{ "id": "f490b96e-c86c-48ff-a045-bff98ef4fdb2", "created_at": "2026-04-06T03:36:41.706539Z", "updated_at": "2026-04-10T03:24:26.603185Z", "deleted_at": null, "sha1_hash": "56a30c9b3838e4616639608d1cd0dc18cc299fbd", "title": "Gangnam Industrial Style - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49020, "plain_text": "Gangnam Industrial Style - Threat Group Cards: A Threat Actor\nEncyclopedia\nArchived: 2026-04-06 03:15:51 UTC\nHome \u003e List all groups \u003e Gangnam Industrial Style\n APT group: Gangnam Industrial Style\nNames Gangnam Industrial Style (CyberX)\nCountry [Unknown]\nMotivation Information theft and espionage\nFirst seen 2019\nDescription\n(CyberX) Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial\ncyberespionage campaign targeting hundreds of manufacturing and other industrial firms\nprimarily located in South Korea.\nThe campaign steals passwords and documents which could be used in a number of ways,\nincluding stealing trade secrets and intellectual property, performing cyber reconnaissance for\nfuture attacks, and compromising industrial control networks for ransomware attacks.\nFor example, the attackers could be stealing proprietary information about industrial\nequipment designs so they can sell it to competitors and nation-states seeking to advance their\ncompetitive posture.\nAlso, credentials can provide attackers with remote RDP access to IoT/ICS networks, while\nplant schematics help adversaries understand plant layouts in order to facilitate attacks. Design\ninformation can also be used by cyberattackers to identify vulnerabilities in industrial control\nsystems.\nObserved\nSectors: Engineering, Manufacturing.\nCountries: China, Ecuador, Germany, Indonesia, Japan, South Korea, Thailand, Turkey, UK.\nTools used LaZagne, MOVEit Freely, NcFTPPut, Secure FTP Client, Separ, Living off the Land.\nInformation\nLast change to this card: 14 April 2020\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=792aae38-0145-4cc0-8e9f-8d41d147e8ae\nPage 1 of 2\n\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=792aae38-0145-4cc0-8e9f-8d41d147e8ae\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=792aae38-0145-4cc0-8e9f-8d41d147e8ae\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=792aae38-0145-4cc0-8e9f-8d41d147e8ae" ], "report_names": [ "showcard.cgi?u=792aae38-0145-4cc0-8e9f-8d41d147e8ae" ], "threat_actors": [ { "id": "e05a6eb3-2b1f-42a8-b469-599e7441eae6", "created_at": "2022-10-25T16:07:23.663913Z", "updated_at": "2026-04-10T02:00:04.704871Z", "deleted_at": null, "main_name": "Gangnam Industrial Style", "aliases": [], "source_name": "ETDA:Gangnam Industrial Style", "tools": [ "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MOVEit Freely", "NcFTPPut", "Secure FTP Client", "Separ" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775446601, "ts_updated_at": 1775791466, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/56a30c9b3838e4616639608d1cd0dc18cc299fbd.pdf", "text": "https://archive.orkl.eu/56a30c9b3838e4616639608d1cd0dc18cc299fbd.txt", "img": "https://archive.orkl.eu/56a30c9b3838e4616639608d1cd0dc18cc299fbd.jpg" } }