{ "id": "c7b03ebf-a6f2-460b-9936-637604ad70d7", "created_at": "2026-04-06T00:19:38.398438Z", "updated_at": "2026-04-10T03:33:50.226182Z", "deleted_at": null, "sha1_hash": "3a2cd83195faf69b09ccfc47bea8088fadcb79ee", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48531, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 19:23:30 UTC\n APT group: WindShift\nNames\nWindShift (DarkMatter)\nWindy Phoenix (Palo Alto)\nG0112 (MITRE)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Palo Alto) In August of 2018, DarkMatter released a report entitled “In the Trails of\nWindShift APT”, which unveiled a threat actor with TTPs very similar to those of\nBahamut. Subsequently, two additional articles were released by Objective-See which\nprovide an analysis of some validated WindShift samples targeting OSX systems.\nPivoting on specific file attributes and infrastructure indicators, Unit 42 was able to\nidentify and correlate additional attacker activity and can now provide specific details on\na targeted WindShift attack as it unfolded at a Middle Eastern government agency.\nObserved\nSectors: Government.\nCountries: Middle East.\nTools used WindTail.\nInformation\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b75fd09b-c1ba-4b08-8adc-61925e605e78\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b75fd09b-c1ba-4b08-8adc-61925e605e78\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b75fd09b-c1ba-4b08-8adc-61925e605e78\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b75fd09b-c1ba-4b08-8adc-61925e605e78" ], "report_names": [ "showcard.cgi?u=b75fd09b-c1ba-4b08-8adc-61925e605e78" ], "threat_actors": [ { "id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9", "created_at": "2022-10-25T16:07:23.38079Z", "updated_at": "2026-04-10T02:00:04.574399Z", "deleted_at": null, "main_name": "Bahamut", "aliases": [], "source_name": "ETDA:Bahamut", "tools": [ "Bahamut", "DownPaper" ], "source_id": "ETDA", "reports": null }, { "id": "f99641e0-2688-47b0-97bc-7410659d49a0", "created_at": "2023-01-06T13:46:38.802141Z", "updated_at": "2026-04-10T02:00:03.106084Z", "deleted_at": null, "main_name": "Bahamut", "aliases": [], "source_name": "MISPGALAXY:Bahamut", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6bd4ed50-e116-494c-bb70-9587876663f1", "created_at": "2023-01-06T13:46:39.004062Z", "updated_at": "2026-04-10T02:00:03.178044Z", "deleted_at": null, "main_name": "WindShift", "aliases": [ "Windy Phoenix" ], "source_name": "MISPGALAXY:WindShift", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "68f12936-2361-4720-87e1-b79a4fdbf1a0", "created_at": "2022-10-25T16:07:24.409855Z", "updated_at": "2026-04-10T02:00:04.978227Z", "deleted_at": null, "main_name": "WindShift", "aliases": [ "G0112", "Windy Phoenix" ], "source_name": "ETDA:WindShift", "tools": [ "WindTail" ], "source_id": "ETDA", "reports": null }, { "id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8", "created_at": "2022-10-25T15:50:23.6515Z", "updated_at": "2026-04-10T02:00:05.352078Z", "deleted_at": null, "main_name": "Windshift", "aliases": [ "Windshift", "Bahamut" ], "source_name": "MITRE:Windshift", "tools": [ "WindTail" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434778, "ts_updated_at": 1775792030, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3a2cd83195faf69b09ccfc47bea8088fadcb79ee.pdf", "text": "https://archive.orkl.eu/3a2cd83195faf69b09ccfc47bea8088fadcb79ee.txt", "img": "https://archive.orkl.eu/3a2cd83195faf69b09ccfc47bea8088fadcb79ee.jpg" } }