{
	"id": "fd12694b-6014-48e0-9bd2-f83dce389829",
	"created_at": "2026-04-06T00:17:33.316874Z",
	"updated_at": "2026-04-10T03:30:25.863695Z",
	"deleted_at": null,
	"sha1_hash": "3b17a5ab1eaca48bf65d1e765bb3f2b1b4176af4",
	"title": "Operation Red Signature - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48685,
	"plain_text": "Operation Red Signature - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-05 22:20:42 UTC\nHome \u003e List all groups \u003e Operation Red Signature\nAPT group: Operation Red Signature\nNames Operation Red Signature (Trend Micro)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Trend Micro) Together with our colleagues at IssueMakersLab, we uncovered Operation Red\nSignature, an information theft-driven supply chain attack targeting organizations in South\nKorea. We discovered the attacks around the end of July, while the media reported the attack in\nSouth Korea on August 6.\nThe threat actors compromised the update server of a remote support solutions provider to\ndeliver a remote access tool called 9002 RAT to their targets of interest through the update\nprocess. They carried this out by first stealing the company’s certificate, then using it to sign\nthe malware. They also configured the update server to only deliver malicious files if the client\nis located in the range of IP addresses of their target organizations.\n9002 RAT also installed additional malicious tools: an exploit tool for Internet Information\nServices (IIS) 6 WebDAV (exploiting CVE-2017-7269) and an SQL database password dumper.\nThese tools hint at how the attackers are also after data stored in their target’s web server and\ndatabase.\nObserved Countries: South Korea.\nTools used 9002 RAT.\nInformation\nLast change to this card: 29 April 2020\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b097cbfd-9d8d-4899-9e51-c3d673cdd74d\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b097cbfd-9d8d-4899-9e51-c3d673cdd74d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b097cbfd-9d8d-4899-9e51-c3d673cdd74d\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b097cbfd-9d8d-4899-9e51-c3d673cdd74d"
	],
	"report_names": [
		"showcard.cgi?u=b097cbfd-9d8d-4899-9e51-c3d673cdd74d"
	],
	"threat_actors": [
		{
			"id": "8860d9ac-afa8-454d-9d86-926aa8dd5019",
			"created_at": "2024-02-08T02:00:04.313581Z",
			"updated_at": "2026-04-10T02:00:03.582422Z",
			"deleted_at": null,
			"main_name": "Operation Red Signature",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Red Signature",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "446025dc-d003-448e-a5ea-43ce24bc883d",
			"created_at": "2022-10-25T16:07:23.997281Z",
			"updated_at": "2026-04-10T02:00:04.827365Z",
			"deleted_at": null,
			"main_name": "Operation Red Signature",
			"aliases": [],
			"source_name": "ETDA:Operation Red Signature",
			"tools": [
				"9002 RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"McRAT",
				"MdmBot",
				"Roarur"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775791825,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b17a5ab1eaca48bf65d1e765bb3f2b1b4176af4.pdf",
		"text": "https://archive.orkl.eu/3b17a5ab1eaca48bf65d1e765bb3f2b1b4176af4.txt",
		"img": "https://archive.orkl.eu/3b17a5ab1eaca48bf65d1e765bb3f2b1b4176af4.jpg"
	}
}