{
	"id": "7039d6c6-f6e3-4a4a-a4e5-0c11fce57539",
	"created_at": "2026-04-06T00:20:08.140092Z",
	"updated_at": "2026-04-12T02:22:06.828726Z",
	"deleted_at": null,
	"sha1_hash": "4aed73368b2e7fb9a1477d696bfd4df87361f143",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54779,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:33:12 UTC\nAPT group: Dalbit\nNames: Dalbit (AhnLab)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2022\nDescription\n(AhnLab) This group has had more than 50 confirmed attack attempts on Korean companies\nsince 2022. Most of the attacked companies were mid to small companies while a portion was\nmajor companies. The team has confirmed that 30% of the infected companies were using a\ncertain Korean groupware solution. It is currently difficult to check whether this groupware\nproduct has a vulnerability or not, but if a server that is this exposed has a vulnerability, then\nthere is a chance that companies could be affected gravely through the leakage of confidential\ninformation and ransomware behavior. Furthermore, this Dalbit group leaves some infected\ncompanies as proxies and download servers to later use them as means to communicate with\nthe threat actor upon infiltration of another company.\nObserved\nSectors: Automotive, Chemical, Construction, Education, Energy, Food and Agriculture, High-Tech, Hospitality, Industrial, Maritime and Shipbuilding, Media, Shipping and Logistics,\nTechnology and Consulting companies.\nCountries: South Korea.\nTools used\nAntSword, ASPXSpy, BadPotato, BlueShell, China Chopper, Cobalt Strike, EFSPotato, FRP,\nGodzilla, HTran, JuicyPotato, LadonGo, Metasploit, Mimikatz, NPS, ProcDump, PsExec,\nreGeorg, Remcom, RottenPotato, SweetPotato.\nInformation Last change to this card: 17 February 2023\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d6e1986f-377f-4077-81f9-c1b59ef649d8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=d6e1986f-377f-4077-81f9-c1b59ef649d8"
	],
	"report_names": [
		"showcard.cgi?u=d6e1986f-377f-4077-81f9-c1b59ef649d8"
	],
	"threat_actors": [
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-12T02:00:04.540526Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-12T02:00:03.509365Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434808,
	"ts_updated_at": 1775960526,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4aed73368b2e7fb9a1477d696bfd4df87361f143.pdf",
		"text": "https://archive.orkl.eu/4aed73368b2e7fb9a1477d696bfd4df87361f143.txt",
		"img": "https://archive.orkl.eu/4aed73368b2e7fb9a1477d696bfd4df87361f143.jpg"
	}
}