{
	"id": "b7218221-d271-42e0-bf1d-0b56fee662ec",
	"created_at": "2026-04-06T00:17:25.136118Z",
	"updated_at": "2026-04-10T13:13:08.072019Z",
	"deleted_at": null,
	"sha1_hash": "46948a883b04994d677b4240ded8e8aead9aa22b",
	"title": "GhostNet, Snooping Dragon - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58696,
	"plain_text": "GhostNet, Snooping Dragon - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:06:30 UTC\r\nHome \u003e List all groups \u003e GhostNet, Snooping Dragon\r\n APT group: GhostNet, Snooping Dragon\r\nNames\r\nGhostNet (Information Warfare Monitor)\r\nSnooping Dragon (UCAM)\r\nCountry China\r\nSponsor State-sponsored, PLA Unit 61398\r\nMotivation Information theft and espionage\r\nFirst seen 2009\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b3621d74-4802-4c40-995b-cf9258c832ce\r\nPage 1 of 2\n\nDescription\r\n(Information Warfare Monitor) Cyber espionage is an issue whose time has come. In\r\nthis second report from the Information Warfare Monitor, we lay out the findings of a\r\n10-month investigation of alleged Chinese cyber spying against Tibetan institutions.\r\nThe investigation, consisting of fieldwork, technical scouting, and laboratory analysis,\r\ndiscovered a lot more. The investigation ultimately uncovered a network of over 1,295\r\ninfected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies,\r\ninternational organizations, news media, and NGOs. The Tibetan computer systems we\r\nmanually investigated, and from which our investigations began, were conclusively\r\ncompromised by multiple infections that gave attackers unprecedented access to\r\npotentially sensitive information.\r\n(UCAM) Attacks on the Dalai Lama’s Private Office\r\nThe OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of\r\nHis Holiness to a foreign diplomat, but before they could follow it up with a courtesy\r\ntelephone call, the diplomat’s office was contacted by the Chinese government and\r\nwarned not to go ahead with the meeting. 
The Tibetans wondered whether a computer\r\ncompromise might be the explanation; they called ONI Asia who called us. (Until May\r\n2008, the first author was employed on a studentship funded by the OpenNet Initiative\r\nand the second author was a principal investigator for ONI.)\r\nAlso see Shadow Network.\r\nObserved\r\nSectors: Embassies, Financial, Government, Media, NGOs.\r\nCountries: Bangladesh, Barbados, Bhutan, Brunei, Philippines, Cyprus, Germany,\r\nIndia, Indonesia, Iran, Latvia, Malta, Pakistan, Portugal, Romania, South Korea,\r\nTaiwan, Thailand, ASEAN, NATO and SAARC (South Asian Association for Regional\r\nCooperation), the Asian Development Bank and news organizations.\r\nTools used Gh0stnet, Gh0st RAT, TOM-Skype.\r\nCounter operations 2010 Taken down by the Shadowserver Foundation.\r\nInformation\r\n\u003chttp://www.nartv.org/mirror/ghostnet.pdf\u003e\r\n\u003chttps://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf\u003e\r\n\u003chttps://en.wikipedia.org/wiki/GhostNet\u003e\r\nLast change to this card: 21 May 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b3621d74-4802-4c40-995b-cf9258c832ce\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=b3621d74-4802-4c40-995b-cf9258c832ce\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=b3621d74-4802-4c40-995b-cf9258c832ce"
	],
	"report_names": [
		"showcard.cgi?u=b3621d74-4802-4c40-995b-cf9258c832ce"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c398d083-1e86-4cee-8937-eb057f0e6fdc",
			"created_at": "2022-10-25T16:07:24.172423Z",
			"updated_at": "2026-04-10T02:00:04.888972Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "ETDA:Shadow Network",
			"tools": [
				"ShadowNet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "172e5e21-e954-4322-9317-41f2cbaed7f1",
			"created_at": "2023-01-06T13:46:38.992713Z",
			"updated_at": "2026-04-10T02:00:03.174179Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "MISPGALAXY:Shadow Network",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46948a883b04994d677b4240ded8e8aead9aa22b.pdf",
		"text": "https://archive.orkl.eu/46948a883b04994d677b4240ded8e8aead9aa22b.txt",
		"img": "https://archive.orkl.eu/46948a883b04994d677b4240ded8e8aead9aa22b.jpg"
	}
}