{
	"id": "60a95dd6-9f07-459b-b03a-f15f11d7e729",
	"created_at": "2026-04-06T00:22:16.571185Z",
	"updated_at": "2026-04-10T03:33:03.193441Z",
	"deleted_at": null,
	"sha1_hash": "3dd3b9fbdcfebc3a126dcc7bb6ebc1869fcfcf25",
	"title": "Operation HangOver, Monsoon, Viceroy Tiger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89881,
	"plain_text": "Operation HangOver, Monsoon, Viceroy Tiger\nArchived: 2026-04-05 16:42:01 UTC\nThreat Group Cards: A Threat Actor Encyclopedia\n APT group: Operation HangOver, Monsoon, Viceroy Tiger\nNames\nOperation HangOver (Shadowserver Foundation)\nMonsoon (Forcepoint)\nViceroy Tiger (CrowdStrike)\nNeon (?)\nG0042 (MITRE)\nCountry India\nMotivation Information theft and espionage\nFirst seen 2010\nDescription\n(Shadowserver Foundation) On Sunday March 17th 2013 the Norwegian newspaper Aftenposten reported that the telecomm\nTelenor had filed a case with Norwegian criminal police (“KRIPOS”) over what was perceived as an unlawful intrusion into\nnetwork. The infection was reported to have been conducted via “spear phishing” emails sent to people in the upper tiers of m\nInitially, we had no information or visibility into this case. However, after some time Norwegian CERT (NorCERT) shared s\nevent, which included md5 hashes of malicious files and information about which Command and Control servers were used.\nHowever, the data we were given acted as a starting point for more data mining, and within a short period of time it became\nseeing a previously unknown and very extensive infrastructure for targeted attacks. This paper is the result of the ensuing inv\nThe samples we have uncovered seem to have been created from approximately September 2010 until the present day. It app\nactive year for this group, which saw escalation not only in numbers of created malware files but also in targets. 
There is no\nwill slow down in 2013, as we see new attacks continuously.\nIn a great number of isolated cases and contexts, the word “Appin” shows up and there seems to be some connection with th\ncompany called Appin Security Group.\nObserved\nSectors: Defense, Government, Hospitality, Telecommunications.\nCountries: Austria, Bangladesh, Canada, China, France, Germany, India, Indonesia, Iran, Jordan, Kuwait, Myanmar, Norway\nPakistan, Poland, Romania, Russia, Singapore, Sri Lanka, Taiwan, Thailand, UAE, UK, USA and Africa and Far East.\nTools used AutoIt backdoor, BackConfig, BADNEWS, TINYTYPHON, Unknown Logger, WSCSPL.\nOperations performed Jan 2020\nUpdated BackConfig Malware Targeting Government and Military Organizations in South Asia\nMITRE ATT\u0026CK Playbook https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af67327e-b4c9-443b-bcc9-3fb2efd41401\nLast change to this card: 16 August 2025\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af67327e-b4c9-443b-bcc9-3fb2efd41401",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af67327e-b4c9-443b-bcc9-3fb2efd41401"
	],
	"report_names": [
		"showcard.cgi?u=af67327e-b4c9-443b-bcc9-3fb2efd41401"
	],
	"threat_actors": [
		{
			"id": "ca292585-950c-400f-b632-c19fa3491fe1",
			"created_at": "2022-10-25T15:50:23.599765Z",
			"updated_at": "2026-04-10T02:00:05.417659Z",
			"deleted_at": null,
			"main_name": "MONSOON",
			"aliases": null,
			"source_name": "MITRE:MONSOON",
			"tools": [
				"TINYTYPHON",
				"BADNEWS",
				"Unknown Logger",
				"AutoIt backdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775791983,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3dd3b9fbdcfebc3a126dcc7bb6ebc1869fcfcf25.pdf",
		"text": "https://archive.orkl.eu/3dd3b9fbdcfebc3a126dcc7bb6ebc1869fcfcf25.txt",
		"img": "https://archive.orkl.eu/3dd3b9fbdcfebc3a126dcc7bb6ebc1869fcfcf25.jpg"
	}
}