{
	"id": "3bb2a691-ea01-45f5-8ebb-9faf92d52357",
	"created_at": "2026-04-06T00:06:49.717909Z",
	"updated_at": "2026-04-10T03:36:33.763596Z",
	"deleted_at": null,
	"sha1_hash": "5843256045139fc9660b720b48acfadc9f9742cd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49599,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:53:09 UTC\n APT group: CeranaKeeper\nNames CeranaKeeper (ESET)\nCountry China\nSponsor State-sponsored\nMotivation Information theft and espionage\nFirst seen 2022\nDescription\n(ESET) CeranaKeeper has been active since at least the beginning of 2022, mainly\ntargeting governmental entities in Asian countries such as Thailand, Myanmar, the\nPhilippines, Japan, and Taiwan; we believe it is aligned with China’s interests. The\ngroup’s relentless hunt for data is remarkable, with its attackers deploying a wide\narray of tools aimed at extracting as much information as possible from\ncompromised networks. In the operation we analyzed, the group turned\ncompromised machines into update servers, devised a novel technique using\nGitHub’s pull request and issue comment features to create a stealthy reverse shell,\nand deployed single-use harvesting components when collecting entire file trees.\nCeranaKeeper seems to reuse tools from Mustang Panda, Bronze President.\nObserved\nSectors: Government.\nCountries: Japan, Myanmar, Philippines, Taiwan, Thailand.\nTools used PUBLOAD, TONEINS, TONESHELL.\nOperations performed 2023\nSeparating the bee from the panda: CeranaKeeper making a beeline for\nThailand\nInformation\nLast change to this card: 24 October 2024\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=36113f3a-c04e-46da-bec8-7d0232e94e2f\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=36113f3a-c04e-46da-bec8-7d0232e94e2f\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=36113f3a-c04e-46da-bec8-7d0232e94e2f\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=36113f3a-c04e-46da-bec8-7d0232e94e2f"
	],
	"report_names": [
		"showcard.cgi?u=36113f3a-c04e-46da-bec8-7d0232e94e2f"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7e75b11d-f74c-4721-958e-f5a831ae85dc",
			"created_at": "2024-10-25T02:02:07.623446Z",
			"updated_at": "2026-04-10T02:00:04.608517Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "ETDA:CeranaKeeper",
			"tools": [
				"ClaimLoader",
				"PUBLOAD",
				"TONEINS",
				"TONESHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eeea8091-668c-4e89-9c67-e688fd599365",
			"created_at": "2024-10-08T02:00:04.464686Z",
			"updated_at": "2026-04-10T02:00:03.723141Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "MISPGALAXY:CeranaKeeper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5843256045139fc9660b720b48acfadc9f9742cd.pdf",
		"text": "https://archive.orkl.eu/5843256045139fc9660b720b48acfadc9f9742cd.txt",
		"img": "https://archive.orkl.eu/5843256045139fc9660b720b48acfadc9f9742cd.jpg"
	}
}