploits for iOS and macOS devices. Users of macOS devices\r\nwere targeted with a privilege escalation vulnerability (CVE-2021-30869) which\r\nallowed the attackers to install Macma on vulnerable systems.\r\nMacma is a modular backdoor. Functionality includes:\r\n• Device fingerprinting\r\n• Executing commands\r\n• Screen capture\r\n• Keylogging\r\n• Audio capture\r\n• Uploading and downloading files\r\nInformation\r\n\u003chttps://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S1016\u003e\r\nMalpedia \u003chttps://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds\u003e\r\nLast change to this tool card: 28 June 2025\r\nDownload this tool card in JSON format\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=069c86ae-99de-4486-a5c4-fa3616d2a2a4\r\nPage 1 of 2\n\nAll groups using tool Macma\r\nChanged Name Country Observed\r\nAPT groups\r\n  Bronze Highland 2012-Jul 2024  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=069c86ae-99de-4486-a5c4-fa3616d2a2a4\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=069c86ae-99de-4486-a5c4-fa3616d2a2a4\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=069c86ae-99de-4486-a5c4-fa3616d2a2a4"
	],
	"report_names": [
		"listgroups.cgi?u=069c86ae-99de-4486-a5c4-fa3616d2a2a4"
	],
	"threat_actors": [
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434190,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f1b01eb4b6388c9084efd2f979468c34b364eea.pdf",
		"text": "https://archive.orkl.eu/2f1b01eb4b6388c9084efd2f979468c34b364eea.txt",
		"img": "https://archive.orkl.eu/2f1b01eb4b6388c9084efd2f979468c34b364eea.jpg"
	}
}