{
	"id": "f8cbc7d2-1db9-43d3-835d-92a1260a6442",
	"created_at": "2026-04-06T00:07:10.421034Z",
	"updated_at": "2026-04-10T13:11:33.944741Z",
	"deleted_at": null,
	"sha1_hash": "396f2f8bb098c3c91c03b3e1c70d279d5794a61c",
	"title": "APT 30, Override Panda - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33426,
	"plain_text": "APT 30, Override Panda - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 19:13:04 UTC\r\nDescriptionAPT 30 is a threat group suspected to be associated with the Chinese government. While Naikon,\r\nLotus Panda shares some characteristics with APT 30, the two groups do not appear to be exact matches.\r\n(FireEye) When our Singapore-based FireEye labs team examined malware aimed predominantly at entities in\r\nSoutheast Asia and India, we suspected that we were peering into a regionally focused cyber espionage operation.\r\nThe malware revealed a decade-long operation focused on targets—government and commercial—who hold key\r\npolitical, economic, and military information about the region. This group, who we call APT30, stands out not\r\nonly for their sustained activity and regional focus, but also for their continued success despite maintaining\r\nrelatively consistent tools, tactics, and infrastructure since at least 2005.\r\nBased on our knowledge of APT30’s targeting activity and tools, their objective appears to be data theft as\r\nopposed to financial gain. APT30 has not been observed to target victims or data that can be readily monetized\r\n(for example, credit card data, personally identifiable information, or bank transfer credentials). Instead, their tools\r\ninclude functionality that allows them to identify and steal documents, including what appears to be an interest in\r\ndocuments that may be stored on air-gapped networks.\r\nThe group expresses a distinct interest in organizations and governments associated with ASEAN, particularly so\r\naround the time of official ASEAN meetings.\r\nMany of APT30’s decoy documents use topics related to Southeast Asia, India, border areas, and broader security\r\nand diplomatic issues. Decoy documents attached to spear phishing emails are frequently indicators of intended\r\ntargeting because threat actors generally tailor these emails to entice their intended targets —who typically work\r\non related issues—to click on the attachments and infect themselves.\r\nIn addition to APT30’s Southeast Asia and India focus, we’ve observed APT30 target journalists reporting on\r\nissues traditionally considered to be focal points for the Chinese Communist Party’s sense of legitimacy, such as\r\ncorruption, the economy, and human rights. In China, the Communist Party has the ultimate authority over the\r\ngovernment. China-based threat groups have targeted journalists before; we believe they often do so to get a better\r\nunderstanding on developing stories to anticipate unfavorable coverage and better position themselves to shape\r\npublic messaging.\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a97aea4e-ac99-4506-89e6-ba1e5b766b0d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a97aea4e-ac99-4506-89e6-ba1e5b766b0d\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a97aea4e-ac99-4506-89e6-ba1e5b766b0d"
	],
	"report_names": [
		"showcard.cgi?u=a97aea4e-ac99-4506-89e6-ba1e5b766b0d"
	],
	"threat_actors": [
		{
			"id": "360f51f5-8a80-41d6-92c4-9aa042cd2732",
			"created_at": "2022-10-25T16:07:23.34569Z",
			"updated_at": "2026-04-10T02:00:04.55147Z",
			"deleted_at": null,
			"main_name": "APT 30",
			"aliases": [
				"APT 30",
				"Bronze Geneva",
				"Bronze Sterling",
				"CTG-5326",
				"G0013",
				"Override Panda",
				"RADIUM",
				"Raspberry Typhoon"
			],
			"source_name": "ETDA:APT 30",
			"tools": [
				"BackBend",
				"Creamsicle",
				"Flashflood",
				"Gemcutter",
				"Lecna",
				"NetEagle",
				"Neteagle_Scout",
				"Orangeade",
				"ScoutEagle",
				"Shipshape",
				"ZRLnk",
				"norton"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a9ee8219-1882-4b1b-bac8-641b1603787d",
			"created_at": "2022-10-25T15:50:23.78263Z",
			"updated_at": "2026-04-10T02:00:05.351155Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"APT30"
			],
			"source_name": "MITRE:APT30",
			"tools": [
				"SHIPSHAPE",
				"FLASHFLOOD",
				"NETEAGLE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30ed778d-15b3-484e-a90b-e1e05b36a42f",
			"created_at": "2023-01-06T13:46:38.290626Z",
			"updated_at": "2026-04-10T02:00:02.91411Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"G0013"
			],
			"source_name": "MISPGALAXY:APT30",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c21da9ce-944f-4a37-8ce3-71a0f738af80",
			"created_at": "2025-08-07T02:03:24.586257Z",
			"updated_at": "2026-04-10T02:00:03.804264Z",
			"deleted_at": null,
			"main_name": "BRONZE ELGIN",
			"aliases": [
				"CTG-8171 ",
				"Lotus Blossom ",
				"Lotus Panda ",
				"Lstudio",
				"Spring Dragon "
			],
			"source_name": "Secureworks:BRONZE ELGIN",
			"tools": [
				"Chrysalis",
				"Cobalt Strike",
				"Elise",
				"Emissary Trojan",
				"Lzari",
				"Meterpreter"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "87a20b72-ab72-402f-9013-c746c8458b0b",
			"created_at": "2023-01-06T13:46:38.293223Z",
			"updated_at": "2026-04-10T02:00:02.915184Z",
			"deleted_at": null,
			"main_name": "LOTUS PANDA",
			"aliases": [
				"Red Salamander",
				"Lotus BLossom",
				"Billbug",
				"Spring Dragon",
				"ST Group",
				"BRONZE ELGIN",
				"ATK1",
				"G0030",
				"Lotus Blossom",
				"DRAGONFISH"
			],
			"source_name": "MISPGALAXY:LOTUS PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/396f2f8bb098c3c91c03b3e1c70d279d5794a61c.pdf",
		"text": "https://archive.orkl.eu/396f2f8bb098c3c91c03b3e1c70d279d5794a61c.txt",
		"img": "https://archive.orkl.eu/396f2f8bb098c3c91c03b3e1c70d279d5794a61c.jpg"
	}
}