{
	"id": "5598e4ca-b035-447c-b12e-7281abf917ba",
	"created_at": "2026-04-06T15:53:04.12111Z",
	"updated_at": "2026-04-10T03:36:01.163218Z",
	"deleted_at": null,
	"sha1_hash": "47a7139334fbc65b7a3a7afee17273c21a342250",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47160,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 15:42:20 UTC\nHome \u003e List all groups \u003e CardinalLizard\n APT group: CardinalLizard\nNames CardinalLizard (Kaspersky)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2014\nDescription\n(Kaspersky) We are moderately confident that this is a new collection of Chinese-speaking\nactivity targeting businesses, active since 2014. Over the last few years, the group has shown\nan interest in the Philippines, Russia, Mongolia and Malaysia, the latter especially prevalent\nduring 2018. The hackers use a custom malware featuring some interesting anti-detection and\nanti-emulation techniques. The infrastructure used also shows some overlaps with Roaming\nTiger and previous PlugX campaigns, but this could just be due to infrastructure reuse under\nthe Chinese-speaking umbrella.\nObserved Countries: Malaysia, Mongolia, Philippines, Russia.\nTools used PlugX.\nInformation Last change to this card: 29 April 2020\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e69f77ea-849d-4497-9f87-ca96df6921e2\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=e69f77ea-849d-4497-9f87-ca96df6921e2\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=e69f77ea-849d-4497-9f87-ca96df6921e2"
	],
	"report_names": [
		"showcard.cgi?u=e69f77ea-849d-4497-9f87-ca96df6921e2"
	],
	"threat_actors": [
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33d8cb45-44a3-46fc-8145-5de8f8e7b7f8",
			"created_at": "2024-02-06T02:00:04.152253Z",
			"updated_at": "2026-04-10T02:00:03.5803Z",
			"deleted_at": null,
			"main_name": "CardinalLizard",
			"aliases": [],
			"source_name": "MISPGALAXY:CardinalLizard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "69bb4129-851b-4a19-941d-28a6c2d8c258",
			"created_at": "2022-10-25T16:07:23.445916Z",
			"updated_at": "2026-04-10T02:00:04.605868Z",
			"deleted_at": null,
			"main_name": "CardinalLizard",
			"aliases": [],
			"source_name": "ETDA:CardinalLizard",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273 ",
				"Roaming Tiger ",
				"Rotten Tomato "
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775490784,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47a7139334fbc65b7a3a7afee17273c21a342250.pdf",
		"text": "https://archive.orkl.eu/47a7139334fbc65b7a3a7afee17273c21a342250.txt",
		"img": "https://archive.orkl.eu/47a7139334fbc65b7a3a7afee17273c21a342250.jpg"
	}
}