{ "id": "fda90b09-5a97-4dc9-92ba-a930b4f75411", "created_at": "2026-04-06T01:30:32.728281Z", "updated_at": "2026-04-10T13:13:00.796476Z", "deleted_at": null, "sha1_hash": "505b0cc599a3a0a882471400b8e2678322bf9bba", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47629, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-06 00:32:20 UTC\r\nHome \u003e List all groups \u003e Earth Wendigo\r\n APT group: Earth Wendigo\r\nNames Earth Wendigo (Trend Micro)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2019\r\nDescription\r\n(Trend Micro) We discovered a new campaign that has been targeting several organizations —\r\nincluding government organizations, research institutions and universities in Taiwan — since\r\nMay 2019, aiming to exfiltrate emails from targeted organizations via the injection of\r\nJavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear\r\nconnection to any previous attack group, we gave this new threat actor the name “Earth\r\nWendigo.”\r\nAdditional investigation shows that the threat actor also sent spear-phishing emails embedded\r\nwith malicious links to multiple individuals, including politicians and activists, who support\r\nmovements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of\r\nattacks from their operation in Taiwan, which this report covers.\r\nObserved\r\nSectors: Education, Government and politicians and activists, who support movements in\r\nTibet, the Uyghur region, or Hong Kong.\r\nCountries: Taiwan.\r\nTools used Cobalt Strike.\r\nInformation\r\n\u003chttps://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html\u003e\r\nLast change to this card: 07 January 2021\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=94bb4827-bba0-4b88-a6de-c7db9e6e8c1d\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=94bb4827-bba0-4b88-a6de-c7db9e6e8c1d\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=94bb4827-bba0-4b88-a6de-c7db9e6e8c1d" ], "report_names": [ "showcard.cgi?u=94bb4827-bba0-4b88-a6de-c7db9e6e8c1d" ], "threat_actors": [ { "id": "501fec31-9b82-487b-bad5-736645148ddc", "created_at": "2022-10-25T16:07:23.569989Z", "updated_at": "2026-04-10T02:00:04.670486Z", "deleted_at": null, "main_name": "Earth Wendigo", "aliases": [], "source_name": "ETDA:Earth Wendigo", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "a1063e48-c06a-4bdd-bb56-03654dd2c690", "created_at": "2023-01-06T13:46:39.39909Z", "updated_at": "2026-04-10T02:00:03.313651Z", "deleted_at": null, "main_name": "Earth Wendigo", "aliases": [], "source_name": "MISPGALAXY:Earth Wendigo", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775439032, "ts_updated_at": 1775826780, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/505b0cc599a3a0a882471400b8e2678322bf9bba.pdf", "text": "https://archive.orkl.eu/505b0cc599a3a0a882471400b8e2678322bf9bba.txt", "img": "https://archive.orkl.eu/505b0cc599a3a0a882471400b8e2678322bf9bba.jpg" } }