{ "id": "6df1d5ba-d141-4bfc-87c2-77c51528059d", "created_at": "2026-04-06T00:12:00.371641Z", "updated_at": "2026-04-10T03:33:56.206037Z", "deleted_at": null, "sha1_hash": "35de14c25704010224a584b0f982c3a0213697d5", "title": "APT 20, Violin Panda - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 63080, "plain_text": "APT 20, Violin Panda - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 23:21:37 UTC\r\nHome \u003e List all groups \u003e APT 20, Violin Panda\r\n APT group: APT 20, Violin Panda\r\nNames\r\nAPT 20 (FireEye)\r\nAPT 8 (Mandiant)\r\nViolin Panda (Crowdstrike)\r\nTH3Bug (Palo Alto)\r\nCrawling Taurus (Palo Alto)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2014\r\nDescription\r\n(Palo Alto) We’ve uncovered some new data and likely attribution regarding a series\r\nof APT watering hole attacks this past summer. Watering hole attacks are an\r\nincreasingly popular component of APT campaigns, as many people are more aware\r\nof spear phishing and are less likely to open documents or click on links in\r\nunsolicited emails. Watering hole attacks offer a much better chance of success\r\nbecause they involve compromising legitimate websites and installing malware\r\nintended to compromise website visitors. These are often popular websites\r\nfrequented by people who work in specific industries or have political sympathies to\r\nwhich the actors want to gain access.\r\nIn contrast to many other APT campaigns, which tend to rely heavily on spear\r\nphishing to gain victims, “th3bug” is known for compromising legitimate websites\r\ntheir intended visitors are likely to frequent. Over the summer they compromised\r\nseveral sites, including a well-known Uyghur website written in that native\r\nlanguage.\r\nThis group could be related to Axiom, Group 72.\r\nObserved Sectors: Aviation, Chemical, Construction, Defense, Energy, Engineering, Financial,\r\nGovernment, Healthcare, High-Tech, Pharmaceutical, Telecommunications,\r\nTransportation and Uyghur sympathizers.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=73a85c37-08ef-4df4-ac98-7cb07b58715b\r\nPage 1 of 2\n\nCountries: Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, Thailand,\nUK, USA and East Asia.\nTools used\nBloodHound, KeeThief, Kerberoast, Mimikatz, PlugX, Poison Ivy, ProcDump,\nPsExec, SharpHound, SMBExec, WinRAR, XServer, Living off the Land.\nOperations performed 2017\nOperation “Wocao”\nInformation\nPlaybook Last change to this card: 10 March 2024\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=73a85c37-08ef-4df4-ac98-7cb07b58715b\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=73a85c37-08ef-4df4-ac98-7cb07b58715b\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=73a85c37-08ef-4df4-ac98-7cb07b58715b" ], "report_names": [ "showcard.cgi?u=73a85c37-08ef-4df4-ac98-7cb07b58715b" ], "threat_actors": [ { "id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d", "created_at": "2022-10-25T15:50:23.629983Z", "updated_at": "2026-04-10T02:00:05.362084Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "Group 72" ], "source_name": "MITRE:Axiom", "tools": [ "ZxShell", "gh0st RAT", "Zox", "PlugX", "Hikit", "PoisonIvy", "Derusbi", "Hydraq" ], "source_id": "MITRE", "reports": null }, { "id": "5d512e7c-f6a7-47b5-b440-4968c299deaf", "created_at": "2023-01-06T13:46:38.344772Z", "updated_at": "2026-04-10T02:00:02.9359Z", "deleted_at": null, "main_name": "APT20", "aliases": [ "VIOLIN PANDA", "TH3Bug", "Crawling Taurus" ], "source_name": "MISPGALAXY:APT20", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b7cb83fe-4412-40b3-8757-ace5107599b6", "created_at": "2023-01-06T13:46:39.08347Z", "updated_at": "2026-04-10T02:00:03.207564Z", "deleted_at": null, "main_name": "Operation Wocao", "aliases": [], "source_name": "MISPGALAXY:Operation Wocao", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "dd583696-3de6-4c23-bfb6-e675a38a7000", "created_at": "2022-10-25T16:07:23.338398Z", "updated_at": "2026-04-10T02:00:04.548798Z", "deleted_at": null, "main_name": "APT 20", "aliases": [ "APT 20", "APT 8", "Crawling Taurus", "Operation Wocao", "TH3Bug", "Violin Panda" ], "source_name": "ETDA:APT 20", "tools": [ "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Filesnfer", "Gen:Trojan.Heur.PT", "Kaba", "KeeThief", "Kerberoast", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "PlugX", "Poison Ivy", "ProcDump", "PsExec", "RedDelta", "SMBExec", "SPIVY", "SharpHound", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WinRAR", "XServer", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "4b48d9e2-ef19-44fb-938b-30a9078d9e49", "created_at": "2022-10-25T15:50:23.314139Z", "updated_at": "2026-04-10T02:00:05.317785Z", "deleted_at": null, "main_name": "Operation Wocao", "aliases": [ "Operation Wocao" ], "source_name": "MITRE:Operation Wocao", "tools": [ "netstat", "dsquery", "Mimikatz", "PowerSploit", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "5c74936a-79d1-41b8-81eb-01d03c90a26b", "created_at": "2022-10-25T16:07:23.371052Z", "updated_at": "2026-04-10T02:00:04.570621Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "G0001", "Group 72", "Operation SMN" ], "source_name": "ETDA:Axiom", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BlackCoffee", "BleDoor", "Chymine", "Darkmoon", "DeputyDog", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PNGRAT", "PlugX", "Poison Ivy", "RbDoor", "RedDelta", "RibDoor", "Roarur", "SPIVY", "Sensocode", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "ZXShell", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434320, "ts_updated_at": 1775792036, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/35de14c25704010224a584b0f982c3a0213697d5.pdf", "text": "https://archive.orkl.eu/35de14c25704010224a584b0f982c3a0213697d5.txt", "img": "https://archive.orkl.eu/35de14c25704010224a584b0f982c3a0213697d5.jpg" } }