{
	"id": "3961b2a1-e9d4-4c1a-9d17-8033c619bad0",
	"created_at": "2026-04-06T00:16:14.652827Z",
	"updated_at": "2026-04-12T02:21:18.089838Z",
	"deleted_at": null,
	"sha1_hash": "580d97846874c39b61013ec189a66cd02fb0cfc7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55961,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 18:43:21 UTC\r\n APT group: Taidoor\r\nNames\r\nTaidoor (Trend Micro)\r\nBudminer (Symantec)\r\nEarth Aughisky (Trend Micro)\r\nG0015 (MITRE)\r\nCountry China\r\nMotivation Information theft and espionage\r\nFirst seen 2008\r\nDescription\r\n(Trend Micro) The Taidoor attackers have been actively engaging in targeted attacks since at\r\nleast March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP\r\naddresses as C\u0026C servers and email addresses to send out socially engineered emails with\r\nmalware as attachments. One of the primary targets of the Taidoor campaign appeared to be the\r\nTaiwanese government. The attackers spoofed Taiwanese government email addresses to send\r\nout socially engineered emails in the Chinese language that typically leveraged Taiwan-themed\r\nissues. The attackers actively sent out malicious documents and maintained several IP\r\naddresses for command and control.\r\nAs part of their social engineering ploy, the Taidoor attackers attach a decoy document to their\r\nemails that, when opened, displays the contents of a legitimate document but executes a\r\nmalicious payload in the background.\r\nWe were only able to gather a limited amount of information regarding the Taidoor attackers’\r\nactivities after they have compromised a target. We did, however, find that the Taidoor\r\nmalware allowed attackers to operate an interactive shell on compromised computers and to\r\nupload and download files. In order to determine the operational capabilities of the attackers\r\nbehind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued out\r\nsome basic commands in an attempt to map out the extent of the network compromise but\r\nquickly realized that the honeypot was not an intended targeted and so promptly disabled the\r\nTaidoor malware running on it. 
This indicated that while Taidoor malware were more widely\r\ndistributed compared with those tied to other targeted campaigns, the attackers could quickly\r\nassess their targets and distinguish these from inadvertently compromised computers and\r\nhoneypots.\r\nObserved\r\nSectors: Government.\r\nCountries: Brazil, Japan, South Korea, Taiwan, USA.\r\nTools used Dripion, Taidoor.\nOperations performed Late 2015\nTaiwan targeted with new cyberespionage back door Trojan\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=24403b57-1bb4-4c24-964c-ac2a35e67869",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=24403b57-1bb4-4c24-964c-ac2a35e67869"
	],
	"report_names": [
		"showcard.cgi?u=24403b57-1bb4-4c24-964c-ac2a35e67869"
	],
	"threat_actors": [
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-12T02:00:04.902473Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-12T02:00:03.260446Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-12T02:00:04.56738Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b7276b8-7f25-4e60-be9a-86cbc153cbfc",
			"created_at": "2023-01-06T13:46:39.086587Z",
			"updated_at": "2026-04-12T02:00:03.284962Z",
			"deleted_at": null,
			"main_name": "Budminer",
			"aliases": [
				"Budminer cyberespionage group"
			],
			"source_name": "MISPGALAXY:Budminer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434574,
	"ts_updated_at": 1775960478,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/580d97846874c39b61013ec189a66cd02fb0cfc7.pdf",
		"text": "https://archive.orkl.eu/580d97846874c39b61013ec189a66cd02fb0cfc7.txt",
		"img": "https://archive.orkl.eu/580d97846874c39b61013ec189a66cd02fb0cfc7.jpg"
	}
}