{
	"id": "fa3a8a27-eae1-4177-be73-14d533ba52cc",
	"created_at": "2026-04-06T00:09:04.209829Z",
	"updated_at": "2026-04-10T03:32:27.380417Z",
	"deleted_at": null,
	"sha1_hash": "3ed4b15c9ad15e9dd0910e044aa01f6c97889ac5",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53908,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:39:23 UTC\nAPT group: Suckfly\nNames\nSuckfly (Symantec)\nG0039 (MITRE)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2014\nDescription\n(Symantec) In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations. These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.\nWhile there have been several Suckfly campaigns that infected organizations with the group’s custom malware Backdoor.Nidiran, the Indian targets show a greater amount of post-infection activity than targets in other regions. This suggests that these attacks were part of a planned operation against specific targets in India.\nObserved\nSectors: Entertainment, Financial, Government, Healthcare, Media, Shipping and Logistics and E-commerce, Software development and Video game development.\nCountries: India.\nTools used: gsecdump, Nidiran, smbscan, Windows Credentials Editor.\nOperations performed\nApr 2014\nThe first known Suckfly campaign began in April of 2014. During our investigation of the campaign, we identified a number of global targets across several industries who were attacked in 2015. Many of the targets we identified were well known commercial organizations located in India.\n\u003chttps://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks\u003e\nLate 2015\nWe discovered Suckfly, an advanced threat group, conducting targeted attacks using multiple stolen certificates, as well as hacktools and custom malware. The group had obtained the certificates through pre-attack operations before commencing targeted attacks against a number of government and commercial organizations spread across multiple continents over a two-year period. This type of activity and the malicious use of stolen certificates emphasizes the importance of safeguarding certificates to prevent them from being used maliciously.\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=155b1a73-17ac-449e-bdcd-54a79119b397",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=155b1a73-17ac-449e-bdcd-54a79119b397"
	],
	"report_names": [
		"showcard.cgi?u=155b1a73-17ac-449e-bdcd-54a79119b397"
	],
	"threat_actors": [
		{
			"id": "aada2650-7bef-45e4-8371-18c4318a7056",
			"created_at": "2022-10-25T15:50:23.422502Z",
			"updated_at": "2026-04-10T02:00:05.278662Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"Suckfly"
			],
			"source_name": "MITRE:Suckfly",
			"tools": [
				"Nidiran"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4a3c2a4-992d-4ce6-8c97-e39b23da9a26",
			"created_at": "2022-10-25T16:07:24.242051Z",
			"updated_at": "2026-04-10T02:00:04.909353Z",
			"deleted_at": null,
			"main_name": "Suckfly",
			"aliases": [
				"G0039"
			],
			"source_name": "ETDA:Suckfly",
			"tools": [
				"Backdoor.Nidiran",
				"Nidiran",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"gsecdump",
				"smbscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22",
				"Barista",
				"Group 46",
				"Suckfly"
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775791947,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ed4b15c9ad15e9dd0910e044aa01f6c97889ac5.pdf",
		"text": "https://archive.orkl.eu/3ed4b15c9ad15e9dd0910e044aa01f6c97889ac5.txt",
		"img": "https://archive.orkl.eu/3ed4b15c9ad15e9dd0910e044aa01f6c97889ac5.jpg"
	}
}