{
	"id": "50c5315f-5bb6-4da4-99cb-6b11618e81b7",
	"created_at": "2026-04-06T01:32:28.02011Z",
	"updated_at": "2026-04-10T03:26:22.074102Z",
	"deleted_at": null,
	"sha1_hash": "50744a566291b2ffb1bee2f2342fc29d2a2273bb",
	"title": "Operation Epic Manchego - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49807,
	"plain_text": "Operation Epic Manchego - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:09:13 UTC\nAPT group: Operation Epic Manchego\nNames Operation Epic Manchego (NVISO)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2020\nDescription\n(NVISO) In July 2020, NVISO detected a set of malicious Excel documents, also known as\n“maldocs”, that deliver malware through VBA-activated spreadsheets. While the malicious\nVBA code and the dropped payloads were something we had seen before, it was the specific\nway in which the Excel documents themselves were created that caught our attention.\nThe creators of the malicious Excel documents used a technique that allows them to create\nmacro-laden Excel workbooks, without actually using Microsoft Office. As a side effect of this\nparticular way of working, the detection rate for these documents is typically lower than for\nstandard maldocs.\nObserved\nCountries: Bulgaria, Canada, China, Czech, France, Germany, Hungary, Italy, Japan, Malaysia,\nNetherlands, Poland, Romania, South Korea, Sweden, UK, Ukraine, Uruguay, USA, Vietnam.\nTools used Agent Tesla, AZORult, Formbook, Matiex, njRAT.\nInformation\nLast change to this card: 17 September 2020\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f3b26faa-9b21-4401-8448-67b9c636c16f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f3b26faa-9b21-4401-8448-67b9c636c16f"
	],
	"report_names": [
		"showcard.cgi?u=f3b26faa-9b21-4401-8448-67b9c636c16f"
	],
	"threat_actors": [
		{
			"id": "f1c14cad-15c0-4ae3-be08-4226044aa8cb",
			"created_at": "2022-10-25T16:07:23.954439Z",
			"updated_at": "2026-04-10T02:00:04.806247Z",
			"deleted_at": null,
			"main_name": "Operation Epic Manchego",
			"aliases": [],
			"source_name": "ETDA:Operation Epic Manchego",
			"tools": [
				"AZORult",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Bladabindi",
				"Formbook",
				"Jorik",
				"Matiex",
				"Negasteal",
				"Origin Logger",
				"PuffStealer",
				"Rultazo",
				"ZPAQ",
				"njRAT",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439148,
	"ts_updated_at": 1775791582,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50744a566291b2ffb1bee2f2342fc29d2a2273bb.pdf",
		"text": "https://archive.orkl.eu/50744a566291b2ffb1bee2f2342fc29d2a2273bb.txt",
		"img": "https://archive.orkl.eu/50744a566291b2ffb1bee2f2342fc29d2a2273bb.jpg"
	}
}